Host Unreachable vs Communication Administratively Prohibited in ACL Ping Response


Below is a portion of my topology.

[topology image]

Faculty of Arts student subnet should not be able to ping Faculty of Arts staff subnet but the staff should be able to ping the student subnet. I know that this should be done using access lists. So I did some research on Access Lists and concluded that this should be the access-list:

Router02(config)#do show access-lists
Extended IP access list 100
10 deny icmp 123.45.0.0 0.0.3.255 123.45.8.0 0.0.1.255 echo (15 matches)
20 deny icmp 123.45.0.0 0.0.3.255 123.45.10.0 0.0.1.255 echo (15 matches)
30 permit icmp any any (5 matches)
40 permit ip any any

I applied it on interface f2/0

interface FastEthernet2/0
 ip address 123.45.0.1 255.255.252.0
 ip access-group 100 in
 duplex auto
 speed auto

Before implementing this ACL, both PCs could ping each other successfully. After, only the staff could successfully ping the student subnet. This is the reply when the student PC pings the staff PC:

FAS1> ping 123.45.8.2
*123.45.0.1 icmp_seq=1 ttl=255 time=18.989 ms (ICMP type:3, code:13, Communication administratively prohibited)
*123.45.0.1 icmp_seq=2 ttl=255 time=3.011 ms (ICMP type:3, code:13, Communication administratively prohibited)
*123.45.0.1 icmp_seq=3 ttl=255 time=6.896 ms (ICMP type:3, code:13, Communication administratively prohibited)
*123.45.0.1 icmp_seq=4 ttl=255 time=6.123 ms (ICMP type:3, code:13, Communication administratively prohibited)
*123.45.0.1 icmp_seq=5 ttl=255 time=13.003 ms (ICMP type:3, code:13, Communication administratively prohibited)

It's saying "Communication administratively prohibited". I know this is a silly question because it's obviously not pinging, but I just want to be sure. In every example that I've seen, the reply is "host is unreachable", not what I'm getting. Are they the same thing? And is my Access List correct?

Any help would be appreciated. Thanks.

Best Answer

Practically it's the same. The router isn't silently dropping the packets but returning an ICMP error message 3/13, informing the sender that the packet has been filtered.

Users often don't care why a destination isn't reachable but when you're debugging your own network the distinction might make a valuable difference.

The access list looks OK, though you shouldn't need line 30. Line 40 picks up anything undefined already.
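As an added illustration (not part of the question or the answer above), the following Python evaluates access list 100 the way the router does: first matching line wins, with an implicit deny at the end. It shows which line catches a student-to-staff echo, why the staff's ping still works (the student's echo-reply entering f2/0 is not an echo), and why line 30 is redundant. Addresses come from the question except the student PC address 123.45.0.10, which is constructed.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class AclEntry(NamedTuple):
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "icmp" or "ip" ("ip" matches every protocol)
    src: str                   # "<network> <wildcard>" or "any"
    dst: str
    icmp_type: Optional[str]   # "echo", "echo-reply", or None for any ICMP type

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

# Access list 100 exactly as shown in the question (applied inbound on f2/0).
ACL_100 = [
    AclEntry(10, "deny",   "icmp", "123.45.0.0 0.0.3.255", "123.45.8.0 0.0.1.255",  "echo"),
    AclEntry(20, "deny",   "icmp", "123.45.0.0 0.0.3.255", "123.45.10.0 0.0.1.255", "echo"),
    AclEntry(30, "permit", "icmp", "any", "any", None),
    AclEntry(40, "permit", "ip",   "any", "any", None),
]

def evaluate(acl: List[AclEntry], src: str, dst: str, proto: str,
             icmp_type: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """First matching line wins; every Cisco ACL ends with an implicit deny (seq None)."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action, e.seq
    return "deny", None

def router_action(acl, src, dst, proto, icmp_type=None) -> str:
    """What the router does with a packet arriving on the interface where the ACL is
    applied inbound. A deny is not a silent drop: with the default 'ip unreachables'
    the router answers ICMP type 3 code 13 (communication administratively prohibited)."""
    action, _ = evaluate(acl, src, dst, proto, icmp_type)
    return "forward" if action == "permit" else "reply ICMP type 3 code 13"

def without(acl, seq):
    """Copy of the ACL with one line removed, to check whether that line is redundant."""
    return [e for e in acl if e.seq != seq]

# Student (constructed 123.45.0.10) pinging staff PC 123.45.8.2: line 10 denies, 3/13 goes back.
print(evaluate(ACL_100, "123.45.0.10", "123.45.8.2", "icmp", "echo"))
# Staff pinging the student: the reply leaving the student subnet is an echo-reply, permitted.
print(evaluate(ACL_100, "123.45.0.10", "123.45.8.2", "icmp", "echo-reply"))
print(evaluate(without(ACL_100, 30), "123.45.0.10", "123.45.8.2", "icmp", "echo-reply"))
```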