Changing returned message from router when using ACL

Unanswered Question
Dec 18th, 2007


I configured a few voice routers that are directly exposed on the Internet. They have access-lists that deny all the SIP and H.323 traffic. When I'm scanning the router, for example with nmap (SYN scan), I get a message that the port is open (administratively filtered). I just want to suppress any responses on those ports and hide my router completely. Is there a way to do that?

Thank you in advance.



mhellman Tue, 12/18/2007 - 15:44

You need to use the --packet-trace option of nmap to see what, if anything, is actually being returned by the router. By default, I believe Cisco routers will reply with a helpful ICMP message. You can filter outbound ICMP using an ACL. You may be able to selectively disable certain ICMP types via a more global setting too. Post this question to the firewall group with your router model and IOS version and you're sure to get a good response.
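As an added illustration (not from the poster or the thread), the IOS configuration below shows the weak state beside the corrected one: an inbound ACL that denies SIP/H.323 still makes the router answer each dropped packet with ICMP type 3 code 13 (administratively prohibited), which is exactly what the scanner reports as "filtered". The interface and ACL names are assumed. One caveat worth knowing: an outbound ACL on IOS does not apply to packets the router itself originates, so the reliable way to silence those replies is `no ip unreachables` on the exposed interface.

```cisco
! --- Weak: ACL drops the traffic, but the router still sends
!     ICMP administratively-prohibited replies for every deny.
ip access-list extended INET-IN           ! assumed name
 deny udp any any eq 5060                 ! SIP over UDP
 deny tcp any any eq 5060                 ! SIP over TCP
 deny tcp any any eq 1720                 ! H.323 call signalling
 ! ... remaining permit entries for wanted traffic omitted ...
!
interface GigabitEthernet0/0               ! assumed Internet-facing interface
 ip access-group INET-IN in
!
! --- Corrected: same ACL, but the interface no longer generates
!     ICMP unreachables, so denied probes get no answer at all.
!     Note: this also suppresses "fragmentation needed" (type 3,
!     code 4), which can break path-MTU discovery through this hop.
interface GigabitEthernet0/0
 ip access-group INET-IN in
 no ip unreachables
```

After the change, re-run the same scan with `nmap --packet-trace` against the router; the RCVD lines for the denied ports should disappear, and nmap reports them as filtered with no-response rather than admin-prohibited.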

z.zdravkov Tue, 12/18/2007 - 23:58

Thank you very much. If I don't find any better ideas I'm going to filter the outgoing ICMPs.


