03-22-2004 03:32 AM - edited 03-02-2019 02:27 PM
We have an issue with a device on a route receiving TCP resets whenever a connection is attempted. This route goes through a third party. We have removed all blocks on our part of the network. My question is, how do access-lists deal with denied packets? Do they direct the packet to Null0 and simply drop the packet, or would an extended access-list denying on a TCP rule send a reset, thereby closing the connection? My own feeling is that there may be a firewall rule in the way, as the reset is at layer 4. Would appreciate some clarification.
Thanks.
Steve.
03-22-2004 03:58 AM
Denied packets are dropped by access lists (and logged if configured to do so).
Standard access lists just look at the addressing; extended access lists look at the TCP port etc. to decide to pass through the list or to drop.
It sounds as if the TCP reset is coming from the remote end.
best of luck
03-22-2004 04:50 AM
Additionally, a packet being denied by the ACL causes the router to send an ICMP message (code 3 (destination unreachable), subcode 13 (Communication Administratively Prohibited)) to the source of the packet.
Hope this helps,
03-22-2004 05:41 AM
Thanks guys, yes that has helped us out. The ICMP returns helped us to look in the right direction to sort this.
04-01-2004 07:01 PM
Dear all
I added an ACL at the interface, but it is logging this message.
136.136.1.1 is a router interface.
Why is the source the router interface IP and not the PC address?
%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 151.199.214.230 (3/13), 2 packets
%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 130.85.193.10 (3/13), 1 packet
%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 12.222.154.63 (3/13), 1 packet
Extended IP access list 2302
permit ip 136.136.1.0 0.0.0.255 136.136.0.0 0.0.255.255
deny ip 136.136.1.0 0.0.0.255 any log-input (20351 matches)
permit ip any any (48654 matches)
thank you
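As an added example (not code from the thread), here is a small parser for the %SEC-6-IPACCESSLOG* lines quoted above that picks out denied ICMP 3/13 records sourced from the router's own address, which is the case an earlier reply describes: the router sends an administratively-prohibited ICMP to the source of a denied packet, and an outbound deny can then catch that reply. The router interface set and the extra TCP sample line are assumptions for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the %SEC-6-IPACCESSLOG* shape quoted above: the two ICMP
# lines copy the post, the TCP line is made up to show a record that must not be flagged.
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 151.199.214.230 (3/13), 2 packets",
    "%SEC-6-IPACCESSLOGDP: list 2302 denied icmp 136.136.1.1 -> 130.85.193.10 (3/13), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 2302 denied tcp 136.136.1.50(1025) -> 10.0.0.5(80), 1 packet",
]
# Assumption taken from the post: 136.136.1.1 is one of the router's own interface addresses.
ROUTER_INTERFACES = {"136.136.1.1"}

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:DP|P): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one IPACCESSLOG line (in the form printed in the post) into a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "count"):
        if entry[key] is not None:
            entry[key] = int(str(entry[key]))
    return entry


def is_router_admin_prohibited(entry: Dict[str, object], router_ifaces: Iterable[str]) -> bool:
    """A denied ICMP type 3 / code 13 whose source is the router itself: the router's
    administratively-prohibited reply to an earlier deny is being caught by the ACL."""
    return (entry["action"] == "denied" and entry["proto"] == "icmp"
            and entry["itype"] == 3 and entry["icode"] == 13
            and entry["src"] in set(router_ifaces))


def find_router_sourced_unreachables(lines: Iterable[str], router_ifaces: Iterable[str]) -> List[Dict[str, object]]:
    """Return the parsed log entries that is_router_admin_prohibited() flags."""
    ifaces = set(router_ifaces)
    parsed = (parse_acl_log(line) for line in lines)
    return [e for e in parsed if e is not None and is_router_admin_prohibited(e, ifaces)]


if __name__ == "__main__":
    for hit in find_router_sourced_unreachables(SAMPLE_LOGS, ROUTER_INTERFACES):
        print(f"list {hit['acl']}: router-generated ICMP 3/13 to {hit['dst']} dropped, {hit['count']} packet(s)")
```

Lines with the extra interface/MAC fields that log-input can add are not handled, since the post does not show that form.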