Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Access-list question

We have an issue with a device on a route receiving TCP resets whenever a connection is attempted. This route goes through a third party. We have removed all blocks on our part of the network. My question is, how do access-lists deal with denied packets. Do they direct the packet to Null0 and simply drop the packet or would an extended access-list denying on a TCP rule send a reset thereby closing the connection? My own feeling is that there may be a firewall rule in the way as the reset is at layer 4. Would apprecieate some clarification.



Community Member

Re: Access-list question

Denied packets are dropped by access lists (and logged if configured to do so).

Standard access lists just look at the addressing, extended access lists look at the TCP port etc.

to decide to pass through the list or to drop.

It sounds as if the TCP reset is coming from the remote end

best of luck

Cisco Employee

Re: Access-list question

Additionally a packet being denied by tha ACL causes the router to send a ICMP message (code 3(destination unreachable ), subcode 13(Communication Administratively Prohibited) to the source of the packet).

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
Community Member

Re: Access-list question

Thanks guys, yes that has helped us out. The ICMP returns helped us to look in the right direction to sort this.

Community Member

Re: Access-list question

Dear all

I add ACl at interface.But logging this message. is a router interface.

Why source interface is router ip not is PC address.

%SEC-6-IPACCESSLOGDP: list 2302 denied icmp -> (3/13), 2 packets

%SEC-6-IPACCESSLOGDP: list 2302 denied icmp -> (3/13), 1 packet

%SEC-6-IPACCESSLOGDP: list 2302 denied icmp -> (3/13), 1 packet

Extended IP access list 2302

permit ip

deny ip any log-input (20351 matches)

permit ip any any (48654 matches)

thank you

CreatePlease to create content