Cisco Support Community

Access-lists responding.

Should access-lists configured on a router respond to UDP traffic with an ICMP response packet?


Re: Access-lists responding.

An ICMP 3/13 means a filtered port (code 13 is "Communication Administratively Prohibited" - RFC-1812, Requirements for Internet routers).

By default, a Cisco router generates ICMP unreachables like 3/13. Adding "no ip unreachable" under the incoming interface for the packet would block generation of those messages. But by default, ICMP unreachables are generated. And most customers do not deactivate unreach generation.

PIXes silently drop denied packets by default; they won't send an RST (for TCP) or an ICMP message. Use the "service resetinbound" command to return an RST for denied TCP packets.

It will not send an ICMP type 3 code 3 (Destination Unreachable, Port Unreachable) for denied UDP or TCP packets.

Most implementations generate an ICMP port unreachable error when a user (or intruder) sends a packet to a closed UDP port. Thus, a lack of a response indicates an active port. In terms of a UDP port scan, if there is a PIX between a source and the destination that blocks UDP traffic (by simply dropping the packet), and sends no response, most port scans will detect this as an indication of an open port.

Hope it helps.
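
The three cases described in the reply above (router ACL answering with ICMP 3/13, host answering with ICMP 3/3, PIX dropping silently) as an added worked example; this is illustration code, not anything from the thread or from Cisco. It builds a constructed UDP probe and the ICMP Destination Unreachable replies a scanner might see, parses the quoted datagram out of each reply, and maps them to the verdicts a UDP scanner reports. It goes slightly beyond the post by treating the other RFC 1812 "filtered" codes (1, 2, 9, 10) the same way as 13, and by checking that the quoted datagram really belongs to the probe being classified. Addresses, ports, and function names are assumptions; checksums are left at zero because nothing here touches a real socket.

```python
import struct

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3         # 3/3: the destination host says nothing listens there
CODE_ADMIN_PROHIBITED = 13    # 3/13: a router ACL dropped the packet (RFC 1812)
# Other type 3 codes a filtering device may emit; scanners treat them like code 13
FILTERED_CODES = {1, 2, 9, 10, CODE_ADMIN_PROHIBITED}
IPPROTO_UDP = 17


def ip4(addr):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def build_probe(src, dst, sport, dport, payload=b""):
    """Constructed IPv4+UDP datagram as a scanner would send it (checksums left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, ip4(src), ip4(dst))
    return ip + udp


def build_icmp_unreach(code, original):
    """Constructed ICMP type 3 reply quoting the offending datagram (RFC 792 layout).

    Layout: type, code, checksum (0 here), 4 unused bytes, then the original IP
    header plus the first 8 bytes of its payload (28 bytes for a 20-byte header).
    """
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original[:28]


def parse_icmp_unreach(pkt):
    """Return (code, quoted_dst, quoted_dport) for a type 3 message quoting UDP, else None."""
    if len(pkt) < 8 or pkt[0] != ICMP_DEST_UNREACH:
        return None
    code = pkt[1]
    quoted = pkt[8:]
    if len(quoted) < 20:
        return None
    ihl = (quoted[0] & 0x0F) * 4          # IP header length in bytes
    if quoted[9] != IPPROTO_UDP or len(quoted) < ihl + 4:
        return None                       # not quoting a UDP datagram, or truncated
    dst = ".".join(str(b) for b in quoted[16:20])
    _sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return code, dst, dport


def classify_udp_probe(target, dport, reply):
    """Turn the reply (or lack of one) to a single UDP probe into a scan verdict."""
    if reply is None:
        # Silence: either a listening service that ignored our payload, or a device
        # (PIX default) that dropped the packet without a word. Indistinguishable.
        return "open|filtered"
    parsed = parse_icmp_unreach(reply)
    if parsed is None:
        return "open|filtered"            # not a usable unreachable; same as silence
    code, qdst, qdport = parsed
    if (qdst, qdport) != (target, dport):
        return "open|filtered"            # quotes someone else's probe; no evidence here
    if code == CODE_PORT_UNREACH:
        return "closed"                   # the host itself answered: nothing bound
    if code in FILTERED_CODES:
        return "filtered"                 # a router ACL admitted to dropping it
    return "open|filtered"


def demo():
    """Three constructed scenarios from the thread; returns {scenario: verdict}."""
    scanner, target, port = "192.0.2.10", "198.51.100.5", 161   # assumed addresses
    probe = build_probe(scanner, target, 40000, port)
    # 1) IOS router with default ICMP unreachables and a deny ACL -> 3/13
    router_reply = build_icmp_unreach(CODE_ADMIN_PROHIBITED, probe)
    # 2) Probe reaches the host, nothing listens on UDP/161 -> 3/3
    host_reply = build_icmp_unreach(CODE_PORT_UNREACH, probe)
    # 3) PIX in the path silently drops the probe -> no reply at all
    pix_reply = None
    return {
        "router_acl": classify_udp_probe(target, port, router_reply),
        "host_closed": classify_udp_probe(target, port, host_reply),
        "pix_drop": classify_udp_probe(target, port, pix_reply),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The "pix_drop" case is the one the reply warns about: a scanner cannot tell a silently dropping firewall from a service that simply did not answer, so it reports open|filtered rather than open. The quoted-datagram check matters on a real network, where unreachables for other probes (or other hosts) arrive interleaved and must not be credited to the wrong port.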



Re: Access-lists responding.

That helps!

