
New Member

Access-lists responding.

Should access-lists configured on a router respond to UDP traffic with an ICMP response packet?

2 REPLIES

Re: Access-lists responding.

An ICMP 3/13 means a filtered port (code 13 is "Communication Administratively Prohibited" - RFC-1812, Requirements for Internet routers).

By default, a Cisco router generates ICMP unreachables like 3/13. Adding "no ip unreachable" under the incoming interface for the packet would block generation of those messages. But by default, ICMP unreachables are generated. And most customers do not deactivate unreach generation.

PIXes silently drop denied packets (by default); a PIX won't send an RST (for TCP) or an ICMP message. Use the "service resetinbound" command to return an RST for denied TCP packets.

It will not send an ICMP type 3 code 3 (Destination Unreachable, Port Unreachable) for denied UDP or TCP packets.

Most implementations generate an ICMP port unreachable error when a user (or intruder) sends a packet to a closed UDP port. Thus, a lack of a response indicates an active port. In terms of a UDP port scan, if there is a PIX between a source and the destination that blocks UDP traffic (by simply dropping the packet), and sends no response, most port scans will detect this as an indication of an open port.

Hope it helps.

Steve
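The inference Steve describes, as an added model that is not part of the thread or any Cisco code: the same denied UDP probe is read differently by a scanner depending on whether the filtering device answers with ICMP 3/13, ICMP 3/3, or nothing at all. The `Policy` names, functions and the "open|filtered" label are constructed for illustration.

```python
from enum import Enum
from typing import Optional, Tuple

# ICMP Destination Unreachable (type 3) codes discussed in the thread
ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3        # host reached, no listener on the UDP port
CODE_ADMIN_PROHIBITED = 13   # RFC 1812: communication administratively prohibited

Reply = Optional[Tuple[int, int]]   # (ICMP type, code) or None for silence


class Policy(Enum):
    """How a filtering device handles a denied UDP packet (constructed model)."""
    ROUTER_ACL_DEFAULT = "router ACL, ICMP unreachables enabled (default)"
    ROUTER_ACL_NO_UNREACH = "router ACL, unreachables disabled on inbound interface"
    PIX_DEFAULT = "PIX, silent drop (default)"


def device_response(policy: Policy, denied: bool, port_open: bool) -> Reply:
    """Simulated answer to a single UDP probe passing through the device."""
    if denied:
        if policy is Policy.ROUTER_ACL_DEFAULT:
            return (ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED)
        return None  # PIX and a router with unreachables disabled both stay silent
    # Packet reached the host: a closed port answers 3/3, a listening service says nothing
    return None if port_open else (ICMP_DEST_UNREACH, CODE_PORT_UNREACH)


def classify(reply: Reply) -> str:
    """The conclusion a typical UDP scanner draws from one probe's reply."""
    if reply is None:
        return "open|filtered"   # silence is ambiguous: live service or silent drop
    if reply == (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
        return "closed"
    if reply == (ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED):
        return "filtered"        # ACL explicitly announced itself
    return "unknown"


def scan_outcome(policy: Policy, denied: bool, port_open: bool) -> str:
    """What the scanner reports for a port behind the given device policy."""
    return classify(device_response(policy, denied, port_open))


if __name__ == "__main__":
    for policy in Policy:
        print(f"{policy.value:55s} -> denied UDP port reads as {scan_outcome(policy, True, False)}")
```

Defensively, the last two policies show why a silent drop makes a blocked port indistinguishable from an open one; only the 3/13 reply lets an observer tell an ACL apart from a listening service.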

New Member

Re: Access-lists responding.

That helps!

Thanks.
