392 Views | 0 Helpful | 2 Replies

Access-lists responding.

amtunnell
Level 1

Should access-lists configured on a router respond to UDP traffic with an ICMP response packet?

2 Replies

steve.barlow
Level 7

An ICMP 3/13 means a filtered port (code 13 is "Communication Administratively Prohibited" - RFC-1812, Requirements for Internet routers).

By default, a Cisco router generates ICMP unreachables like 3/13. Adding "no ip unreachable" under the incoming interface for the packet would block generation of those messages. But by default, ICMP unreachables are generated. And most customers do not deactivate unreach generation.

PIXes silently drop packets (by default) that are denied; they won't send an RST (for TCP) or an ICMP message. Use the "service resetinbound" command to return an RST for denied TCP packets.

It will not send an ICMP type 3 code 3 (Destination Unreachable, Port Unreachable) for denied UDP or TCP packets.

Most implementations generate an ICMP port unreachable error when a user (or intruder) sends a packet to a closed UDP port. Thus, a lack of a response indicates an active port. In terms of a UDP port scan, if there is a PIX between a source and the destination that blocks UDP traffic (by simply dropping the packet), and sends no response, most port scans will detect this as an indication of an open port.

Hope it helps.

Steve
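The reply above describes how a scanner interprets what comes back from a UDP probe: ICMP 3/3 means a closed port, ICMP 3/13 means an ACL filtered it, and silence is ambiguous between "open" and "dropped by a firewall". The following is an added example, not code from the thread or from Cisco: it builds and parses minimal ICMP headers (with the RFC 1071 checksum) and classifies a probe result the way a scanner would, then models a router with unreachables enabled versus disabled to show why a silently dropping device makes a denied port look the same as an open one. The `simulate_router_reply` function, the `Reply` container and the sample packets are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# ICMP type/code values from RFC 792 and RFC 1812.
ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3          # 3/3: port closed on the host
CODE_ADMIN_PROHIBITED = 13     # 3/13: router ACL denied the packet
# Other "unreachable" codes a scanner treats as "filtered".
FILTERED_CODES = {1, 2, 9, 10, CODE_ADMIN_PROHIBITED}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum over 16-bit words (zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build an 8-byte ICMP header (type, code, checksum, unused) plus payload."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def parse_icmp_header(packet: bytes) -> tuple:
    """Return (type, code) after verifying length and checksum."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code


@dataclass
class Reply:
    """What came back for one UDP probe (constructed container, not a real capture)."""
    proto: str            # "udp" or "icmp"
    data: bytes = b""


def classify_udp_probe(reply: Optional[Reply]) -> str:
    """Scanner-style interpretation of the response to a single UDP probe."""
    if reply is None:
        # Silence: either the service accepted the datagram without
        # answering, or a device dropped it without any error message.
        return "open|filtered"
    if reply.proto == "udp":
        return "open"              # the service itself answered
    icmp_type, code = parse_icmp_header(reply.data)
    if icmp_type == ICMP_DEST_UNREACH and code == CODE_PORT_UNREACH:
        return "closed"
    if icmp_type == ICMP_DEST_UNREACH and code in FILTERED_CODES:
        return "filtered"
    return "open|filtered"


def simulate_router_reply(denied_by_acl: bool, unreachables_enabled: bool) -> Optional[Reply]:
    """Model a router ACL decision (constructed, not IOS behaviour code).

    unreachables_enabled=True mirrors the IOS default; False mirrors
    "no ip unreachables" on the inbound interface, where denied packets are
    dropped without an ICMP 3/13.
    """
    if denied_by_acl and unreachables_enabled:
        return Reply("icmp", build_icmp(ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED))
    return None


if __name__ == "__main__":
    # Default IOS: an ACL deny is visible as "filtered".
    print(classify_udp_probe(simulate_router_reply(True, True)))    # filtered
    # With unreachables suppressed (or a PIX drop), the same deny is
    # indistinguishable from an open port that stays quiet.
    print(classify_udp_probe(simulate_router_reply(True, False)))   # open|filtered
    print(classify_udp_probe(Reply("icmp", build_icmp(3, 3))))       # closed
```

For a defender, the useful reading is the other way around: if you suppress unreachables to reduce information leakage, your own scans of the perimeter will report denied ports as "open|filtered", so verify ACLs from the configuration and logs rather than from scan output alone.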

That helps!

Thanks.