Sending RST packets

Discussion in 'Cisco' started by Matthias Scheler, Dec 8, 2006.

Hello,

    I've got a Cisco (877W with IOS 12.4 in my case) which uses an "access-list"
    to filter IP traffic on the external interface:

    interface Dialer0
    [...]
    ip access-group 101 in
    [...]

    [...]
    access-list 101 permit tcp any host 1.2.3.4 eq www
    [...]
    access-list 101 deny tcp any any
    [...]

    The rules work fine and prevent access to TCP ports which are supposed
    to be protected.

    If an external host does, however, try to connect to one of the protected
    ports, the Cisco seems to send a "host unreachable - admin prohibited filter"
    ICMP packet like this:

    22:07:57.539673 IP 5.6.7.8 > 9.10.11.12: icmp 36: host 1.2.3.4 unreachable - admin prohibited filter

    The host I'm using for testing seems to ignore these packets. The previous
    firewall (a NetBSD system using PF) could be configured to send a TCP-RST
    packet in this case. Is it possible to configure IOS to do the same?

    Kind regards
     
    Matthias Scheler, Dec 8, 2006
    #1

    Martin Turba (Guest)

    Maybe you could achieve that by using tcp intercept in passive mode and
    tuning the watch-timeout, e.g.:

    !
    interface Dialer0
    ip access-group 101 in
    !
    access-list 101 permit tcp any host 1.2.3.4 eq www
    [...]
    access-list 101 deny tcp any any
    !
    ip tcp intercept list 101
    ip tcp intercept mode watch
    ip tcp intercept watch-timeout 5
    !

    (http://www.cisco.com/en/US/products..._guide_chapter09186a00804fde4f.html#wp1000937)


    Regards,
    Martin
     
    Martin Turba, Dec 9, 2006
    #2
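Added example (not from either post) for checking which reject behaviour a firewall actually produces once a rule such as the one above is in place: it reads tcpdump lines like the one Matthias quoted and marks each probe SYN as answered with SYN/ACK, a TCP RST, an ICMP "admin prohibited" error, or nothing at all. The capture, addresses and ports are constructed; matching an ICMP error to a SYN is a heuristic, because the old tcpdump format shown in the thread does not print the embedded TCP header.

```python
import re

# Constructed capture in the tcpdump 3.x style of the line quoted in the thread.
# 9.10.11.12 is the testing host, 1.2.3.4 the address behind the Cisco, 5.6.7.8 the router.
SAMPLE_CAPTURE = """\
22:07:57.500000 IP 9.10.11.12.40001 > 1.2.3.4.80: S 100:100(0) win 5840
22:07:57.510000 IP 1.2.3.4.80 > 9.10.11.12.40001: S 200:200(0) ack 101 win 4096
22:07:57.530000 IP 9.10.11.12.40002 > 1.2.3.4.23: S 300:300(0) win 5840
22:07:57.539673 IP 5.6.7.8 > 9.10.11.12: icmp 36: host 1.2.3.4 unreachable - admin prohibited filter
22:07:58.000000 IP 9.10.11.12.40003 > 1.2.3.4.22: S 400:400(0) win 5840
22:07:58.010000 IP 1.2.3.4.22 > 9.10.11.12.40003: R 0:0(0) ack 401 win 0
22:07:59.000000 IP 9.10.11.12.40004 > 1.2.3.4.25: S 500:500(0) win 5840
"""

# Accepts both the old ("S 1:1(0) ack ...") and the current ("Flags [S.], ...") flag syntax.
TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (?:Flags \[([^\]]*)\]|([SRPFWEU.]+) )")
ICMP_RE = re.compile(r"icmp \d+: host (\S+) unreachable - admin prohibited")

def parse_tcp(line):
    """Return (src, sport, dst, dport, flags) or None; flags is a set with 'A' added for ACK."""
    m = TCP_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, new_flags, old_flags = m.groups()
    flags = set(new_flags if new_flags is not None else old_flags)
    if "." in flags or " ack " in line:
        flags.add("A")
    return src, int(sport), dst, int(dport), flags

def classify_rejects(capture):
    """Map each probed (dst_ip, dst_port) to 'open', 'rst', 'icmp-admin-prohibited' or 'silent'."""
    verdicts = {}                               # insertion order = capture order
    for line in capture.splitlines():
        tcp = parse_tcp(line)
        if tcp:
            src, sport, dst, dport, flags = tcp
            if "S" in flags and "A" not in flags:
                verdicts.setdefault((dst, dport), "silent")   # probe SYN, unanswered so far
            elif "S" in flags:
                verdicts[(src, sport)] = "open"               # SYN/ACK from the target port
            elif "R" in flags:
                verdicts[(src, sport)] = "rst"                # TCP reset, the behaviour asked for
            continue
        icmp = ICMP_RE.search(line)
        if icmp:
            # Heuristic: charge the ICMP error to the latest unanswered SYN towards that host.
            for key in reversed(list(verdicts)):
                if key[0] == icmp.group(1) and verdicts[key] == "silent":
                    verdicts[key] = "icmp-admin-prohibited"
                    break
    return verdicts
```

A port left at "silent" after the capture ends is one the firewall dropped without any reply, which is the case the test host in the thread could not distinguish from a lost packet.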