
I am trying to ping a host, let's say 10.1.1.1, from 20.1.1.1.

I have created the ACL:

R1(config)#access-list 1 deny 20.1.1.1
R1(config)#access-list 1 permit any
R1(config)#int s0/0
R1(config-if)#ip access-group 1 in

Never mind the configuration; I can deny the host 20.1.1.1, which tries to access 10.1.1.1.

Now when I try to ping 10.1.1.1 from 20.1.1.1, it returns U.U.U. This means destination host unreachable or it is blocked.

I don't want a malicious person to know that I have used an access-list to block him. I want to change this so that when the ICMP request throws the error message, it does not return U.U.U. It should read Destination Host Unreachable or anything better than this.

Kindly suggest to me how to do this... Thank you

Brett Lykins
user3146180
  • Is the user at 20.1.1.1 pinging from the same point you are? If you block his (or her) pings, they will get a timeout (.) Unreachable (U) means the router doesn't have a route to the target. – Ron Trunk Jan 16 '14 at 16:22
  • @ron, no matching route is only one of several reasons for seeing U.U.U... if the router is sending ICMP admin prohibited messages, you will also see U.U.U – Mike Pennington Jan 16 '14 at 17:09
  • Hi Mike and Ron, I have not created any scenario; I just wanted to know how to make the output silent instead of U.U.U when we use an ACL. So I mentioned some example, nothing much. I understand clearly from your example that even if we give no ip unreachables on the particular interface, if the router doesn't know the route for the destination it is also going to give the output U.U.U (Destination Unreachable). – user3146180 Jan 16 '14 at 18:15

2 Answers

R1(config)#access-list 1 deny 20.1.1.1
R1(config)#access-list 1 permit any
R1(config)#int s0/0
R1(config-if)#ip access-group 1 in

When I try to ping 10.1.1.1 it returns U.U.U -----> Which means destination host unreachable.

The only thing you can do is add no ip unreachables to Serial0/0. This would make pings simply timeout instead of receiving an ICMP admin prohibited message when packets are denied on the serial interface.

Examples:

The following examples illustrate what happens:

  • When ROUTER1 pings ROUTER2:Gi0/0, and ROUTER2 denies ROUTER1 via acl 166; ip unreachables is configured on Gi0/0
  • When ROUTER1 pings ROUTER2:Gi0/0, and ROUTER2 denies ROUTER1 via acl 166; no ip unreachables is configured on Gi0/0

With ip unreachables (which is the default) on the interface

On the router with the ACL...

ROUTER2#sh runn | i access-list 166
access-list 166 deny  ip host 192.0.2.111 any
access-list 166 permit ip any any
ROUTER2#sh runn int gi0/0
!
interface GigabitEthernet0/0
 ip address 192.0.2.29 255.255.255.0
 ip access-group 166 in
 no ip redirects
 no ip proxy-arp

And on the host being blocked...

ROUTER1#debug ip icmp
ROUTER1#ping 192.0.2.29 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.29, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.111
U.U.U
Success rate is 0 percent (0/5)
ROUTER1#sh log | i administrat
Jan 16 11:02:29.251 CST: ICMP: dst (192.0.2.111) administratively prohibited unreachable rcv from 192.0.2.29
Jan 16 11:02:31.255 CST: ICMP: dst (192.0.2.111) administratively prohibited unreachable rcv from 192.0.2.29
Jan 16 11:02:33.263 CST: ICMP: dst (192.0.2.111) administratively prohibited unreachable rcv from 192.0.2.29

With no ip unreachables

Adding no ip unreachables on ROUTER2...

ROUTER2#conf t
ROUTER2(config)#int gi0/0
ROUTER2(config-if)#no ip unreach

Now the pings fail silently...

ROUTER1#ping 192.0.2.29 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.29, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.111
.....
Success rate is 0 percent (0/5)
ROUTER1#
Mike Pennington
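As an added example (not part of the answer above), here is a small Python decoder for the ICMP Destination Unreachable message that makes IOS print the U. It shows why U.U.U on its own is ambiguous, as the comments on the question note: the administratively-prohibited codes an ACL deny generates and the no-route codes both produce the same U, and only the code field in the packet tells them apart. The packet bytes are constructed here to mirror ROUTER1's blocked echo request; the function and field names are my own.

```python
import struct
from ipaddress import IPv4Address

# ICMP type 3 (Destination Unreachable) codes from RFC 792 / RFC 1812.
# IOS ping prints "U" for all of them, so U.U.U alone cannot tell an ACL
# deny (codes 9, 10, 13) from a missing route (codes 0, 1).
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; a message carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_unreachable(code: int, offending: bytes) -> bytes:
    """Build a type-3 message quoting the offending datagram (IP header + first 8 bytes)."""
    csum = icmp_checksum(struct.pack("!BBHI", 3, code, 0, 0) + offending)
    return struct.pack("!BBHI", 3, code, csum, 0) + offending

def classify_unreachable(icmp: bytes) -> dict:
    """Decode a type-3 message: the reason, whether an ACL caused it, and who was blocked."""
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not Destination Unreachable (type %d)" % icmp_type)
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]  # quoted IP header of the packet that was dropped
    return {
        "code": code,
        "reason": UNREACHABLE_CODES.get(code, "other (%d)" % code),
        "acl_related": code in (9, 10, 13),
        "original_src": str(IPv4Address(inner[12:16])),
        "original_dst": str(IPv4Address(inner[16:20])),
        "original_proto": inner[9],
    }

# Constructed sample: IP header + echo-request header of ROUTER1's blocked ping
# (192.0.2.111 -> 192.0.2.29), the part a router quotes back in the type-3 message.
OFFENDING = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 100, 1, 0, 255, 1, 0,
                        IPv4Address("192.0.2.111").packed, IPv4Address("192.0.2.29").packed)
OFFENDING += struct.pack("!BBHHH", 8, 0, 0, 1, 1)
ADMIN_PROHIBITED = build_unreachable(13, OFFENDING)  # what ROUTER2 sends with ip unreachables on
```

Run over a capture from the blocked host, the "acl_related" flag is what separates an ACL deny from a genuine routing problem, which the U in the ping output does not.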

Based on your question, it sounds like you're saying that someone has broken into your router to ping 10.1.1.1, in which case you obviously have bigger problems than the output of an ICMP request, as I believe they would only get that type of reply to their ping if they are pinging from the Cisco CLI. If this so-called "malicious person" is attempting to ping from their local machine's terminal or command line, they won't see U.U.U as output. However, it is good to note that there are alternative ways they could still carry out penetration testing of your system. In particular, they could use something I recently learned about called tcptraceroute, which will act like a regular TCP connection and bypass your ACL, or hping, which carries out pings using TCP or UDP rather than ICMP.

THE DOCTOR