ICMP - response to a ping that is blocked by an ACL

When a ping is blocked by an ACL somewhere along its path, the router on which the ACL is configured typically sends back an ICMP response stating that the destination is "administratively prohibited unreachable".

The following example shows a ping together with the debug output that contains this particular ICMP message:

```
Router1#ping 172.16.4.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.34, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Jan 20 16:34:49.207: IP: s=172.16.12.1 (local), d=172.16.4.34 (Serial0), len 100, sending
Jan 20 16:34:49.287: IP: s=172.16.4.34 (Serial0), d=172.16.12.1 (Serial0), len 56, rcvd 3
Jan 20 16:34:49.291: ICMP: dst (172.16.12.1) administratively prohibited unreachable rcv from 172.16.4.34
Jan 20 16:34:49.295: IP: s=172.16.12.1 (local), d=172.16.4.34 (Serial0), len 100, sending
Jan 20 16:34:51.295: IP: s=172.16.12.1 (local), d=172.16.4.34 (Serial0), len 100, sending
Jan 20 16:34:51.367: IP: s=172.16.4.34 (Serial0), d=172.16.12.1 (Serial0), len 56, rcvd 3
Jan 20 16:34:51.371: ICMP: dst (172.16.12.1) administratively prohibited unreachable rcv from 172.16.4.34
Jan 20 16:34:51.379: IP: s=172.16.12.1 (local), d=172.16.4.34 (Serial0), len 100, sending
```

Notice the "administratively prohibited unreachable" message that is received. This indicates that the echo request was blocked by the ACL.
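When reviewing a longer capture, the same check can be scripted. The following is an added example, not part of the original note: it parses the debug lines shown above and reports how many echoes were sent and which device returned the "administratively prohibited" message. The function names and regular expressions are this example's own and assume the line format shown on this page.

```python
import re
from collections import Counter

# Debug lines copied from the ping session shown on this page.
SAMPLE_DEBUG = """\
Jan 20 16:34:49.207: IP: s=172.16.12.1 (local), d=172.16.4.34 (Serial0), len 100, sending
Jan 20 16:34:49.287: IP: s=172.16.4.34 (Serial0), d=172.16.12.1 (Serial0), len 56, rcvd 3
Jan 20 16:34:49.291: ICMP: dst (172.16.12.1) administratively prohibited unreachable rcv from 172.16.4.34
Jan 20 16:34:49.295: IP: s=172.16.12.1 (local), d=172.16.4.34 (Serial0), len 100, sending
Jan 20 16:34:51.295: IP: s=172.16.12.1 (local), d=172.16.4.34 (Serial0), len 100, sending
Jan 20 16:34:51.367: IP: s=172.16.4.34 (Serial0), d=172.16.12.1 (Serial0), len 56, rcvd 3
Jan 20 16:34:51.371: ICMP: dst (172.16.12.1) administratively prohibited unreachable rcv from 172.16.4.34
Jan 20 16:34:51.379: IP: s=172.16.12.1 (local), d=172.16.4.34 (Serial0), len 100, sending
"""

# Locally originated packet leaving the router (the echo request).
SENDING = re.compile(r"IP: s=[\d.]+ \(local\), d=(?P<dst>[\d.]+) .*, sending$")
# ICMP unreachable generated because a filter dropped the packet.
ADMIN_PROHIBITED = re.compile(
    r"ICMP: dst \([\d.]+\) administratively prohibited unreachable "
    r"rcv from (?P<reporter>[\d.]+)$"
)
# IOS ping result characters: "!" reply, "." timeout, "U" unreachable received.
PING_CODES = {"!": "reply", ".": "timeout", "U": "unreachable"}

def summarize_debug(text):
    """Return (echoes sent per destination, admin-prohibited replies per reporter)."""
    sent, blocked = Counter(), Counter()
    for line in text.splitlines():
        line = line.strip()
        if m := SENDING.search(line):
            sent[m["dst"]] += 1
        elif m := ADMIN_PROHIBITED.search(line):
            blocked[m["reporter"]] += 1
    return sent, blocked

def decode_ping(result):
    """Count the outcome of each probe in an IOS ping result string like 'U.U.U'."""
    return Counter(PING_CODES.get(ch, "other") for ch in result.strip())

def filtering_devices(text):
    """Addresses that reported a block: the devices whose ACLs to inspect."""
    return sorted(summarize_debug(text)[1])

if __name__ == "__main__":
    sent, blocked = summarize_debug(SAMPLE_DEBUG)
    print("sent:", dict(sent), "blocked by:", dict(blocked))
    print("ping:", dict(decode_ping("U.U.U")))
```

The address after `rcv from` is the device that generated the unreachable, so it identifies where the ACL is applied, which is not necessarily the ping target.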

For more information about troubleshooting using ping, take a look at these notes:

Links

https://forum.networklessons.com/t/ping-troubleshooting-on-cisco-ios/1460/28?u=lagapides

https://networklessons.com/cisco/ccna-routing-switching-icnd1-100-105/ping-troubleshooting-on-cisco-ios

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-traceroute.html#anc9