ACL for Traceroute

Unanswered Question
Apr 1st, 2009

I want to create an ACL to permit traceroute, but I see two different types of ICMP keywords for traceroute. Which pair is correct?

> permit icmp any any ttl-exceed
> permit icmp any any port-unreachable

or

> permit icmp any any traceroute

thotsaphon Wed, 04/01/2009 - 20:41


To make sure that I will get a response from a Linux, Cisco or Windows box:

permit icmp any any ttl-exceed

permit icmp any any port-unreachable

permit icmp any any echo-reply

This is all for the inbound direction.


thotsaphon Wed, 04/01/2009 - 21:28


I'm not sure about that command. Actually they are different ICMP types and codes,
so there is not one command that includes both ttl-exceed and port-unreachable.

Type 0 Echo-reply

Type 3 Destination-unreachable
  Code 0 network-unreachable
  Code 1 host-unreachable
  Code 2 protocol-unreachable
  Code 3 port-unreachable
  Code 4 fragmentation-needed
  Code 5 source-route-failed
  Code 6 network-unknown
  Code 7 host-unknown
  Code 8 network-prohibited
  Code 9 host-prohibited
  Code 10 TOS-network-unreachable
  Code 11 TOS-host-unreachable
  Code 12 communication-prohibited
  Code 13 host-precedence-violation
  Code 14 precedence-cutoff

Type 11 Time-exceeded
  Code 0 ttl-zero-during-transit
  Code 1 ttl-zero-during-reassembly

Type 30 Traceroute
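
The first reply above lists the three entries to permit, and the second gives the ICMP type/code mapping behind them. The Python below is an added example, not code from this thread or from Cisco: it models first-match evaluation of an IOS-style ICMP ACL with the implicit deny at the end, parses entries in the syntax quoted in the question, and reports which traceroute replies get through. Two things in it are assumptions rather than facts from the thread: IOS spells the type 11 code 0 keyword `ttl-exceeded` (the question writes `ttl-exceed`), and the probe behaviour of each tool (Linux and IOS traceroute send UDP probes and expect a port-unreachable from the destination; Windows tracert sends ICMP echo and expects an echo-reply). The ICMP type 30 `traceroute` keyword matches a message type that none of these tools send or receive, which is why that entry on its own lets no reply through.

```python
"""First-match model of an IOS-style ICMP ACL applied to traceroute replies.

Added example, not code from the thread or from Cisco.  The keyword ->
(type, code) table follows the list posted above; the probe behaviour of
each traceroute implementation is an assumption, noted where it is used.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS named ICMP message keywords -> (type, code); code None means any code.
ICMP_KEYWORDS: Dict[str, Tuple[int, Optional[int]]] = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "unreachable": (3, None),      # any destination-unreachable code
    "port-unreachable": (3, 3),
    "time-exceeded": (11, None),   # both time-exceeded codes
    "ttl-exceeded": (11, 0),       # IOS spelling of the thread's "ttl-exceed"
    "traceroute": (30, None),      # RFC 1393 type 30, not used by real tools
}


@dataclass(frozen=True)
class IcmpPacket:
    icmp_type: int
    icmp_code: int
    origin: str  # "hopN" for an intermediate router, "destination" for the target


Entry = Tuple[str, Optional[str]]  # (action, keyword); keyword None = all ICMP


def parse_acl(text: str) -> List[Entry]:
    """Parse lines like 'permit icmp any any port-unreachable' (the syntax quoted
    in the question).  Only 'any any' addresses are modelled; the point here is
    the ICMP message type, not address matching."""
    acl: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        action, proto, src, dst = tok[:4]
        if action not in ("permit", "deny") or proto != "icmp":
            raise ValueError("only 'permit|deny icmp' entries are modelled: " + line)
        if src != "any" or dst != "any":
            raise ValueError("only 'any any' addresses are modelled: " + line)
        keyword = tok[4] if len(tok) > 4 else None
        if keyword is not None and keyword not in ICMP_KEYWORDS:
            raise ValueError("unknown ICMP keyword: " + keyword)
        acl.append((action, keyword))
    return acl


def acl_permits(acl: List[Entry], pkt: IcmpPacket) -> bool:
    """The first matching entry decides; an IOS ACL ends with an implicit deny."""
    for action, keyword in acl:
        if keyword is None:
            matched = True
        else:
            t, c = ICMP_KEYWORDS[keyword]
            matched = pkt.icmp_type == t and (c is None or pkt.icmp_code == c)
        if matched:
            return action == "permit"
    return False


def traceroute_replies(probe_kind: str, hops: int) -> List[IcmpPacket]:
    """ICMP messages the tracing host expects back for `hops` routers plus the
    destination.  Assumption: Linux and IOS traceroute send UDP probes, so the
    destination answers port-unreachable (3/3); Windows tracert sends ICMP echo,
    so the destination answers echo-reply (0/0).  Every intermediate hop answers
    time-exceeded in transit (11/0)."""
    replies = [IcmpPacket(11, 0, f"hop{i}") for i in range(1, hops + 1)]
    if probe_kind == "udp":
        replies.append(IcmpPacket(3, 3, "destination"))
    elif probe_kind == "icmp-echo":
        replies.append(IcmpPacket(0, 0, "destination"))
    else:
        raise ValueError("probe_kind must be 'udp' or 'icmp-echo'")
    return replies


def check_acl(acl: List[Entry], probe_kind: str, hops: int = 3):
    """Per-reply verdicts, so the reader sees exactly where a trace would stall."""
    return [(p.origin, acl_permits(acl, p)) for p in traceroute_replies(probe_kind, hops)]


def trace_completes(acl: List[Entry], probe_kind: str, hops: int = 3) -> bool:
    return all(ok for _, ok in check_acl(acl, probe_kind, hops))


# The three entries from the first reply, in the question's syntax.
FULL_ACL = parse_acl("""
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any echo-reply
""")
TTL_ONLY_ACL = parse_acl("permit icmp any any ttl-exceeded")
TRACEROUTE_KEYWORD_ACL = parse_acl("permit icmp any any traceroute")

if __name__ == "__main__":
    for name, acl in (("full", FULL_ACL), ("ttl-only", TTL_ONLY_ACL),
                      ("traceroute-kw", TRACEROUTE_KEYWORD_ACL)):
        for kind in ("udp", "icmp-echo"):
            print(f"{name:14} {kind:9} ->", check_acl(acl, kind))
```

Running it shows the three-entry ACL passing every reply for both probe kinds, the `ttl-exceeded`-only ACL passing the intermediate hops but dropping the final reply (the trace shows `* * *` on the last line), and the `traceroute` keyword entry dropping everything. Ordering matters too: a `deny` placed before a matching `permit` wins, which is the first-match behaviour the model implements.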


Rupesh Kashyap Wed, 04/01/2009 - 21:50

Thanks for your efforts. I think you are right, as I have never seen a traceroute keyword in an ACL.

