ACL for Traceroute

Rupesh Kashyap · ‎04-01-2009

I want to create an acl to permit traceroute. But I see two different types

of the icmp commands for traceroute. Which pair is correct?

>

> permit icmp any any ttl-exceed

> permit icmp any any port-unreachable

or permit icmp any any traceroute

Thotsaphon Lueangwattanaphong · ‎04-01-2009

Rupesh,

To make sure that I will get any response from Linux,Cisco or Windows box.

permit icmp any any ttl-exceed

permit icmp any any port-unreachable

permit icmp any any echo-reply

This is all about inbound direction.

Toshi

Rupesh Kashyap · ‎04-01-2009

What is the meaning of permit icmp any any traceroute ?

Thotsaphon Lueangwattanaphong · ‎04-01-2009

Rupesh,

I'm not sure about that command. Actually it's a different type and code for ICMP.

So It's not all in one command to include things like ttl-exceed and port-unreachable.

Type 0 Echo-reply

Type 3 Destination-unreachable

Code 0 network-unreachable

Code 1 host-unreachable

Code 2 protocol-unreachable

Code 3 port-unreachable

Code 4 fragmentation-needed

Code 5 source-route-failed

Code 6 network-unknown

Code 7 host-unknown

Code 8 network-prohibited

Code 9 host-prohibited

Code 10 TOS-network-unreachable

Code 11 TOS-host-unreachable

Code 12 communication-prohibited

Code 13 host-precedence-violation

Code 14 precedence-cutoff

Type 11 Time-exceeded

Code 0 ttl-zero-during-transit

Code 1 ttl-zero-during-reassembly

Type 30 Traceroute

Toshi

Rupesh Kashyap · ‎04-01-2009

thanks for your efforts. I think you are write as I have never seen traceroute keyword in acl.