Enable traceroute after blocking ICMP

Unanswered Question
Nov 5th, 2009
User Badges:


I am trying to disable PING and Tracerout but leave it enable for internal hosts.

After done below configuraion, I can ping any outside hosts but can't do traceroute.

Can anyone tell me what configuration is missing? Thank you.

ip access-list extended ICMP

permit icmp any any echo-reply

permit icmp any any traceroute

deny icmp any any

permit ip any any

interface GigabitEthernet1/1

ip access-group ICMP in

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Lucien Avramov Thu, 11/05/2009 - 12:20
User Badges:
  • Red, 2250 points or more

Traceroute can be used over different protocols and port. It does not have to be over icmp.

Different vendors / OS use different implementation for traceroute.

Lucien Avramov Thu, 11/05/2009 - 14:14
User Badges:
  • Red, 2250 points or more

Your config seems right.

You need to find what type of traceroute your computer is using and then you can allow this on the router.

It sounds like your computer is not using ICMP based traceroute.

johgill Thu, 11/05/2009 - 14:42
User Badges:
  • Bronze, 100 points or more

I assume this ACL is applied inbound at the edge?

I would suggest adding

permit icmp any any ttl-exceed

permit icmp any any port-unreachable




This Discussion