11-05-2009 10:52 AM - edited 03-06-2019 08:28 AM
Hello,
I am trying to disable PING and traceroute but leave it enabled for internal hosts.
After doing the configuration below, I can ping any outside host but can't do a traceroute.
Can anyone tell me what configuration is missing? Thank you.
ip access-list extended ICMP
 permit icmp any any echo-reply
 permit icmp any any traceroute
 deny icmp any any
 permit ip any any
interface GigabitEthernet1/1
 ip access-group ICMP in
11-05-2009 12:20 PM
Traceroute can be used over different protocols and ports. It does not have to be over ICMP.
Different vendors / OSes use different implementations of traceroute.
11-05-2009 01:54 PM
So my configuration is correct?
Thank you.
11-05-2009 02:14 PM
Your config seems right.
You need to find what type of traceroute your computer is using and then you can allow this on the router.
It sounds like your computer is not using ICMP-based traceroute.
11-05-2009 02:42 PM
I assume this ACL is applied inbound at the edge?
I would suggest adding
permit icmp any any ttl-exceed
permit icmp any any port-unreachable
Regards,
John
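The point made in the two replies above (traceroute probes differ by OS, but every flavour needs the ICMP time-exceeded replies from intermediate hops, and UDP traceroute also needs the final port-unreachable) is easier to see by running the original poster's ACL and John's amended one against the replies each flavour depends on. The following is an added example written for this thread, not code from the original posts or from Cisco. It models only the `any any` form of IOS ACL entries used here and assumes the standard IOS keyword-to-ICMP-type mapping (with `ttl-exceeded` as the full form of the keyword John abbreviates); the two ACL texts are constructed from the posts above.

```python
"""Added example: model how an inbound IOS-style ACL treats the replies each
traceroute flavour depends on. Not code from the original thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed IOS ICMP keyword -> (type, code). Only the keywords used here.
ICMP_TYPES: Dict[str, Tuple[int, int]] = {
    "echo": (8, 0),
    "echo-reply": (0, 0),
    "ttl-exceeded": (11, 0),      # time exceeded in transit: every hop's reply
    "port-unreachable": (3, 3),   # last hop's reply to a UDP probe
    "traceroute": (30, 0),        # RFC 1393 ICMP Traceroute, essentially unused
}

# Constructed from the thread: the original ACL and John's suggested fix.
ORIGINAL_ACL = """
ip access-list extended ICMP
 permit icmp any any echo-reply
 permit icmp any any traceroute
 deny icmp any any
 permit ip any any
"""
FIXED_ACL = """
ip access-list extended ICMP
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 deny icmp any any
 permit ip any any
"""

@dataclass(frozen=True)
class Packet:
    proto: str                                 # "icmp", "udp" or "tcp"
    icmp: Optional[Tuple[int, int]] = None     # (type, code) when proto == "icmp"
    dst_port: Optional[int] = None             # udp/tcp destination port

Entry = Tuple[str, str, Optional[str]]         # (action, protocol, icmp keyword)

def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny <proto> any any [icmp-keyword]' lines; others are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            continue
        if parts[2] != "any" or parts[3] != "any":
            raise ValueError("only 'any any' source/destination is modelled: " + line)
        keyword = parts[4] if len(parts) > 4 else None
        if keyword is not None and keyword not in ICMP_TYPES:
            raise ValueError("unknown ICMP keyword: " + keyword)
        entries.append((parts[0], parts[1], keyword))
    return entries

def matches(entry: Entry, pkt: Packet) -> bool:
    _, proto, keyword = entry
    if proto == "ip":
        return True                            # 'ip' matches every protocol
    if proto != pkt.proto:
        return False
    if keyword is None:
        return True                            # e.g. 'deny icmp any any'
    return ICMP_TYPES[keyword] == pkt.icmp

def acl_action(entries: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for entry in entries:
        if matches(entry, pkt):
            return entry[0]
    return "deny"

# Inbound packets each traceroute flavour must receive at the edge to complete.
TRACEROUTE_REPLIES: Dict[str, List[Tuple[str, Packet]]] = {
    "icmp-echo (Windows tracert, traceroute -I)": [
        ("ttl-exceeded", Packet("icmp", ICMP_TYPES["ttl-exceeded"])),
        ("echo-reply", Packet("icmp", ICMP_TYPES["echo-reply"])),
    ],
    "udp (classic Unix/Linux traceroute)": [
        ("ttl-exceeded", Packet("icmp", ICMP_TYPES["ttl-exceeded"])),
        ("port-unreachable", Packet("icmp", ICMP_TYPES["port-unreachable"])),
    ],
    "tcp (tcptraceroute, traceroute -T)": [
        ("ttl-exceeded", Packet("icmp", ICMP_TYPES["ttl-exceeded"])),
        ("tcp SYN/ACK or RST", Packet("tcp", dst_port=33434)),
    ],
}

def blocked_replies(acl_text: str, flavour: str) -> List[str]:
    """Names of the replies the ACL drops for the given traceroute flavour."""
    entries = parse_acl(acl_text)
    return [name for name, pkt in TRACEROUTE_REPLIES[flavour]
            if acl_action(entries, pkt) == "deny"]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("with John's lines", FIXED_ACL)):
        for flavour in TRACEROUTE_REPLIES:
            print(f"{label:18} {flavour:44} blocked: {blocked_replies(acl, flavour)}")
    # 'permit ip any any' lets an outsider's own UDP traceroute probes straight in.
    print("outside UDP probe:", acl_action(parse_acl(ORIGINAL_ACL), Packet("udp", dst_port=33434)))
```

Two things the model makes visible: the original ACL drops the time-exceeded replies for every flavour, so even Windows tracert only sees the final hop, and the `deny icmp any any` / `permit ip any any` pair only stops ICMP-based probes from outside; an outsider's UDP or TCP traceroute probes are still permitted inbound by `permit ip any any`, so this ACL alone does not "disable traceroute" into the network.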