Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1177
Views
0
Helpful
4
Replies

Enable traceroute after blocking ICMP

David Lin
Level 1
Level 1

‎11-05-2009 10:52 AM - edited ‎03-06-2019 08:28 AM

Hello,

I am trying to disable PING and Tracerout but leave it enable for internal hosts.

After done below configuraion, I can ping any outside hosts but can't do traceroute.

Can anyone tell me what configuration is missing? Thank you.

ip access-list extended ICMP

permit icmp any any echo-reply

permit icmp any any traceroute

deny icmp any any

permit ip any any

interface GigabitEthernet1/1

ip access-group ICMP in

Labels:
0 Helpful
4 Replies 4

Lucien Avramov
Level 10
Level 10

‎11-05-2009 12:20 PM

Traceroute can be used over different protocols and port. It does not have to be over icmp.

Different vendors / OS use different implementation for traceroute.

0 Helpful

David Lin
Level 1
Level 1
In response to Lucien Avramov

‎11-05-2009 01:54 PM

So my configuration is correct?

Thank you.

0 Helpful

Lucien Avramov
Level 10
Level 10
In response to David Lin

‎11-05-2009 02:14 PM

Your config seems right.

You need to find what type of traceroute your computer is using and then you can allow this on the router.

It sounds like your computer is not using ICMP based traceroute.

0 Helpful

johgill
Level 1
Level 1
In response to David Lin

‎11-05-2009 02:42 PM

I assume this ACL is applied inbound at the edge?

I would suggest adding

permit icmp any any ttl-exceed

permit icmp any any port-unreachable

Regards,

John

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card