Difference between ping and traceroute actions.

Nov 26th, 2009

In a lab environment I was experimenting with ACLs and inspections. I could ping a destination with no problem, but when trying to use traceroute to the same destination it would fail. Access list I was using was:

    access-list 101 permit icmp any any echo-reply log
    access-list 101 permit tcp any any www established log

Inspect rules were:

    ip inspect name myrules tcp audit-trail on
    ip inspect name myrules udp audit-trail on
    ip inspect name myrules icmp audit-trail on
    ip inspect name myrules http audit-trail on
    ip inspect name myrules ftp audit-trail on

Trying to figure out why ping would work and not traceroute. I am pinging across a VPN tunnel to another router. Access list and inspection rules applied to the inbound port between tunnel router and destination router.

I am a CCNP student at local college.

Thanks, Doug

Reddoug53_2 Mon, 11/30/2009 - 18:20


I used your ACLs and was able to successfully use the traceroute command.

Thanks, Doug

marikakis Tue, 12/01/2009 - 03:10

Hi Doug,

That's good news! Thanks for taking the time to provide feedback about the outcome.

Kind Regards,


marikakis Wed, 12/02/2009 - 06:33

Hi Milan,

You are right. In this case there was a single ACL reported to exist, it would permit echo-reply (so ping worked), and it was applied to some inbound port. For that reason I thought the problem was probably in the return path and suggested only the minimum required additional configuration for traceroute to work as well. What needs to be included in the ACLs depends on the direction the ACL is applied (in/out of interface).

Kind Regards,


Edit: I forgot to mention that the direction of the traceroute is also part of the game.
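
The reasoning in the reply above, as an added example that is not part of the original thread: a simplified first-match model of ACL 101 as posted, checked against the return packets of ping and of a Cisco-style UDP traceroute (ICMP time-exceeded from intermediate hops, port-unreachable from the destination). It assumes the ACL filters the return path with `any any` addresses and ignores the inspect rules; the two extra entries are an assumed minimal addition, since the ACLs suggested in the thread are not shown on the page.

```python
"""Simplified first-match model of the ACL from the question (not IOS itself)."""

ACL_AS_POSTED = """\
access-list 101 permit icmp any any echo-reply log
access-list 101 permit tcp any any www established log
"""

# Assumption: minimal entries for traceroute's return traffic; the ACLs that
# were actually suggested in the thread do not appear on the page.
ASSUMED_ADDITION = """\
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any port-unreachable
"""

def parse(text):
    """Parse 'access-list N action proto any any [qualifiers]' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        # Model limit: source and destination are one token each ("any").
        quals = frozenset(tok[6:]) - {"log"}
        entries.append((tok[2], tok[3], quals))
    return entries

def evaluate(entries, proto, attrs):
    """Return the first matching entry's action, else the implicit deny."""
    for action, e_proto, quals in entries:
        if e_proto == proto and quals <= attrs:
            return action
    return "deny"  # every ACL ends with an implicit deny

# Constructed return packets arriving at the filtered interface.
RETURNS = {
    "ping reply": ("icmp", {"echo-reply"}),
    "traceroute hop": ("icmp", {"time-exceeded"}),
    "traceroute final": ("icmp", {"port-unreachable"}),
}

def verdicts(acl_text):
    entries = parse(acl_text)
    return {name: evaluate(entries, p, a) for name, (p, a) in RETURNS.items()}

if __name__ == "__main__":
    print("as posted:    ", verdicts(ACL_AS_POSTED))
    print("with addition:", verdicts(ACL_AS_POSTED + ASSUMED_ADDITION))
```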

