
Difference between ping and traceroute actions.

REDDOUG53
Level 1

In a lab environment I was experimenting with ACLs and inspections. I could ping a destination with no problem but when trying to use traceroute to the same destination it would fail. The access list I was using was:

access-list 101 permit icmp any any echo-reply log
access-list 101 permit tcp any any www established log

Inspect rules were:

ip inspect name myrules tcp audit-trail on
ip inspect name myrules udp audit-trail on
ip inspect name myrules icmp audit-trail on
ip inspect name myrules http audit-trail on
ip inspect name myrules ftp audit-trail on

Trying to figure out why ping would work and not traceroute. I am pinging across a VPN tunnel to another router. The access list and inspection rules are applied to the inbound port between the tunnel router and the destination router.

I am a CCNP student at local college.

Thanks, Doug

6 Replies

marikakis
Level 7

Please have a look at the following URL about how traceroute works:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml#traceroute

If I understand your setup correctly, then I think you need at least the following ACEs included in the ACL:

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

Hi

I used your ACLs and was able to successfully use the traceroute command.

Thanks, Doug

Hi Doug,

That's good news! Thanks for taking the time to provide feedback about the outcome.

Kind Regards,

Maria

Hi,

Also note that Cisco devices send UDP packets when running the tracert command:

http://www.cisco.com/en/US/tech/tk364/technologies_tech_note09186a00801ae32a.shtml

BR,

Milan

Hi Milan,

You are right. In this case a single ACL was reported to exist; it permitted echo-reply (so ping worked), and it was applied to some inbound port. For that reason I thought the problem was probably in the return path and suggested only the minimum additional configuration required for traceroute to work as well. What needs to be included in the ACLs depends on the direction in which the ACL is applied (in/out of the interface).

Kind Regards,

Maria

Edit: I forgot to mention that the direction of the traceroute is also part of the game.
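As an added illustration of the points made in this thread (Maria's minimal ACEs, Milan's note that IOS traceroute sends UDP probes, and the remark that the ACL direction matters), the following Python script is not code from the thread or from Cisco. It parses ACEs in the syntax Doug posted and evaluates them against the packets a ping and a UDP traceroute generate on the return path and on the forward path. It assumes the ACL is applied inbound on the interface facing the traceroute target (so only return traffic is filtered), treats TCP port/established qualifiers as matching (they do not affect the ICMP/UDP packets modelled here), and ignores CBAC inspection, which would separately open return pinholes; the probe port 33434 is the conventional traceroute starting port and is a constructed sample value.

```python
"""Stateless model of an IOS numbered extended ACL on one interface.

Added example (not the thread's or Cisco's code). Parses ACEs such as
'access-list 101 permit icmp any any echo-reply log' and tests the packets
that ping and traceroute need, to show why the original ACL passed ping but
broke traceroute, and why the answer depends on the ACL direction.
Assumption: only IP protocol and ICMP type are matched; TCP port and
'established' qualifiers are ignored, and CBAC inspection is not modelled.
"""
from dataclasses import dataclass
from typing import Optional

# ICMP keyword -> type number (for reference; only the keyword is matched)
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "udp" or "tcp"
    icmp_type: Optional[str] = None   # keyword form, e.g. "echo-reply"
    dst_port: Optional[int] = None    # informational for UDP/TCP


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "icmp", "udp", "tcp" or "ip"
    icmp_type: Optional[str]          # None = any ICMP type

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def parse_acl(text: str) -> list[Ace]:
    """Parse 'access-list N permit|deny proto any any [qualifiers] [log]' lines."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if len(tok) < 6 or tok[0] != "access-list":
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto = tok[2], tok[3]
        # Tokens after 'any any' are qualifiers; keep only a known ICMP type.
        quals = [t for t in tok[6:] if t != "log"]
        icmp_type = next((q for q in quals if q in ICMP_TYPES), None)
        aces.append(Ace(action, proto, icmp_type))
    return aces


def acl_permits(aces: list[Ace], pkt: Packet) -> bool:
    """First-match semantics with the implicit 'deny ip any any' at the end."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


# Return-path traffic each tool needs to see: ping needs echo-reply; an IOS
# traceroute sends UDP probes and needs ICMP time-exceeded from each hop and
# ICMP port-unreachable from the final destination.
PING_RETURN = [Packet("icmp", icmp_type="echo-reply")]
TRACEROUTE_RETURN = [Packet("icmp", icmp_type="time-exceeded"),
                     Packet("icmp", icmp_type="unreachable")]
# Forward-path traffic, i.e. what the same ACL would see if applied outbound
# toward the target instead of inbound from it (port 33434 is a sample value).
PING_FORWARD = [Packet("icmp", icmp_type="echo")]
TRACEROUTE_FORWARD = [Packet("udp", dst_port=33434)]

# Constructed from the ACL posted in the question and the ACEs in the answer.
ORIGINAL_ACL = """
access-list 101 permit icmp any any echo-reply log
access-list 101 permit tcp any any www established log
"""
FIXED_ACL = ORIGINAL_ACL + """
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
"""


def tool_works(aces: list[Ace], packets: list[Packet]) -> bool:
    """A tool works only if every packet it depends on is permitted."""
    return all(acl_permits(aces, p) for p in packets)


def summarize(acl_text: str) -> dict[str, bool]:
    aces = parse_acl(acl_text)
    return {
        "ping_return": tool_works(aces, PING_RETURN),
        "traceroute_return": tool_works(aces, TRACEROUTE_RETURN),
        "ping_forward": tool_works(aces, PING_FORWARD),
        "traceroute_forward": tool_works(aces, TRACEROUTE_FORWARD),
    }


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, summarize(acl))
```

With the original ACL the return-path check passes for ping and fails for traceroute; adding the two ICMP ACEs makes both pass. The forward-path entries stay false for both ACLs, which is the direction point: the same two lines would not help if the ACL were applied outbound toward the target, where the UDP probes and echo requests themselves would need permitting.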

REDDOUG53
Level 1

Thanks, I will give it a try Monday.

Doug
