Cisco Support Community

Enable traceroute after blocking ICMP

Hello,

I am trying to disable ping and traceroute but leave them enabled for internal hosts.

After doing the configuration below, I can ping any outside hosts but can't do traceroute.

Can anyone tell me what configuration is missing? Thank you.

ip access-list extended ICMP
 permit icmp any any echo-reply
 permit icmp any any traceroute
 deny icmp any any
 permit ip any any
!
interface GigabitEthernet1/1
 ip access-group ICMP in

4 REPLIES

Re: Enable traceroute after blocking ICMP

Traceroute can be used over different protocols and ports. It does not have to be over ICMP.

Different vendors / OSes use different implementations of traceroute.


Re: Enable traceroute after blocking ICMP

So my configuration is correct?

Thank you.

Re: Enable traceroute after blocking ICMP

Your config seems right.

You need to find what type of traceroute your computer is using and then you can allow this on the router.

It sounds like your computer is not using ICMP-based traceroute.


Re: Enable traceroute after blocking ICMP

I assume this ACL is applied inbound at the edge?

I would suggest adding

permit icmp any any ttl-exceeded
permit icmp any any port-unreachable

Regards,

John
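The complete ACL that the last reply points to, written out as an added example; it is not from the original thread and not Cisco's own documentation. It assumes the same ACL name (ICMP) and interface (GigabitEthernet1/1) as the original post, applied inbound on the interface that faces the outside. Lines starting with "!" are comments.

```cisco
! Added example, not part of the original thread. Assumes ACL name ICMP and
! interface GigabitEthernet1/1 from the original post, applied inbound on the
! outside-facing interface.
!
! Why the original ACL breaks traceroute: the "traceroute" keyword matches
! ICMP type 30 (the obsolete RFC 1393 message), which common traceroute tools
! neither send nor expect. Every common implementation finds each hop by
! collecting ICMP Time Exceeded (type 11, code 0) replies. The final hop
! answers with Port Unreachable (type 3, code 3) for UDP probes (the Linux
! and macOS default) or Echo Reply (type 0) for ICMP probes (Windows tracert,
! traceroute -I). TCP probes (traceroute -T) get a TCP reply, which the final
! "permit ip any any" already lets through.
!
ip access-list extended ICMP
 remark --- replies to ping and traceroute started by inside hosts ---
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 remark --- drop all other ICMP from outside, echo requests included ---
 deny icmp any any
 remark --- everything that is not ICMP is untouched by this ACL ---
 permit ip any any
!
interface GigabitEthernet1/1
 ip access-group ICMP in
```

To see which entry a probe is hitting, run `show ip access-lists ICMP` while a traceroute is in progress; each line shows its match count, so a growing count on `deny icmp any any` while `ttl-exceeded` stays at zero tells you the expected reply type is still wrong. To find out which probe type a client sends: Linux and macOS `traceroute` uses UDP by default, `traceroute -I` uses ICMP echo and `traceroute -T` uses TCP SYN, while Windows `tracert` always uses ICMP echo. `ttl-exceeded` matches only type 11 code 0; `time-exceeded` would also match code 1 (fragment reassembly time exceeded), which traceroute does not need. One caveat on the stated goal of blocking traceroute from outside: this ACL only stops ICMP-based traceroute (the inbound echo request is dropped). UDP and TCP probes from outside hosts still pass the final `permit ip any any`, so if outside-to-inside traceroute must be blocked too, that line needs to be tightened rather than left as a blanket permit.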
