
Difference between ping and traceroute actions.

In a lab environment I was experimenting with ACLs and inspections. I could ping a destination with no problem, but when trying to use traceroute to the same destination it would fail. The access list I was using was:

access-list 101 permit icmp any any echo-reply log

access-list 101 permit tcp any any www established log

Inspect rules were:

ip inspect name myrules tcp audit-trail on

ip inspect name myrules udp audit-trail on

ip inspect name myrules icmp audit-trail on

ip inspect name myrules http audit-trail on

ip inspect name myrules ftp audit-trail on

Trying to figure out why ping would work and not traceroute. I am pinging across a VPN tunnel to another router. Access list and inspection rules applied to the inbound port between tunnel router and destination router.

I am a CCNP student at a local college.

Thanks, Doug

6 REPLIES

Re: Difference between ping and traceroute actions.

Please have a look at the following URL about how traceroute works:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml#traceroute

If I understand your setup correctly, then I think you need at least the following ACEs included in the ACL:

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable


Re: Difference between ping and traceroute actions.

Hi

I used your ACLs and was able to successfully use the traceroute command.

Thanks, Doug

Re: Difference between ping and traceroute actions.

Hi Doug,

That's good news! Thanks for taking the time to provide feedback about the outcome.

Kind Regards,

Maria

Re: Difference between ping and traceroute actions.

Hi,

Also note that Cisco devices are sending UDP packets when running the tracert command:

http://www.cisco.com/en/US/tech/tk364/technologies_tech_note09186a00801ae32a.shtml

BR,

Milan

Re: Difference between ping and traceroute actions.

Hi Milan,

You are right. In this case there was a single ACL reported to exist, it would permit echo-reply (so ping worked), and it was applied to some inbound port. For that reason I thought the problem was probably in the return path and suggested only the minimum required additional configuration for traceroute to work as well. What needs to be included in the ACLs depends on the direction the ACL is applied (in/out of interface).

Kind Regards,

Maria

Edit: I forgot to mention that the direction of the traceroute is also part of the game.


Re: Difference between ping and traceroute actions.

Thanks, I will give it a try Monday.

Doug
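
The behaviour discussed in this thread, as an added example that is not part of any poster's reply: a first-match evaluation of ACL 101 against the ICMP replies that ping and a UDP-based traceroute rely on. It assumes the ACL alone filters the return traffic (the `ip inspect` rules are not modelled), and the function names and sample traffic are constructed for illustration.

```python
# ICMP type numbers for the IOS keywords used in the thread (RFC 792).
ICMP_KEYWORDS = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

ORIGINAL_ACL = """\
access-list 101 permit icmp any any echo-reply log
access-list 101 permit tcp any any www established log
"""
SUGGESTED_ACES = """\
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
"""

def parse_icmp_aces(config):
    """Return [(action, icmp_type or None)] for 'icmp any any' ACEs only."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "icmp":
            continue  # non-ICMP ACEs never match the ICMP replies modelled here
        if tok[4:6] != ["any", "any"]:
            raise ValueError("only 'any any' ACEs are modelled: " + line)
        rest = [t for t in tok[6:] if t != "log"]  # 'log' is not a message type
        if rest and rest[0] not in ICMP_KEYWORDS:
            raise ValueError("ICMP keyword not modelled: " + rest[0])
        aces.append((tok[2], ICMP_KEYWORDS[rest[0]] if rest else None))
    return aces

def acl_action(aces, icmp_type):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for action, ace_type in aces:
        if ace_type is None or ace_type == icmp_type:
            return action
    return "deny"

# Constructed return traffic arriving at the filtered interface.
RETURN_TRAFFIC = {
    "ping reply": 0,                    # echo-reply from the destination
    "traceroute intermediate hop": 11,  # time-exceeded, TTL expired in transit
    "traceroute final hop": 3,          # port unreachable for the UDP probe
}

def evaluate(config):
    aces = parse_icmp_aces(config)
    return {name: acl_action(aces, t) for name, t in RETURN_TRAFFIC.items()}

if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_ACL))
    print("with suggested ACEs:", evaluate(ORIGINAL_ACL + SUGGESTED_ACES))
```

With the original ACL only the echo-reply is permitted, so ping succeeds while both kinds of traceroute reply hit the implicit deny; adding the two suggested ACEs permits all three.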
