How to allow Traceroute and TraceRT on Access-list(ACL)

Here is a sample configuration to allow traceroute (Unix or network devices) and tracert (MS Windows) through an inbound ACL.

The "TraceRoute" command on Unix and Cisco devices sends UDP packets, while the "TraceRT" command on MS Windows sends ICMP echo requests.
In both cases the returning packets are ICMP only, so the inbound ACL has to permit those ICMP replies.


Cisco Router#
Cisco Router#conf t

Cisco Router(config)#access-list 111 permit icmp any any time-exceeded
Cisco Router(config)#access-list 111 permit icmp any any unreachable
(use port-unreachable instead of unreachable if you only want to permit ICMP type 3 code 3, the reply the final hop sends to the UDP probe)

If you also want to accept ping replies (ICMP echo-reply), it would be like below:

Cisco Router#
Cisco Router#conf t
Cisco Router(config)#access-list 111 permit icmp any any echo-reply       ! ICMP type 0
Cisco Router(config)#access-list 111 permit icmp any any time-exceeded    ! ICMP type 11
Cisco Router(config)#access-list 111 permit icmp any any unreachable      ! ICMP type 3 (or port-unreachable for type 3 code 3 only)


Then apply it inbound on the WAN serial interface (serial1/1 in this example):

Cisco Router#
Cisco Router#conf t

Cisco Router(config)#interface serial1/1
Cisco Router(config-if)#ip access-group 111 in

* If you also have an outbound ACL on the interface, it must allow the outgoing probes: UDP for Unix/Cisco traceroute and ICMP echo for Windows tracert. If you only have an inbound policy, the lines below are not needed.

Cisco Router(config)#access-list 111 permit udp any any gt 3000    ! Unix/Cisco traceroute UDP probes (destination ports start at 33434 by default)
Cisco Router(config)#access-list 111 permit icmp any any echo      ! ICMP echo request (type 8), Windows tracert probes
 

** If you see output like the one below, it is evidence that "time-exceeded" (ICMP type 11) is missing from the ACL: the intermediate hops time out (*) while the final hop still answers, because its reply is a port-unreachable rather than a time-exceeded.

Cisco Router#tr 200.200.200.1

Type escape sequence to abort.
Tracing the route to 200.200.200.1

  1 100.100.100.2 24 msec 24 msec 8 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6 200.200.200.1 44 msec 52 msec *
Cisco Router#
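As an added example (not part of the original post), the following Python model evaluates the ICMP keywords used in the ACL above against the replies a trace generates, so you can see why omitting time-exceeded stars out every intermediate hop while the final hop still answers. The keyword-to-type table is standard IOS; the sample ACL text and the hop model are constructed for illustration.

```python
# Added example (not from the original post): a small model of how an inbound
# ICMP ACL decides whether traceroute replies get back in.  The keyword table,
# sample ACLs and hop model below are constructed for illustration.

# IOS ICMP keyword -> (type, code); a None code matches any code.
ICMP_KEYWORDS = {
    "echo": (8, None),           # echo request (the Windows tracert probe)
    "echo-reply": (0, None),
    "unreachable": (3, None),    # any destination-unreachable code
    "port-unreachable": (3, 3),
    "time-exceeded": (11, None),
}

ACL_NO_TIME_EXCEEDED = """\
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
"""
ACL_COMPLETE = ACL_NO_TIME_EXCEEDED + "access-list 111 permit icmp any any time-exceeded\n"

def parse_acl(config_text):
    """[(action, type, code)] from 'access-list N <action> icmp any any <kw>' lines."""
    entries = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[0] == "access-list" and parts[3] == "icmp":
            action, keyword = parts[2], parts[6]
            if keyword not in ICMP_KEYWORDS:
                raise ValueError(f"unsupported ICMP keyword: {keyword}")
            entries.append((action, *ICMP_KEYWORDS[keyword]))
    return entries

def permitted(acl, icmp_type, icmp_code):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, t, c in acl:
        if t == icmp_type and (c is None or c == icmp_code):
            return action == "permit"
    return False

def simulate_trace(acl, hops, probe="udp"):
    """Per-hop result ('reply' or '*').  Intermediate hops answer with Time
    Exceeded (11/0); the final hop answers a UDP probe with Port Unreachable
    (3/3) and an ICMP echo probe (Windows tracert) with Echo Reply (0/0)."""
    results = []
    for hop in range(1, hops + 1):
        reply = (11, 0) if hop < hops else ((3, 3) if probe == "udp" else (0, 0))
        results.append("reply" if permitted(acl, *reply) else "*")
    return results
```

Running `simulate_trace(parse_acl(ACL_NO_TIME_EXCEEDED), 4)` reproduces the starred-intermediate-hops pattern shown in the router output above; adding the time-exceeded line makes every hop answer.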