Access-list (ACL) for Traceroute and Tracert

Here is a sample configuration to allow traceroute (Unix or network devices) and tracert (MS Windows).

The "TraceRoute" commands on Unix and Cisco devices send UDP packets, while the "TraceRT" command in MS Windows sends ICMP packets.
In both cases the returning packets are only ICMP. For "TraceRT".


Cisco Router#
Cisco Router#conf t

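! time-exceeded is ICMP type 11
Cisco Router(config)#access-list 111 permit icmp any any time-exceeded
! "unreachable" matches every ICMP type 3 code; use "port-unreachable" instead to match only code 3
Cisco Router(config)#access-list 111 permit icmp any any unreachable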

If you also want to accept ping replies (ICMP echo-reply), the ACL looks like this:

Cisco Router#
Cisco Router#conf t
! echo-reply is ICMP type 0
Cisco Router(config)#access-list 111 permit icmp any any echo-reply
Cisco Router(config)#access-list 111 permit icmp any any time-exceeded
! ICMP type 3; use "port-unreachable" instead of "unreachable" to match only code 3
Cisco Router(config)#access-list 111 permit icmp any any unreachable


Then apply the ACL to the WAN interface (a serial interface in this example):


Cisco Router#
Cisco Router#conf t

Cisco Router(config)#interface serial1/1
Cisco Router(config-if)#ip access-group 111 in

* If you have an outbound ACL, you need to allow UDP and ICMP echo. If you only have an inbound policy, you don't need the lines below.

Cisco Router(config)#access-list 111 permit udp any any gt 3000
! echo is the ICMP echo request (type 8)
Cisco Router(config)#access-list 111 permit icmp any any echo
 

 ** If you see output like the following, it is evidence that the "time-exceeded" (ICMP type 11) entry is missing:

Cisco Router#tr 200.200.200.1

Type escape sequence to abort.
Tracing the route to 200.200.200.1

  1 100.100.100.2 24 msec 24 msec 8 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6 200.200.200.1 44 msec 52 msec *
Cisco Router#
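
The following is an added example, not part of the original page or of any Cisco tooling: a small Python model of inbound ACL 111 that shows why a missing "time-exceeded" entry makes intermediate hops time out while the destination still answers. The function names (parse_acl, permitted, trace) are hypothetical, and the model assumes every reply crosses the filtered interface and matches only on ICMP type and code.

```python
# Added example: first-match model of the inbound ACL 111 shown on this page.
# Assumption: only ICMP type/code matching is modelled (no addresses, no UDP).
ICMP_KEYWORDS = {                      # IOS keyword -> (type, code or None)
    "echo-reply": (0, None),
    "unreachable": (3, None),          # every type 3 code
    "port-unreachable": (3, 3),
    "echo": (8, None),
    "time-exceeded": (11, None),
}

def parse_acl(lines):
    """Turn 'access-list N permit|deny icmp any any <keyword>' lines into rules."""
    rules = []
    for line in lines:
        parts = line.split()
        # parts: access-list, number, action, protocol, source, destination, keyword
        if len(parts) != 7 or parts[0] != "access-list" or parts[3] != "icmp":
            raise ValueError(f"unsupported ACL line: {line!r}")
        rules.append((parts[2], ICMP_KEYWORDS[parts[6]]))
    return rules

def permitted(rules, icmp_type, icmp_code):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, (t, c) in rules:
        if t == icmp_type and (c is None or c == icmp_code):
            return action == "permit"
    return False

def trace(rules, hops, windows=False):
    """Return one marker per hop: 'ok' if the reply passes the ACL, '*' if not.

    Intermediate hops answer with time exceeded (type 11, code 0). The
    destination answers a UDP probe with port unreachable (type 3, code 3)
    and a Windows tracert echo with echo reply (type 0, code 0).
    """
    final = (0, 0) if windows else (3, 3)
    replies = [(11, 0)] * (hops - 1) + [final]
    return ["ok" if permitted(rules, t, c) else "*" for t, c in replies]

FULL = parse_acl([
    "access-list 111 permit icmp any any echo-reply",
    "access-list 111 permit icmp any any time-exceeded",
    "access-list 111 permit icmp any any unreachable",
])
# Same ACL with the time-exceeded entry left out
NO_TTL = [r for r in FULL if r[1] != ICMP_KEYWORDS["time-exceeded"]]

if __name__ == "__main__":
    print("full ACL:        ", trace(FULL, 6))
    print("no time-exceeded:", trace(NO_TTL, 6))
```
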

 

 

Last Updated (Saturday, 13 March 2010 21:59)

 