Question : Allow ping but not tracert

Is there a way to allow ping through a 1721 cisco router, but not Traceroute? I know you can get pretty granular with ICMP, but it seems that tracert needs to echo from ping to work.

thanks

Answer : Allow ping but not tracert

It's easy:
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any time-exceeded

Traceroute uses time exceeded messages plus some udp. So the above will just cause * to appear once it hits your router. The above allows ping both ways; you might want to allow echo-reply inbound while blocking echoes inbound, so inside people can ping and get replies, but outside people can't ping in.

Remember that access lists have an implicit deny at the end. So anything not specifically permitted will be denied once the access list is applied. In the above case ONLY ping will be allowed, no other traffic. So use it as part of a list only!
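To make the ordering and implicit-deny behaviour described in the answer concrete, here is a small added example that is not part of the original thread: a toy evaluator for Cisco-style `access-list` lines, run over constructed sample packets. It assumes every line uses `any any` for addresses (address matching is deliberately not modelled), and the ICMP type keywords are the ones the answer uses.

```python
# Added example (not from the original thread): a minimal evaluator for
# Cisco-style extended ACL lines of the form
#   access-list <n> <permit|deny> <proto> any any [icmp-type]
# It shows first-match evaluation and the implicit deny at the end of the
# list, using the three lines from the answer plus constructed packets.
# Assumptions: source/destination are always "any any"; only the protocol
# and ICMP type are matched.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "udp" or "tcp"
    icmp_type: str = ""   # e.g. "echo", "echo-reply", "time-exceeded"


def parse_acl(text):
    """Turn ACL text into (action, proto, icmp_type) tuples, in order."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue  # ignore blank or non-ACL lines
        action, proto = parts[2], parts[3]
        # An ICMP line may carry a type keyword after "any any"
        icmp_type = parts[6] if proto == "icmp" and len(parts) > 6 else None
        rules.append((action, proto, icmp_type))
    return rules


def evaluate(rules, pkt):
    """First matching line wins; no match means the implicit deny applies."""
    for action, proto, icmp_type in rules:
        if proto not in (pkt.proto, "ip"):       # "ip" matches any protocol
            continue
        if proto == "icmp" and icmp_type is not None and icmp_type != pkt.icmp_type:
            continue
        return action
    return "deny (implicit)"


# The three lines from the answer, as given
ACL_FROM_ANSWER = """
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any time-exceeded
"""

# The same lines used "as part of a list": a catch-all permit appended so
# that ordinary traffic is not swallowed by the implicit deny (constructed)
ACL_WITH_REST = ACL_FROM_ANSWER + "access-list 101 permit ip any any\n"

# Constructed sample packets, one per traffic kind the answer mentions
SAMPLES = {
    "ping request":         Packet("icmp", "echo"),
    "ping reply":           Packet("icmp", "echo-reply"),
    "traceroute hop reply": Packet("icmp", "time-exceeded"),
    "udp traceroute probe": Packet("udp"),
    "web traffic":          Packet("tcp"),
}


def verdicts(acl_text=ACL_FROM_ANSWER):
    """Map each sample packet name to the ACL's verdict."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("answer's lines only", ACL_FROM_ANSWER),
                       ("with permit ip any any", ACL_WITH_REST)):
        print(f"--- {label} ---")
        for name, verdict in verdicts(acl).items():
            print(f"{name:22} -> {verdict}")
```

Run as-is, the first listing shows ping in both directions permitted, the time-exceeded hop replies denied, and everything else (UDP probes, web traffic) hitting the implicit deny, which is exactly why the answer says to use those lines only as part of a larger list. With the catch-all `permit ip any any` appended, web traffic passes while time-exceeded is still denied, because the explicit deny sits earlier in the list and first match wins.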