Question : Problem: Problem with no hop info during traceroute. Blocked, permitted?

Hi,

Pretty simple, but I'm pretty newb...  From this edge router (meaning logged into the router and performing the trace) I want to do a traceroute to a vendor.  Pings work fine, after I added ICMP permits. The trace will complete but I get the "*   *   *" timeout for all the hops.

Am I missing something and blocking myself? The code is the sanitized config off the edge router I'm using (Cisco 2621).

Code Snippet:

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100:

version 12.3 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname LG ! boot-start-marker boot-end-marker ! no logging console enable secret 5 $1$QwJ5$NX6w3bX9xrCqSdAtfhGwG0 ! no aaa new-model ip subnet-zero ip cef ! ! ip name-server 204.117.214.10 ! ! ! ! class-map match-any APP match access-group 110 ! ! policy-map QoS class APP priority percent 35 class class-default fair-queue ! ! ! interface FastEthernet0/0 ip address xxx.xxx.12.226 255.255.255.224 ip nbar protocol-discovery speed auto full-duplex ! interface Serial0/0 description T1 Line ip address xxx.xxx.111.10 255.255.255.252 ip access-group internet-in in ip access-group internet-out out no ip proxy-arp service-policy output QoS ! interface FastEthernet0/1 ip address 192.168.8.1 255.255.255.0 shutdown duplex auto speed auto ! ip http server ip classless ip route 0.0.0.0 0.0.0.0 Serial0/0 ! ! ! ip access-list extended internet-in deny ip 0.0.0.0 0.255.255.255 any log-input deny ip 10.0.0.0 0.255.255.255 any log-input deny ip 127.0.0.0 0.255.255.255 any log-input deny ip 169.254.0.0 0.0.255.255 any log-input deny ip 172.0.0.0 0.31.255.255 any log-input deny ip 192.0.2.0 0.0.0.255 any log-input deny ip 192.168.0.0 0.0.255.255 any log-input deny ip 194.87.6.0 0.0.0.255 any deny ip 209.1.230.0 0.0.0.255 any deny ip 224.0.0.0 31.255.255.255 any log-input deny ip 240.0.0.0 7.255.255.255 any log-input deny ip 248.0.0.0 7.255.255.255 any log-input deny ip host 255.255.255.255 any log-input deny udp 194.87.6.0 0.0.0.255 any permit udp any eq domain any gt 1023 permit tcp any 206.105.12.224 0.0.0.31 gt 1023 established permit icmp any any echo log-input permit icmp any any echo-reply log-input ip access-list extended internet-out permit ip xxx.xxx.12.224 0.0.0.31 any permit icmp any any echo log-input logging xxx.xxx.12.230 access-list 1 permit xxx.xxx.12.224 0.0.0.31 access-list 110 permit tcp any host 209.34.xxx.xxx eq 443 snmp-server community dooroo RO ! line con 0 password 7 051F031D254540080D0A05 login line aux 0 password 7 1311125456050A2B3F2B3A login line vty 0 4 password 7 1311125456050A2B3F2B3A login ! ! end

Open in New Window Select All

Answer : Problem: Problem with no hop info during traceroute. Blocked, permitted?

In order to receive traceroute messages, you need to allow icmp ttl-exceeded messages.

permit icmp any any ttl-exceeded