Traceroute output explanation

kpatoli · ‎05-12-2004

Currently I am pinging an IP Address but getting the A! response. Could any body tell me what configuration have probably been implemented on the remote network router?

patpee_NL · ‎05-12-2004

As you can see here: http://www.cisco.com/warp/public/105/traceroute.shtml#add

The A! means Admin Denied, so it seems that the other router is configured to block traceroute 'attempts'.

kpatoli · ‎05-12-2004

Basically I want to know the configuration / command set on the remote network router.

patpee_NL · ‎05-12-2004

Sorry, my fault. But you just have to make use of extended access-lists which block some ICMP commands.

If you want to permit ping, but not traceroute, then you have to permit echo-reply, block the rest.

access-list 101 permit icmp any any echo-reply

access-list 101 deny icmp any any

access-list 101 permit ip any any

If you want to permit traceroute, but block ping replys, switch it around, permit time-exceeded, permit unreachables, deny echo-reply.

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny icmp any any

access-list 101 permit ip any any

If you want to block all ICMP outbound then you need the following:

access-list 101 deny icmp any any

access-list 101 permit ip any any

Ofcourse you have to apply this accesslist to an interface (serial 0/0 in this case):

serial 0/0

ip access-group 101 in

kpatoli · ‎05-12-2004

Thanks. Your reply solved my problem as required. I hope you will extended such favours in future.

Kashif Siddiq Patoli

Assistant Divisional Engineer,

Pakistan Internet Exchange,

Karachi Pakistan

patoli@pie.net.pk