Permit ping and traceroute and deny all other services using an ACL

First, I'd prefer to apply the ACL inbound on Hermes rather than outbound on Bono. That way "the network protects itself" rather than "I depend on the upstream network to defend this network". But that's just my preference. Your ACL at least blocks traffic before it fills up that serial line.

Second, there are several different implementations of traceroute. The unix and mac variant uses UDP outbound to a high UDP port, and relies on ICMP error messages coming in the other way (on my mac the ports start at 33435 and increase. Per "TCP IP Illustrated Volume 1" by Richard Stevens that is the traditional Unix implementation). Since your traceroute succeeds with an icmp permit, it must be a variant using icmp (I believe windows traceroute uses icmp, I don't have a packet capture so I can't see the exact message used).

Capture of unix tcpdump:

droot@Darrell-Roots-Potato ~ % sudo tcpdump -n udp or icmp
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
14:46:42.103395 IP 192.168.0.27.42637 > 4.2.2.1.33435: UDP, length 24
14:46:42.107453 IP 192.168.0.1 > 192.168.0.27: ICMP time exceeded in-transit, length 36
14:46:42.108577 IP 192.168.0.27.42637 > 4.2.2.1.33436: UDP, length 24
14:46:42.109736 IP 192.168.0.1 > 192.168.0.27: ICMP time exceeded in-transit, length 36
14:46:42.109799 IP 192.168.0.27.42637 > 4.2.2.1.33437: UDP, length 24
14:46:42.110945 IP 192.168.0.1 > 192.168.0.27: ICMP time exceeded in-transit, length 36

Note that the last ICMP reply might be "ICMP destination port unreachable" rather than time exceeded.

I also don't like allowing traceroute into my network. I prefer to allow traceroute out and permit the responses in. But your requirement is to allow traceroute in, so for windows you need to permit the icmp and for unix/mac you need to permit the udp ingress.

Your second requirement is to permit icmp inbound. I don't like allowing reconnaissance of my network, but if that's your requirement it makes that part of the ACL easy. I'd prefer to allow ICMP responses in but block ICMP echo requests.

Your third requirement is to be able to web surf (using TCP) and get replies. I'll expand that to making outbound tcp connections in general and get replies.

That makes your ACL as follows: (you can apply this outbound on bono or inbound on hermes)

access-list 122 remark permit tcp replies to outbound connections
access-list 122 remark but do not allow tcp connections initiated inbound
access-list 122 permit tcp any any established
access-list 122 remark permit icmp inbound per requirement and for windows tcpdump
access-list 122 permit icmp any any
access-list 122 remark permit unix traceroute inbound
access-list 122 remark warning this allows udp scanning of your network
access-list 122 permit udp any any range 33435 33535
access-list 122 remark deny by default explicitly at end, add logging during troubleshooting
access-list 122 deny ip any any ! log

Note that "range 33435 33535" uses an "expensive" LOU TCAM on high-end hardware-forwarding routers. You typically get only 30-50 of those per high-end router. So use them sparingly for important rules (such as minimizing ingress udp scanning, as I did here). Reusing the exact same range in different ACLs typically allows reuse of the same TCAM.

Even after all this, your network will not be "operational". At the very least you need to permit UDP replies from your DNS server (you already permit tcp replies thanks to the "permit tcp any any established").

EDIT: Taking off my network engineer hat and putting on my information security hat, I'd like you to decide which network you want to protect. If you are protecting the Hermes network, don't let the internet ping or traceroute inbound. Pinging and tracerouting outbound (and allowing minimal replies) makes more sense.