ACL help again

Unanswered Question
May 25th, 2007

Hi, I still have another question about access-lists.

There are four routers connected together in a hub-and-spoke topology. The central router A is connected to the internet, and the three others (Miami, LA and Chicago) are connected to it.

So the goal is to PERMIT hosts at LA and Chicago to access web resources on the internet, but NOT hosts in the Miami subnet. Also, we do not want anyone NOT in Miami to access web sites hosted in Miami.

Assuming that the host subnets at Miami are associated with 192.168.1.0/24, Chicago with 192.168.2.0/24 and LA with 192.168.3.0/24, which of the following lines might be used in an ACL to accomplish the task if the last line of the ACL is

access-list 110 permit ip any any ?

A. access-list 110 deny tcp 192.168.0.0 0.0.0.255 any eq 80

B. access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq 80

C. access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80

D. access-list 110 permit tcp any 192.168.0.0 0.0.0.255 eq 80

The answer he gave was A and C, but as far as I am concerned I only answered C and guessed that another ACL command was missing from the choices listed (or incorrectly written).

If we add "A" we're not only blocking hosts in Miami from accessing the internet but also LA's and Chicago's!!! Or we have to change the wildcard mask and/or address (in my opinion).

Please help me fix that shit!

CSCO10892433 Fri, 05/25/2007 - 10:12

Hi, farellfolly

Something needs to be clarified from you:

1. Has the question mentioned any place where the ACL is applied? (Miami, LA or what? Which interface?)

2. The source address in the ACL, 192.168.0.0/24 (192.168.0.0 0.0.0.255), doesn't seem to be relevant to this scenario. Are you sure it is not a typo? It makes more sense if it is "192.168.1.0 0.0.0.255", doesn't it?

3. The goals that the question wants you to achieve (one is that Miami cannot access the internet, the other is that nobody can access Miami's web) are basically in opposite directions. So it's difficult to achieve these goals with only one ACL. It might need two ACLs to do that, agree?

Regards

SSLIN

farellfolly Fri, 05/25/2007 - 11:03

I agree with the fact that at least two or more ACLs are needed. That's why I was suggesting using another wildcard mask and/or IP address (for instance a network address as close as possible (equal) to Miami's subnet).

Next the question did not specify where to place the access-list.

That's.

Should you continue your explanation?

CSCO10892433 Fri, 05/25/2007 - 11:44

I'll try my best...

I suppose that 192.168.0.0 0.0.0.255 is not a typo. This address/mask pair matches 192.168.0.0/24, which appears nowhere in this scenario. It does not match LA's, Chicago's or Miami's subnet. Blocking (or permitting) this address will not achieve any goal that the question gives you. In other words, no answer can be given for this question.

Regards

SSLIN
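The two points argued in this thread (the original poster's objection that option A would also hit LA and Chicago, and SSLIN's reply that 192.168.0.0 0.0.0.255 matches none of the three subnets) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python evaluator that applies Cisco wildcard-mask semantics (a 0 bit in the mask must match, a 1 bit is ignored) and walks an ACL top-down with the implicit deny at the end. The host addresses, the Miami web server address and the "internet" address 203.0.113.5 are constructed sample values; the two ACL variants are the options exactly as quoted in the question and the same entries rewritten against the Miami subnet, which is the correction the thread speculates about.

```python
import ipaddress

# Added example (not from the thread): evaluate Cisco-style extended ACL lines
# against sample flows to see which hosts each option really matches.


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF & ~w  # bits that must be equal
    return (a & care) == (n & care)


def _parse_addr(parts, i):
    """Parse 'any', 'host X' or 'X WILDCARD' at parts[i]; return ((network, wildcard), next index)."""
    if parts[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if parts[i] == "host":
        return (parts[i + 1], "0.0.0.0"), i + 2
    return (parts[i], parts[i + 1]), i + 2


def parse_ace(line: str) -> dict:
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' line."""
    p = line.split()
    if p[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = p[2], p[3]
    src, i = _parse_addr(p, 4)
    dst, i = _parse_addr(p, i)
    dport = int(p[i + 1]) if i < len(p) and p[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl: list, src: str, dst: str, proto: str = "tcp", dport=None) -> str:
    """Return the action of the first matching entry; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every Cisco ACL


# Options A and C exactly as quoted in the question, plus the stated last line.
ACL_AS_GIVEN = [parse_ace(l) for l in (
    "access-list 110 deny tcp 192.168.0.0 0.0.0.255 any eq 80",   # option A
    "access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80",   # option C
    "access-list 110 permit ip any any",
)]

# The same two entries rewritten against the Miami subnet (192.168.1.0/24),
# the correction the thread speculates about.
ACL_MIAMI = [parse_ace(l) for l in (
    "access-list 110 deny tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 110 deny tcp any 192.168.1.0 0.0.0.255 eq 80",
    "access-list 110 permit ip any any",
)]

# Constructed sample hosts: one per site, a Miami web server and an internet site.
MIAMI_HOST, MIAMI_WEB = "192.168.1.10", "192.168.1.80"
CHICAGO_HOST, LA_HOST = "192.168.2.10", "192.168.3.10"
INTERNET_WEB = "203.0.113.5"  # RFC 5737 documentation address, used as a placeholder


def web_outcomes(acl: list) -> dict:
    """Outcome of each HTTP flow that crosses the hub router under the given ACL."""
    flows = {
        "miami->internet": (MIAMI_HOST, INTERNET_WEB),
        "chicago->internet": (CHICAGO_HOST, INTERNET_WEB),
        "la->internet": (LA_HOST, INTERNET_WEB),
        "chicago->miami_web": (CHICAGO_HOST, MIAMI_WEB),
        "la->miami_web": (LA_HOST, MIAMI_WEB),
    }
    return {name: evaluate(acl, s, d, "tcp", 80) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    print("options as given   :", web_outcomes(ACL_AS_GIVEN))
    print("rewritten for Miami:", web_outcomes(ACL_MIAMI))
```

Running it shows that with the options as quoted every flow is permitted (192.168.0.0/24 matches no site, so both deny lines are dead entries and the trailing permit wins), whereas with 192.168.1.0 0.0.0.255 the Miami hosts lose web access to the internet, LA and Chicago keep it, and web requests from LA and Chicago to the Miami server are dropped. Note that the second entry denies any source towards Miami port 80; Miami hosts reaching a Miami web server on their own /24 never traverse the hub router, so that entry only affects traffic that actually crosses the interface where the ACL is applied, which is why the placement question raised in the thread matters.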
