I'm studying for the CCNA 640-801 exam and in some study materials there is the following ACL question and I don't understand why the answer is what it is. I was hoping someone in here could help with explaining why. Thanks.
PCA through PCF all seem to be connected to a common backbone. All three routers appear to also be connected to the same backbone as the PCs. Router1 connects to Router2 which connects to Router3.
PCA - 184.108.40.206/24
PCB - 220.127.116.11/24
PCC - 18.104.22.168/24
PCD - 22.214.171.124/24
PCE - 126.96.36.199/24
PCF - 188.8.131.52/24
You're the systems administrator at Cisco, and you create the following access control lists.
access-list 101 deny tcp 184.108.40.206 0.0.0.0 220.127.116.11 0.0.0.255 eq telnet
access-list 101 permit any any
You then enter the command "ip access-group 101 in" to apply access control list 101 to router1's e0 interface.
Which of the following Telnet sessions will be blocked as a result of your access lists? (Select all that apply)
A. Telnet sessions from host A to host 18.104.22.168
B. Telnet sessions from host A to host 22.214.171.124
C. Telnet sessions from host B to host 126.96.36.199
D. Telnet sessions from host B to host 188.8.131.52
E. Telnet sessions from host C to host 184.108.40.206
F. Telnet sessions from host F to host 220.127.116.11
Answer D & F
I understand answer D; that is straightforward and easy to understand. However, I don't understand answer F. The ACL statement, 'access-list 101 deny tcp 18.104.22.168 0.0.0.0' specifically has the source host listed, which is not PCF. I would think only addresses matching the source address in the ACL should be blocked. Thanks to anyone who can help.
I have an issue with their solution and an issue with your solution.
I think that the major flaw in their solution is putting the access-group on the serial interface as an inbound filter. As an inbound filter on the serial, 192.168.1.1 or 192.168.118.0 would be the source address and their access list has it as the destination. Putting the access list as inbound on Ethernet 0 is effective. Putting it also on serial 1 adds no effectiveness. I am not clear whether they were again trying to point out the possibility of preventing telnet by denying the response traffic. But you cannot do both in one access list which is limited to 3 statements.
Another (small) issue with their access list is in the second line:
access-list 101 deny tcp any 192.168.118.0 0.0.0.0 eq 23
The mask is for a specific host but 192.168.118.0 is not a host. It is the network/subnet address and no legitimate traffic will ever have that as a source address.
The main issue in your access list is the placement of "eq 23". You have it coming before the source address, and the "eq port" comes after an address specification (after either the source or after the destination) and not before both of the addresses. Also, if your access list is inbound on interface Ethernet 0 then telnet traffic to router 1 will have port 23 (telnet) as the destination port.
There is an apparent difference between your list and their list but it does not matter. You specify 192.168.134.0/24 as the source address and they specify any as the source address. Since the network explanation indicates that 192.168.134.0 is the only network behind E 0, the effect of the access lists does not change between the two source address specifications.
I agree with Kevin that there does not appear to be a lot of effective proofreading of this material. I have taught Cisco classes and I have written training material and I appreciate that this is difficult to do. But it is highly unfortunate and lowers the credibility of the material (and their source) when these kinds of mistakes are apparent.
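An added example, not part of the posts above or of the study material: a small Python evaluator for extended ACL entries that shows the wildcard-mask point raised about "192.168.118.0 0.0.0.0". The "permit ip any any" line, the host addresses and the 0.0.0.255 variant are constructed for illustration, and only a destination "eq" port is handled.

```python
import ipaddress

PORTS = {"telnet": 23}  # named ports this sketch understands

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ("0.0.0.0", "255.255.255.255")
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (first, tokens.pop(0))

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, dst = parse_addr(rest), parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; no match means the implicit deny applies."""
    for line in acl:
        action, p, s, d, port = parse_entry(line)
        if p not in ("ip", proto):
            continue
        if not (wildcard_match(src, *s) and wildcard_match(dst, *d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

# First entry is the line quoted in the reply; the permit line is constructed.
AS_QUOTED = ["access-list 101 deny tcp any 192.168.118.0 0.0.0.0 eq 23",
             "access-list 101 permit ip any any"]
# Constructed variant: same entry with a /24 wildcard mask.
SUBNET_MASK = ["access-list 101 deny tcp any 192.168.118.0 0.0.0.255 eq 23",
               "access-list 101 permit ip any any"]

if __name__ == "__main__":
    for name, acl in (("0.0.0.0", AS_QUOTED), ("0.0.0.255", SUBNET_MASK)):
        print(name, evaluate(acl, "tcp", "192.168.134.10", "192.168.118.5", 23))
```

With the 0.0.0.0 mask the deny entry matches only the literal address 192.168.118.0, so Telnet to a host on that subnet falls through to the permit line.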