ACL Issue.

Answered Question
Apr 20th, 2009

Hello all, for some reason with this Packet Tracer lab I keep getting the last bit of the ACLs incorrect.


Here is the lab that I have completed so far (94%)

http://www.sendspace.com/file/gsnk07



They ask me the following


Configure standard named ACLs on the R1 and R3 vty lines, permitting hosts connected directly to their Fast Ethernet subnets to gain Telnet access. Explicitly deny all other connection attempts. Name these standard ACLs VTY-Local.




They also ask this for the extended ACLs:


Name the ACL block.

Prohibit traffic originating from the R1 LAN from reaching the R3 LAN.

Prohibit traffic originating from the R3 LAN from reaching the R1 LAN.

Permit all other traffic.


Here is what I have on router 1 for the standard ACLs


ip access-list standard VTY-Local
deny 10.1.0.0 0.0.0.3
deny 10.3.0.0 0.0.0.3
deny 10.3.1.0 0.0.0.255
permit 10.1.1.1 0.0.0.255


I could not figure out why my ACLs are incorrect.


Host 1's IP (the host connected to R1): 10.1.1.1

Serial connection from R1 to R2, IP subnet: 10.1.0.0 /30

R2 to R3: 10.3.0.0 /30

Host 2 to R2: 10.3.1.0 /24

Host 2's address: 10.3.1.1 /24



Can someone help me?

deny 10.1.0.0 0.0.0.3 - matches IP 10.1.0.x
deny 10.3.0.0 0.0.0.3 - matches IP 10.3.0.x
deny 10.3.1.0 0.0.0.255 - matches IP 10.3.1.x
permit 10.1.1.1 0.0.0.255 - matches IP 10.1.1.0

Correct ACLs should be:

deny 10.1.0.0 0.0.0.3
deny 10.3.0.0 0.0.0.3
deny 10.3.1.0 0.0.0.255
permit 10.1.1.1 0.0.0.0

or

permit 10.1.1.1 0.0.0.0
deny all

HTH
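
Wildcard-mask matching is what decides which of these entries a Telnet source address hits, and it is also why a base address with host bits set (10.1.1.1 with wildcard 0.0.0.255) still covers the whole /24. As an added illustration, not code from this thread, here is a small Python evaluator using IOS wildcard semantics: first match wins, and an unmatched source falls to the implicit deny. The lab addresses are the ones quoted above; 10.1.0.1 and 10.3.0.2 are constructed router-side addresses on the two /30 links, and "deny all" from the reply is written as the IOS keyword `deny any`. The corrected list used for comparison is the form the original poster reports as working further down the thread.

```python
import ipaddress

# Lab addresses from the thread (Host 1 on the R1 LAN, the two serial /30s, Host 2 on the R3 LAN).
# 10.1.1.50, 10.1.0.1 and 10.3.0.2 are constructed test values on those subnets.
LAB_ADDRESSES = ["10.1.1.1", "10.1.1.50", "10.1.0.1", "10.1.0.2", "10.3.0.1", "10.3.0.2", "10.3.1.1"]

# The original poster's VTY-Local list, and the form reported as accepted later in the thread.
ORIGINAL = [
    "deny 10.1.0.0 0.0.0.3",
    "deny 10.3.0.0 0.0.0.3",
    "deny 10.3.1.0 0.0.0.255",
    "permit 10.1.1.1 0.0.0.255",
]
CORRECTED = [
    "permit 10.1.1.0 0.0.0.255",
    "deny any",
]


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must equal the base, a 1 bit is a don't-care."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) ^ to_int(base)) & care == 0


def normalize(base, wildcard):
    """IOS clears the don't-care bits when it stores an entry, so 10.1.1.1 0.0.0.255 is kept as 10.1.1.0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(to_int(base) & care))


def parse_standard(line):
    """'permit|deny any', 'permit|deny host A', or 'permit|deny BASE [WILDCARD]' (no wildcard = one host)."""
    parts = line.split()
    action = parts[0]
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
    return action, parts[1], wildcard


def evaluate_standard(acl, addr):
    """First matching entry wins; anything unmatched falls to the implicit deny at the end."""
    for line in acl:
        action, base, wildcard = parse_standard(line)
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def decisions(acl, addrs=LAB_ADDRESSES):
    """Verdict of the list for every address of interest."""
    return {a: evaluate_standard(acl, a) for a in addrs}


def same_decisions(acl_a, acl_b, addrs=LAB_ADDRESSES):
    """True when both lists reach the same verdict for every address in addrs."""
    return decisions(acl_a, addrs) == decisions(acl_b, addrs)


if __name__ == "__main__":
    print("permit 10.1.1.1 0.0.0.255 is stored as", normalize("10.1.1.1", "0.0.0.255"), "0.0.0.255")
    for addr, verdict in decisions(ORIGINAL).items():
        print(f"{addr:>10}: original={verdict:6} corrected={evaluate_standard(CORRECTED, addr)}")
    print("same verdicts on every lab address:", same_decisions(ORIGINAL, CORRECTED))
```

Run as a script it prints a verdict per address for both lists. The three explicit denies in the original list are redundant once the implicit deny is taken into account, and the original and corrected lists agree on every lab address, so the fix is about the form of the entries rather than their effect on this topology. When reviewing a vty ACL, the check that matters is the one `decisions()` performs: enumerate every source that could reach the line and confirm only the intended subnet is permitted.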


jrosetta1 Tue, 04/21/2009 - 07:48

Thank you so much! For the last permit you did, I was supposed to have 10.1.1.0 0.0.0.255 and then the deny all, and it worked!

I cannot believe I missed it by one digit. I appreciate your help :)

Sahandbyebye Sat, 03/06/2010 - 09:23

Hello


Sorry, but I still have some problems with the configuration. I don't know why it's not moving from 95%. I will attach my PT file.

Will you please inform me of the R1 or R2 configuration?


Looking forward to your kind reply

Sahandbyebye Sat, 03/06/2010 - 17:57

Thanks a lot for your concern


Attached you can find the running config of R1 & R3 in text file.


Thanks for caring.
shehriyar Sun, 03/07/2010 - 03:01

Hi all,

I've done 97%; the only problem is with this:


Using extended ACLs on R2, complete the following requirements:

  • Name the ACL block
  • Prohibit traffic originating from the R1 connected subnets from reaching the R3 connected subnets.
  • Prohibit traffic originating from the R3 connected subnets from reaching the R1 connected subnets.
  • Permit all other traffic.


Could anyone help?

Thanks beforehand.


Use the below


ip access-list extended R1<>R3
  5 deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
10 deny ip 10.1.1.0 0.0.0.255 10.3.0.0 0.0.0.3
15 deny ip 10.1.0.0 0.0.0.3 10.3.1.0 0.0.0.255
20 deny ip 10.1.0.0 0.0.0.3 10.3.0.0 0.0.0.3
25 permit ip any any


ip access-list extended R3<>R1
  5 deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
10 deny ip 10.3.0.0 0.0.0.3 10.1.1.0 0.0.0.255
15 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.0.3
20 deny ip 10.3.0.0 0.0.0.3 10.1.0.0 0.0.0.3
25 permit ip any any


int serial <>
ip access-group R3<>R1 out


int serial <>
ip access-group R1<>R3 out


There is a simpler way of doing the above; you should be able to find it by using the above config.
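
To see what the two versions in this thread actually filter, here is an added Python model, not part of the thread or of any Cisco tooling, that evaluates extended ACL entries with IOS wildcard semantics and applies them per interface and direction, the way the R2 running config later in the thread does (`block` inbound on both serials). It compares the short LAN-to-LAN `block` list with the longer R1<>R3 list, and also checks one candidate for the "simpler way" hinted at above: a single entry whose wildcard 0.0.1.255 spans both 10.x.0.0/30 and 10.x.1.0/24. That collapsed entry is my reading of the hint, not something the reply states. Interface names and the address 10.1.0.2 / 10.3.0.1 come from the R2 config in the thread; 10.1.0.1 and 10.3.0.2 are constructed router-side addresses on the serial links.

```python
import ipaddress

# Two ways the thread writes the R2 filter: 'block' is the two-line LAN-to-LAN version,
# R1_TO_R3 is the longer "connected subnets" version (LANs plus the serial /30s) from the reply above.
BLOCK = [
    "deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255",
    "deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "permit ip any any",
]
R1_TO_R3 = [
    "5 deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255",
    "10 deny ip 10.1.1.0 0.0.0.255 10.3.0.0 0.0.0.3",
    "15 deny ip 10.1.0.0 0.0.0.3 10.3.1.0 0.0.0.255",
    "20 deny ip 10.1.0.0 0.0.0.3 10.3.0.0 0.0.0.3",
    "25 permit ip any any",
]
# Assumed reading of the "simpler way" hint: wildcard 0.0.1.255 covers 10.x.0.0/30 and 10.x.1.0/24 in one entry.
# It also covers the unused range 10.x.0.4-10.x.0.255, which only matters if those addresses are ever assigned.
COLLAPSED = [
    "deny ip 10.1.0.0 0.0.1.255 10.3.0.0 0.0.1.255",
    "permit ip any any",
]

# R2 as in the running config posted in the thread: 'block' applied inbound on both serial interfaces.
INTERFACES = {"Serial0/0/0": {"in": "block"}, "Serial0/0/1": {"in": "block"}}
ACLS = {"block": BLOCK}


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: 0 bits must equal the base, 1 bits are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) ^ to_int(base)) & care == 0


def parse_target(tokens, i):
    """Read one address spec starting at tokens[i]: 'any', 'host A', or 'BASE WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_extended(line):
    """'[seq] permit|deny PROTO SRC DST' into its parts; only address-level entries are modelled."""
    tokens = line.split()
    if tokens[0].isdigit():  # optional sequence number, as in the numbered list above
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    (src_base, src_wc), i = parse_target(tokens, 2)
    (dst_base, dst_wc), _ = parse_target(tokens, i)
    return action, proto, src_base, src_wc, dst_base, dst_wc


def evaluate_extended(acl, src, dst):
    """First match wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        action, proto, sb, sw, db, dw = parse_extended(line)
        if proto != "ip":
            continue  # port-level entries are outside this model
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def forward(ingress, egress, src, dst, interfaces=INTERFACES, acls=ACLS):
    """Inbound ACL on the ingress interface, then outbound on the egress; both must permit."""
    for iface, direction in ((ingress, "in"), (egress, "out")):
        name = interfaces.get(iface, {}).get(direction)
        if name and evaluate_extended(acls[name], src, dst) == "deny":
            return "deny"
    return "permit"


# Host addresses from the thread; 10.1.0.1 and 10.3.0.2 are constructed router-side addresses on the /30 links.
PAIRS = [
    ("10.1.1.1", "10.3.1.1"), ("10.3.1.1", "10.1.1.1"),
    ("10.1.1.1", "10.3.0.2"), ("10.1.0.1", "10.3.1.1"), ("10.1.0.1", "10.3.0.2"),
    ("10.1.1.1", "10.1.0.2"), ("10.1.1.1", "10.3.0.1"),
]


def same_decisions(acl_a, acl_b, pairs=PAIRS):
    """True when both lists reach the same verdict for every (src, dst) pair."""
    return all(evaluate_extended(acl_a, s, d) == evaluate_extended(acl_b, s, d) for s, d in pairs)


def lab_requirements_met():
    """The two 'prohibit' lines and 'permit all other traffic', checked through R2 with 'block' inbound."""
    r1_lan, r3_lan = "10.1.1.1", "10.3.1.1"
    return (forward("Serial0/0/0", "Serial0/0/1", r1_lan, r3_lan) == "deny"
            and forward("Serial0/0/1", "Serial0/0/0", r3_lan, r1_lan) == "deny"
            and forward("Serial0/0/0", "Serial0/0/1", r1_lan, "10.3.0.2") == "permit")


if __name__ == "__main__":
    print("lab requirements met by 'block' inbound on both serials:", lab_requirements_met())
    for s, d in PAIRS:
        print(f"{s:>9} -> {d:<9} block={evaluate_extended(BLOCK, s, d):6} R1<>R3={evaluate_extended(R1_TO_R3, s, d)}")
    print("collapsed form matches R1<>R3 on the lab pairs:", same_decisions(R1_TO_R3, COLLAPSED))
```

The table it prints shows where the two versions differ: `block` lets a host on the R1 LAN reach R3's serial address, while R1<>R3 denies it, so which one a lab check accepts depends on whether the task is read as "LAN" or "connected subnets" (the two quotes of the task in this thread use different wording). The lists also differ in placement: `block` is symmetric, so it can sit inbound on both serials, whereas R1<>R3 and R3<>R1 are each one-directional and belong outbound on the interface facing the destination side, as the reply applies them.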

Sahandbyebye Sun, 03/07/2010 - 05:45

Dear Shehriyar


ip access-list extended block
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any

Can I see your configuration for R1 & R3?

shehriyar Sun, 03/07/2010 - 10:25

Dear Sahand,

You can check the R1 and R3 configurations, no problem.

I've written those configurations for R2, but when I check the results it only denies the block ACL.

Sahandbyebye Sun, 03/07/2010 - 10:33

Dear Shehriyar,

Erase all of the R2 configuration and reload it again.

This is my R2 running config. I checked it again now for you; it will work:

Building configuration...

Current configuration : 1061 bytes
!
version 12.3
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.1.0.2 255.255.255.252
ip access-group block in
!
interface Serial0/0/1
ip address 10.3.0.1 255.255.255.252
ip access-group block in
clock rate 64000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.1.0.0 0.0.0.3 area 0
network 10.3.0.0 0.0.0.3 area 0
!
ip classless
!
!
ip access-list extended block
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
!
!
!
no cdp run
!
!
!
!
!
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
!
end


Check it again.


What is your R1 & R3?

shehriyar Sun, 03/07/2010 - 12:06

Sahand, I've the same configuration for R2 as yours.

I couldn't understand your question, but if you are asking for the R1 and R3 password, it is class.
