04-20-2009 07:28 PM - edited 02-20-2020 09:41 PM
Hello all, for some reason with this Packet Tracer lab I keep getting the last bit of ACLs incorrect.
Here is the lab that I have completed so far (94%)
http://www.sendspace.com/file/gsnk07
They ask me the following
Configure standard named ACLs on the R1 and R3 vty lines, permitting hosts connected directly to their Fast Ethernet subnets to gain Telnet access. Explicitly deny all other connection attempts. Name these standard ACLs VTY-Local.
They also ask this for the extended ACLs:
Name the ACL block.
Prohibit traffic originating from the R1 LAN from reaching the R3 LAN.
Prohibit traffic originating from the R3 LAN from reaching the R1 LAN.
Permit all other traffic.
Here is what I have on router 1 for the standard ACLs
ip access-list standard VTY-Local
deny 10.1.0.0 0.0.0.3
deny 10.3.0.0 0.0.0.3
deny 10.3.1.0 0.0.0.255
permit 10.1.1.1 0.0.0.255
I could not figure out why my ACLs are incorrect.
Host 1's IP (the host connected to R1) - 10.1.1.1
Serial connection from R1 to R2, IP subnet 10.1.0.0/30
R2 to R3: 10.3.0.0/30
Host 2 to R2: 10.3.1.0/24
Host 2's address is 10.3.1.1/24
Can someone help me?
04-21-2009 12:58 AM
deny 10.1.0.0 0.0.0.3 - matches IP 10.1.0.x
deny 10.3.0.0 0.0.0.3 - matches IP 10.3.0.x
deny 10.3.1.0 0.0.0.255 - matches IP 10.3.1.x
permit 10.1.1.1 0.0.0.255 - matches IP 10.1.1.0
Correct ACLs should be:
deny 10.1.0.0 0.0.0.3
deny 10.3.0.0 0.0.0.3
deny 10.3.1.0 0.0.0.255
permit 10.1.1.1 0.0.0.0
or
permit 10.1.1.1 0.0.0.0
deny all
HTH
04-21-2009 07:48 AM
Thank you so much! The last permit you did, I was supposed to have 10.1.1.0 0.0.0.255 and then the deny all, and it worked!
I cannot believe I missed it by one digit. I appreciate your help :)
04-21-2009 08:02 AM
np - glad to help.
03-06-2010 10:01 AM
I do not use Packet Tracer.
03-07-2010 12:33 AM
OK - I have the files, what is your issue?
03-07-2010 03:01 AM
Hi all,
I've done 97%; the only problem is with this:
Using extended ACLs on R2, complete the following requirements:
Could anyone help?
Thanks beforehand.
03-07-2010 04:23 AM
Use the below
ip access-list extended R1<>R3
5 deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
10 deny ip 10.1.1.0 0.0.0.255 10.3.0.0 0.0.0.3
15 deny ip 10.1.0.0 0.0.0.3 10.3.1.0 0.0.0.255
20 deny ip 10.1.0.0 0.0.0.3 10.3.0.0 0.0.0.3
25 permit ip any any
ip access-list extended R3<>R1
5 deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
10 deny ip 10.3.0.0 0.0.0.3 10.1.1.0 0.0.0.255
15 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.0.3
20 deny ip 10.3.0.0 0.0.0.3 10.1.0.0 0.0.0.3
25 permit ip any any
int serial <
ip access-group R3<>R1 out
int serial <
ip access-group R1<>R3 out
There is a simpler way of doing the above, you should be able to find it from using the above config.
03-07-2010 05:45 AM
Dear Shehriyar
ip access-list extended block
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
Can I see your configuration for R1 & R3?
03-07-2010 10:25 AM
Dear sahand,
you can check the R1 and R3 configurations, no problem.
I've written those configurations for R2,
but when I check the results it only denies the block ACL.
03-07-2010 10:33 AM
Dear shehiyar,
erase all the R2 configuration and reload it again.
This is my R2 running config.
I checked it again now for you; it will work:
Building configuration...
Current configuration : 1061 bytes
!
version 12.3
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.1.0.2 255.255.255.252
ip access-group block in
!
interface Serial0/0/1
ip address 10.3.0.1 255.255.255.252
ip access-group block in
clock rate 64000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.1.0.0 0.0.0.3 area 0
network 10.3.0.0 0.0.0.3 area 0
!
ip classless
!
!
ip access-list extended block
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
!
!
!
no cdp run
!
!
!
!
!
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
!
end
Check it again.
What is your R1 & R3?
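To make the wildcard-mask and first-match behaviour behind both the VTY-Local standard ACL (accepted answer above) and the extended `block` ACL on R2 concrete, here is an added Python evaluator that is not part of the thread or of any Cisco tool; it models only source/destination IP against a wildcard mask (no protocols, ports, or interface direction) and uses the lab's addresses as constructed test cases. Bitwise, the original `permit 10.1.1.1 0.0.0.255` covers the same /24 as `permit 10.1.1.0 0.0.0.255`, the form that made the lab pass above.

```python
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword as base + wildcard


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: wildcard bit 0 must match, bit 1 is don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def evaluate(acl, src, dst=None):
    """First-match walk. Entries are (action, src, src_wc) for standard ACLs or
    (action, src, src_wc, dst, dst_wc) for extended ones. Falling off the end
    is the implicit deny every IOS ACL carries."""
    for entry in acl:
        action, src_base, src_wc = entry[:3]
        if not wildcard_match(src, src_base, src_wc):
            continue
        if len(entry) == 5 and not wildcard_match(dst, entry[3], entry[4]):
            continue
        return action
    return "deny"


# Standard ACL VTY-Local on R1, corrected form (network address + wildcard);
# the explicit 'deny all' the lab wants behaves like the implicit deny here.
VTY_LOCAL_R1 = [("permit", "10.1.1.0", "0.0.0.255")]

# Extended ACL 'block' on R2 as posted above (applied inbound on both serials).
BLOCK = [
    ("deny",   "10.1.1.0", "0.0.0.255", "10.3.1.0", "0.0.0.255"),
    ("deny",   "10.3.1.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]


def lab_results():
    """Constructed cases from the thread's addressing: R1 LAN 10.1.1.0/24,
    R3 LAN 10.3.1.0/24, serial links 10.1.0.0/30 and 10.3.0.0/30."""
    return {
        "host1 telnet to R1 vty": evaluate(VTY_LOCAL_R1, "10.1.1.1"),
        "host2 telnet to R1 vty": evaluate(VTY_LOCAL_R1, "10.3.1.1"),
        "R2 serial telnet to R1": evaluate(VTY_LOCAL_R1, "10.1.0.2"),
        "R1 LAN -> R3 LAN":       evaluate(BLOCK, "10.1.1.1", "10.3.1.1"),
        "R3 LAN -> R1 LAN":       evaluate(BLOCK, "10.3.1.1", "10.1.1.1"),
        "R1 LAN -> R3 serial":    evaluate(BLOCK, "10.1.1.1", "10.3.0.2"),
    }


if __name__ == "__main__":
    for case, verdict in lab_results().items():
        print(f"{case:24} {verdict}")
```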
03-07-2010 12:06 PM
sahand, I have the same configuration for R2 as yours.
I couldn't understand your question, but if you are asking for the R1 and R3 password, it is class.