6604 Views, 0 Helpful, 15 Replies

ACL Issue.

jrosetta1 (Level 1)

Hello all, for some reason with this Packet Tracer lab I keep getting the last bit of ACLs incorrect.

Here is the lab that I have completed so far (94%)

http://www.sendspace.com/file/gsnk07

They ask me the following

Configure standard named ACLs on the R1 and R3 vty lines, permitting hosts connected directly to their Fast Ethernet subnets to gain Telnet access. Explicitly deny all other connection attempts. Name these standard ACLs VTY-Local.

They also ask this for the extended ACLs:

Name the ACL block.

Prohibit traffic originating from the R1 LAN from reaching the R3 LAN.

Prohibit traffic originating from the R3 LAN from reaching the R1 LAN.

Permit all other traffic.

Here is what I have on Router 1 for the standard ACLs:

ip access-list standard VTY-Local
deny 10.1.0.0 0.0.0.3
deny 10.3.0.0 0.0.0.3
deny 10.3.1.0 0.0.0.255
permit 10.1.1.1 0.0.0.255

I could not figure out why my ACLs are incorrect.

Host 1's IP (the host connected to R1): 10.1.1.1
Serial connection from R1 to R2, IP subnet: 10.1.0.0/30
R2 to R3: 10.3.0.0/30
Host 2 to R2: 10.3.1.0/24
Host 2's address: 10.3.1.1/24

Can someone help me?

Accepted Solution

andrew.prince (Level 10)

deny 10.1.0.0 0.0.0.3 - matches IP 10.1.0.x
deny 10.3.0.0 0.0.0.3 - matches IP 10.3.0.x
deny 10.3.1.0 0.0.0.255 - matches IP 10.3.1.x
permit 10.1.1.1 0.0.0.255 - matches IP 10.1.1.0

Correct ACLs should be:

deny 10.1.0.0 0.0.0.3
deny 10.3.0.0 0.0.0.3
deny 10.3.1.0 0.0.0.255
permit 10.1.1.1 0.0.0.0

or

permit 10.1.1.1 0.0.0.0
deny all

HTH


15 Replies


Thank you so much! For the last permit, I was supposed to have 10.1.1.0 0.0.0.255 and then the deny all, and it worked!

I cannot believe I missed it by one digit. I appreciate your help :)

No problem, glad to help.

Hello,

Sorry, but I still have some problems with the configuration. I don't know why it's not moving from 95%. I will attach my PT file.

Will you please inform me of the R1 or R2 configuration?

Looking forward to your kind reply.

Sahandbyebye (Level 1)

Hey,

Do you still have your file?

I do not use Packet Tracer.

Thanks a lot for your concern.

Attached you can find the running config of R1 & R3 in a text file.

Thanks for caring.

OK - I have the files, what is your issue?

Hi all,

I've done 97%; the only problem is with this:

Using extended ACLs on R2, complete the following requirements:

  • Name the ACL block
  • Prohibit traffic originating from the R1 connected subnets from reaching the R3 connected subnets.
  • Prohibit traffic originating from the R3 connected subnets from reaching the R1 connected subnets.
  • Permit all other traffic.

Could anyone help?

Thanks in advance.

Use the below:

ip access-list extended R1<>R3
  5 deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
10 deny ip 10.1.1.0 0.0.0.255 10.3.0.0 0.0.0.3
15 deny ip 10.1.0.0 0.0.0.3 10.3.1.0 0.0.0.255
20 deny ip 10.1.0.0 0.0.0.3 10.3.0.0 0.0.0.3
25 permit ip any any


ip access-list extended R3<>R1
  5 deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
10 deny ip 10.3.0.0 0.0.0.3 10.1.1.0 0.0.0.255
15 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.0.3
20 deny ip 10.3.0.0 0.0.0.3 10.1.0.0 0.0.0.3
25 permit ip any any

int serial <>
ip access-group R3<>R1 out

int serial <>
ip access-group R1<>R3 out

There is a simpler way of doing the above; you should be able to find it from the above config.

Dear Shehriyar,

ip access-list extended block
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any

Can I see your configuration for R1 & R3?

Dear Sahand,

You can check the R1 and R3 configurations, no problem.

I wrote those configurations for R2,

but when I check the results it only denies the block ACL.

Dear Shehriyar,

Erase all the R2 configuration and reload it again.

This is my R2 running config.

I checked it again now for you; it works:


Building configuration...

Current configuration : 1061 bytes
!
version 12.3
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.1.0.2 255.255.255.252
ip access-group block in
!
interface Serial0/0/1
ip address 10.3.0.1 255.255.255.252
ip access-group block in
clock rate 64000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.1.0.0 0.0.0.3 area 0
network 10.3.0.0 0.0.0.3 area 0
!
ip classless
!
!
ip access-list extended block
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
!
!
!
no cdp run
!
!
!
!
!
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
!
end

Check it again.

What is your R1 & R3?
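Added example, not part of the thread: a small Python model of how IOS evaluates wildcard-mask ACLs, covering both the standard VTY-Local list from the accepted answer (why "permit 10.1.1.1 0.0.0.255" covers the whole 10.1.1.0/24 and is stored as 10.1.1.0, while "0.0.0.0" matches one host) and the extended "block" list from the R2 running config above. The addresses are the thread's own; the sample hosts such as 10.1.1.77 and 192.168.9.9 are constructed for the demonstration, and "deny any" is used where the thread writes "deny all", since "any" is the IOS keyword.

```python
"""Cisco IOS wildcard-mask ACL evaluation, simulated in Python.

Added example, not from the thread: it checks the VTY-Local standard ACL
variants and the extended 'block' ACL against sample addresses.
"""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # what the keyword "any" expands to


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard means 'don't care'; only the 0 bits are compared."""
    care = ~ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def normalize(base, wildcard):
    """The address IOS actually stores: host bits under the wildcard are cleared,
    so 'permit 10.1.1.1 0.0.0.255' is saved as 'permit 10.1.1.0 0.0.0.255'."""
    return str(ipaddress.IPv4Address(ip_to_int(base) & ~ip_to_int(wildcard)))


def parse_addr(tokens, i, extended):
    """Consume one address spec at tokens[i]; return ((base, wildcard), next_index)."""
    t = tokens[i]
    if t == "any":
        return ANY, i + 1
    if t == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if extended or (i + 1 < len(tokens) and tokens[i + 1][0].isdigit()):
        return (t, tokens[i + 1]), i + 2    # address followed by its wildcard
    return (t, "0.0.0.0"), i + 1            # standard ACL: bare address = one host


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    proto: str     # "ip" matches every protocol
    src: tuple     # (base, wildcard)
    dst: tuple     # (base, wildcard); ANY for standard ACLs


class Acl:
    def __init__(self, name, kind, lines):
        self.name, self.kind = name, kind
        self.entries = [self._parse(line) for line in lines]

    def _parse(self, line):
        tokens = line.split()
        if tokens[0].isdigit():             # optional sequence number, e.g. "5 deny ..."
            tokens = tokens[1:]
        if self.kind == "standard":
            src, _ = parse_addr(tokens, 1, extended=False)
            return Entry(tokens[0], "ip", src, ANY)
        src, i = parse_addr(tokens, 2, extended=True)
        dst, _ = parse_addr(tokens, i, extended=True)
        return Entry(tokens[0], tokens[1], src, dst)

    def evaluate(self, src, dst="0.0.0.0", proto="ip"):
        """First matching entry wins; anything unmatched hits the implicit deny."""
        for e in self.entries:
            if (e.proto in ("ip", proto) and wildcard_match(src, *e.src)
                    and wildcard_match(dst, *e.dst)):
                return e.action
        return "deny"


# The list as the original poster typed it on R1.
VTY_AS_POSTED = Acl("VTY-Local", "standard", [
    "deny 10.1.0.0 0.0.0.3",
    "deny 10.3.0.0 0.0.0.3",
    "deny 10.3.1.0 0.0.0.255",
    "permit 10.1.1.1 0.0.0.255",
])

# The form the poster reported as accepted: the R1 LAN, then an explicit deny.
VTY_SUBNET = Acl("VTY-Local", "standard", ["permit 10.1.1.0 0.0.0.255", "deny any"])

# The two-line extended ACL from the R2 running config (applied inbound on both serials).
BLOCK = Acl("block", "extended", [
    "deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255",
    "deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "permit ip any any",
])

if __name__ == "__main__":
    for host in ("10.1.1.1", "10.1.1.77", "10.1.0.1", "10.3.1.1"):
        print(host, VTY_AS_POSTED.evaluate(host), VTY_SUBNET.evaluate(host))
    print("R1 LAN -> R3 LAN:", BLOCK.evaluate("10.1.1.1", "10.3.1.1"))
    print("OSPF R1 -> R2:", BLOCK.evaluate("10.1.0.1", "10.1.0.2", "ospf"))
```

Two things worth noticing when you run it: the as-posted list and the accepted list behave identically for every address on 10.1.1.0/24, because the router ignores the host bits under a 0.0.0.255 wildcard, so the difference the lab grader cared about is textual, not functional; and the two-line block list still lets R1 LAN hosts reach R3's serial address 10.3.0.2, which the longer R1<>R3 list in the earlier reply, with its extra /30 entries, does not.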

Sahand, I have the same configuration for R2 as yours.

I couldn't understand your question, but if you are asking for the R1 and R3 password, it is class.
