New Member

ACL Issue.

Hello all, for some reason with this Packet Tracer lab I keep getting the last bit of the ACLs incorrect.

Here is the lab that I have completed so far (94%)

http://www.sendspace.com/file/gsnk07

They ask me the following

Configure standard named ACLs on the R1 and R3 vty lines, permitting hosts connected directly to their Fast Ethernet subnets to gain Telnet access. Explicitly deny all other connection attempts. Name these standard ACLs VTY-Local.

They also ask this for the extended ACLs

Name the ACL block.

Prohibit traffic originating from the R1 LAN from reaching the R3 LAN.

Prohibit traffic originating from the R3 LAN from reaching the R1 LAN.

Permit all other traffic.

Here is what I have on router 1 for the standard ACLs

ip access-list standard VTY-Local

deny 10.1.0.0 0.0.0.3

deny 10.3.0.0 0.0.0.3

deny 10.3.1.0 0.0.0.255

permit 10.1.1.1 0.0.0.255

I could not figure out why my ACLs are incorrect.

Host 1's IP (The host connected to R1 ip) - 10.1.1.1

Serial connection from R1 to R2 ip subnet is

10.1.0.0 /30

R2 to R3 is

10.3.0.0 / 30

Host 2 to R2

10.3.1.0 /24

Host 2's address is 10.3.1.1 /24

Can someone help me?

Accepted Solutions

Re: ACL Issue.

deny 10.1.0.0 0.0.0.3 - matches IP 10.1.0.x

deny 10.3.0.0 0.0.0.3 - matches IP 10.3.0.x

deny 10.3.1.0 0.0.0.255 - matches IP 10.3.1.x

permit 10.1.1.1 0.0.0.255 - match IP 10.1.1.0

Correct ACLs should be:

deny 10.1.0.0 0.0.0.3

deny 10.3.0.0 0.0.0.3

deny 10.3.1.0 0.0.0.255

permit 10.1.1.1 0.0.0.0

or

permit 10.1.1.1 0.0.0.0

deny all

HTH>
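The wildcard-mask matching discussed in this answer, as an added example (not code from the thread): a small first-match evaluator run over the original ACL, the host-only ACL from the answer, and a subnet-wide permit. The thread's "deny all" is modelled as a match-everything entry, and 10.1.1.50 and 192.168.5.5 are constructed sample sources.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    # A 1 bit in the wildcard mask means "ignore this bit"; only 0 bits are compared.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def evaluate(acl, src):
    # Entries are checked top-down and the first match decides.
    # If nothing matches, the implicit deny at the end of every ACL applies.
    for number, (action, base, wildcard) in enumerate(acl, 1):
        if wildcard_match(src, base, wildcard):
            return f"{action} (entry {number})"
    return "deny (implicit)"

ANY = ("0.0.0.0", "255.255.255.255")  # assumption: stands in for the thread's "deny all"

# ACL entries transcribed from the thread.
ORIGINAL = [("deny", "10.1.0.0", "0.0.0.3"),
            ("deny", "10.3.0.0", "0.0.0.3"),
            ("deny", "10.3.1.0", "0.0.0.255"),
            ("permit", "10.1.1.1", "0.0.0.255")]
HOST_ONLY = [("permit", "10.1.1.1", "0.0.0.0"), ("deny", *ANY)]
SUBNET = [("permit", "10.1.1.0", "0.0.0.255"), ("deny", *ANY)]

# Host 1, a constructed second host on the R1 LAN, Host 2,
# R2's serial address, and a constructed outside address.
SOURCES = ["10.1.1.1", "10.1.1.50", "10.3.1.1", "10.1.0.2", "192.168.5.5"]

def verdicts(acl):
    return {src: evaluate(acl, src) for src in SOURCES}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("host-only", HOST_ONLY), ("subnet", SUBNET)):
        print(name)
        for src, result in verdicts(acl).items():
            print(f"  {src:<12} {result}")
```

With the 0.0.0.255 wildcard the last octet of the base address is ignored, so the original permit line already matches every 10.1.1.x source, while the 0.0.0.0 wildcard admits Host 1 only. The original ACL also relies on the implicit deny for unlisted sources, where the lab text asks for an explicit one.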

15 REPLIES

New Member

Re: ACL Issue.

Thank you so much! The last permit you did I was supposed to have a 10.1.1.0 0.0.0.255 and then the deny all and it worked!

I cannot believe I missed it by one digit. I appreciate your help :)

Re: ACL Issue.

np - glad to help.

New Member

Re: ACL Issue.

Hello

Sorry, but I still have some problems with the configuration. I don't know why it's not moving from 95%. I will attach my PT file.

Will you please inform me R1 or R2 configuration?

Looking forward to your kind reply

New Member

Re: ACL Issue.

Hey

Do you still have your file?

Re: ACL Issue.

I do not use Packet Tracer.

New Member

Re: ACL Issue.

Thanks a lot for your concern

Attached you can find the running config of R1 & R3 in text file.

Thanks for caring

Re: ACL Issue.

OK - I have the files, what is your issue?

New Member

Re: ACL Issue.

hi all

i've done 97%, only problem with this

Using extended ACLs on R2, complete the following requirements:

  • Name the ACL block
  • Prohibit traffic originating from the R1 connected subnets from reaching the R3 connected subnets.
  • Prohibit traffic originating from the R3 connected subnets from reaching the R1 connected subnets.
  • Permit all other traffic.

could anyone help

thanx beforehand

Re: ACL Issue.

Use the below

ip access-list extended R1<>R3
  5 deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
 10 deny ip 10.1.1.0 0.0.0.255 10.3.0.0 0.0.0.3
 15 deny ip 10.1.0.0 0.0.0.3 10.3.1.0 0.0.0.255
 20 deny ip 10.1.0.0 0.0.0.3 10.3.0.0 0.0.0.3
 25 permit ip any any


ip access-list extended R3<>R1
  5 deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 10 deny ip 10.3.0.0 0.0.0.3 10.1.1.0 0.0.0.255
 15 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.0.3
 20 deny ip 10.3.0.0 0.0.0.3 10.1.0.0 0.0.0.3
 25 permit ip any any

int serial <>
ip access-group R3<>R1 out

int serial <>
ip access-group R1<>R3 out

There is a simpler way of doing the above, you should be able to find it from using the above config.

New Member

Re: ACL Issue.

Dear Shehriyar

ip access-list extended block
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any

Can I see your configuration for R1 & R3?
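An added comparison, not part of any post in the thread: the three-line `block` ACL above and the four-deny `R1<>R3` ACL from the earlier reply, evaluated over R1-side flows to show which ones only the longer ACL denies. The flow list is constructed; 10.1.0.1 and 10.3.0.2 are assumed to be the R1 and R3 serial addresses, inferred from R2 holding the other address of each /30.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild(addr, base, wildcard):
    # Compare only the bits where the wildcard mask is 0.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def evaluate(acl, src, dst):
    # Extended entries match on source AND destination; first match wins.
    for action, s, sw, d, dw in acl:
        if wild(src, s, sw) and wild(dst, d, dw):
            return action
    return "deny"  # implicit deny, unreachable here because both ACLs end in permit any any

ANY = ("0.0.0.0", "255.255.255.255")
R1_LAN, R3_LAN = ("10.1.1.0", "0.0.0.255"), ("10.3.1.0", "0.0.0.255")
R1_LINK, R3_LINK = ("10.1.0.0", "0.0.0.3"), ("10.3.0.0", "0.0.0.3")

# "block" as posted: LAN-to-LAN denies in both directions.
BLOCK = [("deny", *R1_LAN, *R3_LAN),
         ("deny", *R3_LAN, *R1_LAN),
         ("permit", *ANY, *ANY)]

# "R1<>R3" as posted: every R1 connected subnet to every R3 connected subnet,
# generated in the same order as sequence numbers 5, 10, 15, 20.
R1_TO_R3 = [("deny", *s, *d) for s in (R1_LAN, R1_LINK) for d in (R3_LAN, R3_LINK)]
R1_TO_R3.append(("permit", *ANY, *ANY))

# Constructed flows originating on the R1 side.
FLOWS = [("10.1.1.1", "10.3.1.1"),   # Host 1 -> Host 2
         ("10.1.0.1", "10.3.1.1"),   # R1 serial (assumed) -> Host 2
         ("10.1.1.1", "10.3.0.2"),   # Host 1 -> R3 serial (assumed)
         ("10.1.1.1", "10.1.0.2")]   # Host 1 -> R2 serial

def differing_flows(acl_a, acl_b):
    # Flows on which the two ACLs reach different verdicts.
    return [f for f in FLOWS if evaluate(acl_a, *f) != evaluate(acl_b, *f)]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(f"{src:>9} -> {dst:<9} block={evaluate(BLOCK, src, dst):<7}"
              f"R1<>R3={evaluate(R1_TO_R3, src, dst)}")
```

Whether the two flows that differ matter depends on the lab wording: "R1 LAN" in the first post, "R1 connected subnets" in the later one.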

New Member

Re: ACL Issue.

dear sahand

You can check the R1 and R3 configurations, no problem.

I've written those configurations for R2,

but when I check the results it only denies the block ACL.

New Member

Re: ACL Issue.

Dear shehiyar

Erase all of the R2 configuration and reload it again.

This is my R2 running config.

I checked it again now for you, it will work:


Building configuration...

Current configuration : 1061 bytes
!
version 12.3
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.1.0.2 255.255.255.252
ip access-group block in
!
interface Serial0/0/1
ip address 10.3.0.1 255.255.255.252
ip access-group block in
clock rate 64000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.1.0.0 0.0.0.3 area 0
network 10.3.0.0 0.0.0.3 area 0
!
ip classless
!
!
ip access-list extended block
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
!
!
!
no cdp run
!
!
!
!
!
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
!
end

check it again

What is your R1 & R3?

New Member

Re: ACL Issue.

sahad, I have the same configuration for R2 as yours.

I couldn't understand your question, but if you are asking for the R1 and R3 password, it is class

New Member

Re: ACL Issue.

Thanks Pal
