
New Member

Issues with OSPF and ACL. Need Help

I'm having some issues configuring ACL's in the following situation:

(Attached diagram: ACL.png)

c. Configure HQ and Branch with OSPF routing according to the following criteria:

- Assign the process ID 1.

- Advertise all three attached networks. Do not advertise the link to the Internet.

- Configure appropriate interfaces as passive.

d. Set a default route on HQ which directs traffic to S0/0/1 interface. Redistribute the route to Branch.

e. Design a named access list HQServer to prevent any computers attached to the Gigabit Ethernet 0/0 interface of the Branch router from accessing HQServer.pka. All other traffic is permitted. Configure the access list on the appropriate router, apply it to the appropriate interface and in the appropriate direction.

f. Design a named access list BranchServer to prevent any computers attached to the Gigabit Ethernet 0/0 interface of the HQ router from accessing the HTTP and HTTPS service of the Branch server. All other traffic is permitted. Configure the access list on the appropriate router, apply it to the appropriate interface and in the appropriate direction.

I don't know what I am missing or doing incorrectly. This is what I have done to configure this scenario:

Configuring HQ OSPF

HQ>enable

HQ#config t

Enter configuration commands, one per line. End with CNTL/Z.

HQ(config)#router ospf 1

HQ(config-router)#network 172.16.0.0 0.255.255.255 area 0

HQ(config-router)#interface s0/0/1

HQ(config-if)#router ospf 1

HQ(config-router)#passive-interface s0/0/1

HQ(config-router)#passive-interface g0/1

HQ(config-router)#passive-interface g0/0

HQ(config-router)#default-information originate

HQ(config-router)#exit

HQ(config)#ip route 0.0.0.0 0.0.0.0 s0/0/1

Configuring HQ ACL

HQ(config)#ip access-list extended BranchServer

HQ(config-ext-nacl)#deny tcp 172.16.64.0 0.0.0.255 172.16.128.1 0.0.15.255 eq 80

HQ(config-ext-nacl)#deny tcp 172.16.64.0 0.0.0.255 172.16.128.1 0.0.15.255 eq 443

HQ(config-ext-nacl)#permit ip any any

HQ(config-ext-nacl)#interface g0/0

HQ(config-if)#ip access-group BranchServer in

HQ(config-if)#exit

Configuring Branch OSPF

Branch>enable

Branch#config t

Enter configuration commands, one per line. End with CNTL/Z.

Branch(config)#router ospf 1

Branch(config-router)#network 172.16.0.0 0.0.255.255 area 0

Branch(config-router)#passive-interface g0/0

Branch(config-router)#passive-interface g0/1

Branch(config-router)#exit

Branch(config)#ip route 0.0.0.0 0.0.0.0 64.104.34.2

Branch(config)#no ip route 0.0.0.0 0.0.0.0 64.104.34.2

Configuring Branch ACL

Branch(config)#ip access-list extended HQServer

Branch(config-ext-nacl)#deny ip any 172.16.0.1 0.0.63.255

Branch(config-ext-nacl)#permit ip any any

Branch(config-ext-nacl)#interface g0/0

Branch(config-if)#ip access-group HQServer in

Branch(config-if)#exit

Branch(config)#exit

If anyone could please explain to me why I'm only getting 43/100 after all these configurations? What am I missing? I've been working on this for hours looking over the chapter and various resources online and I'm just at a loss at this point. I have also attached the Packet Tracer file if anyone would like to take a look at it.

5 REPLIES
Purple

Issues with OSPF and ACL. Need Help

Hi,

-first you omitted to enable OSPF on the link between Branch and HQ:

router os 1

netw 192.168.0.0 0.0.0.3 area 0

-The ACLs should be

HQ(config-ext-nacl)#do sh access-list

Extended IP access list BranchServer

    10 deny tcp 172.16.64.0 0.0.63.255 host 172.16.128.1 eq www

    20 deny tcp 172.16.64.0 0.0.63.255 host 172.16.128.1 eq 443

    30 permit ip any any

Branch(config-if)#do sh access-list

Extended IP access list HQServer

    10 deny ip 172.16.144.0 0.0.15.255 host 172.16.0.1

    20 permit ip any any

-B1's IP is not correct; it should be 172.16.144.1 and not 172.168.143.1

I'm still stuck at 50% after this and I don't know why, because the ACLs do what they are meant to do and are applied as close to the source as possible.

Regards

Alain

Don't forget to rate helpful posts.

New Member

Issues with OSPF and ACL. Need Help

Thank you for the reply. I fixed the IP on B1 and added the network between HQ and Branch and that bumped me up to 50%.

New Member

Re: Issues with OSPF and ACL. Need Help

Seriously does NOBODY know how to go about fixing this or configuring it the way it should be?

Silver

Re: Issues with OSPF and ACL. Need Help

Maybe they want you to be more specific with your OSPF statements:

HQ(config-router)#network 172.16.0.0 0.0.63.255 area 0

HQ(config-router)#network 172.16.64.0 0.0.63.255 area 0

Branch(config-router)#network 172.16.128.0 0.0.31.255 area 0

New Member

f. Design a named access list BranchServer to prevent any computers attached to the Gigabit Ethernet 0/0 interface of the HQ router from accessing the HTTP and HTTPS service of the Branch server. All other traffic is permitted. Configure the access list on the appropriate router, apply it to the appropriate interface and in the appropriate direction.

Configuring HQ ACL

HQ(config)#ip access-list extended BranchServer

HQ(config-ext-nacl)#deny tcp any host 172.16.128.1 eq 80

HQ(config-ext-nacl)#deny tcp any host 172.16.128.1 eq 443

HQ(config-ext-nacl)#permit ip any any

HQ(config-ext-nacl)#interface g0/0

HQ(config-if)#ip access-group BranchServer in

HQ(config-if)#exit

 

1) While the 172.16.64.0 0.0.0.255 network is technically equivalent to any for the diagram, the directions ask you to block all traffic on g0/0, including someone who decides to change their IP address to 172.16.63.128. If you want to block a whole LAN segment you need to use any.

2) You want to deny access to a single host, 172.16.128.1, not the 172.16.128.1 0.0.15.255 network.

 

Configuring Branch ACL

Branch(config)#ip access-list extended HQServer

Branch(config-ext-nacl)#deny ip any host 172.16.0.1

Branch(config-ext-nacl)#permit ip any any

Branch(config-ext-nacl)#interface g0/0

Branch(config-if)#ip access-group HQServer in

Branch(config-if)#exit

Branch(config)#exit

 

1) You want to deny access to a single host, 172.16.128.1, not the 172.16.128.1 0.0.15.255 network.

That should get you the last 50 points
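To see concretely why the replies change the wildcard masks, here is an added example (mine, not from the thread or from Cisco): a small Python evaluator with IOS wildcard-mask semantics and the implicit deny, run over the poster's original BranchServer ACL and the form the last reply suggests. The server and LAN addresses are the ones from the thread; the test hosts 172.16.100.7 and 172.16.130.9 are constructed.

```python
import ipaddress


def _i(a):
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ _i(wildcard)
    return (_i(addr) & care) == (_i(base) & care)


def ace_matches(ace, pkt):
    """ace = (action, proto, src, src_wc, dst, dst_wc, dport_or_None)."""
    action, proto, src, swc, dst, dwc, dport = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], src, swc):
        return False
    if not wildcard_match(pkt["dst"], dst, dwc):
        return False
    return dport is None or pkt.get("dport") == dport


def evaluate(acl, pkt):
    """First matching entry wins; no match means the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
HOST_WC = "0.0.0.0"  # what the 'host' keyword expands to

# As typed in the original post: source covers only 172.16.64.0/24 (the HQ
# g0/0 LAN is 0.0.63.255), and the destination wildcard covers a whole /20.
BRANCHSERVER_ORIGINAL = [
    ("deny", "tcp", "172.16.64.0", "0.0.0.255", "172.16.128.1", "0.0.15.255", 80),
    ("deny", "tcp", "172.16.64.0", "0.0.0.255", "172.16.128.1", "0.0.15.255", 443),
    ("permit", "ip", *ANY, *ANY, None),
]
# The form the last reply recommends: any source, a single destination host.
BRANCHSERVER_FIXED = [
    ("deny", "tcp", *ANY, "172.16.128.1", HOST_WC, 80),
    ("deny", "tcp", *ANY, "172.16.128.1", HOST_WC, 443),
    ("permit", "ip", *ANY, *ANY, None),
]


def compare(pkt):
    """Return (original verdict, fixed verdict) for one constructed packet."""
    return evaluate(BRANCHSERVER_ORIGINAL, pkt), evaluate(BRANCHSERVER_FIXED, pkt)
```

The two ACLs agree on a host in 172.16.64.0/24, but diverge for an HQ host outside that /24 (original permits, fixed denies) and for a non-server Branch host inside 172.16.128.0/20 (original wrongly denies web traffic, fixed permits).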
