
Ticket 5 – R1 ACL

March 26th, 2015 in TSHOOT v2

The client is not able to ping the server. In fact, no one can ping the server.

Problem: an access-list on R1 is blocking IP traffic from the ISP.
Configuration on R1:

interface Serial0/0/1
 description Link to ISP
 ip address 209.65.200.225 255.255.255.252
 ip nat outside
 ip access-group edge_security in
!

ip access-list extended edge_security
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip host 209.65.200.241 any
!

Answer: add the permit ip 209.65.200.224 0.0.0.3 any entry to R1’s edge_security ACL.

Ans1) R1
Ans2) IPv4 Layer 3 Security
Ans3) Under the ip access-list extended edge_security configuration, add the permit ip 209.65.200.224 0.0.0.3 any command

Note:
+ This is the only ticket in which the extended access-list edge_security exists. In the other tickets, access-list 30 is applied in the inbound direction of S0/0/1 of R1.
+ Although host 209.65.200.241 (the web server) is permitted through the access-list (permit ip host 209.65.200.241 any), the clients still cannot reach it. R1 learns the route to 209.65.200.240/29 from its eBGP neighbor 209.65.200.226, but every packet sourced from 209.65.200.226, including the TCP port 179 session, falls through to the implicit deny at the end of edge_security. The BGP session therefore never comes up and R1 has no route to the web server; permitting the 209.65.200.224/30 link subnet inbound fixes this while keeping the anti-spoofing deny entries in place.
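As an added illustration (not part of the original ticket write-up), the following Python matcher applies Cisco wildcard-mask logic and the implicit deny to the edge_security ACL exactly as it appears above, and checks which inbound packets on S0/0/1 survive it before and after the fix. The packets are constructed for the example; ports are ignored because edge_security matches on addresses only, and the assumption that the inbound ACL is evaluated before NAT (so ISP-side packets arrive with destination 209.65.200.225) is standard IOS order of operations. The block also tests the alternative entries debated in the comments (permit host .225 versus permit host .226), which the ticket text itself does not cover.

```python
"""Added example (not from the original ticket): a minimal evaluator for
Cisco IOS extended ACL entries that use only source/destination matching,
applied to the edge_security ACL as shown on this page.

Assumptions: the inbound ACL on S0/0/1 is checked before NAT, so the ISP's
packets arrive with R1's outside address 209.65.200.225 as destination; the
packets below are constructed for the example, not captured from the lab.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "icmp", ... ("ip" in an ACE matches all of them)
    src: str
    dst: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str):
    """'permit ip 209.65.200.224 0.0.0.3 any' -> (action, proto, src, swc, dst, dwc)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, swc, rest = _parse_addr(tokens[2:])
    dst, dwc, _ = _parse_addr(rest)
    return action, proto, src, swc, dst, dwc


def evaluate(acl, pkt: Packet):
    """First-match evaluation; returns (action, ace), ending in the implicit deny."""
    for line in acl:
        action, proto, src, swc, dst, dwc = parse_ace(line)
        if proto not in ("ip", pkt.proto):
            continue
        if wildcard_match(pkt.src, src, swc) and wildcard_match(pkt.dst, dst, dwc):
            return action, line
    return "deny", "implicit deny"


# The ACL as configured on R1 in this ticket (with 'ip' spelled out on the 127/8 entry).
EDGE_SECURITY = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any",
    "permit ip host 209.65.200.241 any",
]
EDGE_SECURITY_FIXED = EDGE_SECURITY + ["permit ip 209.65.200.224 0.0.0.3 any"]

# Constructed inbound packets on S0/0/1 (ISP side -> R1).
BGP_FROM_ISP = Packet("tcp", "209.65.200.226", "209.65.200.225")      # eBGP, TCP 179
WEB_SERVER_REPLY = Packet("tcp", "209.65.200.241", "209.65.200.225")  # return traffic to the NAT address
SPOOFED_INTERNAL = Packet("tcp", "10.1.1.1", "209.65.200.225")        # RFC1918 source arriving from outside


def bgp_session_can_form(acl) -> bool:
    """The eBGP session only comes up if the neighbor's packets pass the inbound ACL."""
    return evaluate(acl, BGP_FROM_ISP)[0] == "permit"


if __name__ == "__main__":
    for name, acl in (("as configured", EDGE_SECURITY), ("after fix", EDGE_SECURITY_FIXED)):
        print(f"--- edge_security {name} ---")
        for pkt in (BGP_FROM_ISP, WEB_SERVER_REPLY, SPOOFED_INTERNAL):
            action, ace = evaluate(acl, pkt)
            print(f"{pkt.src:>16} -> {pkt.dst:<16} {action:6} ({ace})")
        print("eBGP session can form:", bgp_session_can_form(acl))
```

Running it shows the web server's return traffic already passing on the .241 entry while the ISP's BGP packets hit the implicit deny; adding `permit ip host 209.65.200.225 any` instead of the /30 changes nothing, because inbound packets from the ISP are sourced from .226, not from R1's own address. The four deny entries keep rejecting private and loopback sources after the fix, which is the anti-spoofing purpose of the ACL.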

Comments (46)
  1. Loretta
    December 18th, 2015

    Hi Ameer, please update the blog after you have appeared for the exam. Hope you do well. All the best, I am also planning to give the exam by next week or so. Please do let us know if the vce file that Luis referred to is still valid or not. Thanks in advance

  2. Not Working As Expected
    December 18th, 2015

    Help !! None of the tickets are loading !!

  3. Aditya
    December 29th, 2015

    @networktut
    Aren’t there 3 different concepts here…
    1. Why should “ping” from Client 1 to 209.65.200.225 on R1 fail? The ACL is blocking ip, not icmp.

    (2. The logic that the reply fails because it gets filtered “inward” at R1 would work only if ‘icmp’ was mentioned as the protocol?)

    3. Still (after correcting the above 2), are we saying that “ping” is not giving the true fault reason, because BGP comes into the picture for “data” packets only? (There are 2 different reasons for the 2 packet types.)

  4. Aditya
    December 30th, 2015

    Got the answer to my 2 queries: it’s a “permit”, so ip packets get permitted;
    ping, being icmp, is denied.

    But still the 3rd one remains a question..

  5. Aditya
    December 30th, 2015

    What I mean is: even after correcting as above, “ping” (icmp), when used for testing, would still fail?? So ping is not a reliable test??

  6. ak
    January 3rd, 2016

    @Aditya:

    The ping utility (based on the ICMP Protocol, among others) is definitely a very reliable test on most IP networks:

    From WIKIPEDIA:

    ICMP (Internet Control Message Protocol) is the protocol that IP uses for “control messages”!!!

    The implementation of ICMP supports three protocols:

    ◾ Echo Reply (0) or “ping”: The client replies to the ping, echoing the data in the IP packet!

    ◾ Destination Unreachable: This is an indication that the device cannot forward an IP packet. For example, this error message will be sent if a packet addressed to the device requires a protocol that the device does not support.

    ◾ Time exceeded: This indicates that the device has dropped a packet because its “time to live” (TTL) has reached 0.

    The ICMP Protocol from an application perspective:

    ICMP messages are processed and generated by the IP stack itself! – Therefore, an application should NOT need to interact with the ICMP code at all.
    If the user wishes to generate their own ping to a device, they can form the packet as an IP packet and send it via the IP module.

    The BGP Protocol depends on an existing reliable TCP/IP connection between two BGP peers – Therefore, within e.g. the actual TSHOOT Ticket 5 – The ISP and R1 devices do NOT become eBGP neighbors due to IP connectivity problems caused by the misconfigured extended “edge_security” ACL on the R1 device!

    Therefore the Clients can’t reach the external WEB Server (209.65.200.241) via the TSHOOT IP Infrastructure.

    Hope this helps!?

  7. R1 — ACL—Failed with 710!!
    January 8th, 2016

    This was on test !

    Answer: add permit ip 209.65.200.224 0.0.0.3 any command to R1’s ACL

    Ans1) R1
    Ans2) IPv4 Layer 3 Security
    Ans3) Under the ip access-list extended edge-security configuration add the permit ip 209.65.200.224 0.0.0.3 any command

  8. MM-DOUBT
    January 19th, 2016

    Shouldn’t be IP 209.65.200.0 0.0.0.255?

    Because if IP 209.65.200.224 used with its original wildcard 0.0.0.3 the ACL entry will allow only IPs .225 and .226.

    Am I wrong?

  9. vl
    January 19th, 2016

    DOUBT:

    Boop boop – Don’t forget the LAST ACE within the extended “edge-security” ACL:

    permit ip host 209.65.200.241 any !!!

    This ACE handles indeed the traffic from also the external WEB Server into the TSHOOT Infrastructure!

    This way we’re having a very selective inbound ACL filter, that ONLY allows inbound traffic from the relevant .225 / .226 / .241 node addresses, which exactly fulfills our needs within the actual TSHOOT Ticket (#5) infrastructure

    Hope this helps!?

  10. Aditya
    January 28th, 2016

    @networktut
    Shouldn’t ans 2 be “BGP issue”??
    (Noted in IP NAT also: a similar case, ACL and NAT, and both in the options, and you chose NAT??)

  11. DD
    February 18th, 2016

    As the ACL is applied on inbound interface of Serial0/0/1:
    interface Serial0/0/1
    description Link to ISP Router s0/0/0
    ip address 209.65.200.225 255.255.255.252
    ip access-group Edge_Security in

    We will also have to permit the host or the host network:
    R1#sh access-lists Edge_Security
    Extended IP access list Edge_Security
    permit ip 209.65.200.224 0.0.0.3 any (37 match(es))
    permit ip 209.65.200.240 0.0.0.7 any (6 match(es))
    or,
    R1#sh access-lists Edge_Security
    Extended IP access list Edge_Security
    permit ip 209.65.200.224 0.0.0.3 any (52 match(es))
    permit ip host 209.65.200.241 any (3 match(es))

  12. PeerReview
    March 11th, 2016

    Hello,

    The “interface Serial0/0/1” ip address statement “ip address 209.65.200.224 255.255.255.252” is wrong. It should read 209.65.200.225.

  13. Anonymous
    March 11th, 2016

    Spot on, PeerReview. Let us hope the actual test would have got it right!

    Furthermore, we tend to overlook the fact that the entire network segment 10.0.0.0 255.0.0.0 was also denied access in the edge-security acl. This must also be corrected, otherwise the hosts would still be unable to ping the web-server.

    So this ticket had two issues, but the answers given do not reflect that fact!

  14. vl
    March 11th, 2016

    Yop, it looks so! –
    Therefore @Network Tut Admin:
    Could you please change the R1 serial0/0/1 IP address on top to .225 instead of .224 as user PeerReview suggests above!?
    Thank you in advance!

  15. networktut
    March 12th, 2016

    @PeerReview, @vl: Thanks for your information. We have just fixed it!

  16. Anonymous
    March 14th, 2016

    I have checked the diagram again and noted that the acl is applied to traffic coming into R1 from the cloud. So it was probably wrong to suggest that traffic from clients on the internal 10.0.0.0 network would also be denied access!

  17. vl
    March 15th, 2016

    @Anonymous:
    Please beware traffic DIRECTION to/from R1:
    1)
    External traffic going into R1 from Cloud: “Deny All” except traffic from: 209.200.65.224/30 and traffic from: 209.200.65.241/32
    2)
    Outgoing user and transit traffic going towards the Cloud from R1: “Allow” these traffic types from: 10.1.0.0/14 (summary NAT’ed into 209.65.200.225 incl. overload).
    Hope this helps!?

  18. vl
    March 16th, 2016

    Correction:
    209.200.65.241= 209.65.200.241
    Sorry!

  19. tshoot_exam
    April 6th, 2016

    This ticket is really messy. My reason: applying the access-list in the inbound direction of R1 is really tricky. It is not only blocking traffic coming to R1 from the inside of the network but it also blocks routing protocol updates from the ISP. I could not believe that placing the access-list inbound on R1 would block access for Client 1 and Client 2, so I set up a small topology in GNS3 to test it. The result was amazing….

  20. Netw_Filter
    April 6th, 2016

    @tshoot_exam:

    Please be aware of the fact that the extended Ticket #5 “edge_security” access-list applied in the INBOUND direction of R1 is ONLY blocking access to certain traffic coming INTO R1 from the OUTSIDE of the network (the Cloud), including routing protocol updates etc. from the ISP, since NO eBGP peering can be established / formed over the serial link connecting the Cloud ISP PE device and the TSHOOT.com R1 CE router.

    The applied edge_security ACL simply prevents this!

    Thus Ticket #5 is teaching us the IMPORTANCE of – ALWAYS – keeping track of also the “traffic DIRECTION” when applying specific ACL filters to relevant interfaces within a certain network topology! – Right!?

    Pls also notice that – in addition to this – the applied “NAT” Setup on R1, prohibits (or prevents) any “10” Based IP traffic to appear within the external WAN Cloud at any time!

    Good luck @ exam!!!

  21. diki
    April 6th, 2016

    hi friends also that will work:

    permit ip host 209.65.200.226 any

    you don’t need to permit 209.65.200.225…

  22. John
    April 7th, 2016

    @diki:

    Pls note that ONLY:

    permit ip host 209.65.200.226 any

    (or permitting the whole .224 subnet itself)

    will work on R1!!!

    permit ip host 209.65.200.225 any – ALONE

    will NOT work, as shown below!

    R1(config-ext-nacl)#do sh ip rou bgp – (before doing anything within Ticket 5!):
    *** NO eBGP Routes on R1 ! ***

    R1(config-ext-nacl)#permit ip host 209.65.200.225 any
    R1(config-ext-nacl)#do sh ip rou bgp
    *** STILL no eBGP Routes on R1! ***
    BUT this makes a HUGE difference:
    R1(config-ext-nacl)#no permit ip host 209.65.200.225 any
    R1(config-ext-nacl)#permit ip host 209.65.200.226 any

    R1(config-ext-nacl)#%BGP-5-ADJCHANGE: neighbor 209.65.200.226 Up <—- !!!

    NOW we got needed eBGP routes on R1:

    R1(config-ext-nacl)#do sh ip rou bgp
    B* 0.0.0.0 [20/0] via 209.65.200.226, 00:08:21
    B 15.15.15.15 [20/0] via 209.65.200.226, 00:08:21
    B 209.65.200.240/29 [20/0] via 209.65.200.226, 00:08:21

    R1(config-ext-nacl)#^Z
    R1#
    %SYS-5-CONFIG_I: Configured from console by console
    R1#

  23. diki
    April 9th, 2016

    @John

    i know and that’s what I said…

    you don’t have to -> permit ip 209.65.200.224 0.0.0.3 any

    just permit ip host 209.65.200.226 any will work fine

  24. CCDP
    April 9th, 2016

    @diki @ John,

    I cannot see the answer “permit ip host 209.65.200.226 any” from the list of answers?

    please advise

  25. John
    April 10th, 2016

    @ccdp:
    Yes – the discussion above is just about the various possibilities for permitting the ISP device as an IP sender for various eBGP traffic etc. coming into the TSHOOT.com infrastructure via the WAN Cloud – Here I think – (and in sync with the correct answer above) – permitting the whole .224 subnet is probably best, in case the ISP and R1 devices – for some future / unknown / odd reason – should switch their WAN addresses on that subnet.
    However diki’s suggested ACL solution also works fine on the link IRL, although not in perfect sync with the wanted (and correct) ticket answer @ exam.

  27. TSHOOT
    July 19th, 2016

    could you please share Tickets simulation via Packet tracer.

    thanks in advance

  29. Adam
    July 24th, 2016

    Dear friends and exam takers,,,,

    Please tell me, are the tickets and configs the same in the guest and premium accounts, or are they different?

  30. ccnpaspirations
    July 24th, 2016

    Can someone double-check my logic?

    R1 does not have a route to 209.65.200.241/29 (it does have a route to 209.65.200.224/30). In order to get a route to 209.65.200.241/29, we need to get BGP working and BGP isn’t working because of the edge acl which is not allowing the ISP router and R1 to communicate.

    Is this an accurate summation of the problem?

    To explore a little further, if BGP was working but no route encompassing 209.65.200.241/29 is advertised, then there would still be a ping issue.

    Any feedback is appreciated.

  31. Brian
    July 25th, 2016

    @ccnpaspirations:
    1) Yop – You just nailed it!!!
    2) And Yop once again – if BGP was working but NO route encompassing 209.65.200.241/29 is advertised (from the external ISP eBGP neighbor), then there would STILL be a ping issue (towards the external WEB server from the inside) is ALSO just SO TRUE, SO TRUE!!!
    So I just wonder – Where the heck do you “get it” from? – How does this “cool” and “strategic” tech overview come to you? ;)

  32. ccnpaspirations
    July 26th, 2016

    @Brian:

    Thank you very much for your help! I’ve been studying using the CCNP Official Cert Library and also the CCNP Switch/Route Lab Manuals. I’ve got a home lab but would like to eventually find a job as a network engineer (or something similar).

    Are you a network engineer?

    Thanks again.

  33. Brian
    July 26th, 2016

    @ccnpaspirations:
    OK, that’s the reason! – Seems like a good study strategy! ;)
    Yep, I’ve worked as a network engineer for some years, while maintaining my Cisco certs etc. at the same time ;)
    Good luck ahead within the business ;)

  34. cls
    August 21st, 2016

    show ip bgp summary appears in the TSHOOT that was posted.

  36. CCNP-1000
    September 15th, 2016

    I passed the exam today with a score of 1000/1000; it took me 70 minutes to finish it.

    I had the latest dumps and all of them were garbage. I just studied this website, go for premium.
    I read all the comments and practiced all the tickets on the website and in PT and GNS3.

    To pass the exam with a score of 1000 this website is enough, but to survive out there you have to study hard, and by hard I mean hard! Out there the person who knows one line more is the winner, so passing this exam is just the beginning of your studies.

    Enough said, this is how I did it: (I found this strategy on this website by the ccnp-guy)
    ______________________________________________________________________

    You have to ask yourself: is it IPv4 or IPv6?

    If IPv6 you have these 3 questions, 1 each on
    R2: (T12) IPv6: enable ospf 0
    R3: (T15) IPv6: remove “tunnel mode ipv6″
    R4: (T16) missing Redistribution from RIPng to OSPFv3

    If it’s IPv4 do the following to narrow it down:

    From Client 1 ping 10.1.1.1. If it’s:

    OK? = 3 tickets on R1:
    (T03) Wrong IP of BGP neighbour
    (T04) NAT – ACL mis-configured
    (T05) WAN ACL statement missing

    If you can’t ping 10.1.1.1 try to ping 10.1.1.2 from Client 1

    OK? = 1 ticket on R1:
    (T01) OSPF Authentication

    If you can’t ping 10.1.1.2 try to ping 10.2.1.1 from Client 1

    OK? = 2 tickets on R4:
    (T11) Redistribute ospf to eigrp (“to” & -> )
    (T14) EIGRP Passive Interface

    If you can’t ping 10.2.1.1 you have 4 tickets as follows:

    NO? = 1 ticket on DSW1:
    (T06) VLAN filter

    or = 3 tickets on ASW1:

    (T08) Access port not in VLAN 10
    (T09) Port Channel not allowing VLAN 10,200
    (T07) Port Security

    I also had multiple choice questions and Eigrp and ospf simlets

    Good luck to you all.
    This is just the beginning so study hard.

  37. Dinesh
    October 2nd, 2016

    Hi Guys

    I cleared CCNP TSHOOT on 30th Sep 2016 with 1000 marks. I am going to share my experience of the recent completion of the exam, with details of the new Packet Tracer labs and multiple choice explanations on my YouTube channel. If anyone plans to take the exam in the upcoming days, I hope it will be helpful for you to score 1000 marks. Please subscribe to my channel if you like it. Right now I have posted previous videos in Tamil, but will post labs in English, fixing the voice issue in the videos that users faced in the previous videos. Your suggestions are welcome on the channel.

    https://www.youtube.com/playlist?list=PLkKuRw9Jznp7BVs7T9noV8d8rc0x_OjjZ

  38. Cruise
    October 12th, 2016

    Al7amd Le Allah, i Passed Tshoot last Friday scoring 987,

    I wanted to comment on this ticket as there was a problem in it that I want to warn everyone about: the problem is that even though the ACL is applied, R1 is able to ping the BGP neighbor “209.65.200.226”, so take care, this is just a bug in the system.

    I have included a comment in my exam, so that they would fix it in the future, but overall i really enjoyed this exam, by not memorizing the tickets instead making a troubleshooting strategy which is as below:

    1. If it is an IPv4 ticket, first distinguish whether it is an L2 or L3 ticket by the following:
    on Client 1, do ipconfig to know the IP of the gateway.
    Ping the gateway.

    If it succeeds this is an L3 ticket, if not this is an L2 ticket.

    2. L2 ticket investigation, open L2 topology
    ensure that Client 1 and 2 ports on ASW1 are configured in the right VLAN,
    Trunks between the switches are carrying the correct VLANs
    Check port security
    Check VACL

    3. L3 tickets, do traceroute from DSW1 to see where the problem resides

    4. IPV6 tickets, do traceroute from DSW1 to see where the problem resides.

  39. aj
    October 16th, 2016

    @cruise is traceroute allowed in the real exam?

  40. Anonymous
    October 24th, 2016

    545/1000. Today I took the test and all the tickets had changed. I need help. If anyone has the new tickets my mail is {email not allowed}

  43. hakzik
    November 18th, 2016

    Hi, today passed exam 1000/1000. In tickets 5-7 client 1 always had correct ip-address.

  45. 2/3 CCNP
    February 2nd, 2017

    Folks,

    Just passed the TSHOOT exam. Score 870/1000.
    It was not so easy. A lot of new MCQ questions and a very hard iBGP & eBGP sim. On this one there were two ASes. Your duty is to console into R1 and fix the issue. The iBGP & eBGP sessions are in idle state.
    I also had a problem in a ticket. I’ve left a comment.
    Apart from that everything worked just fine.

    be careful.

    cheers.

  46. Raghav
    February 2nd, 2017

    Passed today. MCQs changed, New exhibits, not so difficult iBGP & eBGP Simulation. Trouble tickets remained unchanged though.

    Read the Scenario for iBGP & eBGP Simulation your answers will be there if you pay attention when looking at the configuration.

    All the best!!
