
Ticket 5 – R1 ACL

March 25th, 2011 in TSHOOT

Client is not able to ping the server. Except for R1, no one else can ping the server. (use ipv4 Layer 3)

Problem: on R1, an ACL is blocking IP traffic
Configuration on R1

router bgp 65001
no synchronization
bgp log-neighbor-changes
network 209.65.200.224 mask 255.255.255.252
neighbor 209.65.200.226 remote-as 65002
no auto-summary
!
access-list 30 permit host 209.65.200.241
access-list 30 deny 10.1.0.0 0.0.255.255
access-list 30 deny 10.2.0.0 0.0.255.255
!
interface Serial0/0/0/1
ip address 209.65.200.224 255.255.255.252
ip nat outside
ip access-group 30 in

Answer: add the permit 209.65.200.224 0.0.0.3 command to R1's ACL

Ans1) R1
Ans2) IP Access list
Ans3) Add permit 209.65.200.224 0.0.0.3 to R1's ACL
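The ticket turns on how an inbound standard ACL is evaluated: first match wins, and anything that matches nothing hits the implicit deny at the end. The following Python model is an added example and is not part of the ticket or of networktut's material; it parses ACL 30 exactly as shown above, evaluates a few constructed inbound source addresses against it (the ISP's BGP peer 209.65.200.226, the web server 209.65.200.241, a spoofed inside address, and an arbitrary Internet host), and then repeats the check with the permit line from the answer added. The sample names and the `check_inbound` helper are assumptions made for the example.

```python
import ipaddress

# The standard numbered ACL exactly as the ticket shows it on R1 (inbound on the ISP link).
ORIGINAL_ACL_30 = [
    "access-list 30 permit host 209.65.200.241",
    "access-list 30 deny 10.1.0.0 0.0.255.255",
    "access-list 30 deny 10.2.0.0 0.0.255.255",
]

# The same ACL with the entry from the answer appended (new entries go to the end).
FIXED_ACL_30 = ORIGINAL_ACL_30 + ["access-list 30 permit 209.65.200.224 0.0.0.3"]

# Constructed inbound packets, keyed by what they represent and valued by source address.
INBOUND_SAMPLES = {
    "bgp-from-isp": "209.65.200.226",           # TCP/179 from the eBGP peer
    "echo-reply-from-webserver": "209.65.200.241",
    "spoofed-inside-addr": "10.1.4.1",          # inside range arriving from outside
    "random-internet": "198.51.100.7",          # documentation prefix, any other host
}


def parse_entry(line):
    """Parse one standard ACL entry into (action, address_int, wildcard_int).

    Accepts 'permit|deny host A.B.C.D', 'permit|deny A.B.C.D W.X.Y.Z',
    'permit|deny A.B.C.D' (IOS treats a bare address as a host) and 'permit|deny any'.
    The leading 'access-list <number>' is optional.
    """
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action in {line!r}")
    if rest == ["any"]:
        return action, 0, 0xFFFFFFFF
    if rest[0] == "host":
        return action, int(ipaddress.IPv4Address(rest[1])), 0
    addr = int(ipaddress.IPv4Address(rest[0]))
    wildcard = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
    return action, addr, wildcard


def matches(src, addr, wildcard):
    """Wildcard bits set to 1 are 'don't care'; compare only the remaining bits."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (addr & care)


def evaluate(acl_lines, src):
    """Return (action, matched_line) for a packet with source address src.

    Entries are tested top to bottom; the first match decides. If nothing
    matches, the implicit 'deny any' at the end of every IOS ACL applies.
    """
    for line in acl_lines:
        action, addr, wildcard = parse_entry(line)
        if matches(src, addr, wildcard):
            return action, line
    return "deny", None


def check_inbound(acl_lines):
    """Map each sample packet name to the verdict the ACL gives it."""
    return {name: evaluate(acl_lines, src)[0] for name, src in INBOUND_SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("as configured", ORIGINAL_ACL_30), ("with the fix", FIXED_ACL_30)):
        print(f"ACL 30 {label}:")
        for name, src in INBOUND_SAMPLES.items():
            action, line = evaluate(acl, src)
            print(f"  {name:28s} {src:16s} -> {action:6s} ({line or 'implicit deny'})")
```

Running it shows why the symptoms look like a BGP problem: with the original ACL the web server's replies are permitted, but the peer's TCP segments from 209.65.200.226 fall through to the implicit deny, so the session never reaches Established and the route to the server is never learned. The two 10.x.x.x deny lines never match legitimate outside traffic; they only reject packets that claim an inside source, which is the anti-spoofing role several commenters describe below.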

Comments (124)
  1. Naveed
    September 4th, 2010

    Even R1 would not be able to ping the web server or the ISP (209.65.200.226), since the explicit deny of this ACL will not allow a reply to come back into R1 (since this ACL is applied in the 'in' direction) from outside until a permit entry is included in the ACL. This will also cause the BGP neighbor relationship to go down.
    You will see one permit entry for the web server only, which is not enough. You will see the contents of this ACL as below.

    ip access-list extended edge_security
    permit ip host 209.65.200.241 any
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    That's why an entry of 'permit 209.65.200.224 0.0.0.3 any' is required to solve this problem.
    And by the way, the entries for the 10.x.x.x networks neither have any effect nor are required in this ACL; they put these up only to confuse the candidates.

  2. Anonymous
    September 4th, 2010

    R4, R3, R2 can not ping 209.65.200.226

  3. Leonardo
    September 7th, 2010

    @Naveed
    Could you please tell me why in the example above it says:

    "Answer: add permit 209.65.200.241 command to R1's ACL"

    Because then it says: Ans3) Add permit 209.65.200.224 0.0.0.3 to R1's ACL

    I'm 100% sure that Ans3) Add permit 209.65.200.224 0.0.0.3 to R1's ACL is the correct one, but the explanation above can confuse the candidate.

  4. Naveed
    September 8th, 2010

    @Leonardo
    In the above ticket, two contradictory answers are mentioned. The correct one is the same one which you mentioned. And yes, right, candidates can be confused because of the two different answers mentioned above.

    @networktut
    Kindly remove this extra line, which is wrong for this TT and also not required, since the correct answer is also mentioned below it: 'Answer: add permit 209.65.200.241 command to R1's ACL'

  5. networktut
    September 9th, 2010

    Yes, thanks for your detection, I updated the answer.

  6. Nipun
    September 19th, 2010

    Hello All!!
    Kindly provide the correct answer.
    Your explanations confused me. It seems that the correct answer is "permit 209.65.200.224 0.0.0.3 to R1's ACL" and it is in the inbound direction of R1 interface s0/0/0/1. Is there any other access-list in the outbound direction of R1 s0/0/0/1 interface as well?

  7. ki
    September 19th, 2010

    Thank you for the site. Earlier it helped me with BCMSN. Some comments.
    @Naveed, I think the other denies are for spoofing attacks from external, so that the external cannot spoof internal addresses.

  8. KACHY
    September 20th, 2010

    Please, I would really like to know if the question will appear exactly the same way it is displayed on this site. I mean, how do I know that a particular ticket is related to BGP, EIGRP, OSPF, IPv6 and what have you?

  9. Naveed
    September 24th, 2010

    @Kachy
    You are a CCNP candidate, so don't expect everything to be a piece of cake. You will receive a single type of question for all tickets, and the only way to differentiate among those is the symptoms, which are discussed on this forum many times. I think we should not expect even more than that.
    Regards.

  10. wicked_one
    September 28th, 2010

    Essential for this question is that the ACL results in BGP neighboring failing. For example, it would also work if you just permit "host 209.65.200.226" (the BGP neighbor), but that seems not to be a possible answer to select (though it would be considered a best practice for ACLs to be as specific as possible).

    @Naveed
    The 10.x.x.x statements aren't required, but they do have an effect (not for the lab topology, but for RL). Blocking the private IP ranges of the inside network is recommended to mitigate IP spoofing attacks.

    So they aren't there for confusing; in a real-life scenario they would be there for good reason, because R1 would be the gateway to the ISP, practically the whole Internet...

    Taking the exam on Thursday, already being curious how this will look in the exam.

  11. wicked_one
    September 28th, 2010

    Sorry for Spam
    @Kachy – go do your homework. This is NP, not CCENT... the information on this site should be enough to put the pieces together.

    by the way, great site, thx to the creators and all who share

  12. ZZZ
    September 30th, 2010

    I have not taken the exam yet, so I don’t know exactly how the question sounds.

    My post is based on the assumption that the acl is on the “IN” direction of R1 serial link to the ISP.

    If R1 is performing NAT, then the echo request, no matter if it’s coming directly from R1, or the client, will have a source address of 209.65.200.226 and destination 209.65.200.241. The echo reply will have a source address of 209.65.200.241 and destination 209.65.200.226.

    In the first of Naveed's posts, it is stated that the access list is an extended one. So by saying "permit ip host 209.65.200.241 any", you allow traffic from the web server towards 209.65.200.226 (and the client, if the NAT translation works right).

    If the access list is standard, then permit 209.65.200.224/30 won't do the thing, because it matches the source address, not the destination (and the echo reply has a source address of 209.65.200.241) and because the ACL is inbound to the interface.

    Am I missing something here?

  13. wicked_one
    September 30th, 2010

    @ZZZ
    Yep, but not your fault, because the description above is incomplete.

    The ACL in the exam denies some 10.x and IIRC the 127.x, but does already permit the webserver's IP, so it's really just a matter of permitting the 209.65.200.224/30, because this prevents BGP neighboring from happening.

  14. ZZZ
    September 30th, 2010

    @wicked one

    Thanks for the reply.
    But I have one more thing to add. In the description of the ticket, it is stated that ONLY R1 can ping the webserver. How can it ping the server if the BGP session isn't established and 209.65.200.240/29 is NOT connected (it is announced by the BGP peer)? Does R1 have a static default route towards 209.65.200.226?

  15. leeyoung
    October 1st, 2010

    @naveed
    Thanks a lot. I want to know: is this the only case about ACLs in the real exam?

  16. RedAnt
    October 4th, 2010

    I got it.

    The ACL denies the NAT's inside global IP (209.65.200.225); this is the real reason!
    This is why R1 can ping web_server but others cannot: the IP translated by R1 is being denied.

    How to resolve this problem? Use this:
    access-list 30 permit 209.65.200.225 0.0.0.0
    and this is included in 209.65.200.224 0.0.0.3,
    so Ans3) Add permit 209.65.200.224 0.0.0.3 to R1's ACL is right!

    By the way, none of the entries of the original access-list 30 do any work, except the hidden "deny any any".

  17. ZZZ
    October 4th, 2010

    R1 can't ping the server if the BGP session isn't established and R1 doesn't have a default route.

  18. RedAnt
    October 4th, 2010

    @ZZZ

  19. RedAnt
    October 4th, 2010

    @ZZZ

    BGP's establishment needs a moment; please wait 1 minute. Then you'll find it established while you don't type any key.

    So, it's not BGP's problem.

  20. ZZZ
    October 4th, 2010

    @RedANT

    What I meant is that if the line "permit 209.65.200.224 0.0.0.3" is not present, then R1 can't learn about 209.65.200.240/??, no matter how long you wait.

  21. BlueHorse
    October 4th, 2010

    I just tried this TT in GNS3. If the config on R1 is as follows:

    ip access-list extended edge_security
    permit ip host 209.65.200.241 any
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    Then client 1 will be able to ping the web server (209.65.200.241). You don't need to change anything. You do not even need to add permit ip 209.65.200.224 0.0.0.3 any.

    If the config on R1 is

    ip access-list extended edge_security
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    Then you need to add permit ip host 209.65.200.241 any to R1. Can someone also test this out?

  22. BlueHorse
    October 4th, 2010

    Sorry folks, my bad.
    My GNS3 was not working properly. I tested this TT again, and the correct answer is that you need to add permit ip 209.65.200.224 0.0.0.3 any in order for Client 1 to ping the web server.

    Just ignore my previous post.

  23. RedAnt
    October 5th, 2010

    @ZZZ
    Oh.
    You tested it with GNS3; its ACL is in the IN direction by default.
    I used Packet Tracer; its original code is in the OUT direction.
    Their appearances are different.

  24. Naveed
    October 10th, 2010

    @ZZZ
    You are right, and the same thing I mentioned in my very first post above about the failure of the BGP relationship. Let me repeat: if you apply the ACL under discussion in the 'in' direction without the 'permit ip 209.65.200.224 0.0.0.3 any' entry, it will cause the BGP neighbor relationship to go down. Once this happens, of course there is no way R1 can reach the Web Server, no matter that the permit entry for the web server is already there.

    @leeyoung
    Yes.

    @wicked_one
    Yes, right, blocking the private IP ranges of the inside network is recommended to mitigate IP spoofing attacks. Thanks for the addition.

  25. cmnl
    October 11th, 2010

    Are there any symptoms on the exam to differentiate this solution from TT3? Or are the available solutions different on these two tickets?

    The reason I ask is because (unless I'm mistaken) Naveed's correction to TT3 states that R1 and all others cannot ping the web server, which seems to be the same symptom as on this ticket.

  26. cmnl
    October 11th, 2010

    Nevermind, I think I figured this one out. The difference is whether or not we can ping 209.65.200.226 from R1 (or any other router or client).

    On TT5, clients and routers cannot ping 209.65.200.226 due to the ACL. Anything received by R1 with a source IP in the 209.65.200.226/30 network will be dropped (i.e. BGP packets, ping responses from .226, etc.) due to the ACL's implicit deny. Adding "permit 209.65.200.224 0.0.0.3 any" to R1's ACL will now accept traffic sourced from that network, which (eventually) brings up BGP, and R1 can then route pings to the web server.

    On TT3, they CAN ping 209.65.200.226 but can’t ping the web server due to the BGP config error.

  27. cmnl
    October 11th, 2010

    *** typo in above post
    “Anything received by R1 with a source IP in the ***209.65.200.224/30*** network will be dropped …”

  28. Nexttest
    October 11th, 2010

    Let's use TT 5 as an example. What would be the question, and do you have to go into the interface and correct the problem, or would you be able to just respond with the three answers? Just looking for a better idea of the format.

    Problem:on R1 acl blocking ip
    acl something like this:
    deny 10.2.1.0
    deny 10.1.4.0
    deny 10.1.1.0

    Answer: add permit 209.65.200.224 0.0.0.3 command to R1's ACL

    Ans1) R1
    Ans2) IPv4 Layer3 Security
    Ans3) Add permit 209.65.200.224 0.0.0.3 to R1's ACL

  29. NetBt
    October 18th, 2010

    On what interface was the access list applied, and in what direction?

  30. NP->SP->IE
    October 19th, 2010

    @Naveen, I took the test with 1K; one thing that confused me is that I was unable to ping up to 209.65.200.226. I totally agree with your comment above. It also makes the BGP link go down, which makes people think this is a BGP issue. Actually, it's not.

  31. NP->SP->IE
    October 19th, 2010

    Correction: I was able to ping up to 209.65.200.226, which it should not.

  32. NP->SP->IE
    October 19th, 2010

    @NetBt

    Under serial 0/0/0/1, in direction.

  33. Paitanas
    October 20th, 2010

    interface Serial0/1
    ip address 209.65.200.225 255.255.255.252
    ip access-group EDGE_SECURITY in
    ip nat outside

    ip access-list extended EDGE_SECURITY
    permit ip 209.65.200.224 0.0.0.31 any -> this allows the web server to respond to ping, and BGP does not fail
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any
    ----------
    In GNS3

    ip access-list extended EDGE_SECURITY
    permit ip 209.65.200.224 0.0.0.3 any -> BGP session works well but the webserver does not respond to ping
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    ----------

    ip access-list extended EDGE_SECURITY
    permit ip host 209.65.200.241 any -> after some time the BGP session fails
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    *Mar 1 02:46:40.927: %BGP-5-ADJCHANGE: neighbor 209.65.200.225 Down BGP Notif

  34. Naveed
    October 26th, 2010

    @NP->SP->IE
    The TSHOOT exam is based on a simulation, not real routers/IOS, so you can expect weird behaviors of the exam lab (sometimes); many people observed and reported the same for their exams. The important thing is to be very clear with the concept, and from the exam perspective it's good to cross-check every TT with all the symptoms. That's why I have mentioned more than one symptom for all TTs.

  35. raba
    October 27th, 2010

    As far as I know, if we don't have the permit access-list entry for 209.65.200.224 0.0.0.3 any, the BGP session will not be up. Is that right?

  36. Naveed
    October 28th, 2010

    @raba…Right.

  37. Donchichi
    October 28th, 2010

    Hey naveed,

    I took the exam recently, and I noticed something peculiar about this ticket. All devices could not ping 209.65.200.226, but the CLIENT 1 PC could ping it. Not even R1 could ping it... Any ideas?

  38. Naveed
    October 30th, 2010

    @Donchichi
    Same reason as I mentioned above in my post: the exam is a simulation and not based on actual IOS, so these types of simulation malfunctions are possible. I never mentioned this before, but let me tell you that in my exam, in one of the TTs, Client 1 was not able to ping client 2 but client 2 was perfectly pinging client 1... more interestingly, client 2 wasn't even pinging itself :) . That's why I am always recommending people to cross-check every TT with multiple symptoms to get a perfect hypothesis about a TT.

  39. cisco guru
    November 5th, 2010

    take it with all this god willing shit , half you lot are cheating Muslims.. read the Koran brother and you will see that the profit said ” at the point of stealing, cheating the Muslim is no longer a believer”

    you have just become a infidel for the sake of a cert. well done

  40. Naveed
    November 8th, 2010

    @CCIE interested people
    This is an open invitation for the people serious about CCIE. You are advised to send an email to the below-mentioned address to enroll your willingness. We'll be utilizing the concept of 1+1 = 11 by putting our minds together to study/practice the right thing. Here it doesn't require a mention for a CCIE candidate, but let me clear one thing: 'THERE IS NO SHORTCUT TO CCIE', so anybody looking for shortcuts, please accept my advance excuse. However, we'll try to do our best to find out the fastest way and the most effective material of practice/study.
    Kindly enroll your willingness at the following email address. Also, if you have any question, send it to the same address.
    ask_ccie@yahoo.com

    @networktut
    I wish you could have a managed discussion forum for CCIE as you have for CCNP

  41. Bit Confused
    November 16th, 2010

    Without neighbourship established, how can R1 ping Server?

  42. zizu
    November 23rd, 2010

    @Bit Confused

    It cannot.

  43. Meru
    November 24th, 2010

    So let me get this clear:
    in order for the clients to be able to ping the webserver, R1 must have an access list applied to its S0/0/0/1 interface, and that access list must allow traffic coming from the WAN subnet (the 209.65.200.224/30 subnet), correct?

  44. emt training
    November 29th, 2010

    I’ve recently started a blog, the information you provide on this site has helped me tremendously. Thank you for all of your time & work.

  45. naggi
    December 5th, 2010

    Hi guys, somebody help: I am trying to do the demo, but there are only 4 TT questions and all are related to the L3 topology. Please help, is there more or is this it?
    And how do I know which topology this question is related to? My cordial thanks to you guys.

  46. information technology
    December 9th, 2010

    Thanks for an idea, you sparked at thought from a angle I hadn’t given thoguht to yet. Now lets see if I can do something with it.

  47. Omar
    December 9th, 2010

    @ NAVEED
    Final Confirmation Please:

    You said that R1 cannot ping the server, but it is said in the TT's 1st line: "Except for R1, no one else can ping the server."

    Is this given (that R1 can ping the server) a statement given in the exam, or is it found by testing from the router in the exam?

    If it is by testing, is it an error due to the simulated IOS?

    BR
    Omar

  48. uddika
    December 10th, 2010

    @ Naveed,

    Tested this with GNS3.
    Since the cause of the problem was that BGP neighborships weren't establishing, I simply added this line under "edge_security":

    R1(config-ext-nacl)#permit ip host 209.65.200.226 host 209.65.200.225

    Everything worked well.

  49. uddika
    December 10th, 2010

    @ Naveed,

    So the final config looks like...

    R1#
    R1#show run | b access-list
    ip access-list extended edge_security
    permit ip host 209.65.200.241 any
    deny ip 10.2.1.0 0.0.0.255 any
    deny ip 10.1.4.0 0.0.0.255 any
    deny ip 10.1.1.0 0.0.0.255 any
    deny ip host 127.0.0.1 any
    permit ip host 209.65.200.226 host 209.65.200.225
    !

    This specifically allows the remote AS 65002 BGP neighbor to communicate with R1 at AS 65001. This will be sufficient for the necessary BGP advertisement to arrive at our network, for Client_1 to access the web server.

  50. Omar
    December 15th, 2010

    @ uddika

    Is the command "permit ip host 209.65.200.226 host 209.65.200.225" one of the available choices in the exam?

  51. matrix
    December 16th, 2010

    @ Omar

    I think that option is not available; that is why we have to add permit ip 209.65.200.224 0.0.0.3 any under the ACL.

    Otherwise the above solution, or just permit ip host 209.65.200.226 any, will do.

    Thanks all for the good explanation.

  52. Naveed
    December 16th, 2010

    @Omar
    Nothing is given in the exam; everything you have to test. R1 cannot ping the server in this TT, and the reason is explained well in the above posts.

    @uddika
    Yes, this entry 'permit ip host 209.65.200.226 host 209.65.200.225' is also a correct solution, but since it is not available as an option to select in the exam, adding the entry 'permit ip 209.65.200.224 0.0.0.3 any' is the correct available option.

  53. kumar
    December 26th, 2010

    Hi,
    In my exam, I couldn't perform SHOW ACCESS-LIST. Any specific reason for that?

  54. JP
    December 27th, 2010

    I am giving it today.

  55. Malay
    December 30th, 2010

    @ Naveed,

    Hi Naveed, I want to clear up one more thing.
    As per the configuration:

    On R1 interface s0/0/0/1
    ip address 209.65.200.224 255.255.255.252
    ip nat outside.

    As per me:

    On R1 interface S0/0/0/1
    ip address 209.65.200.225 255.255.255.252
    ip nat outside.

    Is it true or not? Please let me know.

  56. Malay
    December 30th, 2010

    @ naveed

    209.65.200.224 is a network address.

  57. David
    December 30th, 2010

    @Malay,

    You are right, it's a typo; 209.65.200.224 is a network address.

    On R1 interface S0/0/0/1
    ip address 209.65.200.225 255.255.255.252
    ip nat outside.

  58. Malay
    December 30th, 2010

    @ David..

    Thanks for your reply. Can you please tell me if the TT is still valid? I have the exam next week.

  59. David
    December 31st, 2010

    @Malay

    Based on the exam I took, this TT is still valid.

    But you need to check the config thoroughly during the test; there could be some minor changes, e.g. incorrect IP addresses in the ACL, or the ACL applied in the wrong direction [OUT instead of IN] at the interface, etc.

    I believe there will not be ‘major’ changes to the questions. But this is just my own opinion.

  60. Malay
    December 31st, 2010

    @ David,

    Thanks for your valuable reply.

  61. ryusstory
    January 4th, 2011

    I tried this TT on my real router [2611XM].

    After configuring the access-list, I got these logs, and then I couldn't ping the server except from R1:

    *Mar 3 08:48:41.203: %BGP-5-ADJCHANGE: neighbor 209.65.200.226 Down BGP Notification sent
    *Mar 3 08:48:41.203: %BGP-3-NOTIFICATION: sent to neighbor 209.65.200.226 4/0 (hold time expired) 0 bytes

    After entering this line "R1(config)#access-list 30 permit 209.65.200.224 0.0.0.3":

    *Mar 3 08:53:55.690: %BGP-5-ADJCHANGE: neighbor 209.65.200.226 Up

  62. ryusstory
    January 6th, 2011

    I took TSHOOT a few days ago and I got 982/1000.
    Ans2 is "IPv4 Layer3 Security", not ACL.

  63. llc
    January 12th, 2011

    If you could e-mail me with a few suggestions on just how you made your blog look this excellent, I would be grateful.

  64. Nguyen Duc Hoa.
    January 14th, 2011

    That's right. If the ACL on R1 does not allow 209.65.200.226, then R1 cannot establish a BGP neighbor relationship with AS 65002. And then the route 209.65.200.240/29 cannot be advertised, and certainly, in R1's routing table, the route 209.65.200.240/29 does not exist -> we cannot ping the Web server from R1.

  65. Ahmad
    January 30th, 2011

    Client is not able to ping the server. Except for R1, no one else can ping the server!!!

    In pass4sure, R1 is also not able to see the webserver!! Are you sure about this??

  66. Nirmala
    February 9th, 2011

    Hi everyone! I’m going to take the exam next week. Guys please let me know if there is anything changed or updated.

    Are these questions still valid?

    Please help me……!

    Thank you

  67. Nirmala
    February 19th, 2011

    I did the exam yesterday and got 1000!

    Thanks to everybody here supporting me for this achievement.

    All the questions in the exam are the things that appear here. Nothing has been changed.

    But I would like to give an important piece of advice for the people who wish to take the exam soon.

    Please read the comments in the following link by Geno and Lisa. Those instructions were really helpful to me!

    http://www.networktut.com/tshoot-ticket-1

  68. AhMAAAAADD
    March 2nd, 2011

    Dear All,
    Just passed TSHOOT & I'm CCNP. Got 1000; I've got the following:
    4 MCQ
    NO Drag & Drop.
    12 TT (1 new TT; the old TT with wrong IP 209.56.200.241 has been removed); all other TTs are VALID.
    Thanks Networktut for sharing knowledge.

  69. wahab
    March 8th, 2011

    If anyone has the latest dumps, please send me wahabktk@yahoo.com

  70. tiger506
    March 10th, 2011

    In this ticket, you can use the command "sh ip bgp neighbor"; you find "BGP state = Active", which means all packets from 209.65.200.226 were dropped.
    After you add permit 209.65.200.224 0.0.0.3 to ACL 30, the BGP state returns to "Established".

  71. base
    March 29th, 2011

    If there wasn't a BGP relationship, how come R1 could ping the server?

  72. base
    March 29th, 2011

    So I am thinking there's a problem with the initial question; I think with the ACL no device should be able to reach the server.

  73. Simke
    April 6th, 2011

    I think that in the real exam R1 learns a default route from the BGP neighbor.

    Since ACL 30 doesn't allow traffic with source IP address 209.65.200.226, the BGP neighborship will not be established and R1 will not learn the default route from its neighbor.

    R1 will drop all packets for unknown networks because it doesn't have a default route to forward traffic to.

    This is why ping fails from all devices.

    Add the "permit 209.65.200.224 0.0.0.3" command to R1's ACL; the BGP neighborship will be established, R1 will learn the default route, and ping will be successful from any of the devices.
    What do you think about that?

  74. cris
    April 11th, 2011

    Guys, planning to do the exam the day after tomorrow! Are these tickets 100% sure?

  75. ria
    April 11th, 2011

    The access-list 30 deny 10.1.0.0 0.0.255.255 and deny 10.2.0.0 0.0.255.255 entries have no effect on the ping of PC 1, because ip access-group 30 in is applied in the inbound direction of interface s0/0/1. The only nets coming in are the host of the webserver and the net of the BGP, and to get an echo back from the net you have to permit it by adding to access-list 30:
    permit 209.65.200.224 0.0.0.3, and the host of course.

  76. ria
    April 12th, 2011

    To wicked_one: to block private IP addresses from spoofing, you have to block the 10, 172.16.0.0 to 172.31.255.255 and 192.168.0.0 ranges.
    Or you permit the net that connects us to the internet and the webserver host address, and
    the rest will be denied.

  77. Anonymous
    April 14th, 2011

    Has anyone seen the TSHOOT 642-832 dump from Testinside? It has no trouble ticket questions. Something is really wrong there...

  78. Anonymous
    April 16th, 2011

    The 642-832 TSHOOT topology made available by Cisco in the PDF is not the same as their online topology demo. Could someone please confirm the actual topology used in the real exam?

  79. Anonymous
    April 22nd, 2011

    Can anybody give me an example of exactly how the TT questions are asked in the exam?

  80. mr.muschnik
    April 25th, 2011

    Correct, R1 won't be able to ping the webserver unless there is a default route out s0/0/0/1.

    The thing about this ticket is that the BGP neighbors won't peer, as the BGP TCP session is blocked by the ACL. Neighbor 209.65.200.226 will be in state "Active" (who thought that was a good name for a state?) where it should show the number of prefixes learned from that neighbor.

    enjoy

  81. Anonymous
    April 30th, 2011

    Do the CCNP 642-832 TSHOOT exam routers and switches reset themselves, or do we have to log out of all devices after every trouble ticket?

  82. Sanjith
    May 3rd, 2011

    interface Serial0/0/0/1
    ip address 209.65.200.224 255.255.255.252
    ip nat outside
    ----------
    The IP configured on this interface is also wrong; it cannot be .224. Could be a typo.

  83. DBW
    May 3rd, 2011

    How do the routers refresh themselves between trouble tickets?

  84. Felcor
    May 5th, 2011

    Hello everybody, I did the test today with 930/1000. There is a TT on BGP and a drag-and-drop question that is not available on the site that came up in my exam; the rest are the same.
    Thank you!

  85. BGP TT
    May 7th, 2011

    @Felcor
    Dear All!
    There is a slightly different TT!
    The "#show ip bgp" also does not show anything, because there is an ACL called something like "outside area" on the serial interface of R1 to the Service Provider.
    In the ACL there are about 5 lines; none of them permits connections to 209.65.200.224.
    Because of that we cannot see the BGP peer!
    So the answers are:
    1, R1
    2, ACL?
    3, permit 209.65.200.224…
    It is easy to find.
    Br!

  86. DBW
    May 15th, 2011

    I have completed my CCNP certification today by passing my last exam, TSHOOT.
    The exam itself was kind of straightforward, with almost all of the TTs well known
    as stated on this site. I had 2 DD, 2 MCQ & 13 TT.

    One of the issues with this TSHOOT exam is that you have to constantly move windows around while you are trying to keep your concentration. I was also working on a small screen. (Frustrating)

    TIP
    Have a strategy with your PING command
    Make sure you properly exit all devices after each ticket.
    Abort and move to the next TT if you can’t find the problem. (You can always come back)

    I think cisco should have offered a PRINT OUT OF THE TOPOLOGY to all candidates on exam day and collect them afterwards. Anyway! I have a good dump. Interested? Drop me a line donald.bart-williams@stjohns.surrey.sch.uk

    I am now going to focus on the ASA 5510 firewall.

    To all you CCNP candidates on this forum, including SWITCH & ROUTE, good luck and have a nice summer. It has been fun.

  87. hima
    May 17th, 2011

    Anyone who found any new dump, please send it to hima_data@yahoo.com

  88. Mohamed Mahrous
    May 18th, 2011

    Dear All 1000/1000 today(( Muslems want all you fine))
    The ACL makes all the devices unable to ping 209.65.200.241 and 209.65.200.226.
    All devices including R1 can't ping:

    You will find that the ACL does not include the interface on the other side of the link, which is 209.65.200.226, so it will drop all packets from it and the neighborship fails,
    so the solution is by adding
    permit ip 209.65.200.224 0.0.0.3 any
    THANKS 9TUT, ALL QUESTIONS ARE HERE.

  89. sam
    May 20th, 2011

    Yesterday I passed the exam, got 1000/1000.

    For the VLAN filter TT:

    pass4sure mentioned the answer is vlan access-map test1 10

    But the correct answer is

    Remove vlan filter test1 from DSW1

    as mentioned in networktut.
    ==========

    For the R1 ACL: a little bit of correction

    "IP Access list" is mentioned in networktut; in the exam it is "IPv4 Layer3 Security".

  90. hamorammaCync
    June 10th, 2011

    Thanks For This Blog, was added to my bookmarks.

  91. JT
    June 13th, 2011

    Hello Guys,
    Need CBT Nuggets TSHOOT. Please call if anybody has got it. Happy to share ROUTE and SWITCH study material and P4S Q&A plus all sims for ROUTE and SWITCH. ROUTE in GNS3 and SWITCH in Packet Tracer.
    Thanks
    email: kripa.jyoti@gmail.com

  92. shah
    June 20th, 2011

    Guys, any changes in the current update? If any one of you got updated dumps, please update me on shariq2009@live.com

  93. Mohammad
    June 20th, 2011

    Kindly advise.
    In the BGP TT, when we use sh ip bgp summary, the output is nothing, which means we don't have a relationship with the peer; the problem was "wrong ip add".

    But here I'm really confused, because why isn't the BGP neighbor up??

    Can anyone clear it up for me?

  94. pank
    June 21st, 2011

    @Mohammad: without wasting time on the internet, go and study well before attempting the exam.

  95. Mohammad
    June 22nd, 2011

    @Pank: if you don't want to provide help, skip this comment (I DON'T NEED YOUR OPINION)!!!!

  96. Shaun
    June 24th, 2011

    @mohamed: from the client, if it is not pinging the web server (209.200.1.241, I guess it's the IP for the web server), it's definitely a BGP issue, no worries about that. In the BGP issue, the 209.x.x.226 address will ping from the client. If the .226 address is not pinging, it's definitely NAT or the R1 ACL... please look through.

  97. Anonymous
    July 22nd, 2011

    Anyone with an update?

  98. Monex scam
    July 26th, 2011

    As each packet comes through an interface with an associated access list, the list is scanned from top to bottom, in the exact order that it was entered, for a pattern that matches the incoming packet. The pattern statement can also include a TCP or UDP (User Datagram Protocol) port number... Access list statements are entered one line at a time, and the list is scanned for a match in that same order.

  99. Sugel
    August 20th, 2011

    Building permits issued recently by the Seattle Department of Planning and Development.

  100. Huseyin
    August 26th, 2011

    Hi all,
    today I passed the exam, got 986/1000.
    1 MCQ
    2 Drag & Drop.
    13 TT, all TT are VALID.
    Thanks Networktut

  101. Arsenal
    October 11th, 2011

    Tell me how I would distinguish which topology the question asked in a ticket is related to, i.e. the Layer 3 or the Layer 2/3 topology.

    All the IPs and devices are the same in both topologies.

  102. dsa3dany
    November 1st, 2011

    I passed the exam yesterday, 31-oct-2011, with 1000.

    I don’t remember how many D&D there were, 1 or 2, but whatever is here on the site is valid for D&D and MCQ.

    For Ticket 5 – R1 ACL

    R1 is not pingable because of the ACL: it is permitting only (permit ip host 209.65.200.241 any) and denying all on the incoming side of R1’s serial interface, so it is denying 209.65.200.226, so the BGP session will be down because of the TCP connection, and R1 doesn’t have any default route toward the server.

    Hope for all, all the best

    Regards,

  103. Donald
    November 6th, 2011

    Are there any social site like 9tut for CCNP Security?

  104. Bilal Al-Masri
    November 27th, 2011

    Today, I have passed TSHOOT with full marks, Alhamdulleah (thanks to GOD). All the dumps are valid.

    13 TT (the EIGRP AS ticket is not in the exam).

    All 13 TTs are the same.

  105. Pinger
    December 3rd, 2011

    This ticket has been modified; I almost got this one wrong. The answer is Layer 3 security, there is no IP access list option, and the answer to question 3 has been modified as well.

  106. Pinger
    December 3rd, 2011

    Oh, and I got a perfect score, so trust me on this one.

  107. Pinger
    December 4th, 2011

    Actually a few people do have sort of the correct answer on here. Look for answer 3: extended edge security with ip, wildcard mask with “Any” at the end of the statement.

  108. Newf
    December 5th, 2011

    What are people getting for Ticket 5? Is it

    1 R1
    2 IPv4 L3 Security
    3 ip access-list standard edge_security permit 209.65.200.224 0.0.0.3

    or IP Access list

    ???

  109. jahboi
    December 29th, 2011

    Passed yesterday!

    The answer is as shown above: #Newf

  110. Aleemuddin
    December 29th, 2011

    Alhumdullilah, I have passed my exam with a score of 945. Thanks to Allah and networktut.

    aleemyousuf@gmail.com

  111. Ahsan Ali
    December 30th, 2011

    Guys, I have the exam on 2nd Jan. Please can someone provide me with the perfect configuration for the 3 topologies? I desperately need them. Please mail it to ahsanalicha@hotmail.com

  112. DavidW
    January 6th, 2012

    Hi Guys,
    Very confused whether the answer for Ticket 5 would be IPv4 Layer 3 Security or IP Access list. Kindly help, whoever got 1000/1000, please…

    Ans1) R1
    Ans2) IP Access list / IPv4 Layer 3 Security.
    Ans3) Add permit 209.65.200.224 0.0.0.3 to R1′s ACL / ip access-list standard edge_security permit 209.65.200.224 0.0.0.3

  113. Belal
    January 8th, 2012

    Passed my TSHOOT exam on 5th January, 2012 with 1000/1000, Allhamdulilah.
    The “Networktut” website and my brother Sohaib Fouzi helped me to prepare for this exam, thanks to both of you.
    All TTs are still valid and the same as mentioned on “networktut”. I got multiple choice and 13 TTs. Except for EIGRP AS, all TTs came. In all TTs Client1 will have valid IPs (except 4 TTs of 169.x.x.x).
    I did my complete exam using only the “ipconfig”, “ping” and “show run” commands and never felt the need to use any other command. One thing is very important: you should have a complete understanding of the TTs, otherwise you will not be able to understand 2 or 3 TTs, because Cisco made very minor changes in the multiple choices or in the configuration. The IP scheme between R4, DSW1 and DSW2 is 10.1.4.x.
    When I entered the LAB, before starting my exam I wrote the lines below on the provided sheet, and then it became very easy to solve the TTs. To solve the TTs I followed the following scheme and order (remember to always use “ipconfig” and “ping” on Client1 for all TTs):

    ->> If it is 169.x.x.x there are 4 TTs:
    1. ASW1 – port security (show run on ASW1; if 1/0/1 and 1/0/2 are in Vlan10, apply sh int for both)
    2. ASW1 – access vlan 10 (show run and check ASW1; if 1/0/1 and 1/0/2 are in Vlan1, if they are… stop!)
    3. ASW1 – switch-to-switch (show run on ASW1)
    4. R4 – DHCP excluded (show run on R4)
    ——————————————————————-

    ->> If the client got an IP address, then 2 options:
    - First, if Client1 can ping 10.1.1.1 but not the server 209.65.200.241 (3 TTs), ALL IN R1:
    1. R1 – NAT (10.2.0.0) (show run on R1) (sh ip bgp summary)
    2. R1 – BGP (56-65) (show run on R1) (sh ip bgp summary)
    3. R1 – ACL (show run on R1) (sh ip bgp summary)
    - Second, the client can’t ping 10.1.1.1 but it can ping 10.1.1.2, then (1 TT):
    4. R1 – OSPF authentication (show run on R1 + R2)
    - Thirdly, if Client1 cannot ping 10.1.1.1, then (4 TTs):
    1. DSW1 (ASW1) – vlan access map (vlan acl port) *** this one cannot ping even the gateway (check the vlan-filter command, which contains the vlan access-map, which contains the access-list number; now check the access-list number. It can drop the packets for the PC connected to ASW1.)
    2. R4 – Route redistribution (show run on R4) (EIGRP->OSPF is created and EIGRP-TO-OSPF is used)
    3. R4 – EIGRP Passive Interface: passive interface (show run on R4) (sh ip protocols)
    4. R4 – EIGRP AS: a different EIGRP AS number is used. To verify: show ip protocols.
    ——————————————————————-

    ->> Finally, there are 2 distinct TTs:
    - HSRP on DSW1: check DSW1, use track 10 instead of track 1 (show run); this is the only question where you will see tracking.
    - OSPF IPv6 on R2: on the serial interface use area 0, not area 12 (show run); you will recognize this TT by reading the ticket, because it is the only TT which talks about IPv6.

    Note: I copied the above scheme from one comment on “networktut”; I don’t remember the name. Sorry to mention it under my comment, but it was just to help others. Please feel free to ask any query, my email address is belal_fouzi@yahoo.com

  114. Belal
    January 8th, 2012

    @DavidW,
    It’s IPv4 Layer 3 Security and then ip access-list standard edge_security permit 209.65.200.224 0.0.0.3.

    I was also confused, but when I found “ip access-list standard edge_security permit 209.65.200.224 0.0.0.3” under “IPv4 Layer 3 Security” then I felt it is right.

  115. Ahmed M. Alkalsh
    January 13th, 2012

    @networktut
    interface Serial0/0/0/1
    ip address 209.65.200.224 255.255.255.252
    ???
    The ip address should be 209.65.200.225.
    Thanks

  116. Tahir
    January 25th, 2012

    @ Naveed…

    Salam brother, can you please explain to me whether it is a Standard or an Extended Access-List? I think it is Extended because of the location where it is applied. I think you will understand what I am saying.

  117. Tahir
    January 25th, 2012

    @Naveed

    It is urgent brother, because in 2 days I am going for the exam.

    Thanks in Advance

  118. Help !!!
    January 27th, 2012

    A big congratulations to everyone who just passed the TSHOOT paper. If possible, please share the dump of TSHOOT to this mail, please, and thanks a lot! kkk278@hotmail.co.uk Also, if you have any Packet Tracer software 5.3+, please send me one, really appreciated! (Urgent)

  119. rocksays18
    February 14th, 2012

    @all experts:
    My question is about R1-ACL:
    As we all know the ANS is “permit 209.65.200.224 0.0.0.3”, meaning we have to allow the /30 subnet (of the WAN link) to make CLIENT1 able to ping the web server.
    BUT
    my question is:
    when CLIENT1 pings the web server (209.65.200.241), which is permitted already, then why can’t Client1 ping the same????
    The ICMP packet (for PING) is only destined to the WEB SERVER and NOT to 209.65.200.224/30.
    Then what magic is being done by adding the 209.65.200.224/30 subnet?
    I think everyone is blindly following the trend. Please let me know the reason.

  120. Adrian
    February 19th, 2012

    You cannot do this with a standard ACL. It does not matter if you ping the web server from R1 or from a different router; the source will always be the server for the ACL inbound direction.
    There are 2 options:
    1) everyone can ping the server
    2) nobody can ping the web server
    Whether BGP is up or not is not important. The reply, where the source is the IP of the web server, will pass or not based on this ACL.

  121. Nitai
    February 19th, 2012

    @Rocksays18:
    In order for R1 to have the 209.65.200.224/30 route in its BGP/routing table, it needs to have a BGP relationship with 209.65.200.226 at the ISP. Now the access list “access-list 30 permit host 209.65.200.241” is only allowing that particular IP address and all the other IP addresses are implicitly denied; you need to add an access list entry to allow the 209.65.200.224/30 subnet so that R1 can have a BGP neighborship with the ISP router. Now, to have a BGP relationship, both these routers do not need to be in the same subnet, but there should be a TCP connection to exchange information between them. I hope that makes sense.
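
    The point dsa3dany and Nitai make above (the ISP peer's packets are caught by the implicit deny until the /30 is permitted, while the web server's replies were already allowed) can be checked with a small model of IOS standard-ACL evaluation. This is an added illustration, not code from the thread; the `INBOUND` packets are constructed from the addresses quoted in the ticket and the name `inbound_verdicts` is ours.

```python
"""Model of a Cisco standard ACL (first match wins, implicit deny at the end),
applied inbound on R1's WAN interface as in Ticket 5.  Added illustration,
not from the thread; only addresses quoted in the ticket are used."""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (action, address, wildcard) as typed in IOS


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def evaluate(acl: List[Entry], source: str) -> str:
    """A standard ACL looks only at the source address; the first matching
    entry decides, and anything matching no entry hits the implicit 'deny any'."""
    for action, network, wildcard in acl:
        if wildcard_match(source, network, wildcard):
            return action
    return "deny"


# R1's access-list 30 exactly as shown in the ticket ("host x" is wildcard 0.0.0.0)
ACL_30_ORIGINAL: List[Entry] = [
    ("permit", "209.65.200.241", "0.0.0.0"),
    ("deny", "10.1.0.0", "0.0.255.255"),
    ("deny", "10.2.0.0", "0.0.255.255"),
]
# The same ACL after the fix given in the answer key
ACL_30_FIXED: List[Entry] = ACL_30_ORIGINAL + [("permit", "209.65.200.224", "0.0.0.3")]

# Constructed inbound packets on R1's serial interface: the ISP's BGP session
# (sourced from the peer address) and the web server's ICMP echo reply.
INBOUND: Dict[str, str] = {
    "bgp_from_isp": "209.65.200.226",
    "icmp_reply_from_webserver": "209.65.200.241",
}


def inbound_verdicts(acl: List[Entry]) -> Dict[str, str]:
    """Verdict per constructed inbound packet; 'deny' for the BGP peer means the
    session never forms and R1 learns no route toward the server."""
    return {name: evaluate(acl, src) for name, src in INBOUND.items()}
```

Running `inbound_verdicts` on both lists shows the web server reply permitted in both cases and the BGP peer denied only by the original ACL, which is why the ping fails before the fix even though the server itself is already permitted.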

  122. Obama
    February 20th, 2012

    TT is still valid. I passed this evening. Everyone has given all the info you need, but I advise you to develop your own technique and approach. If the Client 1 & 2 IP is 169.x.x.x, it implies that they cannot access the DHCP on R4, so this will help you narrow your troubleshooting. Best of luck.

  123. X.W.
    February 22nd, 2012

    I think this TT is all about NAT.

    I tried to find out by using the “debug ip nat” command on R1 in a simulation. (The debug command is not supported in the real exam, but it tells us what happens. I used the PKT file from ciscoguide.com.)

    At first, I pinged from Client 1 to the Web server with the ORIGINAL configuration; this is the debugging information:
    “NAT: s=10.2.1.3->209.65.200.225, d=209.65.200.226 [17]
    NAT*: s=209.65.200.225->209.65.200.226, d=209.65.200.225 [2916]
    NAT*: s=209.65.200.225, d=209.65.200.225->10.2.1.3 [2916]”
    (So, obviously, R1 translated 10.2.1.3 to 209.65.200.225, then it was denied by the implicit “deny any any” in access-list 30, which has no permit for the 209.65.200.225/30 subnet. The packet was denied, so it went back to 209.65.200.225.)

    After I added “permit 209.65.200.224 0.0.0.3” to the R1 configuration,
    I pinged again.
    The debugging information:
    “NAT: s=10.2.1.3->209.65.200.225, d=209.65.200.226 [21]
    NAT*: s=209.65.200.226, d=209.65.200.225->10.2.1.3 [139]”
    (As you can clearly see, 10.2.1.3 was translated to 209.65.200.255, and the echo was returned from 209.65.200.226 with a destination of 209.65.200.225, which was translated back to 10.2.1.3; the ping was successful.)

    So this is the NAT ACL problem.

    I hope my explanation helps you guys get rid of the confusion.

  124. X.W.
    February 22nd, 2012

    To correct, it is about R1 ACL which restricts the addresses after NAT.

    Sorry.
