
Ticket 5 – R1 ACL

May 2nd, 2018 in TSHOOT v2

Configuration on R1
interface Serial0/0/1
description Link to ISP
! 209.65.200.224 is the network address of the /30; R1 uses .225 and the ISP neighbor .226
ip address 209.65.200.225 255.255.255.252
ip nat outside
ip access-group edge_security in
!
ip access-list extended edge_security
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
!

Answer:

Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‘ip access-list extended edge_security’ configuration add the ‘permit ip 209.65.200.224 0.0.0.3 any’ command.

Note:
+ This is the only ticket in which the extended access-list edge_security exists. In the other tickets, access-list 30 is applied inbound on S0/0/1 of R1.
+ Although host 209.65.200.241 is permitted through the access-list (permit ip host 209.65.200.241 any), clients still cannot ping the web server, because R1 cannot establish a BGP session with neighbor 209.65.200.226: the BGP packets sourced from 209.65.200.226 match no permit entry and are dropped by the implicit deny at the end of edge_security, so R1 never learns the route to the web server.
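To show why the fix works, here is a small Python evaluator written for this page (it is not networktut's code and not the simulator's). It implements Cisco wildcard-mask matching for the extended ACL above and walks a few constructed packets through edge_security before and after adding the permit for the /30; it also shows that an ACL applied inbound on S0/0/1 never sees Client 1's outbound traffic, which is the point several comments below raise about the deny for 10.0.0.0/8. The addresses 209.65.200.224/30, 209.65.200.241 and 10.2.1.3 are from the ticket and its comments; the packet contents and the 10.9.9.9 bogon source are assumptions.

```python
"""Added example (not networktut's and not the simulator's): a small evaluator
for Cisco-style extended ACL entries with wildcard masks. It shows why R1's
inbound edge_security ACL drops the ISP's BGP packets until
'permit ip 209.65.200.224 0.0.0.3 any' is added, while bogon sources stay
blocked and outbound client traffic is never evaluated by an inbound ACL."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip" entries match any IP protocol
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:                       # one access-control entry from a line of IOS config
    text: str
    action: str                  # "permit" or "deny"
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF & ~int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny PROTO SRC DST [eq PORT]'. A line with the protocol
    keyword missing, like the page's original 'deny 127.0.0.0 0.255.255.255 any',
    is rejected on purpose."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"malformed ACE: {line!r}")
    if tokens[1] not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unknown protocol {tokens[1]!r} in ACE: {line!r}")
    src, src_wc, i = _parse_addr(tokens, 2)
    dst, dst_wc, i = _parse_addr(tokens, i)
    dport = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i] == "eq" else None
    return Ace(line.strip(), tokens[0], tokens[1], src, src_wc, dst, dst_wc, dport)

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First-match, top-down; returns (action, text of the matching entry)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, ace.src, ace.src_wc)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of ACL"

def check(acl: List[Ace], pkt: Packet, direction: str = "in") -> str:
    """edge_security is applied 'in' on S0/0/1: only packets arriving from the ISP
    are evaluated; outbound client traffic is forwarded (and NATed) without
    touching this ACL, so 'deny ip 10.0.0.0 0.255.255.255' never hits Client 1."""
    return "permit" if direction == "out" else evaluate(acl, pkt)[0]

# The ticket's ACL, with the 'ip' keyword restored on the 127/8 line.
EDGE_SECURITY = """\
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
"""
FIX = "permit ip 209.65.200.224 0.0.0.3 any\n"

# Constructed sample packets. The first three arrive on S0/0/1 from the ISP.
BGP_FROM_ISP = Packet("209.65.200.226", "209.65.200.225", "tcp", 179)
BOGON_FROM_ISP = Packet("10.9.9.9", "209.65.200.225", "icmp")      # assumed bogon source
WEB_REPLY = Packet("209.65.200.241", "209.65.200.225", "icmp")
CLIENT_PING = Packet("10.2.1.3", "209.65.200.241", "icmp")          # leaves R1 outbound

if __name__ == "__main__":
    for name, acl in (("before fix", parse_acl(EDGE_SECURITY)),
                      ("after fix", parse_acl(EDGE_SECURITY + FIX))):
        print(name)
        for label, pkt in (("BGP from ISP", BGP_FROM_ISP), ("bogon source", BOGON_FROM_ISP),
                           ("web server reply", WEB_REPLY)):
            print(f"  {label:17} -> {evaluate(acl, pkt)}")
        print(f"  {'client ping out':17} -> {check(acl, CLIENT_PING, 'out')} (inbound ACL not consulted)")
```

Before the fix, the BGP packet from 209.65.200.226 falls through to the implicit deny; after the fix it matches the new /30 permit, while a 10.x source from the ISP side is still dropped and the web server's own replies were never the problem.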

Comments (34)
  1. ChillBaba
    August 7th, 2018

    Can anyone tell what is the question/issue/problem of this new sim? If we don't know the issue, how will we be able to identify it or compare it with the answers?

  2. jirehccnp
    August 8th, 2018

    @networktut,

    Could you please not totally remove the old scenario? How could I revise and have a look at those old scenarios? We don't know, maybe the old scenario might appear again, right?

  3. jirehccnp
    August 8th, 2018

    hi all,
    just for sharing.
    old scenario:

    ip access-list standard nat_traffic
    permit 10.1.0.0 0.0.255.255

    it is not permit 10.2.0.0 0.0.255.255, and the ACL ends with an explicit deny,
    so the traffic of 10.2.0.0 could not get through.

  4. Please help me.Please for god sake
    August 8th, 2018

    @Network Tut
    Dear Team,
    My account is going to expire and I have 5 tickets left.
    4, 8, 9, 11 and 17 do not have a problem question. How will I be able to identify it if no question is stated?
    Example:

    Problem: Client 1 is able to ping 209.65.200.226 but can’t ping the Web Server 209.65.200.241.

  5. CCNP switching Exam
    August 8th, 2018

    Hello All,

    I am renewing the CCNP certification.

    Has anyone got those exams lately?

    where do I get the dumps?
    where do I get some T-shooting simulations?

    Thank you.

    Star

  6. jirehccnp
    August 11th, 2018

    @CCNP switching Exam

    sign up for a premium account on networktut, then you will get it

  7. new
    August 15th, 2018

    Hi everyone,

    After we enter the answers, are we required to test for resolution

  8. @new
    August 20th, 2018

    Don't think so; under the tshoot exam we can only find the issues and propose a solution

  9. Igor
    August 27th, 2018

    Hi admin,
    Please change ip address on s0/0/1 from x.x.x.224 to x.x.x.225

  10. Anonymous
    September 1st, 2018

    Hello jirehccnp,

    thank you for the reply. I have signed up with the premium.

    Do you know if the tickets are still valid?

    Regards,

    Star

  11. Anonymous
    September 27th, 2018

    Good catch Igor, i caught the same thing.

  12. ipconfig
    October 2nd, 2018

    Configuration on R1
    interface Serial0/0/1
    description Link to ISP
    ip address 209.65.200.224 255.255.255.252
    ip nat outside
    ip access-group edge_security in

    Is the ip address for R1 s0/0/1 really 209.65.200.224 when you run the show command? Because 209.65.200.224/30 is the network address, maybe the website has a typo.

  13. Anonymous
    October 4th, 2018

    ping 209.65.200.241

    Pinging 209.65.200.241 with 32 bytes of data:

    Reply from 209.65.200.241: bytes=32 time=10ms TTL=122
    Request timed out.
    Reply from 209.65.200.241: bytes=32 time=9ms TTL=122
    Reply from 209.65.200.241: bytes=32 time=13ms TTL=122

    Ping statistics for 209.65.200.241:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 13ms, Average = 10ms

  14. Anonymous
    October 4th, 2018

    ip access-list extended Edge_Security
    permit ip host 209.65.200.241 any
    permit ip host 15.15.15.15 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any

    ip access-list extended Edge_Security
    permit ip host 209.65.200.241 any
    permit ip host 15.15.15.15 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    permit tcp host 209.65.200.226 host 209.65.200.225 eq 179

  15. My exam is next week
    November 16th, 2018

    Is this the answer for this ticket? please clarify

    permit tcp host 209.65.200.226 host 209.65.200.225 eq 179

  16. imare
    November 25th, 2018

    @Networktut

    I see alot of comments about this ticket saying it has changed ? Can you please confirm if the answers for this question is still :

    Ans1) R1
    Ans2) IPv4 Layer 3 Security
    Ans3) Under the ip access-list extended edge-security configuration add the permit ip 209.65.200.224 0.0.0.3 any command

  17. Polaris
    November 30th, 2018

    Guys, a question… If you work with Trouble Tickets… will the system also register what kind of commands you used? Could that also be a factor in how you found out what the issue is?

    For example, if you perform “show run”, will that give you a lower score for a Trouble Ticket? I am a little bit desperate as I received no confirmation whether, if you accidentally do not select an answer, the system takes it as incorrect or unanswered. They only confirmed to me that they see it as correct and that questions were incorrect, however they can’t tell whether the system will take it as unanswered at all… which gives me chills now…

    My other question is whether it’s ok to proceed with the “ping” command only? My troubleshooting method is that I start with “ipconfig”, then I check the IP address and default gateway. Then I try to ping the default gateway and then to ping 10.1.1.1, and from there to ping device by device, closing in on the problem. I still can’t remember if I really failed because of not hitting the “Done” button on the Trouble Ticket section. I simply don’t know and I will go in blind on my second try. Really afraid… any answer to cheer me up somehow will be appreciated. I am simply lost as I followed every piece of advice and took the procedure. Afraid now that I really answered those trouble tickets incorrectly.

  18. Marcus
    January 26th, 2019

    My remarks:
    Wrong IP address on link to ISP. There must be “209.65.200.225” instead of “209.65.200.224”.

    Missed the “ip” keyword in ACL rule for network 127.0.0.0/8.

  19. Max2019
    February 12th, 2019

    Ticket 5, Note:`+ Although host 209.65.200.241 is permitted to go through the access-list (permit ip host 209.65.200.241 any) but clients cannot ping the web server because R1 cannot establish BGP session with neighbor 209.65.200.226.`

    seems not to be correct!

    R1#show ip bgp sum
    209.65.200.226 Neighbor status is Active

    Could you please explain why ‘permit ip 209.65.200.224 0.0.0.3 any’ is making possible to ping web server from the client? Thanks.

  20. ThePunisher
    February 12th, 2019

    @Max2019

    “Could you please explain why ‘permit ip 209.65.200.224 0.0.0.3 any’ is making possible to ping web server from the client? Thanks.”

    Permit on 209.65.200.224 0.0.0.3 will permit the interface with ip 209.65.200.226 to go to R1. This enables BGP neighbor traffic to be accepted and the adjacency to go up.

    As the adjacency goes up, R1 can now learn the route to the server and client 1 can ping :)

  21. Max2019
    February 12th, 2019

    @ThePunisher
    please read all of my text: if you do the command
    R1#show ip bgp sum
    you will see that
    209.65.200.226 Neighbor status is Active
    That means the adjacency already exists; it is not a BGP problem that stops pings from the client

  22. AGuy
    February 14th, 2019

    Active does not mean BGP is established, it just means it is trying. If it was established you should see prefixes learned.
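
One way to check what the last two comments argue about, written as an added example for this page (it is not part of any comment and not networktut's material): parse the neighbour table of `show ip bgp summary` and treat only a numeric State/PfxRcd column as an established session, because IOS prints the prefix count there only once the session is Established and prints the FSM state (Idle, Active, Connect, OpenSent, OpenConfirm, or 'Idle (Admin)') otherwise. Both command outputs are constructed samples; the router ID and AS numbers are assumptions, the neighbour address 209.65.200.226 is the ticket's.

```python
"""Added example (not from networktut or any comment here): parse the neighbour
table of IOS 'show ip bgp summary' and report which sessions are Established.
The State/PfxRcd column is numeric only for an Established session; any other
value is the BGP FSM state of a session that is still not up."""
import re
from typing import Dict, List

# A data row starts with an IPv4 address followed by the BGP version and the AS.
NEIGHBOR_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\d+\s")

# Constructed: what R1 shows while edge_security still drops the ISP's BGP packets.
# Router ID and AS numbers are assumptions, not values from the ticket.
SUMMARY_ACTIVE = """\
BGP router identifier 209.65.200.225, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
209.65.200.226  4        65002       0       0        1    0    0 never    Active
"""

# Constructed: the same neighbour after the /30 is permitted and the session came up.
SUMMARY_UP = """\
BGP router identifier 209.65.200.225, local AS number 65001
BGP table version is 3, main routing table version 3
1 network entries using 140 bytes of memory

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
209.65.200.226  4        65002      12      10        3    0    0 00:05:12        1
"""

def parse_bgp_summary(text: str) -> Dict[str, dict]:
    """Return {neighbor: {"as", "established", "state", "prefixes"}} for each data row."""
    result: Dict[str, dict] = {}
    for line in text.splitlines():
        if not NEIGHBOR_LINE.match(line):
            continue                       # banner, header and blank lines
        fields = line.split()
        # Column order: Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
        tail = " ".join(fields[9:])        # keeps two-word states such as 'Idle (Admin)'
        established = tail.isdigit()
        result[fields[0]] = {
            "as": int(fields[2]),
            "established": established,
            "state": "Established" if established else tail,
            "prefixes": int(tail) if established else None,
        }
    return result

def sessions_not_established(text: str) -> List[str]:
    """Neighbours whose session is not up. A non-empty list means R1 is not
    learning routes from the ISP, whatever the ACL permits for 209.65.200.241."""
    return [n for n, info in parse_bgp_summary(text).items() if not info["established"]]

if __name__ == "__main__":
    for label, text in (("before fix", SUMMARY_ACTIVE), ("after fix", SUMMARY_UP)):
        print(label, parse_bgp_summary(text))
        print("  not established:", sessions_not_established(text))
```

On the first sample the neighbour is reported as not established (state Active, no prefixes); on the second it is established with one prefix received, which is what R1 needs before Client 1's pings to the web server can be routed.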

  23. Hello
    February 15th, 2019

    hi Networktut,

    this is another ticket that has a mismatch between the answer here on the page and what you have in the simulation. They don’t match.

    can you please update to eliminate confusion. Thanks !!!

  24. Question to ALL
    February 17th, 2019

    since the IP NAT statement under Serial0/0/1 got changed to OUT

    shouldn’t the solution for this ticket be changed to follow, so the correct solution should be related to the direction of NAT (ie. IP access-group edge_security “OUT” )

    instead of the permit 0.0.0.3

    ???

    can someone explain this, please?

  25. Anonymous
    February 20th, 2019

    @AGuy and all –
    if the BGP session is established (after the permit on 209.65.200.224 0.0.0.3), my question is how it will be possible to ping (client to web server) with the extended ACL edge security “deny ip 10.0.0.0 0.255.255.255”? This is supposed to have the whole L2 subnet blocked?

  26. Marcus
    February 23rd, 2019

    @Anonymous, this ACL blocks bogon networks from the ISP side, not from our own network where Client 1 is placed. Note, these ACLs are applied on the link to the ISP in the ‘in’ direction. Note well, it’s called EDGE security. It means it protects the enterprise network from OUTSIDE.

  27. Anonymous
    March 8th, 2019

    1811(config)#ip ssh ver
    1811(config)#ip ssh version 2
    Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
    1811(config)#cry
    1811(config)#crypto k
    1811(config)#crypto key ge
    1811(config)#crypto key generate ?
    ec Generate EC keys for ECDSA
    rsa Generate RSA keys

    1811(config)#crypto key generate rsa ?
    encryption Generate a general purpose RSA key pair for signing and
    encryption
    exportable Allow the key to be exported
    general-keys Generate a general purpose RSA key pair for signing and
    encryption
    label Provide a label
    modulus Provide number of modulus bits on the command line
    on create key on specified device.
    redundancy Allow the key to be synced to high-availability peer
    signature Generate a general purpose RSA key pair for signing and
    encryption
    storage Store key on specified device
    usage-keys Generate separate RSA key pairs for signing and encryption

    1811(config)#crypto key generate rsa
    % Please define a domain-name first.
    1811(config)#ip do
    1811(config)#ip domain-n
    1811(config)#ip domain-name ?
    WORD Default domain name
    vrf Specify VRF

    1811(config)#ip domain-name bobsburgers.com
    1811(config)#line
    1811(config)#line vt
    1811(config)#line vty 0 4
    1811(config-line)#tra
    1811(config-line)#transport in
    1811(config-line)#transport input ssh ?
    pad X.3 PAD
    rlogin Unix rlogin protocol
    telnet TCP/IP Telnet protocol
    udptn UDPTN async via UDP protocol

    1811(config-line)#transport input ssh
    1811(config-line)#ssh in correct sequential order

  28. DiegoMendoza
    March 31st, 2019

    @Anonymous When you permit the 209.65.200.224/30 segment, the BGP session will be successful. There is no problem if we deny the 10.0.0.0 0.255.255.255 segment; our host with ip 10.2.1.3 will communicate with 209.65.200.241 through NAT.

  29. DOTTMAN
    September 23rd, 2019

    Hi Guys. If you want to download freedump 300-135 go in my link. Last updated 08/08/2019

    htt ps : //w ww. youtu be. com/watch?v= yzG7EKVVz_0

  30. Eng.CCNP
    November 10th, 2019

    @Networktut:

    Can I use the answer (Ans3) Under the ‘ip access-list extended edge_security’ configuration add the ‘permit ip 209.65.200.224 0.0.0.3 any’ command.) in the exam now?

  31. Westman
    November 12th, 2019

    Hi!
    Is it a simulator mistake that we can’t ping R1’s external interface (209.65.200.225) from Client1?

  32. Anonymous
    November 12th, 2019

    I had my TShoot exam today and failed. It had loads of new questions on it? Does anyone have these?

  33. chris
    November 19th, 2019

    oh man… this is not good… Does anyone have the latest Q’s?

  34. Dmytro
    November 20th, 2019

    Does anyone know question in this ticket?
