
Ticket 5 – R1 ACL

May 2nd, 2018 in TSHOOT v2

Configuration on R1
interface Serial0/0/1
description Link to ISP
ip address 209.65.200.224 255.255.255.252
ip nat outside
ip access-group edge_security in
!
ip access-list extended edge_security
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
!

Answer:

Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‘ip access-list extended edge_security’ configuration, add the ‘permit ip 209.65.200.224 0.0.0.3 any’ command.

Note:
+ This is the only ticket in which the extended access-list edge_security exists. In the other tickets, access-list 30 is applied in the inbound direction on S0/0/1 of R1.
+ Although host 209.65.200.241 is permitted through the access-list (permit ip host 209.65.200.241 any), clients still cannot ping the web server, because R1 cannot establish a BGP session with neighbor 209.65.200.226: the neighbor's packets arrive inbound on S0/0/1 with source 209.65.200.226, match no permit entry, and are dropped by the implicit deny at the end of the list.
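To make the first-match and implicit-deny behaviour behind Ans3 concrete, here is an added Python model of R1's inbound ACL (example code, not from the ticket or this site). It evaluates the ACL exactly as listed above against constructed sample flows, assuming R1's S0/0/1 address is 209.65.200.225 and the ISP neighbor is 209.65.200.226, and shows the BGP neighbor's packets being dropped until the /30 permit is added.

```python
import ipaddress

# Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match.
def wildcard_match(addr, network, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>' as written in the ticket's ACL."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    dst, _ = _take_addr(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst}

def evaluate(acl_lines, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"], line
    return "deny", "implicit deny any"

# The ACL as the ticket shows it on R1 (applied inbound on S0/0/1).
EDGE_SECURITY = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any",
    "permit ip host 209.65.200.241 any",
]
FIX = "permit ip 209.65.200.224 0.0.0.3 any"   # the ticket's Ans3

# Constructed sample flows arriving inbound on R1 S0/0/1 (assumed R1 = .225, ISP = .226).
FLOWS = {
    "BGP from ISP neighbor": ("209.65.200.226", "209.65.200.225"),
    "echo reply from web server": ("209.65.200.241", "209.65.200.225"),
    "spoofed RFC1918 source": ("10.1.1.1", "209.65.200.225"),
}

def decisions(acl):
    """Map each sample flow to the ACL's permit/deny decision."""
    return {name: evaluate(acl, s, d)[0] for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("as configured", EDGE_SECURITY), ("with Ans3 added", EDGE_SECURITY + [FIX])):
        for flow, verdict in decisions(acl).items():
            print(f"{label:16} {flow:28} {verdict}")
```

The anti-spoofing denies for RFC 1918 space keep dropping the constructed 10.1.1.1 source before and after the fix; only the neighbor's /30 traffic changes from implicit deny to permit.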

Comments (50)
  1. Naveed
    September 4th, 2010

    Even R1 would not be able to ping the web server or the ISP (209.65.200.226), since the explicit deny of this ACL will not allow a reply to come back in to R1 (this ACL is applied in the ‘in’ direction) from outside until a permit entry is included in the ACL. This will also cause the BGP neighbor relationship to go down.
    You will see one permit entry for the web server only, which is not enough. You will see the contents of this ACL as below.

    ip access-list extended edge_security
    permit ip host 209.65.200.241 any
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    That’s why an entry of ‘permit 209.65.200.224 0.0.0.3 any’ is required to solve this problem.
    And by the way, the entries for the 10.x.x.x network neither have any effect nor are required in this ACL; they put these in only to confuse the candidates.

  2. Anonymous
    September 4th, 2010

    R4, R3, R2 can not ping 209.65.200.226

  3. Leonardo
    September 7th, 2010

    @Naveed
    Could you please tell me why on the example above it says:

    “Answer: add permit 209.65.200.241 command to R1′s ACL”

    Because then say answer: Ans3) Add permit 209.65.200.224 0.0.0.3 to R1′s ACL

    I’m 100% sure that Ans3) Add permit 209.65.200.224 0.0.0.3 to R1′s ACL is the correct one, but the explanation above can confuse the candidate.

  4. Naveed
    September 8th, 2010

    @Leonardo
    In the above ticket two contradictory answers are mentioned. The correct one is the same one which you mentioned. And yes, right, candidates can be confused because of the two different answers mentioned above.

    @networktut
    Kindly remove this extra line, which is wrong for this TT and also not required, since the correct answer is also mentioned below it: ‘Answer: add permit 209.65.200.241 command to R1′s ACL’

  5. networktut
    September 9th, 2010

    Yes, thanks for your detection, I updated the answer.

  6. Nipun
    September 19th, 2010

    Hello All!!
    Kindly provide the correct answer.
    Your explanations confused me. It seems that the correct answer is “permit 209.65.200.224 0.0.0.3 to R1′s ACL” and it is in the inbound direction of R1 interface s0/0/0/1. Is there any other access-list in the outbound direction of the R1 s0/0/0/1 interface as well?

  7. ki
    September 19th, 2010

    10q for the site. Earlier it helped me with BCMSN. Some comments.
    @Naveed, I think the other denies are for spoofing attacks from outside, so that the external side cannot spoof internal addresses.

  8. KACHY
    September 20th, 2010

    Pls, I would really like to know if the question will appear exactly the same way it is displayed on this site. I mean, how do I know that a particular ticket is related to BGP, EIGRP, OSPF, IPv6 and what have you?

  9. Naveed
    September 24th, 2010

    @Kachy
    You are a CCNP candidate, so don’t expect everything to be a piece of cake. You will receive a single type of question for all tickets and the only way to differentiate among them is the symptoms, which have been discussed on this forum many times. I think we should not expect even more than that.
    regards.

  10. wicked_one
    September 28th, 2010

    Essential for this question is that the ACL results in BGP neighboring failing. For example, it would also work if you just permit “host 209.65.200.226” (the BGP neighbor), but that seems not to be a possible answer to select (but it would be considered a best practice for ACLs to be as specific as possible).

    @Naveed
    The 10.x.x.x statements aren’t required, but do have an effect (not for the lab topology, but for RL). Blocking the private IP ranges of the inside network is recommended to mitigate IP-spoofing attacks.

    So they aren’t there for confusing; in a real-life scenario they would be there for good reason, because R1 would be the gateway to the ISP – practically the whole Internet…

    Taking the exam on Thursday, already being curious how this will look in the exam.

  11. wicked_one
    September 28th, 2010

    Sorry for Spam
    @Kachy – go, do your homework. This is NP, not CCENT… the information on this site should be enough to put the pieces together.

    by the way, great site, thx to the creators and all who share

  12. ZZZ
    September 30th, 2010

    I have not taken the exam yet, so I don’t know exactly how the question sounds.

    My post is based on the assumption that the acl is on the “IN” direction of R1 serial link to the ISP.

    If R1 is performing NAT, then the echo request, no matter if it’s coming directly from R1, or the client, will have a source address of 209.65.200.226 and destination 209.65.200.241. The echo reply will have a source address of 209.65.200.241 and destination 209.65.200.226.

    In the first of Naveed’s posts, it is stated that the access list is an extended one. So by saying “permit ip host 209.65.200.241 any”, you allow traffic from the web server towards 209.65.200.226 (and the client, if the NAT translation works right).

    If the access list is standard, then permit 209.65.200.224/30 won’t do the thing, because it matches the source address, not the destination (and the echo reply has a source address of 209.65.200.241) and because the acl is inbound to the interface.

    Am I missing something here?

  13. wicked_one
    September 30th, 2010

    @ZZZ
    yep, but not your fault, because the description above is incomplete.

    The ACL in the exam denies some 10.x and IIRC the 127.x, but does already permit the web server’s IP – so it’s really just up to permitting the 209.65.200.224/30, because this prevents BGP neighboring from happening.

  14. ZZZ
    September 30th, 2010

    @wicked one

    Thanks for the reply.
    But I have one more thing to add. In the description of the ticket, it is stated that ONLY R1 can ping the web server. How can it ping the server if the BGP session isn’t established and 209.65.200.240/29 is NOT connected (it is announced by the BGP peer)? Does R1 have a static default route towards 209.65.200.226?

  15. leeyoung
    October 1st, 2010

    @naveed
    thx a lot. I want to know, is this the only case about an ACL in the real exam?

  16. RedAnt
    October 4th, 2010

    i got it

    the acl denies the NAT’s inside global IP (209.65.200.225), this is really the reason!
    this is why R1 can ping web_server but others cannot: the IP translated by R1 is being denied.

    how to resolve this problem? use this:
    access-list 30 permit 209.65.200.225 0.0.0.0
    and it is included in 209.65.200.224 0.0.0.3
    so Ans3) Add permit 209.65.200.224 0.0.0.3 to R1′s ACL is right!

    by the way, all the entries of the original acl-list 30 do not work, except the hidden “deny any any”

  17. ZZZ
    October 4th, 2010

    R1 can’t ping the server if the BGP session isn’t established and R1 doesn’t have a default route.

  18. RedAnt
    October 4th, 2010

    @ZZZ

  19. RedAnt
    October 4th, 2010

    @ZZZ

    BGP’s establishment needs a moment, please wait 1 minute. then you’ll find it established while you aren’t typing any key.

    so,it’s not BGP’s problem.

  20. ZZZ
    October 4th, 2010

    @RedANT

    What I meant is that if the line “permit 209.65.200.224 0.0.0.3” is not present, then R1 can’t learn about 209.65.200.240/??, no matter how long you wait.

  21. BlueHorse
    October 4th, 2010

    I just tried this TT in GNS3. If the config on R1 is as follows:

    ip access-list extended edge_security
    permit ip host 209.65.200.241 any
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    Then client 1 will be able to ping web server (209.65.200.241). You don’t need to change anything. You even do not need to add permit ip 209.65.200.224 0.0.0.3 any.

    If the config on R1 is

    ip access-list extended edge_security
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    Then you need to add permit ip host 209.65.200.241 any to R1. Can someone also test this out?

  22. BlueHorse
    October 4th, 2010

    Sorry folks, my bad.
    My GNS3 was not working properly. I tested this TT again and the correct answer is you need to add permit ip 209.65.200.224 0.0.0.3 any in order for Client 1 to ping the web server.

    Just ignore my previous post.

  23. RedAnt
    October 5th, 2010

    @ZZZ
    OH
    you tested it with GNS3; its ACL is in the IN direction by default.
    I used Packet Tracer; its original code is OUT direction.
    their appearances are different.

  24. Naveed
    October 10th, 2010

    @ZZZ
    You are right, and I mentioned the same thing in my very first post above about the failure of the BGP relationship. Let me repeat: if you apply the ACL under discussion in the ‘in’ direction without the ‘permit ip 209.65.200.224 0.0.0.3 any’ entry, it will cause the BGP neighbor relationship to go down. Once this happens, then of course there is no way R1 can reach the web server, no matter that the permit entry for the web server is already there.

    @leeyoung
    Yes.

    @wicked_one
    Yes, right, blocking the private IP ranges of the inside network is recommended against IP-spoofing attacks. Thanks for the addition.

  25. cmnl
    October 11th, 2010

    Are there any symptoms on the exam to differentiate this solution from TT3? Or are the available solutions different on these two tickets?

    The reason I ask is because (unless I’m mistaken) Naveed’s correction to TT3 states that R1 and all others cannot ping the web server, which seems to be the same symptom as on this ticket.

  26. cmnl
    October 11th, 2010

    Nevermind, I think I figured this one out. The difference is whether or not we can ping 209.65.200.226 from R1 (or any other router or client).

    On TT5, clients and routers cannot ping 209.65.200.226 due to the ACL. Anything received by R1 with a source IP in the 209.65.200.226/30 network will be dropped (i.e.: BGP packets, ping responses from .226, etc) due to the ACL’s implicit deny. Adding “permit 209.65.200.224 0.0.0.3 any” to R1’s ACL will now accept traffic sourced from that network, which (eventually) brings up BGP and R1 can then route pings to the web server.

    On TT3, they CAN ping 209.65.200.226 but can’t ping the web server due to the BGP config error.

  27. cmnl
    October 11th, 2010

    *** typo in above post
    “Anything received by R1 with a source IP in the ***209.65.200.224/30*** network will be dropped …”

  28. Nexttest
    October 11th, 2010

    Let’s use TT 5 as an example. What would be the question, and do you have to go into the interface and correct the problem, or would you be able to just respond with the three answers? Just looking for a better idea of the format.

    Problem: on R1 an ACL is blocking IP
    acl something like this:
    deny 10.2.1.0
    deny 10.1.4.0
    deny 10.1.1.0

    Answer: add permit 209.65.200.224 0.0.0.3 command to R1′s ACL

    Ans1) R1
    Ans2) IPv4 Layer3 Security
    Ans3) Add permit 209.65.200.224 0.0.0.3 to R1′s ACL

  29. NetBt
    October 18th, 2010

    On what interface was the access list applied and in what direction?

  30. NP->SP->IE
    October 19th, 2010

    @ Naveed, I took the test with 1K; one thing that confused me is that I was unable to ping up to 209.65.200.226. I totally agree with your comment above. Also, it makes the BGP link go down, which makes people think this is a BGP issue. Actually, it’s not.

  31. NP->SP->IE
    October 19th, 2010

    correction: I was able to ping up to 209.65.200.226, which should not happen

  32. NP->SP->IE
    October 19th, 2010

    @NetBt

    under serial 0/0/0/1, in direction.

  33. Paitanas
    October 20th, 2010

    interface Serial0/1
    ip address 209.65.200.225 255.255.255.252
    ip access-group EDGE_SECURITY in
    ip nat outside

    ip access-list extended EDGE_SECURITY
    permit ip 209.65.200.224 0.0.0.31 any —> this allows the web server to respond to ping and BGP does not fail
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any
    ————————————————————————————————————
    In GNS3

    ip access-list extended EDGE_SECURITY
    permit ip 209.65.200.224 0.0.0.3 any –> BGP session works well but the web server does not respond to ping
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    ————————————————————————————————————–

    ip access-list extended EDGE_SECURITY
    permit ip host 209.65.200.241 any ——> after some time the BGP session fails
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    *Mar 1 02:46:40.927: %BGP-5-ADJCHANGE: neighbor 209.65.200.225 Down BGP Notif

  34. Naveed
    October 26th, 2010

    @NP->SP->IE
    The TSHOOT exam is based on a simulation, not real routers/IOS, so you can expect weird behaviors of the exam lab (sometimes); many people observed and reported the same for their exams. The important thing is to be very clear with the concept, and from an exam perspective it’s good to cross-check every TT with all the symptoms. That’s why I have mentioned more than one symptom for all TTs.

  35. raba
    October 27th, 2010

    as far as I know, if we don’t have the permit access-list entry for 209.65.200.224 0.0.0.3 any, the BGP session will not be up.. is that right?

  36. Naveed
    October 28th, 2010

    @raba…Right.

  37. Donchichi
    October 28th, 2010

    Hey naveed,

    I took the exam recently and I noticed something peculiar about this ticket. All devices could not ping 209.65.200.226, but the CLIENT 1 PC could ping it. Not even R1 could ping it… Any ideas?

  38. Naveed
    October 30th, 2010

    @Donchichi
    Same reason as I mentioned above in my post: the exam is a simulation and not based on actual IOS, so this type of simulation malfunction is possible. I never mentioned this before, but let me tell you that in my exam, in one of the TTs Client 1 was not able to ping Client 2 but Client 2 was perfectly pinging Client 1… more interestingly, Client 2 wasn’t even pinging itself :) . That’s why I am always recommending people to cross-check every TT with multiple symptoms to get a perfect hypothesis about a TT.

  39. cisco guru
    November 5th, 2010

    take it with all this god willing shit, half you lot are cheating Muslims.. read the Koran brother and you will see that the prophet said ” at the point of stealing, cheating the Muslim is no longer a believer”

    you have just become an infidel for the sake of a cert. well done

  40. Naveed
    November 8th, 2010

    @CCIE interested people
    This is an open invitation for people serious about CCIE. You are advised to send an email to the address mentioned below to enroll your willingness. We’ll be utilizing the concept of 1+1 = 11 by putting our minds together to study/practice the right thing. It shouldn’t need a mention for a CCIE candidate, but let me make one thing clear: ‘THERE IS NO SHORTCUT TO CCIE’, so anybody looking for shortcuts, please accept my advance excuse. However, we’ll try to do our best to find out the fastest way and the most effective material for practice/study.
    Kindly enroll your willingness at the following email address. Also, if you have any question, send it to the same address.
    ask_ccie@yahoo.com

    @networktut
    I wish you could have a managed discussion forum for CCIE as you have for CCNP

  41. Bit Confused
    November 16th, 2010

    Without the neighbourship established, how can R1 ping the server?

  42. zizu
    November 23rd, 2010

    @Bit Confused

    It cannot.

  43. Meru
    November 24th, 2010

    so let me get this clear,
    in order for the clients to be able to ping the web server, R1 must have an access list applied to its S0/0/0/1 interface, and that access list must allow traffic coming from the WAN subnet (the 209.65.200.224/30 subnet), correct?

  44. naggi
    December 5th, 2010

    hi guys, somebody help. I am trying to do the demo but there are only 4 TT questions and all related to the L3 topology. plz help, is there more or is this it?
    and how do I know which topology this question is related to? my cordial thanks to you guys

  45. Omar
    December 9th, 2010

    @ NAVEED
    Final Confirmation Please:

    You said that R1 cannot ping the server, but it is said in the TT’s first line: “Except for R1, no one else can ping the server.”

    Is this given fact that R1 can ping the server a statement given in the exam, or found by testing from the router in the exam?

    If it is by testing, is it an error due to the simulated IOS?

    BR
    Omar

  46. uddika
    December 10th, 2010

    @ Naveed,

    tested this with GNS3.
    since the cause of the problem was that the BGP neighborship wasn’t establishing, I simply added this line under “edge_security”

    R1(config-ext-nacl)#permit ip host 209.65.200.226 host 209.65.200.225

    everything worked well.

  47. uddika
    December 10th, 2010

    @ Naveed,

    so the final config looks like…

    R1#
    R1#show run | b access-list
    ip access-list extended edge_security
    permit ip host 209.65.200.241 any
    deny ip 10.2.1.0 0.0.0.255 any
    deny ip 10.1.4.0 0.0.0.255 any
    deny ip 10.1.1.0 0.0.0.255 any
    deny ip host 127.0.0.1 any
    permit ip host 209.65.200.226 host 209.65.200.225
    !

    this specifically allows the remote AS 65002 BGP neighbor to communicate with R1 at AS 65001. This will be sufficient for the necessary BGP advertisement to arrive at our network, for Client_1 to access the web server.

  48. Omar
    December 15th, 2010

    @ uddika

    is the command “permit ip host 209.65.200.226 host 209.65.200.225” one of the available choices in the exam?

  49. matrix
    December 16th, 2010

    @ Omar

    I think that option is not available; that is why we have to add permit ip 209.65.200.224 0.0.0.3 any under the ACL.

    Otherwise the above solution, or just permit ip host 209.65.200.226 any, will do….

    thanks all for good explanation…..

  50. Naveed
    December 16th, 2010

    @Omar
    Nothing is given in the exam; everything you have to test. R1 cannot ping the server in this TT and the reason is explained well in the above posts.

    @uddika
    Yes, this entry ‘permit ip host 209.65.200.226 host 209.65.200.225’ is also a correct solution, but since it is not available as an option to select in the exam, adding the entry ‘permit ip 209.65.200.224 0.0.0.3 any’ is the correct available option.
