
Ticket 5 – R1 ACL

May 2nd, 2018 in TSHOOT v2

Configuration on R1
interface Serial0/0/1
description Link to ISP
ip address
ip nat outside
ip access-group edge_security in
ip access-list extended edge_security
deny ip any
deny ip any
deny ip any
deny any
permit ip host any


Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‘ip access-list extended edge_security’ configuration add the ‘permit ip any’ command.

+ This is the only ticket in which the extended access-list edge_security exists. In the other tickets, access-list 30 is applied in the inbound direction on S0/0/1 of R1.
+ Although host is permitted by the access-list (permit ip host any), the clients still cannot ping the web server, because R1 cannot establish a BGP session with its neighbor
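As an added illustration (not part of the original ticket or networktut's material) of why the lone web-server permit is not enough: a small first-match evaluator for Cisco extended ACEs, run against packets arriving inbound on S0/0/1. Every address, the 10.x/127.x deny ranges and the ISP-side /24 are constructed placeholders, since the ticket page does not show the real values.

```python
import ipaddress

# Constructed placeholder addresses (the ticket page does not show the real ones).
ISP_NEIGHBOR = "192.0.2.1"    # BGP peer at the far end of S0/0/1
R1_OUTSIDE = "192.0.2.2"      # R1's S0/0/1 address, also the NAT inside global address
WEB_SERVER = "203.0.113.10"   # the web server the clients try to ping

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A wildcard') and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # 'A.B.C.D wildcard': ipaddress accepts a Cisco wildcard (hostmask) after the slash
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst>' into (action, proto, src_net, dst_net)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src_net = _parse_addr(rest)
    dst_net = _parse_addr(rest)
    return action, proto, src_net, dst_net

def evaluate(acl_lines, proto, src, dst):
    """Cisco first-match evaluation, ending in the implicit 'deny ip any any'."""
    for line in acl_lines:
        action, aproto, snet, dnet = parse_ace(line)
        if aproto in ("ip", proto) and ipaddress.ip_address(src) in snet \
                and ipaddress.ip_address(dst) in dnet:
            return action
    return "deny"  # nothing matched: implicit deny

# Ticket-style ACL: anti-spoofing denies plus the lone web-server permit (assumed ranges).
BROKEN_ACL = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any",
    f"permit ip host {WEB_SERVER} any",
]
# The ticket's fix: a permit covering the ISP-side network, so BGP from the peer gets in.
FIXED_ACL = BROKEN_ACL + ["permit ip 192.0.2.0 0.0.0.255 any"]

def inbound_verdicts(acl):
    """Verdicts for three packets arriving on S0/0/1 in the 'in' direction."""
    return {
        "bgp_from_isp": evaluate(acl, "tcp", ISP_NEIGHBOR, R1_OUTSIDE),
        "echo_reply_from_web": evaluate(acl, "icmp", WEB_SERVER, R1_OUTSIDE),
        "spoofed_inside_src": evaluate(acl, "ip", "10.1.1.5", R1_OUTSIDE),
    }
```

With BROKEN_ACL the web-server reply is permitted but the BGP packet from the peer falls through to the implicit deny, so the session never forms and the permitted reply never arrives; FIXED_ACL admits the peer while still dropping the spoofed 10.x source.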

Comments (30)
  1. Naveed
    September 4th, 2010

    Even R1 would not be able to ping the web server or ISP, since the explicit deny of this ACL will not allow a reply to come back into R1 from outside (because this ACL is applied in the ‘in’ direction) until a permit entry is included in the ACL. This will also cause the BGP neighbor relationship to go down.
    You will see one permit entry for the web server only, which is not enough. You will see the contents of this ACL as below.

    ip access-list extended edge_security
    permit ip host any
    deny ip any
    deny ip any
    deny ip host any

    That’s why an entry of ‘permit any’ is required to solve this problem.
    And by the way, the entries for the 10.x.x.x network neither have any effect nor are required in this ACL; they put these there only to confuse the candidates.

  2. Anonymous
    September 4th, 2010

    R4, R3, R2 cannot ping

  3. Leonardo
    September 7th, 2010

    Could you please tell me why on the example above it says:

    “Answer: add permit command to R1′s ACL”

    Because it then says answer: Ans3) Add permit to R1′s ACL

    I’m 100% sure that Ans3) Add permit to R1′s ACL is the correct one; but the explanation above can confuse the candidate..

  4. Naveed
    September 8th, 2010

    In the above ticket, two contradictory answers are mentioned. The correct one is the same one which you mentioned. And yes, right, candidates can be confused because of the two different answers mentioned above.

    Kindly remove this extra line, which is wrong for this TT and also not required, since the correct answer is also mentioned below it: ‘Answer: add permit command to R1′s ACL’

  5. networktut
    September 9th, 2010

    Yes, thanks for your detection, I updated the answer.

  6. Nipun
    September 19th, 2010

    Hello All!!
    Kindly provide the correct answer.
    Your explanations confused me. It seems that the correct answer is “permit to R1′s ACL” and it is in the inbound direction of R1 interface s0/0/0/1. Is there any other access-list in the outbound direction of R1 s0/0/0/1 interface as well?

  7. ki
    September 19th, 2010

    10q for the site. Earlier it helped me with BCMSN. Some comments.
    @Naveed, I think the other denies are for spoofing attacks from external, so that the external cannot spoof internal addresses.

  8. KACHY
    September 20th, 2010


  9. Naveed
    September 24th, 2010

    You are a CCNP candidate, so don’t expect everything to be a piece of cake. You will receive a single type of question for all tickets and the only way to differentiate among those is the symptoms, which have been discussed on this forum many times. I think we should not expect even more than that.

  10. wicked_one
    September 28th, 2010

    Essential for this Question is that the ACL causes BGP neighboring to fail. For example, it would also work if you just permit “host” (the BGP neighbor), but that seems not to be a possible Answer to select. (It would, however, be considered a Best Practice for ACLs to be as specific as possible.)

    The 10.x.x.x statements aren´t required, but they do have an effect (not for the LAB Topology, but for RL). Blocking the private IP-Ranges of the Inside Network is recommended to mitigate IP-Spoofing Attacks.

    So they aren´t there for confusion; in a Real Life Scenario they would be there for good reason, because R1 would be the Gateway to the ISP – practically the whole Internet…

    Taking the Exam on Thursday, already curious how this will look in the Exam

  11. wicked_one
    September 28th, 2010

    Sorry for Spam
    @Kachy – go, do your homework. This is NP, not CCENT… the information on this site should be enough to put the pieces together

    by the way, great site, thx to the creators and all who share

  12. ZZZ
    September 30th, 2010

    I have not taken the exam yet, so I don’t know exactly how the question sounds.

    My post is based on the assumption that the acl is on the “IN” direction of R1 serial link to the ISP.

    If R1 is performing NAT, then the echo request, no matter if it’s coming directly from R1, or the client, will have a source address of and destination The echo reply will have a source address of and destination

    In the first of Naveed’s posts, it is stated that the access list is an extended one. So by saying “permit ip host any”, you allow traffic from the web server towards (and the client, if the NAT translation works right).

    If the access list is standard, then permit won’t do the thing, because it matches the source address, not the destination (and the echo reply has a source address of ) and because the acl is inbound to the interface.

    Am I missing something here ?

  13. wicked_one
    September 30th, 2010

    yep, but not your Fault, because the description above is incomplete.

    The ACL in the Exam denies some 10.x and IIRC the 127.x , but does already permit the webservers IP – so it´s really just up to permit the because this prevents BGP neighboring to happen.

  14. ZZZ
    September 30th, 2010

    @wicked one

    Thanks for the reply.
    But I have one more thing to add. In the description of the ticket, it is stated that ONLY R1 can ping the webserver. How can it ping the server if the BGP session isn’t established and is NOT connected (it is announced by the BGP peer)? Does R1 have a static default route towards ?

  15. leeyoung
    October 1st, 2010

    thx a lot. i wanna know: is it only this case about acl in the real exam?

  16. RedAnt
    October 4th, 2010

    i got it

    the acl denies the nat’s inside global ip (, this is the real reason!
    this is why R1 can ping web_server but others cannot; the ip translated by R1 is being denied.

    how to resolve this problem? use this :
    access-list 30 permit
    and is included by
    so Ans3) Add permit to R1′s ACL is right!

    by the way, all the entries of the original acl-list 30 do not work, except the hidden ”deny any any”

  17. ZZZ
    October 4th, 2010

    R1 can’t ping the server if the BGP session isn’t established and R1 doesn’t have a default route.

  18. RedAnt
    October 4th, 2010


  19. RedAnt
    October 4th, 2010


    BGP’s establishment needs a moment, please wait 1 minute. Then you’ll find it established while you don’t type any key.

    so,it’s not BGP’s problem.

  20. ZZZ
    October 4th, 2010


    What I meant is that if the line “permit” is not present, then R1 can’t learn about , no matter how long you wait.

  21. BlueHorse
    October 4th, 2010

    I just tried this TT in GNS3. If the config on R1 is as follows:

    ip access-list extended edge_security
    permit ip host any
    deny ip any
    deny ip any
    deny ip host any

    Then client 1 will be able to ping web server ( You don’t need to change anything. You even do not need to add permit ip any.

    If the config on R1 is

    ip access-list extended edge_security
    deny ip any
    deny ip any
    deny ip host any

    Then you need to add permit ip host any to R1. Can someone also test this out.

  22. BlueHorse
    October 4th, 2010

    Sorry folks. my bad.
    My GNS3 was not working properly. I tested this TT again and the correct answer is you need to add permit ip any in order for Client 1 to ping the web server.

    Just ignore my previous post.

  23. RedAnt
    October 5th, 2010

    you tested it with GNS3; its acl is in the IN direction by default.
    i used packet tracer; its original code is in the OUT direction.
    their appearances are different.

  24. Naveed
    October 10th, 2010

    You are right, and it is the same thing I mentioned in my very first post above about the failure of the BGP relationship. Let me repeat: if you apply the ACL under discussion in the ‘in’ direction without a ‘permit ip any’ entry, it will cause the BGP neighbor relationship to go down. Once this happens, of course there is no way R1 can reach the Web Server, no matter that the permit entry for the web server is already there.


    Yes, right, blocking the private IP-Ranges of the inside network is recommended against IP-Spoofing attacks. Thanks for the addition.

  25. cmnl
    October 11th, 2010

    Are there any symptoms on the exam to differentiate this solution from TT3? Or are the available solutions different on these two tickets?

    The reason I ask is because (unless I’m mistaken) Naveed’s correction to TT3 states that R1 and all others cannot ping the web server, which seems to be the same symptom as on this ticket.

  26. cmnl
    October 11th, 2010

    Nevermind, I think I figured this one out. The difference is whether or not we can ping from R1 (or any other router or client).

    On TT5, clients and routers cannot ping due to the ACL. Anything received by R1 with a source IP in the network will be dropped (i.e.: BGP packets, ping responses from .226, etc) due to the ACL’s implicit deny. Adding “permit any” to R1’s ACL will now accept traffic sourced from that network, which (eventually) brings up BGP and R1 can then route pings to the web server.

    On TT3, they CAN ping but can’t ping the web server due to the BGP config error.

  27. cmnl
    October 11th, 2010

    *** typo in above post
    “Anything received by R1 with a source IP in the ****** network will be dropped …”

  28. Nexttest
    October 11th, 2010

    Let’s use TT 5 as an example. What would be the question, and do you have to go into the interface and correct the problem, or would you be able to just respond with the three answers? Just looking for a better idea of the format.

    Problem:on R1 acl blocking ip
    acl something like this:

    Answer: add permit command to R1′s ACL

    Ans1) R1
    Ans2) IPv4 Layer3 Security
    Ans3) Add permit to R1′s ACL

  29. NetBt
    October 18th, 2010

    On what interface the access list was applied and in what direction ?

  30. NP->SP->IE
    October 19th, 2010

    @ Naveen, I took the test with 1K; one thing that confused me is that I was unable to ping up to . I totally agree with your comment above. Also, it makes the BGP link go down, which makes people think this is a BGP issue. Actually, it’s not.
