
Ticket 5 – R1 ACL

May 2nd, 2018 in TSHOOT v2

Configuration on R1
interface Serial0/0/1
 description Link to ISP
 ip address 209.65.200.225 255.255.255.252
 ip nat outside
 ip access-group edge_security in
!
ip access-list extended edge_security
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip host 209.65.200.241 any
!

Answer:

Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‘ip access-list extended edge_security’ configuration add the ‘permit ip 209.65.200.224 0.0.0.3 any’ command.

Note:
+ This is the only ticket in which the extended access-list edge_security exists. In the other tickets, access-list 30 is applied inbound on S0/0/1 of R1.
+ Although host 209.65.200.241 is permitted through the access-list (permit ip host 209.65.200.241 any), clients still cannot ping the web server, because R1 cannot establish the BGP session with neighbor 209.65.200.226. The list is applied inbound on S0/0/1 and no entry matches packets sourced from 209.65.200.226, so the neighbor's BGP packets are dropped by the implicit deny at the end of the list. Adding permit ip 209.65.200.224 0.0.0.3 any covers the whole /30 between R1 and the ISP.
+ To confirm on R1: show ip interface Serial0/0/1 shows "Inbound access list is edge_security"; show ip access-lists edge_security shows per-entry match counters (packets dropped by the implicit deny are not counted, so the BGP traffic leaves no trace there); show ip bgp summary shows the neighbor stuck in Active or Idle instead of a prefix count.
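As an added illustration (not part of the ticket or of the networktut page), the following Python script models how IOS evaluates an extended ACL: top-down, first match wins, Cisco wildcard masks, implicit deny at the end. It runs the ticket's edge_security list and the fixed list over a few constructed inbound packets on S0/0/1. R1's own address (209.65.200.225, the NAT inside-global address the thread refers to) and the outside host 198.51.100.7 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not from the ticket or the networktut page): a minimal
# model of how IOS evaluates an extended ACL applied inbound on R1 S0/0/1.
# Entries are checked top-down, first match wins, and an unmatched packet
# hits the implicit "deny ip any any" at the end of the list.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str


@dataclass
class Packet:
    proto: str    # "tcp" / "icmp"
    src: str
    dst: str


def parse_ace(line: str) -> Ace:
    """Parse 'permit ip host A any' / 'deny ip A WILDCARD any' style entries."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take(r: List[str]) -> Tuple[str, str, List[str]]:
        if r[0] == "any":
            return "0.0.0.0", "255.255.255.255", r[1:]
        if r[0] == "host":
            return r[1], "0.0.0.0", r[2:]
        return r[0], r[1], r[2:]

    src, src_wc, rest = take(rest)
    dst, dst_wc, rest = take(rest)
    return Ace(action, proto, src, src_wc, dst, dst_wc)


def evaluate(acl_lines: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, matching entry); the entry is None for the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace.proto not in ("ip", pkt.proto):
            continue
        if wildcard_match(pkt.src, ace.src, ace.src_wc) and \
           wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            return ace.action, line
    return "deny", None


# The edge_security list exactly as shown in the ticket.
TICKET_ACL = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any",
    "permit ip host 209.65.200.241 any",
]

# The ticket's fix: permit the R1-ISP /30 so the BGP neighbor can reach R1.
FIXED_ACL = TICKET_ACL + ["permit ip 209.65.200.224 0.0.0.3 any"]

# Constructed inbound packets on S0/0/1. R1's address is assumed to be
# 209.65.200.225 (the NAT inside-global address the thread refers to) and
# 198.51.100.7 is an arbitrary documentation-range Internet host.
SAMPLE_INBOUND: Dict[str, Packet] = {
    "bgp-from-isp":   Packet("tcp",  "209.65.200.226", "209.65.200.225"),
    "echo-reply-web": Packet("icmp", "209.65.200.241", "209.65.200.225"),
    "spoofed-10":     Packet("tcp",  "10.1.1.1",       "209.65.200.225"),
    "spoofed-lo":     Packet("tcp",  "127.0.0.1",      "209.65.200.225"),
    "other-internet": Packet("tcp",  "198.51.100.7",   "209.65.200.225"),
}


def verdicts(acl_lines: List[str]) -> Dict[str, str]:
    """Map each sample packet name to permit/deny under the given ACL."""
    return {name: evaluate(acl_lines, pkt)[0] for name, pkt in SAMPLE_INBOUND.items()}


if __name__ == "__main__":
    for label, acl in (("ticket", TICKET_ACL), ("fixed", FIXED_ACL)):
        for name, pkt in SAMPLE_INBOUND.items():
            action, hit = evaluate(acl, pkt)
            print(f"{label:6} {name:15} {action:6} <- {hit or 'implicit deny ip any any'}")
```

The run shows why the symptoms look like a BGP problem: with the ticket's list, the neighbor's TCP packets from 209.65.200.226 match nothing and fall to the implicit deny, while the web server's own replies are already permitted. After the fix, the /30 is permitted but spoofed RFC 1918 and loopback sources, and any other outside host, are still dropped, so the anti-spoofing intent of the deny lines is preserved.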

Comments (30)
  1. Naveed
    September 4th, 2010

    Even R1 would not be able to ping the web server or the ISP (209.65.200.226), since the explicit deny of this ACL will not allow a reply to come back in to R1 from outside (this ACL is applied in the ‘in’ direction) until a permit entry is included in the ACL. This will also cause the BGP neighbor relationship to go down.
    You will see one permit entry for the web server only, which is not enough. You will see the contents of this ACL as below.

    ip access-list extended edge_security
    permit ip host 209.65.200.241 any
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    That’s why an entry of ‘permit 209.65.200.224 0.0.0.3 any’ is required to solve this problem.
    And by the way, the entries for the 10.x.x.x networks neither have any effect nor are required in this ACL; they put them in only to confuse the candidates.

  2. Anonymous
    September 4th, 2010

    R4, R3, R2 can not ping 209.65.200.226

  3. Leonardo
    September 7th, 2010

    @Naveed
    Could you please tell me why on the example above it says:

    “Answer: add permit 209.65.200.241 command to R1′s ACL”

    Because then it says: Ans3) Add permit 209.65.200.224 0.0.0.3 to R1’s ACL

    I’m 100% sure that Ans3) Add permit 209.65.200.224 0.0.0.3 to R1’s ACL is the correct one, but the explanation above can confuse the candidate.

  4. Naveed
    September 8th, 2010

    @Leonardo
    In the above ticket, two contradictory answers are mentioned. The correct one is the same one you mentioned. And yes, candidates can be confused because of the two different answers mentioned above.

    @networktut
    Kindly remove this extra line, which is wrong for this TT and also not required, since the correct answer is also mentioned below it: ‘Answer: add permit 209.65.200.241 command to R1’s ACL’

  5. networktut
    September 9th, 2010

    Yes, thanks for your detection; I updated the answer.

  6. Nipun
    September 19th, 2010

    Hello All!!
    Kindly provide the correct answer.
    Your explanations confused me. It seems that the correct answer is “permit 209.65.200.224 0.0.0.3 to R1’s ACL” and it is in the inbound direction of R1 interface s0/0/1. Is there any other access-list in the outbound direction of R1’s s0/0/1 interface as well?

  7. ki
    September 19th, 2010

    Thank you for the site. Earlier it helped me with BCMSN. Some comments.
    @Naveed, I think the other denies are for spoofing attacks from outside, so that external hosts cannot spoof internal addresses.

  8. KACHY
    September 20th, 2010

    Please, I would really like to know if the question will appear exactly the same way it is displayed on this site. I mean, how do I know that a particular ticket is related to BGP, EIGRP, OSPF, IPv6 and whatnot?

  9. Naveed
    September 24th, 2010

    @Kachy
    You are a CCNP candidate, so don’t expect everything to be a piece of cake. You will receive a single type of question for all tickets, and the only way to differentiate among them is the symptoms, which have been discussed on this forum many times. I think we should not expect any more than that.
    regards.

  10. wicked_one
    September 28th, 2010

    Essential for this question is that the ACL causes BGP neighboring to fail. For example, it would also work if you just permitted “host 209.65.200.226” (the BGP neighbor), but that does not seem to be a possible answer to select (it would be considered a best practice for ACLs to be as specific as possible).

    @Naveed
    The 10.x.x.x statements aren’t required, but they do have an effect (not for the lab topology, but in real life). Blocking the private IP ranges of the inside network is recommended to mitigate IP spoofing attacks.

    So they aren’t there to confuse; in a real-life scenario they would be there for good reason, because R1 would be the gateway to the ISP, practically the whole Internet…

    Taking the exam on Thursday, already curious how this will look in the exam.

  11. wicked_one
    September 28th, 2010

    Sorry for the spam.
    @Kachy, go do your homework. This is NP, not CCENT… the information on this site should be enough to put the pieces together.

    By the way, great site; thanks to the creators and all who share.

  12. ZZZ
    September 30th, 2010

    I have not taken the exam yet, so I don’t know exactly how the question sounds.

    My post is based on the assumption that the acl is on the “IN” direction of R1 serial link to the ISP.

    If R1 is performing NAT, then the echo request, no matter if it’s coming directly from R1, or the client, will have a source address of 209.65.200.226 and destination 209.65.200.241. The echo reply will have a source address of 209.65.200.241 and destination 209.65.200.226.

    In the first of Naveed’s posts, it is stated that the access list is an extended one. So by saying “permit ip host 209.65.200.241 any”, you allow traffic from the web server towards 209.65.200.226 (and the client, if the NAT translation works right).

    If the access list is standard, then permit 209.65.200.224/30 won’t do the thing, because it matches the source address, not the destination (and the echo reply has a source address of 209.65.200.241) and because the acl is inbound to the interface.

    Am I missing something here ?

  13. wicked_one
    September 30th, 2010

    @ZZZ
    Yep, but not your fault, because the description above is incomplete.

    The ACL in the exam denies some 10.x and, IIRC, the 127.x, but it does already permit the web server’s IP, so it’s really just up to permitting 209.65.200.224/30, because this prevents BGP neighboring from happening.

  14. ZZZ
    September 30th, 2010

    @wicked one

    Thanks for the reply.
    But I have one more thing to add. In the description of the ticket, it is stated that ONLY R1 can ping the web server. How can it ping the server if the BGP session isn’t established and 209.65.200.240/29 is NOT connected (it is announced by the BGP peer)? Does R1 have a static default route towards 209.65.200.226?

  15. leeyoung
    October 1st, 2010

    @naveed
    Thanks a lot. I want to know: is this the only case about an ACL in the real exam?

  16. RedAnt
    October 4th, 2010

    I got it.

    The ACL denies the NAT inside global IP (209.65.200.225); this is the real reason!
    This is why R1 can ping the web server but the others cannot: the IPs translated by R1 are being denied.

    How to resolve this problem? Use this:
    access-list 30 permit 209.65.200.225 0.0.0.0
    and it is included in 209.65.200.224 0.0.0.3,
    so Ans3) Add permit 209.65.200.224 0.0.0.3 to R1’s ACL is right!

    By the way, none of the entries of the original access-list 30 do anything, except the hidden “deny any any”.

  17. ZZZ
    October 4th, 2010

    R1 can’t ping the server if the BGP session isn’t established and R1 doesn’t have a default route.

  18. RedAnt
    October 4th, 2010

    @ZZZ

  19. RedAnt
    October 4th, 2010

    @ZZZ

    BGP’s establishment needs a moment; please wait 1 minute. Then you’ll find it established while you don’t type any key.

    So it’s not BGP’s problem.

  20. ZZZ
    October 4th, 2010

    @RedANT

    What I meant is that if the line “permit 209.65.200.224 0.0.0.3” is not present, then R1 can’t learn about 209.65.200.240/??, no matter how long you wait.

  21. BlueHorse
    October 4th, 2010

    I just tried this TT in GNS3. If the config on R1 is as follows:

    ip access-list extended edge_security
    permit ip host 209.65.200.241 any
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    Then client 1 will be able to ping web server (209.65.200.241). You don’t need to change anything. You even do not need to add permit ip 209.65.200.224 0.0.0.3 any.

    If the config on R1 is

    ip access-list extended edge_security
    deny ip 10.2.0.0 0.0.255.255 any
    deny ip 10.1.0.0 0.0.255.255 any
    deny ip host 127.0.0.1 any

    Then you need to add permit ip host 209.65.200.241 any to R1. Can someone also test this out.

  22. BlueHorse
    October 4th, 2010

    Sorry folks. my bad.
    My GNS3 was not working properly. I tested this TT again and the correct answer is you need to add permit ip 209.65.200.224 0.0.0.3 any in order for Client 1 to ping the web server.

    Just ignore my previous post.

  23. RedAnt
    October 5th, 2010

    @ZZZ
    OH
    You tested it in GNS3; its ACL is in the IN direction by default.
    I used Packet Tracer; its original code is in the OUT direction.
    Their appearances are different.

  24. Naveed
    October 10th, 2010

    @ZZZ
    You are right, and I mentioned the same thing in my very first post above about the failure of the BGP relationship. Let me repeat: if you apply the ACL under discussion in the ‘in’ direction without the ‘permit ip 209.65.200.224 0.0.0.3 any’ entry, it will cause the BGP neighbor relationship to go down. Once this happens, there is of course no way R1 can reach the web server, no matter that a permit entry for the web server is already there.

    @leeyoung
    Yes.

    @wicked_one
    Yes, right: blocking the private IP ranges of the inside network is recommended to mitigate IP spoofing attacks. Thanks for the addition.

  25. cmnl
    October 11th, 2010

    Are there any symptoms on the exam to differentiate this solution from TT3? Or are the available solutions different on these two tickets?

    The reason I ask is because (unless I’m mistaken) Naveed’s correction to TT3 states that R1 and all others cannot ping the web server, which seems to be the same symptom as on this ticket.

  26. cmnl
    October 11th, 2010

    Nevermind, I think I figured this one out. The difference is whether or not we can ping 209.65.200.226 from R1 (or any other router or client).

    On TT5, clients and routers cannot ping 209.65.200.226 due to the ACL. Anything received by R1 with a source IP in the 209.65.200.226/30 network will be dropped (i.e.: BGP packets, ping responses from .226, etc) due to the ACL’s implicit deny. Adding “permit 209.65.200.224 0.0.0.3 any” to R1’s ACL will now accept traffic sourced from that network, which (eventually) brings up BGP and R1 can then route pings to the web server.

    On TT3, they CAN ping 209.65.200.226 but can’t ping the web server due to the BGP config error.

  27. cmnl
    October 11th, 2010

    *** typo in above post
    “Anything received by R1 with a source IP in the ***209.65.200.224/30*** network will be dropped …”

  28. Nexttest
    October 11th, 2010

    Let’s use TT 5 as an example. What would the question be, and do you have to go into the interface and correct the problem, or would you be able to just respond with the three answers? Just looking for a better idea of the format.

    Problem:on R1 acl blocking ip
    acl something like this:
    deny 10.2.1.0
    deny 10.1.4.0
    deny 10.1.1.0

    Answer: add permit 209.65.200.224 0.0.0.3 command to R1′s ACL

    Ans1) R1
    Ans2) IPv4 Layer3 Security
    Ans3) Add permit 209.65.200.224 0.0.0.3 to R1′s ACL

  29. NetBt
    October 18th, 2010

    On what interface the access list was applied and in what direction ?

  30. NP->SP->IE
    October 19th, 2010

    @Naveen, I took the test with 1K; one thing that confused me is that I was unable to ping up to 209.65.200.226. I totally agree with your comment above. Also, it makes the BGP link go down, which makes people think this is a BGP issue. Actually, it’s not.
