Home > Ticket 5 – R1 ACL

Ticket 5 – R1 ACL

May 2nd, 2018 in TSHOOT v2 Go to comments

Configuration on R1
interface Serial0/0/1
description Link to ISP
ip address
ip nat outside
ip access-group edge_security in
ip access-list extended edge_security
deny ip any
deny ip any
deny ip any
deny any
permit ip host any


Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‘ip access-list extended edge_security’ configuration add the ‘permit ip any’ command.

+ This is the only ticket the extended access-list edge_security exists. In other tickets, the access-list 30 is applied to the inbound direction of S0/0/1 of R1.
+ Although host is permitted to go through the access-list (permit ip host any) but clients cannot ping the web server because R1 cannot establish BGP session with neighbor

Comments (30) Comments
Comment pages
1 4 5 6 7 8 14 26
  1. tank
    February 26th, 2013

    It is really not the difficult exam compare to the rest of exam from the CCNP series. I pass it today in the New York and got 1000 and had a plenty time to investigate all configs. Look what bug did I find: in R1 access-list question I was be able to ping from Client 1 and 2 which is completely weird. There was the ACL which blocked everything except, so, it had to be blocked. I am just curious if anybody else saw the same behavior or it is me only.
    Almost forgot – thanks to everybody and especially to networktut.com ! See all of you on the next level! I am CCNP now – I still do not believe )

  2. Bryan
    February 28th, 2013

    Hi Guys passed my exam today with 945 marks, enrhteivg from, P4sure But be carefull there is a BUg in exam as well as P4sure.For TT- Vlan Access map, you have to choose ASW1 in exam to get the correct option & also for TT- port security, shut- no shut is required to get the interfaces up from error disable mood. P4sure gives you wrong solution for these two tickets ..Be carefull Hope it will help you guys, if you require any help just post a comment, will ans that

  3. Mohammad
    March 5th, 2013

    Hi Guys,
    i tried the above solution on gns3 it doesn’t work.

    I am not able to ping R1 from Client.

    R1(config)#access-list 30 permit

    Yes as Anon said R1 can ping Web Server but Client , cannot ping R1.

  4. AndreiX
    April 17th, 2013

    Hello, I passed yesterday (1000/1000)
    Small change to this ticket:
    – access list name was “edge_security” (this ticket was the only one to have this)
    – deny statements for all the internal subnets
    – permit statement for the server IP address
    – applied in the in direction

    Answer is the same:
    add permit

  5. Andres
    April 20th, 2013

    Hi Guys,
    for those who have taken the exam, pleaseeee does this comamds work sh ip bgp summery?

  6. gaveaway200bucks
    April 21st, 2013

    To Andres April 20th, 2013:

    Yes the command works:

    show ip bgp summary

  7. Anonymous
    April 25th, 2013

    Does R1 have a default route?

  8. Dinesh Kumar
    May 6th, 2013

    is Trouble shoot is Multiple choice question like CCNP route and Switch or Purely Lab. we need to do the configuration changes in exam..

  9. Fibrizo
    May 8th, 2013


    In what topology do we need to add this permit statement? Also, in what interface serial, S0/0?

    Please help me , because i got confused and my exam is soon

  10. zouhir
    May 21st, 2013

    can any one explain me the reponse of this lab .

  11. TAMER
    May 24th, 2013

    This case had been modified a little in the exam but the problem or I think the debug in the exam that client A can ping but client B can’t do it although they are in the same VLAN and all other routers and switches can’t ping I think there is something wrong

  12. Mia
    June 2nd, 2013

    to @ Daisy December 21st, 2012

    A1 = R1
    A2 = IPv4 Layer 3 security.
    A3= Under ip access_list extended edge_security configuration add the permit any.

  13. ccnp
    June 29th, 2013

    still is valid
    A1 = R1
    A2 = IPv4 Layer 3 security.
    A3= Under ip access_list extended edge_security configuration add the permit any.

  14. keyakuyakoy
    July 16th, 2013

    still is valid
    A1 = R1
    A2 = IPv4 Layer 3 security.
    A3= Under ip access_list extended edge_security configuration add the permit any.

  15. bgp4+
    September 3rd, 2013

    I don’t think “permit ip any” corrects the problem. Why in the world would you apply an blanket ACL on the upstream link? Even if the BGP session is up you still can’t receive anything but packets originated on ISP router. And the server prefix is still getting dropped.

  16. bob
    September 4th, 2013

    Sorry, but another odd thing I’m seeing about the test. if you are not permitting any the BGP relationship will not form. The only way I could see then that you could still ping the server is if you have a static route on R1 to point at the external serial interface. if you have this, you can still ping the server from anywhere in the network if you have redistributed the static route throughout the network. I guess I would have to see the running config on the exam, but it seems a bit suspect to me.

  17. CeeMax
    September 5th, 2013

    Tks bob ! i understand clearly now :S

  18. @lcisoft
    October 8th, 2013

    Passed today and scored 1000 points. TT valid.

  19. JakyMix
    October 16th, 2013

    I got 1000/1000

  20. Alicia
    November 19th, 2013

    Hi All, Just someone to clear something for me. How will I know if a specific question is related to ASW1, DSW1, R4, R2 or even R1? Or how will I know its Allowed Vlan ticket, Port Security ticket, NAT ACL tickets e.t.c. Thank you all.

  21. Ram
    November 21st, 2013

    I have a question, i gave my exam today and surprisingly all of the questions were just stating Client -1 cant ping .241 server. It was the same in 11 out of the 13 tickets. I am confused as to how do we check once the ticket is solved if we can ping the same or not. The configs on all the routers and switches are correct but in MCQs option is given, so for 11 instances of same Client1-cant ping webserver .241 how do we choose which issue will come ?

    Please help.

  22. DB
    November 22nd, 2013

    Why does R1 have the network if ISP does not advertise it?

    ROutside#sh run | sec router bgp
    router bgp 65002
    no synchronization
    bgp log-neighbor-changes
    network mask
    redistribute connected
    neighbor remote-as 65001
    neighbor soft-reconfiguration inbound
    no auto-summary

    R1#sh run | sec router bgp
    router bgp 65001
    bgp log-neighbor-changes
    network mask
    neighbor remote-as 65002
    no auto-summary


  23. Alicia
    November 26th, 2013

    Hello All, Will “Show run” be enough to figure out all issues in the exam? Yes I mean for all 13Tickets. You advise is appreciatede. I’m writing this Friday. Thank you all in advance.

  24. Abhishek Singh
    November 27th, 2013

    Guys i passed Tshoot exam today with 945 marks.
    All the tickets are same and exam is pretty easy to clear
    Thanks a lot to following:
    GNS Talk videos
    Khattak Strategy pdf
    Bulls Eye Strategy videos
    Tshoot Flow Chart by Naren pdf (https://www.dropbox.com/sh/e6tlz9ryb1lm3o9/npe8jf4SJx)
    The new Tshoot flow chart made things more simpler…

  25. Alicia
    November 29th, 2013

    PASSED today 29/11/2013 A BIG thank you to networktut.com and TSHOOT Strategy by Khattak Document.
    My approach to the exam:
    1. Commands I used for All tickets “Ipconfig”, “Ping” and “show run”
    2. First 15min of the exam “tutorial time” I wrote down all 13Tickets in a list format.
    3. I did IPCONFIG on “Client 1” to confirm if I have 169.x.x.x or 10.x.x.x IP for those tickets
    4. Once divided into two group “169.x and 10.x” I concentrated on the 169.x.x tickets first to identify the issues there “refer to this website”
    5. Then followed by IPv6 and HSRP tickets which are very easy to pick up from the “question line” OR you can actually mark this two tickets down before even doing the IPCONFIG to have 11Tickets to work from.
    6. Name all possible issues relating to each group “169.x and 10.x”
    7. When working with 10.x.x.x “Group” have in mind to PING and PING
    8. Divide another group of tickets which you can Ping both and
    9. Divide another 1 tickets which you can Ping BUT NOT Ping
    10. My over message to everyone “group your tickets and you exam will be easy, easy, easy” keep in mind “Ipconfig”, “Ping” and “show run” that’s all you need, know what you’re looking for in a tickets when its VLAN Filter, Port Security, Switchport Trunk e.t.c
    All the best to everyone and another thing just forget about “IP Helper Address ticket” and “EIGRP Wrong AS No ticket” concentrate only on the 13Tickets.


  26. Brian
    December 1st, 2013


    “redistribute connected” command on ISP Router will do this. If this command wouldn’t exist on the ISP router, there was no way you could be able to reach it unless it advertise under BGP settings as you mentioned.

  27. Khurram
    February 8th, 2014

    I passed today with 1000/1000. no AS and Ip helper address TT. rest of all are same. just Follow Khatak strategy and Get sound practically with gns3 talk.

  28. Anonymous
    April 9th, 2014

    Even if the problem is the BGP the “in” direction with source the same router address looks wrong to me. When the packet from the neighbor comes “in” it has the source of the neighbor. When it goes “out” then the source (exactly like the permit addition) is the interface id. Either the ip addresses should be changed or even better the direction?

  29. Anonymous
    April 9th, 2014

    Oh it has the full network permitted. Still looking at .224 interface ip address with 0.3 wm looks strange.

  30. Said
    April 9th, 2014

    I’m ok with you @Anonumous. I think it is a bug because in normal operation, all packets coming from Server are supposed to pass on the interface Serial0/0/0/1 without restruction

Comment pages
1 4 5 6 7 8 14 26