Ticket 5 – R1 ACL

May 2nd, 2018 in TSHOOT v2

Configuration on R1
interface Serial0/0/1
 description Link to ISP
 ip address 209.65.200.224 255.255.255.252
 ip nat outside
 ip access-group edge_security in
!
ip access-list extended edge_security
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip host 209.65.200.241 any
!

Answer:

Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‘ip access-list extended edge_security’ configuration add the ‘permit ip 209.65.200.224 0.0.0.3 any’ command.

Note:
+ This is the only ticket in which the extended access-list edge_security exists. In other tickets, the access-list 30 is applied to the inbound direction of S0/0/1 of R1.
+ Although host 209.65.200.241 is permitted through the access-list (permit ip host 209.65.200.241 any), clients cannot ping the web server because R1 cannot establish a BGP session with neighbor 209.65.200.226. The neighbor's address is not matched by any permit entry, so its packets are dropped by the implicit deny at the end of the ACL.
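
The first-match behaviour behind this ticket, as an added example (not part of the original page or the exam simulation): a small Python model of edge_security showing that packets from the BGP neighbor 209.65.200.226 fall through to the implicit deny until the Ans3 entry is added. It models source matching only, because every entry uses protocol ip and destination any; the 10.2.1.3 source is a constructed sample.

```python
import ipaddress

# The edge_security entries from the ticket, as (action, source, wildcard).
# Every entry on the page matches protocol "ip" and destination "any".
EDGE_SECURITY = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "127.0.0.0", "0.255.255.255"),
    ("permit", "209.65.200.241", "0.0.0.0"),  # "host" is wildcard 0.0.0.0
]
# The entry that Ans3 adds.
FIX = ("permit", "209.65.200.224", "0.0.0.3")


def wildcard_match(src, base, wildcard):
    """True when src equals base on every bit the wildcard does not mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl, src):
    """Return (action, entry index) of the first entry matching src.

    An ACL ends with an implicit "deny ip any any"; a packet that reaches
    it is reported with index None.
    """
    for index, (action, base, wildcard) in enumerate(acl):
        if wildcard_match(src, base, wildcard):
            return action, index
    return "deny", None


def report(acl):
    """Verdict per source for the addresses that matter in this ticket."""
    # Web server, BGP neighbor from the note, and a constructed RFC 1918
    # source that must stay blocked after the fix.
    sources = ["209.65.200.241", "209.65.200.226", "10.2.1.3"]
    return {src: evaluate(acl, src)[0] for src in sources}


if __name__ == "__main__":
    print("before fix:", report(EDGE_SECURITY))
    print("after fix: ", report(EDGE_SECURITY + [FIX]))
```
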

Comments (50)
  1. CCNP-Renew
    May 5th, 2017

    Testing Tshoot in 2 days. Just became a premium member but I am disappointed with the new format. I used Network Tut a couple of years ago when they used the low tech “Read More” link to display full answers, which was way more user friendly.
    These new simulations are a great idea but not really good for a quick study reference.
    If anyone has updated dumps please send to matt.ryder22 at outlook dot com
    Thank you and good luck.

  2. david
    May 23rd, 2017

    I just passed today. Got 1000/1000. Stick only to networktut.com. All the questions in feb. 2017.pdf from tut came out. Pls practice nothing but tut. All still valid

  3. maha
    June 8th, 2017

    @ david
    Please send feb.2017.pdf to my email ( {email not allowed})

  4. Andrea
    June 9th, 2017

    Are there updated CCNP Tshoot?? I will take the exam next Friday

  5. Slillz
    June 29th, 2017

    I’m confused here. How will this work when OSPF is not redistributing BGP into OSPF?

  6. Kelle
    July 12th, 2017

    I am very happy with my results so far! http://www.mgbargen.ch/yellabook/guestbook.php

  7. Saleh
    July 12th, 2017

    @ david

    Please send feb.2017 pdf on salehalkaseri@yahoo dot com

  8. mkzozo
    August 2nd, 2017

    I have cleared the TSHOOT exam today with 925; everything is from this site. Thanks 9TUT. No need to buy some funny dumps

  9. Peter
    August 2nd, 2017

    Passed today with 1000. Ticket valid.

  10. Brozzo
    September 13th, 2017

    Hello, I have noted that in some of the tickets the device and error is supposed to be “abc” and “123”, however, you will observe the same erroneous config as identified in some other ticket.
    My assumption is that any particular ticket should have only one erroneous config and everything else correct, is this the correct position?

  11. Kyi Lwin
    September 19th, 2017

    Plz send me latest dump file into my email kyilwin @ ayabank.com

  12. FureC
    October 19th, 2017

    Hi, I don't see any questions in these tickets (5, 11, 13). Is that the way the problems show up at the exam???

  13. Life
    October 19th, 2017

    Dear,

    Even after putting the ‘permit ip 209.65.200.224 0.0.0.3 any’ command under the ‘ip access-list extended edge_security’ configuration, client 1 cannot ping 209.65.200.241 because of other ACLs. So this answer isn’t correct.

  14. Life
    October 19th, 2017

    I’m so sorry. Checked again, this answer is correct.

  15. Missing network command?
    November 3rd, 2017

    @Networktut:
    On this TT5 noticed another missing network command under router bgp 65001 on R1. Could you pls fix this or advise? Thxs

  16. Anonymous
    November 19th, 2017

    This question was still in the exam today.

  17. Fern
    November 20th, 2017

    Please send me the latest dump PDF file fjsuarez1981 @ yahoo dot com

  18. Anonymous
    November 21st, 2017

    Hi Anonymous,

    Do you remember the 5 drag n drops questions? Please share.

  19. garga
    December 4th, 2017

    New tshoot dumps available {email not allowed}

  20. garga
    December 4th, 2017

    garga @ inbox dot lv

  21. Lemon
    December 5th, 2017

    what is the question in this ticket?

  22. G-unit
    December 12th, 2017

    Most tickets have the same “question” Client 1 cannot reach server at 209.65.200.241
    Just check the config for edge security ACL

  23. AAA
    December 16th, 2017

    If anyone has dumps/drag and drop please forward me. Much appreciated ivanmedena (at) gmail thank you..I plan on giving test next week. Will keep you guys informed.

  24. Anonymous
    December 18th, 2017

    Can anyone help with valid dumps? dumanski (at) gmail Thanks!

  25. Laxmikanth
    December 31st, 2017

    GO for premium membership, it would be sufficient to clear the exam.

  26. jgsodia
    January 2nd, 2018

    I took the exam last 20th Dec and I failed, I retook the exam 28th Dec and I passed. All you need is here, the exam is the same on both occasions

  27. Clap-Back
    January 3rd, 2018

    What @Laxmikanth said.

  28. plop
    January 3rd, 2018

    Where’s the actual question?

  29. Fattah RazzaqghanimughnI
    January 4th, 2018

    I applied these answers, which also work:
    Ans1) R1
    Ans2) Access list
    Ans3) enter to “ip access-list extended Edge_Security”, and then execute command “permit ip host 209.65.200.226”

    However, there will be multiple choice for this question.

  30. Frankie96
    January 4th, 2018

    Hello Networktut.. I don’t understand why R1 is not able to ping its own .225 address. Is this an error in the simulation?

  31. networktut
    January 4th, 2018

    @Frankie96: Yes, it is an error. Thanks for your detection, we have just fixed it!

  32. Anonymous
    January 13th, 2018

    Hi. I am new to Networktut. This simulation does not allow validation of answer before submission. Is that correct?

  33. Spirit
    January 13th, 2018

    Hello, I am only able to perform traces from DSW1 and to only one IP which is the web server 209.65.200.241. When tracing to 209.65.200.225 from DSW1, I get the following error message “We are very sorry but traceroute to 209.65.200.241 is only allow on DSW1” where it is being sourced. Get the same message from all routers. Is this by design? Not able to perform traces from routers is rather strange. Please advise.

  34. Anonymous
    January 15th, 2018

    @Spirit, traceroute to 209.65.200.141 and 209.65.200.225 is the same thing, basically it will take the same path so traceroute to the web server should be good enough for your purpose.

  35. @JR
    January 17th, 2018

    Please send feb.2017 pdf on jamesracevedo@gmail dot com

  36. Anonymous
    January 20th, 2018

    How up to date are the labs?

  37. Arczi
    January 26th, 2018

    Passed.

    No new questions, everything is here. But be careful, tasks are very tricky and all mentioned bugs are there.

  38. asdf
    February 7th, 2018

    @Slillz
    > How will this work when OSPF is not redistributing BGP into OSPF?
    R1 has a static route 0.0.0.0/0. It redistributes to OSPF

  39. Hunter
    February 9th, 2018

    @asdf

    Just remember the answers as given. Don’t waste time thinking too much in the exam as you cannot correct the config in the exam. These answers are all correct.

  40. Sm-New
    February 17th, 2018

    I need to take this exam in a week’s time. Can (network tut) or anyone please answer how we know which question and what answer we need to remember when there is only one question for 13 simlets, that client cannot reach web server etc.?

  41. Anonymous
    February 18th, 2018

    @Sm-New, lol

  42. The_Boss
    February 19th, 2018

    Guys, please advise in the exam

    What are the bugs on this question:
    A) are we able to do a sho run
    B) are we able to do a trace from client 1
    C) is testing from DSW1 fine, if so
    i) will ping work (we should source it from which interface)
    ii) will trace route work (we should source from which interface)
    D) pings from R1/R2, will they work

    Which specific commands should we use to check

  43. 46598dasd
    May 14th, 2018

    2018 Latest Update CCNP Dumps 300-135 100% Valid
    stumbleupon.com/su/1xowyV

  44. CCNP_SOON
    May 17th, 2018

    @Tshoot 18, I know in ticket 5 there are 2 answers, how do you know which one is correct. This is the one with Edge Security?

    R1:Missing command under
    the outside ACL NAT_Traffic
    Add 10.2.0.0 network

    OR

    R1:(T05)WAN ACL
    Missing command under the
    outside edge security ACL
    Add 209.65.200.244 network

  45. Yammer
    May 28th, 2018

    Is this in the exam?

  46. X
    June 6th, 2018

    @ CCNP_SOON

    I think you are right. There might be two variants of this ticket.

    1. The entry ‘permit 10.2.0.0 0.0.255.55’ might be missing in the ACL called ‘nat_traffic’

    or

    2. The entry ‘209.65.200.224 0.0.0.3’ is missing under the ACL configuration called ‘edge_security’. (This ACL may be applied under the interface s 0/0/1 in ‘inbound’ direction and the bgp state is ‘active’. Verify this last with the command “show ip bgp summary”)

    Conclusion:

    If, in the output of the command ‘show ip bgp summary’ on R1, the state is ‘Active’, then
    the solution is in the variant 2.

    If, in the output of the command ‘show ip bgp summary’ on R1, the state is ‘Established’, then
    the solution is in the variant 1.

    You may correct me if I am wrong.

    Thank you.

  47. TicketSolver
    June 6th, 2018

    There can be even a 3rd modification: both s0/0/0 and s0/0/1 are configured as ip nat inside, so s0/0/1 (or any interface pointing to ISP) has to be set to ip nat outside

  48. abc
    July 30th, 2018

    Ticket 5 – R1 ACL
    Client is not able to ping the server. no one can ping the server.
    Problem: on R1 acl blocking ip
    Configuration on R1
    interface Serial0/0/1
     description Link to ISP
     ip address 209.65.200.224 255.255.255.252
     ip nat outside
     ip access-group edge_security in
    !
    ip access-list extended edge_security
     deny ip 10.0.0.0 0.255.255.255 any
     deny ip 172.16.0.0 0.15.255.255 any
     deny ip 192.168.0.0 0.0.255.255 any
     deny ip 127.0.0.0 0.255.255.255 any
     permit ip host 209.65.200.241 any
    !
    Answer: add permit ip 209.65.200.224 0.0.0.3 any command to R1's ACL
    Ans1) R1
    Ans2) IPv4 Layer 3 Security
    Ans3) Under the ip access-list extended edge-security configuration add the permit ip 209.65.200.224 0.0.0.3 any command
    Note:
    + This is the only ticket the extended access-list edge_security exists. In other tickets, the access-list 30 is applied to the inbound direction of S0/0/1 of R1.
    + Although host 209.65.200.241 is permitted to go through the access-list (permit ip host 209.65.200.241 any) but R1 cannot ping the web server because R1 cannot establish BGP session with neighbor 209.65.200.226.

  49. testing soon
    July 31st, 2018

    Will the sim be updated? I guess I’ll be ready for either scenario, but now it still shows the permit 10.2.0.0 0.0.255.255 option as correct, with 209.65.200.224 0.0.0.3 any already in the acl.

  50. JUSTPASSED
    July 31st, 2018

    I have passed one hour ago with 940/1000
    This is what I had in my exam:

    1-Which protocols are supported with MPP? (choose three):
    A.OSPF
    B. HTTP and HTTPS
    C. SSH
    D. FTP
    E. SFTP
    F. SFTP
    I have chosen (B, C, D)
    2-Drag and drop the sequence for configuring SSH in correct order.
    A. ip ssh ver 2
    B. ip domain-name cisco.com
    C. crypto-key generate rsa
    D. line vty 0 4
    E. Transport input ssh
    Transport input telnet (you do not need it, because you need to choose 5 only)
    I have chosen (B,C,A,D,E) In this order

    3-Drag and drop about uRPF strict and loose mode:
    strict mode: (you can only choose two for strict in the exam), I have chosen:
    – used on inside internet router interface
    – Must have the same path back
    Loose mode: (you must choose 3)
    – Must have the source IP in routing table
    – used on outside internet router interface
    I did not choose: Configured on L2 switches, I have the other one (I do not remember)
    4-Which protocol does mGRE use to send packets?
    A. DMVPN
    B. NHRP
    C. OSPF
    D. IPSec
    Chosen B

    5-Which topologies are allowed with p2p GRE over IPsec? (Choose two)
    A. Hub and Spoke
    B. Partial mesh
    C. Point to multipoint
    D. Bus
    E. Star

    I chose A,B
    Output of sh access-list, what can you do to correct SSH?

    6-Extended IP access-list 100
    Deny tcp any any eq 22
    Permit ip any any
    Extended IP access-list 150
    Permit tcp any any eq 23
    Deny tcp any any eq 22
    Permit ip any any
    Extended IP access-list 175
    Permit tcp any any eq 22
    Permit tcp any any eq 23
    Line vty 0 4
    Access-class 100 in
    Transport input ssh
    A. Change access-class 100 in with access-class 150 in
    B. Change transport input ssh with transport input telnet
    C. Change access-class 100 in with access-class 100 out
    D. Change access-class 100 in with access-class 175 in
    I chose D (cause I had 175)
    7-Which keywords can be used with debug condition to filter output? (Choose two)
    A. Username
    B. Interface ID
    C. Port number
    D. Protocol
    E. Packet Size
    I chose: A,B

    8- IPSec mode encrypted with least overhead (something like that)

    I chose: transport

    Ticket are all the same in networktut
    Only one was tricky, you can ping the 10.1.1.1 (this ticket took me 30 minutes), but at last I figured it out.
    The answer:
    R1
    IPNAT
    Under the ip access-list standard nat_trafic configuration enter the add permit ip 209.65.200.224 0.0.0.3 any command to R1‘s ACL

    Sims
    I had both sims;
    HSRP sim: the problem was DHCP (look at the interface, you see dhcp configured on R4 and R5)
    The rest are on networktut ( Same)
    BGP sim: I had the same as here in networktut.
    PLEASE grasp the tickets very well. In the exam you do not know if it is an ipv6 or ipv4 ticket. Just follow the ping chart of networktut,
    I wish you all the best
