
Ticket 5 – R1 ACL

May 2nd, 2018 in TSHOOT v2

Configuration on R1
interface Serial0/0/1
 description Link to ISP
 ip address
 ip nat outside
 ip access-group edge_security in
ip access-list extended edge_security
 deny ip any
 deny ip any
 deny ip any
 deny any
 permit ip host any


Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‘ip access-list extended edge_security’ configuration add the ‘permit ip any’ command.

+ This is the only ticket in which the extended access-list edge_security exists. In other tickets, access-list 30 is applied in the inbound direction on S0/0/1 of R1.
+ Although host is permitted through the access-list (permit ip host any), clients cannot ping the web server because R1 cannot establish a BGP session with neighbor
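
An added illustration (not part of the original post) of why the session fails: a first-match evaluation of edge_security, including the implicit deny that ends every access-list. All addresses are constructed documentation-range placeholders, the denied sources are assumed to be private and loopback ranges, and `evaluate` and `inbound_report` are hypothetical helper names.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not the lab's addresses.
WEB_SERVER = "203.0.113.10"      # hypothetical public web server
ISP_PEER = "198.51.100.2"        # hypothetical ISP end of the serial link
LINK_NET = "198.51.100.0/30"     # hypothetical R1-ISP interconnection subnet

# Every entry has the form "<action> ip <source> any", so only the source matters.
# Assumption: the four denied sources are private and loopback ranges.
EDGE_SECURITY = [
    ("deny", "10.0.0.0/8"),
    ("deny", "172.16.0.0/12"),
    ("deny", "192.168.0.0/16"),
    ("deny", "127.0.0.0/8"),
    ("permit", WEB_SERVER + "/32"),
]
# The ticket's fix: also permit the interconnection subnet.
FIXED = EDGE_SECURITY + [("permit", LINK_NET)]


def evaluate(acl, src):
    """First match wins; anything unmatched hits the implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in ipaddress.ip_network(net):
            return action, f"{action} ip {net} any"
    return "deny", "implicit deny"


def inbound_report(acl):
    """Verdicts for the two inbound flows on S0/0/1 that decide this ticket."""
    flows = {
        "BGP (tcp/179) from ISP peer": ISP_PEER,
        "reply from web server": WEB_SERVER,
    }
    return {name: evaluate(acl, src) for name, src in flows.items()}


if __name__ == "__main__":
    for label, acl in (("original", EDGE_SECURITY), ("fixed", FIXED)):
        for flow, (action, rule) in inbound_report(acl).items():
            print(f"{label:8} {flow:28} -> {action:6} ({rule})")
```

With the original list the web server's own packets are permitted, but the BGP peer falls through to the implicit deny, so the server's prefix is never learned and nothing can reach it.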

Comments (30)
  1. Jim
    April 24th, 2014

    @Anonymouse, it is correct. nothing should be changed.
    when request comes from web server it is not nat translated. cuz webserver has public ip. and it is already allowed in access list. bgp connected interface is not allowed thus failing neighborship and webserver route is not being advertised.

  2. Eray
    May 20th, 2014

    In fact R1 will NOT be able to ping the server in this ticket (as no one else will).
    The ACL doesn’t permit the interconnection subnet between R1 and the ISP router, hence the BGP session cannot establish (sh ip bgp summary will show the session in “active” state (not established)).
    That being the case, the network of the server is not known to any router in the topology.
    Once the ACL permits the interconnection network, the BGP session can establish and propagate the network of the server. The answer is therefore correct.

  3. Client 1 CLI
    May 24th, 2014

    Hey guys cleared tshoot exam today 5/24/2014 **All tickets still valid** There are strategies out there, this is what I used.

    1- Find 4 tickets for R1. ***OBS*** number in parentheses represent ticket’s order on Networktut.com
    -> If can ping the tickets will be:
    – Nat ACL(4),BGP Neighbor (3) R1 ACL (5)
    -> if can’t ping but can ping ticket will be:
    – OSPF Authentication (1)

    2- find the 2 tickets for HSRP TRACK (2) DSW1 and IPV6 OSPF (12) R2

    3- find 4 tickets 3 for ASW1 and 1 for R4
    -> If client get ip 169.x.x.x or no IP address, tickets will be:
    -Switchport vlan 10 (8)
    -Port security (7) int 1/0/1 shutdown in **error disable** .
    -Switchport trunk (9) All in ASW1
    The other ticket will be in R4
    -DHCP Range (13)

    4- find one ticket where client get ip 10.x.x.x but can’t ping default gateway, ticket will be:
    -Vlan filter (6) it will be DSW1 or ASW1 check for option port/acl

    5- 2 tickets where client get 10.x.x.x these two tickets will be:
    -OSPF to EIGRP (11) R4
    -EIGRP Passive Interface (14) R4

    I would advise to become premium member to interact with these tickets.

    Good luck guys!!

  4. Rami2000
    June 7th, 2014

    Thanks networktut, I passed exam today. and all TTs are valid

  5. mchi
    June 23rd, 2014

    I took TShoot exams yesterday:

    Got 1000 scores
    Got 2 Multiple questions, with slight changes in choices but answers posted here hold still.
    Got 1 drag and drop
    Got 13 TTs
    TTs here are all valid.

    Just study CCNP official cert guide to gain confidence and to back you up in case of trouble.

    Thanks to this site and to khatakk for strategy.
    I am now CCNP!

  6. Michi
    August 14th, 2014

    14.8.2014 TT still valid
    Found it because of missing BGP TCP session on R1

  7. CJ
    August 16th, 2014

    All TTs are still VALID! every single one IPs and all
    I DID get the eigrp passive interface ticket!!
    No wrong AS ticket
    1 dd (#2) wording a lil different as stated but same answer
    3 multiple choice- wording for FCAPS question and answers are different. “What are 3 levels of the FCAPS model?” Answ: config, fault, security, accounting, backup I didn’t choose config as 1 of the 3 so I got it wrong
    I would HIGHLY suggest getting premium membership! It’s so worth it. All you need is networktut and khattak strategy to pass. Super big thanks to you both. I’m officially CCNP whoop whoooooop!!!!!

  8. JA Spain
    August 29th, 2014

    Passed today 1000/1000. 3 Multichoice, 1 D&D and 13 labs. All from this site. This TT was the same one. Highly recommended to become premium. TSHOOT_Strategy_by_Khattak, CBT Nuggets and this site is enough.

  9. DHeffernan
    September 2nd, 2014

    So, how does one actually study for this? The Strategy from Khattak is unclear and not very written, hard to understand what he’s trying to get across as the English doesn’t seem proper.

    The 3 sub questions you get, what if you memorized the 3rd answer which seems unique with each TT, could you then not answer subquestion 1 & 2 according to that? Are you able to see & answer the 3rd subquestion prior to answering 1 & 2?

  10. Buddy
    September 3rd, 2014


    Yop, you just got the point, and that’s exactly why you should learn how to master EFFICIENT Network Troubleshooting in GENERAL yourself, by Means of indeed the TSHOOT Book combined with e.g. Packet Tracer Tickets (and/or a Premium membership) provided at this Site!

    By studying & using various more or less correct “Predefined TSHOOT Strategies”, you simply fool yourself, and just work like a “Robot” when solving Tickets @ exam, and you’ll most likely “struggle” when solving IRL Network Problems in general – (having e.g. a skilled Customer in the back of your Shoulder) – because you failed BIG TIME your way of learning “Real Network Troubleshooting” in general – Right Bro!?

    So, pls. consider this, when defining your OWN TSHOOT Study Strategy!!!

    Regarding the 3 sub questions you get at exam, you’ll need to answer these in the right sequence – one by one – in order to get the correct answering options while solving each Ticket @ exam!

    Wish you well @ exam!


  11. GCM Blue
    September 10th, 2014

    Praise d Lord ! I’ve got 945/1000 score today Sep 10, 2014
    Thanks lot Networktut team …. very effective though some questions were confusing but be careful… I used PING & SH RUN commands to check config…. I applied strategy of Khatak & Naren … thanks lot too !
    >>Got 2 MCQ (debug ip packet … & ip tftp instead…); 1 DD & 13 TTs still valid here
    >>No EIGRP wrong AS
    >>No DHCP range
    >>With IP Helper (wrong address @DSW1)

    God bless NETWORKTUT !!!

  12. Wilson
    October 6th, 2014

    I think the IP address “ip address” configured is wrong as 224 is a network address for /30 subnet mask

  13. Mian
    October 12th, 2014

    Dear All
    Successes are from Almighty and the failures are mine
    Passed TSHOOT on 11th Oct 2014 ( UK London )=== 1000/1000.

    Everything on this site including this ticket is valid

    For details about the material used to pass TSHOOT pls see under
    Share your TSHOOT Experience

  14. Aandz
    October 13th, 2014

    This ticket got a bug.
    I tried to ping from client1 to R1-ISP interface and ISP-R1 interface IP, both the ping is success, but when I tried to ping from DSW1 to above interface IP’s it’s not going.
    The statement deny ip any should drop all the packets from client1,dsw1,R4…etc. But client1 ping is success to This will confuse you guyz with the BGP ticket, but carefully checking the R1 will point out the issue.

  15. Bart
    November 5th, 2014

    @wilson, please refresh your subnetting. 224 is not /30. 255-252 = 3(wildcard) aka p2p cidr with usable 2 ips.

  16. slim…
    November 11th, 2014

    passed today.. 9xx.. ccnp certified now.. CCIE next….

  17. Jim
    November 11th, 2014

    passed the exam with a 945. Came across an unusual ticket: on the DSW1, the eigrp process had host addresses for the links and the R4 had a /24 listed in the process. The answers really didn’t have a good solution presented. Other than that, the tickets are still good.

  18. jhonny015
    November 12th, 2014

    Thank God I passed the exam today with 931.
    All tickets are valid !!!
    Prepare to fully understand the scenario of the exam.
    14 tickets as well prepared for the perfect scenario.
    Show the ball examination

  19. Dave
    November 13th, 2014


    You might be a little mixed up, the deny for RFC1918 addresses is to prevent inbound packets with a SOURCE address of those networks, pings from the inside would not hit this acl

    however you should not be able to ping the ISP interface from R1 either since it would hit the drop, yet i could ping it during the lab

  20. Anonymous
    November 15th, 2014


    R1 should be able to ping the ISP interface from to That’s how BGP is formed.

  21. Wilson
    November 25th, 2014

    @Bart i think you need to relearn your subnetting ,as IP address configured in this example is ” ip address″
    Which provides you 64 subnets each with 2 host, is network address is broadcast address and ,,226 are two IP address for IP with /30 subnet mask.

  22. Mike
    November 25th, 2014

    @Network Tut:

    Yop, there seem to be a minor problem with the s0/0/0/1 I/F Configuration on R1 within your description @ top of this page:

    interface Serial0/0/0/1
    description Link to ISP
    ip address
    ip nat outside

    think it should be: “ip address” – Right!?

    Therefore, could you pls take a look on the issue and preferable correct it, if possible!?

    Thank you!

  23. John
    November 26th, 2014

    Hi all

    I’m checking the labs configs, and .. following the comments for each ticket here, I have seen that some labs (on Packet Tracer from file Cisco_PT_6_1_TSHOOT_Package.zip, don’t match with the solution described on each of these tickets .. for example for tickets 5 and 6 … the R1 config for ticket 5 and DSW1 config for ticket 6 are not equal to the associated Packet Tracer config PT 642_832 TSHOOT Ticket 05.pkt and PT 642_832 TSHOOT Ticket 06.pkt …)

    Is there some mistake?

    Am I understanding the labs in a different way?


  24. Buddy
    November 27th, 2014


    Regarding Packet Tracer Ticket Configs (from file: Cisco_PT_6_1_TSHOOT_Package.zip):

    Ticket#5 is configured exactly due to descriptions here @ Net Tut – pls check once more.

    Tickets: #2 / #6 /#11 are faked configurations designed to simulate the similar (real) Tickets as close as possible, because of some Technical limitations within the PT 6.1 release

    Please read IMPORTANT instructions regarding all this within the Packet Tracer “Read Me First” (.zip) file Provided, and within the “Ticket Answers:” Pull Down Menu @ the Bottom Packet Tracer ToolBar (pls click at the small “v”-sign right next to the menu-text there)

    Remaining PT based TSHOOT Tickets here are just fine!

    Thank you.

  25. Whiz
    December 1st, 2014

    I labbed the question as explained; it worked perfectly.

  26. Jack
    December 1st, 2014

    ohh yes – although the IP address for the Serial0/0/0/1 Interface on R1 needs to be: instead of the mentioned:

    (The latter is a Network address covering a range of IP addresses for the subnet instead of just a single host (interface) IP address as needed.

  27. Mina Saba
    December 4th, 2014

    Hello everybody, I examed today and got 986 and I found something very strange related to the ticket of ACL on R1. As Client 1 can ping but R1 and DSW1 can’t ping neither nor 241.
    I doubt on Natting as may on R1 allow to 10.2.x.x and prevent 10.1.x.x but I found the answer not give me this answer and thus I ensured on ACL and may ping from Client 1 is bug on exam

  28. A tech note regarding Packet Tracer 6.1 “show ip bgp xxx” commands:
    December 4th, 2014


    While Troubleshooting TSHOOT Ticket: 3 and 5, within Packet Tracer release 6.1 – pls be aware, that output from the following two commands:

    R1#show ip bgp summ – and:

    R1#show ip bgp neigh

    isn’t 100% correct – (there’s a minor issue in showing the correct “eBGP connection states” within the output for the two PT 6.1 commands in the two tickets)

    The problem has already been reported to the PT R&D Team.

    Because of this, pls use instead:

    R1#show ip route bgp – and:

    R1#show ip bgp

    while troubleshooting TSHOOT Ticket# 3 and 5 within the current Packet Tracer 6.1 release!

    Thank you.


  29. snooper
    December 8th, 2014

    I think, R1 should not be able to ping the web server as well, based on the config…

  30. Mike
    December 9th, 2014


    Here we go:

    Ticket 5 including the ip access-list extended “Edge_Security” ACL Problem on R1:


    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
    Success rate is 0 percent (0/5)


    So Yes! – R1 doesn’t seem to have any IPv4 Connectivity on to the external WEB Server residing within eBGP AS60002 within this Ticket 5, according to the config present !!!
