Ticket 5 – R1 ACL

May 2nd, 2018

Configuration on R1
interface Serial0/0/1
 description Link to ISP
 ip address 209.65.200.225 255.255.255.252
 ip nat outside
 ip access-group edge_security in
!
ip access-list extended edge_security
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip host 209.65.200.241 any
!

Answer:

Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‘ip access-list extended edge_security’ configuration add the ‘permit ip 209.65.200.224 0.0.0.3 any’ command.

Note:
+ This is the only ticket in which the extended access-list edge_security exists. In the other tickets, access-list 30 is applied to the inbound direction of S0/0/1 on R1.
+ Although host 209.65.200.241 is permitted through the access-list (permit ip host 209.65.200.241 any), clients cannot ping the web server because R1 cannot establish a BGP session with neighbor 209.65.200.226: no entry permits packets sourced from 209.65.200.226, so the implicit deny at the end of the list drops them.
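
The following Python sketch is an added example, not part of the original ticket or the router's configuration. It evaluates the edge_security entries (written in full extended-ACL syntax) top-down with first-match and implicit-deny semantics, showing why the ISP peer 209.65.200.226 is dropped before the fix and permitted after Ans3. The function names and the test source 10.1.1.1 are assumptions made for illustration; only the source address is matched because every entry uses destination any.

```python
import ipaddress

# Ticket ACL as shown on the page (every entry has destination "any").
EDGE_SECURITY = """\
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
"""
FIX = "permit ip 209.65.200.224 0.0.0.3 any"  # Ans3 from the page


def parse(acl_text):
    """Turn 'action ip <src> any' lines into (action, base, wildcard, line) tuples."""
    entries = []
    for line in acl_text.strip().splitlines():
        tok = line.split()
        action, rest = tok[0], tok[2:]          # tok[1] is the protocol ("ip")
        if rest[0] == "host":                   # host A.B.C.D == A.B.C.D 0.0.0.0
            base, wild = rest[1], "0.0.0.0"
        else:
            base, wild = rest[0], rest[1]
        entries.append((action, int(ipaddress.IPv4Address(base)),
                        int(ipaddress.IPv4Address(wild)), line.strip()))
    return entries


def evaluate(entries, src):
    """First match wins; a packet matching no entry hits the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for action, base, wild, line in entries:
        care = ~wild & 0xFFFFFFFF               # wildcard 0-bits must match
        if (s & care) == (base & care):
            return action, line
    return "deny", "implicit deny"


def verdicts(acl_text, sources):
    """Map each source address to the action the ACL applies to it."""
    entries = parse(acl_text)
    return {src: evaluate(entries, src)[0] for src in sources}


if __name__ == "__main__":
    # ISP BGP peer, permitted host from the page, constructed RFC 1918 source
    sources = ["209.65.200.226", "209.65.200.241", "10.1.1.1"]
    print("ticket:", verdicts(EDGE_SECURITY, sources))
    print("fixed: ", verdicts(EDGE_SECURITY + FIX + "\n", sources))
```
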

Comments
  1. Alexnader
    January 29th, 2020

    In this ticket, in my lab in Packet Tracer, the command that 9tut says (permit ip host 209.65.200.224 any) in the access list: permit ip host 209.65.200.224 any. With this the ping doesn't work. I did have to put the command permit ip host 209.65.200.224 any, and the ping to the external web server works.

    Details.

    ip access-list standard Nat_Traffic
    permit 10.1.0.0 0.0.255.255
    permit 10.2.0.0 0.0.255.255
    permit 192.168.1.128 0.0.0.31
    ip access-list extended Edge_Security
    permit ip host 209.65.200.241 any
    permit ip host 15.15.15.15 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    permit ip host 209.65.200.224 any – ping doesn't work
    !

    Ping works

    ip access-list standard Nat_Traffic
    permit 10.1.0.0 0.0.255.255
    permit 10.2.0.0 0.0.255.255
    permit 192.168.1.128 0.0.0.31
    ip access-list extended Edge_Security
    permit ip host 209.65.200.241 any
    permit ip host 15.15.15.15 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    permit ip host 209.65.200.224 any
    permit ip host 209.65.200.226 any – ping works

  2. dizdazzled
    February 2nd, 2020

    The solution stated in tut is permit ip 209.65.200.224 0.0.0.3. This will permit the two host addresses 225 and 226, with 227 being the broadcast and 224 being the network address. But your solution of host 226 makes more sense. No need to permit 225 inbound since it is your IP and located on the inside of the network, not the outside. Either solution – yours or tut's – will permit 226 in, which will allow BGP to form a neighbor with the ISP.

  3. sha
    February 5th, 2020

    Can you go forward and backward between the three questions of a ticket?

  5. Gobyre
    February 9th, 2020

    Hi guys. Be very careful with the first answer; the second is based on the first and the third is based on the second.

  6. Rr
    February 22nd, 2020

    Sad I failed