CCNA Access-List help please 3

[DigitalRick]

I have a rather simple question but I know I blew it on the exam so I am looking to my peers for CLI as to how they would approach this.

You have a subnet with 5 hosts 192.168.1. 1,2,3,4,5

This is connected to a router which is connected to a web server 172.64.18.254 on a different network.
Also the connections are NOT listed as to which is conected to which the router, ie S0/0, FA0/1 etc...I know, I was taken back a bit by this too.

You need to allow host 192.168.1.3 access to this web server but not anyone else in the network. Other users from other networks will need to access this webserver. This must be done in no more than 3 lines.

Any ideas?

 

[dan0923]

hi guys i failed my test by 2 marks i got 847 but the pass marks is 849 i cant belive guys well this is my 2nd time i failed this test. pls need some advice how to study .


peace .

 

[dan0923]

Select the console on Corp1 router

Configuring ACL

Corp1>enable
Corp1#configure terminal

comment: To permit only Host C (192.168.33.3){source addr} to access finance server address (172.22.242.23) {destination addr} on port number 80 (web)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

comment: To deny any source to access finance server address (172.22.242.23) {destination addr} on port number 80 (web)
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

comment: To permit ip protocol from any source to access any destination because of the implicit deny any any statement at the end of ACL.
Corp1(config)#access-list 100 permit ip any any

Applying the ACL on the Interface

comment: Check show ip interface brief command to identify the interface type and number by checking the IP address configured.
Corp1(config)#interface fa 0/1
If the ip address configured already is incorrect as well as the subnet mask. this should be corrected in order ACL to work
type this commands at interface mode :
no ip address 192.x.x.x 255.x.x.x (removes incorrect configured ip address and subnet mask)
Configure Correct IP Address and subnet mask :
ip address 172.22.242.30 255.255.255.240 ( range of address specified going to server is given as 172.22.242.17 - 172.22.242.30 )

comment: Place the ACL to check for packets going outside the interface towards the finance web server.
Corp1(config-if)#ip access-group 100 out

Corp1(config-if)#end

Important: To save your running config to startup before exit.
Corp1#copy running-config startup-config


Verifying the Configuration :

Step1: show ip interface brief command identifies the interface on which to apply access list .

Step2: Click on each host A,B,C & D . Host opens a web browser page , Select address box of the web browser and type the ip address of finance web server(172.22.242.23) to test whether it permits /deny access to the finance web Server .

hope this will help .

 

[comptek]

Dan,

Someone will eventually tell you this but you should start your own thread instead of piggybacking on this one. There said it. But yeah I feel your pain my friend. I took the 2 part ccna and had to take the intro 2x to finally pass. I then took the icnd 2x and failed it. Getting ready to take the icnd again soon, and are pretty good but just a few hiccup's with sims. that close of a score what happend? As far as what to do look over your score sheet and work on those ones that you have a low score on. I know it is easy to say it but for me when I failed the 2nd time (icnd) didnt even bother looking at the score I got so mad I threw away the sheet and just read the sybex book and worked on labs. What are you using to study with?

Rick,

is there any more info? it sounds like an extended acl. I could be way wrong but maybe permit tcp 192.168.1.3 0.0.0.0 172.64.x.x eq 80? Implicit deny should prevent others. Just throwing my 2 cents out. Good luck.


Comptek
A+, Network+

 

[burtsbees]

access-list 101 permit tcp host 192.168.1.3 host 172.64.18.254 eq 80
access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 172.64.18.254 eq 80
access-list 101 permit ip any any

Comptek---the second deny statement is needed to prevent the rest of the 192.168.1.0/24 network from accessing the web server. The last "permit ip any any" statement is needed because all the other networks need to access the web server.
You could deny the 4 hosts that need to be denied, and permit ip any any to allow the rest, but the question wants 3 statements.

Burt

 

[jeter]

This question is very similar to the actual test question on the CCNA exam.... I recertified back in March and seen this..... The only tip I will give is that you better test your programming.... When I tested from the correct pc it worked, I then went to another pc and it failed. I thought okay I got but then I tested the the last pc and all seem to go astray from there...... Just be mindful that the sims are not actual routers as far as testing....

last tip:
permit
deny
permit


Daily Thought:Some people are like slinkies. Not really good for anything but they bring a smile to your face when
pushed down the stairs.


Tek-TIP Member 19,650

 

[DigitalRick]

OMG !! Burt you nailed it !!!

I knew it was something so simple as that. Now I just feel way stupid!!

You got it !! That is EXACTLY how it needs to be done.

Though it is not an extended list as the host will need more access than simply web(80). I believe it is a simple host to host permit. Because it would be a stnadard list this should be applied in the outbound interface of the router port connecting to the web server subnet correct?

Rick

 

[burtsbees]

Yes---outbound on the interface that connects 172.64.18.254. I figured since it is a web server, port 80 was to be denied. I can't remember, but I think Cisco tests will specifically tell you to create a standard/extended list.

Burt

 

[wj7771]

Hi guys, am trying my first attempt this month end, so I will get back to you all. But thanks for the great staff.

 

[david61364]

I have a question about,

access-list 101 permit tcp host 192.168.1.3 host 172.64.18.254 eq 80
access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 172.64.18.254 eq 80
access-list 101 permit ip any any

Would it not be more efficient to apply this to the inbound 192.168.1.0 interface? Since the subnet is denied to a specific tcp host the router wouldn't have to process the extra traffic. Or is there something I am missing? Thanks in advance for any input.

 

[CiscoGuy33]

david61364,

You are correct - however the router will still have to process the traffic whether it is inbound or outbound.

Standard Access Control Lists (ACL) are Cisco IOS-based commands used to filter packets on Cisco routers based on the source IP Address of the packet. Extended Access Control Lists have the ability to filter packets based on source and destination IP addresses.

Since access-list 101 is an extended access list and filters based on source and destination IP addresses, the rule of thumb is to place it as close to the source as possible, standard access lists are placed as close to the destination as possible.

Hope this helps!





E.A. Broda
CCNA, CCDA, CCAI, Network +

 

[thecrow123456]

Digital,
I think I got that question too.
I had a some trouble finding the complete IP of the host.
(remember, all they gave us was the last octet)
I tried
- sh cdp neighbor detail, didn't work
- sh ip int brief wount get me 2 hops away

would you mind sharing with us how you did that.
you sorta skipped over that part in the thread.
thanks.

 

[DigitalRick]

Here use this. I used this when I went in for my exam. I made it to help give me the little push I needed to pass.

http://www.hikeronline.com/ccna_cram

Rick

 

[thecrow123456]

thanks for the link.
but if you wouldn't mind...
how did you find out the first 3 octets of the hosts' ip address?
they were 2 hops away and 'sh cdp neighbor' was disabled.
i think everyone would really like to know.

 

[DigitalRick]

On the question I had the IP addresses were given. Sounds like they changed the question around a bit if I am thinking of the same question. This is the access-list question correct?

Rick

 

[thecrow123456]

yes, we are talking about the acl.
i was just given the last octets.
(.1 .2 .3 .4 .5)

i think i am supposed to apply the acl to the local router (inbound), so I need the first 3 octets.

however, we can only access the remote router by CLI.
sh cdp neighbor detail doesn't work.
sh ip int brief only shows local interfaces.
(next time I think I'll try 'sh ip route')

But...
You guys made mention of applying the acl to the remote router, and even made mention of making it a standard acl. why would you do that? you're looking 4 http traffic. right?

 

[thecrow123456]

Though it is not an extended list as the host will need more access than simply web(80)."

Would you be kind enough to explain this line?

 

[DigitalRick]

Ahh yes, if you look on the top of the page on that question (you have scrol bars) you have to scroll the screen to see the IP addresses. it was 192.168.1.x meaning 1.1, 1.2, 1.3, 1.3 and you had to allow like 1.4 but block all others.
I hate to say it but I think the scroll got ya :-(

Sorry...

Good luck, I hope this helps a bit. Trust me though, the IPs we given in the text of the problem.

Rick

 

[DigitalRick]

On more thing Crow, Burt nailed the code, what he wrote was the EXACT answer.....

access-list 101 permit tcp host 192.168.1.3 host 172.64.18.254 eq 80
access-list 101 deny tcp 192.168.1.0 0.0.0.255 host 172.64.18.254 eq 80
access-list 101 permit ip any any

You then apply it to the inbound ethernet port of the router. (local to the 192.168.1.x subnet)

Good luck !!

Rick

 

[thecrow123456]

You then apply it to the inbound ethernet port of the router. (local to the 192.168.1.x subnet)"

...but to apply it to the inbound ethernet port of the router, means you had to get to the router to begin with.

To begin, the console points to a different router.

Did you telnet the router to do that?
(did they provide you with the IP to the router)
(not me)

(I apologize in advance for the bother.)