Ranet ACL needs to be clarified


16 replies to this topic

#1 kamui

Posted 03 April 2011 - 10:19 AM

Hi All,

I'm actually practicing my CCNA with the Ranet packet labs you can find below:
Part 1: Basic Networking

- 1-1 Basic Configuration http://www.ranet.co.th/packetlab/ccna/NA-1-1-BasicConfig.pka
- 1-2 IPv4 Addressing http://www.ranet.co.th/packetlab/ccna/NA-1-2-IPv4addressing.pka
- 1-3 IPv6 Addressing http://www.ranet.co.th/packetlab/ccna/NA-1-3-IPv6addressing.pka

Part 2: LAN Technology

- 2-1 InterVLAN Routing http://www.ranet.co.th/packetlab/ccna/NA-2-1-InterVLAN.pka
- 2-2 VTP http://www.ranet.co.th/packetlab/ccna/NA-2-2-VTP.pka
- 2-3 STP http://www.ranet.co.th/packetlab/ccna/NA-2-3-STP.pka

Part 3: WAN Technology

- 3-1 PPP - PAP http://www.ranet.co.th/packetlab/ccna/NA-3-1-PPP-PAP.pka
- 3-2 PPP - CHAP http://www.ranet.co.th/packetlab/ccna/NA-3-2-PPP-CHAP.pka
- 3-3 Frame Relay - Multipoint http://www.ranet.co.th/packetlab/ccna/NA-3-3-FR-Multipoint.pka
- 3-4 Frame Relay - Point-to-Point http://www.ranet.co.th/packetlab/ccna/NA-3-4-FR-P2P.pka

Part 4: IP Routing and Services

- 4-1 Static and Default Route http://www.ranet.co.th/packetlab/ccna/NA-4-1-Static-Default-Route.pka
- 4-2 RIP http://www.ranet.co.th/packetlab/ccna/NA-4-2-RIP.pka
- 4-3 OSPF http://www.ranet.co.th/packetlab/ccna/NA-4-3-OSPF.pka
- 4-4 EIGRP http://www.ranet.co.th/packetlab/ccna/NA-4-4-EIGRP.pka
- 4-5 Port Security http://www.ranet.co.th/packetlab/ccna/NA-4-5-PortSecurity.pka
- 4-6 Access Control List http://www.ranet.co.th/packetlab/ccna/NA-4-6-AccessList.pka
- 4-7 NAT http://www.ranet.co.th/packetlab/ccna/NA-4-7-NAT.pka
- 4-8 VPN-IPsec http://www.ranet.co.th/packetlab/ccna/NA-4-8-VPN.pka
- 4-9 DHCP http://www.ranet.co.th/packetlab/ccna/NA-4-9-DHCP.pka

Answers to these labs: http://rapidshare.com/files/346115082/Answer-LAB-Packet-CCNA-Ranet-New050210.zip

Credits: http://www.ranet.co.th/articlesi.php?id=012

Subnet calculator: http://www.ranet.co.th/IPsubnet01-eng.php

I have an issue understanding this 4-6 Access Control List answer:


Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23 => Can someone clarify this please?
Ranet-HQ(config)#access-list 100 deny tcp host 172.22.3.53 any eq 80
Ranet-HQ(config)#access-list 100 permit ip any any


#2 xallax

Posted 03 April 2011 - 08:35 PM

I would've said

access-list 100 deny tcp 172.22.3.53 0.0.0.1 host 172.22.3.90 eq 23

#3 kamui

Posted 03 April 2011 - 09:55 PM

If you read step 5, "allow only admin host can access to RanetCoreSw via telnet", and in your ACL you deny only one host, User Host 1.

I don't understand why 172.22.3.52? On this ACL: Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23

#4 xallax

Posted 04 April 2011 - 08:18 AM

Well, "allow only someone" means "block everybody else", right?
You block the other hosts from the 172.22.3.48 /27 network except the admin host.

Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23
This blocks 172.22.3.52, .53, .54 and .55 from accessing 172.22.3.90 on the telnet port (23).


Ranet-HQ(config)#access-list 100 deny tcp host 172.22.3.53 any eq 80
This blocks host 172.22.3.53 from accessing any other host on the http port (80).


Ranet-HQ(config)#access-list 100 permit ip any any
This allows all the other hosts that don't match the above criteria (either from the first range or the host at .53) to go past the router to other networks.

#5 kamui

Posted 04 April 2011 - 12:10 PM

Thanks, but it's still confusing :unsure: 172.22.3.52 0.0.0.3 => 172.22.3.52/30?? Is it a network or a host range?

Normally 172.22.3.50/27 belongs to network 172.22.3.32 with a mask of 255.255.255.224? So you've done some VLSM to reach 172.22.3.52/30; can you be more precise please, and where does 172.22.3.48 /27 come from?? Thanks.

Edited by kamui, 04 April 2011 - 12:12 PM.


#6 xallax

Posted 04 April 2011 - 01:51 PM

Oops, my bad, it's the .32 network :)
0.0.0.3 is the wildcard.

As I said in my first reply, I would've used the 0.0.0.1 wildcard.

Quote

Thanks, but it's still confusing 172.22.3.52 0.0.0.3 => 172.22.3.52/30?? Is it a network or a host range?
It's the host range; there would be no logical reason to block the subnet address IP or the broadcast IP, would there?

#7 tasnimkido

Posted 04 April 2011 - 06:15 PM

Quote

Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23 => Can someone clarify this please?
Ranet-HQ(config)#access-list 100 deny tcp host 172.22.3.53 any eq 80
Ranet-HQ(config)#access-list 100 permit ip any any


What is your question, mate?

If it is about the ACL above, then it's denying TCP traffic from the host with IP number 172.22.3.52 to the host with IP number 172.22.3.90, eq = equal to TCP port (23).

access-list 100 deny tcp host 172.22.3.53 any eq 80 = is to deny TCP traffic to host 172.22.3.53 equal to HTTP or WWW; the (80) is the HTTP port number, or the internet.

Regards,

Edited by tasnimkido, 04 April 2011 - 06:19 PM.


#8 kamui

Posted 04 April 2011 - 10:25 PM

We can also do it like this; it seems simpler to understand?

access-list 100 permit tcp host 172.22.3.50 host 172.22.3.90 eq 23
access-list 100 deny tcp any host 172.22.3.90 eq 23
access-list 100 deny tcp host 172.22.3.57 any eq 80
access-list 100 permit ip any any

#9 kamui

Posted 04 April 2011 - 11:41 PM

If you read step 5, "allow only admin host can access to RanetCoreSw via telnet" a.

I don't understand why 172.22.3.52? On this ACL: Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23


Can we also do it like this?

access-list 100 permit tcp host 172.22.3.50 host 172.22.3.90 eq 23
access-list 100 deny tcp any host 172.22.3.90 eq 23
access-list 100 deny tcp host 172.22.3.57 any eq 80
access-list 100 permit ip any any

Edited by kamui, 04 April 2011 - 11:42 PM.


#10 xallax

Posted 05 April 2011 - 03:47 PM

OK... first things first: permit only host 172.22.3.50 to access the vty lines, deny access for anyone else.
On Ranet-CoreSW we create this access-list:
access-list 1 permit host 172.22.3.50
We go into telnet/ssh line configuration mode:
line vty 0 4
access-class 1 in


The second thing to do is deny host 172.22.3.53 from accessing any webpages (the protocol is http by default, port number 80).
On Ranet-HQ we create this access-list:
access-list 100 deny tcp host 172.22.3.53 any eq 80
access-list 100 permit ip any any
We then configure the interface that connects to the ISP router (ISP-GW in the picture). Let's assume it's interface s0/0/0:
interface s0/0/0
ip access-group 100 out


I chose to set the access-list on the exiting interface because there could be intranet webpages that host has to access.

#11 xallax

Posted 05 April 2011 - 03:59 PM

Please read my reply on this issue under CCNA LABS.

#12 xallax

Posted 06 April 2011 - 03:37 AM

kamui, on 04 April 2011 - 10:25 PM, said:

access-list 100 permit tcp host 172.22.3.50 host 172.22.3.90 eq 23
access-list 100 deny tcp any host 172.22.3.90 eq 23
access-list 100 deny tcp host 172.22.3.57 any eq 80
access-list 100 permit ip any any

Yes, you are right, this is the solution.
And you apply this list to the LAN interface of the router. I didn't read the part that said to only use access-list 100 earlier.

Edited by xallax, 06 April 2011 - 03:37 AM.


#13 kamui

Posted 06 April 2011 - 09:18 PM

Hi xallax,

I finally figured out my confusion, thanks to Lamlee's wildcard calculation method.

Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23 => Can someone clarify this please?
Ranet-HQ(config)#access-list 100 deny tcp host 172.22.3.53 any eq 80
Ranet-HQ(config)#access-list 100 permit ip any any


I now know why they use 172.22.3.52 with this wildcard mask 0.0.0.3. You want to allow only host 172.22.3.50 to telnet to the core switch and block the other hosts .53 and .54, so that means you need to block two hosts, .53 to .54, so you need to use an IP range with a block size of 4.

172.22.3.0
172.22.3.4
172.22.3.8
172.22.3.--
--.--.--.--
172.22.3.48
172.22.3.52 <= interesting range
172.22.3.56

.52 belongs to an IP block of size four, that is, the range of hosts .52 to .55, so that matches our requirement: permit host .50 and block .54 and .53. So this access list is good: access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23

That's it, much appreciated for your answer xallax.
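Added example (not from the thread, and not Ranet's material): a small Python first-match ACL evaluator that shows which addresses a base/wildcard pair such as 172.22.3.52 0.0.0.3 covers (the point of posts #4, #6 and #13), and compares the answer-key list from post #1 with the reordered list from post #8 on a few constructed flows. The Ace type, the function names and the sample flows are my own; the protocol field is omitted since every flow here is TCP.

```python
import ipaddress
from typing import NamedTuple, Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit is 'don't care', a 0 bit must equal the base bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must match the base
    return (a & care) == (b & care)

def covered_hosts(base: str, wildcard: str) -> list:
    """Every address in base's /24 that the base/wildcard pair matches."""
    net = ipaddress.ip_network(base + "/24", strict=False)
    return [str(h) for h in net if wildcard_match(str(h), base, wildcard)]

class Ace(NamedTuple):              # one access-list entry (constructed helper type)
    action: str                     # "permit" or "deny"
    src: str                        # base address or "any"
    src_wc: str                     # wildcard; "0.0.0.0" means a single host
    dst: str
    dst_wc: str
    port: Optional[int]             # destination TCP port for "eq", None if absent

def _addr_ok(addr: str, base: str, wc: str) -> bool:
    return base == "any" or wildcard_match(addr, base, wc)

def evaluate(acl, src: str, dst: str, port: int) -> str:
    """First matching entry wins; an unmatched flow hits the implicit deny."""
    for ace in acl:
        if (_addr_ok(src, ace.src, ace.src_wc) and _addr_ok(dst, ace.dst, ace.dst_wc)
                and (ace.port is None or ace.port == port)):
            return ace.action
    return "deny"

HOST = "0.0.0.0"
# Answer-key list quoted in post #1.
RANET_ACL = [
    Ace("deny", "172.22.3.52", "0.0.0.3", "172.22.3.90", HOST, 23),
    Ace("deny", "172.22.3.53", HOST, "any", HOST, 80),
    Ace("permit", "any", HOST, "any", HOST, None),
]
# Reordered list proposed in post #8 (permit the admin host first, then deny the rest).
ALT_ACL = [
    Ace("permit", "172.22.3.50", HOST, "172.22.3.90", HOST, 23),
    Ace("deny", "any", HOST, "172.22.3.90", HOST, 23),
    Ace("deny", "172.22.3.57", HOST, "any", HOST, 80),
    Ace("permit", "any", HOST, "any", HOST, None),
]
```

Running the two lists over flows to 172.22.3.90 port 23 shows they agree for .50 (permit) and .53/.54 (deny) but differ for a source outside .52-.55 such as .56, which the answer-key list permits and the reordered list denies.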

Sorry if there is a bit of confusion in this thread now. I merged the Topic opened at two different places for the same discussion. You will manage to carry on.

Edited by harry817, 07 April 2011 - 06:29 AM.
Duplicate Topics merged




