kamui

Ranet ACL need to be clarify

Recommended Posts

Hi All,

I'm actually practicing my CCNA with the Ranet packet lab you can find below:

Part 1: Basic Networking

- 1-1 Basic Configuration
- 1-2 IPv4 Addressing
- 1-3 IPv6 Addressing

Part 2: LAN Technology

- 2-1 InterVLAN Routing
- 2-2 VTP
- 2-3 STP

Part 3: WAN Technology

- 3-1 PPP - PAP
- 3-2 PPP - CHAP
- 3-3 Frame Relay - Multipoint
- 3-4 Frame Relay - Point-to-Point

Part 4: IP Routing and Services

- 4-1 Static and Default Route
- 4-2 RIP
- 4-3 OSPF
- 4-4 EIGRP
- 4-5 Port Security
- 4-6 Access Control List
- 4-7 NAT
- 4-8 VPN-IPsec
- 4-9 DHCP

Answers of these Labs: http://rapidshare.com/files/346115082/Answer-LAB-Packet-CCNA-Ranet-New050210.zip

Credits:

subnet calculator:

I have an issue understanding this 4-6 Access Control List response:

Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23 => Can someone clarify this please?

Ranet-HQ(config)#access-list 100 deny tcp host 172.22.3.53 any eq 80

Ranet-HQ(config)#access-list 100 permit ip any any

I would've said

access-list 100 deny tcp 172.22.3.53 0.0.0.1 host 172.22.3.90 eq 23

If you read step 5, "allow only admin host can access to RanetCoreSw via telnet", and on your ACL you deny only one host, User Host 1.

I don't understand why 172.22.3.52? On this ACL: Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23

Well, "allow only someone" means "block everybody else", right?

You block the other hosts from the 172.22.3.48 /27 network except the admin host.

Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23

This blocks 172.22.3.52, .53, .54 and .55 from accessing 172.22.3.90 on the telnet port (23).

Ranet-HQ(config)#access-list 100 deny tcp host 172.22.3.53 any eq 80

This blocks host 172.22.3.53 from accessing any other host on the http port (80).

Ranet-HQ(config)#access-list 100 permit ip any any

This allows all the other hosts that don't match the above criteria (either being in the first range or being the host at .53) to pass through the router to other networks.

Thanks, but it's still confusing.

Normally 172.22.3.50/27 belongs to network 172.22.3.32 with mask 255.255.255.224? So you've done some VLSM to reach 172.22.3.52/30; can you be more precise please, and where does 172.22.3.48 /27 come from? Thanks.

Edited by kamui

Oops, my bad, it's the .32 network.

As I said in my first reply, I would've used the 0.0.0.1 wildcard.

Thanks, but it's still confusing: 172.22.3.52 0.0.0.3 => 172.22.3.52/30?? Is it a network or a host range?

It's the host range; there would be no logical reason to block the subnet address IP or the broadcast IP, would there?

Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23 => Can someone clarify this please?

Ranet-HQ(config)#access-list 100 deny tcp host 172.22.3.53 any eq 80

Ranet-HQ(config)#access-list 100 permit ip any any

What is your question mate?

If it is about the ACL above, then it's denying TCP traffic from the host with IP number 172.22.3.52 to the host with IP number 172.22.3.90, eq = equal to TCP port (23).

#access-list 100 deny tcp host 172.22.3.53 any eq 80 = is to deny TCP traffic to host 172.22.3.53 equal to HTTP or WWW; the (80) is the HTTP port number, or the internet.

Regards,

Edited by tasnimkido

We can also do it like that; it seems simpler to understand?

access-list 100 permit tcp host 172.22.3.50 host 172.22.3.90 eq 23

access-list 100 deny tcp any host 172.22.3.90 eq 23

access-list 100 deny tcp host 172.22.3.57 any eq 80

access-list 100 permit ip any any

If you read step 5, "allow only admin host can access to RanetCoreSw via telnet" a.

I don't understand why 172.22.3.52? On this ACL: Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23

We can also do it like this?

access-list 100 permit tcp host 172.22.3.50 host 172.22.3.90 eq 23

access-list 100 deny tcp any host 172.22.3.90 eq 23

access-list 100 deny tcp host 172.22.3.57 any eq 80

access-list 100 permit ip any any

Edited by kamui

Ok... first things first: permit only host 172.22.3.50 to access the vty lines, deny access for anyone else.

On Ranet-CoreSW we create this access-list:

We go to telnet/ssh configuration mode:

Second thing to do is denying host 172.22.3.53 from accessing any webpages (protocol is http by default, port number is 80).

On Ranet-HQ we create this access-list:

We then configure the interface that connects to the ISP router (ISP-GW in the picture). Let's assume it's interface s0/0/0.

I chose to set the access-list on the exiting interface because there could be intranet webpages that host has to access.

access-list 100 permit tcp host 172.22.3.50 host 172.22.3.90 eq 23

access-list 100 deny tcp any host 172.22.3.90 eq 23

access-list 100 deny tcp host 172.22.3.57 any eq 80

access-list 100 permit ip any any

Yes, you are right, this is the solution.

And you apply this list to the LAN interface of the router. I didn't read the part that said only use access-list 100 earlier.

Edited by xallax
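To make the two lists in this thread comparable, here is a small evaluator written as an added example (it is not from the Ranet lab or from any poster). It models the three things that decide an IOS extended ACL verdict: rules are tried top-down, the first match wins, and a packet that matches nothing hits the implicit deny at the end. The ACL lines are the ones quoted above; the packets and the web server address 203.0.113.10 are constructed for the demonstration.

```python
import ipaddress

# Added example, not from the lab or any poster. Models first-match ACL
# evaluation with an implicit deny; packets below are constructed.

def wildcard_match(addr, base, wildcard):
    """True if addr matches base/wildcard; a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_address(tokens):
    """Consume one address spec from the token list: 'any', 'host X' or 'X WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))

def parse_rule(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]'; a leading prompt is ignored."""
    tokens = line.split("#", 1)[-1].split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = parse_address(rest)
    dst = parse_address(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def rule_matches(rule, pkt):
    """Protocol ('ip' covers everything), both addresses and the optional port must all match."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *rule["src"]):
        return False
    if not wildcard_match(pkt["dst"], *rule["dst"]):
        return False
    return rule["dport"] is None or rule["dport"] == pkt["dport"]

def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt: first matching rule wins, otherwise implicit deny."""
    for line in acl_lines:
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"

# The answer quoted for lab 4-6 at the top of the thread.
ORIGINAL_ACL = [
    "Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23",
    "Ranet-HQ(config)#access-list 100 deny tcp host 172.22.3.53 any eq 80",
    "Ranet-HQ(config)#access-list 100 permit ip any any",
]

# The permit-first alternative proposed later in the thread.
ALTERNATE_ACL = [
    "access-list 100 permit tcp host 172.22.3.50 host 172.22.3.90 eq 23",
    "access-list 100 deny tcp any host 172.22.3.90 eq 23",
    "access-list 100 deny tcp host 172.22.3.57 any eq 80",
    "access-list 100 permit ip any any",
]

def telnet_to_core(src, acl):
    """Verdict for a telnet (tcp/23) attempt from src to Ranet-CoreSW at 172.22.3.90."""
    return evaluate(acl, {"proto": "tcp", "src": src, "dst": "172.22.3.90", "dport": 23})

def web_from(src, acl, dst="203.0.113.10"):
    """Verdict for an HTTP (tcp/80) request from src to dst (constructed web server address)."""
    return evaluate(acl, {"proto": "tcp", "src": src, "dst": dst, "dport": 80})

if __name__ == "__main__":
    for host in ("172.22.3.50", "172.22.3.53", "172.22.3.54", "172.22.3.56"):
        print(host, "telnet -> original:", telnet_to_core(host, ORIGINAL_ACL),
              "| alternate:", telnet_to_core(host, ALTERNATE_ACL))
```

Running it shows the practical difference: the original list only denies the four addresses .52 to .55 from telnet, so a host such as .56 still reaches the switch, while the permit-first list lets only .50 through. Swapping the first two lines of the alternate list makes .50 hit the deny first, which is the ordering point that matters when editing an ACL.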

Hi xallax,

I finally figured out my confusion, thanks to Lamlee's wildcard calculation method.

Ranet-HQ(config)#access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23 => Can someone clarify this please?

Ranet-HQ(config)#access-list 100 deny tcp host 172.22.3.53 any eq 80

Ranet-HQ(config)#access-list 100 permit ip any any

I now know why they use 172.22.3.52 with this wildcard mask 0.0.0.3. You want to allow only host 172.22.3.50 to telnet to the core switch and block the other hosts .53 and .54, so that means you need to block two hosts, .53 to .54, so you need to use an IP range with a block size of 4.

172.22.3.0
172.22.3.4
172.22.3.8
172.22.3.--
--.--.--.--
172.22.3.48
172.22.3.52 <= interesting range
172.22.3.56

.52 belongs to an IP block of size four, that is the range of hosts .52 to .55, so that matches our requirement: permit host .50 and block .54 and .53. So this access list is good: access-list 100 deny tcp 172.22.3.52 0.0.0.3 host 172.22.3.90 eq 23

That's it, much appreciated for your answer xallax.
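The block-size reasoning in the post above can be done mechanically. The following is an added example (not the lab's material, not any poster's code, and not Lamlee's method itself; it is a generic aligned-block computation): from a wildcard it derives the block size, lists the block boundaries inside 172.22.3.32/27, reports the exact address range a `base wildcard` pair covers, and finds the smallest aligned block that holds a given set of hosts. The subnet and the hosts .50, .53 and .54 are taken from the thread.

```python
import ipaddress

# Added example, not from the lab or any poster. Generic wildcard/block-size
# arithmetic; the subnet and hosts used at the bottom come from the thread.

def is_contiguous(wildcard):
    """True for wildcards like 0.0.0.3 or 0.0.0.255 whose 1-bits form one low-order run."""
    w = int(ipaddress.IPv4Address(wildcard))
    return w & (w + 1) == 0

def block_size(wildcard):
    """Number of addresses a contiguous wildcard covers: 0.0.0.3 -> 4, 0.0.0.255 -> 256."""
    if not is_contiguous(wildcard):
        raise ValueError("non-contiguous wildcard; the block-size method does not apply")
    return int(ipaddress.IPv4Address(wildcard)) + 1

def covered_range(base, wildcard):
    """Inclusive (first, last) address that 'base wildcard' matches in an ACL line."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    first = b & ~w     # clear the 'don't care' bits to land on the aligned block start
    last = first | w   # set them all to reach the block end
    return (str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last)))

def covers(base, wildcard, host):
    """True if host falls inside the block that 'base wildcard' matches."""
    first, last = covered_range(base, wildcard)
    h = int(ipaddress.IPv4Address(host))
    return int(ipaddress.IPv4Address(first)) <= h <= int(ipaddress.IPv4Address(last))

def block_boundaries(subnet, wildcard):
    """Block start addresses of this wildcard's size inside a subnet (the '.32, .36, .40 ...' list)."""
    net = ipaddress.IPv4Network(subnet)
    size = block_size(wildcard)
    start = int(net.network_address)
    return [str(ipaddress.IPv4Address(a)) for a in range(start, start + net.num_addresses, size)]

def smallest_block_covering(hosts):
    """Smallest aligned block holding all hosts, as the (base, wildcard) pair an ACL line needs."""
    ints = [int(ipaddress.IPv4Address(h)) for h in hosts]
    lo, hi = min(ints), max(ints)
    size = 1
    while (lo & ~(size - 1)) + size - 1 < hi:   # grow until one aligned block spans lo..hi
        size *= 2
    base = lo & ~(size - 1)
    return (str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(size - 1)))

if __name__ == "__main__":
    base, wc = smallest_block_covering(["172.22.3.53", "172.22.3.54"])
    print("deny block:", base, wc, "covers", covered_range(base, wc))
    print("admin host .50 inside that block?", covers(base, wc, "172.22.3.50"))
    print("blocks of", block_size(wc), "in 172.22.3.32/27:", block_boundaries("172.22.3.32/27", wc))
    print("172.22.3.53 0.0.0.1 covers", covered_range("172.22.3.53", "0.0.0.1"))
```

The useful check is the last one in each direction: the block the wildcard selects must contain every host you intend to deny and must not contain the host you intend to keep (here .50). The `is_contiguous` guard matters because IOS accepts non-contiguous wildcards such as 0.0.0.5, and the "block size" shortcut gives the wrong answer for those.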


Sorry if there is a bit of confusion in this thread now. I merged the Topic opened at two different places for the same discussion. You will manage to carry on.

Edited by harry817
Duplicate Topics merged

