Access List questions
Archived text-only CCNA forum thread, March 2004
TheMetalMiltia, 2004-03-06, 7:10 pm
I found this in a braindump:
quote: Given three routers Nortel, Cisco and Austin.
Nortel
e0 192.168.11.1
s0 192.168.21.1
It asked you to apply an access list on the Nortel router to block telnet access and allow all other
traffic through Nortel. Make sure the ACL code doesn't exceed 3 lines.
I guess I got this one wrong,
and that is the reason Cisco cut my score.
My solution:
access-list 101 deny tcp any 192.168.11.1 0.0.0.0 eq telnet
access-list 101 deny tcp any 192.168.21.1 0.0.0.0 eq telnet
access-list 101 permit ip any any
interface ethernet 0
ip access-group 101 in
interface serial 0
ip access-group 101 in
Is that right, or is that guy saying that is what he typed in but got it wrong? If it's wrong, what is the right answer?
smrkdown, 2004-03-06, 8:41 pm
How would he know if he got it wrong on the exam? It doesn't tell you.
I also had questions about access lists on the exam, though. Can you use keywords like host instead of the wildcard mask 0.0.0.0, or telnet for port 23, etc.? Also, you can apply access lists to the vty lines themselves using "access-class", but can you do that on the exam?
worrywarm should know.
Joe Dali, 2004-03-06, 11:16 pm
I heard you can't do access-class... But I suck nuts on 801, so please, don't listen to me.
worrywarm, 2004-03-06, 11:20 pm
quote: Originally posted by TheMetalMiltia
I found this in a braindump
Is that right, or is that guy saying that is what he typed in but got it wrong? If it's wrong, what is the right answer?
Yeah, it's on my test, and your solution is right.
smrkdown, your question is what I was wondering before I took the exam. Now I can assure you that you can use host instead of 0.0.0.0, because in the exam when I checked the running-config, it had automatically reformatted my 0.0.0.0 into host format. As to 'access-class', I did not try it that way, because I read some posts on how2pass.com saying they typed the command and it didn't work.
edmonds_robert, 2004-03-07, 4:53 pm
quote: Originally posted by TheMetalMiltia
[...]
Given three routers Nortel, Cisco and Austin.
Nortel
e0 192.168.11.1
s0 192.168.21.1
It asked you to apply an access list on the Nortel router to block telnet access and allow all other
traffic through Nortel. Make sure the ACL code doesn't exceed 3 lines.
I guess I got this one wrong,
and that is the reason Cisco cut my score.
My solution:
access-list 101 deny tcp any 192.168.11.1 0.0.0.0 eq telnet
access-list 101 deny tcp any 192.168.21.1 0.0.0.0 eq telnet
access-list 101 permit ip any any
interface ethernet 0
ip access-group 101 in
interface serial 0
ip access-group 101 in
[...]
Actually, it's hard to tell what this question is asking. Are they trying to (1) prevent telnet access to the router, or are they trying to (2) prevent the router from passing telnet traffic to its connected networks. In either case, I believe your configuration is incorrect.
In case 1, the answer would be a simple access-list denying telnet, then apply it to the vty lines, like this:
access-list 1 deny any
line vty 0 4
access-class 1 in
If the case is 2, then your access list should look like:
access-list 101 deny tcp any 192.168.11.0 0.0.0.255 eq telnet
access-list 101 permit ip any any
access-list 102 deny tcp any 192.168.21.0 0.0.0.255 eq telnet
access-list 102 permit ip any any
int e0
ip access-group 101 out
int s0
ip access-group 102 out
Alternatively, if you really wanted to use inbound access-lists, you could apply them to the other interfaces, like this:
int e0
ip access-group 102 in
int s0
ip access-group 101 in
Either way will work.
I know someone will correct me if I am wrong, but I don't think you can apply an access-list to an interface where the source or destination address is the interface address. Hope the preceding information helps.
Robert
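To make the difference between the two candidate configurations concrete, here is an added example written for this page (not code from the thread, from Cisco IOS, or from any poster): a small Python evaluator for the IOS-style numbered access-list syntax the posts use, run over constructed sample flows. It models only match logic (wildcard masks, the host shorthand, port keywords, first-match order and the implicit deny at the end), not which interface or direction an ACL is applied to. The host addresses .5 and .7, the port-keyword table and the extra ssh/udp probes are assumptions added for illustration.

```python
"""
Added example (not from the thread, and not Cisco's code): a small evaluator
for IOS-style numbered access lists, enough to compare the ACLs posted in this
thread. Supported syntax is only the subset those posts use:

  access-list <1-99>    {permit|deny} <src>
  access-list <100-199> {permit|deny} {ip|tcp|udp} <src> <dst> [eq <port>]

where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask).
Entries are evaluated first-match, with the implicit 'deny any' at the end.
"""
import ipaddress

# IOS port keywords understood here (an assumed subset of the real list).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21}
ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with an all-ones wildcard


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A W' at tokens[i]; return ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":               # 'host A' is shorthand for 'A 0.0.0.0'
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def wildcard_match(spec, addr):
    """IOS wildcard semantics: 0 bits must match exactly, 1 bits are don't-care."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (base & care) == (_ip(addr) & care)


def parse_acls(text):
    """Return {acl_number: [entry, ...]} from 'access-list ...' lines, in order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                      # skip blanks and non-ACL lines
        number, action = int(t[1]), t[2]
        if number < 100:                  # standard ACL: source address only
            src, _ = parse_addr(t, 3)
            entry = {"action": action, "proto": "ip", "src": src, "dst": ANY, "dport": None}
        else:                             # extended ACL
            proto = t[3]
            src, i = parse_addr(t, 4)
            dst, i = parse_addr(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                name = t[i + 1]
                dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            entry = {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(e["src"], pkt["src"]) or not wildcard_match(e["dst"], pkt["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        return e["action"]
    return "deny"


def decide(acl_text, number, src, dst, proto="tcp", dport=None):
    """Verdict of ACL <number> in acl_text for one packet."""
    pkt = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    return evaluate(parse_acls(acl_text)[number], pkt)


# The candidate configurations from the thread, verbatim.
ACL_ROUTER_ADDRS = """
access-list 101 deny tcp any 192.168.11.1 0.0.0.0 eq telnet
access-list 101 deny tcp any 192.168.21.1 0.0.0.0 eq telnet
access-list 101 permit ip any any
"""
ACL_SUBNETS = """
access-list 101 deny tcp any 192.168.11.0 0.0.0.255 eq telnet
access-list 101 permit ip any any
access-list 102 deny tcp any 192.168.21.0 0.0.0.255 eq telnet
access-list 102 permit ip any any
"""
ACL_VTY = "access-list 1 deny any"        # the access-class variant (source-only)

if __name__ == "__main__":
    # Constructed sample flows; hosts .5 and .7 are assumptions, not from the thread.
    print(decide(ACL_ROUTER_ADDRS, 101, "192.168.11.5", "192.168.11.1", dport=23))  # deny
    print(decide(ACL_ROUTER_ADDRS, 101, "192.168.11.5", "192.168.21.7", dport=23))  # permit
    print(decide(ACL_SUBNETS, 101, "192.168.21.7", "192.168.11.5", dport=23))       # deny
    print(decide(ACL_VTY, 1, "192.168.11.5", "192.168.11.1", dport=23))             # deny
```

Running it shows what each list actually matches: the first list denies telnet only when the destination is one of the router's own addresses and lets telnet between the two LANs through, while the subnet lists deny telnet to every host in 192.168.11.0/24 or 192.168.21.0/24. Two caveats the evaluator deliberately leaves out: an outbound interface ACL is only consulted for transit traffic, so the "out" variant never sees telnet aimed at the router itself (the inbound variant does), and an access-class on the vty lines matches only the source address, which is why a standard ACL with no port is enough there.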
npo3po, 2004-03-07, 5:00 pm
Practically, setting an access list on the vty lines themselves would make better sense, but that would mean only two statements, in which case you'd only need one deny statement and your permit. But in this case you're asked to filter telnet, which is an application-layer protocol, and remember that if you were to use line vty 0 4 with access-class to apply the access list to an interface, there would be no point in specifying telnet.
Hope that helps,
Amir