











Access List questions
TheMetalMiltia
Junior Member M
Registered: Mar 2004 Location: a Country: United States State: RI Certifications: a Working on: a
Total Posts: 5
Access List questions
I found this from a braindump
quote: Given three routers Nortel, Cisco and Austin.
Nortel
e0 192.168.11.1
s0 192.168.21.1
It asked to apply access-list on Nortel router to block the telnet access and allow all other
traffic thru Nortel. Make sure the ACL code doesn't exceed 3 lines.
I guess I got this one wrong
and that is the reason Cisco cut my score.
my solution...
access-list 101 deny tcp any 192.168.11.1 0.0.0.0 eq telnet
access-list 101 deny tcp any 192.168.21.1 0.0.0.0 eq telnet
access-list 101 permit ip any any
interface ethernet 0
ip access-group 101 in
interface serial 0
ip access-group 101 in
Is that right, or is that guy saying that is what he typed in but got it wrong? If it's wrong, what is the right answer?
03-07-04 12:10 AM
smrkdown
Senior Member M

Registered: Dec 2003 Location: Country: United States State: Certifications: A+, Network+, Linux+, CCNA Working on: (3 of 4) CCNP, CCIE
Total Posts: 845
How would he know if he got it wrong on the exam? It doesn't tell you.
I also had questions about access lists on the exam though. Can you use keywords like host instead of the wildcard mask 0.0.0.0, or telnet for port 23, etc.? Also, you can apply access lists to the vty lines themselves using "access-class", but can you do that on the exam?
worrywarm should know
03-07-04 01:41 AM
Joe Dali
Senior Member M

Registered: Oct 2000 Location: Mars Country: United States State: Certifications: MCSE, MCSA, MCP+i Working on:
Total Posts: 161
03-07-04 04:16 AM
worrywarm
Senior Member F
Registered: Feb 2004 Location: Country: United States State: MO Certifications: Working on:
Total Posts: 169
Re: Access List questions
quote: Originally posted by TheMetalMiltia
I found this from a braindump
Is that right, or is that guy saying that is what he typed in but got it wrong? If it's wrong, what is the right answer?
Yeah, it's on my test, and your solution is right.
smrkdown, your question is what I was wondering before I took the exam. Now I can assure you that you can use host instead of 0.0.0.0, because in the exam when I checked the running-config, it automatically reformatted my 0.0.0.0 to host format. As to 'access-class', I did not try this way, because I read some posts on how2pass.com saying that they typed the command and it didn't work.
03-07-04 04:20 AM
edmonds_robert
Senior Member M

Registered: Sep 2002 Location: Country: United States State: Certifications: MCSE, CCNA, CCA Working on: CCNP, MCSE 2000, Linux+, Playstation 2+
Total Posts: 367
Re: Access List questions
quote: Originally posted by TheMetalMiltia
[...]
Given three routers Nortel, Cisco and Austin.
Nortel
e0 192.168.11.1
s0 192.168.21.1
It asked to apply access-list on Nortel router to block the telnet access and allow all other
traffic thru Nortel. Make sure the ACL code doesn't exceed 3 lines.
I guess I got this one wrong
and that is the reason Cisco cut my score.
my solution...
access-list 101 deny tcp any 192.168.11.1 0.0.0.0 eq telnet
access-list 101 deny tcp any 192.168.21.1 0.0.0.0 eq telnet
access-list 101 permit ip any any
interface ethernet 0
ip access-group 101 in
interface serial 0
ip access-group 101 in
[...]
Actually, it's hard to tell what this question is asking. Are they trying to (1) prevent telnet access to the router, or are they trying to (2) prevent the router from passing telnet traffic to its connected networks? In either case, I believe your configuration is incorrect.
In case 1, the answer would be a simple access-list denying telnet, then apply it to the vty lines, like this:
access-list 1 deny any
line vty 0 4
access-class 1 in
If the case is 2, then your access list should look like:
access-list 101 deny tcp any 192.168.11.0 0.0.0.255 eq telnet
access-list 101 permit ip any any
access-list 102 deny tcp any 192.168.21.0 0.0.0.255 eq telnet
access-list 102 permit ip any any
int e0
ip access-group 101 OUT
int s0
ip access-group 102 OUT
Alternatively, if you really wanted to use inbound access-lists, you could apply them to the other interfaces, like this:
int e0
ip access-group 102 in
int s0
ip access-group 101 in
Either way will work.
I know someone will correct me if I am wrong, but I don't think you can apply an access-list to an interface where the source or destination address is the interface address. Hope the preceding information helps.
Robert
__________________
Save the animals. Eat a vegetarian.
03-07-04 09:53 PM
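To make the difference between the two lists in this thread concrete, here is an added Python model of Cisco numbered-ACL matching (first matching entry wins, implicit deny at the end, wildcard bits set to 1 are don't-care). It is not code from the thread or from Cisco; it evaluates the original poster's list (0.0.0.0 wildcards, i.e. the router's own interface addresses only) against Robert's case-2 list 101 (0.0.0.255, the whole 192.168.11.0 subnet), and deliberately ignores interface direction.

```python
import ipaddress

# Constructed from the thread: the original poster's ACL and Robert's case-2 list 101.
OP_ACL = [
    "access-list 101 deny tcp any 192.168.11.1 0.0.0.0 eq telnet",
    "access-list 101 deny tcp any 192.168.21.1 0.0.0.0 eq telnet",
    "access-list 101 permit ip any any",
]
SUBNET_ACL = [
    "access-list 101 deny tcp any 192.168.11.0 0.0.0.255 eq telnet",
    "access-list 101 permit ip any any",
]
PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}  # IOS port keywords this model knows


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]


def parse_entry(line):
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' line."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    dport = PORT_NAMES.get(rest[1], rest[1]) if rest[:1] == ["eq"] else None
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
            "dport": int(dport) if dport is not None else None}


def _matches(addr, spec):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care


def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for a packet; unmatched packets hit the implicit deny."""
    for e in map(parse_entry, acl_lines):
        if e["proto"] not in ("ip", proto):
            continue
        if not (_matches(src, e["src"]) and _matches(dst, e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"
```

Telnet to a LAN host such as 192.168.11.50 is permitted by OP_ACL (only the router's own addresses are denied) but denied by SUBNET_ACL, while HTTP and non-TCP traffic pass both.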
npo3po
LOCK AND LOAD! M

Registered: Jun 2003 Location: Country: United States State: Certifications: A+, CCNA, CWNA Working on: MCSA 2K3: Security, CCDA, CQS-IPS
Total Posts: 231
Practically, setting an access-list on the vty lines themselves would make better sense, but that would mean only two statements, in which case you'd only need one deny statement and your permit. But in this case you're asked to filter telnet, which is an application layer protocol, and remember, if you were to use line vty 0 4 with access-class to apply the access-list to an interface, there would be no point in specifying telnet.
hope that helps
Amir
03-07-04 10:00 PM