Tweet
TSHOOT (642-832): Ticket 5 – R1 ACL
Client is not able to ping the server. Except for R1, no one else can ping the server. (use ipv4 Layer 3)
Problem:on R1 acl blocking ip
Configuration on R1
interface Serial0/0/0/1
description Link to ISP
ip address 209.65.200.224 255.255.255.252
ip nat outside
ip access-group edge_security in
!
ip access-list extended edge_security
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
!
Answer: add permit ip 209.65.200.224 0.0.0.3 any command to R1′s ACL
Ans1) R1
Ans2) IPv4 Layer 3 Security
Ans3) Under the ip access-list extended edge-security configuration add the permit ip 209.65.200.224 0.0.0.3 any command
Note: This is the only ticket the extended access-list edge_security exists. In other tickets, the access-list 30 is applied to the inbound direction of S0/0/0/1 of R1.
Problem:on R1 acl blocking ip
Configuration on R1
interface Serial0/0/0/1
description Link to ISP
ip address 209.65.200.224 255.255.255.252
ip nat outside
ip access-group edge_security in
!
ip access-list extended edge_security
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
!
Answer: add permit ip 209.65.200.224 0.0.0.3 any command to R1′s ACL
Ans1) R1
Ans2) IPv4 Layer 3 Security
Ans3) Under the ip access-list extended edge-security configuration add the permit ip 209.65.200.224 0.0.0.3 any command
Note: This is the only ticket the extended access-list edge_security exists. In other tickets, the access-list 30 is applied to the inbound direction of S0/0/0/1 of R1.