
Packet Tracer - Troubleshooting IPv4 ACLs (Instructor Version)

Developed by: OSCAR VANEGAS LANDINEZ


Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device    Interface   IP Address        Subnet Mask       Default Gateway
R1        G0/0        10.0.0.1          255.0.0.0         N/A
R1        G0/1        172.16.0.1        255.255.0.0       N/A
R1        G0/2        192.168.0.1       255.255.255.0     N/A
Server1   NIC         172.16.255.254    255.255.0.0       172.16.0.1
Server2   NIC         192.168.0.254     255.255.255.0     192.168.0.1
Server3   NIC         10.255.255.254    255.0.0.0         10.0.0.1
L1        NIC         172.16.0.2        255.255.0.0       172.16.0.1
L2        NIC         192.168.0.2       255.255.255.0     192.168.0.1
L3        NIC         10.0.0.2          255.0.0.0         10.0.0.1

Objectives
Part 1: Troubleshoot ACL Issue 1
Part 2: Troubleshoot ACL Issue 2

© 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of

Part 3: Troubleshoot ACL Issue 3

Scenario
This network is meant to have the following three policies implemented:
- Hosts from the 192.168.0.0/24 network are unable to access any TCP service of Server3.
- Hosts from the 10.0.0.0/8 network are unable to access the HTTP service of Server1.
- Hosts from the 172.16.0.0/16 network are unable to access the FTP service of Server2.
Note: All FTP usernames and passwords are “cisco”.
No other restrictions should be in place. Unfortunately, the rules that have been implemented are not working
correctly. Your task is to find and fix the errors related to the access lists on R1.

Part 1: Troubleshoot ACL Issue 1


Hosts from the 192.168.0.0/24 network are intentionally unable to access any TCP service of Server3, but
should not be otherwise restricted.

Step 1: Determine the ACL problem.


As you perform the following tasks, compare the results to what you would expect from the ACL.
a. Using L2, attempt to access FTP and HTTP services of Server1, Server2, and Server3.

b. Using L2, ping Server1, Server2, and Server3.


c. Using L2, ping G0/2 of R1.

d. View the running configuration on R1. Examine access list 192_to_10 and its placement on the interfaces.
Is the access list placed on the correct interface and in the correct direction? Is there any statement in the
list that permits or denies traffic to other networks? Are the statements in the correct order?

e. Perform other tests, as necessary.

Step 2: Implement a solution.


Make an adjustment to access list 192_to_10 to fix the problem.

Step 3: Verify that the problem is resolved and document the solution.
If the problem is resolved, document the solution; otherwise return to Step 1.


Answer: Performing the disconnection is correct; blocking the STP services.

The inbound Gigabit interfaces are verified to be the correct ones according to the arrangement of source and
destination: 10 deny tcp 192.168.0.0 0.0.0.255 host 10.255.255.254 (24 match(es)), where deny is an
implicit denial of any traffic, not allowing connectivity at Layer 3.
To create the solution, the following commands were used:
R1(config)#do show ip access-list : Displays the access lists on R1.
R1(config)#ip access-list extended 192_to_10 : Creates the extended access list.
R1(config-ext-nacl)#20 permit ip any any : Setting the sequence number to a value greater than 10 adds a
new line that permits any other IP traffic from any source to any destination.
No traffic is getting through because of the implicit deny any. Added a permit ip any any to the ACL.

Part 2: Troubleshoot ACL Issue 2


Hosts from the 10.0.0.0/8 network are intentionally unable to access the HTTP service of Server1, but should
not be otherwise restricted.

Step 1: Determine the ACL problem.


As you perform the following tasks, compare the results to what you would expect from the ACL.

a. Using L3, attempt to access FTP and HTTP services of Server1, Server2, and Server3.

b. Using L3, ping Server1, Server2, and Server3.

c. View the running configuration on R1. Examine access list 10_to_172 and its placement on the interfaces.
Is the access list placed on the correct interface and in the correct direction? Is there any statement in the
list that permits or denies traffic to other networks? Are the statements in the correct order?

It is applied outbound on G0/0 for the 10 network, which is incorrect, since it is reversed: L3 and Server3
are the source and Server1 is the destination.
d. Run other tests as necessary.
Step 2: Implement a solution.
Make an adjustment to access list 10_to_172 to fix the problem.

Step 3: Verify the problem is resolved and document the solution.


If the problem is resolved, document the solution; otherwise return to Step 1.
The entries are in the correct order: TCP is denied from the 10 network as source to the Server1 host as
destination on port 80 HTTP, permitting any other traffic.

ACL was applied outbound on G0/0. Removed as outbound and applied as inbound on G0/0.
Part 3: Troubleshoot ACL Issue 3
Hosts from the 172.16.0.0/16 network are intentionally unable to access the FTP service of Server2, but
should not be otherwise restricted.

Step 1: Determine the ACL problem.


As you perform the following tasks, compare the results to the expectations of the ACL.
a. Using L1, attempt to access FTP and HTTP services of Server1, Server2, and Server3.

FTP succeeds, but that is not right for the access list, since it is supposed to block FTP.
b. Using L1, ping Server1, Server2, and Server3.
c. View the running configuration on R1. Examine access list 172_to_192 and its placement on the
interfaces. Is the access list placed on the correct port in the correct direction? Is there any statement
in the list that permits or denies traffic to other networks? Are the statements in the correct order?
d. Run other tests as necessary.

Step 2: Implement a solution.


Make an adjustment to access list 172_to_192 to fix the problem.

Step 3: Verify the problem is resolved and document the solution.


If the problem is resolved, document the solution; otherwise return to Step 1.
TCP from the 172.16 network as source to the Server2 host as destination using FTP, in addition to permitting
other traffic, which must be placed at the end.
All traffic is allowed through because the order of the statements is wrong. Reorder the statements so that the
permit ip any any is the second statement.
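The three faults in this lab (Part 1: no permit after the deny, so the implicit deny drops everything; Part 2: the ACL applied in the wrong direction on G0/0; Part 3: permit ip any any placed before the deny) are all consequences of how IOS evaluates an extended ACL: top-down, first match wins, implicit deny at the end, and only on the interface and direction where the list is applied. The following Python script is an added example, not part of the Cisco lab or of the student's answer; it simulates that evaluation for R1 using the addresses from the addressing table. The placement of 192_to_10 (inbound on G0/2) and 172_to_192 (inbound on G0/1) is an assumption, since the lab text does not state it, and the test flows are constructed to mirror Step 1 of each part.

```python
"""Simulation of Cisco IOS extended ACL evaluation on R1 (added example, not part of the lab)."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any": a wildcard of all ones ignores every bit

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

def host(ip):
    """'host X' is shorthand for X with wildcard 0.0.0.0 (every bit must match)."""
    return (ip, "0.0.0.0")

def ace(action, proto, src, dst, dport=None):
    """One access control entry; src and dst are (network, wildcard) pairs."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def ace_matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if entry["dport"] is not None and entry["dport"] != pkt.get("dport"):
        return False
    return (wildcard_match(pkt["src"], *entry["src"])
            and wildcard_match(pkt["dst"], *entry["dst"]))

def evaluate_acl(acl, pkt):
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    for entry in acl:
        if ace_matches(entry, pkt):
            return entry["action"]
    return "deny"

# R1's interfaces and the subnets behind them, from the lab's addressing table.
INTERFACES = {
    "G0/0": ipaddress.ip_network("10.0.0.0/8"),
    "G0/1": ipaddress.ip_network("172.16.0.0/16"),
    "G0/2": ipaddress.ip_network("192.168.0.0/24"),
}

def interface_for(ip):
    addr = ipaddress.IPv4Address(ip)
    return next(name for name, net in INTERFACES.items() if addr in net)

def forward(applied, acls, pkt):
    """Check the inbound ACL on the ingress interface, then the outbound ACL on the egress one.
    applied maps (interface, "in" | "out") to an ACL name; an ACL on any other
    interface/direction never sees the packet (Issue 2)."""
    ingress, egress = interface_for(pkt["src"]), interface_for(pkt["dst"])
    for iface, direction in ((ingress, "in"), (egress, "out")):
        name = applied.get((iface, direction))
        if name and evaluate_acl(acls[name], pkt) == "deny":
            return "deny"
    return "permit"

def lab_config(fixed):
    """The three ACLs as the lab describes them, as found (fixed=False) or repaired.
    ASSUMPTION: 192_to_10 is applied inbound on G0/2 and 172_to_192 inbound on G0/1."""
    permit_all = ace("permit", "ip", ANY, ANY)
    acl_192 = [ace("deny", "tcp", ("192.168.0.0", "0.0.0.255"), host("10.255.255.254"))]
    if fixed:  # Issue 1: without this line the implicit deny drops all other traffic
        acl_192.append(permit_all)
    acl_10 = [ace("deny", "tcp", ("10.0.0.0", "0.255.255.255"), host("172.16.255.254"), 80),
              permit_all]
    deny_ftp = ace("deny", "tcp", ("172.16.0.0", "0.0.255.255"), host("192.168.0.254"), 21)
    acl_172 = [deny_ftp, permit_all] if fixed else [permit_all, deny_ftp]  # Issue 3: order
    acls = {"192_to_10": acl_192, "10_to_172": acl_10, "172_to_192": acl_172}
    applied = {
        ("G0/2", "in"): "192_to_10",
        ("G0/0", "in" if fixed else "out"): "10_to_172",  # Issue 2: direction on G0/0
        ("G0/1", "in"): "172_to_192",
    }
    return acls, applied

def tcp(src, dst, dport):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport}

def icmp(src, dst):
    return {"proto": "icmp", "src": src, "dst": dst}

def lab_tests(fixed):
    """Constructed flows mirroring Step 1 of each part; returns permit/deny per flow."""
    acls, applied = lab_config(fixed)
    flows = {
        "L2 -> Server3 FTP":  tcp("192.168.0.2", "10.255.255.254", 21),  # policy: deny
        "L2 -> Server1 ping": icmp("192.168.0.2", "172.16.255.254"),     # policy: permit
        "L3 -> Server1 HTTP": tcp("10.0.0.2", "172.16.255.254", 80),     # policy: deny
        "L3 -> Server2 HTTP": tcp("10.0.0.2", "192.168.0.254", 80),      # policy: permit
        "L1 -> Server2 FTP":  tcp("172.16.0.2", "192.168.0.254", 21),    # policy: deny
        "L1 -> Server2 HTTP": tcp("172.16.0.2", "192.168.0.254", 80),    # policy: permit
    }
    return {name: forward(applied, acls, pkt) for name, pkt in flows.items()}

if __name__ == "__main__":
    for state in (False, True):
        print("fixed" if state else "as found", lab_tests(state))
```

Running it with fixed=False reproduces the symptoms of all three parts (L2 cannot ping Server1, L3 reaches Server1's HTTP, L1 reaches Server2's FTP) and with fixed=True every flow matches the stated policy. The simulation only models what the lab exercises (protocol, source, destination, destination port, interface and direction); established/reflexive options, named ports and the router's own traffic are out of scope.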
Suggested Scoring Rubric

Question Location       Possible Points   Earned Points
Documentation Score     10
Packet Tracer Score     90
Total Score             100
