From: Rich Collins (nilsi2002@gmail.com)
Date: Mon Oct 08 2007 - 18:28:20 ART
Hi George,
I took a close look at this and can think of two things.
One: there are only web servers and not ftp servers in the 10.1.1.0/24 network
Two: The first line is not necessary if you have the second.
permit tcp 10.1.1.0 0.0.0.255 eq www any
permit tcp 10.1.1.0 0.0.0.255 any established
Probably for internal connection to external ftp servers (active mode) this is not what should be there:
permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
but this:
permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data established
instead of this as well:
permit tcp 10.1.1.0 0.0.0.255 any established
Rich
On 10/7/07, George Goglidze <goglidze@gmail.com> wrote:
>
> Hi all,
>
> In ipexpert lab 9 task 2:
> Create an access-list on R4 named lambeau. The access-list should permit web
> and ftp traffic for all the users on the 10.1.1.0/24 network (there are
> web/ftp clients and servers on the 10.1.1.0/24 network).
> There is a possibility that in the future another router will be added on
> the 10.1.1.0/24 network and it will want to join the OSPF network so OSPF
> traffic should also be allowed.
> All other traffic should be denied at the earliest point on R4 (no traffic
> that is prohibited should reach the routing engine).
> All routing adjacencies must be maintained.
>
> ipexpert gives us following solution to this problem:
>
> !
> interface FastEthernet0/0
> ip address 10.10.1.4 255.255.255.0
> ip access-group lambeau in
> duplex auto
> speed auto
> !
>
> ip access-list extended lambeau
> permit tcp 10.1.1.0 0.0.0.255 any eq www
> permit tcp 10.1.1.0 0.0.0.255 any eq ftp
> permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
> remark those three lines cover stuff the users generate
> permit tcp 10.1.1.0 0.0.0.255 eq www any
> remark that line covers the replies from web servers on the inside
> permit tcp 10.1.1.0 0.0.0.255 any established
> remark that line is necessary for the FTP server responses since ports vary
> permit ospf 10.1.1.0 0.0.0.255 any
>
>
> ---------------------
>
> I think they don't meet all the requirements, and I need your opinion on
> this one.
>
> 1)
> permit tcp 10.1.1.0 0.0.0.255 any eq www
> permit tcp 10.1.1.0 0.0.0.255 any eq ftp
> permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
>
> these are not correct because the traffic is coming from port 80/21/20 not
> going to these ports.
> it should be like this:
> permit tcp 10.1.1.0 0.0.0.255 eq www any
> permit tcp 10.1.1.0 0.0.0.255 eq ftp any
> permit tcp 10.1.1.0 0.0.0.255 eq ftp-data any
>
> 2)
> permit tcp 10.1.1.0 0.0.0.255 eq www any
> permit tcp 10.1.1.0 0.0.0.255 any established
> after our corrections in step 1 we don't need these any more.
>
>
> and as well it would not be correct because traffic is coming in from
> interface s1/0 and we don't put this access-list on s1/0.
> so the last requirement that traffic should not get to routing engine is
> not met.
> the routing table will be looked up, and after trying to pass int f0/0
> will be dropped/allowed access.
>
> what I really would do is put acl on s1/0 direction IN and change it
> following way:
>
>
> ip access-list extended lambeau
> permit tcp any 10.10.1.0 0.0.0.255 eq ftp
> permit tcp any 10.10.1.0 0.0.0.255 eq ftp-data
> permit tcp any 10.10.1.0 0.0.0.255 eq www
> deny ip any 10.10.1.0 0.0.0.255
> permit ip any any
> !
>
>
> Please tell me what you think about this.
>
> Thanks a lot.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
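Added example, not code from the thread, from ipexpert, or from either poster: the Python below models how IOS evaluates an extended ACL (first match wins, `eq` on the source or destination side compares that side's port, `established` matches only TCP segments with ACK or RST set, and anything unmatched hits the implicit deny). It parses the ipexpert list quoted above and runs a handful of constructed flows through it, so you can see which line each flow hits. The outside network 198.51.100.0/24, the host addresses and the ephemeral port numbers are assumptions; the `Packet` type and helper names are mine.

```python
# Toy first-match evaluator for Cisco-style extended ACL lines. Added example,
# not code from the thread; the sample flows below are constructed.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}

@dataclass
class Packet:
    proto: str          # "tcp", "ospf", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK (or RST) bit set: what IOS 'established' tests

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    # Consume 'any' | 'host A' | 'A WILDCARD'; return (net, must-match mask, rest).
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0xFFFFFFFF, tokens[2:]
    return _ip(tokens[0]), ~_ip(tokens[1]) & 0xFFFFFFFF, tokens[2:]

def _port(tokens):
    # Consume an optional 'eq NAME|NUMBER'; return (port or None, rest).
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    # Each rule: (action, proto, s_net, s_mask, s_port, d_net, d_mask, d_port, established)
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        s_net, s_mask, rest = _addr(rest)
        s_port, rest = _port(rest)
        d_net, d_mask, rest = _addr(rest)
        d_port, rest = _port(rest)
        rules.append((action, proto, s_net, s_mask, s_port,
                      d_net, d_mask, d_port, "established" in rest))
    return rules

def _matches(rule, p):
    action, proto, s_net, s_mask, s_port, d_net, d_mask, d_port, established = rule
    return ((proto == "ip" or proto == p.proto)
            and (_ip(p.src) & s_mask) == (s_net & s_mask)
            and (_ip(p.dst) & d_mask) == (d_net & d_mask)
            and (s_port is None or p.sport == s_port)
            and (d_port is None or p.dport == d_port)
            and (not established or p.ack))

def evaluate(rules, pkt):
    # First matching line wins; the implicit deny at the end is modelled as ("deny", None).
    for i, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule[0], i
    return "deny", None

# The ipexpert ACL from the thread (remarks omitted; line indexes start at 0).
IPEXPERT_ACL = """
permit tcp 10.1.1.0 0.0.0.255 any eq www
permit tcp 10.1.1.0 0.0.0.255 any eq ftp
permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
permit tcp 10.1.1.0 0.0.0.255 eq www any
permit tcp 10.1.1.0 0.0.0.255 any established
permit ospf 10.1.1.0 0.0.0.255 any
"""

# Constructed flows as they would arrive inbound on Fa0/0 from the 10.1.1.0/24 side
# (198.51.100.0/24 stands in for "outside"; a session's first SYN has ack=False).
LAN_FLOWS = {
    "client_syn_to_ext_web":         Packet("tcp", "10.1.1.5", "198.51.100.10", 40000, 80),
    "web_server_reply":              Packet("tcp", "10.1.1.80", "198.51.100.20", 80, 51000, ack=True),
    "ftp_server_ctrl_reply":         Packet("tcp", "10.1.1.21", "198.51.100.20", 21, 51001, ack=True),
    "ftp_server_active_data_syn":    Packet("tcp", "10.1.1.21", "198.51.100.20", 20, 51002),
    "client_synack_to_ext_ftp_data": Packet("tcp", "10.1.1.5", "198.51.100.10", 40001, 20, ack=True),
    "ospf_hello":                    Packet("ospf", "10.1.1.9", "224.0.0.5"),
    "telnet_out":                    Packet("tcp", "10.1.1.5", "198.51.100.10", 40002, 23),
}

def classify(acl_text, flows):
    # Map each flow name to the (action, matching line index) the ACL yields.
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in flows.items()}

if __name__ == "__main__":
    for name, (action, idx) in classify(IPEXPERT_ACL, LAN_FLOWS).items():
        print(f"{name:32} {action:6} {'implicit deny' if idx is None else f'line {idx}'}")
```

Running it prints one line per flow with the ACL entry that matched. Two results are worth noticing: the SYN that an inside FTP server sends from port 20 for an active-mode data connection is not an ACK-bearing segment, so `any established` does not cover it and it falls to the implicit deny, while the inside client's SYN/ACK towards an external server's port 20 is caught by the `any eq ftp-data` line. The same `classify` call accepts any of the other lists in the thread; build the sample flows for the direction the list would actually be applied in.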
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART