Chapter 12 - Access Lists, Number 6

Daniel333 Member Posts: 2,077
What am I doing wrong here....

The correct answer(s): A C
Which of the following access-list commands permit traffic that matches packets going to a web server, from host 10.1.1.1, for all web servers whose IP addresses begin with 172.16.5? Select all that apply.

A.) access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
B.) access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
C.) access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
D.) access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
E.) access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255

Alright, it's web traffic so we are talking about TCP, so that breaks it down

A.) access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
C.) access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
E.) access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255

I said A, C and E. Why can't E be an answer? Can't you just block www as part of the source? Why does www need to be part of the destination?
-Daniel

Comments

  • ignign0kt Member Posts: 42
    The port or service name has to be at the end of the command, not after the source address... or anywhere else for that matter.
  • Ciscopimpenator Inactive Imported Users Posts: 134
    To further clarify...

    You can't block www as the source because the source port is not www.
    In this particular case the destination port is www(80).
    The source port could be anything decided upon by your OS or application.
    Read about tcp source ports on the Internet it will help you clarify things.

    :0)
    -Ciscopimpenator
  • Pash Member Posts: 1,600
    The source port could be anything from 1024 to 65000 odd.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • tech-airman Member Posts: 953
    Daniel333 wrote:
    What am I doing wrong here....

    The correct answer(s): A C
    Which of the following access-list commands permit traffic that matches packets going to a web server, from host 10.1.1.1, for all web servers whose IP addresses begin with 172.16.5? Select all that apply.

    A.) access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
    B.) access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
    C.) access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
    D.) access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
    E.) access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255

    Alright, it's web traffic so we are talking about TCP, so that breaks it down

    A.) access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
    C.) access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
    E.) access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255

    I said A, C and E. Why can't E be an answer? Can't you just block www as part of the source? Why does www need to be part of the destination?

    Daniel333,

    Let's read the problem to find out the ACL requirements:
    1. permit traffic
    2. from host 10.1.1.1
    3. going to a web server
    4. all web servers whose IP addresses begin with 172.16.5

    Now that we know the direct requirements, let's determine the indirect requirements.
    1. Since this is "going to a WEB server", we know the destination TCP port is 80.
    2. Since "all web servers whose IP addresses begin with 172.16.5", there is a destination involved.
    3. Since there is a destination involved, we need to use an IP extended access list instead of a standard access list.
    4. Since we're going to be using an IP extended access list, what are the valid access list numbers? The valid access-list number ranges are 100-199 and 2000-2699.

    At this point, we can mark option D) as incorrect because the access list number of "1951" falls in the range of access list numbers for an "IP standard access list (expanded range)."

    Let's go back to the direct requirements...
    1. permit traffic

    This means that, so far, options A), B), C), and E) are correct.

    Since "going to a web server" is a direct requirement, we are creating a TCP access list for destination port 80. Therefore we can mark option B) as incorrect because that is an IP access list not a TCP access list.

    Since "from host 10.1.1.1" is a direct requirement, that means the source is the host with the IP address 10.1.1.1. The IOS syntax for specifying that host is "host 10.1.1.1". That means options A), C), and E) are valid so far.

    Since "going to a web server" and "all web servers whose IP addresses begin with 172.16.5" are direct requirements, we're going to need to figure out the destination wildcard address and wildcard mask. Since the "IP addresses begin with 172.16.5", the destination wildcard address is 172.16.5.0. Indirectly, that also says that it doesn't matter what the last octet of the destination web server address is, so the wildcard mask will be 0.0.0.255. So the complete destination wildcard address and destination wildcard mask is "172.16.5.0 0.0.0.255". At this point, we can mark option E) as incorrect because the destination wildcard address and mask is "172.16.5.0 0.0.0.255" and not "eq www." That leaves options A) and C).

    Since "going to a web server" is a direct requirement, the TCP port will be 80, or in the case of Cisco IOS, you may use "eq www". That leaves options A) and C) as the remaining valid options so that's why those are the acceptable answers.

    I hope this helps.
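The elimination above can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a deliberately simplified parser for the numbered extended ACL syntax used in the question, plus a matcher that runs each of the five candidates against constructed packets. The ephemeral client port 49152 and the server address 172.16.5.10 are assumptions chosen for the illustration. The third packet also shows what option E actually describes: 10.1.1.1 acting as the web server, which is the port swap discussed later in the thread.

```python
import ipaddress
from collections import namedtuple

# Simplified model of IOS numbered extended ACE syntax (added example, not IOS code):
#   access-list <num> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
# where <src>/<dst> is "host A.B.C.D", "any", or "A.B.C.D W.W.W.W" (address + wildcard).
NAMED_PORTS = {"www": 80}                      # subset; real IOS knows many more names
EXTENDED_RANGES = ((100, 199), (2000, 2699))   # numbered extended ACL ranges from the thread

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")


def _take_address(tokens):
    """Consume one address spec; return ((address, wildcard) as ints, remaining tokens)."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "host" and len(tokens) >= 2:
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if len(tokens) < 2:
        raise ValueError("address without wildcard mask")
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wild), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; return (port or None, remaining tokens)."""
    if not tokens or tokens[0] != "eq":
        return None, tokens
    if len(tokens) < 2:
        raise ValueError("'eq' without a port")
    name = tokens[1]
    port = NAMED_PORTS.get(name, int(name) if name.isdigit() else None)
    if port is None:
        raise ValueError(f"unknown port name {name!r}")
    return port, tokens[2:]


def parse_ace(line):
    """Parse one numbered extended ACE into a dict; raise ValueError where IOS would reject it."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or not t[1].isdigit():
        raise ValueError("not an 'access-list <number> ...' command")
    number = int(t[1])
    if not any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        raise ValueError(f"{number} is not an extended ACL number (100-199, 2000-2699)")
    action, proto, rest = t[2], t[3], t[4:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, rest = _take_address(rest)
    src_port, rest = _take_port(rest)      # 'eq' right after the source = source port
    dst, rest = _take_address(rest)
    dst_port, rest = _take_port(rest)      # 'eq' after the destination = destination port
    if rest:
        raise ValueError(f"trailing tokens {' '.join(rest)!r}")
    if proto not in ("tcp", "udp") and (src_port, dst_port) != (None, None):
        raise ValueError(f"port qualifiers are not valid with protocol {proto!r}")
    return {"number": number, "action": action, "proto": proto,
            "src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port}


def _addr_matches(spec, ip):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & (~wild & 0xFFFFFFFF) == 0


def ace_matches(ace, pkt):
    """True if the packet matches the ACE's protocol, addresses and any port qualifiers."""
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    return (_addr_matches(ace["src"], pkt.src_ip) and _addr_matches(ace["dst"], pkt.dst_ip)
            and ace["src_port"] in (None, pkt.src_port)
            and ace["dst_port"] in (None, pkt.dst_port))


def evaluate(candidates, pkt):
    """Return {letter: 'permit' | 'deny' | 'no match' | 'invalid'} for each candidate ACE."""
    result = {}
    for letter, line in candidates.items():
        try:
            ace = parse_ace(line)
        except ValueError:
            result[letter] = "invalid"
            continue
        result[letter] = ace["action"] if ace_matches(ace, pkt) else "no match"
    return result


CANDIDATES = {   # the five options from the question
    "A": "access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www",
    "B": "access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255",
    "C": "access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www",
    "D": "access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www",
    "E": "access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255",
}

# Constructed packets. The browser picks an ephemeral source port (49152 assumed here)
# and sends to the server's port 80; the server's reply carries the ports swapped.
CLIENT_TO_SERVER = Packet("tcp", "10.1.1.1", 49152, "172.16.5.10", 80)
SERVER_TO_CLIENT = Packet("tcp", "172.16.5.10", 80, "10.1.1.1", 49152)
SERVER_AT_10_1_1_1 = Packet("tcp", "10.1.1.1", 80, "172.16.5.10", 49152)  # what E describes

if __name__ == "__main__":
    for name, pkt in (("client -> server", CLIENT_TO_SERVER),
                      ("server -> client", SERVER_TO_CLIENT),
                      ("10.1.1.1 as the server", SERVER_AT_10_1_1_1)):
        print(f"{name}: {evaluate(CANDIDATES, pkt)}")
```

Run against the client's request, A and C permit, B and D are rejected at parse time (a port qualifier on `ip`, and 1951 is outside the extended ranges), and E does not match because it requires the source port to be 80. E only permits the third packet, where 10.1.1.1 is the one listening on port 80. Note that A and C also do not match the server's reply; on a real router the return traffic is handled by a separate ACL on the other interface or direction.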
  • Daniel333 Member Posts: 2,077
    thanks guys, I'll get this stuff yet.

    Looks like I need to review TCP/UDP ports. I didn't understand that a client could use PORT XYZ but the destination is 80. I thought they both HAD to communicate on port 80. Off to reread TCP! Ha.
    -Daniel
  • tech-airman Member Posts: 953
    Daniel333 wrote:
    thanks guys, I'll get this stuff yet.

    Looks like I need to review TCP/UDP ports. I didn't understand that a client could use PORT XYZ but the destination is 80. I thought they both HAD to communicate on port 80. Off to reread TCP! Ha.

    Daniel333,

    Find out about:
    1. The TCP Handshaking process
    2. The Source Port and Destination Port fields in the TCP header for communications from the Client to the Server
    3. The Source Port and Destination Port fields in the TCP header for communications from the Server to the Client.
  • Ciscopimpenator Inactive Imported Users Posts: 134
    Daniel333 wrote:
    thanks guys, I'll get this stuff yet.

    Looks like I need to review TCP/UDP ports. I didn't understand that a client could use PORT XYZ but the destination is 80. I thought they both HAD to communicate on port 80. Off to reread TCP! Ha.

    Net+ didn't teach you source ports?

    What the hell are they testing on?
    -Ciscopimpenator