Chapter 12 - Access Lists, Number 6

What am I doing wrong here....

The correct answer(s): A C
Which of the following access-list commands permit traffic that matches packets going to a web server, from host 10.1.1.1, for all web servers whose IP addresses begin with 172.16.5? Select all that apply.

A.) access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
B.) access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
C.) access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
D.) access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
E.) access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255

Alright, it's web traffic so we are talking about TCP, so that breaks it down

A.) access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
C.) access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
E.) access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255

I said A, C and E. Why can't E be an answer? Can't you just block www as part of the source? why does www need to be part of the destination?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

ignign0kt

The port or service name has to be at the end of the command, not after the source address... or anywhere else for that matter.

Ciscopimpenator

To further clarify...

You can't block www as the source because the source port is not www.
In this particular case the destination port is www(80).
The source port could be anything decided upon by your OS or application.
Read about tcp source ports on the Internet it will help you clarify things.

:0)

Pash

the source port could be anything from 1024 to 65000 odd.

tech-airman

Daniel333 wrote:

What am I doing wrong here....

The correct answer(s): A C
Which of the following access-list commands permit traffic that matches packets going to a web server, from host 10.1.1.1, for all web servers whose IP addresses begin with 172.16.5? Select all that apply.

A.) access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
B.) access-list 2523 permit ip host 10.1.1.1 eq www 172.16.5.0 0.0.0.255
C.) access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
D.) access-list 1951 permit ip host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
E.) access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255

Alright, it's web traffic so we are talking about TCP, so that breaks it down

A.) access-list 101 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
C.) access-list 2523 permit tcp host 10.1.1.1 172.16.5.0 0.0.0.255 eq www
E.) access-list 2523 permit tcp host 10.1.1.1 eq www 172.16.5.0 0.0.0.255

I said A, C and E. Why can't E be an answer? Can't you just block www as part of the source? why does www need to be part of the destination?

Daniel333,

Let's read the problem to find out the ACL requirements:

permit traffic
from host 10.1.1.1
going to a web server
all web servers whose IP addresses begin with 172.16.5

Now that we know the direct requirements, let's determine the indirect requirements.

Since this is "going to a WEB server", we know the destination TCP port is 80.
Since "all web servers whose IP addresses begin with 172.16.5", there is a destination involved.
Since there is a destination involved, we need to use an IP extended access list instead of a standard access list.
Since we're going to be using an IP extended access list, what are the valid access list numbers? The valid access-list number ranges are 100-199 and 2000-2699.

At this point, we can mark option D) as incorrect because the access list number of "1951" falls in the range of access list numbers for an "IP standard access list (expanded range)."

Let's go back to the direct requirements...

permit traffic

This means so far, options A),

, C), and E) are correct so far.

Since "going to a web server" is a direct requirement, we are creating a TCP access list for destination port 80. Therefore we can mark option

as incorrect because that is an IP access list not a TCP access list.

Since "from host 10.1.1.1" is a direct requirement, that means the source is the host with the IP address 10.1.1.1. The IOS syntax for specifying that host is "host 10.1.1.1". That means options A), C), and E) are valid so far.

Since "going to a web server" and "all web servers whose IP addresses begin with 172.16.5" are direct requirements, we're going to need to figure out the destination wildcard address and wildcard masks. Since the "IP addresses begin with 172.16.5", the destination wildcard address is 172.16.5.0 . Indirectly, that also says that it doesn't matter what the last octet of the destination web server address is, so the wildcard mask will be 0.0.0.255. So the complete destination wildcard address and destination wildcard mask is "172.16.5.0 0.0.0.255". At this point, we can mark option E) as incorrect because the destination wildcard address and mask is "172.16.5.0 0.0.0.255" and not "eq www." That leaves options A) and C).

Since "going to a web server" is a direct requirement, the TCP port will be 80, or in the case of Cisco IOS, you may use "eq www". That leaves options A) and C) as the remaining valid options so that's why those are the acceptable answers.

I hope this helps.

Daniel333

thanks guys, I'll get this stuff yet.

Looks like I need to review TCP/UDP ports. I didn't understand that a client could use PORT XYZ but the destination is is 80. I thought they both HAD to communicate on port 80. Off to reread TCP! Ha.

tech-airman

Daniel333 wrote:

thanks guys, I'll get this stuff yet.

Looks like I need to review TCP/UDP ports. I didn't understand that a client could use PORT XYZ but the destination is is 80. I thought they both HAD to communicate on port 80. Off to reread TCP! Ha.

Daniel333,

Find out about:

The TCP Handshaking process
The Source Port and Destination Port fields in the TCP header for communications from the Client to the Server
The Source Port and Destination Port fields in the TCP header for communications from the Server to the Client.

Ciscopimpenator

Daniel333 wrote:

thanks guys, I'll get this stuff yet.

Looks like I need to review TCP/UDP ports. I didn't understand that a client could use PORT XYZ but the destination is is 80. I thought they both HAD to communicate on port 80. Off to reread TCP! Ha.

Net+ didn't teach you source ports?

What the hell are they testing on?