Review Question

I was looking in a review book, and a question they had in there I wasn't sure if their answer was right.

Question: You've configured an interface with the access list shown. Based on the access list, which information packets in the left column would be permitted, and which poackets would be denied?

Access-list 107 deny tcp 207.16.12.0 0.0.3.255 any eq http
Access-list 107 permit ip any any

A) Source IP : 207.16.32.14, destination application: http

Source IP : 207.16.15.9, destination port 23
C) Source IP: 207.16.14.7, destination port 80
D) Source IP : 207.16.13.14, destination application http
E) Source IP : 207.16.16.14, destination port 53

Book Answer:
Allowed D, C
Denied A,B,E

Reason: The wildcard 0.0.3.255 is a block size of 4, which means that the third octet will permit anything from 12 to 15. Also, the application is http, so the access list will only permit port 80

My answer:
Allowed - A, B, E
Denied - C, D

Is it just me, or are the 'deny/permit' statement backwards in the answer? Just want to make sure.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

georgemc

The wildcard mask 0.0.3.255 is a block size of 4, which means that the third octet will match anything from 12 to 15. Also, the application is http, so the deny statment will only match port 80.

Thus, C and D will match the deny statement in the access-list and A, C, and E will match the permit.

George

dtlokee

Access-list 107 deny tcp 207.16.12.0 0.0.3.255 any eq http
Access-list 107 permit ip any any

A) Source IP : 207.16.32.14, destination application: http
Source IP : 207.16.15.9, destination port 23
C) Source IP: 207.16.14.7, destination port 80
D) Source IP : 207.16.13.14, destination application http
E) Source IP : 207.16.16.14, destination port 53

C,D will match the deny statement
A,B,E will match the permit ip any any statement

B, E are easy because they're not using http for the destination port so that only leaves weeding out the other 3. I always find it's easiest to eliminate the ones that cannot be correct and choose from what's left.

wait2dominate

That's what I thought....just wanted to make sure I wasn't missing anything

kafifi13

Does anybody have a good link i can go to for the wild card masks. I have the ICND and the only thing not sinking in my head is when you use a wild card mask like the one listed below. For some reason it's just not clicking.

The Prize Is Lobster

what about them dont you understand?

the whole block thing seems overexplained. I just learned it as subtract from 255 for each octet = wildcard mask.

dtlokee

In many cases the wildcard mask used is just an inverted subnet mask (the ones turned to zeros and the zeros turned to ones). the easy way to find them is to take the mask and subtract from 255.255.255.255:

            255.255.255.255
Subnet Mask 255.255.255.192
             0 . 0 . 0 . 63

So if you wanted to match all the hosts on the 192.0.2.64/27 network you would use the entry 192.0.2.64 0.0.0.63 in your access-list.

The case really becomes that the address you specify is a match condition, and the wildcard mask determines what part to match and what part to wildcard. The other key is a wildcard mask does not need to be contigious like a subnet mask.

For example let's say you want to match all IP's with an even third octet (not very practical but you can do it). In this case you would use the 0.0.0.0 255.255.254.255 in your access list, basically ensuring all the matched addresses have a '0' in the low order bit of the third octet which determines even and odd (yes I know this would match 0 and it's neither even or odd but you get the point)