HELP NEEDED IN ACCESS-CONTROL LIST !!!!!
moss12
Banned Posts: 220 ■■□□□□□□□□
in CCNA & CCENT
Network address - 202.30.40.0
WAN IP address - 192.168.8.0
Needed hosts - 25
Use 4th usable LAN
Plan the 8 usable subnets of the LAN network address
I did all the subnetting and assigned:
Production Host
IP address: 202.30.40.67
Subnet mask: 255.255.255.240
Default gateway: 202.30.40.66
Management Host
IP address: 202.30.40.77
Subnet mask: 255.255.255.240
Default gateway: 202.30.40.66
BRANCH IP ADDRESS RANGE
Production range (lower half): 202.30.40.65 to 202.30.40.71
Management range (upper half): 202.30.40.72 to 202.30.40.78
NOW THE ACLS
1. The company has an Intranet Web server host that all systems can reach at IP address 172.16.0.1 with only HTTP access. No other protocols will be permitted to this site.
2. The company also has a server pool in the 209.0.0.0/24 network. Half of the servers are allocated odd-numbered IP addresses (e.g. 209.0.0.1) and the other half are allocated even-numbered addresses (e.g. 209.0.0.2). The servers with odd numbers are reachable by management hosts using all possible IP protocols. The servers with even numbers are reachable by all LAN hosts using all possible protocols. The servers should not be accessible by any other hosts.
3. The company has discovered an Internet Web server at 198.0.0.1 that is known to contain viruses. All hosts are to be banned from reaching this site.
MY ANSWERS, ARE THEY CORRECT?
! Allow all company hosts to access intra server with only HTTP access
access-list 101 permit tcp any host 172.16.0.1 eq 80
! No other protocols will be permitted to intraserver
access-list 101 deny ip any host 172.16.0.1
! servers in odd numbers are NOT reachable by production hosts
access-list 101 deny ip host 202.30.40.67 209.0.0.0 0.0.254.255
! servers in odd numbers are reachable by management hosts using all possible IP protocols
access-list 101 permit ip host 202.30.40.77 209.0.0.0 0.0.254.255
! servers in the odd numbers are NOT reachable by any other hosts
access-list 101 deny ip any host 209.0.0.1
! all hosts are to be banned from reaching this site Internet Web server at 198.0.0.1
access-list 101 deny tcp any host 198.0.0.1 eq 80
access-list 100 permit ip any any
interface FastEthernet0/0
ip access-group 100 in
I would really appreciate it if anyone out there could help with these ACLs.
Have a nice day!
P.S. Please post any mistakes I made, and solutions.
Comments
Drakonblayde Member Posts: 542
Quote:
Network address - 202.30.40.0
WAN IP address - 192.168.8.0
Needed hosts - 25
Use 4th usable LAN
Plan the 8 usable subnets of the LAN network address
I did all the subnetting and assigned:
Production Host
IP address: 202.30.40.67
Subnet mask: 255.255.255.240
Default gateway: 202.30.40.66
Management Host
IP address: 202.30.40.77
Subnet mask: 255.255.255.240
Default gateway: 202.30.40.66
BRANCH IP ADDRESS RANGE
Production range (lower half): 202.30.40.65 to 202.30.40.71
Management range (upper half): 202.30.40.72 to 202.30.40.78
Ok, parts of these are wrong. If I'm reading that top right, you need 25 hosts per subnet
and you need to borrow enough bits to create 8 subnets. The subnet mask you're using above
will not work with those requirements. A 255.255.255.240 subnet mask only leaves you enough
bits for 16 hosts per subnet, only 14 of which will be usable. You're also creating 16
subnets, with 14 usable. Your netmask needs to be modified to 255.255.255.224. This will
create 8 subnets (3 bits borrowed) with 6 usable and leave 5 bits for host addressing,
resulting in 32 addresses per subnet, 30 of which are usable. Your subnet map would break down
as follows:
0: 202.30.40.0 - 202.30.40.31
1: 202.30.40.32 - 202.30.40.63
2: 202.30.40.64 - 202.30.40.95
3: 202.30.40.96 - 202.30.40.127
4: 202.30.40.128 - 202.30.40.159
5: 202.30.40.160 - 202.30.40.191
6: 202.30.40.192 - 202.30.40.223
7: 202.30.40.224 - 202.30.40.255
Since you need to be working with the 4th usable subnet, that would be 202.30.40.128 to
202.30.40.159. Your production range would be 202.30.40.129 to 202.30.40.143, and your
Management range would be 202.30.40.144 to 202.30.40.158 (note that I am excluding the
subnet ID IP and the broadcast IP from the ranges).
Assuming that your default gateway needs to be the first ip in the subnet,
it should be 202.30.40.129, and assuming that the production host is supposed to be
the first usable IP after that, it would be 202.30.40.130. Assuming that your management
host is supposed to be the last usable ip in the upper half, it would be 202.30.40.158.
Production Host binary IP range -
202.30.40.129 - x.x.x.10000001
202.30.40.143 - x.x.x.10001111
00011111
Management Host binary IP range -
202.30.40.144 - x.x.x.10010000
202.30.40.159 - x.x.x.10011111
00011111
Quote:
1. The company has an Intranet Web server host that all systems can reach at IP address 172.16.0.1 with only HTTP access. No other protocols will be permitted to this site.
2. The company also has a server pool in the 209.0.0.0/24 network. Half of the servers are allocated odd-numbered IP addresses (e.g. 209.0.0.1) and the other half are allocated even-numbered addresses (e.g. 209.0.0.2). The servers with odd numbers are reachable by management hosts using all possible IP protocols. The servers with even numbers are reachable by all LAN hosts using all possible protocols. The servers should not be accessible by any other hosts.
3. The company has discovered an Internet Web server at 198.0.0.1 that is known to contain viruses. All hosts are to be banned from reaching this site.
MY ANSWERS, ARE THEY CORRECT?
! Allow all company hosts to access intra server with only HTTP access
access-list 101 permit tcp any host 172.16.0.1 eq 80
! No other protocols will be permitted to intraserver
access-list 101 deny ip any host 172.16.0.1
These are correct: in the first instance you are allowing port 80 to the server but denying everything else.
Quote:
! servers in odd numbers are NOT reachable by production hosts
access-list 101 deny ip host 202.30.40.67 209.0.0.0 0.0.254.255
! servers in odd numbers are reachable by management hosts using all possible IP protocols
access-list 101 permit ip host 202.30.40.77 209.0.0.0 0.0.254.255
OK, besides the IPs being incorrect due to mixed-up subnetting, the wildcard masks are wrong. If you're trying to deny all hosts in the production range, the wildcard needs to be 0.0.0.16. All hosts in the range from 129 to 143 will have 1000 set for the first 4 bits, and all hosts in the management range will begin with the bit pattern 1001. The 4 bits after that are irrelevant; the first 4 determine which range they belong to.
Now, you only want to deny access to servers with odd IPs. So the host mask for the destination needs to be 254. Why? Because a host can't be odd unless the rightmost bit is set. So your first ACL should read
access-list 101 deny ip 202.30.40.129 0.0.0.16 209.0.0.1 0.0.0.254
The second access list wants to allow all hosts on the subnet access to it, so the ACL should look like this
access-list 101 permit ip 202.30.40.0 0.0.0.64 209.0.0.2 0.0.0.254
The first three bits for the 4th usable subnet will always be 100, so you want to match that. A wildcard mask of 64 translates to 00011111, which tells the ACL to make sure the first three bits match. Again, you use a 254 mask for the destination since the last bit is the only one you need to determine if the host is odd or even.
Quote:
! servers in the odd numbers are NOT reachable by any other hosts
access-list 101 deny ip any host 209.0.0.1
This is not necessary. The first access list explicitly denies hosts in the lower range from hitting the odd numbered servers and the second access list explicitly allows all hosts in the 4th subnet access to the even numbered servers.
Quote:
! all hosts are to be banned from reaching this site Internet Web server at 198.0.0.1
access-list 101 deny tcp any host 198.0.0.1 eq 80
This is almost right. I'd personally use
access-list 101 deny ip any host 198.0.0.1
If the webserver is known to be infected, then any communication with it could result in a possible spread of viruses. The above access list only blocks HTTP traffic; there are other protocols that the server could use to spread. Better to cut off all IP traffic to that address.
Quote:
access-list 100 permit ip any any
interface FastEthernet0/0
ip access-group 100 in
Again, almost right. You're finishing the access list with a permit ip any any to allow all traffic not explicitly denied by the above statements, but your number is wrong. You're using 100 when you should be using 101. Same goes for the ip access-group statement.
So the final statement should read access-list 101 permit ip any any
and you should apply ip access-group 101 in to the Ethernet interface for the LAN.
Now, I'm sure I made a mistake somewhere; I've been answering this over the course of a couple of hours at work between calls, so I'm sure my train of thought got crossed somewhere. If anyone sees any mistakes with my solution, let me know, I'd rather not spread incorrect information hehe
Btw, this will be the only time I give explicit answers to your homework. Next time, I'll just give pointers hehe
= Marcus Drakonblayde
================
CCNP-O-Meter:
=[0%]==[25%]==[50%]==[75%]==[100%]
==[X]===[X]====[ ]=====[ ]====[ ]==
=CCNA==BSCI==BCMSN==BCRAN==CIT=
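The subnet plan worked through in the reply above (mask from the host count, the eight /27 blocks, the 4th usable subnet and its two halves), as an added example rather than anything posted in the thread. It is a Python script that uses only the standard library's ipaddress module. The 202.30.40.0/24 block, the 25 hosts and the 8 subnets are taken from the first post; the "usable" count follows the classic CCNA convention of skipping subnet zero and the all-ones subnet, which is an assumption about how the assignment counts. It also prints the IOS address/wildcard form for each block, where the wildcard is simply the inverted mask.

```python
"""Subnet plan for the assignment in this thread: an added example, not code posted above."""
import ipaddress
from typing import List, Tuple

LAN = ipaddress.ip_network("202.30.40.0/24")   # LAN block given in the first post
HOSTS_NEEDED = 25                               # hosts per subnet, from the first post
SUBNETS_NEEDED = 8                              # "plan the 8 usable subnets", from the first post


def host_bits_for(hosts: int) -> int:
    """Fewest host bits h such that 2**h - 2 (network and broadcast removed) >= hosts."""
    h = 2
    while (1 << h) - 2 < hosts:
        h += 1
    return h


def usable_hosts(prefixlen: int) -> int:
    """Host addresses left after removing the network ID and the broadcast address."""
    return (1 << (32 - prefixlen)) - 2


def plan(base: ipaddress.IPv4Network, hosts_needed: int,
         subnets_needed: int) -> Tuple[str, List[ipaddress.IPv4Network]]:
    """Longest prefix that still fits hosts_needed, then check it yields enough subnets."""
    prefix = 32 - host_bits_for(hosts_needed)
    subnets = list(base.subnets(new_prefix=prefix))
    if len(subnets) < subnets_needed:
        raise ValueError(f"/{prefix} carves {base} into only {len(subnets)} subnets")
    return str(subnets[0].netmask), subnets


def fits(base: ipaddress.IPv4Network, hosts_needed: int, subnets_needed: int) -> bool:
    """True when one prefix length can satisfy both the host and the subnet requirement."""
    try:
        plan(base, hosts_needed, subnets_needed)
        return True
    except ValueError:
        return False


def nth_usable(subnets: List[ipaddress.IPv4Network], n: int) -> ipaddress.IPv4Network:
    """Classic CCNA counting (assumption): subnet zero and the all-ones subnet are not usable."""
    return subnets[1:-1][n - 1]


def halves(subnet: ipaddress.IPv4Network) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Lower and upper half of a subnet (one more prefix bit)."""
    lower, upper = subnet.subnets(new_prefix=subnet.prefixlen + 1)
    return lower, upper


def acl_spec(net: ipaddress.IPv4Network) -> str:
    """IOS address/wildcard form; the wildcard is the inverted mask (block size minus one)."""
    return f"{net.network_address} {net.hostmask}"


def subnet_map(subnets: List[ipaddress.IPv4Network]) -> List[str]:
    """Same layout as the map in the reply above: index, first address, last address."""
    return [f"{i}: {s.network_address} - {s.broadcast_address}" for i, s in enumerate(subnets)]


if __name__ == "__main__":
    mask, subnets = plan(LAN, HOSTS_NEEDED, SUBNETS_NEEDED)
    print(f"mask {mask}, {usable_hosts(subnets[0].prefixlen)} usable hosts per subnet")
    print("\n".join(subnet_map(subnets)))
    fourth = nth_usable(subnets, 4)
    lower, upper = halves(fourth)
    print(f"4th usable subnet {fourth} -> ACL spec {acl_spec(fourth)}")
    print(f"production half  {lower} -> ACL spec {acl_spec(lower)}")
    print(f"management half  {upper} -> ACL spec {acl_spec(upper)}")
    print(f"a /28 (255.255.255.240) would leave only {usable_hosts(28)} hosts per subnet")
```

Run it and it prints the subnet map in the same 0: to 7: form as the reply, then the 4th usable subnet (202.30.40.128/27) with its lower half 202.30.40.128 0.0.0.15 and upper half 202.30.40.144 0.0.0.15. `fits()` answers the "can this block meet both requirements" question before any address is assigned, and `usable_hosts(28)` returns 14, the number that rules out the /28 mask for 25 hosts.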
Drakonblayde Member Posts: 542
Quote:
access-list 101 permit ip 202.30.40.0 0.0.0.64 209.0.0.2 0.0.0.254
The first three bits for the 4th usable subnet will always be 100, so you want to match that. A wildcard mask of 64 translates to 00011111, which tells the ACL to make sure the first three bits match. Again, you use a 254 mask for the destination since the last bit is the only one you need to determine if the host is odd or even.
Actually, looking back over this, I'm pretty sure that the above statement isn't needed either. The permit ip any any at the end of the statement would allow the management hosts to hit those servers. The only issue that needs to be dealt with in the server farm, as I understand it, is denying the production hosts access to the odd numbered servers.
Generally with access lists, they work one of two ways.
You either explicitly allow certain traffic and deny everything else, or you explicitly deny certain traffic and allow everything else. In the first case, your ACL would only contain permit statements, as the implicit deny all at the end of the ACL would take care of killing everything else, and in the second case, you should not have any permit lines above your permit ip any any because it's basically a waste: anything you're permitting explicitly would be permitted by the permit ip any any at the end of the ACL anyway.
= Marcus Drakonblayde
Drakonblayde Member Posts: 542
Quote:
MY ANSWERS, ARE THEY CORRECT?
! Allow all company hosts to access intra server with only HTTP access
access-list 101 permit tcp any host 172.16.0.1 eq 80
! No other protocols will be permitted to intraserver
access-list 101 deny ip any host 172.16.0.1
These are correct, in the first instance you are allowing port 80 to the server but denying everything else
Well, given the logic I just espoused above, there's, well, not an error, but an inefficiency with the above statements. The first statement should be changed to
access-list 101 deny tcp any host 172.16.0.1 neq 80
instead.
That will block all TCP traffic into that host except that on port 80, and the second statement would take care of all other IP traffic.
I don't have access to a router atm to test, but I'm not sure if you could streamline it by saying
access-list 101 deny ip any host 172.16.0.1 neq 80
and that way just cut it down to one statement, but for some reason I think I remember reading that if you choose ip as the protocol to permit/deny, you can't specify ports.
= Marcus Drakonblayde
moss12 Banned Posts: 220
Thanks Marcus Drakonblayde
You helped me on this better than my Cisco teacher. I wish I had a teacher like you. I hope you help me in the near future.
Thank you!
Let God bless you
moss12 Banned Posts: 220
Sorry to bother you again Drakonblayde
But are you sure your subnetting is correct? My Cisco teacher looked at my subnetting and said it's right. I'm so confused, but I will follow your workings. Well, my Cisco teacher is not that great, he only has CCNA 2 for God's sake and he teaches. Oh well, next semester I won't see him anyway.
You have a nice day Drakonblayde
Drakonblayde Member Posts: 542
It all depends. See, you said this:
Quote:
Needed hosts - 25
If that means you need 25 hosts per subnet, then a 255.255.255.240 mask will not work.
It's all binary. You're using a class C address, so the default mask is 255.255.255.0. That means you can only borrow bits from the last octet. 240 is 11110000 in binary, and that means the first 4 bits can't be used for host addresses. So with four 0 bits, you've got 2 to the power of 4 possibilities: 2 * 2 = 4, 4 * 2 = 8, 8 * 2 = 16. Since you can't use the first IP because it's the network ID, or the last IP because it's the broadcast, you only have 14 host IPs available, and that does not meet a 25 host per subnet requirement.
If you use 255.255.255.224 (last octet would be 11100000 in binary), that leaves 5 bits for addressing, 2 to the power of 5 = 32. Drop 2 for the network ID and broadcast, and you've got 30 IPs for hosts, which satisfies the 25 hosts per subnet requirement.
Now, I broke it down to that basic level even though I'm sure you probably understood what I said in my first response. Since your teacher seems to need a refresher course in subnetting, print this thread out and show it to him.
= Marcus Drakonblayde
moss12 Banned Posts: 220
Yeap Drakonblayde, you're great
Thanks for helping me, you're the best, keep up the good work
Thank http://www.techexams.net for doing such a good job, especially thanks to Drakonblayde; because of you everyone can be winners
Keep the knowledge spreading
barryn13087 Member Posts: 10
Quote:
access-list 101 permit ip 202.30.40.0 0.0.0.64 209.0.0.2 0.0.0.254
Sorry to bring up an old topic, but I am doing a similar skills exam in my Cisco class dealing with ACLs, and when it comes to configuring, I don't quite understand where the 209.0.0.5 0.0.0.254 comes from. Could someone shed some light on this matter?
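For the odd/even wildcard discussion earlier in the thread, the neq 80 question, and the closing question about where 0.0.0.254 comes from, here is something that can actually be run. It is an added example, not code from anyone in the thread: a small Python evaluator for IOS-style numbered extended ACL lines. `matches_addr` applies wildcard semantics (a 1 bit in the wildcard means "don't care", a 0 bit must match the base address); `parse` accepts `any`, `host A` and `A WILDCARD` address specs with numeric `eq`/`neq` ports, and like IOS it refuses a port operator unless the protocol is tcp or udp; `evaluate` walks the list top down, first match wins, and falling off the end hits the implicit deny. The policy ACL embedded in it is constructed for this example and assumes the /27 plan from the first reply (production in 202.30.40.128/28, management in 202.30.40.144/28); the sample hosts and packets in `verdicts()` are constructed too.

```python
"""Offline evaluator for IOS-style extended ACL lines: an added example, not code posted above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; "tcp", "udp", "icmp" match themselves
    src: Tuple[int, int]        # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    op: Optional[str] = None    # "eq" or "neq" applied to the destination port
    port: Optional[int] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr_spec(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return the spec and the next index."""
    if t[i] == "any":
        return (0, MASK32), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def spec(text: str) -> Tuple[int, int]:
    """Parse a stand-alone address spec such as '209.0.0.1 0.0.0.254'."""
    return _addr_spec(text.lower().split(), 0)[0]


def parse(line: str) -> Entry:
    """access-list <n> <permit|deny> <proto> <src> <dst> [eq|neq <numeric port>]"""
    t = line.lower().split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACL line: " + line)
    src, i = _addr_spec(t, 4)
    dst, i = _addr_spec(t, i)
    op = port = None
    if i < len(t):
        op, port = t[i], int(t[i + 1])
        if op not in ("eq", "neq"):
            raise ValueError("unsupported operator: " + line)
        if t[3] not in ("tcp", "udp"):
            raise ValueError("IOS takes port operators only with tcp or udp: " + line)
    return Entry(t[2], t[3], src, dst, op, port)


def accepts(line: str) -> bool:
    """Whether the line parses (mirrors the IOS rule for the subset handled here)."""
    try:
        parse(line)
        return True
    except ValueError:
        return False


def matches_addr(addr_spec: Tuple[int, int], addr: str) -> bool:
    """Wildcard semantics: a 1 bit means 'don't care', a 0 bit must equal the base address."""
    base, wild = addr_spec
    care = ~wild & MASK32
    return (_ip(addr) & care) == (base & care)


def load(text: str) -> List[Entry]:
    return [parse(ln) for ln in text.strip().splitlines()]


def evaluate(acl: List[Entry], src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Top-down, first match wins; falling off the end hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (matches_addr(e.src, src) and matches_addr(e.dst, dst)):
            continue
        if (e.op == "eq" and dport != e.port) or (e.op == "neq" and dport == e.port):
            continue
        return e.action
    return "deny"


# Constructed policy ACL, applied inbound on the LAN interface. Assumption: the 4th usable
# subnet is 202.30.40.128/27, production is .128/28 (wildcard 0.0.0.15) and management is
# .144/28. "209.0.0.1 0.0.0.254" pins only the lowest bit, i.e. every odd last octet.
POLICY = """
access-list 101 permit tcp any host 172.16.0.1 eq 80
access-list 101 deny ip any host 172.16.0.1
access-list 101 deny ip 202.30.40.128 0.0.0.15 209.0.0.1 0.0.0.254
access-list 101 deny ip any host 198.0.0.1
access-list 101 permit ip any any
"""
# Same end of list, but blocking the infected server by HTTP port only.
HTTP_ONLY_BLOCK = """
access-list 101 deny tcp any host 198.0.0.1 eq 80
access-list 101 permit ip any any
"""
PROD, MGMT = "202.30.40.130", "202.30.40.158"   # constructed sample hosts, one per half


def verdicts() -> dict:
    acl, weak = load(POLICY), load(HTTP_ONLY_BLOCK)
    return {
        "prod http to intranet": evaluate(acl, PROD, "172.16.0.1", "tcp", 80),
        "prod ssh to intranet": evaluate(acl, PROD, "172.16.0.1", "tcp", 22),
        "mgmt ping intranet": evaluate(acl, MGMT, "172.16.0.1", "icmp"),
        "prod to odd server": evaluate(acl, PROD, "209.0.0.1", "tcp", 443),
        "prod to even server": evaluate(acl, PROD, "209.0.0.2", "tcp", 443),
        "mgmt to odd server": evaluate(acl, MGMT, "209.0.0.1", "tcp", 443),
        "prod dns to infected host": evaluate(acl, PROD, "198.0.0.1", "udp", 53),
        "same, with the tcp/80-only deny": evaluate(weak, PROD, "198.0.0.1", "udp", 53),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:34} {verdict}")
```

Running it prints one verdict per sample packet. The two results worth noticing are the last pair: a `deny tcp ... eq 80` for the infected server still lets UDP through, while `deny ip` does not. `matches_addr(spec("209.0.0.1 0.0.0.254"), x)` is true for every odd last octet and false for every even one, which is where that mask comes from: the wildcard leaves every bit free except the lowest, and the base address fixes that bit to 1 (a base of 209.0.0.2 or 209.0.0.5 with the same wildcard would select even or odd hosts respectively, since only the lowest bit of the base matters). The same function is the quick way to confirm any candidate wildcard before committing it; an aligned block of 16 addresses such as .128 to .143 is matched by base .128 with wildcard 0.0.0.15, the block size minus one, and a wildcard with higher bits set, such as 0.0.254.255, frees the third octet's low bit and the entire last octet, so it matches even-numbered servers as well.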