Todd Lammle Practice exam #2 - ACL

alliasneo

Hey guys,

Just working through some of Todd Lammle's extra practice labs and I need to set up an ACL on a router to stop HTTP traffic from hitting the tftp server. My config so far is:



I created an ACL on the Core Router to stop HTTP traffic. I still want to allow pings:

access-list 101 deny tcp 192.168.10.240 0.0.0.7 eq www host 10.10.10.254
access-list 101 permit ip any any

So I was hoping this extended ACL would stop any host on the 192.168.10.240 -.247 range being able to request http traffic from the server. I have then added the permit any any (I understand that normally you would allow traffic and then deny any any but I didn't know how to do this to allow pings but deny http traffic?). But this hasn't worked anyway, everything seems to be going through.


interface Serial0/0
description connected to router P1r1
ip address 192.168.10.254 255.255.255.252
ip access-group 101 in
clock rate 64000

fsanyee

1 Your ACL is in a wrong place, You should put it closer to the source.
2 That ACL deny-s packet from source port 80 and you want to deny the destination.
like this:
access-list 101 deny tcp 192.168.10.240 0.0.0.7 host 10.10.10.254 eq www
If you want to permit ping, than you can use permit icmp any any and deny everything else.

Todd Burrell

I think the syntax is your issue - I think it should be like this:

access-list 101 deny tcp 192.168.10.240 0.0.0.7 host 10.10.10.254 eq www

If you do SHOW ACCESS LIST I think it will show you the number of hits for each line. I doubt this line was getting any hits with your current syntax.

Hope this helps.

alliasneo

Thanks both, that has now worker. Can I just confirm what section I had wrong?

My original ACL: access-list 101 deny tcp 192.168.10.240 0.0.0.7 eq www host 10.10.10.254
The New ACL: access-list 101 deny tcp 192.168.10.240 0.0.0.7 host 10.10.10.254 eq www

So my original ACL was saying to deny tcp traffic on port 80 to the host 10.10.10.254? I thought the request would be coming from the PC to the server on port 80 though?

I don't' quite understand this. I need to read over ACL's a lot more I think.

Roguetadhg

1. Place the Extended ACL as close to the source as possible. In this case: 2621XM(p1r1). Outbound.

2. access-list 101 deny tcp [source address] [source wild-mask] [source port] [Dest. Address] [Dest. Wild-mask] [Dest. Port]
In this case you want to cut-off a block of ip addresses to the tftp server.
(Source: The IP addresses)
(Dest: TFTP Server(
access-list 101 deny tcp 192.168.10.240 0.0.0.7 host 10.10.10.254 eq www

3. ACLs work from top bottom + the imcplicit deny. A packet will be matched on the top to the bottom. By denying the port 80 from sources 192.168.10.240 - .247, you'd have packets from any other sources/destin/ports still open. So a ping (ICMP) packet does not match your first acl command even if it came from a source of 192.168.10.241. It's checking for all TCP/HTTP/port80 requests.

To allows ping packet, you can setup the permit ip any any. or you can also do:
access-list 101 permit icmp 192.168.10.240 0.0.0.7 host 10.10.10.254

The order of the two set access-list does not matter (keeping in mind there's that implicit deny at the bottom). If I remember correctly from the video lectures, place the ACLs that have a wider range near the bottom, and the more explicit commands at the top. It also make sense this way too. A more global ACL will deny/permit and may overwrite a more explicit "deny port:80" closer to the bottom.


As to why the port:80 block on all sources won't work: open up the command prompt in windows. Type in "netstat" you'll see the connections and ports.

You'll see your ports and the ports you're connected to at the destination.

Your ports will go through multiple numbers because you have more than one connection to more than one webserver. However, webservers use the ports to know that you're tying to communication to them on that level. Ie: You're using port 80 to send a HTTP request. When you say to the webserver: [TFTP Server:23], you're asking it to make a Telnet connection. It won't even try to make a HTTP connection.