acl problem

eduardovila
Level 1

Hello there,

I'm stuck with an ACL problem. Attached to the message is the topology of an enterprise LAN with a server farm that I'm trying to protect using ACLs. There's also an addressing table.

The goals of the test (a Packet Tracer activity) are:

1. Prior to configuring access control lists, both PCs can ping all servers and access all web pages.

2. After configuring access control lists, PC2, representing a legitimate inside user, cannot ping any server but can access all web pages.

3. After configuring access control lists, PC1, representing a PC set up to maintain switch configurations, can ping servers in its own VLAN, cannot ping other servers, and cannot access any web pages.

There must be two ACLs: one to permit web traffic to the server farm from PC1 and PC2 and deny all other traffic, and another one to permit DNS traffic and deny all other. The ACLs must be applied outbound on routers 1 and 2 on fa0/0.21, fa0/0.22, fa0/0.23.

My choice, which doesn't work, is:

access-list 101 remark web traffic

access-list 101 permit tcp any 172.18.21.0 0.0.7.255 eq 80

access-list 102 remark dns traffic

access-list 102 permit tcp any 172.18.21.0 0.0.7.255 eq 53

access-list 102 permit udp any 172.18.21.0 0.0.7.255 eq 53

access-list 102 deny ip any any

What am I doing wrong?

Thanks.

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee

For your point 2 - cannot ping any server because the access list to allow ping has not been configured:

access-list 101 permit icmp any 172.18.21.0 0.0.7.255

access-list 102 permit icmp any 172.18.21.0 0.0.7.255

For your point 3 - cannot access any web pages from PC1, you can add the following:

access-list permit tcp any 172.18.21.0 0.0.7.255 eq 80

Hope this helps.

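To see why the original ACL 101 dropped PC2's pings, here is an added example (not from the thread or from Cisco) that evaluates the thread's own access-list lines the way IOS does: first match wins, and anything that matches no line hits the implicit "deny ip any any". The PC source address 172.18.1.10 is a constructed value, since the thread's addressing table is not reproduced here.

```python
import ipaddress

# Constructed copy of ACL 101 from the question, then the same list with the
# ICMP line from the accepted answer appended.
ACL_101_ORIGINAL = [
    "access-list 101 remark web traffic",
    "access-list 101 permit tcp any 172.18.21.0 0.0.7.255 eq 80",
]
ACL_101_FIXED = ACL_101_ORIGINAL + [
    "access-list 101 permit icmp any 172.18.21.0 0.0.7.255",
]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard: a 0 bit must match the network, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]'; None for remarks."""
    t = line.split()
    if t[2] == "remark":
        return None
    ace = {"acl": t[1], "action": t[2], "proto": t[3]}
    i = 4
    for side in ("src", "dst"):
        if t[i] == "any":                      # 'any' == 0.0.0.0 255.255.255.255
            ace[side] = ("0.0.0.0", "255.255.255.255")
            i += 1
        else:
            ace[side] = (t[i], t[i + 1])       # network + wildcard mask
            i += 2
    ace["port"] = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return ace

def evaluate(acl_lines, acl_id, src, dst, proto, dport=None):
    """Return (action, matching line) for one packet, with the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is None or ace["acl"] != acl_id:
            continue
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], line
    return "deny", "implicit deny ip any any"
```

Note that 172.18.21.0 with wildcard 0.0.7.255 matches 172.18.16.0 through 172.18.23.255, because the mask ignores the low three bits of the third octet; check the addressing table before relying on it to cover exactly VLANs 21 to 23.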


Thanks Jennifer,

Completion of the activity is now 100!! The remark command was not allowed in the activity, so even if you write the ACL statement correctly, the app gives you an error.

Thanks again.
