02-16-2014 08:54 PM - edited 03-04-2019 10:21 PM
I'm having some issues configuring ACLs in the following situation:
c. Configure HQ and Branch with OSPF routing according to the following criteria:
· Assign the process ID 1.
· Advertise all three attached networks. Do not advertise the link to the Internet.
· Configure appropriate interfaces as passive.
d. Set a default route on HQ which directs traffic to S0/0/1 interface. Redistribute the route to Branch.
e. Design a named access list HQServer to prevent any computers attached to the Gigabit Ethernet 0/0 interface of the Branch router from accessing HQServer.pka. All other traffic is permitted. Configure the access list on the appropriate router, apply it to the appropriate interface and in the appropriate direction.
f. Design a named access list BranchServer to prevent any computers attached to the Gigabit Ethernet 0/0 interface of the HQ router from accessing the HTTP and HTTPS service of the Branch server. All other traffic is permitted. Configure the access list on the appropriate router, apply it to the appropriate interface and in the appropriate direction.
I don't know what I am missing or doing incorrectly. This is what I have done to configure this scenario:
Configuring HQ OSPF
HQ>enable
HQ#config t
Enter configuration commands, one per line. End with CNTL/Z.
HQ(config)#router ospf 1
HQ(config-router)#network 172.16.0.0 0.255.255.255 area 0
HQ(config-router)#interface s0/0/1
HQ(config-if)#router ospf 1
HQ(config-router)#passive-interface s0/0/1
HQ(config-router)#passive-interface g0/1
HQ(config-router)#passive-interface g0/0
HQ(config-router)#default-information originate
HQ(config-router)#exit
HQ(config)#ip route 0.0.0.0 0.0.0.0 s0/0/1
Configuring HQ ACL
HQ(config)#ip access-list extended BranchServer
HQ(config-ext-nacl)#deny tcp 172.16.64.0 0.0.0.255 172.16.128.1 0.0.15.255 eq 80
HQ(config-ext-nacl)#deny tcp 172.16.64.0 0.0.0.255 172.16.128.1 0.0.15.255 eq 443
HQ(config-ext-nacl)#permit ip any any
HQ(config-ext-nacl)#interface g0/0
HQ(config-if)#ip access-group BranchServer in
HQ(config-if)#exit
Configuring Branch OSPF
Branch>enable
Branch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#router ospf 1
Branch(config-router)#network 172.16.0.0 0.0.255.255 area 0
Branch(config-router)#passive-interface g0/0
Branch(config-router)#passive-interface g0/1
Branch(config-router)#exit
Branch(config)#ip route 0.0.0.0 0.0.0.0 64.104.34.2
Branch(config)#no ip route 0.0.0.0 0.0.0.0 64.104.34.2
Configuring Branch ACL
Branch(config)#ip access-list extended HQServer
Branch(config-ext-nacl)#deny ip any 172.16.0.1 0.0.63.255
Branch(config-ext-nacl)#permit ip any any
Branch(config-ext-nacl)#interface g0/0
Branch(config-if)#ip access-group HQServer in
Branch(config-if)#exit
Branch(config)#exit
If anyone could please explain to me why I'm only getting 43/100 after all these configurations? What am I missing? I've been working on this for hours looking over the chapter and various resources online and I'm just at a loss at this point. I have also attached the packet tracer file if anyone would like to take a look at it.
02-17-2014 01:02 AM
Hi,
-first you omitted to enable OSPF on the link between Branch and HQ:
router ospf 1
network 192.168.0.0 0.0.0.3 area 0
-The ACLs should be
HQ(config-ext-nacl)#do sh access-list
Extended IP access list BranchServer
10 deny tcp 172.16.64.0 0.0.63.255 host 172.16.128.1 eq www
20 deny tcp 172.16.64.0 0.0.63.255 host 172.16.128.1 eq 443
30 permit ip any any
Branch(config-if)#do sh access-list
Extended IP access list HQServer
10 deny ip 172.16.144.0 0.0.15.255 host 172.16.0.1
20 permit ip any any
-B1 IP is not correct it should be 172.16.144.1 and not 172.168.143.1
I'm still stuck at 50% after this and I don't know why, because the ACLs do what they are meant to do and are applied as close to the source as possible.
Regards
Alain
Don't forget to rate helpful posts.
02-17-2014 02:23 AM
Thank you for the reply. I fixed the IP on B1 and added the network between HQ and Branch and that bumped me up to 50%.
02-17-2014 04:57 PM
Seriously does NOBODY know how to go about fixing this or configuring it the way it should be?
02-18-2014 08:58 AM
Maybe they want you to be more specific with your OSPF statements:
HQ(config-router)#network 172.16.0.0 0.0.63.255 area 0
HQ(config-router)#network 172.16.64.0 0.0.63.255 area 0
Branch(config-router)#network 172.16.128.0 0.0.31.255 area 0
03-21-2014 10:54 PM
f. Design a named access list BranchServer to prevent any computers attached to the Gigabit Ethernet 0/0 interface of the HQ router from accessing the HTTP and HTTPS service of the Branch server. All other traffic is permitted. Configure the access list on the appropriate router, apply it to the appropriate interface and in the appropriate direction.
Configuring HQ ACL
HQ(config)#ip access-list extended BranchServer
HQ(config-ext-nacl)#deny tcp any host 172.16.128.1 eq 80
HQ(config-ext-nacl)#deny tcp any host 172.16.128.1 eq 443
HQ(config-ext-nacl)#permit ip any any
HQ(config-ext-nacl)#interface g0/0
HQ(config-if)#ip access-group BranchServer in
HQ(config-if)#exit
1) While the 172.16.64.0 0.0.0.255 network is technically equivalent to any for the diagram, the directions ask you to block all traffic on g0/0, including someone who decides to change their IP address to 172.16.63.128. If you want to block a whole LAN segment you need to use any.
2) You want to deny access to a single host 172.16.128.1 not 172.16.128.1 0.0.15.255 network
Configuring Branch ACL
Branch(config)#ip access-list extended HQServer
Branch(config-ext-nacl)#deny ip any host 172.16.0.1
Branch(config-ext-nacl)#permit ip any any
Branch(config-ext-nacl)#interface g0/0
Branch(config-if)#ip access-group HQServer in
Branch(config-if)#exit
Branch(config)#exit
1) You want to deny access to a single host 172.16.128.1 not 172.16.128.1 0.0.15.255 network
That should get you the last 50 points
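An added example, not from this thread or from Cisco: a small Python model of IOS wildcard-mask matching and top-down, first-match ACL evaluation, run over the OP's BranchServer entries and the host-based form from the last reply. It shows concretely why "172.16.128.1 0.0.15.255" covers 4096 destinations rather than one server, and why a 0.0.0.255 source wildcard leaves most of the HQ LAN unfiltered. The ACL strings are constructed for the example, not output from a device.

```python
import ipaddress

# Constructed for this thread (not device output): the OP's BranchServer entries
# beside the host-based form suggested in the last reply.
OP_BRANCHSERVER = [
    "deny tcp 172.16.64.0 0.0.0.255 172.16.128.1 0.0.15.255 eq 80",
    "deny tcp 172.16.64.0 0.0.0.255 172.16.128.1 0.0.15.255 eq 443",
    "permit ip any any",
]
FIXED_BRANCHSERVER = [
    "deny tcp any host 172.16.128.1 eq 80",
    "deny tcp any host 172.16.128.1 eq 443",
    "permit ip any any",
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr_spec(tokens):
    # One address spec: 'any', 'host A' or 'A WILDCARD'; returns ((base, wc), rest).
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
def parse_ace(line):
    # 'permit|deny PROTO SRC DST [eq PORT]'; IOS prints port 80 as 'www'.
    t = line.split()
    src, rest = _addr_spec(t[2:])
    dst, rest = _addr_spec(rest)
    port = (80 if rest[1] == "www" else int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": port}
def _wc_match(addr, spec):
    # Cisco wildcard: 0 bits must equal the base address, 1 bits are don't-care.
    base, wc = spec
    keep = ~wc & 0xFFFFFFFF
    return (_ip(addr) & keep) == (base & keep)
def wildcard_size(wildcard):
    # Addresses a wildcard covers; 0.0.0.0 (what 'host' expands to) covers exactly one.
    return 2 ** bin(_ip(wildcard)).count("1")
def evaluate(acl_lines, src, dst, proto="ip", dport=None):
    # First matching entry wins, top to bottom; anything unmatched hits the implicit deny.
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_wc_match(src, ace["src"]) and _wc_match(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"
```

With the OP's entries, a host at 172.16.100.5 (inside the 172.16.64.0/18 LAN but outside the /24 wildcard) is still permitted to port 80 on 172.16.128.1, while HTTP to an unrelated 172.16.130.7 is blocked; the host-based form denies only the server and only on 80/443.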