4.4.2.9 Packet Tracer – Troubleshooting IPv4 ACLs

Last Updated on May 3, 2018 by Admin

4.4.2.9 Packet Tracer – Troubleshooting IPv4 ACLs

Packet Tracer – Troubleshooting IPv4 ACLs (Answer Version)

Answer Note: Red font color or gray highlights indicate text that appears in the Answer copy only.

Topology

Addressing Table

Device	Interface	IP Address	Subnet Mask	Default Gateway
R1	G0/0	10.0.0.1	255.0.0.0	N/A
	G0/1	172.16.0.1	255.255.0.0	N/A
	G0/2	192.168.0.1	255.255.255.0	N/A
Server1	NIC	172.16.255.254	255.255.0.0	172.16.0.1
Server2	NIC	192.168.0.254	255.255.255.0	192.168.0.1
Server3	NIC	10.255.255.254	255.0.0.0	10.0.0.1
L1	NIC	172.16.0.2	255.255.0.0	172.16.0.1
L2	NIC	192.168.0.2	255.255.255.0	192.168.0.1
L3	NIC	10.0.0.2	255.0.0.0	10.0.0.1

Objectives

Part 1: Troubleshoot ACL Issue 1

Part 2: Troubleshoot ACL Issue 2

Part 3: Troubleshoot ACL Issue 3

Scenario

This network is meant to have the following three policies implemented:

• Hosts from the 192.168.0.0/24 network are unable to access any TCP service of Server3.
• Hosts from the 10.0.0.0/8 network are unable to access the HTTP service of Server1.
• Hosts from the 172.16.0.0/16 network are unable to access the FTP service of Server2.

Note: All FTP usernames and passwords are “cisco”.

No other restrictions should be in place. Unfortunately, the rules that have been implemented are not working correctly. Your task is to find and fix the errors related to the access lists on R1.

Part 1: Troubleshoot ACL Issue 1

Hosts from the 192.168.0.0/24 network are intentionally unable to access any TCP service of Server3, but should not be otherwise restricted.

Step 1: Determine the ACL problem.

As you perform the following tasks, compare the results to what you would expect from the ACL.

1. Using L2, attempt to access FTP and HTTP services of Server1, Server2, and Server3.
2. Using L2, ping Server1, Server2, and Server3.
3. Using L2, ping G0/2 of R1.
4. View the running configuration on R1. Examine access list 192_to_10 and its placement on the interfaces. Is the access list placed on the correct interface and in the correct direction? Is there any statement in the list that permits or denies traffic to other networks? Are the statements in the correct order?
5. Perform other tests, as necessary.

Step 2: Implement a solution.

Make an adjustment to access list 192_to_10 to fix the problem.

Step 3: Verify that the problem is resolved and document the solution.

If the problem is resolved, document the solution: otherwise return to Step 1.

_______________________________________________________________________________________

_______________________________________________________________________________________

No traffic is getting through because of the implicit deny any. Added a permit ip any any to the ACL

Part 2: Troubleshoot ACL Issue 2

Hosts from the 10.0.0.0/8 network are intentionally unable to access the HTTP service of Server1, but should not be otherwise restricted.

Step 1: Determine the ACL problem.

As you perform the following tasks, compare the results to what you would expect from the ACL.

1. Using L3, attempt to access FTP and HTTP services of Server1, Server2, and Server3.
2. Using L3, ping Server1, Server2, and Server3.
3. View the running configuration on R1. Examine access list 10_to_172 and its placement on the interfaces. Is the access list placed on the correct interface and in the correct direction? Is there any statement in the list that permits or denies traffic to other networks? Are the statements in the correct order?
4. Run other tests as necessary.

Step 2: Implement a solution.

Make an adjustment to access list 10_to_172 to fix the problem.

Step 3: Verify the problem is resolved and document the solution.

If the problem is resolved, document the solution; otherwise return to Step 1.

_______________________________________________________________________________________

_______________________________________________________________________________________

ACL was applied outbound on G0/0. Removed as outbound and applied as inbound on G0/0.

Part 3: Troubleshoot ACL Issue 3

Hosts from the 172.16.0.0/16 network are intentionally unable to access the FTP service of Server2, but should not be otherwise restricted.

Step 1: Determine the ACL problem.

As you perform the following tasks, compare the results to the expectations of the ACL.

1. Using L1, attempt to access FTP and HTTP services of Server1, Server2, and Server3.
2. Using L1, ping Server1, Server2, and Server3.
3. View the running configuration on R1. Examine access list 172_to_192 and its placement on the interfaces. Is the access list placed on the correct port in the correct direction? Is there any statement in the list that permits or denies traffic to other networks? Are the statements in the correct order?
4. Run other tests as necessary.

Step 2: Implement a solution.

Make an adjustment to access list 172_to_192 to fix the problem.

Step 3: Verify the problem is resolved and document the solution.

If the problem is resolved, document the solution; otherwise return to Step 1.

_______________________________________________________________________________________

_______________________________________________________________________________________

All traffic is allowed through because the order of the statements is wrong. Reorder the statements so that the permit ip any any is the second statement

Suggested Scoring Rubric

Question Location	Possible Points	Earned Points
Documentation Score	10
Packet Tracer Score	90
Total Score	100