Monday, April 11, 2016

CCNAv2 Completed Packet Tracer 9.4.2.6

Greetings, and welcome to Seeseenayy.

Packet Tracer Details: This packet tracer asks us to diagnose any problems with the configured Access Control List (ACL) for R1. Within the packet tracer, there are connectivity issues between an end device and a server's FTP, which is being blocked by the router's ACL. So, we're essentially tasked with trying to figure out what's wrong (which ultimately turns into a poorly configured "direction" on an ACL).

Below you will find a download of the completed packet tracer file. It is recommended that you read the tutorial, as it explains how to troubleshoot ACLs.

Download(s)

Alternatively, you may use the commands from the tutorial.

Tutorial / Walk-through 
Our scenario starts with three addresses being unable to reach a server's FTP service. We will use show commands to diagnose the problem.

In one instance, the IP for the server is incorrect.

Let's start by using FTP to connect to a server: open L2 and connect to its respective server (172.16.255.254). You should get the following:
PC>ftp 172.16.255.254
Trying to connect...172.16.255.254

%Error opening ftp://172.16.255.254/ (Timed out)
.

Then, for the most part, two blank lines. Now let's see if we can connect elsewhere. From that same laptop, FTP into 192.168.0.254. The username and password for the FTP server are both 'cisco'.

Packet Tracer PC Command Line 1.0
PC>ftp 192.168.0.254
Trying to connect...192.168.0.254
Connected to 192.168.0.254
220- Welcome to PT Ftp server
Username:cisco
331- Username ok, need password
Password:
230- Logged in
(passive mode On)
ftp>


When we test 10.255.255.254, we fail. The ACL needs a rule to permit any remaining traffic, because every ACL ends with an implicit deny. Let's fix this.
Close out of any open CLI or tab, and open R1. Let's check our access lists with show access-lists (that command is extremely important for ACLs), then edit them accordingly:

R1>en
R1#show access-lists
Extended IP access list 10_to_172
    10 deny tcp 10.0.0.0 0.255.255.255 host 172.16.255.254 eq www
    20 permit ip any any
Extended IP access list 172_to_192
    10 permit ip any any
    20 deny tcp 172.16.0.0 0.0.255.255 host 192.168.0.254 eq ftp
Extended IP access list 192_to_10
    10 deny tcp 192.168.0.0 0.0.0.255 host 10.255.255.254
R1#conf t
R1(config)#ip access-list extended 192_to_10
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#ex

For the second ACL, the deny statements must come first.
So, from the output of 'show access-lists', copy the deny statement from that ACL and re-enter it ahead of the permit:

R1(config)#no ip access-list extended 172_to_192
R1(config)#ip access-list extended 172_to_192
R1(config-ext-nacl)#20 deny tcp 172.16.0.0 0.0.255.255 host 192.168.0.254 eq ftp
R1(config-ext-nacl)#21 permit ip any any

Exit configuration mode back to user EXEC (save first), then let's check our config:
R1>en
R1#show run

Notice anything odd about G0/0? You should.
If you don't see it: the access group on that interface is applied 'out', and it should be 'in' for that interface. Simply remove the ACL from the interface and re-apply it in the correct direction.
R1#conf t
R1(config)#int g0/0
R1(config-if)#no ip access-group 10_to_172 out
R1(config-if)#ip access-group 10_to_172 in
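To make the three faults above concrete (no permit after the deny in 192_to_10, the permit shadowing the deny in 172_to_192, and the wrong direction on G0/0), here is a small ACL evaluator added as an example; it is not part of the original post or of Packet Tracer. It parses the ACEs exactly as 'show access-lists' prints them, applies IOS first-match semantics with the implicit deny, and models the inbound/outbound binding on a router interface. The sample hosts 172.16.0.10 and 10.0.0.10 and the assumption that G0/0 faces the 10.0.0.0/8 network and G0/1 faces 172.16.0.0/16 are constructed for the example; the ACL lines themselves are the ones shown above.

```python
import ipaddress

# Named ports as IOS prints them in 'show access-lists' output
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "ssh": 22}


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns None for 'any', otherwise (network_int, wildcard_int)."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    # IOS wildcard mask: 0 bits must match, 1 bits are "don't care"
    return int(ipaddress.ip_address(tok)), int(ipaddress.ip_address(tokens.pop(0)))


def parse_ace(line):
    """Parse one extended ACE in the form shown by 'show access-lists'."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def _addr_matches(spec, addr):
    if spec is None:
        return True
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (net & care)


def _ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return _addr_matches(ace["src"], pkt["src"]) and _addr_matches(ace["dst"], pkt["dst"])


def evaluate(acl_lines, pkt):
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if _ace_matches(ace, pkt):
            return ace["action"]
    return "deny (implicit)"


def forward(pkt, ingress, egress, bindings):
    """Router-style check: the ingress interface's 'in' ACL is consulted, then the
    egress interface's 'out' ACL. bindings maps (interface, direction) -> ACL lines."""
    for key in ((ingress, "in"), (egress, "out")):
        acl = bindings.get(key)
        if acl is not None and evaluate(acl, pkt) != "permit":
            return "dropped"
    return "forwarded"


# ACLs as shown by 'show access-lists' in the walkthrough, before and after the fixes
ACL_192_TO_10_BROKEN = ["10 deny tcp 192.168.0.0 0.0.0.255 host 10.255.255.254"]
ACL_192_TO_10_FIXED = ACL_192_TO_10_BROKEN + ["20 permit ip any any"]
ACL_172_TO_192_BROKEN = ["10 permit ip any any",
                         "20 deny tcp 172.16.0.0 0.0.255.255 host 192.168.0.254 eq ftp"]
ACL_172_TO_192_FIXED = ["20 deny tcp 172.16.0.0 0.0.255.255 host 192.168.0.254 eq ftp",
                        "21 permit ip any any"]
ACL_10_TO_172 = ["10 deny tcp 10.0.0.0 0.255.255.255 host 172.16.255.254 eq www",
                 "20 permit ip any any"]

# Constructed sample packets: the hosts 172.16.0.10 and 10.0.0.10 are assumed, not from the page
FTP_172_TO_10 = {"src": "172.16.0.10", "dst": "10.255.255.254", "proto": "tcp", "dport": 21}
FTP_172_TO_192 = {"src": "172.16.0.10", "dst": "192.168.0.254", "proto": "tcp", "dport": 21}
WWW_10_TO_172 = {"src": "10.0.0.10", "dst": "172.16.255.254", "proto": "tcp", "dport": 80}


def demo():
    """Return the verdicts that correspond to the three faults in the walkthrough."""
    return {
        # Fault 1: no permit after the deny, so everything else hits the implicit deny
        "192_to_10 before": evaluate(ACL_192_TO_10_BROKEN, FTP_172_TO_10),
        "192_to_10 after": evaluate(ACL_192_TO_10_FIXED, FTP_172_TO_10),
        # Fault 2: 'permit ip any any' on top shadows the deny beneath it
        "172_to_192 before": evaluate(ACL_172_TO_192_BROKEN, FTP_172_TO_192),
        "172_to_192 after": evaluate(ACL_172_TO_192_FIXED, FTP_172_TO_192),
        # Fault 3: bound 'out' on G0/0 (assumed to face 10.0.0.0/8), the ACL never
        # sees traffic entering that interface, so the web deny is never applied
        "10_to_172 out": forward(WWW_10_TO_172, "G0/0", "G0/1", {("G0/0", "out"): ACL_10_TO_172}),
        "10_to_172 in": forward(WWW_10_TO_172, "G0/0", "G0/1", {("G0/0", "in"): ACL_10_TO_172}),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:18} -> {verdict}")
```

The evaluator keeps the wildcard as a raw bit mask rather than converting it to a prefix length, so it also handles the non-contiguous wildcards IOS accepts. Running it prints "permit" for the broken 172_to_192 list and "forwarded" for the 'out' binding, which is exactly why both mistakes are easy to miss: the traffic flows, the ACL just never does the job it was written for.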

