Packet Tracer Details: This packet tracer asks us to diagnose any problems with the configured Access Control List (ACL) for R1. Within the packet tracer, there are connectivity issues between an end device and a server's FTP, which is being blocked by the router's ACL. So, we're essentially tasked with trying to figure out what's wrong (which ultimately turns into a poorly configured "direction" on an ACL).
Below you will find a download of the completed packet tracer file. It is recommended that you read the tutorial first, since it explains how to troubleshoot ACLs.
Alternatively, you may simply use the commands from the tutorial.
Tutorial / Walk-through
Our scenario starts off with three addresses being unable to access a server's FTP site. We will use show commands to diagnose the problem.
In one instance, the IP used for the server is simply incorrect.
Let's first start off by using FTP to connect to a server: open laptop L2 and connect to its respective server (172.16.255.254). You should get the following:
Trying to connect...172.16.255.254
%Error opening ftp://172.16.255.254/ (Timed out)
Then, for the most part, two blank lines. Now let's see if we can connect elsewhere. From that same laptop, FTP into 192.168.0.254. The username and password for the FTP server are both 'cisco'.
Packet Tracer PC Command Line 1.0
Trying to connect...192.168.0.254
Connected to 192.168.0.254
220- Welcome to PT Ftp server
331- Username ok, need password
230- Logged in
(passive mode On)
When we test 10.255.255.254, the connection fails. Every ACL ends with an implicit deny, so an ACL that only contains deny statements needs a permit any rule after them or it blocks all traffic. Let's fix this.
Close out of any open CLI or tab, and open R1. Let's check our access lists, then edit them accordingly.
The show access-lists command is extremely important for ACLs:
R1#show access-lists
Extended IP access list 10_to_172
10 deny tcp 10.0.0.0 0.255.255.255 host 172.16.255.254 eq www
20 permit ip any any
Extended IP access list 172_to_192
10 permit ip any any
20 deny tcp 172.16.0.0 0.0.255.255 host 192.168.0.254 eq ftp
Extended IP access list 192_to_10
10 deny tcp 192.168.0.0 0.0.0.255 host 10.255.255.254
R1#configure terminal
R1(config)#ip access-list extended 192_to_10
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
For the second ACL (172_to_192), the deny statement must come first. ACLs are processed top to bottom and the first matching entry wins, so with permit ip any any at sequence 10 the deny at sequence 20 is never reached.
So, from the output of 'show access-lists', copy the deny statement from that ACL, then rebuild it with the deny first:
R1(config)#no ip access-list extended 172_to_192
R1(config)#ip access-list extended 172_to_192
R1(config-ext-nacl)#20 deny tcp 172.16.0.0 0.0.255.255 host 192.168.0.254 eq ftp
R1(config-ext-nacl)#21 permit ip any any
Exit back to privileged EXEC mode, save, and then check the running configuration (show running-config).
Notice anything odd about G0/0? You should.
If you don't see it: the access group on that interface is applied 'out', but for that interface it should be 'in'. Remove the access group and re-apply it in the correct direction:
R1(config)#interface g0/0
R1(config-if)#no ip access-group 10_to_172 out
R1(config-if)#ip access-group 10_to_172 in
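The three faults found in this walk-through (a missing permit before the implicit deny, a deny placed after a permit ip any any so it never matches, and an ACL applied in the wrong direction on G0/0) all come down to how IOS evaluates an access list. The following Python model is an added example, not code from the original tutorial or from Packet Tracer: it parses the ACE lines exactly as 'show access-lists' prints them, applies first-match semantics with the implicit deny, and shows that an ACL applied 'out' on an interface is never consulted for traffic entering that interface. The ACL text is copied from the show output above; the packets, the assumption that G0/0 is where 10.0.0.0/8 traffic enters R1, and the sequence number 20 that IOS assigns when permit ip any any is appended to 192_to_10 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names as they appear in 'show access-lists' output (subset, constructed).
PORT_NAMES = {"ftp": 21, "www": 80, "telnet": 23, "smtp": 25}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # destination port, if any


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'ignore this bit' when comparing."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & keep) == (b & keep)


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard), rest."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str):
    """Parse the ACE lines of one extended ACL as printed by 'show access-lists'.
    Lines not starting with a sequence number (e.g. the header) are skipped."""
    acl = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, rest = _parse_addr(tokens[3:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acl.append({"seq": seq, "action": action, "proto": proto,
                    "src": src, "dst": dst, "dport": dport})
    return acl


def evaluate(acl, pkt: Packet):
    """First matching ACE decides. If nothing matches, the implicit deny applies.
    Returns (action, sequence); sequence is None for the implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *ace["src"]):
            continue
        if not wildcard_match(pkt.dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], ace["seq"]
    return "deny", None


def check_on_interface(acl, applied: str, traffic: str, pkt: Packet) -> str:
    """An ACL applied 'in' sees only packets entering the interface; applied 'out',
    only packets leaving it. Traffic crossing the other way is never consulted."""
    if applied != traffic:
        return "not-checked"
    return evaluate(acl, pkt)[0]


# ACL text copied from the 'show access-lists' output in the tutorial.
ACL_172_TO_192_BROKEN = """
Extended IP access list 172_to_192
    10 permit ip any any
    20 deny tcp 172.16.0.0 0.0.255.255 host 192.168.0.254 eq ftp
"""
ACL_172_TO_192_FIXED = """
    20 deny tcp 172.16.0.0 0.0.255.255 host 192.168.0.254 eq ftp
    21 permit ip any any
"""
ACL_192_TO_10_BROKEN = """
    10 deny tcp 192.168.0.0 0.0.0.255 host 10.255.255.254
"""
# 'permit ip any any' was added without a sequence number; IOS appends it as 20 (assumed).
ACL_192_TO_10_FIXED = ACL_192_TO_10_BROKEN + "    20 permit ip any any\n"
ACL_10_TO_172 = """
    10 deny tcp 10.0.0.0 0.255.255.255 host 172.16.255.254 eq www
    20 permit ip any any
"""

if __name__ == "__main__":
    ftp = Packet("172.16.1.10", "192.168.0.254", "tcp", 21)   # constructed packet
    print("172_to_192 before:", evaluate(parse_acl(ACL_172_TO_192_BROKEN), ftp))
    print("172_to_192 after: ", evaluate(parse_acl(ACL_172_TO_192_FIXED), ftp))
    web = Packet("10.0.0.5", "172.16.255.254", "tcp", 80)     # enters R1 on G0/0 (assumed)
    acl = parse_acl(ACL_10_TO_172)
    print("10_to_172 applied out, traffic in:", check_on_interface(acl, "out", "in", web))
    print("10_to_172 applied in,  traffic in:", check_on_interface(acl, "in", "in", web))
```

Running it shows the broken 172_to_192 returning ('permit', 10) for FTP because sequence 10 swallows everything, the rebuilt list returning ('deny', 20), the original 192_to_10 hitting the implicit deny (None) for any destination other than 10.255.255.254, and 10_to_172 only taking effect once it is applied in the direction the traffic actually crosses G0/0.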