Monday, April 11, 2016

CCNAv2 Completed Packet Tracer

Greetings, and welcome to Seeseenayy.

Packet Tracer Details: This packet tracer asks us to diagnose any problems with the configured Access Control List (ACL) for R1. Within the packet tracer, there are connectivity issues between an end device and a server's FTP, which is being blocked by the router's ACL. So, we're essentially tasked with trying to figure out what's wrong (which ultimately turns into a poorly configured "direction" on an ACL).

Below you will find a download of the completed packet tracer file. It is recommended that you read the tutorial first, since it explains how to troubleshoot ACLs rather than just handing you the fix.


Alternatively, you may use the commands from the tutorial.

Tutorial / Walk-through 
Our scenario starts off with three addresses being unable to reach a server's FTP site. We use our show commands to diagnose the problem.

For one instance, the IP for the server is incorrect.

Let's first start off by using FTP to connect to a server, so open L2 and connect to its respective server ( You should get the following:
Trying to connect...

%Error opening (Timed out)

Then two (for the most part) blank lines. Now let's see if we can connect elsewhere. From that same laptop, FTP into the other server; the username and password for the FTP are both 'cisco'.

Packet Tracer PC Command Line 1.0
Trying to connect...
Connected to
220- Welcome to PT Ftp server
331- Username ok, need password
230- Logged in
(passive mode On)

When we test, we fail. There should be a rule to permit the remaining traffic, because every ACL ends with an implicit deny: anything not explicitly permitted is dropped. Let's fix this.
Close out of any open CLI or tab and open R1. Let's check our access lists, then edit them accordingly:

R1#show access-lists (that command is extremely important for ACLs)
Extended IP access list 10_to_172
    10 deny tcp host eq www
    20 permit ip any any
Extended IP access list 172_to_192
    10 permit ip any any
    20 deny tcp host eq ftp
Extended IP access list 192_to_10
    10 deny tcp host
R1#conf t
R1(config)#ip access-list extended 192_to_10
R1(config-ext-nacl)#permit ip any any

For the second ACL (172_to_192), the deny statement must come first. An ACL is evaluated top-down and the first matching entry wins, so with 'permit ip any any' at sequence 10 the deny at sequence 20 is never reached.
So, from the output of 'show access-lists', copy the deny statement, remove the ACL, and recreate it with the deny ahead of the permit:

R1(config)#no ip access-list extended 172_to_192
R1(config)#ip access-list extended 172_to_192
R1(config-ext-nacl)#20 deny tcp host eq ftp
R1(config-ext-nacl)#21 permit ip any any

Exit configuration mode back to privileged EXEC and let's check our config (save prior to this).
R1#show run

Notice anything odd about G0/0? You should.
If you don't see it: the access group on that interface is applied 'out', and it should be 'in' for that interface. An ACL only filters traffic travelling in the direction it is bound to, so an 'out' ACL never sees packets entering the interface. Simply remove the access group and re-apply it in the correct direction.
R1#conf t
R1(config)#int g0/0
R1(config-if)#no ip access-group 10_to_172 out
R1(config-if)#ip access-group 10_to_172 in
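The two mistakes in this exercise (an ACL entry ordered after a broader permit, and an ACL bound in the wrong direction) both come down to how a router walks an ACL. The following Python model, added here as an illustration and not part of the Packet Tracer file or its configuration, evaluates entries in sequence order with first-match semantics and an implicit deny, and only consults an ACL bound in the direction the packet is travelling. Because the post's output elides the host addresses, the addresses below are constructed stand-ins, and the interface and ACL names are taken from the post.

```python
"""First-match ACL evaluation with implicit deny, plus the effect of the
direction ('in' / 'out') an ACL is bound with on an interface.
Added illustration; addresses are constructed samples, not the lab's."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr: str) -> ipaddress.IPv4Network:
    """Equivalent of the IOS 'host A.B.C.D' keyword (a /32)."""
    return ipaddress.ip_network(addr + "/32")


@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, else e.g. "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and ipaddress.ip_address(p.dst) in e.dst
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Walk entries in sequence order; the first match decides.
    Falling off the end is the implicit deny at the bottom of every ACL."""
    for e in sorted(acl, key=lambda x: x.seq):
        if matches(e, p):
            return e.action
    return "deny"


# Constructed stand-ins for the addresses elided in the post's output.
PC, WEB_SERVER = "10.0.0.10", "172.16.0.20"
CLIENT, FTP_SERVER = "172.16.0.10", "192.168.0.5"

# 10_to_172 as shown by 'show access-lists': deny www, then permit the rest.
ACL_10_TO_172 = [
    Entry(10, "deny", "tcp", host(PC), host(WEB_SERVER), 80),
    Entry(20, "permit", "ip", ANY, ANY),
]

# 172_to_192 as found in the exercise: the permit shadows the deny below it.
BROKEN_172_TO_192 = [
    Entry(10, "permit", "ip", ANY, ANY),
    Entry(20, "deny", "tcp", host(CLIENT), host(FTP_SERVER), 21),
]

# The same two entries in the order the fix recreates them.
FIXED_172_TO_192 = [
    Entry(20, "deny", "tcp", host(CLIENT), host(FTP_SERVER), 21),
    Entry(21, "permit", "ip", ANY, ANY),
]

ACLS: Dict[str, List[Entry]] = {
    "10_to_172": ACL_10_TO_172,
    "172_to_192": FIXED_172_TO_192,
}


def filter_on_interface(bindings: Dict[Tuple[str, str], str],
                        p: Packet, iface: str, direction: str) -> str:
    """bindings maps (interface, direction) -> ACL name, i.e. one entry per
    'ip access-group NAME in|out'. Only an ACL bound in the direction the
    packet is travelling is consulted; otherwise nothing filters it."""
    name = bindings.get((iface, direction))
    if name is None:
        return "permit"
    return evaluate(ACLS[name], p)


if __name__ == "__main__":
    ftp = Packet("tcp", CLIENT, FTP_SERVER, 21)
    print("broken 172_to_192, ftp:", evaluate(BROKEN_172_TO_192, ftp))
    print("fixed  172_to_192, ftp:", evaluate(FIXED_172_TO_192, ftp))
    www = Packet("tcp", PC, WEB_SERVER, 80)
    wrong = {("g0/0", "out"): "10_to_172"}   # as the lab had it
    right = {("g0/0", "in"): "10_to_172"}    # after the fix
    print("bound out, packet entering g0/0:", filter_on_interface(wrong, www, "g0/0", "in"))
    print("bound in,  packet entering g0/0:", filter_on_interface(right, www, "g0/0", "in"))
```

Running the module shows the broken ACL permitting FTP (the deny at sequence 20 is never reached) and the fixed ACL denying it, and shows the www packet passing untouched while 10_to_172 is bound 'out' on the interface it enters. The same first-match walk is what `show access-lists` match counters reflect, which is why a deny with a counter stuck at zero behind a broad permit is the thing to look for.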
