Ticket 6

Instead of changing CBAC's inspection direction on r6's fa0/1, I edited the "OUTSIDE_IN" ACL to allow ICMP to come back in.  Comments?

interface Serial0/0/0
 description == OUTSIDE
 ip address 54.1.1.6 255.255.255.0
 ip access-group OUTSIDE_IN in

Rack1R6#sh access-l
Extended IP access list OUTSIDE_IN
    5 permit icmp any any (10 matches)
    10 permit eigrp any any (2245 matches)
    20 permit ospf any any
    30 permit pim any any
    40 permit tcp any any eq bgp (439 matches)
    50 deny ip any any (392 matches)

Rack1SW4#p 112.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 112.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/40/51 ms
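For comparison, here are the two approaches from this thread written out side by side. This is an added illustration, not configuration from the original post or the SG; the inspect rule name FIREWALL is taken from a later comment, the inside interface is assumed to be fa0/1, and the image is assumed to support ICMP inspection (the `icmp` keyword under `ip inspect name`). The security difference is what matters: the static ACE admits every ICMP type from any outside source at all times, whereas inspection only opens the return path for echoes that left from the inside, and closes it again when the session ends.

```cisco
! ---------------------------------------------------------------
! Option A: static hole in the inbound ACL (what the original poster did).
! Sequence 5 permits ALL ICMP from the outside unconditionally, not only
! echo-replies to pings that originated on the inside.
! ---------------------------------------------------------------
ip access-list extended OUTSIDE_IN
 5 permit icmp any any
!
! ---------------------------------------------------------------
! Option B: let CBAC track the outbound echo and open the return path.
! Assumption: the inspect rule FIREWALL already exists with its other
! protocol lines; only the ICMP line is added here.
! ---------------------------------------------------------------
ip inspect name FIREWALL icmp
!
! CBAC must see the traffic on its way OUT toward BB1. Either placement
! works; apply one of the two, not both.
!
! B1: inspect on the OUTSIDE interface, outbound (as the last commenter did)
interface Serial0/0/0
 description == OUTSIDE
 ip address 54.1.1.6 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip inspect FIREWALL out
!
! B2: inspect on the INSIDE interface, inbound (interface name assumed)
interface FastEthernet0/1
 ip inspect FIREWALL in
!
! With option B the ACL keeps no permanent ICMP entry and still ends in
! "deny ip any any"; CBAC inserts a temporary entry ahead of the static
! ACEs for the life of the echo/echo-reply session. Verify with:
!   show ip inspect sessions
!   show ip access-lists OUTSIDE_IN
```

Whichever option is chosen in the lab, the verification is the same: the ping from Rack1SW4 must succeed, and `show ip access-lists OUTSIDE_IN` should show where the replies were matched (the static sequence 5 in option A, a dynamic entry in option B).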

Comments

  • I did the same.

    Since there's no restriction I guess it's fine

  • I also did the same. But I think SG solution makes more sense than adding entry in the ACL.

  • That's a big question for the lab, do you implement the fastest solution that doesn't break any requirements (like changing OUTSIDE_IN acl) or keep looking for a 'more better' solution like changing CBAC in this case.

  • That's a big question for the lab, do you implement the fastest solution that doesn't break any requirements (like changing OUTSIDE_IN acl) or keep looking for a 'more better' solution like changing CBAC in this case.

    IMO, in the lab, we should be able to read the mind of the one that creates the task. So that we can provide the solution that is asked. Normally, restriction will help us to nail down the required solution. But if this is not the case and we have multiple viable solutions, my take is to check with the proctor. In my exam I did this and the proctor basically told me that I can do either way.

  • Hi,

       Expect in the tshoot section to have specific restrictions; for the config section it may be that not everything is as clear as you expect or as clear as you can understand! However, if you have multiple options, ask the proctor; if the proctor does not give you the answer you are looking for, select the most appropriate solution related to that technology. So in this case, you can re-configure CBAC, modify the ACL, just remove the ACL, or just remove CBAC. For sure the last two options, even if you had no restrictions, are not a viable solution. While it makes sense to edit the ACL, it may not always be the case.

       Given this task's requirements and restrictions, the first two solutions are acceptable.

    Good luck with your studies!

  • if you have multiple options, ask the proctor; if the proctor does not give you the answer you are looking for, select the most appropriate solution related to that technology. So in this case, you can re-configure CBAC, modify the ACL, just remove the ACL, or just remove CBAC. For sure the last two options, even if you had no restrictions, are not a viable solution. While it makes sense to edit the ACL, it may not always be the case.

    It's worth noting such points before going for the lab.

  • I modified the ACL to make it work, but after I saw the SG, I realized that it makes more sense and is more elegant to amend the CBAC.

  • I actually configured the CBAC policy out towards BB1 :

    interface Serial0/0/0
     ip inspect FIREWALL out

    and I left the config on f0/1 untouched.

    It is working. Would that be a valid solution for the lab?


    Thanks
