Traffic Filtering Using Extended Access-Lists

Yaaay, I'm the first one to post here [:P]

This task is so confusing...

1) Configure R4 to permit any TCP traffic destined for R5 and sourced from the Loopback0 subnets. Ensure R4 allows returning TCP packets for those connections

ip access-l extended OUTBOUND
 permit tcp 150.1.0.0 0.0.255.255 any
!
ip access-l extended INBOUND
 permit tcp any 150.1.0.0 0.0.255.255 established

a) If it's destined to R5 shouldn't we specify that? 155.1.58.0 0.0.0.255 - 155.1.5.0 0.0.0.255 - 150.1.5.0 0.0.0.255 - 155.1.45.5 instead of any

b) Why do we have the "established" keyword inbound? The task simply asks to allow returning traffic, it does not say anything about allowing traffic only if it has been previously initiated by a host in the 150.1.x.x network

 

2) Ensure you only permit active FTP responses from servers in VLAN 146

ip access-l extended INBOUND
 permit tcp any 155.1.146.0 0.0.0.255 range 20 21
!
ip access-l extended OUTBOUND
 permit tcp 155.1.146.0 0.0.0.255 range 20 21 any

a) What is up with this wording? Shouldn't the task just say permit returning traffic instead of permit active FTP responses?

b) If the wording is correct, I was actually thinking about the "established" keyword here as opposed to being in the other line

 

3) Deny all ICMP “unreachable” messages with your configuration

ip access-l extended INBOUND and OUTBOUND
 permit icmp any any port-unreachable
 permit icmp any any time-exceeded

a) If it says deny, shouldn't we say "deny icmp any any port-unreachable"?

b) Why do we have the entry "permit icmp any any time-exceeded"?

 

I'd really appreciate if you shared your thoughts on this task [:)]

Comments

  • JoeMJoeM ✭✭✭

    1) Configure R4 to permit any TCP traffic destined for R5 and sourced from the Loopback0 subnets. Ensure R4 allows returning TCP packets for those connections


    ip access-l extended OUTBOUND
     permit tcp 150.1.0.0 0.0.255.255 any
    !
    ip access-l extended INBOUND
     permit tcp any 150.1.0.0 0.0.255.255 established


    a) If it's destined to R5 shouldn't we specify that? 155.1.58.0 0.0.0.255 - 155.1.5.0 0.0.0.255 - 150.1.5.0 0.0.0.255 - 155.1.45.5 instead of any

    Your solution would seem to be the most accurate. Right to the letter of the requirement. I would be more exact about this if it was a graded lab or the actual lab exam. But for the workbook lesson, I say "good catch. move on".

     

    b) Why do we have the "established" keyword inbound? The task simply asks to allow returning traffic, it does not say anything about allowing traffic only if it has been previously initiated by a host in the 150.1.x.x network


    The wording is important here. It is saying to allow TCP, while there are other restrictions (only active FTP).  When it specifically says to "allow" for TCP, then first thing I thought was reflexive or established.

     

    2) Ensure you only permit active FTP responses from servers in VLAN 146


    ip access-l extended INBOUND
     permit tcp any 155.1.146.0 0.0.0.255 range 20 21
    !
    ip access-l extended OUTBOUND
     permit tcp 155.1.146.0 0.0.0.255 range 20 21 any


    a) What is up with this wording? Shouldn't the task just say permit returning traffic instead of permit active FTP responses?


    b) If the wording is correct, I was actually thinking about the "established" keyword here as opposed to being in the other line

    The wording is a test of FTP knowledge: Passive vs Active.


    Established will not allow the client to connect to port 21, but port 20 could be used with established.


    NOTE: I see that in the workbook, established is the next lesson. So, we are not supposed to know about established yet. ;-)

    I often forget the exact mechanism for passive vs active. Here is a good reminder doc that I reference whenever I forget. :-)


    http://slacksite.com/other/ftp.html#basics

     

    3) Deny all ICMP “unreachable” messages with your configuration


    ip access-l extended INBOUND and OUTBOUND
     permit icmp any any port-unreachable
     permit icmp any any time-exceeded


    a) If it says deny, shouldn't we say "deny icmp any any port-unreachable"?


    b) Why do we have the entry "permit icmp any any time-exceeded"?

    Too many questions (just joking).  I ran out of time and have to run. ;-)


    I looked at my old workbook, and I do not have any notes about this being an error.


    With a quick glance, I believe there is the game of ICMP vs PMTUD and Traceroute. I need to look at it closer.

     

     

  • 3) Deny all ICMP “unreachable” messages with your configuration


    ip access-l extended INBOUND and OUTBOUND
     permit icmp any any port-unreachable
     permit icmp any any time-exceeded


    a) If it says deny, shouldn't we say "deny icmp any any port-unreachable"?


    b) Why do we have the entry "permit icmp any any time-exceeded"?

    a. It says all ICMP, then it should be:

             deny icmp any any unreachable

     

    b. time-exceeded is used for traceroute. I guess the reason is traceroute doesn't have "unreachable" message, thus it is allowed.

     

    Not sure if we can use:

              deny icmp any any unreachable

              permit icmp any any
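
The three points argued in this thread (what `established` does and does not match, why it cannot cover a server-initiated active-FTP data connection, and how `port-unreachable` differs from `unreachable`) can be checked offline with a small evaluator. The block below is an added example written for this page, not code from the thread, the workbook or Cisco; it models extended-ACL semantics as commonly documented (wildcard masks, first-match with an implicit deny, `established` matching only segments with ACK or RST set, and the ICMP keywords as type/code pairs) and applies the thread's own entries to constructed packets. The hosts 150.1.4.4 and 155.1.146.1, the port numbers and the packet directions are assumptions, as is the `ICMP_DENY_ALL` list built from the last comment's suggestion.

```python
import ipaddress
from dataclasses import dataclass

# ICMP keywords used in the thread -> (type, code); None means "any code"
ICMP_NAMES = {"unreachable": (3, None), "port-unreachable": (3, 3), "time-exceeded": (11, None)}

@dataclass
class Packet:
    proto: str                      # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})
    icmp: tuple = (0, 0)            # (type, code)

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str
    src: tuple                      # (network, wildcard)
    dst: tuple
    sport: tuple = None             # (low, high) or None for any port
    dport: tuple = None
    established: bool = False
    icmp: tuple = None              # (type, code-or-None)

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def _addr(t, i):
    """Parse 'any' | 'A WILDCARD' at t[i]; returns ((net, wc), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (t[i], t[i + 1]), i + 2

def _ports(t, i):
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_entry(line):
    """Parse 'permit|deny <proto> <src> [range] <dst> [range] [established | icmp-name]'."""
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _ports(t, i)
    dst, i = _addr(t, i)
    dport, i = _ports(t, i)
    e = Entry(t[0], t[1], src, dst, sport, dport)
    for opt in t[i:]:
        if opt == "established":
            e.established = True
        elif opt in ICMP_NAMES:
            e.icmp = ICMP_NAMES[opt]
        else:
            raise ValueError(f"keyword not modelled here: {opt}")
    return e

def matches(e, p):
    if e.proto != p.proto or not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    for rng, port in ((e.sport, p.sport), (e.dport, p.dport)):
        if rng and not rng[0] <= port <= rng[1]:
            return False
    # 'established' matches only segments with ACK or RST set, so a bare SYN never matches it
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False
    if e.icmp and (p.icmp[0] != e.icmp[0] or (e.icmp[1] is not None and p.icmp[1] != e.icmp[1])):
        return False
    return True

def evaluate(acl, p):
    """First matching entry wins; anything unmatched hits the implicit deny at the end."""
    return next((e.action for e in acl if matches(e, p)), "deny")

# The thread's lists for tasks 1 and 2, and the two candidate ICMP lists discussed for task 3
INBOUND = [parse_entry(l) for l in ("permit tcp any 150.1.0.0 0.0.255.255 established", "permit tcp any 155.1.146.0 0.0.0.255 range 20 21")]
OUTBOUND = [parse_entry(l) for l in ("permit tcp 150.1.0.0 0.0.255.255 any", "permit tcp 155.1.146.0 0.0.0.255 range 20 21 any")]
ICMP_WORKBOOK = [parse_entry(l) for l in ("permit icmp any any port-unreachable", "permit icmp any any time-exceeded")]
ICMP_DENY_ALL = [parse_entry(l) for l in ("deny icmp any any unreachable", "permit icmp any any")]

def demo():
    """Constructed packets; 150.1.4.4 and 155.1.146.1 are hypothetical hosts inside the thread's ranges."""
    syn_ack = Packet("tcp", "155.1.45.5", "150.1.4.4", 23, 40000, frozenset({"SYN", "ACK"}))
    bare_syn = Packet("tcp", "155.1.45.5", "150.1.4.4", 40000, 23, frozenset({"SYN"}))
    ftp_data = Packet("tcp", "155.1.146.1", "150.1.4.4", 20, 50000, frozenset({"SYN"}))
    icmp = lambda t, c: Packet("icmp", "155.1.45.5", "150.1.4.4", icmp=(t, c))
    return {
        "syn-ack in": evaluate(INBOUND, syn_ack),                  # permit: established
        "bare syn in": evaluate(INBOUND, bare_syn),                # deny: implicit deny
        "ftp data out": evaluate(OUTBOUND, ftp_data),              # permit: range 20 21
        "ftp data vs established": evaluate([parse_entry("permit tcp 155.1.146.0 0.0.0.255 any established")], ftp_data),  # deny: the server sends the SYN
        "host-unreach workbook": evaluate(ICMP_WORKBOOK, icmp(3, 1)),  # deny: only code 3 is listed
        "port-unreach workbook": evaluate(ICMP_WORKBOOK, icmp(3, 3)),  # permit
        "port-unreach deny-all": evaluate(ICMP_DENY_ALL, icmp(3, 3)),  # deny: whole type 3
        "time-exceeded both": (evaluate(ICMP_WORKBOOK, icmp(11, 0)), evaluate(ICMP_DENY_ALL, icmp(11, 0))),
        "echo deny-all": evaluate(ICMP_DENY_ALL, icmp(8, 0)),      # permit: only type 3 is blocked
    }
```

Calling `demo()` makes the thread's disagreements concrete: the `established` entry permits the SYN-ACK coming back to the 150.1.0.0/16 loopbacks but drops an unsolicited SYN, the same keyword would also drop an active-mode data connection because the server opens it from port 20 with a bare SYN, and `permit icmp any any port-unreachable` leaves every other unreachable code to the implicit deny, whereas `deny icmp any any unreachable` blocks all of type 3 while still letting time-exceeded and echo through.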
