The inbound filter also needs icmp echo-reply and telnet reply to comply with question 2.6 (permit R4 to telnet and ping to BB3 and beyond).
NAT must be enabled on E0/1 and E0/0.

Extended IP access list fw-in
10 evaluate eval
20 permit tcp any host 204.12.1.100 neq smtp
30 permit tcp any eq bgp any
40 permit tcp any any eq bgp
50 permit icmp any any echo-reply
60 permit tcp any eq telnet any (51 matches)
1000 deny ip any any log

Extended IP access list fw-out
10 permit tcp any any reflect eval
20 permit udp any any reflect eval

interface Ethernet0/0
ip address 204.12.1.4 255.255.255.0
ip access-group fw-in in
ip access-group fw-out out
no ip unreachables
ip nat outside
half-duplex
no cdp enable
end

interface Ethernet0/1
ip address 10.4.4.4 255.255.255.0
ip nat inside
Comments
No OSPF neighbor on R4 e0/0.
Why doesn't the outbound ACL have permit ip any any at the end?
Should it be:
ip access-list extended TO_OUTSIDE
permit tcp any any reflect MIRROR
permit udp any any reflect MIRROR
permit ip any any
Of course there is no need to do this to complete this task. But I don't see why we have to deny at the end, because the task does not ask for it.
I suppose you would need the "permit ip any any" if you want to be able to ping from the inside. But the task does say deny all other traffic.
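To make the behaviour argued about above concrete, here is a small Python model of the fw-out / fw-in pair (added here, not from the post or the workbook). It assumes IOS semantics where an outbound ACL is not applied to traffic the router itself generates, and uses constructed addresses as seen on E0/0 after NAT.

```python
# Toy model of the reflexive ACL pair in this post (fw-out / fw-in on R4 E0/0).
# Addresses are as seen on E0/0, i.e. after inside->outside NAT; all values constructed.
from dataclasses import dataclass
@dataclass(frozen=True)
class Pkt:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp: str = ""                   # "echo" or "echo-reply"
    router_originated: bool = False  # generated by R4 itself (BGP, its own telnet/ping)
class ReflexiveFirewall:
    def __init__(self):
        self.eval = set()  # temporary entries of reflexive ACL "eval" (mirrored 5-tuples)

    def outbound(self, p):
        """fw-out: permit tcp/udp any any reflect eval, then the implicit deny ip any any."""
        if p.router_originated:
            return True  # outbound ACLs skip router-generated traffic, so nothing is reflected
        if p.proto in ("tcp", "udp"):
            self.eval.add((p.proto, p.dst, p.dport, p.src, p.sport))  # mirrored for the reply
            return True
        return False  # implicit deny: a transit ping from the inside is dropped here

    def inbound(self, p):
        """fw-in, evaluated top down (sequence numbers from the post)."""
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.eval:
            return True                                           # 10 evaluate eval
        if p.proto == "tcp" and p.dst == "204.12.1.100" and p.dport != 25:
            return True                                           # 20 neq smtp
        if p.proto == "tcp" and 179 in (p.sport, p.dport):
            return True                                           # 30/40 bgp
        if p.proto == "icmp" and p.icmp == "echo-reply":
            return True                                           # 50 echo-reply
        if p.proto == "tcp" and p.sport == 23:
            return True                                           # 60 telnet replies
        return False                                              # 1000 deny ip any any log

def demo():
    fw = ReflexiveFirewall()
    inside, outside, r4 = "204.12.1.40", "198.51.100.9", "204.12.1.4"  # constructed
    return {  # dict literal entries evaluate left to right, so outbound runs before inbound
        "transit_web": fw.outbound(Pkt("tcp", inside, outside, 40000, 80)),
        "web_reply": fw.inbound(Pkt("tcp", outside, inside, 80, 40000)),    # matched by eval
        "unsolicited": fw.inbound(Pkt("tcp", outside, inside, 80, 40001)),  # no entry, denied
        "r4_ping": fw.outbound(Pkt("icmp", r4, outside, icmp="echo", router_originated=True)),
        "r4_ping_reply": fw.inbound(Pkt("icmp", outside, r4, icmp="echo-reply")),  # line 50
        "inside_ping": fw.outbound(Pkt("icmp", inside, outside, icmp="echo")),  # implicit deny
    }
```

The model shows why line 50 is needed for R4's own pings (they never create a reflexive entry) and why, without a trailing permit ip any any in fw-out, a transit ping from the inside is dropped.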