QID:S09 Configure an ACL to block Telnet IN on a Router (SIM)
#1

Hello folks,

I have been stuck on this question for some time now.  At first I thought I was doing something wrong, however even after many, many repeated attempts I still cannot get the answer correct.  And yes, I have looked at the answer and copied the suggested ACL configuration word-for-word.  I am at my wits' end and starting to believe the router sim is somehow not working OK at the moment!?

So, what the fu.. can possibly be wrong with this SIM? - Has anybody else noticed the same problem with the S09 SIM???

Any confirmation would be greatly appreciated!

One more supplemental question:

Do you think that the following (slightly simpler) ACL config would be OK in the S09 case:

access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any

+

ip access-group 100 IN

on both s1 and e0 ???

These are only 3 quite simple config lines in total, matching the IP ranges on the two interfaces on the Austin router, and thus blocking incoming Telnet traffic to the router - you know...

If not - Why don't you think it would work on the Austin Router?

Cheers from

/Nick


#2

Well, perhaps the problem could be related to correct use of the "Done" button at the end of the SIM (although - according to my memory - I think I also tried that - at least - some of the times, when trying to solve the S09 case the other day!?)

After many retries, for some reason it suddenly succeeded with a "Pass" feedback message.

However I still don't understand, why the following ACL configuration will not work on the Austin Router in the S09 SIM:

access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any

+

ip access-group 100 IN

on both the s1 and e0 Interface

These are just 3 quite simple config lines in total, which I think should match the needed IP address ranges to be filtered on the two interfaces on the Austin router, and thus block incoming Telnet traffic to the router, as wanted in the case, but the SIM engine won't in any way accept this alternative configuration...

It's just suggested as a (perhaps a little simpler) config alternative, instead of specifying the exact IP addresses in more ACL statements, as suggested in the answering section of the S09 SIM - (The configured ACL filter is verified by means of some test packets simply sent out by the S09 SIM engine)

Any feedback, answers + hints etc. would be greatly appreciated!

Thank you in advance!

/Nick_K
#3
If you carefully read the question statement you should understand that you have to deny telnet access to the Austin router only. The telnet traffic destined for other hosts should pass through Austin without any restriction. See the extract of the question statement below:

"Configure and apply an access list that will prevent telnet access to the Austin router while allowing all other traffic to pass".

All other traffic does include telnet traffic from other hosts destined for some other host, say Host F wants to telnet into router FortWorth. Now your solution blocks telnet totally from passing through router Austin, that is why it is incorrect.
#4

Yep - Good point, that really cleared things up!

So the big art is "just" to read and understand the question 100%, then supply the right configuration altogether during the extreme time pressure of the test - oushh - not always very easy!

Thanks for answering!
#5
I don't know actually, I was somewhat confused last evening and did not realize that you needed to select each lab individually (new to this whole Cisco game)... been a Bay/Nortel engineer for years however.

I tried this question several times and at first I fell for the deny tcp any any gig myself, and then read the question carefully.

Then I used access-list 101 deny tcp any host 192.168.33.2 eq 23 .. and followed through for the next network and then the access-list permit ip any any,
then applied 101 in to both e0 and s0, and it failed me...

So, I tried it again this time printing out the answer.... it failed me

I tried again, this time however I typed in using no abbreviations: enable, configure terminal, copy running-config startup-config instead of en, conf t, copy run start (which all worked by the way and it passed me), but only when I used access-list 100.

Maybe I am just too old and set in my ways to follow along with all of this...
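The distinction drawn in post #3 (telnet to Austin itself versus telnet passing through Austin) and the per-address ACL form from post #5, as an added Python example that is not from the thread: it models top-down first-match ACL evaluation and runs both configurations over constructed test packets, the way the SIM checks with test traffic. The 192.168.33.2 address is the one quoted in post #5; the other addresses and the packet set are assumptions.

```python
from dataclasses import dataclass

# Constructed addresses for the example. 192.168.33.2 is the Austin address
# quoted in post #5; the other two are assumed placeholders, not SIM values.
AUSTIN_E0 = "192.168.33.2"
AUSTIN_S1 = "10.0.0.1"        # assumed address of Austin's serial interface
FORTWORTH = "172.16.5.1"      # assumed address of a router beyond Austin

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    dst: str     # destination IPv4 address as a string
    dport: int   # destination port; "eq telnet" means 23

def ace(action, proto, dst, dport=None):
    """One access-control entry: 'any' matches every destination."""
    def matches(pkt):
        if proto != "ip" and pkt.proto != proto:
            return False
        if dst != "any" and pkt.dst != dst:
            return False
        return dport is None or pkt.dport == dport
    return action, matches

def evaluate(acl, pkt):
    """First match wins, top down; an unmatched packet hits the implicit deny."""
    for action, matches in acl:
        if matches(pkt):
            return action
    return "deny"

# Nick's alternative (posts #1 and #2): drops every telnet packet entering the interface.
ACL_100 = [ace("deny", "tcp", "any", 23), ace("permit", "ip", "any")]

# Per-address form (post #5): only telnet whose destination is Austin itself is dropped.
ACL_101 = [
    ace("deny", "tcp", AUSTIN_E0, 23),
    ace("deny", "tcp", AUSTIN_S1, 23),
    ace("permit", "ip", "any"),
]

# Constructed test packets, in the spirit of the SIM's own test traffic.
TEST_PACKETS = {
    "telnet_to_austin": Packet("tcp", AUSTIN_E0, 23),
    "telnet_through_austin": Packet("tcp", FORTWORTH, 23),   # Host F -> FortWorth
    "http_through_austin": Packet("tcp", FORTWORTH, 80),
}

def results(acl):
    return {name: evaluate(acl, pkt) for name, pkt in TEST_PACKETS.items()}
```

Running results(ACL_100) and results(ACL_101) side by side shows the difference the SIM grades on: only the second configuration lets the transit telnet packet through.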