To go on a bit, would the "deny ip any any" in the Untrusted ACL on R2 not cause users on the 150.50.17.0/24 not to be able to use the services configured in question 10 - even if the time based entries are in effect?
Is this an example of things breaking during the lab as is implied by the remark in the ACL?

Kim

-----Original Message-----
From: Scott Morris [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 7, 2007 15:43
To: 'Kim Blom'; [email protected]
Subject: RE: [OSL | CCIE_RS] Lab9 IPExpert v9.0

The established line probably would have met the technical requirements... We may have to look at the wording on there, because (IMHO) that leaves things a little too lame! :) But hey, it's all about interesting changes. As for the client ports, you likely could have specified gt 1023 there if you wanted to, but the any would have worked as well.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kim Blom
Sent: Thursday, June 07, 2007 9:35 AM
To: [email protected]
Subject: [OSL | CCIE_RS] Lab9 IPExpert v9.0

Hi,

Just joined and currently working on lab 9 of the IPExpert Workbook. When I look at the latest downloaded final configuration for question 2 (R4's lambeau ACL), it specifically lists a line matching return traffic for web servers followed by a line matching return traffic from FTP servers:

permit tcp 10.1.1.0 0.0.0.255 eq www any
remark that line covers the replies from web servers on the inside
permit tcp 10.1.1.0 0.0.0.255 any established
remark that line is necessary for the FTP server responses since ports vary

Would the answer not also be possible to be the following:

1. Just the established line or
2. add gt 1024 to the FTP entry (not a stated requirement, though, I think)

Further, the answers seem to take server ports into account, but not client ports, when specific entries are asked and to allow remaining traffic, if only certain flows are explicitly stated to be blocked. Is this normal lab practice, so to speak, or is it typically something to ask the proctor?

Kind regards,

Kim Blom
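An added illustration, not part of the thread or the IPExpert workbook: a small Python model of first-match evaluation for the two lambeau entries quoted above, comparing the published pair with the established-only alternative. The sample segments are constructed, and the model assumes TCP only, with `established` matching segments that have ACK or RST set.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Entry:
    """One 'permit tcp <src> <wildcard> [eq port] any [established]' line."""
    text: str
    src_net: str
    src_wildcard: str
    src_port_eq: Optional[int] = None
    established: bool = False

    def matches(self, pkt: dict) -> bool:
        # Wildcard bits set to 1 are "don't care"; compare only the others.
        care = ~int(IPv4Address(self.src_wildcard)) & 0xFFFFFFFF
        if (int(IPv4Address(pkt["src"])) & care) != (int(IPv4Address(self.src_net)) & care):
            return False
        if self.src_port_eq is not None and pkt["sport"] != self.src_port_eq:
            return False
        # 'established' matches only segments carrying ACK or RST.
        if self.established and not (pkt["flags"] & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, pkt) -> str:
    """First match wins; anything unmatched hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return "permit: " + entry.text
    return "deny: implicit"


WWW = Entry("permit tcp 10.1.1.0 0.0.0.255 eq www any", "10.1.1.0", "0.0.0.255", src_port_eq=80)
EST = Entry("permit tcp 10.1.1.0 0.0.0.255 any established", "10.1.1.0", "0.0.0.255", established=True)
PUBLISHED = [WWW, EST]        # the two entries quoted from the final configuration
ESTABLISHED_ONLY = [EST]      # alternative 1 from the question

# Constructed sample TCP segments (hosts, ports and flags are assumptions).
SAMPLES = {
    "web reply": {"src": "10.1.1.10", "sport": 80, "flags": {"SYN", "ACK"}},
    "ftp data reply": {"src": "10.1.1.20", "sport": 50001, "flags": {"ACK"}},
    "new session from port 80": {"src": "10.1.1.10", "sport": 80, "flags": {"SYN"}},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:26} published={evaluate(PUBLISHED, pkt)!r} "
              f"established-only={evaluate(ESTABLISHED_ONLY, pkt)!r}")
```

In this model the only sample the two variants treat differently is the SYN-only segment sourced from port 80: the `eq www` entry permits it, while the established-only list leaves it to the implicit deny.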
