A network administrator wants to block both DNS requests and zone transfers coming from
outside IP addresses. The company uses a firewall which implements an implicit allow and is
currently configured with the following ACL applied to its external interface.
PERMIT TCP ANY ANY 80
PERMIT TCP ANY ANY 443
Which of the following rules would accomplish this task? (Select TWO).
A. Change the firewall default settings so that it implements an implicit deny
B. Apply the current ACL to all interfaces of the firewall
C. Remove the current ACL
D. Add the following ACL at the top of the current ACL
DENY TCP ANY ANY 53
E. Add the following ACL at the bottom of the current ACL
DENY ICMP ANY ANY 53
F. Add the following ACL at the bottom of the current ACL
DENY IP ANY ANY 53
Not sure about answer “F”, since DNS is using TCP port 53 (answer “D”).
DNS request on 53/UDP and zone transfer on 53/TCP
Please excuse me for this simple question.
I am confused about extended ACLs when we use (permit|deny) with the protocol field set to IP, TCP or UDP on an access list.
I have 2 examples below:
1. access-list 102 permit tcp any host 192.168.10.10
OR
access-list 102 permit ip any host 192.168.10.10
2. access-list 103 deny tcp any host 192.168.20.10
OR
access-list 103 deny ip any host 192.168.20.10
Q1. In example 1 I am permitting the TCP and IP protocols from any to 192.168.10.10.
My question: what difference does it make if we use either TCP or IP in a permit access-list, i.e. what is the meaning of using IP or TCP, and what impact does it have?
Q2. Same goes for access-list 103: what is the difference in using TCP or IP in a deny statement, and what impact does it have?
Q3. If I want to block or permit traffic through an access-list, should I use IP or TCP in the protocol field of the access-list?
My confusion is about IP, TCP and UDP.

ANSWER:
Everything is included under IP.
TCP, UDP and ICMP, for example, are all under IP.
Q1. If you configure IP, that already includes TCP, hence you do not need to configure TCP anymore if you have already configured IP.
Q2. “deny tcp” will only deny the TCP protocol, e.g. telnet, smtp, http, while “deny ip” will include everything (the TCP, UDP and ICMP protocols), e.g. telnet, smtp, http, dns, icmp, snmp, etc.
Q3. If you would like to deny everything, you should use “IP” instead of “TCP” only.
Hope that helps.
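Both threads above come down to the same three rules of extended ACL matching: rules are evaluated top to bottom and the first match wins, the protocol keyword "ip" covers TCP, UDP and ICMP while "tcp" covers only TCP, and whatever matches nothing falls through to the list's default (implicit deny on a Cisco router, implicit allow on the firewall in the first question). The following is an added example, not code from either poster: a small first-match ACL evaluator in Python that parses both the exam-style "PERMIT TCP ANY ANY 80" lines and Cisco-style "access-list 102 permit tcp any host 192.168.10.10" lines, then runs constructed DNS-query (53/UDP), zone-transfer (53/TCP) and HTTPS packets through the first question's options, and SSH, SNMP and ping packets through the "tcp" versus "ip" forms of access-list 102. The addresses 198.51.100.7, 203.0.113.10 and 10.0.0.5 are placeholders from the documentation ranges; the wildcard-mask conversion assumes a contiguous wildcard.

```python
"""Toy first-match ACL evaluator modelled on Cisco IOS extended-ACL semantics
(added example, not from the original page):
  - rules are checked top to bottom; the first match decides the verdict
  - protocol "ip" matches any IP protocol (tcp, udp, icmp, ...)
  - a rule carrying a port never matches a packet without one (e.g. ICMP)
  - if nothing matches, the list's default applies: "deny" on a Cisco router,
    "permit" for the implicit-allow firewall in the first question
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    protocol: str            # "ip", "tcp", "udp" or "icmp"
    src: str                 # "any" or CIDR
    dst: str                 # "any" or CIDR
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _parse_addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tok[i]."""
    word = tok[i].lower()
    if word == "any":
        return "any", i + 1
    if word == "host":
        return tok[i + 1] + "/32", i + 2
    # Wildcard mask is an inverted netmask; assumes a contiguous wildcard.
    wildcard = int(ip_address(tok[i + 1]))
    prefix = bin(~wildcard & 0xFFFFFFFF).count("1")
    return f"{tok[i]}/{prefix}", i + 2


def parse_line(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' or the
    exam-style 'PERMIT TCP ANY ANY 80' (bare trailing destination port)."""
    tok = line.split()
    if tok[0].lower() == "access-list":
        tok = tok[2:]                      # drop keyword and list number
    action, proto = tok[0].lower(), tok[1].lower()
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    port = None
    if i < len(tok):
        port = int(tok[i + 1]) if tok[i].lower() == "eq" else int(tok[i])
    return Rule(action, proto, src, dst, port)


def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def evaluate(acl, pkt, default="deny"):
    """First match wins; fall through to the list's implicit action."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# ---- first question: external interface with implicit allow ---------------
# Constructed traffic from an outside host (198.51.100.7) to the company's
# DNS server (203.0.113.10); both are documentation-range placeholders.
TRAFFIC = {
    "dns_query":     Packet("udp", "198.51.100.7", "203.0.113.10", 53),
    "zone_transfer": Packet("tcp", "198.51.100.7", "203.0.113.10", 53),
    "https":         Packet("tcp", "198.51.100.7", "203.0.113.10", 443),
}
BASE = [parse_line(l) for l in ("PERMIT TCP ANY ANY 80", "PERMIT TCP ANY ANY 443")]
OPTION_D = [parse_line("DENY TCP ANY ANY 53")] + BASE     # on top
OPTION_E = BASE + [parse_line("DENY ICMP ANY ANY 53")]    # at bottom
OPTION_F = BASE + [parse_line("DENY IP ANY ANY 53")]      # at bottom


def verdicts(acl, default="deny"):
    return {name: evaluate(acl, pkt, default) for name, pkt in TRAFFIC.items()}


# ---- second question: "tcp" versus "ip" in the protocol field --------------
ACL_TCP = [parse_line("access-list 102 permit tcp any host 192.168.10.10")]
ACL_IP = [parse_line("access-list 102 permit ip any host 192.168.10.10")]
HOST_TRAFFIC = {
    "ssh":  Packet("tcp", "10.0.0.5", "192.168.10.10", 22),
    "snmp": Packet("udp", "10.0.0.5", "192.168.10.10", 161),
    "ping": Packet("icmp", "10.0.0.5", "192.168.10.10"),
}


def host_verdicts(acl):
    return {name: evaluate(acl, pkt, "deny") for name, pkt in HOST_TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl, default in (("base, implicit allow", BASE, "permit"),
                                ("A: base, implicit deny", BASE, "deny"),
                                ("D: deny tcp 53 on top", OPTION_D, "permit"),
                                ("E: deny icmp 53 at bottom", OPTION_E, "permit"),
                                ("F: deny ip 53 at bottom", OPTION_F, "permit")):
        print(f"{label:28} {verdicts(acl, default)}")
    print("permit tcp any host ...:", host_verdicts(ACL_TCP))
    print("permit ip any host ...: ", host_verdicts(ACL_IP))
```

Running it shows the behaviour each poster was reasoning about: with the implicit allow left in place, option D stops the 53/TCP zone transfer but the 53/UDP query still falls through and is allowed, option E never matches anything because an ICMP rule with a port cannot match TCP or UDP, and option F stops both because "ip" matches every protocol on port 53; switching the default to deny (option A) blocks both on its own while the two existing permits keep 80 and 443 open. For the second question, "permit tcp any host 192.168.10.10" lets SSH through and sends SNMP and ping to the Cisco implicit deny, whereas the "ip" form permits all three.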