CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Some modifications to this access-list sim have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (TCP port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply the access-list inbound on Fa0/0 we can only filter traffic from the LAN network; traffic from the Core enters on a different interface and would never be checked.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via web; if this server supports other traffic, like FTP, SMTP, etc., then other hosts can still access it through those services, because the third statement permits everything else.)
Notice: In the real exam, you might be asked to allow a different host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
permit host B to access the Finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
deny host B from accessing the other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit everything else | access-list 100 permit ip any any
Modification 2:
Only allow Host C to access the Finance server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
Do not allow anyone else to communicate with the Finance server in any way | access-list 100 deny ip any host 172.22.242.23
Allow all other traffic | access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover host C as well as the hosts in the Core and in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host <IP of Public Web Server> (if the question asks this, surely it has to give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
Host C should be able to use a web browser to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the Core and on the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host <IP of Public Web Server> (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the requirement “All hosts in the Core and on the local LAN should be able to access the Public Web Server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
In the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and write the access-list accordingly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you ping from the other hosts (PC0, PC1, PC3), PC4 (the Finance Web Server) can still reply, because we filter only HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can watch how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server; if the requirement asks for it, the access-list has to filter this traffic too.
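The three-statement list above, Modification 1’s wildcard-mask statement and the “Fa0/1 out versus Fa0/0 in” placement rule can all be checked without a router. The following Python evaluator is an added example for this tutorial, not part of the 9tut answer and not IOS code: it parses the numbered extended ACL syntax used on this page and walks it the way a router does (first match wins, implicit deny at the end). The packets and the interface name “Serial0/0” for the Core link are constructed assumptions; the addresses are the ones given in the question.

```python
"""Toy evaluator for the numbered extended ACL syntax used on this page.

Added example, not the 9tut answer and not IOS code. Only the subset of
syntax that appears on the page is parsed: 'any', 'host A.B.C.D',
'A.B.C.D WILDCARD', protocols ip/tcp/udp/icmp and an optional 'eq PORT'
after the destination address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # destination port; ignored for icmp


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume one address spec; return ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":                      # 'host X' is shorthand for 'X 0.0.0.0'
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported statement: " + line)
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"number": int(t[1]), "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "dport": dport}


def _addr_matches(addr, spec):
    """Wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (net & care)


def wildcard_range(network, wildcard):
    """First and last address a 'network wildcard' pair covers."""
    lo = _ip(network) & (~_ip(wildcard) & 0xFFFFFFFF)
    hi = lo | _ip(wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt, walking the ACL top to bottom."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (_addr_matches(pkt.src, ace["src"]) and _addr_matches(pkt.dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"]
    return "deny"    # the implicit 'deny ip any any' at the end of every ACL


def acl_sees(applied_on, direction, ingress, egress):
    """Does an ACL bound with 'ip access-group N <direction>' on applied_on
    get to inspect a packet that enters on `ingress` and leaves on `egress`?"""
    return applied_on == (ingress if direction == "in" else egress)


# The three statements from the answer above.
ACL_100 = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]

# Modification 1: host B may reach the Finance server but not the rest of
# the 172.22.242.16/28 server LAN.
MOD1 = [
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
]

if __name__ == "__main__":
    finance, public = "172.22.242.23", "172.22.242.17"
    for who, src in (("host C", "192.168.33.3"), ("host A", "192.168.33.1"),
                     ("Core", "198.18.196.65")):
        print(who, "HTTP to Finance:", evaluate(ACL_100, Packet(src, finance, "tcp", 80)),
              "| ping Finance:", evaluate(ACL_100, Packet(src, finance, "icmp")),
              "| HTTP to Public:", evaluate(ACL_100, Packet(src, public, "tcp", 80)))
    print("172.22.242.16 0.0.0.15 covers", wildcard_range("172.22.242.16", "0.0.0.15"))
    # Placement check; 'Serial0/0' is an assumed name for the Core-facing link.
    for ingress in ("Fa0/0", "Serial0/0"):
        print(f"{ingress} -> Fa0/1 seen by 'Fa0/1 out': {acl_sees('Fa0/1', 'out', ingress, 'Fa0/1')},"
              f" by 'Fa0/0 in': {acl_sees('Fa0/0', 'in', ingress, 'Fa0/1')}")
```

Running it shows the behaviour the tutorial describes: only host C gets HTTP to 172.22.242.23, every host can still ping it and reach the Public Web Server, and a list bound inbound on Fa0/0 never sees the packet that arrives from the Core, which is why the answer binds it outbound on Fa0/1. The wildcard helper also answers the recurring question in the comments: 172.22.242.16 0.0.0.15 covers .16 through .31, whereas host 172.22.242.16 is only that single address.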
Another question: can we use copy run start in the exam?
Or the full command copy running-config start-up config?
Does the TAB key work when typing in the CLI? Please advise.
@ Jack
Yes, you can use the copy run start command instead of copy running-config start-up config.
Hi, do the tab key and ? work in the exam?
Sandeep – I am certain that both tab and ? work in the real exam
Guys please help, I failed my 1st exam in Dec. Got 768/1000. I want to retake the exam soon, but I’m afraid about the sim questions. Do they change, or could I still find EIGRP, ACL and VTP? You can also email me your experience at myezakp@gmail.com. Thanking you in advance
Hey (KP) man, they will be the same but with a few changes, so be careful. CONCEPTS are so important. I took the exam twice till I failed. Am still for it in March.
Hi Aniket,
Please share your exam experience: were there any changes on the simulation, or did you feel any of the latest dumps were much useful? If so, please share the link; I’m going to take the exam on the coming Monday.
Thank you
Abhilash
Newbie when it comes to using Packet Tracer. Can anyone confirm why it won’t allow me to enter the ports that I have to permit/deny when I’m creating these ACLs?
Thanks
Hi guys, can anyone who passed the exam guide me on the interface of the real exam? I mean, does it look the same as VCE or is it changed? And also about the sims: how are they configured in the real exam, the same as Packet Tracer or not? Please guide me, because on Friday I am going to write the exam.
scored 651. so many tricks in my exam
1. The interface that has the finance server (fa0/1) was shut down when I did the show run config. So I applied the int “S0/1 out” on the host instead of on the fa0/1. I don’t know if it’s correct.
Also, EIGRP had a passive-interface. So one of the networks on C couldn’t update. I tried and I know I have more than 6 commands.
Pls, someone should explain how to solve the two
Thank you
@esteecee
Which one was the PASSIVE interface????
The ISP interface OR the internal routers??
Please explain more what you got in the exam???
@kevin
The passive interface was on the EIGRP simulation. I can’t remember if it was on the ISP or the router, but it wouldn’t allow the 2nd network on R3 to be added.
When I input the command for the 2 networks in R3,
R3(config-router)#network 192.168.60.0 and R3(config-router)#network 192.168.77.0
Then show running-config, 192.168.77.0 was not showing and the message passive-interface was appearing somewhere with network 192.168.77.0 within the output
I added it with the command R1(config)#router eigrp 212
R1(config-router)#network 192.168.77.0 and saved but it still appeared with the msg
Then on ACL, when I did show running-config, the interface on the finance server, 172.22.242.23, was showing “shutdown”. I only saw the serial interface of the Corp 1, so one cannot know which interface is on it. A friend told me that I was supposed to do “no shutdown” for it to come up.
Hi guys, just sat the exam…
For those of you looking to sit the exam soon, the sims are still valid (VTP, EIGRP and ACL 2).
Passed, good luck everyone.
Thanks 9tut and everyone contributing. Advice: if you need the extra help to pass, become a premium member; not only will you be contributing, but it also pretty much guarantees you pass.
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
Can anybody explain to me how I can implement this?
- All hosts in the Core and local LAN should be able to access the Public Web Server *
From the question above, the answer for this statement is:
“access-list 100 permit ip any any”
This ACL statement would be true if the question were
“All hosts in the Core and local LAN should be able to access all the servers”
but the question indicates that the Core and LAN should be able to access ONLY the PUBLIC WEB SERVER, not any server, e.g. the finance server and DNS server.
My answer: access-list 100 permit ip any host 172.22.242.17
Correct me if I’m wrong
@Air
Yes, you are wrong.
The statement says that all hosts should access the Public Web Server, but it doesn’t say to deny access to other servers, right?
access-list 100 permit ip any any – this is the right command,
access-list 100 permit ip any host 172.22.242.17 – wrong command, because you deny access to other servers, but in the requirements they didn’t ask us to do so
Just passed the test 933/1000 thanks to 9tut, especially for the labs; studied from testking v39, actualtest from the 12/20/12 (20/DEC/2012) dump, and 9tut.
Not hard, though I studied like a retard for 2 weeks; learning to do the labs and use the commands was the key.
access-list 100 tcp any any eq 80 (and that doesn’t freaking make sense) but it looks like it worked; if not, I was lucky.
The thing that really freaked me out was on the VTP simulator: show vtp status didn’t show the IP from where the switch got its updates.
creepy
@Mike
Thanks dude for clearing it up, it kinda confused me.
Even though it indicates it can access the Public Web Server, does it also mean that it can access the other servers as well, right?
The answer is access-list 100 permit ip any any. Thanks!
——————-
How about my example:
that the Core and LAN should be able to access ONLY the PUBLIC WEB SERVER, not any server, e.g. the finance server and DNS server.
Is my statement correct?
access-list 100 permit ip any host 172.22.242.17
A corporation wants to add security to its network. The requirements are:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server.
- Other types of access from Host C to the Finance Web Server should be blocked.
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked.
- All hosts in the Core and on the local LAN should be able to access the Public Web Server.
How can I apply this one?
@Metallica: failed…775, I got confused on the same ACL question.
@Anonymous
Are some of the questions the same as on these sims?
@anonymous – I also thought it didn’t work. Then I scrolled down the command line, and it had worked all along.
@9tut
In the last case of the Modifications, anyone can access the Financial Web Server
@Kevin: Yes, but the request does not mention anything about it, so we are allowed to do so.
@9tut
thank you
One more question, please help me
1. permit host B from accessing the finance server (here we have to use the IP protocol)
2. permit host B from accessing the finance web server (here we have to use the TCP protocol)
Is it correct??
Or is it that only if “using web browser” is mentioned, then and only then we have to use TCP, or only with the web finance server?
The correct thing would be to apply the ACL to the Fa0/1 interface (inbound direction).
Reason: to avoid traffic and CPU processing on the router. Identify the packet before all the processing.
Correct:
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 in
Sorry, folks:
the correct command is, and always will be:
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
I am going to take the exam on the 21st…… are testking and actualtest dumps and 9tut enough? Please suggest what I should do, I am a little bit scared!!
I passed today. The access-list was on the interface f0/0 and you had to permit host A to finance and prevent it from any other access.
good luck guys
@memw how many sim questions were there? And were the questions on 9tut, or was it tough? Please reply…
I passed my CCNA this morning with just 2 sims, ACL and EIGRP, but the ACL sim was so different: you are to permit host C to access the finance server and the other hosts to access the public servers. There were just 2 servers instead of 3, and I got like 7 drag and drops.
Tarqui Costa, I agree with you that to avoid the processing traffic you would apply it in the inbound direction; however, if you apply it on f0/1 it won’t even work, because the logic is very clear: out = outgoing interface f0/1 and in = incoming interface f0/0.
Rule for the CCNA: standard ACL close to the destination,
extended ACL close to the source.
For the CCNA exam remember it: standard ACL near the destination,
extended ACL near the source.
In this case we can configure the ACL on f0/1 out or f0/0 in…… but f0/0 in is much better because it reduces CPU utilization in the router.
@ kolawole
That’s great…. would you be kind enough to share the commands that you used to enable this? I am going to take the exam at the end of January. My boss paid for it and he expects me to pass it. I would be very grateful and it would be helpful for me if you would share this…. thanks mate….
@9tut
deny host B from accessing the OTHER server (not the whole network)
What’s the difference between
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
and
access-list deny ip host 192.168.33.2 host 172.22.242.16
If the 2nd option is wrong, why?
Same ACL, EIGRP and VTP?
Thanks for the well-elaborated comment, CCNA_br. Cheers.
@someone
As you can see, we need to summarize the network of the TWO other servers
ranging from
172.22.242.30 – 172.22.242.17
If we use this statement
access-list deny ip host 192.168.33.2 host 172.22.242.16
<– it will only deny host B to host 172.22.242.16 (this IP address is not even in the addressing scheme of the network, and the statement requires that host B be denied on the two other servers)
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
This one is the correct answer, because we use the wildcard mask
0.0.0.15, equal to a subnet mask of 255.255.255.240; within this range
the IP addresses of the Public server and the DNS server will be included
@kambalpogi
Thx. I’m not that good at access lists.
Hello friends, can anyone provide me the latest CCNA dumps? I shall be very thankful to you
rock3400@gmail.com
Do shortened commands work on the actual exam? config t? copy run start? etc etc.
Thanks in advance.
Why in the 1st scenario (modifications), when we’re applying “access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15”, are we expected to put a wildcard mask and not specify the host like this: “access-list 100 deny ip host 192.168.33.2 host 172.22.242.16”? The other scenarios don’t require a wildcard mask and have “host” before the “OTHER server” IP number we specify.
Can someone please explain this to me?
@Mo: The wildcard mask for a single host is 0.0.0.0. The wildcard mask of 0.0.0.15 is for more than 1 host. Read carefully and use a wildcard mask which applies to what they ask.
Can anybody please explain the difference between access-group in and out?
thanks a lot!!
Just took the exam today and by the grace of my lord and savior Jesus Christ I was able to pass the exam. Do not freak out people you will do just fine. The sims I received was the exact same sims as 9Tut VTP ACL2 an EIGRP. For the remaining exam just study this dump (url link below) and you will do just fine! The dump is 100% accurate and it covers all the questions that I received. http://www.examcollection.com/cisco/Cisco.ActualTests.640-802.v2012-07-15.by.Sekhar.697q.vce.file.html