CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Some modifications to the access-list have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via the web (TCP port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, it could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
- Permit host B to access the Finance server: access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- Deny host B from accessing the other servers (not the whole network): access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
- Permit everything else: access-list 100 permit ip any any
Modification 2:
- Only allow host C to access the Finance server: access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- Do not allow anyone else to communicate with the Finance server in any way: access-list 100 deny ip any host 172.22.242.23
- Allow all other traffic: access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or local LAN to the Finance Web Server should be blocked: access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *: access-list 100 permit ip any host (if the question asks this, it will surely give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
- Host C should be able to use a web browser to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked: access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the Core and on the local LAN should be able to access the Public Web Server *: access-list 100 permit ip any host (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the command for “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using this command (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a new version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from the other hosts (PC0, PC1, PC3), then PC4 (Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
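To make the two points above concrete (statements are checked top-down and the first match wins, and an ACL only sees traffic that crosses the interface it is bound to in the bound direction), here is an added example written for this page. It is not code from 9tut, Cisco or the Packet Tracer file; it is a small evaluator for the numbered extended ACL syntax used in this sim, fed with the three-statement answer and with Modification 2. The host and server addresses are the ones listed in the question; the interface label "core" for the Core-facing interface is a placeholder, because the page never names that interface.

```python
"""First-match evaluator for the numbered extended ACLs used in this sim.

Added example for this page, not code from 9tut, Cisco or the Packet Tracer
sim. It supports only what the sim needs: the protocol keywords
ip/tcp/udp/icmp, `any`, `host A.B.C.D`, `A.B.C.D wildcard`, and
`eq <port>` / `eq www` on the destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    ingress: str = "fa0/0"  # arrives on "fa0/0" (hosts LAN) or "core" (placeholder label)
    egress: str = "fa0/1"   # leaves on fa0/1, the interface facing the Server LAN


@dataclass
class Entry:
    action: str
    proto: str
    src: Callable[[str], bool]
    dst: Callable[[str], bool]
    dport: Optional[int]


def _addr_matcher(t, i):
    """Consume one address spec at t[i]; return (matcher, index after it)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        return (lambda ip, want=t[i + 1]: ip == want), i + 2
    # network + wildcard mask: a 1 bit in the wildcard means "don't care"
    net = int(ipaddress.IPv4Address(t[i]))
    wild = int(ipaddress.IPv4Address(t[i + 1]))
    return (lambda ip, n=net, w=wild: (int(ipaddress.IPv4Address(ip)) | w) == (n | w)), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError("not an access-list statement: " + line)
        action, proto = t[2], t[3]
        src, i = _addr_matcher(t, 4)
        dst, i = _addr_matcher(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = 80 if t[i + 1] == "www" else int(t[i + 1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (e.src(pkt.src) and e.dst(pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def forwarded(acl: List[Entry], pkt: Packet, interface: str, direction: str) -> bool:
    """Is pkt forwarded when the ACL is bound with `ip access-group <n> <direction>`
    on `interface`? The ACL only inspects packets crossing that interface in that
    direction; every other packet bypasses it untouched."""
    crosses = pkt.ingress == interface if direction == "in" else pkt.egress == interface
    if not crosses:
        return True
    return evaluate(acl, pkt) == "permit"


HOST_A, HOST_B, HOST_C = "192.168.33.1", "192.168.33.2", "192.168.33.3"
FINANCE, PUBLIC, CORE = "172.22.242.23", "172.22.242.17", "198.18.196.65"

# The three-statement answer from the page
ACL_ANSWER = parse_acl([
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
])
# Modification 2: nobody but host C may talk to the Finance server at all
ACL_MOD2 = parse_acl([
    "access-list 100 permit ip host 192.168.33.3 host 172.22.242.23",
    "access-list 100 deny ip any host 172.22.242.23",
    "access-list 100 permit ip any any",
])

if __name__ == "__main__":
    core_http = Packet(CORE, FINANCE, "tcp", 80, ingress="core")
    for iface, dirn in (("fa0/0", "in"), ("fa0/1", "out")):
        print(f"Core -> Finance HTTP, ACL {dirn} on {iface}:",
              "forwarded" if forwarded(ACL_ANSWER, core_http, iface, dirn) else "dropped")
    print("Host A ping Finance, main answer:", evaluate(ACL_ANSWER, Packet(HOST_A, FINANCE, "icmp")))
    print("Host A ping Finance, modification 2:", evaluate(ACL_MOD2, Packet(HOST_A, FINANCE, "icmp")))
```

Running it shows the Core host's HTTP request to the Finance server being forwarded when the list is bound inbound on Fa0/0 (the packet never crosses that interface) and dropped when it is bound outbound on Fa0/1, and that a ping from host A still gets through the three-statement answer but not Modification 2. Reordering the statements in `parse_acl` (deny before permit) is an easy way to see for yourself why host C loses access when the first match is the deny.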
It is better to understand what you are trying to accomplish, than to focus on the samples here.
Yes, for sure the samples will help you become familiar with the questions.. and commands.
But it is better to understand: only allow one host access to the HTTP of the finance server.
So you would need to use an extended access list as you will be specific to http.
Then block all others’ http traffic to the finance web server..
Then allow everything else..
As stated by CAHOP240, normally you would want to apply it on FA0/0 nearest the source, but as stated, then it would not filter the “core” network, so in this case we need to apply it FA0/1..out bound..
801, you were very close..
don’t make the simulation seem harder than it really is.. in other words, don’t 2nd guess yourself..
good luck on your next attempt..
Thank you guys, it makes sense now :)
Passed today. Labs were ACL, EIGRP and VTP as here. The solutions here didn’t work, but the labs were almost the same. Thanks, 9tut.
@ziggy
What do you mean the solution didn’t work?
@Ziggy
i did this lab on Packet Tracer and it works. Here is my config, the same as 9tut’s.
access-list 101 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
Access to FWS
access-list 101 deny tcp any host 172.22.242.23 eq www
Deny all traffic through FWS
access-list 101 permit tcp any any
Permit all other situations
!
interface FastEthernet0/0
ip address 172.22.242.30 255.255.255.240
ip access-group 101 out
pls share your config and compare that
@Umit
I think it’s better to use “access-list 100 permit ip any any”
if the condition states to allow all the traffic
In the real exam are they going to give the ip address of the finance and other servers?
Why do you think that? could you pls explain it.
Passed CCNA today and got a bit confused on this one. The questions said to allow host D access to the Finance web server, but block all other traffic to it. And then to allow all traffic from all hosts to the Public server. I only used two statements:
access-list 100 permit tcp host [Host D] host [Finance server] eq www
access-list 100 permit ip any [Public server]
My reasoning was the default implicit deny all at the end would prevent any other traffic (other than Host D) from going to the Finance server. The test window only lets you check for web traffic from the hosts, so I couldn’t verify with other types of traffic.
Thoughts on this?
@Test what score did u get for the ACL? That’s what you have to ask yourself, then you will know what is missing
your second statement should have been
access-list 100 deny tcp host any ip of finance web server
then the last statement should have been
access-list 100 permit ip any any
I only got 60% in the NAT/ACL section. I was trying to decide at the time if I should use 3 statements, but it seemed to me that 2 would be fine, since the implicit deny all would take care of blocking other access to the Finance server.
Obviously not since I got a bad score for it, but I thought there might be different ways of completing the objective.
Actually now I see why my 2 statements were not going to work. I forgot that packets are filtered by the first match and then stop checking. So once packets matched my “permit ip any [Public Server]” they would then not have been filtered by the implicit deny all later, and would have been allowed through to the Finance server. Oh well, at least I know what I did wrong.
@Test how did u manage to pass if you got 60 on the ACL and the NAT, which means u have one more sim left which was VTP, and even if you got 100% and 100% in the WAN and the Drag and Drop.
@9tut
should it be
access-list 100 deny ip any host (finance) eq 80 ?
because on your post you didn’t put that even on the sim I have to do that also
@imeen: What requirement are you talking about?
Had this today. Had to allow http access to server from host b. Deny all other traffic from host b to finance server. And allow all other hosts from core and lan.
i did
access-list 100 permit tcp host b host finance server eq 80
access-list 100 deny ip host b host finance server
access-list 100 permit ip any any
in fa0/1
ip access-group 100 out.
Is this correct as i failed and only got 40% by the look of things.
@ Theone,
As far as i see it, all looks gr8 & good. Did you try the same access-list with packet tracer?
ok based on what i see,the correct answer should have been
access-list 100 permit tcp host b host finance server eq 80
access-list 100 deny tcp host any finance server
access-list 100 permit ip any any
HOST D should be able to access finance server via http.
all other access of host D to finance server should be blocked.
all host should be able to access Public server.
all other from any access should be denied.
- – – – – – – – – – – – – -
access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq www >> 1st statement
access-list 100 deny ip any host [Finance Server] >> 2nd statement
access-list 100 permit ip any host [Public Server] >> 3rd statement
Implicit deny >> 4th statement
if “access-list 100 permit ip any any” you’re not denied all other from any access, which is statement number 4.
ok you need 3 statements not 4
HOST D should be able to access finance server via http.
all other access of host D to finance server should be blocked.
all host should be able to access Public server.
all other from any access should be denied.
—————
Which gives full marks:
1) a) access-list 100 deny tcp any host 172.22.242.23 eq 80
or
b) access-list 100 deny ip any host
2) a) access-list 100 permit any any
b) access-list 100 permit any host (Public Server)
@jumper yep I’ve tried it, have worked with cisco kit for 5 years in the real world. Maybe i didn’t read the questions properly which i can sometimes be a sinner for. I failed with 801 as there was a bug in the VTP sim which wouldn’t take any of my commands, i have raised a case with Cisco and I’m awaiting a response. Re-take on monday should smash it. hopefully I’ll get a refund as well.
@Theone,
Sorry to hear about it, well look at the bright side you get a chance to review all the question that came. Btw, how many of the question were same per 9tut? I plan to sit for my cert soon.
Anyway .. Best of luck for the resit & do let us know of the outcome.
80% of the questions i had seen from 9 tut. go over every question and make sure you understand the concepts, you will whizz through the multi choice section this way.
Just passed with an 867! Failed last month with a 815 (1%). True what all say sekar 90-95% valid and 9tut sims are spot on.
theone my man it also happened to me the same vtp but didn’t know what to do becoz i was crazy confused lets see how we can solve this problem
i passed yesterday this demo is very valid
deep thanks to 9tut and examcollection
@Chris what kind of questions did u get and the sims what were they?
looking on this site and speaking to people i know. Everyone gets ACL sim there are various different requirements on this question.. VTP sim similar to on this site, use the same concepts and you’ll be fine. And EIGRP SIM. If you have actually taken the time to practice and read up on these concepts you will have no issues with the exam!
Please correct me if anyone has had other sims..
Can someone please clear this up for me –
if i were asked to
A) allow http access to server from host b
B)block all other traffic from host b to the server
c) allow all other traffic access to the public web server.
Would i apply the access list inbound from the host Lan, as this will meet all the requirements???
please answer ASAP
Hi people i posted a few days back and was puzzled why i got low marks on the sim, i think i have solved the issue.
I should have applied the access list to the inbound f0/0 interface. this would have met the whole criteria and placed it as near to the source as possible.
what do you think guys?
previous post below
************************************************************
Had this today. Had to allow http access to server from host b. Deny all other traffic from host b to finance server. And allow all other hosts from core and lan.
i did
access-list 100 permit tcp host b host finance server eq 80
access-list 100 deny ip host b host finance server
access-list 100 permit ip any any
in fa0/1
ip access-group 100 out.
Is this correct as i failed and only got 40% by the look of things.
@9tut i really think you should state in the “some modifications” section what interface and direction the ACL should be applied.
i think your 2nd statement should be
access-list 100 deny tcp any host finance server eq 80
or
access-list 100 deny ip any host (finance WS)
==========================
so the statement would be like this
access-list 100 permit tcp host (Host B) host (finance WS) eq 80
access-list 100 deny tcp any host (finance WS) eq 80
—- / or access-list 100 deny ip any host (finance WS)
access-list 100 permit ip any any
int fa0/0
ip access-group 100 out
what do you think guys?
@Theone
your solution is exactly as mine
I think you forgot something or misunderstood
something
==========================
Can someone please clear this up for me –
if i were asked to
A) allow http access to server from host b
B)block all other traffic from host b to the server
c) allow all other traffic access to the public web server.
Would i apply the access list inbound from the host Lan, as this will meet all the requirements???
please answer ASAP
MY SOLUTION>
access-list 100 permit tcp host (b) host (server) eq 80
access-list 100 deny ip host (b) host (server)
access-list 100 permit ip any any
My access list is definitely correct. It’s just where to place it. If you are not blocking anything from the core and only filtering traffic from the lan, surely it should be placed inbound on the lan interface of the router.
Remember extended acls should be placed as close to the source as possible.
Wrote ccna today bt did nt pass. However thanks 2evry1 4d assistance. D Sims are stil EIGRP,ACL 2 ,VTP
@Theone
your statement is correct and I wonder how come you only got 40% on your sims
1)allow http access to server from host b.
2)Deny all other traffic from host b to finance server.
3) allow all over hosts from core and lan.
access-list 100 permit tcp host [b] host [server] eq 80
access-list 100 deny ip host [b] host [server]
access-list 100 permit ip any any
========================
Where to put the ACL is it inbound or outbound
Outbound (fa0/1) – This is the best solution on your sim question because the third condition states that all other traffic will be allowed it simply means we need also to include the CORE .
Inbound(fa0/0)- This can only be applied if the condition only states the first and second conditions but with your Sim questions it clearly states that it will include the Core area.
In my opinion i would rather to choose the outbound interface of fa0/1 because it will meet all the given conditions.
————-
@9tut can you give some ideas about this one thanks!
@kambal. It only states that the core needs access to the public server. So if we apply it inbound on the f0/0, the core network will have access as there is no acl affecting the core!
It’s a hard one because both will work. It’s just a question of the best place to put it.
Im taking exam monday would be nice to know.
@theone
from 9tut comment
“Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.”
In that scenario that is true because you have to block http traffic from
All hosts and the core. If you are not asked to block anything from the core then the ACL can be placed on the inbound f0/0 interface. Try it in packet tracer!
^
Lab sims and real scenario are different,
we should assume that there is another traffic from another network that is present
thats why 9tut suggest we should put it on outbound f0/1, and yes on real scenario
in bound f0/0 will be really efficient, and yes It work on packet tracer, but as I have said we need to assume that there is still other network connected or involved even though its not present.
Passed today 933!!! Had to allow http from host b. block all
Other traffic to server. And allow other to the public web server. Soo applied outwards on f0/1. Practice this site and you will pass
hi can any1 tell me if the questions and lab changes every week ???
congratulation to u Theone i failed last week with 77% i could not answer the 2 lab questions i was very stupid because i had them before and if i did some practice i would have won my exam, i will try next week please before i go can any1 tell me if i will get 2 of the 8 labs on here.
@theone what was the statement this time then
@theone what did u get for the EIGRP and the VTP SIM was it the same with the same answers?
Same concepts not answers. Learn the concept not the answers.
@theone which dump did u use was it 680 or the 697?
@theone looks like you got the same question lucky you