CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt
Corp1>enable (you may enter “cisco” as it passwords here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
Some modifications:
Modification 1:
| permit host B from accessing finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| deny host B from accessing other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| permit everything else | access-list 100 permit ip any any |
Modification 2:
| Only allow Host C to to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Not allow anyone else in any way communicate with the financial server | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
| - Host C should be able to use a web browser(HTTP)to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| - Other types of access from host C to the Finance Web Server should be blocked - All access from hosts in the Core or local LAN to the Finance Web Server should be blocked |
access-list 100 deny ip any host 172.22.242.23 (because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN) |
| - All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need new version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
Other lab-sims on this site:
@9tut i have a silly question does it matter if we use tcp or ip?
@theone
congrats!
soon ill take ccna too :D
Mikey
I think this is the ri8 answer of your Question
access-list 100 permit tcp host 172.22.242.23 host 192.168.33.4 eq 80
ccess-list 100 deny ip host 172.22.242.23 host 192.168.33.4
access-list 100 permit ip any any
But
I can;t understand your Last Statement
“all other from any access should be denied.”
access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23 eq 80 (allow host b to F Server)
access-list 100 deny ip any host 172.22.242.23(Deny all other traffic from host b to finance server )
access-list 100 permit ip any any
plz Reply is it True.???
@Theone
Finally congrats mate!
How’s your ACL same with your last ?
i clear my test thank u
@kambal. I had to deny all
Traffic to the finance server from core and lan so where to place the list was easy!!!
@Theone
Congrats Sir! I failed my exam last Monday and I’m planning to retake first week of March. Please respond if all your second try exam are all different questions and scenarios. Thanks and more power to you!
One question about:
deny host B from accessing the OTHER server (not the whole network)
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
The wild card mask is 15 because the LAN has been assigned addresses of 172.22.242.17 – 172.22.242.30. That would give use 13ip (30-17=13). To get 13ips we have to use a CIDR of /20 or /28. 240-256=16ips – 1 = 15. Can anyone tell me if my logical is right?
sorry if I double posted. This question if for ACL2
^
to make it easy,
network address is .16 and the broadcast is .31
w/c falls into /28 with the subnet mask of
255.255.255.240, and if we convert it to subnet mask
it will turn out into 0.0.0.15
interface fa0/1
ip access-group 100 out
Is that right?
In all exams was “OUT” ?
@9tut
question about this modification:
deny host B from accessing the OTHER server (not the whole network) access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
If you apply that ACL all the servers and Fa0/1 should deny access to host B. If the goal is just deny traffic to host B to the OTHER SERVER would not be better use access-list 100 deny ip host B host Server?
Why apply the wild card mask that include the whole server lan?
@zipper: “out” here because we only want to filter all traffic going out of fa0/1 interface (outbound direction).
@wannabe: maybe the “OTHER” word is misleading, we meant “all other servers in the network”.
Hi guys!
After executing
Router(config)#access-list 100 deny tcp any host 172.22.242.24 eq 80
in the exam it was not possible to execute
Router(config)#no access-list 100 deny tcp any host 172.22.242.24 eq 80
Is it normal that at the test sim or is simulator problem, if so can i complain?
Thank you in advance for your posts.
Access list, VTP, and EIGRP SIMS same as 9tut, but bit tricky .
Train very good these Sims and try to understand the concepts.
Good luck.
Just passed CCNA today :) i had ACL 2,eigrp,ACL was different,but i still managed to pass.
@Nav which ACL is different ?
can you please explain it to me ?
deb
Even if you configure that ACL with exactly same commands as used in this ACL.You will score 60 % in ACL.So i types exactly same commands for ACL and all the other multichoice questions were right.I score 950 .
NAV
that means no change in ACL sim 2.one more thing can please give me the link of current dumps for ccna..
deb
i used pass4sure !!!
@Nav you kidding me right what if someone else gets 60 on the EIGRP and 90 on the VTP Sim you know that is fail right.you need to get 100 on evertything else.
why we applied the ACL to interface fa0/1?
extended ACL should be as close as possible to source (HostC) – int f0/0
@Nav: pass4sure was not good????????
can we use
#show ip interface brief
instead of show running-config ? or i will lose points
You can use any command you want. You will not use points for displaying commands! USE ANY COMMAND YOU WANT TO.
Hi guys
I’ve just took the exam today and I can say that I had some luck. I’ve scored 907/1000. I had the classical 3 simulation exam (VTP – 5 questions; ACL 2 and eigrp)
The ACL SIM has this Scenario:
Only allow Host C to to access the financial server a
Not allow anyone else in any way communicate with the financial server
Allow all other traffic should be permitted.
The EIGRP had the modification 221 as eigrp no, with a passive interface S0/1 -Link to ISP (leave it as passive!)
For all of u who are preparing for the exam read carefully this simulations, the are really helpful.
Thanks 9tut! Awesome job!
@ Daniel
what is the statement you used.because i realise some of the statements,relating to some of the questions and they are different.
—permit host B from accessing finance server
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
—deny host B from accessing other servers (not the whole network)
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
—permit everything else
access-list 100 permit ip any any
first statement might be correct because it permitted the host b in accessing the finance server but the host a,c and d are also permitted in accessing the finance server, so it turns out that the first statement is pretty useless yet it satisfies the requirements.
john are u replying to the statement because if u are then that is not correct.nothing there says the whole network.
@anonymous this is for the first example of modification.
From Daniel statement/scenario:
Only allow Host C to to access the financial server a
Not allow anyone else in any way communicate with the financial server
Allow all other traffic should be permitted.
access-list 100 permit ip host 192.168.33.3 host [financial server a IP]
access-list 100 deny ip any host [financial server IP]
access-list 100 permit ip any any
Is this correct?
i apply the exam yesterday and i solve the same questions bt i take 40% why ???
tell me plzzz
No, the first statement is about denying access from C to the Financial Server, but with a web brower. So the command shoul be
access-list 100 deny tcp host [ip host C] host [ip Financial Server] eq www
access-list 100 deny ip any host [Ip Financial Server]
access-list 100 permit ip any any
As I read from this site this sim has some bugs and some of you are using deny ip any any. I dont know if that is correct.
Another bug I’ve noticed for VTP simulation is about the show mac-address table command. It is not working properly from the switch. I have used a shorter command like “SH MAC’ and it worked. With the full command I had no luck.
Cheers guys
i write the same
access-list 100 deny tcp host [ip host C] host [ip Financial Server] eq www
access-list 100 deny ip any host [Ip Financial Server]
access-list 100 permit ip any any
i take 40% why ???
implement verify and troubleshoot nat and acls in medium size 40 % why ??
i write the same commands
i sure
why ??
thanks >>>>>
I took also 40% for this section. I do not know why, but I believe it is a bug somewhere in this simulation.
u r took 40% why ???
the same question here
im write the same commands
????
i sure
u r pass ccna ??
I have a exam tomorrow,plz I need some tips
careful eigrp and icl
hi
what the advantages of layer 2 ethernet switches over hubs ??????
@saaf
i think u had to permit in the 1st statment
I had the question – C can access finance port 80, c cant access finance on any other port, no access to finance for a,b,d on 80. access for all to public. Just took it today.
I’d also like to point out that i did the access lists correctly for the simulation, and it did NOT work. I did a simple access-list as a test, and that did NOT work either. I believe this simulation is bugged. The simple acl i did was permit c to reach finance on 80, block all others to finance on 80, permit anything else. applied access group to fa0/0 in. copy run start. All machines were still able to access all servers on 80.
Thank you Lord and 9tut —- I PASSED THE EXAM YESTERDAY 947/1000!!!! TO GOD BE THE GLORY…..
LAB are stil ACL2 VTP and EIGRP (221). VTP – 5 Questions – almost the same with 9tut, just study the concept of how the command works and you will pass. ACL – allow hobst b to access FWS via HTTP and block all, then allow everything on core LAN to access Public server
access-list 100 permit tcp Host (B) Host (FWS) eq 80
access-list 100 deny ip any host (FWS)
access-list 100 permit ip any any
int fa0/1
ip access-group 100 out
hi shadow,
welldone ,Tomorrow my turn.
ok TOTAL How many question
Hi shadow,
one correction in access-list,
access-list 100 permit tcp Host (B) Host (FWS) eq 80
access-list 100 deny ip any host (FWS)—————————–here should be tcp NOT ip
I am wright or wrong………………….
ok i write in exam access list the same i take 40% acl why ??????
im write the same
access-list 100 permit tcp Host (B) Host (FWS) eq 80
access-list 100 deny ip any host (FWS)—————————–here should be tcp NOT ip
shadow sure the same commands here plzzzzzz ???
what about eigrp ????
@saaf
access-list 100 permit tcp Host (B) Host (FWS) eq 80
access-list 100 deny ip any host (FWS)
access-list 100 permit ip any any
int fa0/1
ip access-group 100 out