CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other host on the LAN, and nothing from the Core, should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location, including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access list with no more than three statements that allows ONLY host C web access to the Finance Web Server. No other host will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications of this access-list question have also been reported, so read the “Some modifications” section at the end of this question as well. You can also download this sim to practice with (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (enter “cisco” as the password here)
We should create an access list and apply it to the interface connected to the Server LAN, because there it filters traffic coming from both the Sw-2 (Hosts LAN) and Core networks. The Server LAN has been assigned addresses 172.22.242.17 – 172.22.242.30, and the figure shows .30 next to the router, so the interface connected to the servers should have the IP address 172.22.242.30. Use the “show running-config” command to find out which interface has that address.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN. This is the interface on which we will apply the access list, in the outbound direction.
Corp1#configure terminal
Our access list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (TCP port 80):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny every other host web access to the Finance Web Server:
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted:
Corp1(config)#access-list 100 permit ip any any
Apply this access list to the Fa0/1 interface in the outbound direction:
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access list to the Fa0/1 interface (not Fa0/0) so that it filters traffic coming from both the LAN and the Core networks. If we applied it inbound on Fa0/0 it would only filter traffic from the LAN; web requests from the Core would still reach the Finance Web Server.
In the real exam, click on host C and open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct you can access it.
Click on the other hosts (A, B and D) and make sure you can’t access the Finance Web Server from them.
Finally, save the configuration:
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via web. If the server supports other services, like FTP or SMTP, other hosts can still reach those, because the final “permit ip any any” statement lets that traffic through.)
Notice: In the real exam you might be asked to allow a different host (A, B or D) to access the Finance Web Server, so read the requirement carefully.
Some modifications:
Modification 1:
- permit host B to access the Finance Web Server
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- deny host B access to the other servers (the Server LAN only, not the whole network)
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
(this wildcard range also covers the Finance Web Server, but host B’s traffic to it already matched the first statement, so it is not affected)
- permit everything else
access-list 100 permit ip any any
Modification 2:
- only allow host C to access the Finance Web Server
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- do not allow anyone else to communicate with the Finance Web Server in any way
access-list 100 deny ip any host 172.22.242.23
- allow all other traffic
access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
access-list 100 deny ip any host 172.22.242.23 (the requirement says we cannot use more than three statements, so we have to use “any” here to cover host C’s other traffic as well as the hosts in the Core and in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *
access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it has to give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any” instead
Modification 4:
- Host C should be able to use a web browser to access the Finance Web Server
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the Core and on the local LAN should be able to access the Public Web Server *
access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any” instead
* There are reports that the graded answer for “All hosts in the Core and on the local LAN should be able to access the Public Web Server” is “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is more precise, you should probably use the first one, “access-list 100 permit ip any any”, as some reports say they got 100% with it (even when the question gives you the IP address of the Public Web Server). It is a bug in this sim. Keep in mind what the narrower version does on a real router: with “permit ip any host (IP of Public Web Server)” as the last statement, the implicit “deny ip any any” at the end of every access list drops all other traffic leaving Fa0/1, including traffic to the other servers on the Server LAN.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
And in the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and adjust the access list accordingly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1 or newer) to open it.
Notice: After typing the commands above, if you ping from the other hosts (PC0, PC1, PC3), PC4 (the Finance Web Server) still replies, because we only filter HTTP traffic, not ICMP. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can watch how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server, so the access list has to be applied where it filters traffic from the Core as well.
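The following Python script is an added example for this page; it is not part of the original sim, the Packet Tracer file or any Cisco code. It re-implements the matching rules an IOS extended access list applies (top-down, first match wins, implicit deny at the end, “host”/“any”/wildcard addresses, optional “eq port”) and runs constructed packets through the three-statement answer above, the “deny ip any host” form used in Modifications 2 and 3, and the wildcard form from Modification 1. It models the access list only, not the interface or direction; the addresses are the ones given in the question.

```python
"""Toy evaluator for Cisco IOS numbered extended ACL statements (constructed
example). It models only what this page relies on: top-down first match, the
implicit 'deny ip any any', protocol keywords ip/tcp/udp/icmp, 'host A' /
'any' / 'A WILDCARD' addresses and an optional 'eq PORT' on the destination."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (matcher, next i)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip, t=target: ip == t), i + 2
    base = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    # Cisco wildcard mask: a 1 bit means "don't care", so compare the 0 bits only
    return (lambda ip, b=base, w=wild: (int(ip) | w) == (b | w)), i + 2


def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' statement."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto = t[2], t[3]
    src_match, i = _parse_addr(t, 4)
    dst_match, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return action, proto, src_match, dst_match, port


def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny': the first matching statement wins; no match = deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for line in acl_lines:
        action, proto, src_match, dst_match, port = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (src_match(src) and dst_match(dst)):
            continue
        if port is not None and pkt.dport != port:
            continue
        return action
    return "deny"   # implicit deny at the end of every IOS access list


HOST_A, HOST_B, HOST_C = "192.168.33.1", "192.168.33.2", "192.168.33.3"
CORE = "198.18.196.65"
FINANCE, PUBLIC = "172.22.242.23", "172.22.242.17"

# The answer on this page: only HTTP to the Finance Web Server is filtered.
ACL_HTTP_ONLY = [
    f"access-list 100 permit tcp host {HOST_C} host {FINANCE} eq 80",
    f"access-list 100 deny tcp any host {FINANCE} eq 80",
    "access-list 100 permit ip any any",
]
# Modifications 2 and 3: everything to the Finance Web Server except host C's HTTP.
ACL_ALL_IP = [
    f"access-list 100 permit tcp host {HOST_C} host {FINANCE} eq 80",
    f"access-list 100 deny ip any host {FINANCE}",
    "access-list 100 permit ip any any",
]
# Modification 1: host B reaches Finance but no other server in 172.22.242.16/28.
ACL_MOD1 = [
    f"access-list 100 permit ip host {HOST_B} host {FINANCE}",
    f"access-list 100 deny ip host {HOST_B} 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
]

# Constructed test traffic, as it would leave Fa0/1 towards the Server LAN.
CASES = {
    "C http->finance":    Packet("tcp", HOST_C, FINANCE, 80),
    "A http->finance":    Packet("tcp", HOST_A, FINANCE, 80),
    "core http->finance": Packet("tcp", CORE, FINANCE, 80),
    "A ftp->finance":     Packet("tcp", HOST_A, FINANCE, 21),
    "A ping->finance":    Packet("icmp", HOST_A, FINANCE),
    "C ftp->finance":     Packet("tcp", HOST_C, FINANCE, 21),
    "A http->public":     Packet("tcp", HOST_A, PUBLIC, 80),
}


def results(acl):
    """Map each test case name to the ACL's verdict for that packet."""
    return {name: evaluate(acl, pkt) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for label, acl in (("deny tcp ... eq 80", ACL_HTTP_ONLY), ("deny ip ... host", ACL_ALL_IP)):
        print(f"--- second statement: {label}")
        for name, verdict in results(acl).items():
            print(f"{name:20} {verdict}")
```

Running it shows the difference the second statement makes: with “deny tcp any host 172.22.242.23 eq 80” host A’s FTP and ping to the Finance Web Server are still permitted, while with “deny ip any host 172.22.242.23” everything except host C’s HTTP is dropped, which is exactly the distinction between the original question and Modifications 2 and 3. Reversing the statement order puts “permit ip any any” first and silently allows everything, which is why the order on the router matters.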
I just changed router 2 from 22 to 221 and added the network (this will show on show run). Then I added the network on router 2 to the main router. Make sure you can ping the network from any other LAN on router 2.
OK Shadow, I did this in the ACL and EIGRP and got 40%. Why?? The same question as here????
Why???
I wrote the same ACL commands and the same EIGRP commands and saved them, but I got 40%. Why??
@Saaf
I don’t know exactly which question you got. Mine was: allow host B to access the FWS via HTTP and block all others in the LAN/Core from accessing anything on the FWS, without affecting the PWS.
Right, the same, Shadow. Can you write these commands and send me the ACL and EIGRP
here or in gmail borglahsaad@gmail.com plzzzz
@ Saaf
The concept for EIGRP is already here at 9tut (almost the same but a different network).
The ACL I have already posted here too.
access-list 100 permit tcp host (B) host (FWS) eq 80
-> gives host B access to the FWS via HTTP
access-list 100 deny ip any host (FWS)
-> denies everything in the LAN/Core access to the FWS
access-list 100 permit ip any any
-> allows everything from the LAN/Core to access the PWS
int fa0/1
ip access-group 100 out
OK, where do I write the commands in the router console?????
Where is the EIGRP command???
I suggest practicing the lab using Packet Tracer. It’s all in there. Practice all the modifications and what others say they encountered in the real exam, or make your own scenario and solve it. From there you will know it by heart, not just memorize the commands. Cheers :)
I practice in Packet Tracer.
I’m a stranger to 40%.
40% only for the lab, or the lab with multiple-choice options??
Nice website that helped me pass my CCNA exam today with a score of 933 points. All of the CCNA exam is on this website. Thanks a lot 9tut.
Alcides plzzz help me, tomorrow is my exam.
What were the labs??? The same as here????
Can anyone help me with this one?
The exam asked to block other access from host C except telnet, and block all traffic from every other host on the network to the Finance Web Server. Permit all traffic from the networks to the Public Web Server.
I got the same. Can anyone help me write the commands???
Tomorrow is my exam. Can anybody tell me about the exams and labs?
My bad luck yesterday: CCNA
ACL LAB: 4 STEPS, NOT 3
1) Give host B access to the FWS via HTTP
2) Deny all other traffic from host B to the FWS
3) Deny everything in the LAN/Core access to the FWS
4) Allow everything from the LAN/Core to access the PWS
I passed yesterday!!! Thank you 9tut
Happie, what questions and labs came up? Help me plzzzzz?
Jimmy, the ACL that came up is not the same as on 9tut?
Jimmy, did you pass CCNA?
@ Jimmy
access-list 100 permit tcp host host eq 80
access-list 100 permit ip any host
access-list 100 deny ip any any
int fa 0/0
ip access-group 100 out
@ Jimmy
access-list 100 permit tcp host (B) host (FWS) eq 80
access-list 100 permit ip any host (PWS)
access-list 100 deny ip any any
int fa 0/0
ip access-group 100 out
I keep getting a
“Statement 1 of your access-list is not correct!” message.
Here is how it’s configured in the sim (using the tutorial):
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
interface fa0/1
ip access-group 100 out
I also tried switching the IPs (Host D and Finance Server) that differ from the tutorial. What is the correct answer?
@willy
The configuration is to allow only B to use the web browser and deny all other services for B, and also for the Core and the other LAN devices;
allow all Core and LAN devices to access the Public Web Server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 permit ip any host 172.22.242.17
access-list 100 deny ip any any
interface fa0/1
ip access-group 100 out
http://www.9tut.com/final_flash/ACL_Sim_v2/ACL2.html
The sim says HOST D.
My first statement is
access-list 100 permit tcp host 192.168.33.4 host 172.22.142.23 eq 80 (Is this correct?)
The 2nd statement is
access-list 100 deny ip any host 172.22.142.23 (Is this correct?)
The 3rd statement
I get a “Statement 3 of your access-list is not correct!” message.
What is the correct statement?
OK, figured it out.
The sim must have been updated or something. The correct answer is
access-list 100 permit tcp host 192.168.33.4 host 172.22.142.23 eq 80
access-list 100 deny ip any host 172.22.142.23
access-list 100 permit ip any any
interface fa0/1
ip access-group 100 out
How do you find out about access lists 1-99 and 100 to 199?
@azam
Standard access lists use 1-99 and extended access lists use 100-199,
and the extended ones are used for TCP and such.
Why did they put the ACL on out? Isn’t in better?
Hi,
I got the following questions (different IPs):
1)Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
2)Deny other hosts access to the Finance Web Server via web
3)Other types of access from host C to the Finance Web Server should be blocked
4)All other traffic is permitted
—————————————————-
My question is that (3) has two answers on the 9tut.com website. Which one is correct?
3)Other types of access from host C to the Finance Web Server should be blocked
access-list 100 deny ip any host 172.22.242.23
OR
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
@jimmy
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
is correct
@jimmy
1) access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
2) Deny other hosts access to the Finance Web Server via web
3) Other types of access from host C to the Finance Web Server should be blocked
access-list 100 deny ip any host 172.22.242.23
4) All other traffic is permitted
access-list 100 permit ip any any
@jimmy
1) access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
2) Deny other hosts access to the Finance Web Server via web
access-list 100 deny tcp any host 172.22.242.23 eq 80
3) Other types of access from host C to the Finance Web Server should be blocked
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
4) All other traffic is permitted
access-list 100 permit ip any any
Hey Jimmy, I think your second line
2) Deny other hosts access to the Finance Web Server via web
is wrong, because these 1 to 4 requirements are not possible in 3 statements; we need at least 4 for this.
I think the second line may only be
Deny other hosts access to the Finance Web Server
Sorry if I am wrong.
In the VTP LAB:
Which switch is the root bridge for VLAN 1?
When we run the sw-3# sh spanning-tree command, it shows all Desg ports.
It means sw-3 is the root bridge (am I right or wrong?)
@ Jimmy,
I’m showing switch 3 having a “Root FWD” port as well, which I was under the impression meant it can’t be the root bridge. The root bridge is the switch connected to Fa0/12. A “show cdp neighbor” command states that SW-DS1 is the root bridge.
Hey Jimmy, you didn’t give me the ACL answer???
Is it right or wrong???
And for the VTP lab, check the priority and MAC address of the Root ID and the Bridge ID (meaning our switch); if they are the same, our switch is the root bridge.
I’m taking the test next Monday. Is the SHEKAR 697q on virtual exam still valid? Also, any idea where to download Packet Tracer? Last time I tried downloading the virtual exam stuff I got a nasty virus; I still can’t use my Chrome.
Is this the right configuration?
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
int fa0/1
ip access-group 100 out
Is the second line command right? Because I can see it written in a different form here.
@ Paul
Yes, your configuration is right for allowing only C to access the web browser, denying the others for the Finance Web Server, and allowing all services to the other server from the LAN and Core.
You see a different form of the second-line command because there they said allow C to access the web browser on the Finance Web Server and deny the other services to C as well; therefore the second command is
access-list 100 deny ip any host 172.22.242.23
Passed the test! This website is AWESOME!!! ACL2, VTP, EIGRP almost the same as on here. Many questions were the same as on this website. If you can go through this website and answer the questions correctly, but more importantly understand the explanation of why the answer is what it is, then you will pass for certain. Interesting to note that the simulations are sprinkled throughout the exam; I thought they would all be at the end. One simulation question will have about 5 sub-questions, but the sim question only counts as one of the 50 questions. Big tip: know how to subnet quickly, this will save a lot of time. Good luck all! On to CCNP!
Congratulations to those who passed.
Why do we apply the access list to int fa0/1 out? Wouldn’t it be more efficient if we applied it to int fa0/0 in??
If we apply it in, we will save processing time in the router because packets will be discarded even before the router checks its routing table.
Thanks
I get it now, it needs to be done on that port to block packets from the Core as well :D
Passed CCNA today with 947.
The exam was very very easy. 9tut, Sekhar, Spike and Prepking 680q are still valid; no more questions outside of these. I advise you to take the exam and you will pass.
The correct configuration is
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
interface fast ethernet 1/0
ip access-group 100 out
This was confirmed, as I tried the exact config from here but the second line did not work; I had to put ip instead of tcp!
Today I passed my exam and I scored 960/1000.
Thanks to 9tut for the sim practice, but there is a bug in the exam: in VTP they asked
“From which switch did Sw-Ac3 receive VLAN information?”
I gave the command “show vtp status” but there is no IP address showing where it was modified from, and also Sw-Ac3 is a client, therefore I gave the approximate answer which I saw here because there was no other option for me. Also there is a bug: the “show mac-address-table” command is not working; when I gave the shortcut “show mac” it showed the MAC table.
The sims are ACL2, EIGRP and VTP. The paper is very easy; I completed my paper in 1 hour, therefore don’t hurry in the exam, because once you go to the next question you can’t come back. Understand the question and then give a confident answer.
ACL2:
Allow host B to access the Finance Web Server via web browser
Other services are denied to the LAN, Core and also host B
For the others permit all
EIGRP:
Configuration same as here, only the IP addresses and router names are different.
Thanks to 9tut, god bless you, you are doing nice work helping us.
Hi all, I’m a bit worried about the ACL questions, especially on the 2nd command. When do you apply ip or tcp? We are talking about host C. I’m taking the exam on 20th March.
eg. 1.
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
interface fast ethernet 1/0
ip access-group 100 out
eg.2
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23
access-list 100 permit ip any any
interface fast ethernet 1/0
ip access-group 100 out
Please send me the latest CCNA dumps: nikhilnaik8310@gmail.com
Yesterday I cleared my exam with 960/1000 marks in just 1 hour; the paper is very easy.
The sims are VTP, EIGRP and ACL2.
The EIGRP and ACL sims are also easy.
In EIGRP there is no passive-interface between R1 and R2, R3 or R4, therefore there is no need to remove it; the only passive-interface is between R1 and the ISP, but we don’t need to remove it. The AS number is 221 and the other configuration is the same as shown here. I write R1, R2, R3 and R4 here as router names just for your understanding, because the router names and IP addresses are different, but the configuration is the same.
In the ACL they said:
Host B should be able to use a web browser (HTTP) to access the Finance Web Server
Other types of access from host B to the Finance Web Server should be blocked
All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
All hosts in the Core and local LAN should be able to access the Public Web Server
But there are many bugs in VTP:
First I tell you which questions come in it.
Q.1 What interface did Sw-AC3 associate with source MAC address 0010.5a0c.ffba?
Bug: The “show mac-address-table” command is not working, therefore I used its shortcut “show mac” and then it showed me the MAC address; interface Fa0/12 is associated with it.
Q.2 Which switch is the root bridge for VLAN 1?
Ans: Same answer as here.
Q.3 From which switch did Sw-Ac3 receive VLAN information?
Bug: I used the “show vtp status” command; the mode of the switch is client, but there is no IP address shown from which it takes VLAN information, therefore I had no idea what to do, so I gave the approximate answer which I saw here. I don’t know whether it is right or wrong there.
Q.4 Refer to the exhibit. SwX was taken out of the production network for maintenance. It will be reconnected to the Fa0/16 port of Sw-Ac3. What happens to the network when it is reconnected and a trunk exists between the two switches?
Ans: Here is a very big twist, because the answer is the same but they wrote it in a different form. They say that all existing switches will have only the Students, Admin and Faculty VLANs. There is no option of “The VLANs Servers, Management, Production and no-where will be removed from existing switches”.
Q.5 Out of which ports will a frame be forwarded that has source MAC address 0010.5a0c.fd86 and destination MAC address 000a.8a47.e612? (Choose three)
Ans: Same as shown here.
I think it will help you guys. Best of luck to all. I share it because happiness increases when it is shared.
When you also take the exam, share it too; maybe that will help someone.
From the bottom of my heart, thank you very much 9tut. You guys are doing a very nice job helping us. May god bless you.
@9tut does the access-list number matter in the test? Between 100 and 101? I see it alternate often when people post about the exam.