CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65.
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254:
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30.
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17.
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications of this access-list question have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice with (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. This is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) over HTTP (TCP port 80):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny all other hosts HTTP access to the Finance Web Server:
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted:
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to the Fa0/1 interface (outbound direction):
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply the access-list inbound on the LAN interface, we can only filter traffic from the LAN network; traffic from the Core would never be inspected.
In the real exam, just click on host C and open its web browser. In the address box, type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct, you can access it.
Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from these hosts.
Finally, save the configuration:
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via the web; if this server supports other traffic, like FTP, SMTP…, then other hosts can still reach it over those protocols.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
Requirement | Command
Permit host B to access the Finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
Deny host B from accessing the other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
Permit everything else | access-list 100 permit ip any any
Modification 2:
Requirement | Command
Only allow Host C to access the Finance server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
Do not allow anyone else to communicate with the Finance server in any way | access-list 100 deny ip any host 172.22.242.23
Allow all other traffic | access-list 100 permit ip any any
Modification 3:
Requirement | Command
Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN)
All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it must give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
Requirement | Command
Host C should be able to use a web browser to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the Core and on the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the command for “All hosts in the Core and on the local LAN should be able to access the Public Web Server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is the better one, you should perhaps use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even when the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A or host B instead of host C…, so make sure you read the requirement carefully and write the access-list correctly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1+) to open it.
Download this sim here
Notice: After typing the commands above, if you “ping” from the other hosts (PC0, PC1, PC3), then PC4 (the Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server. We have to create an access-list that can filter this traffic too.
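The following Python model is an added example for this page, not code from 9tut or Cisco: it parses the three statements above in IOS syntax (including the “host”, “any” and wildcard-mask forms used in the modifications), evaluates packets first-match with the implicit deny, and models the two placements discussed here, outbound on Fa0/1 versus inbound on Fa0/0. The PUBLIC_ONLY_ACL variant and the sample packets are constructed for this example.

```python
import ipaddress

# Constructed copy of the three statements from the answer above, plus the
# "permit ip any host <Public Web Server>" variant debated in the modifications.
CORP1_ACL = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]
PUBLIC_ONLY_ACL = CORP1_ACL[:2] + ["access-list 100 permit ip any host 172.22.242.17"]

HOSTS_LAN = ipaddress.ip_network("192.168.33.0/24")    # behind Fa0/0
SERVER_LAN = ipaddress.ip_network("172.22.242.16/28")  # behind Fa0/1

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD');
    return (address, wildcard) as ints and the remaining tokens."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N action proto SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    action, proto, rest = t[2], t[3], t[4:]
    src, src_wc, rest = parse_addr(rest)
    dst, dst_wc, rest = parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": (src, src_wc),
            "dst": (dst, dst_wc), "port": port}

def addr_matches(spec, ip):
    """Wildcard bits set to 1 are 'don't care', as IOS evaluates them."""
    addr, wildcard = spec
    return (addr ^ _ip(ip)) & ~wildcard & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation ending in the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        if addr_matches(ace["src"], src) and addr_matches(ace["dst"], dst):
            return ace["action"]
    return "deny"

def forwarded(acl, placement, proto, src, dst, dport=None):
    """'fa0/1 out' inspects every packet leaving towards the Server LAN (Hosts
    LAN and Core alike); 'fa0/0 in' inspects only packets entering from the
    Hosts LAN. A packet the ACL never sees is forwarded unfiltered."""
    if placement == "fa0/1 out":
        inspected = ipaddress.ip_address(dst) in SERVER_LAN
    else:  # "fa0/0 in"
        inspected = ipaddress.ip_address(src) in HOSTS_LAN
    return True if not inspected else evaluate(acl, proto, src, dst, dport) == "permit"
```

Running the Core host (198.18.196.65) through both placements shows why the answer applies the list outbound on Fa0/1: inbound on Fa0/0 the Core’s HTTP request is never inspected, and the PUBLIC_ONLY_ACL variant shows the implicit deny swallowing anything not aimed at the Public Web Server.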
My exam will be tomorrow, March 26, 2013. Wish me luck! :D
I tried using the Packet Tracer sim, but when I added the access-list command
access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23 eq 80
‘^’. ^
Invalid input detected
Can someone please help?
The error occurred at “100” and “host”. Am I doing something wrong?
You have given the wrong IP address.
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 (is the correct one)
If you don’t mind, can you tell me which dumps you are preparing from for the multiple questions?
You need to be in configuration mode, not enable mode:
go to configure terminal,
then apply the access-list.
Don’t forget the interface. Good luck.
For Morgan:
Does “?” work in that sim while completing the sim?
THERE IS A BUG IN THE ACL. CAN SOMEONE HELP SOLVE THIS ISSUE? I JUST FAILED BECAUSE OF IT, PLEASE.
Praise be to God.
Passed yesterday (24 March), 986.
Labs: EIGRP, VTP, ACL.
EIGRP: R1 has a wrong network and you should remove it with the no network command,
and there is a passive interface with the ISP router and you should leave it.
VTP and ACL are the same.
I studied 9tut, Sakher, Brar, 636q, ACME, Spike, Daniel, AbouHamza. You may need to study only the two highest-voted exams.
Thanks to everyone who helped me.
“access-list 100 permit ip any any” is correct, otherwise it will prevent the DNS queries to be blocked
Passed yesterday. This is from Ketan’s post a few weeks ago:
Sims are VTP, EIGRP & ACL2.
The AS no. is 12 and the other configuration is the same as shown here. I write the router names R1, R2, R3 & R4 here only for your understanding, because the router names and IP addresses are different, but the configuration is the same.
In the EIGRP there was a passive interface on the home network and all serial interfaces were shut down.
You must enable the interfaces, remove the incorrect network and the passive interface.
What I did is remove the entire EIGRP AS 12 and add the networks; by doing this I was able to get rid of the passive interface, so I didn’t have to go back and forth. My only problem is that I forgot to add no auto-summary, so I lost 30 points. I got full marks in the ACL, read below; for the rest of the questions in the VTP and the ACL, the same exact questions.
“In ACL they said
Host B should be able to use a web browser(HTTP)to access the Finance Web Server
Other types of access from host B to the Finance Web Server should be blocked
All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
All hosts in the Core and local LAN should be able to access the Public Web Server
But there are many bugs in VTP:
First I tell you which questions come in it.
Q.1 What interface did Sw-AC3 associate with source MAC address 0010.5a0c.ffba?
Bug: The “show mac-address-table” command is not working, therefore I used its shortcut “show mac”, and then it showed me the MAC address, but there the Fa0/12 interface is associated with it.
Q.2 Which switch is the root bridge for VLAN 1?
Ans: Same as here.
Q.3 From which switch did Sw-Ac3 receive VLAN information?
Bug: I used the “show vtp status” command; the mode of the switch is client but there is no IP address shown from which it takes VLAN information, therefore I had no idea what I could do, so I gave the approximate answer which I had seen here; I don’t know whether it is right or wrong there.
Q.4 Refer to the exhibit. SwX was taken out of the production network for maintenance. It will be reconnected to the Fa0/16 port of Sw-Ac3. What happens to the network when it is reconnected and a trunk exists between the two switches?
Ans: Here is a very big twist, because the answer is the same but they write it there in a different form: they say that all existing switches will have only the students, admin and faculty VLANs. There is no option of “The VLANs Servers, Management, Production and no-where will be removed from existing switches”.
Q.5 Out of which ports will a frame be forwarded that has source MAC address 0010.5a0c.fd86 and destination MAC address 000a.8a47.e612? (Choose three)
Ans: Same as shown here.
I think it helps you guys, best of luck to all. I share it because happiness increases when it is shared.
When you also give the exam, then share it; maybe that helps someone.
From the bottom of my heart, thank you very much 9tut, you guys are doing a very nice job helping us, may God bless you…….”
I have some questions about the modifications. Maybe it’s the core of the question why someone with the permit ip any any passed and someone else hadn’t. We should place the extended ACL as close to the source as possible (well explained in the CBT Nuggets videos).
1st modification: should it be?
interface Fa0/0 !
ip access-group 100 in
- because there isn’t anything in the statements about denying the Core LAN, so if you place it inbound, the Core traffic will be permitted anyway (there’s no inbound ACL on the Serial interface, or outbound on Fa0/1) = 3rd statement, permit everything else
2nd modification:
interface Fa0/1 !
ip access-group 100 out
- there is the “in any way” in the 2nd statement, meaning Core + LAN, so outbound to deny all to the FWS
3rd modification:
interface Fa0/1 !
ip access-group 100 out
- probably the only obvious direction, because it says to block the Core and LAN from accessing the FWS
4th modification:
interface Fa0/0 !
ip access-group 100 in
- here is the main problem: the first two statements only allow or deny Host C (LAN on the right side), so we can place the access-list inbound on Fa0/0
- the third statement says “allow everything”, so if we put it inbound on Fa0/0 (with the permit ip any any from the LAN on the right), the traffic from the Core will be passed through the router and we fulfill the rule to place the access-list as close to the source as possible too.
Maybe we lose points because of this, not because of the permit ip any any or permit ip any host.
What do you think? Is that the point? Should we still use the permit ip any any?
Addition to Modification 4:
I’d use the permit ip any host FWS there, because the permit ip any any would allow the traffic to the Core and other web servers, too.
Thanks God and 9tut.
Passed just a couple of hours ago.
The same lab was in my exam.
Thank you Allah and 9tut.
I just passed with full marks on this SIM question this morning. The question is as follows:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked: access-list 100 deny ip any host 172.22.242.23
- All hosts in the Core and local LAN should be able to access the Public Web Server *
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Could it be that last permit ip any any, without the IP of , because otherwise you are not allowing any other traffic due to the explicit deny ip any any, and the question does not say anything about that??
@RAZIF, GOOD JOB
NOW IT IS MY TURN, I HAVE THE EXAM THIS EVENING.
In the access-list lab, they mention NO MORE THAN THREE STATEMENTS.
PLEASE REPLY
Which of the following is a characteristic of full-duplex communication?
a) Hub communication is done via full duplex
b) It is a CSMA/CD network
c) It is a CSMA/CA network
d) It is point-to-point only
Ans: A
How come the answer to this question is A?
Hubs communicate via half duplex.
@Marvic
Option A is wrong! Option D is correct! Use dumps only for the question scenario, not for the answer!
Dumps 100%. I passed today with 986; labs VTP, ACL and EIGRP, all the 9tut ones with minor changes.
@Marvic
Hubs don’t use full duplex.
The correct answer is D.
@Ed
Congrats!
Please, I want the latest update of the labs in the exam… my exam is 2/4/2013.
Please,
I want the latest update of the labs in the CCNA exam… my exam is 2/4/2013, email hassan_altapakh65@yahoo.com
What was the minor change, Mr. Ed, can you tell us?
I passed my exam with 973 marks, thanks 9tut… now CCNP.
Congrats Akshay
Can you please share your experience: which sims came up?
What dump did you use?
Please can I have the latest update of the labs that are coming in the exams, my email faizan_jehangir88@hotmail.co.uk. Thanks
Where should I place the ACL in the 4th modification?
-Host C should be able to use a web browser to access the financial web server
-Other types of access from host C to the finance web server should be blocked
-All hosts in the core and on the local LAN should be able to access the Public web server *
interface fa0/0
ip access-group 100 in ????
because I don’t need to block anything from the Core, so I would place the ACL inbound on the LAN interface (192.168.33.254). Is it correct?
That’s what I thought, but both 9tut and how2pass have the access-list applied outbound on the interface facing the servers. I thought extended ACLs went as close to the source as possible????
It’s true (as close as possible), but 9tut hasn’t specified where to place the ACL in this particular case.
They say:
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
Probably a bug or something? Did anyone have the example above in the exam?
@4th mod: In this case we have to apply the ACL to the interface close to the server (the “.30” interface). Although it is against the rule, it is necessary in order to filter both the traffic from the Core and the traffic from the hosts.
Passed my CCNA yesterday, 29th March. I had this same access-list question on my exam with different IP addresses. This, the VTP and the EIGRP SIM will show up in your exam 95% of the time. One thing I know now is you cannot be prepared 100%; it’s not that difficult but please don’t underrate it. Hurry up before Cisco updates/changes the questions. I almost rescheduled thinking I’m not ready, and don’t panic like me on the exam…lol. If you do, just breathe in deeply through your nose, exhale slowly through your mouth, repeat a few times and you will be fine. It’s not that difficult; don’t rush but manage your time well during the exam.
@9tut thank you very much, will apply it at the exam in a week :)
How many minutes does the exam take? Does it automatically become 120 minutes if I’m from a non-English country?
I need the latest CCNA dumps that include more than 600 questions. I am having my exam in the next couple of weeks. I would appreciate your help if you could send them to me at my id. My id is bhargav_bhld@yahoo.co.in. Thanking you.
With minor changes, this LAB is important. Anyone who is going for the exam these days must review this LAB.
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked: access-list 100 deny ip any host 172.22.242.23
(because the requirement says we cannot use more than 3 statements, we have to use “any” here for the hosts in the Core and the hosts in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *: access-list 100 permit ip any host
(If the question asks this, it must give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Anyone who needs dumps, please visit http://www.examcollection.com/cisco/Cisco.ActualTests.640-802.v2013-01-28.by.Spike.662q.vce.file.html (this is a great dump)
Guys, every LAB in 9tut is important, but please make sure you see the (Some modifications:) section of every LAB.
Hey guys, I took the test a month ago and I got 778. The sims are the same as on 9tut.com: VTP, ACL 2, EIGRP… I failed on the ACL… It asked for 4 conditions to put in 3 lines, like on this sim. The questions are the same in every dump… Tomorrow is my second attempt. I practiced the ACL really well. I see that the ACL is the hardest sim, but it is not a big deal after some practice… Enjoy the test guys!!!
Thanks for taking the time to share your experiences.
HEY GUYS AGAIN!!! I TOOK THE TEST TODAY AND I GOT 867!!!! THANKS TO GOD!!!!!
JUST TO SAY THAT I HAD AGAIN (BECAUSE THIS IS MY SECOND ATTEMPT) THIS ACL WITH THE 4 CONDITIONS BUT JUST PUTTING 3 LINES… THIS SIM IS AMAZING, AS WELL AS THE EIGRP AND VTP… ALSO PRACTICE ALL THE DUMPS THAT ARE POSSIBLE.. EVERYTHING COUNTS!!!…
IT IS HARD BUT AFTER SOME PRACTICE IT GETS EASIER!!!
KEEP STUDYING GUYS!!
Passed 973, April 2. Same SIM here. I used the access-list 100 permit ip any host and the SIM took it. You need to understand the concepts very well to be able to adjust to the tweaks. Good luck peeps.
Passed 920, April 04. Thank you 9tut and examcollection
(dump valid 100% by Spike), it was so easy.
ACL2
- Host D should be able to use a web browser (HTTP) to access the Finance Web Server
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server
EIGRP
- AS number 22 incorrect and the IP of the interface on the main router incorrect. Please try to shoot the lab carefully.
VTP
- same sim lab on 9tut
Good luck.
@JORGE ****MIAMI, FL** April 2nd, 2013
Do you have the latest version of the VCE 3.1 software?
@All,
How did you practice the dumps and from which site? Please let me know.
I have the one before the latest version, I don’t know which one… It works with all dumps… You need to practice all the sims (ACL2, VTP, EIGRP), also all the questions from this website and of course examcollection.com
Are we allowed to use the question mark in the ACL?
Passed today. In the ACL sim you may encounter this problem: the command access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23 eq 80 is invalid. In this situation, you could use access-list 100 permit tcp 192.168.33.2 0.0.0.0 172.22.242.23 0.0.0.0 eq 80
Just passed the CCNA exam today (EIGRP, ACL, VTP). All the same labs, just a little difference.