CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Some modifications to the access-list have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that it can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on the LAN-facing interface, it could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Requirement | Command
Modification 1:
permit host B to access the finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
deny host B access to the other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit everything else | access-list 100 permit ip any any
Modification 2:
Only allow Host C to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
Do not allow anyone else to communicate with the financial server in any way | access-list 100 deny ip any host 172.22.242.23
Allow all other traffic | access-list 100 permit ip any any
Modification 3:
Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover the hosts in the Core and the hosts in the local LAN)
All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it will surely give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the command for “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using this command (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1+) to open it.
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
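As an added example (not from the 9tut answer or its Packet Tracer sim), the following Python script simulates how IOS evaluates access-list 100: the first matching statement wins, a statement with "eq 80" never touches ping or FTP, the wildcard mask 0.0.0.15 from Modification 1 covers the whole Server LAN, and leaving out the final permit ip any any drops everything else through the implicit deny. Addresses, ports and statements are the ones given above; the flows it evaluates are constructed test traffic.

```python
"""First-match evaluation of a Cisco numbered extended ACL.

Added example (not from the 9tut answer or the sim): models how IOS walks
access-list 100 top to bottom, stops at the first match, and applies the
implicit "deny ip any any" when nothing matches.  Addresses and ports come
from the question above; the flows below are constructed test traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN_PORTS = {"www": 80, "ftp": 21}      # names IOS accepts after "eq"
IMPLICIT_DENY = "deny ip any any (implicit)"


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A wildcard mask is a hostmask: 172.22.242.16 0.0.0.15 -> 172.22.242.16/28
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


@dataclass
class Entry:
    text: str
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]     # None when the statement has no "eq <port>"

    def matches(self, src, dst, proto, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src or ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def parse_entry(line):
    """Parse e.g. 'access-list 100 deny tcp any host 172.22.242.23 eq 80'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                  # drop "access-list <number>"
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _parse_addr(rest), _parse_addr(rest)   # source first, then destination
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else WELL_KNOWN_PORTS[rest[1]]
    return Entry(line, action, proto, src, dst, dport)


def evaluate(acl_lines, src, dst, proto, dport=None):
    """Return (action, statement that decided it) as IOS would for one packet."""
    for entry in map(parse_entry, acl_lines):
        if entry.matches(src, dst, proto, dport):
            return entry.action, entry.text
    return "deny", IMPLICIT_DENY


# The three statements from the answer above (applied outbound on Fa0/1).
ACL_ANSWER = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]
# Modification 1: the deny uses a wildcard mask covering the whole Server LAN.
ACL_MOD1 = [
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
]
FINANCE, PUBLIC, CORE = "172.22.242.23", "172.22.242.17", "198.18.196.65"

if __name__ == "__main__":
    flows = [(ACL_ANSWER, "192.168.33.3", FINANCE, "tcp", 80),   # host C web: permit
             (ACL_ANSWER, CORE, FINANCE, "tcp", 80),             # Core web: deny
             (ACL_ANSWER, "192.168.33.1", FINANCE, "tcp", 21),   # host A FTP: permit
             (ACL_MOD1, "192.168.33.2", PUBLIC, "tcp", 80),      # host B to Public: deny
             (ACL_ANSWER[:2], "192.168.33.3", PUBLIC, "tcp", 80)]  # no final permit: implicit deny
    for acl, *flow in flows:
        print(flow, "->", evaluate(acl, *flow))
```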
*allow host B to access web service of finance server
*Deny host B and Core network to access any other services on Finance server
*allow access of public server for everything from everyone
Can anyone help me with this ACL lab?
@kuschev
I think it will be
access-list 100 permit tcp host (host B ip) host (finance server ip) eq 80
access-list 100 deny ip any host (finance server ip)
access-list 100 permit ip any host (public server ip)
If there is a third server, I will never use access-list 100 permit ip any any,
because I think it will cancel the implicit deny all (hidden line = implicit), so I will be specific with the public server IP address here.
I have my exam on the 8th; please, everyone, pray for me, and if my list here is not correct please correct it so that it will not misguide anyone.
thanks
Anyone who wants to test anything, the best way is to download the ACL 2 sim from this website,
and in Packet Tracer try the ACL commands and check the results yourself.
Like I checked a question in Packet Tracer which had been disturbing me for many weeks:
VTY password,
if no password is set, telnet access is denied;
if a password is set and you enter no login,
you may telnet to the switch, but unless you set an enable secret password, it will be useless.
@waheed
Assalamu alaikum, brother Waheed
Will you please update us on your experience after completing the exam on the 8th? Inshallah, I pray to Allah that everything becomes easy.
About the access-list, EIGRP, VTP simulations plzzzzzzzzzzzz
I just compiled all the given conditions that I’ve read from the comment section
Practice this and you will have a good start!
I already have the answer and I will post it .
ACL LIST OF CONDITION:
(A)
*Host A should connect to Finance via web
*Deny Host A to reach Finance via anything else than web
*Deny other hosts access to the Finance Web Server via anything
*permit all to the servers
==========================
(B)
*permit host A to access Finance web server using https.
*block other connection from host A and LAN core to Finance web server.
*permit all other connections from LAN core to other servers.
===========================
(C)
*Host B should be able to use a web browser(HTTP)to access the Finance Web Server
*Other types of access from host B to the Finance Web Server should be blocked
*All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
*All hosts in the Core and local LAN should be able to access the Public Web Server
===========================
(D)
*The user on host C should be able to use a web browser to access financial information from the Finance Web Server.
*No other hosts from the LAN nor the Core should be able to use a web browser to access this server
*Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
===========================
(E)
*Host C should be able to use a web browser(HTTP)to access the Finance Web Server
*Other types of access from host C to the Finance Web Server should be blocked
*All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
*All hosts in the Core and local LAN should be able to access the Public Web Server
============================
(F)
*allow host B to access web service of finance server
*Deny host B and Core network to access any other services on Finance server
*allow access of public server for everything from everyone
=============================
(G)
*allow ONLY host C web access to the Finance Web Server.
*No other hosts will have web access to the Finance Web Server
*all other traffic should be allowed.
===============================
(H)
*permit host B from accessing finance server
*deny host B from accessing other servers (not the whole network)
*permit everything else
==============================
(I)
*Only allow Host C to access the financial server
*Not allow anyone else in any way communicate with the financial server
*Allow all other traffic
==============================
(J)
*Host C should be able to use a web browser(HTTP)to access the Finance Web Server
*Other types of access from host C to the Finance Web Server should be blocked
*All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
*All hosts in the Core and local LAN should be able to access the Public Web Server
================================
(K)
*Host C should be able to use a web browser to access the financial web server
*Other types of access from host C to the finance web server should be blocked
*All hosts in the core and on the local LAN should be able to access the Public web server *
================================================================
(A)
permit tcp host 192.168.33.1 host 172.22.242.23 eq www
deny ip any host 172.22.242.23
permit ip any any
(B)
permit tcp host 192.168.33.1 host 172.22.242.23 eq www
deny ip any host 172.22.242.23
permit ip any any
(C)
permit tcp host 192.168.33.2 host 172.22.242.23 eq www
deny ip any host 172.22.242.23
permit ip any any
(D)
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny ip any host 172.22.242.23
permit ip any any
(E)
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny ip any host 172.22.242.23
permit ip any any
(F)
permit tcp host 192.168.33.2 host 172.22.242.23 eq www
deny ip any host 172.22.242.23
permit ip any any
(G)
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny tcp any host 172.22.242.23 eq www
permit ip any any
(H)
permit ip host 192.168.33.2 host 172.22.242.23
deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit ip any any
(I)
permit ip host 192.168.33.3 host 172.22.242.23
permit ip any host 172.22.242.23
permit ip any any
(J)
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny ip host 192.168.33.3 host 172.22.242.23
permit ip any any
===================
feel free to comment if there is anything wrong with my commands :)
answer to (K)
The lettering of the last part was messed up, I’m sorry LOL
should be
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny ip host 192.168.33.3 host 172.22.242.23
permit ip any any
@SilverStone
I just read your post for the answers up to D; the ACL FOR D IS WRONG.
In the second statement you are denying everything; it should be something like this:
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny tcp any host 172.22.242.23 eq www
permit ip any any
So I did not read anything after your D. It seems a good effort, but always verify and double check anything before pasting, because people trust this site and mostly depend on it to pass the exam.
If I am wrong please update me as well; I will check later today.
I have my exam tomorrow;
hope to pass and share my experience tomorrow.
@Waheed
Thanks dude ! I didn’t notice it
correct answer for (D)
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny tcp any host 172.22.242.23 eq www
permit ip any any
@silver stone, will you please tell me what the www is,
i.e. permit tcp host 192.168.33.3 host 172.22.242.23 eq www?
@Anonymous
it means
www = port 80
which is web services (HTTP)
I suggest you review the well-known ports for a strong foundation
@silver stone
I need help with an access list, i.e. host C should be permitted to access the Finance web server and other hosts should be denied,
and all other hosts should be able to access the public web server.
My only doubt is: while configuring the Corp router I had given
Access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Access-list 100 deny tcp any host 172.22.242.23 eq 80
int fa0/1
ip access-group 100 out
Here, where do I have to permit the public web server?
plzzzzzzzzz help me in detail.
Thanks for helping with the above access list examples.
@Anonymous
can you please indicate your condition in detail?
you mean
Permit host C to access finance web server via web service
-No host should access the finance web server
-or No other hosts will have web access to the Finance Web Server
All hosts in the core and on the local LAN should be able to access the Public web server
@silver stone
-no host should access the finance web server
and
All hosts in the core and on the local LAN should be able to access the Public web server.
I am scared to take the exam, Silver Stone, but I need some help; I think you’re the right person….
You don’t need to be nervous. When will your exam be?
What is your review material?
I suggest you read books for a strong foundation, not relying only on dumps
*host c should permit to access the finance server via web
-access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
*no host should access the finance web server
-access-list 100 deny ip any host 172.22.242.23
[It doesn't indicate any specific protocol to be denied, that's why it's better to use this one]
*All hosts in the core and on the local LAN should be able to access the Public web server.
-access-list 100 permit ip any any
@silver stone
I had studied Sekhar and spike dumps and I want to take the exam on 11-4-13,
and I am referring to Richard Deal’s book. plz help me
Uhm what do you mean about richard deal books?
Goodluck it will be this week!
Do you have any problem on a certain topic?
to SilverStone: if HTTPS is required, don’t we have to use port 443 instead?
(B)
*permit host A to access Finance web server using https.
*block other connection from host A and LAN core to Finance web server.
*permit all other connections from LAN core to other servers.
then
acc 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 443
acc 100 deny ip any host 172.22.242.23
acc 100 permit ip any any
@sss
yes HTTPS is port 443
I’m sorry it should be HTTP instead of HTTPS
anyway though if the condition states it’s HTTPS it should be port 443 :)
thankfull to 9tut
Hi guys, I gave the exam yesterday and this sim was almost the same, and after entering all the commands, when I tried to enter ip access-group 100 out I got an error with ^ below the ‘g’ of group saying that this command is not valid. Did anyone else face the same issue or know why that would happen?? Also what’s the sim version for the current 802 lab??
@mars
have you cleared the exam?
@mars
how did you implement the command, if you got that kind of error?
@Mars I think you didn’t put – in between access-group… that might be the reason it is showing ^ below g… or else you were typing this command in global config mode, not specifying the interface to which you were going to apply it
I can’t believe it, passed today with a 986 score.
This sim was there with the second scenario; read the sim carefully. Thanks to all and best of luck to future test takers
congrats Islam!
you did well! what lab did you get?
and did you spike for the review?
Hi guys, hope you can help. megha posted this a few weeks ago and I am a bit confused with the answers. I think the correct answers should be the following; please can someone help, appreciate it.
statement 1 access-list 100 permit tcp host 192.168.33.3 host 172.22.63.17 eq 80
statement 2 access-list 100 deny ip any host 172.22.63.17
9tut states that if the public server doesn’t have an IP address we can use permit ip any any; however it does have an IP address.
The Public Web Server in the Server LAN has been assigned an address of 172.22.63.18
statement 3 should be access-list 100 permit ip any host 172.22.63.18
please can someone clarify this
thanks
so statement 3 should be
can anyone please explain this question:
QUESTION NO: 461 CORRECT TEXT
A corporation wants to add security to its network. The requirements are:
- Host B should be able to use a web browser (HTTP) to access the Finance Web Server.
- Other types of access from host B to the Finance Web Server should be blocked.
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked.
- All hosts in the Core and on local LAN should be able to access the Public Web Server.
You have been tasked to create and apply a numbered access list to a single outbound interface. This access list can contain no more than three statements that meets these requirements.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”
The Core connection uses an IP address of 198.18.222.65
The computers in the Hosts LAN have been assigned addresses of 192.168.86.1 – 192.168.86.254.
host A 192.168.86.1
host B 192.168.86.2
host C 192.168.86.3
host D 192.168.86.4
The Finance Web Server has been assigned an address of 172.22.63.17
The Public Web Server in the Server LAN has been assigned an address of 172.22.63.18
Answer:
Corp1#configure terminal
Our access-list needs to allow host B – 192.168.86.3 to the Finance Web Server 172.22.63.17 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.63.17 eq 80
All hosts in the Core and on local LAN should be able to access the Public Web Server
Corp1(config)#access-list 100 permit ip any host 172.22.63.18
All other traffic is denied
Corp1(config)#access-list 100 deny ip any any
Apply this access-list to the LAN interface (need to figure out the interface to apply it to based on the topology diagram)
Corp1(config)#interface fa0/0
Corp1(config-if)#ip access-group 100 out
(here in the answer I have confusion on this line:
Our access-list needs to allow host B – 192.168.86.3 to the Finance Web Server 172.22.63.17 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.63.17 eq 80)
@Silverstone please can you re-check number J; your question and reply are the following
(J)
*Host C should be able to use a web browser(HTTP)to access the Finance Web Server
*Other types of access from host C to the Finance Web Server should be blocked
*All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
*All hosts in the Core and local LAN should be able to access the Public Web Server
ANSWER
(J)
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny ip host 192.168.33.3 host 172.22.242.23
permit ip any any
Surely it should be the following:
permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
deny ip any host 172.22.242.23 and not deny ip host 192.168.33.3 host 172.22.242.23??
permit ip any any if the public server did not have an IP address. thanks
@islam
Congrats man, you have done it;
I think lots of hard work is behind that.
Thanks to almighty God, who saw me through my CCNA training and exam. I appreciate the effort of Mr PAT, Rolex, Lucas and all the students at New Horizon. 9tut, you guys are doing great work; I met access list 2, EIGRP, VTP in my exam, the same …… I had 920 …… staying addicted to 9tut is a sure thing
for this statement – access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 – how would I know that the wild card mask is 0.0.0.15?
oh never mind, I see from the running config that the mask for 172.22.242.30 is 255.255.255.240, which is wildcard 0.0.0.15
@nadeem
The lettering on the lower part of my post is a little bit scrambled. I forgot to put the letter (K) condition on the answer list. I can’t edit that post but I already mentioned it in my other comment :)
Thank you for mentioning it again
(J)
*Host C should be able to use a web browser(HTTP)to access the Finance Web Server
*Other types of access from host C to the Finance Web Server should be blocked
*All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
*All hosts in the Core and local LAN should be able to access the Public Web Server
================================
(K)
*Host C should be able to use a web browser to access the financial web server
*Other types of access from host C to the finance web server should be blocked
*All hosts in the core and on the local LAN should be able to access the Public web server *
==============================
(J)
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny ip any host 172.22.242.23
permit ip any any
(k)
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny ip host 192.168.33.3 host 172.22.242.23
permit ip any any
@SilverStone
Thanks for your compilation on the various conditions.
Apart from the ones you corrected, I think for condition D the answer should be:
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny tcp any host 172.22.242.22 eq www
permit ip any any
Please comment.
@9tut
I have also noticed that the last statement is always permit ip any any, even if the requirement is more precise. Can’t we adjust the last statement to meet the requirement exactly rather than using the general statement? Should it have any effect on how Cisco would mark that one??
@Petit
yep, that is correct :)
I already corrected it in my previous comment
Thanks !
About the last statement:
it can be more specific, but some takers shared their experience that when they
input the command permit ip any any they got 100% on their ACL2
@nadeem, did you get any answer for your ACL question in the actual test that you asked about? I’m confused about it too… but I’m practicing SilverStone’s conditions! Thanks SilverStone
Hi, can anybody help me? I can download the access list sim from the above link; it downloads, but when I go to open it, it gives me a message that it is an invalid file. I have version 5 of Packet Tracer.
@Ishfaq
you need to download the latest version of packet tracer in order to access it
same ACL2 in my exam, I have passed,
a little change: create the ACL for host D
wow! do you encounter new questions saran?
@lorikeet
no, I am still waiting for somebody to clear this up for me. Can anybody help me with my previous post please?
@lorikeet
silverstone is correct; however if you read the ACL question it does mention the public server, and 9tut states that if this is mentioned you should write this ACL statement and not permit ip any any. Can someone clear that up please?
@nadeem
yeah, it was mentioned in the ACL condition
If I will apply it on real world scenario I will input the command
access-list 100 permit ip any host [public web server] instead of the permit ip any any
==================
Maybe it’s a glitch for ACL? LOL
I have a buddy who tried to input the specific command but he did not get 100% .
That’s why 9tut recommends using access-list 100 permit ip any any
@ Silverstone
thanks for your quick response, so I should be OK in the exam with access-list 100 permit ip any any,
as this will also qualify for the 3 statements too
@SilverStone
thanks a lot, I tried it and it is working with the latest version.
@SilverStone
thanks a lot
I don’t remember right offhand, but for the VTP sim on the test do you click on the router or the computer next to it? If you click on the computer next to it, do you have to telnet into the router? I took the test on Mar 30 and because I thought I knew enough of the commands I didn’t pay attention to the labs. Now getting spun up for the 27th Apr 13.
failed today :( ACL2 EIGRP VTP
my VTP was buggy so beware
Don’t beat yourself up over it. Attempted it without looking at these labs and made a 646, so on the 27th will do it again. So pick yourself up and do it again.
Many people are reporting that the questions have changed. Can anybody update these questions?