CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt
Corp1>enable (you may enter “cisco” as it passwords here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
Some modifications:
Modification 1:
| permit host B from accessing finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| deny host B from accessing other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| permit everything else | access-list 100 permit ip any any |
Modification 2:
| Only allow Host C to to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Not allow anyone else in any way communicate with the financial server | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
| - Host C should be able to use a web browser(HTTP)to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| - Other types of access from host C to the Finance Web Server should be blocked - All access from hosts in the Core or local LAN to the Finance Web Server should be blocked |
access-list 100 deny ip any host 172.22.242.23 (because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN) |
| - All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need new version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
Other lab-sims on this site:
I think you took the new test. There is a new one but you can still take the old one up until Sept according to the Cisco website. So I test next weekend and it is the old one. IF by chance I dont make it I will schedule the old one until I do.
I think they just want to cause panic on all takers spreading false rumors
968/1000 Thanks 9tut, the questions are the same as what is on 9tut, read the tutorials, memorize the questions you will have no issue. ACL2/VTP/EIGRP, Same as what 9tut says, memorize the variations.
Congrats Budd!
can you sare some your experience with the labs?
just to be sure,
when they say that the access-list needs to contain 3 sentences
did that include the deny any at the end?
or it’s obvious and it’s not counted
PASSED TODAY 894/1000, PPL!!! THX TO 9TUT AND PASS4SURE. SO F****NG HAPPY :DDDDDDDD
Ok in regards to the acl sim i got my answer looked like this
access-list 100 permit tcp host (Host^) host (finance server) eq 80
access-list 100 deny ip any host (Finanace Server)
access-list 100 permit ip any any
interface fa0/1
ip access-group 100 out
I got 100% in ACL. Take care, and no i do not have dumps everyone asking for dumps should just go to examcollection.com, and stop spamming this site asking for dumps.
Passed yesterday with 1000/1000 marks. I got this lab in my exam with little changes. Best of luck guys!!!!!!
Today had given exam but fail
i have got EIGRP,ACL
the eigrp lab is very easy compare to acl but my time was wasted in acl only
Simple question :Allow the host D to fianance server
block the Host d frm accessing ths host to finanace server.
permit all hosts to public server.
and just concentrate on drag and drop,Spike questions dnt mug the answers. it may cause fail and wish all the very best friends……….
Passed today 933/1000 Thanks Sekhar.Dump still 100% valid laps (EIGRP,ACL2,VTP) same as 9tut
Budd access-list 100 deny ip any host (Finanace Server) why this??
which one is correct?
access-list 100 deny tcp any host 172.22.242.23 eq 80
or
access-list 100 deny ip any host (Finanace Server)
@Georgia: If you want to deny just the web traffic (its what question asks), you must use the first. If you want to deny any traffic from any host, you use the second.
hi GHORBA it is the still the same questions as 9tut ?regard sam.
Hello,
For the ip-access group 100 command,
should’nt it be : int f0/1
ip-access group 100 in, because for extended ACL’s the access list should be applied closest to the source, so when it is coming from the host c, it is coming in to the CORP 1 router.
As a rule of thumb, I remember
STANDARD ACLS = APPLY CLOSEST TO DESTINATION AS POSSIBLE
EXTENDED ACLS = APPLY CLOSEST TO SOURCE AS POSSIBLE
Please help I’m so confused right now, also will this ACL be on the real exam.
Thanks,
Zain
Yes this will be on the exam. I am in Kosovo and I encountered it last month. I think the reason they are saying it is applied on FA 0/1 is because of the Core networks. I know to me this doesnt make much sense as the exam doesnt ask you to block anything other than host .3 as was on mine. I hope this can be cleared up before Friday as I dont want to have to retake this a third time. The sims people mentioned earlier is what you will encounter.
Other types of access from host C to the finance web server should be blocked
Host C should be able to use a web browser to access the financial web server
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the finance web server should be blocked
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
kindly explain me the second command… i didnt understand it help me…
Host C should be able to use a web browser to access the financial web server
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the finance web server should be blocked
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 ?????
kindly explain me the second command… i didnt understand it help me…
Host C should be able to use a web browser to access the financial web server
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the finance web server should be blocked
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 ????? Why
access-list 100 deny ip any host 172.22.242.23 eq 80 ….. according to me it is right one. Help me
All hosts in the core and on the local LAN should be able to access the Public web server access-list 100 permit ip any host
Please anyone Clarify me…..
the “deny Ip” is blocking all types of access. When you want to specify a port, you use “tcp” instead of “ip”.
@ruhail
…the deny statement you have up is wrong because the question isn’t asking to block web access specifically. It wouldn’t because the first statement is allowing web traffic. “other types of access” mean all other then web access, in which case you would say “access-list 100 deny ip host 192.168.33.3 host 172.22.242.23″
hope this helps
third example in “Some modifications” in my today CCNA exam
@pb
…did you issue the “ip any any” statement or did you specify a host address on your third line?
Hi guys i am going to take the exam CCNA. can anyone plz send me the valid dumps
? thank you.
Hi guys i am going to take the exam CCNA. can anyone plz send me the valid dumps
? thank you. pkst0107@yahoo.com
please i need latest. ccna dumb … i’ll be really grateful if anyone cares
my email elahly_egypt_2000@yahoo.com
please i need CCNP dumps if any one have ,, i’ll b grareful ,, if any one could sent it to this email add .. burhan.hussaini@live.com
thanks !
@SilverStone u have posted the right answer of D
@Waheed your answer is wrong
*Host C should be able to use a web browser to access the financial web server
*Other types of access from host C to the finance web server should be blocked
*All hosts in the core and on the local LAN should be able to access the Public web server *
================================================================
correct answer for (D)
*permit tcp host 192.168.33.3 host 172.22.242.23 eq www
*deny ip any host 172.22.242.23 eq www (we have to deny the other type of access so for this deny ip, not asking about web browser )
*permit ip any any
Dear @Waheed @ silverStone…
I am wrong… sorry for the above post…… it is totally wrong………. apologize
PASS today. 907. People watch the ACL and do a running config after to make sure it stuck. Mine didn’t and had to redo it. Then it stuck. EIGRP, VTP, and ACL. The VTP was really squirly an couldn’t put in command CDP at all. SO be watchful. Thank god. Osama you have everything you need here. I used Pass4Sure and they have the same things.
Will this work?
access-list 100 permit ip host 192.168.33.3 host 192.22.242.23
instead of
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
John each test is different. My second line was IP instead of TCP as it said block all. Your first line should be TCP.
Guys…just passed the ccna yesterday. Be careful of the acl 2 simulation, i used “access-list 100 permit ip any host (public web server)” for the last line though the situation is to specifically permit access to public web server from all host. It gave me a score of only 60%.. This confirms, there is a bug in acl2 simulation. Use “access-list 100 permit ip any any” instead.
I took the exam a few days ago and unfortunately the labs were not working. Indeed, I was not able to type the letters on the keyboard (especially with letters “a” and “c”) to enter the commands. As a result, I was not able to pass the exam and the CCNA center is still not able to solve the problem !
I had thesame problem, the router will not take any configuration saying that its not allowed or not expected, when i have 100% assurance that it was the right thing. I tried to save using copy run start it would not take it copy running-config start-config it didnt accept anything wasted so much time on it and counld not do it neither was i able to finish. So i couldnt get make the mark, so painful that the questions were just all the three here in 9tut eigrp accesslist and vtp
Please help i want to give ccna exam After 10 days please sent Latest dumps on
naifhamed2000@yahoo.com
I had the same problem when I took the exam one month ago I typed the command access-list 100 but received a error message saying that this command was not allowed but I when typed ip ? I saw that was the command then I thought that maybe it’s working but doesn’t appear on the sim where I was working on but at the end of the lab I failed just because of that lab
Network users are complaining that they cannot access resources on the LAN attached to interface e0 ofthe Production router. Which of the following commands will display current IP addressing and the Layer 1 and Layer 2 status of this interface? (Choose three.)
A.
Production# show version
B.
Production# show protocols
C.
Production# show interfaces
D.
Production# show controllers
E.
Production# show ip interface
F.
Production# show startup-config
Some say answer is BDE and some say is CDE ????
which one is true
I took the exam and you should use “permit ip any any” for public web server!!! i used the ip of the public server and i did not get the points!
I just nailed it with 986/1000. All questions came from SEKHAR, except maybe 1 extra which I don’t remember exactly, something about configuring SSH-only input on the router using “transport input ssh”.
Labs were ACL2, EIGRP and VTP, but in VTP one of the questions had some new “catches”: Q6 “From where did Sw-Ac3 receive VLAN information?” – the same as 9tut, but when typing “sh vtp status” I didn’t see the last line saying “Configuration last modified by” or anything similar. I solved it by typing just “show vtp” instead and I got “Last update by 192.168.1.250 on VLAN1″ or something along that line. Now a new problem – this IP didn’t match anything in “sh cdp neighbor”, so I checked “sh ip int brief” and there it was: VLAN1 with IP address 192.168.1.250 – the right answer was: last update was received locally (Sw-Ac3).
In the ACL2 lab, last requirement was “All hosts in the Core and local LAN should be able to access the Public Web Server” so I did just what 9tut says: “access-list 100 permit ip any any” instead of “access-list 100 permit ip any [IP address of Public Web Server]” and I got maximum points!
By the way, TAB and “?” worked during the sims.
Many thanks to SEKHAR and all of you who made this site possible! You are making the exams look like piece of cake :)
Hi guys i am going to take the exam CCNA. can anyone plz send me the valid dumps
? thank you. tharakanuwancool@gmail.com
passed my exam today!yaaay!
thanks to 9tut, Brar, Spike n ofcourse to all the comments posted by test takers!
n thanks to God :)
Data backup online is not too hard. My computer documents are all encrypted at http://twentie.com/backup Their cloud is the fastest and also free.
and also to Todd Lammel’s book 6th edition
Please can anyone help me with the link to microsft exam dumps. 76-647 windows server 2008. Enterprice Administrator. my email kenec090@yahoo.com
mks, your comment below clears up alot for me! thanks!
**the “deny Ip” is blocking all types of access. When you want to specify a port, you use “tcp” instead of “ip”.**
i cannot make the check ?!!
Passed today with 907/1000
The question was to
1. allow host c web access to finance server.
2. Deny all others from access to finance server.
3. Allow access for public server for all.
All in 3 statement.
plz send me latest dumps on khaleddn@yahoo.com
thanks
Could you please SHUT UP about those dumps already? Comment section is for legit discussions about exams, sims etc. And if you can’t find them by yourself what IT guy are you anyway?…