CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Also, some modifications to the access-list have been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply the access list inbound on Fa0/0, we can only filter traffic from the LAN network; traffic arriving from the Core never crosses that interface.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
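As an added example (not from 9tut, the sim, or the exam), the following Python model replays the three-line access-list above against constructed test traffic so you can see first-match evaluation, the implicit deny at the end of every ACL, why the final “permit ip any any” keeps FTP/SMTP/ICMP flowing, and why the placement matters: applied outbound on Fa0/1 it inspects both LAN and Core traffic, applied inbound on Fa0/0 it never sees the Core. The interface names fa0/0 and fa0/1 are from the answer; the serial interface name s0/0 and the default route toward the Core are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addressing from the question: LAN on Fa0/0, server LAN on Fa0/1, Core at 198.18.196.65.
# The serial interface name "s0/0" and a default route toward the Core are assumptions.
ROUTES = {
    "fa0/0": ipaddress.ip_network("192.168.33.0/24"),
    "fa0/1": ipaddress.ip_network("172.22.242.16/28"),
    "s0/0": ipaddress.ip_network("198.18.196.64/30"),
}

def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    w = _ip(wildcard)
    return (_ip(addr) | w) == (_ip(base) | w)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    ingress: str = "fa0/0"     # interface the packet arrived on

def parse_ace(line: str) -> dict:
    """Parse one numbered extended ACE such as
    'access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80'.
    Handles 'host X', 'any', 'X wildcard' and an optional trailing 'eq <port>|www'."""
    tok = line.split()
    assert tok[0] == "access-list", line
    action, proto = tok[2], tok[3]
    pos = 4

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, dst = take_addr(), take_addr()
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        port = 80 if tok[pos + 1] == "www" else int(tok[pos + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *ace["src"]):
            continue
        if not wildcard_match(pkt.dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"]
    return "deny"   # implicit deny at the end of every ACL

def egress_for(dst: str) -> str:
    for name, net in ROUTES.items():
        if ipaddress.IPv4Address(dst) in net:
            return name
    return "s0/0"   # assumed default route toward the Core

def forward(pkt: Packet, acl: list, applied_on: str, direction: str) -> str:
    """'permit' if the packet crosses the router with `acl` applied on interface
    `applied_on` in `direction` ('in' or 'out'); traffic that does not pass through
    that interface in that direction is not inspected at all."""
    inspected = (direction == "in" and pkt.ingress == applied_on) or \
                (direction == "out" and egress_for(pkt.dst) == applied_on)
    return evaluate(acl, pkt) if inspected else "permit"

ACL_100 = [parse_ace(l) for l in (
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
)]

FINANCE = "172.22.242.23"
CASES = {   # constructed test traffic, addresses from the question
    "hostC_http": Packet("192.168.33.3", FINANCE, "tcp", 80),
    "hostA_http": Packet("192.168.33.1", FINANCE, "tcp", 80),
    "hostA_ftp":  Packet("192.168.33.1", FINANCE, "tcp", 21),
    "hostA_ping": Packet("192.168.33.1", FINANCE, "icmp"),
    "core_http":  Packet("198.18.196.65", FINANCE, "tcp", 80, ingress="s0/0"),
}

def results(applied_on: str = "fa0/1", direction: str = "out") -> dict:
    """Verdict per test flow for a given ACL placement."""
    return {name: forward(p, ACL_100, applied_on, direction) for name, p in CASES.items()}

if __name__ == "__main__":
    for placement in (("fa0/1", "out"), ("fa0/0", "in")):
        print(placement, results(*placement))
```

With the ACL outbound on fa0/1, only host C's HTTP flow is permitted to the Finance server while host A's FTP and ping still pass (that is the caveat in the note above); with the same ACL inbound on fa0/0, the Core's HTTP flow is never inspected and goes through. Dropping the final “permit ip any any” makes host A's FTP hit the implicit deny.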
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:

| Requirement | Command |
| --- | --- |
| Permit host B to access the Finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| Deny host B access to the other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| Permit everything else | access-list 100 permit ip any any |

Modification 2:

| Requirement | Command |
| --- | --- |
| Only allow host C to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Do not allow anyone else to communicate with the financial server in any way | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |

Modification 3:

| Requirement | Command |
| --- | --- |
| Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN) |
| All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server): if the question asks this, it surely gives you the IP of the Public Web Server; but in the exam you should use “access-list 100 permit ip any any” |

Modification 4:

| Requirement | Command |
| --- | --- |
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (IP of Public Web Server): the IP of the Public Web Server will surely be given in this question; but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the command for “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should perhaps use the first command, “access-list 100 permit ip any any”, instead, as some reports say they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a newer version of Packet Tracer (v5.1+) to open it.
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
I wrote on Friday, and I got 735 but I'm not sad. Let's say it was to permit host C to use HTTP but the IP was different,
and the interface was fa0/0.
I configured it that way:
access-list 100 permit tcp host xxxx host xxxx eq 80
access-list 100 permit tcp any host xxxxx eq 80
access-list 100 permit ip any any
interface fa0/0
ip access-group 100 out
That's what I did, but I'm not so sure about the interface; the IP was on that interface... help
@mr major
Your 2nd access-list line should be ‘deny’ not ‘permit’. Sorry that cost you a pass.
What must I do to get the full version of VCM? Or if someone can send it to me at sopprusbarbosa@hotmail.com
Can someone please help me fast? I am having a hard time opening ACL SIMS 1 and 2. All I get is “invalid packet tracer file”. I use Packet Tracer v5.0.
You can email it to my inbox: babarindetosin@gmail.com
My exam is on the 25th and I need it so badly.
Thanks for your help...
I did my exam on 5 Oct 2012.
My config was as follows:
access-list 101 permit tcp host xxx host yyy
access-list 101 deny ip any host yyy
access-list 101 permit ip any any
int fa0/1
ip access-group 101 out
I got this sim today. This sim is just like it is on the real test with different IP addresses.
Hi there, I had my exam today and there are some changes on this lab. I failed :(
@ ezuedeen
As you can see in the question, servers should be assigned from the range 172.22.242.17 – 172.22.242.30 (network 172.22.242.16, wildcard mask 0.0.0.15 used), and you see only servers in the network.
What does “Some modifications” mean? Could those lab variations be in the real exam, or just the one at the top of this lab?
Thanks!
Alhamdulillah!!! Passed the exam today with 960, thanks to almighty Allah, 9tut and examcollection. No need to get scared guys, study SEKHER dumps and 9tut, it's enough to pass the exam easily. Today had EIGRP, ACL, VTP simulations the same as in 9tut.
Wish u the best !!!
I have given the CCNA exam today; thanks to 9tut I passed successfully with 973 marks.
Sims are valid, I got:
access list (with little modifications)
VTP sim
EIGRP sim
Apart from this site, study dumps by brar from examcollection.
Any new dumps?
Guys, were the answers for the VTP question exactly the same as the dumps or different? Same with the EIGRP question. When I took the exam yesterday the IP addresses were different for EIGRP.
Please respond guys. thanks.
Can we get the same model of questions... meaning a change in IP address or hosts doesn't matter...
Can anybody tell me...
I'm taking the exam on 17-10.
Thanks...
Today, I passed the exam with 973 marks.
Labs were EIGRP, ACL, VTP.
Thanks to examcollection and 9tut!
Hello, I have my exam Friday. Please, I need your help: somebody who wrote his this week, can you tell me what the tasks of the ACL sim (the scenario) were that you saw, and what some of the VTP questions were that you can remember? Please help me.
Can someone send me the latest dump?
Please...
bharat.dande@usa.com
Can someone send me the CCNA dumps please? Mail id: vivekmana21@gmail.com
Hello Shoaib Sheikh, please help me and guide me about CCNA.
If there is a statement in the exam along the lines of:
“Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.”
We should use the “permit ip any any” statement as the last statement of our access-list. If we only configure the statement “permit ip any host 172.22.242.23”, then this will be followed by the implicit deny-all statement, blocking traffic to the other servers on the LAN. We don't want this.
Good luck!
My date is on Friday, worried about EIGRP. I don't know if there is another idea for solving them, but what I know is: change the AS numbers, add the network, no auto-summary, and remove the network. Are there any ideas on default route or any config? Please help if you guys can.
@9tut
Hi 9TUT
It's one week now! I can ping and access the web as desired from PC1–4 without any problems. In Packet Tracer, how do I use a PC with the console? Does it need to be on a separate network and what IP address should it have? It is really driving me crazy; your help will be welcome.
Thanks
All I want to do is test access from the CORE: can it access the 172.22 network or not?
Please reply as early as possible. God Bless You!
@BMW
Copy paste your config here.
Dear Mike,
Many thanks for your quick reply. Please note that I am simulating this scenario in Packet Tracer and I can perform what has been asked, except that I don't know how to test from the Core side! Below is the config:
interface FastEthernet0/0
ip address 192.168.33.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 172.22.242.30 255.255.255.240
ip access-group 100 out
duplex auto
speed auto
!
interface Serial2/0
ip address 198.18.196.66 255.255.255.252
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
access-list 100 deny tcp any host 172.22.242.23 eq www
access-list 100 permit ip any any
Dear Mike,
Ignore that; as usual my fault, using the wrong cable from Core to PC (should be X-over), not the blue console cable.
Please keep it up, you people are simply the BEST!
Need Shekhar dumps. Taking exam on 18 Oct. Please send me dumps on xpress.013@gmail.com
@Arif
Visit http://www.examcollection.com/640-802.html and you'll get it.
I cleared the CCNA exam, thank you 9tut. I need CCNP Switch dumps; where can I find them? Please help me with websites...
@Radeon & @Nanda Kumar N
OK, I understand :) thanks a lot!
@chris
Thanks bro.
What version of Packet Tracer is being used?
Please, can anyone tell me if Sekhar dumps will be valid till 17th Oct 2012?
Please, can somebody tell me if there are some changes in the EIGRP sims? Please, I have my exam on 18th Oct. I need help.
And for ACL too?
Failed today with 749. The config shown here I think is wrong, because I got 20% for “implement, verify, troubleshoot NAT and ACLs in a medium-size enterprise branch office network”... or am I wrong?
@hendricko
9tut gives you a great hint about the sims. You didn't pass because of memorising Q&A. Forget about it and just study.
Hi, please can somebody help me to resolve this?
– Host B should be able to use a web browser (HTTP) to access the Finance Web Server
– Other types of access from host B to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
– All hosts in the Core and local LAN should be able to access the Public Web Server
According to me the answer is:
-Access-list 101 permit tcp host ‘host c ip addr’ host ‘financ serv ip addr’ eq 80
-access-list 101 deny ip any host ‘ip addr financ serv’
-access-list 101 permit ip any any
Am I right? If I have made some mistakes please correct me. Thanks.
And I forgot to apply:
-int fa0/1
ip access-group 101 out
end
The 1st statement is incorrect, as the source host should refer to the “host B IP address”.
It's true, it is a mistake; it's host B that I wanted to put, but I was very focused on host C, that's why I made an error. Is it only this mistake?
yes, I agree with ezuedeen
Questions:
permit host B from accessing finance server
deny host B from accessing the OTHER server (not the whole network)
permit everything else
Answer:
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit ip any any
* shouldn't it be
access-list 106 permit ip host 192.168.33.2 host 172.22.242.23
access-list 106 deny ip host 192.168.33.2 172.22.242.16 0.0.0.7
access-list 106 permit ip any any
* I tested on Packet Tracer and added another server on the 172.22.242.16/28 network
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15: blocks host B from accessing the entire network.
Whereas:
access-list 106 deny ip host 192.168.33.2 172.22.242.16 0.0.0.7: blocks the servers but not the entire network
172.22.242.0001 0001 = .17 Public Web Server
172.22.242.0001 0100 = .20 DNS Server
172.22.242.0001 0111 = .23 Finance Web Server
------------------------------------------------------
172.22.242.16 /29
* any advice on which is the right answer please...
Please, what if I type the command show running-config and I do not see the IP address 172.22.242.30 255.255.255.240?
Thank you
Can anyone explain this to me...
permit host B from accessing finance server
deny host B from accessing the OTHER server (not the whole network)
permit everything else
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit ip any any
WHY AND HOW IS THE SECOND STATEMENT CORRECT?
“access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15”
A question regarding:
deny host B from accessing the OTHER server (not the whole network): access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
If you should only deny host B from accessing the other server, then the wildcard bits cannot be 0.0.0.15???? It should also be host?
Please assist
I agree with you akkii, I have been breaking my head over this for the last hour, maybe it is a typo and should be servers?
@ akki & ella
The statement says that the servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30.
This is 13 addresses so we know that it has to be a block size of 16. 172.22.242.16 should be the network ID. The wildcard mask is always 1 less than the block size, so 0.0.0.15 is correct.
The first line “access-list 100 permit ip host 192.168.33.2 host 172.22.242.23”
allows host B access to the finance server.
The second line “access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15”
will deny host B all access to any other servers in the subnet, which is what is requested. You are only denying access to the server LAN here, not the entire network...
(This is the best answer because they only want three lines.)
The third line “permit ip any any” will allow anything else.
Hope this helps
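As an added example (not from any of the posters above), this Python snippet makes the wildcard-mask question in this thread concrete: it computes which addresses a “network wildcard” pair matches, derives the wildcard from a block size (block size minus one, as gimj says), finds the smallest aligned block that holds the server range 172.22.242.17 – .30 from the question, and checks the 0.0.0.15 and 0.0.0.7 masks against the addresses the page gives (Public Web Server .17, Finance Web Server .23, and the router's Fa0/1 address .30 from the answer). The address labels are taken from the page; nothing else is assumed.

```python
import ipaddress

def _i(a: str) -> int:
    """IPv4 dotted quad to integer."""
    return int(ipaddress.IPv4Address(a))

def _s(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_range(base: str, wildcard: str):
    """First address, last address and count matched by a Cisco 'base wildcard' pair.
    A 1 bit in the wildcard means 'don't care'; a contiguous wildcard such as
    0.0.0.15 therefore matches an aligned block of (wildcard + 1) addresses."""
    b, w = _i(base), _i(wildcard)
    first = b & ~w & 0xFFFFFFFF      # don't-care bits cleared
    last = first | w                 # don't-care bits set
    count = 2 ** bin(w).count("1")   # one address per combination of don't-care bits
    return _s(first), _s(last), count

def wildcard_for_block(block_size: int) -> str:
    """Wildcard mask for an aligned block of the given size: block size minus one."""
    return _s(block_size - 1)

def block_for_range(first_host: str, last_host: str):
    """Smallest aligned block (network, wildcard) containing every address from
    first_host to last_host inclusive, e.g. the server LAN 172.22.242.17 - .30."""
    lo, hi = _i(first_host), _i(last_host)
    size = 1
    while (lo // size) * size + size - 1 < hi:   # grow until one aligned block spans both ends
        size *= 2
    return _s((lo // size) * size), wildcard_for_block(size)

def covered(base: str, wildcard: str, hosts: dict) -> dict:
    """Which of the named addresses the base/wildcard pair matches (true wildcard
    comparison, so it is also right for non-contiguous wildcards)."""
    b, w = _i(base), _i(wildcard)
    return {name: (_i(ip) | w) == (b | w) for name, ip in hosts.items()}

# Addresses named on the page (labels as given there).
ADDRESSES = {
    "Public Web Server": "172.22.242.17",
    "Finance Web Server": "172.22.242.23",
    "Corp1 Fa0/1": "172.22.242.30",
}

if __name__ == "__main__":
    print("server range block:", block_for_range("172.22.242.17", "172.22.242.30"))
    for wc in ("0.0.0.15", "0.0.0.7"):
        print(wc, wildcard_range("172.22.242.16", wc), covered("172.22.242.16", wc, ADDRESSES))
```

Run stand-alone it shows that 172.22.242.16 with 0.0.0.15 covers .16 through .31 (the whole /28 server LAN, including the router's own .30), while 0.0.0.7 covers only .16 through .23; both masks match the Public and Finance servers, which is why the two ACLs behave the same for the servers the sim places in that range.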
@9tut and @Mike
Please, I need a suggestion about the posts of akkii and Ella. Which is correct???
I agree with gimj as they want ONLY 3 lines…