CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other host, whether on the LAN or in the Core, should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location, including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications to this access-list sim have also been reported, so you should read the “Some modifications” section at the end of this question. You can also download this sim to practice with (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (enter “cisco” as the password when prompted)
We should create an access-list and apply it to the interface connected to the Server LAN, because there it can filter traffic from both the Sw-2 and Core networks. The Server LAN has been assigned addresses 172.22.242.17 – 172.22.242.30, so we can guess that the interface connected to it has the IP address 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN. This is the interface to which we will apply our access-list, in the outbound direction.
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via the web (TCP port 80):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny all other hosts web access to the Finance Web Server:
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Permit all other traffic:
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to the Fa0/1 interface in the outbound direction:
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not Fa0/0) so that it can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, it could only filter traffic from the LAN network; traffic arriving from the Core would never pass through it.
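To see how the router evaluates these three statements, here is a small first-match evaluator written for this page (an added example, not part of the 9tut sim or its Packet Tracer file). It models only the address forms the answer uses (`any` and `host X`) and the `eq` destination-port match, and it runs a few constructed packets through the list as they would leave Fa0/1 toward the Server LAN. The Core connection address 198.18.196.65 from the question is used as a stand-in for a source behind the Core. It also shows what happens when `permit ip any any` is placed ahead of the deny.

```python
# Added example for this page: a minimal first-match evaluator for the
# extended numbered ACL built above. It is not part of the 9tut sim.
# Supported grammar (the subset the answer uses):
#   access-list N {permit|deny} {ip|tcp|udp|icmp} <src> <dst> [eq <port>]
#   where <src>/<dst> is "any" or "host A.B.C.D"
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a single host address
    dst: str
    dport: Optional[int] = None  # port from "eq N"; None when absent


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list 100 ...' line of the supported subset."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list statement: " + line)
    action, proto = tok[2], tok[3]
    pos = 4

    def take_address() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError("unsupported address form: " + tok[pos])

    src = take_address()
    dst = take_address()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        # IOS also accepts names such as "www"; the answer uses the number 80
        dport = 80 if tok[pos + 1] == "www" else int(tok[pos + 1])
    return Entry(action, proto, src, dst, dport)


def matches(e: Entry, p: Packet) -> bool:
    """Every field of the entry must match; 'ip' and 'any' are wildcards."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.src != "any" and e.src != p.src:
        return False
    if e.dst != "any" and e.dst != p.dst:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """IOS semantics: the first matching statement decides; a packet that
    matches nothing hits the implicit deny at the end of every ACL."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# The three statements from the answer, in the order they were entered.
ACL_100 = [parse_entry(line) for line in (
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
)]

# The same statements with 'permit ip any any' moved ahead of the deny.
ACL_100_MISORDERED = [ACL_100[0], ACL_100[2], ACL_100[1]]

FINANCE = "172.22.242.23"
CORE_SIDE = "198.18.196.65"  # Core connection address, used as a stand-in source

# Constructed sample traffic leaving Fa0/1 toward the Server LAN.
SAMPLE = {
    "host C http":   Packet("tcp", "192.168.33.3", FINANCE, 80),
    "host A http":   Packet("tcp", "192.168.33.1", FINANCE, 80),
    "core http":     Packet("tcp", CORE_SIDE, FINANCE, 80),
    "host A ftp":    Packet("tcp", "192.168.33.1", FINANCE, 21),
    "host A ping":   Packet("icmp", "192.168.33.1", FINANCE),
    "host A public": Packet("tcp", "192.168.33.1", "172.22.242.17", 80),
}


def decisions(acl: List[Entry]) -> Dict[str, str]:
    """Run every sample packet through the ACL and report the verdicts."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in decisions(ACL_100).items():
        print(f"{name:14s} -> {verdict}")
    print("misordered, host A http ->", decisions(ACL_100_MISORDERED)["host A http"])
```

With the statements in the answer's order, only host C's HTTP packet is permitted to the Finance Web Server, while host A's FTP and ping, and any traffic to the Public Web Server, fall through to the final permit. With `permit ip any any` moved up, the deny is never reached and host A's HTTP is permitted, which is why the order of the three lines matters.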
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents the other hosts from reaching the Finance Web Server via the web. If the server offers other services, such as FTP or SMTP, the other hosts can still reach those, because the third statement permits them.)
Notice: In the real exam, you might be asked to allow a different host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
| Requirement | Command |
|---|---|
| Permit host B to access the Finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| Deny host B access to the other servers (the Server LAN, not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| Permit everything else | access-list 100 permit ip any any |
Modification 2:
| Requirement | Command |
|---|---|
| Only allow host C to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Do not allow anyone else to communicate with the financial server in any way | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
| Requirement | Command |
|---|---|
| Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (the requirement allows no more than three statements, so we have to use “any” here to cover both host C and the hosts in the Core and local LAN) |
| All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host <IP of Public Web Server> (if the question asks this, it must give you that IP), but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
| Requirement | Command |
|---|---|
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host <IP of Public Web Server> (the IP will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the requirement “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command is “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is the better one, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports say they got 100% with it (even when the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
In the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and write the access-list accordingly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1+) to open it. Download this sim here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt
Notice: After typing the commands above, if you ping from the other hosts (PC0, PC1, PC3), PC4 (the Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can watch how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server. We have to create an access-list that can filter this traffic too.
I passed CCNA today. I got this sim today. Different IPs, and it asked for host D to access the finance web server, block all others to the finance web server and allow all others to the public web server. Only 2 web servers. Testing is possible only by web browser, so learn and understand. In the real exam you cannot test all other traffic, you can test only HTTP.
Iam forget, thank 9tut !
I failed with 801/1000. I don’t know how I failed. So sad and crying.
my scores are
D — 50%
C — 64%
I — 83%
C — 77%
E — 100%
I — 67%
I — 100%
I — 67% … can someone tell me which section I should study again and how I can pass the next exam?
But I think I can’t take the 640-802 exam again.
I’ll try harder and harder in the new 200-120 exam.
linux, we are in the same boat, let’s try harder. The sims are too tricky.
anthony
It seems we should practice ACLs, EIGRP and VTP. Advice please.
867/1000
Anyone who wants to pass 640-802 must know all the questions from here (visible on 9tut), and on the exam you will have about 70% of the questions from here. The other 30% is luck, Spike dumps or your knowledge from tutorials… And also just learn the labs, very good practice; you can see here that VTP, EIGRP and ACL2 are almost the same with small differences.
I have reliable information that from 1 October 2013 the Cisco exam moves to a new version. So all these questions and labs you can see now will not be in the new version!
YOU ALL MUST PASS THE EXAM BY THE END OF SEPTEMBER 2013!
I passed the exam this morning, got 973.. VTP sim, EIGRP and ACL2 were all there.. Review all the show commands! The VTP sim is very tricky! Thanks 9tut
Thank you 9tut :) I got 973/1000 :)
Are the exam labs the same as the 9tut labs?
815/1000…. SO CLOSE! damn
Hi Guys,
I just want to know, for the ACL 2 question “All hosts in the core and on the local LAN should be able to access the Public web server”, which command must I use?
Is it “access-list 100 permit ip any any” or “access-list 100 permit ip any host” followed by the public web server’s IP? Please do help out.
@Razor: You must use “access-list 100 permit ip any any” to get full score for this sim.
Thanks 9tut,
but doesn’t “access-list 100 permit ip any host” followed by the public web server’s IP look like the better choice?
@Razor: Yes, the command “access-list 100 permit ip any host and followed with the public web server’s IP” is really a better solution but as I mentioned in the explanation of that sim, it is a bug in the exam.
Today I passed the CCNA exam. This site was really helpful. I was presented with 50 questions in total and 3 labs:
- Access list just as in the example explained by 9tut (using an extended ACL allowing only one host to connect to the HR server)
- EIGRP similar to this lab, but they changed the AS to 23; be prepared to learn the concepts, do not memorize the labs.
- VTP very similar too, but they changed the format of some of the questions.
- Not many questions on IPv6, max 2
I recommend to study the VCEs excellent dumps @ examcollection.com
Hope this helps for someone else
@9tut Hey guys! I was studying a Pass4sure exam and I got this same simulation, but the answers are different and, well, for me it makes sense. I would like to know what you think:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server
access-list 100 permit tcp host 192.168.86.2 host 172.22.63.17 eq 80
- All hosts in the Core and local LAN should be able to access the Public Web Server *
access-list 100 permit ip any host 172.22.63.17
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
access-list 100 deny ip any any
It’s like the one posted here, but it is written in another way. I’d like to know what you think, and if the version posted on this site really works for the exam.
Thank you for your time!
Hi guys I know this is CCNA block can any one help me which link I can find MCSE dumpster pls
Just passed with 894... it was hard.. Sims: VTP, EIGRP and ACL.. Manage time wisely or it will run out.. Oh, the show mac-address-table command doesn’t work in the VTP sim. My Cisco Academy class made the difference.
I am planning to take the Exam on Thursday 1st August……. any advice from you guys ??????
I passed CCNA today with 920/1000 :)
Most of the questions were on 9tut.com. Beware that the multiple choice answers are in a different order to those seen in examples on the net. Don’t just remember the position of the answer. Some questions had different answers, but there were very few that were different to 9tut.com. The SIMs were ACL2, EIGRP and VTP. Hardly any subnetting. The EIGRP was different due to it having a different AS number. The passive interface was facing the Internet provider, so ignore this. I finished with 30 minutes to spare, so do not panic about time, there is plenty of it. The interface for the SIMs is quite limited and you can only get to the routers/switches you should be able to. You can’t access the others without a PC on the screen with a rolled cable on it. Beware that once you have finished with the CLI and you want to go back to the topology there is a tiny ‘Go back to Topology’ button on the bottom left coloured in blue. Took me ages to work that out.
I wish all of you the very best of luck and I urge you to download some exam testing programs and Packet Tracer with the 9tut sims. I used Visual CertExam Manager (which I used over and over again) and I used CBT Nuggets, which I found useful early in the mornings when my eyes were still blurry. haha
Passed CCNA 200-120 today 945/1000. This NAT sim was in the exam ( ip addresses were – different). Other sims were ACL Eigrp. Valid dump Cisco.PracticeTest.200-120.v2013-06-19.by.Pascal.267q.
Hello to all
Just to know if somoene could help me with the latest version of Visual CertExam+ crack in order to prepare a dump test of 640-802
Thanks in advance
Best regards
What’s the difference between putting the access list as
1. access-list 1 permit 192.168.100.16 0.0.0.15
and
2. access-list 1 permit 192.168.100.17 0.0.0.14
Can anyone explain in detail why .16, even though our servers’ network starts at .17–.30/28?
Dears, I passed the exam yesterday with a 960/1000 score.
The labs were ACL2, EIGRP and VTP too. One change in the ACL2 scenario was that besides permitting the HTTP traffic from host x to the finance web server, they put an IP address on the “Public web server” too, and asked to permit HTTP traffic from the LAN and CORE networks, but deny all other traffic. Indeed, when you click on the hosts in the sim, they put you right through to the web browser, so you didn’t even need to test ping.
I have to thank the 9tut.com team very much for the explanations.
Please explain to me why
interface “fa0/1”
ip access-group 100 “out”
I get it now ahahahha >.<
Could someone provide me the latest Visual CertExam crack to my e-mail:docramji1233@gmail.com? I hope that I will sit on ccna exam on next month.
Please I’m waiting
Thanks to all.
Hi everyone, and the 9TUT guy especially,
please note this statement in the question –> “Since there are multiple resources for the corporation at this location”
I think this makes us choose to use “permit ip any any” instead of using “permit ip any host” explicitly.. ;)
CCNA EIGRP LAB Question BY Mr.Mast From Thailand
http://www.youtube.com/watch?v=-NmNOedFchA
thanks
Hello guys
.Just want to also thanks Prem Kumar for his help about the latest VCE +crack.
Thanks to 9tut
Thank you for everything 9tut!!
I passed my exam 907/1000
VTP Sim, EIGRP and ACL 2
Also, I saw a few questions about frame relay I hadn’t seen before - be careful
Hi Everyone Thanks 2 Spike and 9tut valid Reviewer.
Got 815/1000, passing is 825, unfortunately I failed. But it doesn’t mean that these dumps are not reliable. It was my mistake, because I forgot to save my ACL sim, too excited to hit next after I got it working.
So please don’t forget to save all your configuration before moving on..
BTW will retake this august 16 and will give you all a positive feedback. Thanks Again 9tut
I passed the exam yesterday with 933 Mark… thanks 9tut and Spike you both rock.. Always remember on the Labs “If you are dealing with an opponent you just first met, but had some info on, Use the info as a guide and learn to adjust”” Cisco – Everyday I’m shufflin” haha Goodluck guys. Now let’s dance http://www.youtube.com/watch?v=KQ6zr6kCPj8
Hi, yesterday I passed my CCNA with a 900 score. The dumps are valid, but I think there are some mistakes in the dumps I read.
dumps are valid
lab-ACL2,EIGRP,VTP.
passing score is 825
the exam cost is a bit high.. including tax it is 20984
Thanks to 9tut.. very useful.. the labs part I got from 9tut examples, it’s very useful
all the best to all
What test score should you aim for on the dumps before taking the real exam? CAN ANYONE
HELP WITH THIS QUESTION???
How long is the exam?
This may work, but I thought extended access-lists should be placed closer to the source, which would be int fa0/0. Not sure if the exam will catch that on this question or not…
Hope this will be the one to show up in the exam on Monday..
I just passed the test.. got 894 out of 1000 … some modifications in the labs.. First of all, for those who don’t know: the question mark ? to complete a command does not work, and neither does TAB……. Study the commands.. Now..
3 LABS .. EIGRP , ACLS AND VTP
IN EIGRP.. THE AS WAS DIFFERENT; the MAIN ROUTER or R1 had a network that was not listed as a neighbor, and was also missing a network to ROUTER R3 …
IN VTP.. there is a bug, the question ……….From which switch did Sw-Ac3 receive VLAN information?
The show vtp status command did not show any IP address, so I was not able to detect which switch it was… I failed this question..
Some questions shown in the test..
What ports on Sw-AC3 are operating as trunks
Which switch is the root bridge for VLAN 1
the default-gateway for the host connected to interface fa 0/4 of SW-Ac3
SwX was taken out of the production network for maintenance. It will be reconnected to the Fa 0/16 port of Sw-Ac3. What happens to the network when it is reconnected and a trunk exists between the two switches?
This last question.. was inverse.. the X switch had a lower revision… the other switch had a higher revision.. therefore the VLANs present on it will stay..
And in the last lab.. which was the ACL..
Only host A will access the financial server through port 80: permit tcp host … host … eq 80
deny any host to access the public server: deny ip any host ……….
and permit any communication with the rest of the servers: permit ip any any
Thanks 9tut.. it helped a lot to get this certification!! So I want to share with the rest and help as much as I can!!! Any question, just let me know
I just passed the test.. got 894 out of 1000 … some modifications in the labs.. First of all…. for those who don’t know if the question mark ? works to complete a command.. it does not work.. neither does TAB……. Study the commands..
Now ..
3 LABS .. EIGRP , ACLS AND VTP
IN EIGRP.. THE AS WAS DIFFERENT; the MAIN ROUTER or R1 had a network that was not listed as a neighbor, and was also missing a network to ROUTER R3 … in router R3 I changed the AS and added a neighbor from R1
IN VTP.. there is a bug, the question ……….From which switch did Sw-Ac3 receive VLAN information?
The show vtp status command did not show any IP address, so I was not able to detect which switch it was… I failed this question..
Some questions shown in the test..
What ports on Sw-AC3 are operating as trunks
Which switch is the root bridge for VLAN 1
the default-gateway for the host connected to interface fa 0/4 of SW-Ac3
SwX was taken out of the production network for maintenance. It will be reconnected to the Fa 0/16 port of Sw-Ac3. What happens to the network when it is reconnected and a trunk exists between the two switches?
This last question.. was inverse.. the X switch had a lower revision… the other switch had a higher revision.. therefore the VLANs present on it will stay.. so X’s VLANs will be removed because the other switch was the modifier
And in the last lab.. which was the ACL..
Only host A will access the financial server through port 80: permit tcp host … host … eq 80
deny any host to access the public server: deny ip any host ……….
and permit any communication with the rest of the servers: permit ip any any
Thanks 9tut.. it helped a lot to get this certification!! So I want to share with the rest and help as much as I can!!! Any question, just let me know
Since we learned that all the permit statements should come first, what if we apply the ACL in the following order?
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 permit ip any any
access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Please help on the ACL lab!
How will we know on which interface we have to apply the list? Please help!
interface fa0/1
ip access-group 100 out
How do we know it’s fa0/1?
@1Tarun
.16 is the subnetwork address of all the servers, CIDR value /28. The question asks us to block/permit all servers; by blocking/permitting .16, all web servers are affected.
Passed August 9th with an 843! About 5 drag and drops, EIGRP is “122” and the IPs are different, for VTP I forgot the “sh vtp status” command so I guessed at that one question. Also I got the exact SIM from the dump for Access List 2 to allow Host C to finance. Took the test in NJ if that helps. Good luck and take your time! Would not have passed without the Chris Bryant Advantage (to actually learn the material), examcollection, and 9tut!
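The wildcard-mask question above (`192.168.100.16 0.0.0.15` versus `192.168.100.17 0.0.0.14`), and the Server LAN statement `172.22.242.16 0.0.0.15` from Modification 1, can be checked by expanding each address/wildcard pair into the addresses it actually matches. The following is an added example written for this page, not code from 9tut or the sim; it assumes the /24 networks 192.168.100.0/24 (from the question) and 172.22.242.0/24 (the Server LAN) as the candidate ranges.

```python
# Added example for the wildcard-mask question above; not part of the 9tut sim.
# Expands an IOS "address wildcard" pair into the addresses it matches.
import ipaddress
from typing import List


def _as_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """IOS wildcard rule: a 1 bit in the wildcard means 'don't care'; every
    0 bit must be equal between the configured address and the candidate."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(address) & care) == (_as_int(candidate) & care)


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of 1 bits from the right (0.0.0.15),
    i.e. it describes a whole subnet. 0.0.0.14 is not, so it is not a /28."""
    w = _as_int(wildcard)
    return (w & (w + 1)) == 0


def matched_last_octets(address: str, wildcard: str, network: str) -> List[int]:
    """Last octet of every address in `network` that the pair matches."""
    return [int(str(ip).rsplit(".", 1)[1])
            for ip in ipaddress.ip_network(network)
            if wildcard_matches(address, wildcard, str(ip))]


if __name__ == "__main__":
    # The two forms from the question, checked against 192.168.100.0/24
    print("16 0.0.0.15 ->", matched_last_octets("192.168.100.16", "0.0.0.15", "192.168.100.0/24"))
    print("17 0.0.0.14 ->", matched_last_octets("192.168.100.17", "0.0.0.14", "192.168.100.0/24"))
    print("0.0.0.14 describes a subnet:", wildcard_is_contiguous("0.0.0.14"))
    # The Server LAN statement from Modification 1
    print("Server LAN  ->", matched_last_octets("172.22.242.16", "0.0.0.15", "172.22.242.0/24"))
```

`.16 0.0.0.15` matches .16 through .31, the whole /28 that contains the servers .17–.30 (plus the network and broadcast addresses, which no server uses). `.17 0.0.0.14` is not a subnet at all: the wildcard leaves the lowest bit fixed at 1, so it matches only the odd addresses .17, .19, …, .31 and would miss every even-numbered server.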
@RobZop did you take the new exam or the old one?
ii have cleared the exam .the dumps available in this site http://ruturl.com/tja
@Anonymous the old one
@Anonymous the old one
you guys rock. just passed the exam with 947. the labs are just the way it is in the dumps. the only difference is the ip addresses.Thanks 9tut
In ACL2 SIM:
1. Host C should be able to use a web browser (HTTP) to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
2. Other types of access from host C to the Finance Web Server should be blocked
3.1 All access from hosts in the Core or local LAN to the Finance Web Server should be blocked access-list 100 deny ip any host 172.22.242.23
(because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN)
3.2 All hosts in the Core and local LAN should be able to access the Public Web Server * access-list 100 permit ip any host
(If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any”
Can someone please clarify what does this mean:
“If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any””
We know the IP of the Public Web Server (the Public Web Server is assigned an IP address of 172.22.242.17). How do I answer? Do I still have to answer: access-list 100 permit ip any any?
Please clarify.