CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications of this access-list question have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice with (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as its password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN, because there it can filter traffic from both the Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30, so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not Fa0/0) so that it can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on the LAN interface, we could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct then you can access it.
Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from them.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via web; if this server supports other traffic, like FTP or SMTP, then other hosts can still reach it.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
- Permit host B to access the Finance server: access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- Deny host B access to the other servers (not the whole network): access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
- Permit everything else: access-list 100 permit ip any any
Modification 2:
- Only allow Host C to access the financial server: access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- Do not allow anyone else to communicate with the financial server in any way: access-list 100 deny ip any host 172.22.242.23
- Allow all other traffic: access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or local LAN to the Finance Web Server should be blocked: access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *: access-list 100 permit ip any host (if the question asks this, it will surely give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
- Host C should be able to use a web browser to access the financial web server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the finance web server should be blocked: access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the core and on the local LAN should be able to access the Public web server *: access-list 100 permit ip any host (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the requirement “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command “access-list 100 permit ip any any” instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
And in the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and use the access-list correctly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a new version of Packet Tracer (v5.1+) to open it.
Download this sim here
Notice: After typing the commands above, if you ping from the other hosts (PC0, PC1, PC3), PC4 (the Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
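To see why the three statements behave as the notes above describe (other hosts can still ping the Finance Web Server, and, as readers below report, still reach it over HTTPS), here is an added Python model of how IOS evaluates an extended ACL; it is not part of the original post or Cisco's code, it uses the page's addresses, ports and the Modification 1 wildcard mask, and the packets are constructed for illustration.

```python
"""Toy evaluator for the numbered extended ACL from this sim (added example).

Mimics how IOS walks an ACL top to bottom, stops at the first matching
statement, and applies the implicit 'deny ip any any' when nothing matches.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None # destination port, None for ICMP


@dataclass(frozen=True)
class Ace:
    """One access-list statement: action, protocol, source, destination, optional 'eq' port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; "tcp"/"udp"/"icmp" match only that one
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (address + wildcard)
    dst: str
    eq: Optional[int] = None


def addr_match(spec: str, addr: str) -> bool:
    """Cisco address matching: a wildcard bit of 1 means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard) == 0


def ace_match(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_match(ace.src, pkt.src) and addr_match(ace.dst, pkt.dst)):
        return False
    return ace.eq is None or pkt.dport == ace.eq


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First match wins; a packet matching no statement hits the implicit deny."""
    for ace in acl:
        if ace_match(ace, pkt):
            return ace.action
    return "deny"


# access-list 100 exactly as configured in the answer above (applied out on Fa0/1)
ACL_100 = [
    Ace("permit", "tcp", "host 192.168.33.3", "host 172.22.242.23", 80),
    Ace("deny",   "tcp", "any",               "host 172.22.242.23", 80),
    Ace("permit", "ip",  "any",               "any"),
]

# Modification 1: host B may reach the Finance server but no other server in 172.22.242.16/28
MOD1 = [
    Ace("permit", "ip", "host 192.168.33.2", "host 172.22.242.23"),
    Ace("deny",   "ip", "host 192.168.33.2", "172.22.242.16 0.0.0.15"),
    Ace("permit", "ip", "any",               "any"),
]

if __name__ == "__main__":
    print(evaluate(ACL_100, Packet("192.168.33.3", "172.22.242.23", "tcp", 80)))   # permit
    print(evaluate(ACL_100, Packet("192.168.33.1", "172.22.242.23", "tcp", 80)))   # deny
    print(evaluate(ACL_100, Packet("192.168.33.1", "172.22.242.23", "tcp", 443)))  # permit: HTTPS is not port 80
    print(evaluate(ACL_100, Packet("198.18.196.65", "172.22.242.23", "icmp")))     # permit: ping is not filtered
    print(evaluate(MOD1, Packet("192.168.33.2", "172.22.242.17", "tcp", 80)))      # deny: Public server is in the /28
```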
@Johnboy,
I think the correct CLI command is “access-list 100 permit tcp host (ip) host (ip) eq 80”, because the 80 is under the tcp command.
Passed my CCNA, score 920/1000. Thanks to Allah first and thanks to 9tut, Acme and spike … labs were EIGRP (just have to change the new router’s process ID to 2 and have to advertise every network in the main router), ACL 2 (host C communicates with the Finance server through port 80, all other hosts cannot communicate with Finance, and allow all hosts to communicate with the Public server) and VTP …
Now the worst thing happened to me in the VTP lab … by typing show vtp status (this command helps you view where the switch is getting VTP advertisements from). In the exam when I typed that, the IP was hidden behind the window, meaning I couldn’t maximize the window to view the entire output .. and I think maybe I lost marks for that ..
But guys, don’t be afraid of the test. Just go through 9tut labs and acme dumps and learn them with concepts; I am sure you would definitely pass the test .. If anyone wants advice just call me +923323319824, I will try my best to explain
I received full marks for this ACL question. Mine had slight variance.
-Host B can have Finance webserver web access but all other traffic should be blocked
-All traffic from all other hosts in Core and LAN networks to Finance server should be blocked
-both Core and LAN network can access Public Web Server
access-list 150 deny tcp host [hostBIP] host [FinanceIP] eq 80
access-list 150 deny ip any host [FinanceIP]
access-list 150 permit ip any any
@EAGLE, can you explain further what is the process ID? is it the same as AS number?
Dear @tut
in your ACL Sim2 .. one thing please clear up. With these three ACL statements
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Corp1(config)#access-list 100 permit ip any any
All hosts A, B, C and D can still access the Finance Web Server with https://
waiting for your swift response.
Hi Guys,
passed the CCNA exam with a score of 960. Study ACL2, EIGRP and VTP. You should understand the concept because the questions are tricky. Thank you very much 9tut, Spike and Shekhar. Study harder..harder and don’t forget to pray to our God, it’s the secret…….
Good Luck! Take before Sept 30, 2013.
Is VTP in ACL1?
Hi there, I took the exam on 8/30 and failed 801/825. I am going to take the exam next week again. Any suggestions for the second time? thanks a lot
- Host D should be able to use a web browser (HTTP) to access the Finance Web Server
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server
What answer ?????
@Male
In the first line you talk about Host D but then in the second line you say “- Other types of access from host C to the Finance Web Server should be blocked”, which makes me think you pressed C or D by mistake in one of the two lines. Assuming that you are talking about host D, the ACL will be:
access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
//with this command we are giving host D access to reach the Finance Web Server via HTTP (Web, Port 80).//
access-list 100 deny ip any host 172.22.242.23
//with this command we are blocking everybody, including host D, from reaching the Finance Web Server in any way, but, because of the first line of the access-list, Host D will be able to reach it via Web, because access-lists are applied from top to bottom //
access-list 100 permit ip any any
//with this command we are giving any IP address in the network access to reach the Public Web Server. For the exam purpose you don’t need to specify the IP address of the Public Web Server; “ip any any” means any IP address (host) in the network can reach any IP address in the network //
I’m going to sit for the exam tomorrow, please anyone let me know which kind of changes there are in the labs. Please anyone respond to me………..
Manuka
It is like this
Male September 3rd, 2013
- Host D should be able to use a web browser (HTTP) to access the Finance Web Server
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server
What answer ?????
@Male
The second line of the access-list I did is actually blocking Host C from accessing the Finance Web Server in any way possible. If you read the requirements they are not asking to allow Host C to access the Finance Web Server, so I believe they just put that sentence to make you go crazy. Try that access-list and you will see it is going to work just fine.
don’t blindly believe this question, just practice it; the exam question is somewhat different, so carefully study and answer it
i got 920
I have studied this for nearly a year and failed twice. Is it a good idea to go to Pass4sure to get answers, do you think?
I am willing to pay
1.
- Host D should be able to use a web browser to access the financial web server
- Other types of access from host D to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server
2.
- Host D should be able to use a web browser (HTTP) to access the Finance Web Server
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server
I want an answer
Hi, I have the same problem as ahtasham.
I’ve done this lab with these ACL commands:
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Corp1(config)#access-list 100 permit ip any any
All hosts A, B, C and D can still access the Finance Web Server with https://
Can anybody please give me a clear answer.
@ sararoma, did you configure
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
This is to set the restriction on the interface fa 0/1, so only host D should have access to the Finance Web Server. You must finish up the whole configuration and save using corp1#copy running-config startup-config or corp1#write memory
yes, now works fine, thanks a lot.
I failed today. 815 with a passing score requirement of 825. I forgot to check the web access from the host PC and lost a massive amount of points. Make sure you go through the whole lab and not just the commands.
@Sharref so sorry for the loss. Don’t give up; try to reschedule the exam before Sept 30 if you have the money.
I have a question for you: is the question the same as the one on 9tut?
(A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.)
hi, please I want to understand the difference between “permit tcp” and “permit ip”. Are they the same thing, and why?
thanks
@owen
Permit ip – will permit any traffic. Permit tcp will permit selected traffic only. Hope that helps!!!
Hi All,
passed yesterday with 933/1000.. I studied the Cisco.Acme.640-802.v2013-08-06.by.Acme.649q.vce dumps and it’s 100% valid; I got only one new question not in this dump. Simulations were VTP, ACL, EIGRP with AS 222 and one passive interface towards the ISP.
thanks 9tut. I passed the exam today, 933/1000. Many questions in 9tut and pass4sure dumps. Simulations were ACL, VTP and EIGRP with AS 23 and passive-interface on the serial interface.
@Mark Thanks, I now get it.
@ Owen. You use TCP when the question refers to telnet (23), web browser (80), FTP (21)/(20) etc. You can *only* use tcp in extended list *not* standard list because that is the syntax.
**It’s a Rubicon**
@sararoma that is because HTTPS doesn’t use port 80; it uses 443 instead
LAB Ques – 1) Assuming you know the stuff, how long does each lab take? Is it after the end of the multiple choice? Do you have to run some test like PING to make sure your network is working? Someone said you will lose points if you just add the correct commands but do no troubleshooting test.
2) Can you go back to revisit a question, or once you choose the answer in MC and click NEXT does it let you go back? I think not.
3) So many test takers and no one answering these important questions. Someone please help us all
Thanks in advance
**It’s a Rubicon**
@CiscoER
1/ It depends on you .. 3 to 4 min. for me / and it’s between the multiple choice / running a test is recommended for you, but I don’t know if you lose points if you don’t do it.
2/ No .. once you click next you can’t go back.
3/ You’re welcome :)
Took the test and it was EIGRP, VTP, and ACL2. Make sure you test. Make sure you know all parts of the VTP question. #show vtp status will not work, nor will #show mac-address-table (use show mac address-table).
@Duke, if show vtp status won’t work, what will we use then? Please, this is very important, I am having my exam in the next two days.
Thanks.
Hi All/9tut,
Can someone help me understand this scenario:
“Deny host B from accessing other servers (not the whole network)
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15”
Where did this ip 172.22.242.16 and 0.0.0.15 come from?
thanks in advance Guys! :)
@mike
It’s a route summary for 172.22.242.17 -> public server and 172.22.242.30 -> dns server. You get the common bits, and then you get the wildcard mask afterwards.
@wang
Thanks.
I have a CCNA exam soon and I studied everything, with labs from 9tut: VTP, ACL2 and EIGRP.
Should I study all the other labs or not?
@Dolee
You’re doing it right, just focus on that (ACL & ACL2, EIGRP, VTP). Practice, practice, practice!
cleared the exam last Sept 10 w/ 922 out of 1000.
“access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15”
As stated, “the servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30” <— USABLE HOST ADDRESSES with a /28 subnet
So 172.22.242.16 is the network address for the Server LAN with a 255.255.255.240 subnet mask; the wildcard mask will be 0.0.0.15, which means that ANY address in this network won’t be accessible by Host B.
Hello guys, I think the last line of the access-list, “permit ip any any”, is better than “permit ip any host …” because of the DNS Server in the same network. Of course no one mentions it, but I think the idea of putting it there is to make you think that in a real life situation, in order to use a web server you usually type the URL, not the IP. So you have to use a DNS server (it could be external too). Knowing that the last line of any access-list would deny all, if we apply the “permit ip any host (Public Web Server IP)” we would be denying all traffic to the DNS server, therefore the only way to get access to the server would be by putting the IP instead of the URL.
Just a tip. Most of my friends who took the exam said not to use the TAB key when configuring commands because it deducts from your points!
messed up the exam on this lab
I studied hard, practiced a lot, and the exam was plain sailing. I didn’t feel challenged by any of the questions (thanks be to 9tut alone, I don’t bother with dumps) and any that I really didn’t know the answer to (like one on gratuitous ARP) I just answered the best I could.
But then I got to this lab, fluffed the first command, nerves set in at this point, used the tab to re-enter it but to no avail, manually re-entered the command and it worked, entered the last two commands, used HTTP to reach the server from host C and moved on….. I didn’t realise till very much later I hadn’t applied the list to the interface (S***). Bloody nerves
@piya
What about shortcut commands? Is that a deduction as well? I usually use shortcut commands even at school. Please clarify. Thanks.
hi,
Can anybody answer my question? People who have tried taking the exam. Thanks.
@wang Just type in the *full* commands. Better safe than sorry. And the full commands are not hard anyway. You gotta do it the right way before you can do it the shortcut way; that is what I think they are looking for on the labs as well. I am going to do *all* full commands.
@ismr So sorry. That’s one of my pitfalls too. Nerves set in and my mind goes blank. Which labs did you get? Any variations from the 9tut labs?
**It’s a Rubicon**
I have a question. I took the 640-802 exam yesterday and scored 762, too bad. I wasted a lot of time in VTP finding where my switch got its information; before I knew it I had only 20 mins left, I started rushing things and I believe I didn’t do well on that VTP SIM, my bad. I am planning to retake it again. Will the SIM and the exam be alike or will it be harder? Please assist me on this, I am ready to face it again, I am not backing down.
Thanks.
@9tut
Hi, I am confused about the correct answer to use on this simulation. Can you please tell me what the correct commands to use for the configuration of this ACL are? I thought the correct commands would be the following:
- access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- access-list 100 deny tcp any host 172.22.242.23 eq 80
- access-list 100 permit ip any any
- interface fa0/1
- ip access-group 100 out
- end
- copy running-config startup-config
Thanks for your answer.
How to solve labs in Packet Tracer…..
Please please help me ………
@Rajan download the 9tut sims. They are listed at the beginning of the sim. Open it in your PT. Click on the Router and a new screen pops up. Click on the CLI tab for the Command Line Interface. There you make changes. Follow the SIMs from here. That’s about it.