CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Some modifications of the access-list have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (TCP port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on the LAN interface we could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via web; if this server supports other traffic, like FTP or SMTP, other hosts can still access it.)
Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
Some modifications:
Modification 1:
Requirement | Command
permit host B to access the Finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
deny host B from accessing the other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit everything else | access-list 100 permit ip any any
Modification 2:
Requirement | Command
only allow host C to access the Finance server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
do not allow anyone else to communicate with the Finance server in any way | access-list 100 deny ip any host 172.22.242.23
allow all other traffic | access-list 100 permit ip any any
Modification 3:
Requirement | Command
Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (the requirement says we cannot use more than 3 statements, so we have to use “any” here to cover the hosts in the Core and in the local LAN)
All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (if the question asks this, it must give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
Requirement | Command
Host C should be able to use a web browser to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the Core and on the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the requirement “All hosts in the Core and on the local LAN should be able to access the Public Web Server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first one, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
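As an added worked example (not part of the 9tut sim and not Cisco IOS code), the Python script below re-implements the first-match evaluation of the numbered extended ACL statements used in the answer above, in the “Some modifications” section, and in the four-line host A variant that a commenter tested in Packet Tracer further down. The addresses are the sim's; the parser, the function names and the flow labels are the example's own assumptions. Running it shows why the answer's ACL still lets ICMP and FTP reach the Finance Web Server, what reversing the statement order does, and what the implicit deny does when the final permit is left out.

```python
"""Added example (not the 9tut sim's code and not Cisco IOS): an offline evaluator
for the 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' statements on this page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25}   # IOS port keywords mentioned on the page


@dataclass
class Entry:
    action: str             # 'permit' or 'deny'
    proto: str              # 'ip' matches every protocol; otherwise 'tcp', 'udp' or 'icmp'
    src: Tuple[int, int]    # (address, wildcard mask) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[int]    # destination port from 'eq', None when absent
    text: str               # the original statement, kept for reporting


def _addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse numbered extended ACL statements, keeping their order (order is significant)."""
    entries = []
    for raw in lines:
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            raise ValueError(f"unsupported statement: {raw!r}")
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append(Entry(t[2], t[3], src, dst, dport, raw))
    return entries


def _match(spec: Tuple[int, int], ip: str) -> bool:
    """Wildcard-mask compare: a 1 bit in the mask means 'do not care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(entries: List[Entry], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """First matching statement wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if _match(e.src, src) and _match(e.dst, dst):
            return e.action
    return "deny"


# Addresses from the sim
HOST_A, HOST_C, HOST_D = "192.168.33.1", "192.168.33.3", "192.168.33.4"
CORE, FINANCE, PUBLIC = "198.18.196.65", "172.22.242.23", "172.22.242.17"

# The three statements from the answer (applied outbound on Fa0/1)
ACL_ANSWER = parse_acl([
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
])

# The four-line host A variant a commenter tested in Packet Tracer
ACL_FOUR_LINE = parse_acl([
    "access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80",
    "access-list 100 deny ip host 192.168.33.1 host 172.22.242.23",
    "access-list 100 deny ip any host 172.22.242.23",
    "access-list 100 permit ip any any",
])


def answer_results() -> dict:
    """The answer's ACL against representative flows: only HTTP is filtered, ICMP/FTP stay open."""
    return {
        "C web Finance": evaluate(ACL_ANSWER, HOST_C, FINANCE, "tcp", 80),
        "A web Finance": evaluate(ACL_ANSWER, HOST_A, FINANCE, "tcp", 80),
        "Core web Finance": evaluate(ACL_ANSWER, CORE, FINANCE, "tcp", 80),
        "A ping Finance": evaluate(ACL_ANSWER, HOST_A, FINANCE, "icmp"),
        "Core ping Finance": evaluate(ACL_ANSWER, CORE, FINANCE, "icmp"),
        "A ftp Finance": evaluate(ACL_ANSWER, HOST_A, FINANCE, "tcp", 21),
        "A web Public": evaluate(ACL_ANSWER, HOST_A, PUBLIC, "tcp", 80),
    }


def four_line_results() -> dict:
    """Reproduces the commenter's Packet Tracer test matrix for hosts A and D."""
    return {
        "A web Finance": evaluate(ACL_FOUR_LINE, HOST_A, FINANCE, "tcp", 80),
        "A ping Finance": evaluate(ACL_FOUR_LINE, HOST_A, FINANCE, "icmp"),
        "A ping Public": evaluate(ACL_FOUR_LINE, HOST_A, PUBLIC, "icmp"),
        "D web Finance": evaluate(ACL_FOUR_LINE, HOST_D, FINANCE, "tcp", 80),
        "D ping Finance": evaluate(ACL_FOUR_LINE, HOST_D, FINANCE, "icmp"),
        "D ping Public": evaluate(ACL_FOUR_LINE, HOST_D, PUBLIC, "icmp"),
    }


def order_and_implicit_deny() -> dict:
    """Two classic mistakes: reversing the statements, and omitting the final permit."""
    return {
        # 'permit ip any any' first turns the deny below it into dead code
        "reversed: A web Finance": evaluate(list(reversed(ACL_ANSWER)), HOST_A, FINANCE, "tcp", 80),
        # without the third statement the implicit deny blocks even the Public server
        "no permit any: A web Public": evaluate(ACL_ANSWER[:2], HOST_A, PUBLIC, "tcp", 80),
    }


if __name__ == "__main__":
    for fn in (answer_results, four_line_results, order_and_implicit_deny):
        print(fn.__name__, fn())
```

The wildcard-mask compare also covers the `172.22.242.16 0.0.0.15` form from Modification 1: any destination in 172.22.242.16–.31 matches, so host B is denied to the Public Web Server but still permitted to the Finance Web Server by the earlier, more specific statement.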
Nishant, what about the questions on this site? I am talking about the MCQs. Please answer me because I am going in next week.
Congratulations to those of you who have made it. Please, to 9tut or anybody that can help me: do Administrator Server 2008 and CCNA have any relation? Is it advisable that if you have your CCNA certificate you should move straight to CCNP, or go to do Server 2008 if you have plans to do CCNP? Please, I need help. Thanks in advance.
Failed test. New areas in the test: HSRP and NetFlow, several questions in fact. Virtually no questions on subnetting, which I had practiced lots :-(
Hi Mike 9645 congratulations on passing. I am trying to figure out the statements used to meet the requirements. Would you mind posting?
Whatsit, did you take 640-802 or the new 200-120 CCNA?
Whatsit, I’m guessing you took 200-120 since exam topics of 640-802 do not include HSRP, but 200-120 does.
-The user on host A should be able to use a web browser to access financial information from the Finance Web Server
Answer: access list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80
-The user on host A should be able to use a web browser to access financial information from the Finance Web Server.
- Other types of access from host A to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
For all those three statements above how are u going to do that using the 3 required statements?
or should u use access list 100 deny ip any any? but it would not fit for the blocking of a web browser for the other LAN.
- All hosts in the Core and local LAN should be able to access the Public Web Server.
access list 100 permit ip any any.
Hi Mike, how did you answer that question in the 2nd to 4th statements?
or can anyone have any idea how to answer that?
Thanks
I am preparing for the old CCNA exam and the ACL should look like this:
ip access-list extended 100
permit tcp host “X” host “server” eq www — here only the PC is allowed to access the server using HTTP
deny tcp any host “server” eq www — here nobody else is allowed to access the server using HTTP
permit ip any any — here you permit all other IP traffic from anywhere going to anywhere
Hope this helps!
access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Also keep in mind that the tab and question mark are allowed, which help me big time :)
I correct the question that I was asked,
-The user on host A should be able to use a web browser to access financial information from the Finance Web Server
- Other types of access from host A to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server.
And only 3 statements:
access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Also keep in mind that the tab and question mark are allowed, which help me big time :)
That looks much better, sorry for the confusion guys
sitting exam 640-802 in 24 hours. what do you guys suggest to help calm the nerves i feel? i have been going through questions and have studied ccna books for past 3 months.
@ Mike9645 GREAT WORK remembering that from the test!! That was some big confusion earlier. I went into a tailspin trying to figure it out.
Your revised version is much better. Anyway, I am thinking, based on the criteria, we will need 4 ACLs. Question though: did the instructions say 3 ACLs required?
-The user on host A should be able to use a web browser to access financial information
from the Finance Web Server
#access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80
- Other types of access from host A to the Finance Web Server should be blocked (I
think you forgot to do this one. Here I am blocking Host A from pinging etc to Financial Server)
#access-list 100 deny ip host 192.168.33.1 host 172.22.242.23
– All access from hosts in the Core or local LAN to the Finance Web Server should be
blocked
#access-list 100 deny ip any host 172.22.242.23
All other traffic permitted
#access-list 100 permit ip any any
I actually DID it and RAN it on my Packet Tracer Ver 5.3.3.0019
Testing Host A: – a) I could access the web on Financial Svr 172.22.242.23
b) Could *not* PING Financial Svr. Since it asked to block other types of access.
c) Could PING Public server 172.22.242.17 – Works!!!
Testing Host D: a) I could *not* access the web on Financial Svr 172.22.242.23. Works!!
b) Could *not* PING Financial Svr. Works!!!
c) Could PING Public server 172.22.242.17 – Works!!!
Remember if you do NOT add the second ACL command, then Host A can do other things on Financial Server. The goal was JUST to allow Host A to Browse the web on Financial Server ONLY!!!!
Anyone please chip in. All I did was added an extra line – the second line in the ACL.
Please Note: You can use the command #show ip access-list – to just display the ACLs
Hi All,
I’m preparing for my first ever attempt and will sit for the CCNA exam on next Saturday 21st Sep’13. requesting you (who already appeared) for the general exam tips.
Also have a quick question please
– In the ACL-2 lab, are the options mentioned in 9tut.com enough to study or you can suggest me a better website link to study more possible options for the exam.
Hi all, I had my CCNA 640-802 exam today, failed with 775 points. Labs are ACL2, VTP and EIGRP but all with different addresses. About the questions, from 9tut about 10 were in the exam, the others never seen before. IP subnetting just 1 question, probably because of just 50 points. I'm gonna try again before the end of Sep. Best luck to all!
And TAB and ? are working!!!
Ciacoer, yes the question only asked for 3 statements.
And I did not try the pong command, I only try accessing the web.
If you look at the options above for this sim, under “some modifications” the 3rd one looks just like mine, except mine was host A.
Ops “ping”
@ Michael This is the only difference between our ACLs – my extra ACL #access-list 100 deny ip host 192.168.33.1 host 172.22.242.23. And since the question asked for just 3 ACLs then yours would be the right one I guess. The only reason I added the 4th line was because it asked to block ALL traffic *other than* web browsing from Host A. So first line – web browsing from Host A- ALLOWED. Next line, Host A – DENIED all other types of access from Host A. You passed with 947, so who is to debate? Congrats. Thanks for tips.
@ Danny Le Roy so close to passing. Sorry. Any idea where the other questions came from if only 10 from 9tut? Karven or Acme dumps?
Thanks
Is there any update or changes in ACL-2
I passed with an 876 a couple days ago. I got this question. Didn’t get a few of the multiple choice questions right but I got 100% on the labs (Thanks 9tut!). I got this lab and the last line of the ACL was access-list 100 permit ip any any even though it asked that a specific server be accessed.
All hosts in the core and on the local LAN should be able to access the Public web server *
Answer: access-list 100 permit ip any host
(The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any”
For those who encounter this lab during their exam. What is the safest way? should we use “access-list 100 permit ip any any” command or the access-list 100 permit ip any host 172.22.242.17 which is for the public web server.
For clarification please.
Thank you
Danny Le Roy
for IP subnetting just 1 question what u did answer ? a b c or d ?
I had failed CCNA 640-802. I've got confused for the LAB, EIGRP, ACL2 and VTP. I just followed the commands from here and I checked R1 to ISP, there's no passive-interface.
can u guys show how i do for LAB question thx
@ Mike9645
would you like to send to me the COMMAND’s Please
@BroiwSSep, if there is no passive-interface in either of the routers or the ISP, just forget it and verify other things, but if there is one in the routers not in the ISP, better remove it with router eigrp 212
no passive-interface fa0/2
period .
All the best .
@ Alex
how i do that ?
router eigrp 212
no passive-interface fa0/2
from which Router ?
can u teach me ?
i still got confused
@BroiwSSep, try and read EIGRP features and operations more, you will have a clear view about it, I mean no offence.
@ alex
i’ve done, but i was failed exam yesterday , how do i know i was wrong doing all lab, i was followed everything from here but still fail
@BroiwSSep, they gave you a printout after the exam, showing where you should work on. Be strong and go back to the drawing board asap.
once you can implement eigrp on a router, it shouldn’t be hard,
if you see passive-interface in any router other than router interface close to ISP, GO into the router,
#router eigrp 212 (anything they gave you)
no passive-interface fa0/0
but if you didn’t see any passive-interface in the router, move on by answering the question and from one router ping all the IP addresses that were given to you; once they are replying you are good.
960/1000 today. ACL2 sim was identical to the main example. Also EIGRP, VTP were almost identical.
@Peter congratulation , Please can you remember the question on ACL and what was your approch to it.
Passed today CCNA 973/1000. 100% valid labs and test. LABS: ACL2, VTP (5 questions), EIGRP. P.S. show vlan brief in VTP doesn't work, use show run to verify which port is in which VLAN. All labs 100% the same as what I did here. Good luck all
THX 9tut!!!!!!!
Also TAB and ? are working, it saved me on the exam 2 times :) Don't worry!
@ Mike9645
I correct the question that I was asked,
-The user on host A should be able to use a web browser to access financial information from the Finance Web Server
- Other types of access from host A to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server.
And only 3 statements:
access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Also keep in mind that the tab and question mark are allowed, which help me big time :)
That looks much better, sorry for the confusion guys
is This right command ?
this one should be like this ?
interface fa0/1
ip access-group 100 out
or
interface fa0/1
ip access-group 100 in
which one is right ?
@Beqa Please can you remember the question on ACL and what was your approch to it.
@ Zelda thats the correct ACLs for HostA. Remember they can change the host. So pay attention to that.
@ Mamooobbx 100 out.
@Alex I got exactly the same question as what you see in this lab. I've done all the same work as you see here, I attached the ACL on router Fa0/1 in the out direction, it's correct :D Alex, you don't need to worry about the labs, believe me you will see exactly these labs and tests that you see here. If you can do these tests and labs you will pass the exam, I'm 110% sure.
hi all and @9tut
Noticed in the Packet Tracer ACL2 sim, the subnet mask on the Public server and Finance Web Server is /20 while router FastEthernet0/1 is /28. Is this an error? Pings are still allowed from the Public server and Finance Web Server in this configuration. Please kindly clarify
I passed with a score of 986 today, study eigrp, extended access lists, vtp and dumbs from examcollection and 9tut. this is enough to pass this exam even if you don’t have any book. having said that this exam is a piece of cake if you are serious with your preparation. good luck to all of you guys. even though I also used cbt nugget, tod lammle, and testout. It took me just one and half month and I passed on my first try so anyone can do it with little effort.
Access list: permit host B to access the Finance web server, deny host B from accessing the Finance server in any other way, deny Core and LAN from accessing the Finance server and finally allow Core and the LAN to access the Public server. VTP exactly like 9tut, EIGRP AS number mismatch. FRANKLY THE EXAM IS EASY, JUST STUDY THE MATERIALS
@CiscoER Karven is valid!!!! But watch out because they made some modifications!
@Kiddo the IP subnetting question was really easy. It was something like: in one /20, how many hosts can you have.
@Kiddo this IP question was in the exam:
If an Ethernet port on a router was assigned an IP address of 172.1.1.1/20, what is the maximum number of hosts allowed on this subnet?
A. 4094
B. 1024
C. 8190
D. 2046
E. 4096
Answer: A
I answered right.
Guys i was failed exam on 17th september, if i want do exam again next week the LAB still same or not ?
I’m gonna try again on the 26th!! I will update for those who are gonna do the exam on the last day available: the 30th of September.
hi joka, can the access-list you mentioned be implemented in three lines? pls share the implementation. Thanks.
hi joka
same like Tosin asked = can the access-list you mentioned be implemented in three lines? pls share the implementation. Thanks.
Can anyone please explain to me the difference between:
Not allow anyone else in any way communicate with the financial server
access-list 100 deny ip any host 172.22.242.23
and:
Other types of access from host C to the finance web server should be blocked
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
Thanks!I’m gonna on the second try next week!!
Ok…I got it!!!! :)
@Baqa thanks.
Passed my ccna exam yesterday.. 881/1000.
All the questions were from dumps. Labs were EIGRP, VTP and ACL (this one).
in eigrp correct the AS no . and correct the advertised networks.
u can contact me on nsbathorce@gmail.com