CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:

| Requirement | Command |
|---|---|
| permit host B from accessing finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| deny host B from accessing other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| permit everything else | access-list 100 permit ip any any |

Modification 2:

| Requirement | Command |
|---|---|
| Only allow Host C to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Not allow anyone else to communicate with the financial server in any way | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |

Modification 3:

| Requirement | Command |
|---|---|
| Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we can not use more than 3 statements, we have to use “any” here for the hosts in the Core and the hosts in the local LAN) |
| All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it surely has to give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any” |

Modification 4:

| Requirement | Command |
|---|---|
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the requirement “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using this command (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
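To see how the three statements from the walkthrough above, and the wildcard-mask form used in Modification 1, are actually evaluated, here is an added Python evaluator (not part of the original post and not Cisco IOS code): it parses statements in the page's own syntax and applies first-match-wins with the implicit deny at the end of the list. Host, Core and server addresses come from the question; the packets fed to it are constructed.

```python
"""Added example: IOS-style extended ACL evaluation (first match wins, implicit deny)."""
import ipaddress

# Constructed copy of the three statements from the walkthrough above.
ACL_100 = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]
# Constructed copy of the "Modification 1" statements (wildcard-mask form).
ACL_100_MOD1 = [
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
]

def _parse_addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return ((net, mask), next index)."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(t[i]))
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    # IOS wildcard mask: 0 bits must match, 1 bits are "don't care".
    return (net, 0xFFFFFFFF ^ wildcard), i + 2

def parse_ace(line):
    """Parse one 'access-list N action proto src dst [eq port]' statement."""
    t = line.split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError("expected an extended ACL (100-199) statement")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = 80 if t[i + 1] == "www" else int(t[i + 1])  # 'www' is IOS's alias for 80
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": port}

def _matches(rule, ip):
    net, mask = rule
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)

def evaluate(acl, src, dst, proto, dport=None):
    """Return 'permit' or 'deny' for a packet: the first matching entry wins."""
    for ace in (parse_ace(line) for line in acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_matches(ace["src"], src) and _matches(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny: a packet matching nothing is dropped
```

Running `evaluate(ACL_100, "192.168.33.1", "172.22.242.23", "tcp", 21)` returns "permit", which is the FTP/SMTP caveat noted above: only HTTP to the Finance Web Server is filtered.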
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a new version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
@torsin @sojues1, yes the task is to apply it with no more than three statements, so this is how I did it. In my case all the IP addresses were the same as in 9tut ACL2: access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23 eq www
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
This last line is to prevent core and LAN from accessing the public web server; despite its IP address being given, I used permit ip any any and it worked. Apply to fa0/1 outbound and save your configuration.
Hey guys, badly need your answer. For those who have taken the exam, for scenarios 3 and 4 of the ACL 2 sim, did you put in ‘permit ip any any’ or did you put in ‘access-list 100 permit ip any host [IP address]’?
Be safe and type the port number instead of the name, for example eq 80 instead of eq http. I don’t think you can ever type www even though a #show ip access-list will show www.
acl,eigrp,vtp sim.
Hi @all,
for better understanding…
numbered access-list = means access-list 1-99 or 100 – 199
named access-list =
access-list 100 remark “Example”…..
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
thx for your feedback.
@zelda, yes you are right.
access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
And don’t forget to apply it to the interface
interface fa0/1
ip access-group 100 out
I will be taking the exam on Sept 30th. Kinda nervous, I hope I’ll pass the exam.
thanks 9tut.. just passed the exam today.. :) looking forward for another certification..
I just became Cisco certified today too, God be the glory. Thanks 9tut, your labs were on point: VTP, EIGRP, ACL2. Also Spike 670 and Acme 649 are valid 100%. Good luck, the clock is ticking, everything is possible.
@9tut
You said “notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.” I didn’t understand why we should filter this traffic.
How can I know the no. of the access list?? On which basis do I put no. “100” as the no. of the access list in my configuration?!!!!! Please, need fast reply.
Thanks Joka. And congrats
@ michael on Sept 20 – For a standard access list you use a number between 1-99, and an extended access list is between 100-199. There are more, but worry about these ranges only. For the ACL2 SIMs we will be using an extended list. Since the access list will be applied at one interface – fa0/1 – we won’t need more than one access list. So if the config lists it as 100, stick to 100.
Which is more reliable, 9tut or the dumps on examcollection, since they have different answers in some questions? I’m already confused which to follow.
please help.
@Karen, it could be different since the sims are totally random. But as long as you understand the basic configuration, you’ll be fine. Just keep on practicing and good luck!
@Danny, we have the same schedule! Goodluck!
Anyone who has recently taken the 640-802 exam? My friends said that cisco included new questions from the new curriculum >.< If so, what could it possibly be about?
Oh and @Danny, like I’ve said, TAB and ? might be working but they DEDUCT points for every TAB that you make. So it’s better to just type the entire commands rather than lose points from using TAB.
And I read from @Whatsit that new questions include HSRP and Netflow which are from the new curriculum.. So we might as well try to review those too before taking the exam.. Or just pray that you don’t get any of those in your test.
Hi guys when I apply the access-list to the interface, ip access-group 100 out does not take it. please help me.
Planning to take 640-802 between the 28th and 30th of this month.. as per all recommendations using 9tut dumps and sims.. also got Acme 649q and Spike 670q.. hope for the best.. best of luck to the rest of the guys who are giving the exam. ty
gooooooooooooooooooooooood
fff
Can I apply this ACL on interface 0/0 in? This question is about only host B:
permit host B from accessing finance server: access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
deny host B from accessing other servers (not the whole network): access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit everything else: access-list 100 permit ip any any
Hi all,
Congratulations on passing the CCNA exam…
I have scheduled to take the exam this Wednesday 25th Sep, so please I need your help; if you remember some of the questions it will help me.
Some of the guys mentioned that there are bugs in the exam simulation, so did you face any error? By the way I have the Passit4sure dumps, is it enough?
Thanks for your help
hebbo7@yahoo.com
@Vinoth
Congrats..
plz is there any tricky question in the exam?
What is a “VLAN simlet”? Is it the “CCNA VTP SIM Question”?
@ Ola Correct. They call it a simlet because you have 5 questions to answer. Make sure you do *not* click next before completing all 5 questions. 9tut has a tutorial at CCNA FAQs and Tips. See if you can find it, then run it and get a feel of what the exam format will be like. You will see a simlet there.
Any one to send me the latest dumps?? I’m taking my exam on the final day 30th sept dee_bob22@hotmail.com
I did it sep 20 and got 947
this sim was there
EIGRP was also there with passive- interface, ACL2 was also.
lead2pass is 100% OK
I did it 3 times
thanks a lot 9tut..!
Can we use short commands in the CCNA exam?
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
Which IP do I have to ping?
@ Mike9645
access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
And don’t forget to apply it to the interface
interface fa0/1
ip access-group 100 out
For: access-list 100 deny ip any host 172.22.242.23
should I put “eq 80” at the end?
@ Zelda If you are permitting or denying a port then you need TCP with EQ
If you are permitting or denying IP you don’t associate IP with EQ
So, NO, do not add EQ 80 to last. But not sure which last you are referring to. If the 2nd ACL then my statement stands.
@ CiscoER
thx for the fast reply :) and explanation
Hi folks, I really need help. When I apply the access-list to the interface, it is rejected:
interface fa0/1
ip access-group 100 out
please please I need help
@ Gideon not enough info to answer your question
@ Zelda you are welcome. Just remember the syntax
9tut, thanks a lot for this great site!
Alhamdulillah.. Passed CCNA 640-802..
Thanks to 9tut,Saiful Bhai and a very veeeeeery special thanks to Ripon Sir..
EIGRP was there with passive interface,ACL 2 with Public Server IP and VTP..
Well Guys:
Thanks to 9tut and examcollection.com. Today i passed the exam with 1000/1000.
No problem Guys ,you can pass it easily.Hurry up, the last date is Sept 30 2013 for 640-802.
My Exam Lab Questions are as follows:
I hope this will be helpful to new test takers.
ACL SIm Question:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server.
EIGRP SIM:
Same question as 9tut, changes include: AS 22, IP addresses are new. No passive-interfaces enabled.
VTP/VLAN SIM:
5Q: (find VTP server, Root Bridge),effect of new switch with higher RV, default gateway of host connected on port no 5, find out the destination of unknown mac forwarded from one of the switchports)
For those who took the exam, is the “do” command working? Thanks
Some tips:
My VTP/VLAN SIM had not shown the updater at first when using the command “show vtp status”. But thankfully it later showed.
Controls could not be used in the ACL SIM, but in the other lab works I could use controls. The same thing happened with the ACL SIM configuration. I wrote the ACL commands, saved and checked the configuration with the show run file; there was not any configuration related to the ACL. I was surprised and checked the connectivity through hosts A, B, C to web access the finance server, and it had worked. Then again, I went to the topology and checked the configuration file, and then the ACL configurations were there.
I was extremely surprised to see such kind of activities on the real cisco online exam.
This might be the bug of Cisco in the exam SIM.
But , don’t worry guys, Keep Patient, all will be fine.
The right thing is you should have enough knowledge. Passing the exam is nothing!
I did the CCNA exam on 20 sept,2013 and i highly passed it!!! Eureka 9tut and may all who contribute here be blessed. olesimbe@yahoo.com
Thank you 9tut, I got 907 today. ACL2, VTP, EIGRP as in the dump…
@ Maddy Congrats on a perfect score. Thanks for sharing. What commands for the 3 ACL?
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny ip any host 172.22.242.23
Corp1(config)#access-list 100 permit ip any any
Drag and drop Questions? If so how many? Lots of subnetting?
Passed my CCNA exam this afternoon with a score of 947… Thanks 9tut… all sims from 9tut.. ACL, EIGRP, NAT… Just the IP and AS number were changed.
Shekar dumps still valid …
http://www.examcollection.com/cisco/Cisco.ActualTests.640-802.v2012-07-15.by.Sekhar.697q.vce.file.html
Thanks 9tut for the SIMs, i passed today, i sent you some donation for your effort!!
The sim was a little bit different at the exam: you couldn’t enter the router/switch directly, there was a PC connected, and you had to use it to go into the node.
Passed my CCNA exam today, got 907/1000. Lab sims are VTP, ACL 2, and EIGRP. Thanks 9tut!
Will be taking my exam this weekend.. Good luck to those who are still going to take..
Guys, I failed the CCNA exam last week; I will take it again on the 26th. Will the LAB be the same? VTP and ACL2 and EIGRP?
Hi all
I failed the CCNA exam last week. Will the questions from the SIM be the same as VTP, EIGRP and ACL 2, or changed?
thx
don’t give up