CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Also, some modifications of this access-list task have been reported from the exam, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface connected to the Server LAN, because there it can filter traffic coming from both the Sw-2 (Hosts LAN) and Core networks. The Server LAN has been assigned addresses 172.22.242.17 – 172.22.242.30, so we can guess that the interface connected to it has the IP address 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN. This is the interface on which we will apply our access-list, in the outbound direction.
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not Fa0/0) so that it filters traffic coming from both the LAN and the Core networks. An inbound access-list on Fa0/0 would only see traffic entering from the LAN; the Core’s traffic arrives on a different interface and would never be checked.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from reaching the Finance Web Server over HTTP on TCP port 80. If the server supports other services, such as FTP or SMTP, other hosts can still use them, and HTTPS on TCP port 443 is not matched by “eq 80” either.)
Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
Some modifications:
Modification 1:
- permit host B from accessing the finance server:
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- deny host B from accessing the other servers (not the whole network):
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
- permit everything else:
access-list 100 permit ip any any
(The order matters here: the specific permit for the Finance Web Server has to come before the deny that covers the whole Server LAN, 172.22.242.16 with wildcard 0.0.0.15, because a packet is handled by the first statement it matches.)
Modification 2:
- Only allow host C to access the financial server:
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- Do not allow anyone else to communicate with the financial server in any way:
access-list 100 deny ip any host 172.22.242.23
- Allow all other traffic:
access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or local LAN to the Finance Web Server should be blocked:
access-list 100 deny ip any host 172.22.242.23
(because the requirement says we cannot use more than 3 statements, one statement with “any” has to cover host C’s other traffic as well as the hosts in the Core and in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *:
access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it has to give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
- Host C should be able to use a web browser to access the financial web server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the finance web server should be blocked:
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the Core and on the local LAN should be able to access the Public web server *:
access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* Some reports say that for the requirement “All hosts in the core and on the local LAN should be able to access the Public web server” the command that is scored as correct is “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is the better fit for the requirement, you should probably use the first one, “access-list 100 permit ip any any”, because several reports say they scored 100% with it (even when the question gives the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
And in the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and adapt the access-list accordingly.)
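To see the behaviour the sim depends on without a router, here is an added example; it is not from this page and not Cisco code. It is a small Python model of the statement forms used above: it parses the three statements of the answer and the three of Modification 1 exactly as written on this page, then evaluates constructed packets for host C, host A, the Core address 198.18.196.65 and the Finance and Public Web Server IPs from the question. The IOS rules it keeps are the ones that matter for the task: statements are tried in order and the first match wins, “ip” matches any protocol while “tcp … eq 80” matches only HTTP (so a ping still gets through, and so does HTTPS on 443), anything unmatched hits the implicit “deny ip any any”, and a port operator on an “ip” statement is rejected, which IOS also refuses. The class names, the Packet fields and the sample packets are the example’s own inventions.

```python
"""Toy evaluator for the IOS extended access-list statements used in this sim.
Added example, not from the page or from Cisco. It handles only the forms seen
here: access-list <n> permit|deny ip|tcp <src> <dst> [eq <port>], with <src>/<dst>
as 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Like IOS, the first matching
statement wins and a packet matching nothing hits the implicit 'deny ip any any'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (address, wildcard mask), both as ints

@dataclass
class Packet:
    proto: str  # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str  # 'permit' or 'deny'
    proto: str   # 'ip' (any protocol) or 'tcp'
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]  # set only when the statement ends with 'eq <port>'

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one address spec from the front of tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":  # 'host X' is shorthand for 'X 0.0.0.0'
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_acl(config: str) -> List[Rule]:
    """Parse 'access-list N ...' lines in the order they were typed."""
    rules = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            if proto == "ip":  # IOS rejects a port operator on an 'ip' statement
                raise ValueError(f"'eq' needs tcp or udp, not ip: {line}")
            dport = int(rest[1])
        rules.append(Rule(action, proto, src, dst, dport))
    return rules

def _addr_match(spec: AddrSpec, ip: str) -> bool:
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a 1 bit in the wildcard means "don't care"
    return (addr & care) == (_ip(ip) & care)

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt, IOS first-match style."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"  # the implicit deny ip any any at the end of every ACL

# The answer from the page (applied outbound on Fa0/1).
MAIN_ACL = """
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
"""
# Modification 1: the specific permit must precede the broader deny covering
# the Server LAN (172.22.242.16 0.0.0.15), or host B loses the Finance server too.
MOD1_ACL = """
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
access-list 100 permit ip any any
"""
FINANCE, PUBLIC, CORE = "172.22.242.23", "172.22.242.17", "198.18.196.65"

if __name__ == "__main__":
    rules = parse_acl(MAIN_ACL)
    # Constructed sample packets, not captured traffic.
    for label, pkt in [
        ("host C HTTP to Finance", Packet("tcp", "192.168.33.3", FINANCE, 80)),
        ("host A HTTP to Finance", Packet("tcp", "192.168.33.1", FINANCE, 80)),
        ("Core HTTP to Finance", Packet("tcp", CORE, FINANCE, 80)),
        ("host A ping to Finance", Packet("icmp", "192.168.33.1", FINANCE)),
        ("host A HTTPS to Finance", Packet("tcp", "192.168.33.1", FINANCE, 443)),
    ]:
        print(f"{label:24s} -> {evaluate(rules, pkt)}")
```

Run it with python3 and then remove the final “permit ip any any” from MAIN_ACL: the ping from host A to the Finance Web Server flips from permit to deny, which is exactly what the third statement is there to prevent. Swapping the first two lines of MOD1_ACL shows the ordering problem in the same way.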
I created this sim in Packet Tracer v5.2.1 so you can practice with it; you will need Packet Tracer v5.1 or newer to open it.
Download this sim here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt
Notice: After typing the commands above, if you “ping” from the other hosts (PC0, PC1, PC3), PC4 (Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server. Our access-list has to be placed so that it can filter this traffic too.
@ hi
I don’t give up, I am just asking: if I take the exam again next week, will the sim be the same or not?
Has anyone failed and then taken the exam again? Is the sim still the same?
Hi All
I have a doubt. When creating an access list, where should I type “tcp” and where should I type “ip”?
“access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80”
“access-list 100 deny ip host 192.168.33.3 host 172.22.242.23”
In the 1st command I see “tcp” and in the 2nd command I see “ip”. Why is that? Please explain.
Thanks a lot :-)
Cheers :-)
@Abs619…
It depends on the question. In the lab they asked for blocking or allowing HTTP, which uses port 80, and you have to know that HTTP uses TCP for communication, therefore we have to use tcp….
By using ip in a permit command we make everything accessible, like telnet, HTTP, FTP etc….
In conclusion, if you want to allow every protocol to be used then you put ip, but if you want to prevent some of the resources then go with tcp, icmp or whatever you wish to prevent……
Hope this helped….
I pass CCNA on 18 Sep with 960/1000.
The dump ACME-640-802 v2013-08-06 by acme (649q) is 100% valid; it is just that the multiple-choice sequence is changed.
The simulations were NAT 2, ACL 2 and VTP. In the ACL 2 simulation I had:
- Host A should be able to use a web browser to access the financial web server
- Other types of access from host A to the finance web server should be blocked
- All hosts in the core and on the local LAN should be able to access the Public web server
For the first and second statements I used the same commands as stated on 9tut, but for the 3rd statement I used “access-list 100 permit ip any host XXX.XXX.XXX.XXX (Public web server IP addr)” and I got only 60% in my score for NAT.
So I think the correct command for the 3rd statement is access-list 100 permit ip any any.
Hope this helps. Good luck
Is there a lab for NAT?
Which one, NAT 1 or NAT 2?
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
How do I do the ping? How do I check the IP?
download latest dumps from
9 t u t . w e e b l y . c o m
Hi all, please can anybody help me with this? In each modification to this laboratory, would the ACL be added on the fa0/1 “out” interface? Because in the first modification listed:
permit host B from accessing finance server
deny host B from accessing other servers (not the whole network)
permit everything else
the access-list could be added on fa0/0 “in”.
Please answer this, I have my exam in two days.
This sim came yesterday; only the IPs of the hosts were changed, e.g. 192.168.212.4. I did it as given but I don’t know why the 1st configuration did not work.
Corp1(config)#access-list 100 permit tcp host 192.168.212.3 host 172.22.242.23 eq 80.
An error was showing at the IP address. Though the rest of the configuration worked, the overall configuration became wrong. A lot of time wasted and I got no score for this. I could score only 788 :( I failed. Now I have to prepare again for the new CCNA 200-122. Feeling terrible :(
RETAKE – Do you get a different lab sim on your second attempt? I heard when you retake, they replace one of the labs with NAT lab. Can anyone one confirm this?
@ Isabel “out” is correct. Don’t stress over that. Just use “out” and figure it out after your exam, but Cisco is not changing it. You have traffic from both LAN and Core. “in” will *not* filter Core traffic.
Do I need to ping after I have written all of the above configuration?
If I finish the sim without the ping command, will I lose some points?
Can anyone help me?
Alhamdulillah
Just today I passed the new CCNA 200-120 with a score of 917/1000
Thank you 9tut
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
Router(config)#access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
Router(config)#access-list 100 permit ip any any
Router(config)#interface fastethernet0/1
Router(config-if)#ip access-group 100 out
Router(config-if)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
[OK]
I need to verify whether I am missing a command.
Permit host B from accessing the finance server
Deny host B from accessing the other server (not the whole network)
Permit everything else. When I open host B’s browser to check if host B is allowed to access the finance server, it looks fine, but why can hosts A, C and D also access the finance server? Thanks,
Guys,
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
How do I do the “PING”? Need a fast response please
I passed my exam today . Sims were VTP, ACL2, and EIGRP
This is excellent. Thanks 9tut
I passed my exam today Sims were VTP with the new question, ACL2 and EIGRP
I’ve got confused with doing this ping!
After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
How can I do that? Where do I start? Please help me!
@ Jack – First of all, forget pinging. You need to run just 1 test after you complete your ACLs and save your config: 1) If the ACL allows Host-C to browse the Finance Server – click on Host-C, like you did above, and type in the IP of the Fin Server. It should be able to browse the Fin Svr – and your results are working. Move on to the next question.
But I am not sure what you are asking. You seem to have it right. Do you have the Cisco Packet Tracer program? That is what you will need to be able to do the above. You cannot do it from the topology above.
9tut has the Packet Tracer somewhere around on this site.
@ Fox you did *not* block HTTP traffic. You need to add tcp and eq 80 to your first ACL. See { }: Corp1(config)#access-list 100 permit { tcp } host 192.168.33.2 host 172.22.242.23 { eq 80 }. This will permit Host-B web access to the Fin Svr. Your ACLs had no mention of HTTP {port 80}, yet you are using the web browser to test it…. not right.
@ CiscoER
I failed last week; tomorrow is my 2nd exam. Any changes for the LAB? Last week I got VTP, EIGRP and ACL2. For my 2nd exam tomorrow, will it be changed? What about NAT?
Hmmmm, crucial moment to pass but awesome!!! I passed the exam
thanks for the Following
9tut.com – you’re the best
testking reviewer
jeremy video lab
dancourse.com video lab
and etc..
Please…!! How can I see the Core traffic to the Finance Server?
subhsamal,
I had the same problem as you described with this SIM on my exam today. The error pointed at the IP address. Did we forget to put “ip” between permit and host?
@Don
If you use “ip”, you can’t do protocol filtering.
access-list 100 permit ip host 192.168.33.1 host 172.22.242.23
OR!!!
access-list 100 permit tcp host 192.168.33.1 host 172.22.242.23 eq 80
Could you explain exactly what the problem was in the real exam?
permit host B from accessing finance server:
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
deny host B from accessing other servers (not the whole network):
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit everything else:
permit ip any any
Please, does it mean that for the other hosts, if you open the desktop web browser and type the IP of the financial server, e.g. http://172.22.242.23, you will not get a reply?
Please answer me because it is urgent
Please check this out!
1) Host C should be able to use a web browser to access the financial web server
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
2) Other types of access from host C to the finance web server should be blocked
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
>> All access is allowed from hosts in the Core or local LAN to the Finance Web Server, Public Web Server and DNS Server <<
interface FastEthernet0/1
ip access-group 100 out
end
copy run start
The second line doesn’t make sense; it should be something like:
2) access-list 100 deny ip any host 172.22.242.23
All access from host C, hosts in the Core or local LAN to the Finance Web Server should be blocked…
3) access-list 100 permit ip any any
Does the “?” key work in the ACL2 sim in the exam? Please, someone reply
@mziwanda
Yes, “?” works~
@ reci The second line (access-list 100 deny ip host 192.168.33.3 host 172.22.242.23) in your first example *is fine* BUT the exam requires you to write just 3 ACLs, so use your second example: 2) access-list 100 deny ip any host 172.22.242.23
@ nadane you should try it in your Packet Tracer. But why are you asking whether the other hosts can *web browse* the financial server? The ACLs you have did not block or deny web browsing access – there is no TCP or EQ 80 in your ACLs. And doing that test will not get you points because it is not asked. However, the answer is YES. The other hosts will *not* be able to web browse the financial web server. They can PING the web server though.
@ Dimmax someone said on your second try they replace one of your previous labs with NAT. I cannot confirm or deny that. But do study NAT.
Thank GOD !!! Thanks 9tut you guys are the best I passed my CCNA exam today with 907…On the test I got ACL 2, EIGRP and VTP SIM…
Refer to
access-list 100 permit ip any host
(The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any”
It’s wrong because it can’t block the rest from accessing the www web server;
instead use “access-list 100 permit ip any host 172.22.242.17” because it meets the requirement
9TUT BEST CISCO SITE EVER!!!! Passed my CCNA 640-802 exam today. Thanks 9tut. EIGRP, access list and VTP labs all the same as on the site, just the numbers were different
Regarding the command in:
“There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.” – how do I make this run?
You don’t have the Public Web Server address in the exam, so you have to go with permit ip any any
had this in my exam today
Alhamdulilaah, I passed my CCNA Exam on 25 Sept score of 973/1000, the Simulations were EIGRP, VTP and ACL2, those who are preparing good luck to you
Thanks 9tut, thanks 9tut… all sims from 9tut: ACL, EIGRP, NAT… Just the IP and AS number were changed.
Study these materials Examcollections, Toddlamle, CBT Nuggets
suny, congratulations. Are you saying that NAT was there? And what about the MCQ questions?
I just passed the CCNA exam 1 hour ago. 894/1000.
I read Sybex book and practiced on #ExamCollection dumps + 9tut labs.
Labs were VTP, ACL, EIGRP.
Thanks and all the best to everyone. :)
I just put it to bed with 1000/1000 a few hours ago,
Thank you JESUS
thanks to 9tut, examcollection.com, spike, sekhar, acme, todd lammle, CBTNuggets.
i had EIGRP, VTP, ACL 2,
I want to lay down a few things concerning sims
EIGRP – the EIGRP number was 122, so don’t cram, and also there was a passive interface and a default route on the R1 router to ISP. I tried to undo the passive because I wasn’t able to ping ISP from R3, but I couldn’t, so I left it as it is; I guess I was right
VTP – there is a bug in show vtp status because the info “… last modified by x.x.x.x” is not displayed at first, so I wrote the command again and the second time the “last modified” information is displayed in the output of the previous command.
ACL 2 – it was a bit tricky because they asked that host D, not C as here, be able to access the web of the finance server, then all other access of host D to the finance server denied, nobody should be able to access the finance server, meaning Core and other hosts, and the last was Core and the hosts can access the Public web server (and the IP address of the Public web server was given). It is tempting to use permit ip any host x.x.x.x for allowing all users to use the public web server because the IP address is given, but I used permit ip any any, and I was right
goodluck to you all
@mziwanda is this the correct ACL?
access-list 100 permit tcp host host eq 80
access-list 100 deny ip any host
access-list 100 permit ip any any
I am taking the exam tomorrow gyáááááá
Hi all, Just passed my Cisco exam with 920/1000. Lab sims were EIGRP, VTP and ACL2. Thanks for this resourceful website. All the best to those writing.
@mziwanda can you give the correct ACL that you would use if host D is used, not host C? Thanks, God bless.
access-list 100 permit tcp host 192.168.33.4 ost 172.22.242.23 eq 80
access-list 100 deny ip any host 17.22.242.23 eq 80
access-list 100 permit any any
is this right for host D?