CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt
Corp1>enable (you may enter “cisco” as it passwords here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
Some modifications:
Modification 1:
| permit host B from accessing finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| deny host B from accessing other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| permit everything else | access-list 100 permit ip any any |
Modification 2:
| Only allow Host C to to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Not allow anyone else in any way communicate with the financial server | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
| - Host C should be able to use a web browser(HTTP)to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| - Other types of access from host C to the Finance Web Server should be blocked - All access from hosts in the Core or local LAN to the Finance Web Server should be blocked |
access-list 100 deny ip any host 172.22.242.23 (because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN) |
| - All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need new version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
Other lab-sims on this site:
@nath
NOOOO…it’s like this:
access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
Remember, deny tcp to all other hosts on port 80…If you deny the ip protocol you would be denying everyone from accessing other resources…
@jimmy
yes that is the list on the money.
and if u see passive interface on EIGRP dont touch it,
and if u cant see the last line of show vtp status ,run the command again and it will appear in the output of the previous command
im sure u will pass,
its very easy
goodluck
@nath
no your list is wrong, in second statement you dont just deny tcp eq 80, you deny all ip traffic so the list written by jimmy above is correct, u just have to insert your given ip addresse infront of words (host), cause they use diffrent ip addresses all the time
for ip addresses in this example here it should look like this
access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
thats it
I need you help URGENTLY!!! I will sit my exam on 27th September, tomorrow.
I want to know what is the different between…..
- Other types of access from host C to the Finance Web Server should be blocked
(access-list 100 deny ip any host 172.22.242.23)
Other types of access from host C to the finance web server should be blocked
(access-list 100 deny ip host 192.168.33.3 host 172.22.242.23)
these are from upper above table……..
which one is right??? I am so complicated about it. Please help meeee.
what should I block??? Host A,B,D or deny Host C could not to ping “ip”
Thanks in advance.
@nath i guess this is the answer, correct me if i’m wrong
access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
access-list 100 deny any host 172.22.242.23
access-list 100 permit ip any any
Guys, it’s:
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
||
access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80 ||
access-list 100 deny tcp any host 172.22.242.23 eq 80 ||
access-list 100 permit ip any any ||
||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
@ Cuban87
Thanks for you help in advance.
Please Let me know….,
So…, is it the fault of 9tut???
Well Lynn Winchester, 9tut has it correct if you look at it…they have the same thing that I have…And no problem bro anything I can help with just ask…I actually passed my exam yesterday lol
@Lynn
i think 1-st acl deny all traffic to server , and second – deny traffic from *.*.33.3
Are you guys referring to ACL 2 ? the answer is:
access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
Then you apply it to the respective interface in the OUTBOUND direction with this command:
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Can’t be more clear guys !!!
@cuban87
dont panic, did u read my 1st comment ? the answers i gave are of the question i got in my exam which i explained how was it in my 1st comment.not the one in 9tut
u will not always get exactly the same question as in 9tut, they put a lil changes sometimes, i explain the changes and what you saw i how to do it cause i got 1000/1000 that means i must be right
@mziwanda I understand and congrats on your score…but the only way you could have scored 1000/1000 is if the question was asking something other than what it’s asking in the ACL Sim 2 from 9tut…you can’t block IP protocol and expect to have access to ANY IP resources…including http, tcp, udp….etc
@cuban87
do you reall understand how access-lists work ? they start to execute top to bottom, that means the lower statement has nothing to do with the upper statement, because if something matching upper statement reach the interface it will be allowed before even consider the lower statements of the lists, saying that means…. as long as a i permit particular resource of ip before denying all ip traffic it doesnt matter that i blocked all ip traffic of host d, because the particular resource was already allowed in above statement,
i hope u get this .
thanks
@cuban87
my question is not exactly the same as 9tut, it had a lil changes
it was like this
1.allow host D to web access of finance server
2.deny all other access of host D to finance server
3.deny all others(core&hosts) to access finance server
4.permit all (core&hosts) to access public web server
@mziwanda
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
I have only 15hour for the exam :S:S:S:S:S
@ Cuban87 Your first line allows host D to use the web browser to browse the Financial server. Then your second line you *block* host D and other hosts from using the web browser to browse financial server. You are you *wrong* Jimmy, jruy and mziwanda above are ALL CORRECT. I would seriously follow what they provided and you will get full marks.
@CiscoER Dude, the hole point of an access-list is not just what’s written in it, but the order in which it appears (it doesn’t matter that I’m blocking everyone on the second line because the host that I want to grant access to has been granted access on the FIRST LINE (D in this case)…I thought everyone was referring to the ACL 2 Sim, which is the one that appears to most people taking the 640-802…if you haven’t read on the top right hand corner, this forum refers to CCNA (640-802)…Thanks
passed in Saudi Arabia today with 947 got EIGRP, VTP and ACL2 the following question was there. thanks 9tut.
- Host C should be able to use a web browser(HTTP)to access the Finance Web Server access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked access-list 100 deny ip any host 172.22.242.23
(because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server * access-list 100 permit ip any host
(If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any”
dt let yourself disturb even if there is a bug which was my case today , the bug took me 40 min but i took myelf up succeded thanks GOD my sims were VTP ACL2 and EIGRP
Just to be sure do we have to apply these access list in outward direction (fa0/1 of corp1) towards server LAN ?? Because as per my understanding extended Access list are best to apply close to the source.
Hi All,
Went through some modifications mentioned above.
deny host B from accessing other servers (not the whole network)
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
Please help me to understand why do we write 0.0.0.15 ? Can we just write
access-list 100 deny ip host 192.168.33.2 any.
Also on which interface this access list needs to be applied.
@ Ahmad: on which interface we need to apply this access list.
@joseph
the main point of this task is to secure the servers so the access-lists are applied at the interface of the servers, “ip access-list out”, after they are routed to that interface.
use “ip interface brief” to check which interface is connected to the serves but in exam they will show you which interface is connected to servers in the topology diagram, so u wont have to check it unless u wanna prove
sorry
“ip access-group 100 out”
100 or 101 or 102 …….or……. whatever, i dont remember the last number
@jimmy
now i dont know which question you are talkin about,but
1.if its the one in 9tut then their solution is 100% correct
2.if its the one i got in my exam ,that i mentioned in my 1st comment then the solution u just wrote above is 100% correct(but for host D the address should be 192.168.33.4)
the thing is i got different ip addresses from mentioned above but the concepts are correct
just passed my ccna 870. sims included vtp, eigrp, acl. thanks 9tut. also used spike662 dump.
Passed the exam with 986, special thanks for the 9tut, spike, CBTnuggest
@ chanaka
would u be kind enough to confirm, did u get ACL or ACL2 sim…..
really important as sitting for the exam 2moro!!!
Hello guys,
I went for CCNA exam today got ACL2 same to same as here apart from host C was host A; EIGRP lab was same to same make sure you do check on all PCs the web browser to both server and when done do the same. There is the passive interface but just ignore it and leave it as it is. for VTP lab I got the 5 questions out from here and where it asked to choose the root switch I just put switch 2 there lolll since everything was the same and even the IP address!!
I want to be very honest I did the CCNA completely in less than 1 month and on top I go to work.. At first I studied the CBT nuggets video for both ICND1 and ICND2 then went for the ACME dumps but didnt know anything so i took the time n studied the chapters where i was having issues in Todd book. Then went back for the dumps. In ACME dumps there are 10 exam papers i did all of them atleast three times. I studied the labs for NAT, VTP, EIGRP AND ACLS only (ONLY EIGRP ACLS2 AND VTP CAME OUT) one day before going for the exam. AND HERE I AM WITH 1000/1000.
TIP :- DO NOT LEARN WHERE THE ANSWERS ARE BUT INSTEAD TRY TO UNDERSTAND WHY ITS THE ANSWER. ALWAYS MAKE GOOD USE OF GOOGLE!!
CCNA PASSED >> GOING FOR CCNP
THANKS A LOT GOD, MY FAMILY , 9TUT, ACME, CBTNUGGETS AND TODD.
I had passed with 947points.
LABS same as 9tut:
ACL2
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
VTP (fa0/4 in vlan33, write two times show vtp status)
EIGRP (ping ISP doesn’t work) but I have max point.
I get some new question. I can’t remember exactly but connect with dhcp ip problem and so on…
Thanks my family and girlfriend and 9tut and Spike!!
Passed with 973 points yesterday. ACL2, VTP and EIGRP for LABS. Thanks 9tut ! Show vtp status on the VTP sim didnt show ‘last modified by …”
I will be Writing mine today
Hi guys! how many marks do one LAB carry and how many questions are in the exam all together?
i had passed with 973
LABS same as 9tut:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
VTP (fa0/4 in vlan33, write two times show vtp status)
text king 100% http://www.examcollection.com/640-802.html
thanks 9tut
@mziwanda
Dude scoring a 1000/1000 on the CCNA test doesn’t mean anything if you haven’t had real world experience…Don’t you know that some people have been on the field for many years, know a lot more than many CCNAs, yet they fail the exam. One thing is theory, taking an exam, and something very different is being able to work on the real world my friend. My supervisor gets many calls from CCIE asking him questions when ever they can’t figure something out, and guess what, he doesn’t have any certifications, but he started working with Cisco since Cisco started this business…and if you read my comment, what you said about the functionality of an access-list, I mentioned it way before you did…lol
@ Cuban87 This is an educational blog. Please tone it down. I don’t see how your comments are helping anyone. And *last* comment to you. The question asked for 3 ACLs, with your thinking/logic, which no one is saying is wrong, 4 ACLs will be generated. Would you lose points for writing more than the required 3 ACLs? That is up to Cisco but everyone here wants to play safe so they are going with 3 ACLs.
@CiscoER
Hey dude, this is hilarious honestly, I apologize if I caused anyone here to be offended it was the last of my intentions. Indeed remember this, where there is no passion there is no fun, I just wanted to add some emotion to the topic. But please I beg you rectify, my post on the access-list only has 3 comments and I emphasize I’m referring to ACL Sim 2. Everyone taking the 640-802 keeps getting ACL Sim 2, that’s why I focused on that one in particular…Once again, I apologize to you and all if I hurt feelings !!! Good Luck To All !!!
Just passed my ccna! 50 questions in 90 mins? Is it same to everyone? My booking says 110 mins.
3 Labs – EIGRP, ACL2 and VT and questions from 9tut/sehkhar/todd lam book with slight changes.
ACL2:
1. Allow host C to access HTTP on Finance svr
2. Block Host C to access any other services on Finance Server
3. Block All other LAN and Core elements to connect F.Server
4. Allow full access to Public and other core services for All
Access-list 100 permit tcp host 192.168.33.3 host 172.22.149.19 eq www
Access-list 100 deny ip any host 172.22.149.19
Access-list 100 permit ip any any
int f0/1
ip access-group 100 out
EIGRP:
New router ‘central2’ connect to ‘cerntral1’ find fault and allow routing b/w all routers, ‘Central2’ hasn’t have access to ISP at this stage. (means your ping test to ISP will fail … so no issues )
Area: 112
First: sh run on Central2 -> remove incorrect area 22 -> now define eigrp with 112 and add networks
Second: add missing network onto Central1 to establish adjacency b/w central2 & central1 … cmd = router eigrp 112 -> network 192.168.33.0
Now test connectivity b/w rotuers using PING cmd
VTP Q:
1. in my case, swAC3 was root bridge for forwarding vtp info – local switch, the ip was 192.168.1.250
2. Tell modal of VLAN-R1 – 2620
3. asked to tell mac address for an ip, i used command show mac address-table instead of SHOW MAC-ADDRESS-TABLE, so carefull
4. what is default gateway IP for host connect to port fa0/4, it was VLAN 22 –Server, and IP is 192.168.22.254
Hi,
have you ever heard or read about a “named access-list” in the ACL2 SIM ???
Instead the numbered or access-list in the description text of the SIM?
thx for Feedback.
@Anonymous, I think it’s not part of ccna exam…. by the way in lab sim … they ask for numbered access list … and for sure you have to define extended one…
God bless u 9tut!!!!!! I failed on the 18th with 775, and just 2 hours ago on my 2nd attempt I did it with 841!!!!!!!!!!!!!!! :):):):) I got EXACTLY the same lab sim!! best of the luck to all the guys that are gonna make the exam in this days!!!
Other types of access from host C to the finance web server should be blocked
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- Other types of access from host C to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
access-list 100 deny ip any host 172.22.242.23
(because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN)
help me plz 2 understand different between these 2 commands :(
Passed with 930 points yesterday. ACL2, VTP and EIGRP for LABS. Thanks 9tut !
@ Danny congrats!! Did you get the same labs as you did on your first try? Someone said you retakers get the NAT lab? Can you verify?
@ ahmed the 1st line block ONLY the ip 33.3 from accessing the financial server. The second line blocks ANY ip from accessing the financial server. ANY means ANY IP.. The reason why we use ANY in the above example is so we can combine both of them into one ACL access-list 100 deny ip any host 172.22.242.23.
@ahmed..I got exactly this sim as u wrote it today..and I got 100% from it..so it’s valid!!
@anonymous..I got exactly the same labs…NO nat!!:)
@ Danny thanks … re no NAT
@ everyone who took exam this week. Were there Passive-interfaces to be removed?
My ACL 2 sim was exactly like this, but without the DNS server…. Host A needed to access www on Finance Server but all other traffic from host A, CORE, etc. gets blocked, then allow all other traffic to access the public server.