
CCNA Access List Sim 2

February 15th, 2014

Question

A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.

The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.

All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17

access_list_sim2.jpg

Answer and Explanation

(Note: If you are not sure how to use an access-list, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications to this sim have been reported, so you should also read the “Some modifications” section at the end of this question. You can also download this sim to practice with (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)

Corp1>enable (enter “cisco” as the password here)

We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.

Corp1#show running-config

access_list_sim_show_running.jpg

We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).

Corp1#configure terminal

Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via the web (TCP port 80):

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Deny other hosts access to the Finance Web Server via web

Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

All other traffic is permitted

Corp1(config)#access-list 100 permit ip any any

Apply this access-list to Fa0/1 interface (outbound direction)

Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out

Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, it could only filter traffic from the LAN network.

In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.

Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.

Finally, save the configuration

Corp1(config-if)#end
Corp1#copy running-config startup-config

(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
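To see how IOS evaluates these three statements in order, and why the Notice above insists on Fa0/1 outbound, here is an added Python model of ACL 100 (example code written for this page, not part of the sim, of Cisco IOS or of 9tut). The addresses are the sim's; the test packets and the placement labels "fa0/1 out" and "fa0/0 in" are constructed for the demonstration.

```python
from ipaddress import ip_address

# Addresses from the sim; the packets checked against them are constructed for this example.
HOST_C, HOST_A, CORE = "192.168.33.3", "192.168.33.1", "198.18.196.65"
FINANCE, PUBLIC = "172.22.242.23", "172.22.242.17"
HOSTS_LAN = ("192.168.33.0", "0.0.0.255")    # the LAN behind Fa0/0
SERVER_LAN = ("172.22.242.16", "0.0.0.15")   # the LAN behind Fa0/1

def ip2int(s):
    return int(ip_address(s))

def wc_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~ip2int(wildcard) & 0xFFFFFFFF
    return (ip2int(addr) & care) == (ip2int(network) & care)

def parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny ip|tcp SRC DST [eq PORT]' as used on this page."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, src, dst, port

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First matching entry wins; the unwritten 'deny ip any any' ends every ACL."""
    for line in acl_lines:
        action, aproto, asrc, adst, aport = parse_ace(line)
        if aproto != "ip" and aproto != proto:
            continue                  # a 'tcp' entry never matches ICMP or UDP
        if aport is not None and aport != dport:
            continue                  # 'eq 80' leaves FTP, SMTP, ... unmatched
        if wc_match(src, *asrc) and wc_match(dst, *adst):
            return action
    return "deny"

ACL_100 = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]

def verdict(acl_lines, placement, proto, src, dst, dport=None):
    """Verdict for a packet given where the ACL is applied ('placement' is a label made up here).
    'fa0/1 out' sees everything leaving towards the Server LAN, from the Hosts LAN and the Core;
    'fa0/0 in' only sees packets entering from the Hosts LAN, so Core traffic is never filtered."""
    if placement == "fa0/1 out":
        seen = wc_match(dst, *SERVER_LAN)
    elif placement == "fa0/0 in":
        seen = wc_match(src, *HOSTS_LAN)
    else:
        raise ValueError("unknown placement: " + placement)
    return evaluate(acl_lines, proto, src, dst, dport) if seen else "permit"
```

Swapping the second entry for the Modification 2 form, deny ip any host 172.22.242.23, makes the FTP and ICMP checks return deny as well.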

Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.

Some modifications:

Modification 1:

Permit host B to access the Finance server:
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
Deny host B from accessing the other servers (not the whole network):
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
Permit everything else:
access-list 100 permit ip any any

Modification 2:

Only allow host C to access the Finance server:
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
Do not allow anyone else to communicate with the Finance server in any way:
access-list 100 deny ip any host 172.22.242.23
Allow all other traffic:
access-list 100 permit ip any any

Modification 3:

- Host C should be able to use a web browser (HTTP) to access the Finance Web Server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked:
access-list 100 deny ip any host 172.22.242.23
(Because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN; the same statement also blocks the other types of access from host C.)
- All hosts in the Core and local LAN should be able to access the Public Web Server: *
access-list 100 permit ip any host (IP of Public Web Server)
(If the question asks this, surely it has to give you the IP of the Public Web Server, but in the exam you should use “access-list 100 permit ip any any”.)

Modification 4:

Host C should be able to use a web browser to access the Finance Web Server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked:
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the Core and on the local LAN should be able to access the Public Web Server: *
access-list 100 permit ip any host (IP of Public Web Server)
(The IP of the Public Web Server will surely be given in this question, but in the exam you should use “access-list 100 permit ip any any”.)

* There are some reports about the command for “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.

(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out

And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)

I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a newer version of Packet Tracer (v5.1+) to open it.

accesslist_sim2_packet_tracer.jpg

Download this sim here

Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.

accesslist2_test_http.jpg

And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.


Comments
  1. Mike
    October 15th, 2012

    @Arif

    gimj has a good comment. I’m with him

  2. Arif
    October 16th, 2012

    @Mike

    Thanks again bro.

  3. akkii
    October 16th, 2012

    @gimj

    Thanks for the explanation. Just for my understanding, if the assigned addresses are from 172.22.242.37 – 172.22.242.70 then the n/w id would be 172.22.242.32 and the wildcard mask would be 0.0.0.31. Am I right? Correct me if I'm wrong.

  4. Xyz
    October 16th, 2012

    @akii

    The wildcard mask 0.0.0.31 will only span from .32-.64.

  5. gimj
    October 16th, 2012

    @ akkii
    if your NID is .32 and wildcard is 0.0.0.31 it would block from .32 to .63. Remember, .64 would be the next subnet.

  6. akkii
    October 16th, 2012

    @gimj

    thanks

  7. Ella
    October 16th, 2012

    Just one more question please, must I always use the START of the network address?

  8. soopros
    October 16th, 2012

    Hi, look, my question is: let's say the statement says you have to apply the access list on the interface where the address belongs, in this case fa0/1, right?

    What about if you have to apply it on int fa0/0? Will it change the access-group, whether it is OUT or IN?
    Please!

  9. soopros
    October 16th, 2012

    because it came up in my exam so I don't know if I got it right

    I put OUT

  10. soopros
    October 16th, 2012

    We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).

    so if it was fastethernet0/0 it would be applied in the inbound direction??

  11. Mike
    October 16th, 2012

    @soopros

    No, the direction does not change. If you saw fa0/0 instead of fa0/1 in a topology, why would you change the direction?

  12. akkii
    October 17th, 2012

    @Ella

    Let’s say that you want to block access to part of the network that is in the range from 172.16.8.0 through 172.16.15.0. That is a block size of 8.
    Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and go up a block size of eight addresses to network 172.16.15.0. In our example, the wildcard would be 7 since our block size is 8. If you used a block size of 16, the wildcard would be 15.

    Another example

    access-list 10 deny 172.16.16.0 0.0.3.255

    This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.255.

    Hope it helped.

  13. akkii
    October 17th, 2012

    All you have to do is remember that the wildcard is always one number less than the block size.
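The block-size rule from the two comments above, and the 172.22.242.37 – 172.22.242.70 question from comment 3, worked through in an added Python example (written for this page, not posted by any commenter). block_range() expands a network/wildcard pair into the addresses it matches, is_proper_block() rejects misaligned or non-contiguous pairs, and cover() does the reverse, splitting any range into the aligned blocks a standard ACL would need:

```python
from ipaddress import ip_address

def ip2int(s):
    return int(ip_address(s))

def int2ip(n):
    return str(ip_address(n))

def block_range(network, wildcard):
    """First and last address matched by 'network wildcard' when the pair is a
    proper block: wildcard bits contiguous at the low end and the network aligned
    to them. IOS accepts other combinations, but they rarely mean what was intended."""
    net, wc = ip2int(network), ip2int(wildcard)
    if (wc + 1) & wc:                 # wc + 1 must be a power of two
        raise ValueError("wildcard %s is not a contiguous block" % wildcard)
    if net & wc:                      # network must start on a block boundary
        raise ValueError("%s is not aligned to wildcard %s" % (network, wildcard))
    return int2ip(net), int2ip(net | wc)

def is_proper_block(network, wildcard):
    """True when block_range() would accept the pair."""
    try:
        block_range(network, wildcard)
        return True
    except ValueError:
        return False

def cover(first, last):
    """Minimal list of (network, wildcard) pairs matching exactly first..last.
    Each wildcard is (block size - 1), the rule from the comments above."""
    lo, hi = ip2int(first), ip2int(last)
    out = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and does not pass hi
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((int2ip(lo), int2ip(size - 1)))
        lo += size
    return out

def standard_acl(number, action, first, last):
    """Render cover() as numbered standard-ACL statements (constructed helper),
    e.g. 'access-list 10 deny 172.16.16.0 0.0.3.255'."""
    return ["access-list %d %s %s %s" % (number, action, net, wc)
            for net, wc in cover(first, last)]
```

The .37 – .70 range is not block-aligned, so cover() needs seven statements for it, whereas a single 172.22.242.32 0.0.0.31 matches .32 – .63 exactly as gimj says.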

  14. Arif
    October 17th, 2012

    @9tut and @All

    Some people say that they got a strange question about NAT and ACL

    “Implement, verify, and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network”

    and also they can't get above 40% marks.

    What are the requirements of this question and how do you solve it?

    Please answer this question. I am taking the exam next week. Please…

  15. Oct18
    October 17th, 2012

    @ Arif
    I have mine tomorrow and I'm worried about this question.

  16. gimj
    October 17th, 2012

    Passed yesterday with 947, this site rocks! Know your ACL, EIGRP and VTP sims! They are on the exam.

  17. 19oct950pts
    October 17th, 2012

    @18oct
    Please, if you go tomorrow, tell me what you have seen in the sims (what is the scenario of the ACL, some VTP questions, and what about EIGRP). I must write too this Friday, a day after you. I need your help please. I will wait for comments. Thanks and good luck. I know that you will pass.

  18. Oct18
    October 17th, 2012

    @ 19oct950pts
    I will update you after the exam. Thanks.

  19. sassiiiii
    October 17th, 2012

    My exam date is next Saturday.. I am very confused about it.. especially the labs. Are you sure guys that the sims are only VTP, ACL and EIGRP??

  20. Richard
    October 17th, 2012

    @ gimj please can you tell me the dumps you read for the CCNA exam. Did you see any question like implement, verify and troubleshoot NAT and ACL?

  21. Oct18
    October 17th, 2012

    The expected sims are VTP, ACL2 and EIGRP but to be on the safer side study all the labs on 9tut.

  22. Arif
    October 18th, 2012

    @18Oct

    Good luck for your exam and don’t forget to share your experiences.

    I am taking my exam next week.

  23. kashif
    October 18th, 2012

    Hello guys,
    please let me know: can I use the ( ? ) question mark in the exam? And when I complete my configuration, what do I need to type at the end (just end, or copy running-config startup-config as well), or anything else?

  24. kashif
    October 18th, 2012

    Anyone please send me the shaker dumps to my email, I will be very thankful.
    ks_jafry@yahoo.com

  25. Rose
    October 18th, 2012

    Hi guys, I would like to ask about an update regarding the exam.. what are the latest set of laboratory simulations on the actual CCNA exam? Is it still EIGRP, VTP and ACL2? I will be having my exam by Monday, 22nd of Oct..
    Thanks and best regards.. :)

  26. Kenn
    October 18th, 2012

    @ Rose. I will be having my exam on the 20th of this month. So I will update you if there's a change in the sim questions.

  27. cshockley
    October 18th, 2012

    Any suggestions as to how to open .pkt files without having to buy something like PCCleaner? Thanks.

  28. Mike
    October 18th, 2012

    @cshockley

    .pkt stands for Packet Tracer File

    Install it and open :)

  29. G. Abbas
    October 18th, 2012

    Hi 9tut, thanks a lot for providing such comprehensive study material for CCNA. I have been going through this material for the last 4 weeks and failed my exam today with 788/1000. I am utterly disappointed, and please can I have some idea why I got 0% in the section ”Implement, verify and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network”. Although I configured the ACL according to the sim described here, there was an additional statement to create in the access list and that was “Other types of access from host C to the Finance Web Server should be blocked”, and I did it as “access-list 100 deny ip host 192.168.33.3 host 172.22.242.23”. Any suggestions please????

  30. 19oct950pts
    October 18th, 2012

    @18 oct
    Please, what was the dump that you used? And how many new questions did you see? I have my exam tomorrow, so tell me.

  31. Arif
    October 19th, 2012

    @G. Abbas

    Would you please tell me what they required you to do in the exam? Did you write the ACL with exactly 3 lines or more, and what were those lines? And did you save your configuration at the end?

    Oh! I forgot to ask you: did you find anything to do with NAT? I mean create a NAT pool and apply it to the inside and outside interfaces in the question ”Implement, verify and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network”.

    Your response will be great for us because most people are anxious about this question. So I request you to reply with what you saw in the exam and what you did.

  32. Arif
    October 19th, 2012

    @ G. Abbas

    What was the dump that you used for exam please?

  33. Swapnil
    October 19th, 2012

    hi
    I gave my exam on 17th Oct and I failed…. :( got 788/1000….
    got the 3 usual sims VTP, EIGRP and ACL2.. the first two are the same as here… in ACL I got the 2nd statement from some modification on this blog saying “deny host B from accessing the OTHER server (not the whole network)”….
    I hope it will help someone…

  34. Oct18
    October 19th, 2012

    for the ACL2 THIS WAS MY Q

    - Host C should be able to use a web browser (HTTP) to access the Finance Web Server
    - Other types of access from host C to the Finance Web Server should be blocked
    - All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
    - All hosts in the Core and local LAN should be able to access the Public Web Server
    Only the IP addresses change.

    my answer was
    access-list 100 permit tcp host 192.168.175.3 host 172.22.81.17 eq 80
    access-list 100 deny ip any host 172.22.81.17
    access-list 100 permit ip any any
    int fa0/1
    ip access-group 100 out
    end
    copy running-config startup-config and I got 100% on the sim
    remember:
    the “Implement, verify and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network” is the ACL/NAT question in general BUT Cisco is only using ACL2 FOR NOW, WHICH IS THE ONE ABOVE, so no need to worry, but my advice is you just have to know them all in case Cisco changes their questions.
    my EIGRP was the same as here, only the IP addresses change.
    my VTP was QUESTIONS 1, 5, 6, 7 AND (8), but question 8 was changed to an IP address one, which I would like you guys to comment about. The question says:
    Out of which ports will a frame be forwarded that has source IP address 192.168.34.2 and destination IP address 192.0.23.1? (Choose three) I just guessed on this one.

    finally my score was 967, my dumps were brar, sekhar, CBT Nuggets, examcollection and above all 9tut thank u a

  35. zimzim
    October 19th, 2012

    Hi all
    What's the difference between
    #access-list 100 deny tcp any host xxxx and
    #access-list 100 deny ip any host xxxx

  36. Ghulam Abbas
    October 19th, 2012

    @ Arif, I used the sekhar dump and 9tut, but the majority of the questions were from this site.

  37. jagzeer
    October 19th, 2012

    Hi All,

    FYI.

    You can use “?” and tab in the exam. Shortcuts also work well.

    Try to experiment when you’re in the exam.

  38. Rose
    October 19th, 2012

    @Kenn: how was your exam? Hope it went well. Any updates on the lab sims?

    @all: is it still the same? I mean the lab sim set being ACL2, VTP and EIGRP? I will be having my exam on the 22nd.. thanks..

  39. Waleed
    October 19th, 2012

    Hey 9tut
    I want to know whether in the exam the IP addresses of the server LAN or of the Host LAN will be contiguous numbers or not. I mean a simple wildcard just like you mentioned in modified task 1, 172.22.242.16 0.0.0.15, or do we have to write a wildcard mask for a non-contiguous network?
    please reply.

  40. Arif
    October 19th, 2012

    @Oct18

    Thanks bro for sharing your experience and especially for the meaning of “Implement, verify and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network”. I was worried about that but now I feel good.

    Having my exam on 22Oct.

  41. Arif
    October 19th, 2012

    @Ghulam Abbas

    Thanks brother.

  42. Anonymous
    October 19th, 2012

    Labs were ACL2, VTP, and EIGRP today.

  43. 19oct950pts
    October 20th, 2012

    Passed CCNA yesterday with 973/1000. Sims same as on 9tut, only the IP has changed and the autonomous number. VTP: 5 questions. ACL: permit host B, deny other hosts access to the finance server. IP has changed too. I used sekhar and brar for the new questions; from 380 to 631q there are a lot of new questions there that are not in sekhar, but I got only 2 or 3 new questions; the rest are from sekhar 697q.
    Thanks mike, 18oct, arif, 9tut, sekhar and examcollect

  44. Richard
    October 20th, 2012

    Thanks to God almighty, I passed CCNA today with 960/1000. Labs are ACL2, EIGRP and VTP.

  45. jorgen
    October 21st, 2012

    I passed my exam on friday these are good dumps:

    http://www.multiupload.nl/3DL4TBN1BO

    you study these questions and the labs on 9tut.com and you will be fine!

    good luck :)

  46. soopros
    October 21st, 2012

    @richard
    implement, verify and troubleshoot NAT and ACL: these are all the questions related to ACL and NAT, including the ACL simulator in the exam. The most complicated simulator is the access list, make sure you know it right.

  47. soopros
    October 21st, 2012

    @ Mike I was just wondering, as we can't see it on the topology. Thanks a lot.

  48. Kuroido
    October 22nd, 2012

    Passed the Exam today.. 933/1000

    Sekhar dumps still valid..

    just encountered 3 new questions (can't remember) but all the others are still in the dumps..
    laboratories are still the same, VTP, ACL2 and EIGRP.. the details like IPs and AS are the only things that are changed..

    on VTP, got questions 1,2,4,6 and 8..
    on EIGRP, AS is 112..
    on ACL2, got the one below..

    —————————————————————————————————————
    - Host C should be able to use a web browser (HTTP) to access the Finance Web Server
    - Other types of access from host C to the Finance Web Server should be blocked
    - All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
    - All hosts in the Core and local LAN should be able to access the Public Web Server *

    I ans:
    - access-list 100 permit tcp host (IP of Host C) host (IP of Finance web server) eq 80
    - access-list 100 deny ip any host (IP of Finance web server)
    - access-list 100 permit ip any any

    - interface fa0/1
    - ip access-group 100 out

    - copy running-config startup-config
    —————————————————————————————————————

    1st of all, thanks to our creator, God..
    to Rivan IT, MNET IT and 9tut!!..

  49. kpobuibo
    October 22nd, 2012

    copy run start – very important!

  50. ejb
    October 22nd, 2012

    what is the new sim?
