CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Some modifications to the access-list have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. This is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via web, but if this server supports other traffic – like FTP, SMTP… – then other hosts can still access it.)
Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
Some modifications:
Modification 1:
permit host B to access the finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
deny host B access to the other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
permit everything else | access-list 100 permit ip any any |
Modification 2:
Only allow Host C to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
Do not allow anyone else to communicate with the financial server in any way | access-list 100 deny ip any host 172.22.242.23 |
Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
- Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN) |
- All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (if the question asks this, it will surely give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the command for “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
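To see why the statements above behave as described (HTTP from host C permitted, HTTP from any other LAN or Core host denied, everything else still permitted), here is a small first-match evaluator written for this page. It is an added example, not IOS code or anything from 9tut; it parses the page's own `access-list 100` lines, including the address/wildcard form used in Modification 1, and applies the implicit deny that ends every IOS ACL.

```python
# Constructed model of a Cisco IOS extended numbered ACL (first match wins, implicit deny).
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(t, i):
    # One address spec: "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (address + wildcard mask)
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def parse_ace(line):
    # e.g. "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80"
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto = t[2], t[3]
    src, swc, i = _parse_addr(t, 4)
    dst, dwc, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return action, proto, src, swc, dst, dwc, dport

def _wild_match(addr, base, wildcard):
    # Wildcard semantics: a 1 bit means "don't care", a 0 bit means "must match"
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one flow, the way IOS walks the list."""
    for line in acl_lines:
        action, p, s, swc, d, dwc, port = parse_ace(line)
        if p != "ip" and p != proto:          # "ip" matches every protocol
            continue
        if not (_wild_match(_ip(src), s, swc) and _wild_match(_ip(dst), d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action                         # first match wins
    return "deny"                             # implicit deny any any

# The three statements from the answer above: only HTTP to the Finance Web Server is filtered.
ACL_HTTP_ONLY = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]
# Modification 1: wildcard 0.0.0.15 on 172.22.242.16 covers the block 172.22.242.16 - .31.
ACL_MOD1 = [
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
]
```

evaluate(ACL_HTTP_ONLY, "tcp", "192.168.33.1", "172.22.242.23", 21) returns "permit", which is the FTP/SMTP caveat noted above; swapping the second line for "access-list 100 deny ip any host 172.22.242.23" (Modification 2) closes that gap.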
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a new version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
Wildcard mask for 10.0.0.16 to 10.0.0.23 is 0.0.0.7:
16 will be written in binary like:
128 64 32 16 8 4 2 1
  0  0  0  1 0 0 0 0
Same way, 23 will be:
128 64 32 16 8 4 2 1
  0  0  0  1 0 1 1 1
so, as you can see, the first 5 bits match, which is equivalent to a subnet mask of 248
We need a wildcard mask, which will be 255-248=7
Hence, the wildcard mask will be 0.0.0.7
Hope it helps!
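The same derivation in code, added here as an example and not part of the comment above: it finds the shared leading bits of the first and last address (the subnet mask), takes the wildcard as its complement, and reports when a range is not one aligned block that a single address/wildcard pair can express (for instance the Server LAN's 172.22.242.17 – .30, which is why Modification 1 above uses 172.22.242.16 0.0.0.15).

```python
import ipaddress

def wildcard_for_range(first, last):
    """Return (base, subnet_mask, wildcard) as dotted strings for the block first..last,
    or None when the range is not exactly one aligned block."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address must not be greater than last")
    # Count the leading bits both ends share; those become the 0 ("must match") bits of the wildcard
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    wildcard = mask ^ 0xFFFFFFFF           # same as 255.255.255.255 minus the subnet mask
    # One block only if lo is the first and hi the last address under that mask
    if (lo & mask) != lo or hi != (lo | wildcard):
        return None
    dotted = lambda n: str(ipaddress.IPv4Address(n))
    return dotted(lo), dotted(mask), dotted(wildcard)
```

Note that 10.0.0.0 – 10.0.0.7 and 10.0.0.16 – 10.0.0.23 both get wildcard 0.0.0.7; the base address in the ACL statement is what distinguishes them.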
thank you champ….
hi champ, if wildcard mask 0.0.0.7 means it will check and allow 10.0.0.0 to 10.0.0.7 ip only.
but am asking wcm for range 10.0.0.16 to 10.0.0.23??????
thanks
Great explanation, and handy packet tracer lab, I still have doubts, but thanks to you just a few.
Thank you.
thnx alot for explain
can someone please send the latest CCNA 200-120 dumps to marksniper@yahoo.com
thanks in advance..
Thanks God I passed today 1000/1000
thanks examcollection, 9tut, examtut and spintry
I got 3 sims
ACL 1 , 2 & EIGRP
two new questions
One on Etherchannel:
A network admin creates a layer 3 Etherchannel, bundling 4 interfaces into channel group 1. On what interface is the IP address configured?
A) the port-channel 1 interface
B) the highest number member interface
C) all member interfaces
D) the lowest number member interface
Answer is A
one for For the SNMP :
Q1. What is the SNMPv2 authentication protocol?
A. Community Strings
B. HMAC-MD5
C. HMAC-SHA
the answer is B
@ahmed kindly tell me , how did you put your effort to clear ccna?
Ahmed, are you sure that the answer for this SNMP question is B, not A?
@ Ivan, Ahmed is correct. I passed 1000/1000 2hours ago! I got 3 Sim ACL 1,2 & EIGRP & 2 new question same as Ahmed.
Hey Guys,
I just passed today with a 945! I had the ACL, ACL2, and EIGRP sims. The ACL 1 was exactly like the one on this site. The EIGRP had different network addresses and used “router eigrp 2” as the proper instance. The ACL 2 was a little different than the one on this site, just slightly. Instead of blocking Host A, B, and D’s port 80 access to the Finance web server you had to block all traffic….so the command would be something like this: “access-list 100 deny ip any host 172.22.242.4” instead of “access-list 100 deny tcp any host 172.22.242.4 eq 80”. Make sure to look at the New CCNA – New Questions 1/2 sections as a few questions came from there. The one about Etherreal was on there. They also asked about HSRP. So I would study up on that.
Hi, I passed the CCNA exam on 07th Dec 13. I had a weird situation wherein I was not able to apply the access list to the interface. ip access-group 100 out was not working at all at interface level, meaning I was not able to fulfill the requirement of the question. Luckily all the other questions I answered correctly helped me score a pass mark. Did anyone encounter this issue?
Can anyone tell me how I can get the latest dumps and the software to run these dumps??
Ahmad, can you please tell me how I open the dumps? Can you please email me the software to open the dumps? my email is arsalan_duli@yahoo.com
i just passed exam scored 1000/1000 … Thanks to 9tut, examtut and spintry…. for the excellent resources ….
sims : ACL 1 , 2 & EIGRP
Must read Etherchannel: for new Q,,,,
Hi all, please I would like to know if there have been any changes in the Sim for the CCNA 200-120, for I will be writing my exams in less than two weeks.
Just passed CCNA now,now. (93% )
-Sims:ALC,ACL1, EIGRP.
-Only got two drag and drop Q’s.
ACL2-Permit D to Web Server
-Deny All to Web Server
-Permit all to public server
Good luck, CCNA’ans.
Bless God. Passed Yesterday….1000/1000.
Thanx Y’all.
does anyone know exactly how many questions there are to study from since the new revamp of the CCNA test…is it still 600 questions to study or did they shorten it to 300…thanks
So, why do you use it on fa0/1, output?
Why not use it on input of fa0/0?
Isn’t an extended ACL recommended to be used at the origin of the traffic?
Because you need to block traffic coming from the core network also. In order to do everything in 3 statements you must apply acl to block what is going out
but in the exam it asked for
no more than three commands
but you write 4 commands
what happens if I don’t write this command?
access-list 100 deny tcp any host 172.22.242.23 eq 80
please someone help me
Considered wrong question
Where can i find material for CCNP?
@Ahmed, @quynhlx: the below page seems to pretty clearly state that SNMPv2c uses community strings, not HMAC-MD5 or HMAC-SHA.
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swsnmp.html
Look at Table 30-1 SNMP Security Models and Levels.
Could you please explain why you think the answer is B, not A?
Also, could someone please send the latest braindumps to donaldratelman@gmail.com? I am taking the exam soon.
Thanks so much.
How do I get the sims to open with Cisco Tracker? I click on the 9tut link and nothing happens. Can they be downloaded?
route and tshoot for ccnp not working…admin please feedback
In this Sim,
there is one more variation I encountered today in the exam.
Permit access of Host B to the finance server, but deny everything else to the finance server by B.
Deny access to the finance web server by everyone else; host and core. Permit everybody to the rest of the network. Now they didn’t ask like “Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed”. Rest was same. Only IPs differed.
In the exam I was unable to get the point, but now I think the solution is
access-list 101 permit tcp host host eq 80
access-list 101 deny any host
access-list 101 permit any any
Now B will only access the FWS by port 80 and others will also be denied. And the rest of the network will also be open for everybody else.
I remember it exactly like that because in the exam I tried to solve it and took time to read it again and again.
In this Sim,
there is one more variation I encountered today in the exam.
Permit access of Host B to the finance server, but deny everything else to the finance server by B.
Deny access to the finance web server by everyone else; host and core. Permit everybody to the rest of the network. Now they didn’t ask like “Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed”. Rest was same. Only IPs differed.
In the exam I was unable to get the point, but now I think the solution is
access-list 101 permit tcp host 192.168.33.2 host 172.22.242.23 eq 80
access-list 101 deny ip any host 172.22.242.23
access-list 101 permit ip any any
Now B will only access the FWS by port 80 and others will also be denied. And the rest of the network will also be open for everybody else.
I remember it exactly like that because in the exam I tried to solve it and took time to read it again and again.
Took and passed mine today. The 2 sims I got were ACL2 and EIGRP
THANK’S TO THIS SITE ….. I passed the exam …..870 …… but it is important to study and understand the basics ….the only problem is that there you are so stressed that ….you forget basic stuff …get confused…….. in a real work environment …… you have …under control lot of things and you have to focus only on troubleshooting ….. or whatever……thank’s once again to the guys who did this site ……
Got 986. 2 ACL and EIGRP. There were 2 multiple choice questions which I think were new. But majority of the questions are here in 9tut. Thanks!
Hey Friend, I think the way the access-list is created is right, but the way it is implemented is wrong according to the concept, because an extended access-list should be used near the source, but in this example it is used at the Router 2 interface connected to the server side and used as outbound. It should be kept near the source side (LAN), that is, at the interface that is connected to the LAN side, and used as inbound. :-)
@Amrit Manandhar
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
This is correct because it has to block data from the Core network as well. Does anybody who did the exam recently know what they want?
@amrit manadhar
if you apply it on int f0/0 in,
it will affect only the LAN PCs … but the question also mentions the Core network, and in your case the core network would be allowed, so your answer is not correct here ..
so we must apply it on f0/1 out to filter both LAN and Core traffic
i hope that helps you ..
Can anyone tell me if the commands deny tcp any host and deny ip any host are the same???
They are not the same command
What is the news about the exam , because i’ll do it today ?
I will be taking the 200-120 exam on Tuesday and will post any new findings then. But for now, has anyone taking the latest exam with news?
I took my exam yesterday and scored 972, the simulations in the exam were Access-list 1, Access-list 2, and eigrp. There were two new questions in the multi-choice questions. One is from OSPF. The access-list 2 that came out was:
– Host C should be able to use a web browser (HTTP) to access the Finance Web Server
– Other types of access from host C to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
– All hosts in the Core and local LAN should be able to access the Public Web Server *
Thank you 9tut for your great support.
ACL SIM2
Host C should be able to use HTTP to access Finance web server
Host C should NOT be able to access Finance web server any other way
Core and LAN should NOT be able to access Finance web server
Core and LAN should be able to access Public web server
EIGRP SIM
AS was 212
Everything like dump.
ACL SIM1
Everything like dump.
Anon
based on your ACL SIM2 information, do we still have to use only 3 statements to accomplish that?
thank you Anon for your post
I want to ask you how many statements can be used in this configuration
could you help us by typing them here
I have ccna exam today after 6 hours
thank you in advance
hello,
is it possible to use the Tab key and the ? to get the command menu on the exam router?
i want to know the three-statement command to execute the ACL2 on 15 Jan
I have passed my CCNA 200-120 today, I got this sim in my exam.
thanks