CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN or the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location, including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65.
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254:
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30:
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17.
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications of this access-list sim have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice with (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (enter “cisco” as the password here)
We should create an access-list and apply it to the interface connected to the Server LAN, because there it can filter traffic coming from both the Sw-2 and Core networks. The Server LAN has been assigned addresses of 172.22.242.17 – 172.22.242.30, so we can guess that the interface connected to it has the IP address 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN. This is the interface we will apply our access-list to (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (TCP port 80):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny all other hosts web access to the Finance Web Server:
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted:
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to the Fa0/1 interface (outbound direction):
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not Fa0/0) so that it can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, it could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box, type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct, you can access it.
Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from them.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via web; if this server supports other traffic, like FTP or SMTP, then other hosts can still access it that way.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
- Permit host B to access the Finance server:
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- Deny host B access to the other servers (not the whole network):
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
- Permit everything else:
access-list 100 permit ip any any
Modification 2:
- Only allow host C to access the Finance server:
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- Do not allow anyone else to communicate with the Finance server in any way:
access-list 100 deny ip any host 172.22.242.23
- Allow all other traffic:
access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or the local LAN to the Finance Web Server should be blocked:
access-list 100 deny ip any host 172.22.242.23
(Because the requirement says we cannot use more than 3 statements, we have to use “any” here for the hosts in the Core and the hosts in the local LAN.)
- All hosts in the Core and the local LAN should be able to access the Public Web Server *:
access-list 100 permit ip any host (IP of Public Web Server)
(If the question asks this, it will surely give you the IP of the Public Web Server, but in the exam you should use “access-list 100 permit ip any any”.)
Modification 4:
- Host C should be able to use a web browser to access the Finance Web Server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked:
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the Core and on the local LAN should be able to access the Public Web Server *:
access-list 100 permit ip any host (IP of Public Web Server)
(The IP of the Public Web Server will surely be given in this question, but in the exam you should use “access-list 100 permit ip any any”.)
* There are some reports about the requirement “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
Also, in the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and write the access-list accordingly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1+) to open it.
Notice: After typing the commands above, if you ping from the other hosts (PC0, PC1, PC3), PC4 (the Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server. We have to create an access-list that can filter this traffic too.
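To see why the order of the three statements matters, and why the HTTP-only answer still lets the Core ping the server while Modification 2 does not, here is an added example that is not part of the original sim or its answer: a small Python first-match evaluator for extended ACL entries with Cisco wildcard masks, run against the answer's ACL 100, Modification 2, and the 0.0.0.15 wildcard from Modification 1. The Ace, matches_addr and evaluate names are my own, not IOS syntax.

```python
# Added example, not code from the original page: a first-match evaluator
# for Cisco-style extended ACL entries (names are my own, not IOS syntax).
import ipaddress
from typing import NamedTuple, Optional


class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp", "icmp", ...
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str                     # same forms as src
    dport: Optional[int] = None  # destination port from "eq N", if any


def matches_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard matching: 0 bits of the mask must match, 1 bits are ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    net, wild = spec.split()
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (net, wild, addr))
    return (a & ~w) == (n & ~w)


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (matches_addr(ace.src, src) and matches_addr(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The answer's ACL 100: only host C gets HTTP to the Finance Web Server
ACL_WEB = [
    Ace("permit", "tcp", "host 192.168.33.3", "host 172.22.242.23", 80),
    Ace("deny", "tcp", "any", "host 172.22.242.23", 80),
    Ace("permit", "ip", "any", "any"),
]
# Modification 2: nobody but host C may reach the Finance Web Server at all
ACL_STRICT = [
    Ace("permit", "ip", "host 192.168.33.3", "host 172.22.242.23"),
    Ace("deny", "ip", "any", "host 172.22.242.23"),
    Ace("permit", "ip", "any", "any"),
]
# Modification 1's wildcard: 172.22.242.16 0.0.0.15 is the whole /28 Server LAN
SERVER_LAN = "172.22.242.16 0.0.0.15"
if __name__ == "__main__":
    for host in ("192.168.33.3", "192.168.33.1"):
        print(host, "HTTP:", evaluate(ACL_WEB, "tcp", host, "172.22.242.23", 80))
    print("Core ping, HTTP-only ACL:", evaluate(ACL_WEB, "icmp", "198.18.196.65", "172.22.242.23"))
    print("Core ping, Modification 2:", evaluate(ACL_STRICT, "icmp", "198.18.196.65", "172.22.242.23"))
    print("172.22.242.30 in Server LAN:", matches_addr(SERVER_LAN, "172.22.242.30"))
```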
Hi Cliff,
Can you tell me about any new questions in the exam? I am taking it on 26th Feb.
I have not understood this command: why are we using “0.0.0.15” in the IP addresses?
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
@Azeem:
It means the destination network is a /28 (255.255.255.240) and 0.0.0.15 is the wildcard mask.
(255 - 240 = 15)
I still have not understood this command: why are we using 172.22.242.16 and 0.0.0.15?
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
First of all, I would like to thank Mr 9tut for his outstanding job creating this amazing website. Two months ago today I passed my CCNA exam with 890/1000, which was not easy.
I was about to get 1000, but due to my nervousness I lost my mind making the changes on the right interface and lost 100 points; however, it was much fun and great that I did it. In the entire exam there will be three labs, and they all exist on 9tut.com, so there is no need to worry about the labs. It’s very easy; I am sure you’ll all get through. Study hard before your exam, it’s quite an expensive exam, and make sure you don’t hurry choosing the right answer, because you may not be able to go back to a previous question. There will be three labs, two on access-lists and one on EIGRP, which is very simple. Each lab has 100 points and each question has 5 points; if you get 825/100 you pass, less than that and you fail. Please don’t hesitate to contact me on Skype: navid.1
Contact me 24/7 through Skype: Navid.1 and you’ll pass the exam for sure.
@navid, please can you be more specific? What do you mean by “I lost my mind to create the changes on the right interface, I lost 100 points”?
Hi, I passed CCNA today with 1000/1000. Labs were ACL1, ACL2 & EIGRP. Thanks to 9tut, Examtut & Examcollection.
I completed my CCNA exam yesterday. Too easy. Thanks to 9tut, scored 9xx. All you need to do is know the answers by heart; never take a chance. The questions below were there for my sim:
The task is to create and apply a numbered access-list with no more than three statements that
-> will allow ONLY host D web access to the Finance Web Server.
-> All other traffic from D to the Finance server is denied.
-> All traffic from LAN servers (A, B, C) and the Core to the Finance Web Server is denied.
-> All other traffic is permitted to the public server.
Had my CCNA today, scored 986, thanks 9tut.
Hi everyone,
Navid, can you give me your Skype address? Where are you from? I want to talk to you because I want to go for the exam next week. My Skype ID is syed ali. Please reply.
syed ali, the CCNA exam is very easy, don’t be afraid. Just focus on the labs ACL1, ACL2, EIGRP and the questions: 1- SNMP 2- NetFlow 3- HSRP 4- VRRP 5- GLBP. That’s it. Good luck.
SNMPv2 authentication protocol?
Answer please.
@atif I saw in one of my dumps that it’s community strings.
This sim was in today’s exam.
This is Simple Network Management Protocol. It gives you detailed information about the PCs in the network, like CPU, RAM, operating system, which are connected to the network, and the preferences for the PCs. SNMPv2 and SNMPv3: v3 has encryption and authentication security over SNMPv2.
I did mine today, scored 972. ACL1, ACL2, EIGRP with little modifications on ACL2 and EIGRP.
Can you tell me where ACL 1 is on 9tut? Thanks.
Anonymous, what was the modification? I am taking the test on the 12th of March.
Does this site really help? I have been studying a lot and I am so scared about passing. Please help me :(
Please, could anyone tell me why we applied the ACL to fa0/1 out instead of fa0/0 in?
In theory we must apply an extended ACL closer to the source, am I wrong?
Can you answer me at alvicsam@gmail.com? Thank you!
I understand why we applied the ACL to fa0/1 out instead of fa0/0 in.
Because of “allow ONLY host C web access to the Finance Web Server”.
I ignored that we also have the Core network.
I’m from Lagos, Nigeria. Took my exam on 7th March, had 972. Labs were ACL1, ACL2 and EIGRP. The only difference in my ACL2 was that I was to allow only host B access to the Finance server through HTTP and deny all other means; also, all other hosts and the Core shouldn’t have access to the Finance Web Server; however, all others should have access to the Public server.
Go to examtut.com for help on HSRP, GLBP and VRRP, syslog, NetFlow and SNMP. Had some questions on them during my exam.
Hi, if I apply the access-list
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any any eq 80
access-list 100 permit ip any any
will it work correctly?
Thanks
I finished CCNA successfully today. ACL, ACL2 and EIGRP from 9tut are valid. Also see the dumps “Cisco.Actualtests.200-120.v2014-02-12.by.GillBeast.299q.vce” and “Cisco.Certkey.200-120.v2014-02-19.by.Lusi.272q.vce”.
That is enough for the CCNA 200-120 exam. Trust me.
kamal, it would work, but your ACL will deny only HTTP access to host 172.22.242.23
(for example, you can still ping 172.22.242.23).
The task usually requires denying all protocols to the server.
Thanks Alexander, so you mean to say I must define the specific host address?
Hi,
I just purchased the cheapest lab on eBay with all routers on 15.1 IOS. As you mentioned above, I did some research and it looks like c2800nm-advsecurityk9-mz.151-4.M7.bin is installed, perfect for the new ICND1/ICND2.
I thought it would be helpful to let others know as well.
eBay item: 141220216083
Thanks
Steven
How is the CCNA graded?
Hi,
I’m having a problem while doing modifications 1 and 2.
The access-list is correct and implemented on fa0/1 out,
but still the access-list isn’t filtering anything! Ping and HTTP are working just fine.
Correct me if I’m wrong, but denying ip denies all other protocols, right?
HELP
Thanks
Passed CCNA today with 986/1000.
Concentrate on these 2 dumps: Watson 314 q & N.S 32 q. These 2 are very important. The dumps Matthew 319 q and GillBeast 299 q are more or less the same as Watson.
Sims are ACL, ACL2 (host C instead of B) and EIGRP. Thanks to 9tut and Examcollection.
All the best to future CCNA aspirants :)
In the modification with host B, which says to ALLOW only host B to access the Finance server and deny host B from the other servers:
I tried many times, but it’s possible to access the Finance server and the Public Web Server from all hosts. I copied the commands as mentioned there and I got the same problem. Is it a bug in the sim, or is it all right when other hosts access all the servers?
I am so confused because so many people have posted random messages here. Guys, if in the actual exam they require you to put three statements to resolve the issue, what are those three STATEMENTS? Are they (access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80), (access-list 100 deny tcp any host 172.22.242.23 eq 80), (access-list 100 permit ip any any)? Is that what we have to do in the actual exam? Please specify this clearly, guys, it’s confusing to some of us. I am fully prepared and I am ready to sit the exam, but I am not sure about these labs; how would I go about doing this? I would really appreciate it if someone could kindly specify in detail with correct information. Those who have passed, please provide further details in clear words about what you did to accomplish this or any other task. Thank you, and any help will be much appreciated.
Passed CCNA today with 1000/1000. Feeling excited. Now looking at CCNP Switching. Can somebody tell me which is the best site for CCNP Switching preparation?
Please Rohit, what lab did you get in the exam? And congratulations on passing. Thanks.
@rohit congrats buddy. What labs did you get? I mean host B? Because I’m ready but still all hosts can access the Finance server. Hope you see my post as soon as possible. :)
@sa’ad I got EIGRP, ACL 1 and ACL 2.
Host D should be able to access the Finance Web Server on port 80.
Other types of access from host D to the Finance Web Server should be blocked; neither the Core nor any of the users should be able to access the Finance Web Server.
All other types of access are permitted.
I used the following commands:
access-list 102 permit tcp host <IP address of host D> host <IP address of Finance Web Server> eq 80
access-list 102 deny ip any host <IP address of Finance Web Server>
access-list 102 permit ip any any
Hope this will help you.
Thank you so much. It helps. The problem I got was while configuring the modification for host B. It says that only host B can access the Finance server but not the others. But when I open the browser every host is able to access the Finance server, even through HTTP. That made me worry.
I have a question: on the exam, is it inbound or outbound, like on interface fa0/1? I need to know that part, please.
Hi guys, to those who’ve taken the exam: if you got the ACL2 simulation question with slightly different IP addresses, can you tell me how different they were? Like, were the server IP addresses significantly different or slightly tweaked? Please let me know, because I’m kind of getting confused with the wildcard mask bit even though I feel I’ve gotten the hang of it. Thanks a lot!
@Siva, congrats! Can you please send me a soft copy of those dumps you used during your preparation? My e-mail is flourishjoh@yahoo.com. I really appreciate it.
Hi guys, wrote my exam 2 days ago, passed with 986/1000. Big thanks to Jeremy from CBT Nuggets, dumps from Examcollection and 9tut. Watson dumps are very valid, and GillBeast also. Good luck to those about to write the exam. CCNP next!!!
Hello guys, I learned with dumps from last year and they are still valid, but I got one EtherChannel question that was not in the dumps. You were shown two outputs from show port-channel. The question was why the port-channel was down. The answer was wrong duplex on one FastEthernet port.
To everybody who wants to know if TAB and ? help are working: YES, they were, with every lab sim.
But I was confused with one access-list lab. The #ip access-list command was not supported. You have to type #access-list ip any any, etc.
Regards and good luck
Miagi
Hello guys, I need the latest dumps to prepare for the CCNA R&S exam. (jimoh_abdol@yahoo.com)
Can I choose any number for an extended access-list (from 100-199 or from 2000-2699)?
Or should I use the first possible number, which is 100?
You could choose any number.
100-199
Hello, please, I’m writing next week. I’m practicing only with 9tut; is it a good site to do the practice? Everything is posted here, is it the exam? I’m worried. Tell me, people.