
CCNA Access List Sim 2

February 15th, 2014

Question

A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.

The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.

All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17

access_list_sim2.jpg

Answer and Explanation

(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Some modifications to this access-list sim have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)

Corp1>enable (enter “cisco” as the password here)

We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.

Corp1#show running-config

access_list_sim_show_running.jpg

We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. This is the interface to which we will apply our access-list, in the outbound direction.

Corp1#configure terminal

Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Deny other hosts access to the Finance Web Server via web

Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

All other traffic is permitted

Corp1(config)#access-list 100 permit ip any any

Apply this access-list to Fa0/1 interface (outbound direction)

Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out

Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0 we could only filter traffic from the LAN network.

In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.

Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.

Finally, save the configuration

Corp1(config-if)#end
Corp1#copy running-config startup-config

(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)

Notice: In the real exam, you might be asked to allow a different host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.

Some modifications:

Modification 1:

Permit host B to access the Finance server:
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
Deny host B from accessing the other servers (not the whole network):
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
Permit everything else:
access-list 100 permit ip any any

Modification 2:

Only allow Host C to access the financial server:
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
Do not allow anyone else to communicate with the financial server in any way:
access-list 100 deny ip any host 172.22.242.23
Allow all other traffic:
access-list 100 permit ip any any

Modification 3:

- Host C should be able to use a web browser (HTTP) to access the Finance Web Server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked:
access-list 100 deny ip any host 172.22.242.23
(because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *:
access-list 100 permit ip any host
(If the question asks this, it surely has to give you the IP address of the Public Web Server, but in the exam you should use “access-list 100 permit ip any any”)

Modification 4:

Host C should be able to use a web browser to access the financial web server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the finance web server should be blocked:
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the core and on the local LAN should be able to access the Public web server *:
access-list 100 permit ip any host
(The IP address of the Public Web Server will surely be given in this question, but in the exam you should use “access-list 100 permit ip any any”)

* There are some reports about the command for “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.

(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out

Also, in the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and use the access-list correctly.)

I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1 or later) to open it.

accesslist_sim2_packet_tracer.jpg

Download this sim here

Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.

accesslist2_test_http.jpg

And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
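The following Python script is an added example, not part of the 9tut page or the Packet Tracer sim: it parses the sim's three-line ACL 100 and the Modification 2 variant and evaluates them against constructed packets with the router's first-match, implicit-deny semantics, so you can see before applying the list that the HTTP-only version still lets a ping from host A or the Core reach the Finance Web Server while Modification 2 blocks it. The addresses and ACL lines are the ones given above; the port numbers of the constructed packets and the parser itself are assumptions, and the wildcard-mask form (as in Modification 1's 172.22.242.16 0.0.0.15) is handled as well.

```python
import ipaddress

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)          # every bit is "don't care"
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def _parse_port(tokens):
    """Optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acl(lines):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' lines (constructed parser)."""
    rules = []
    for line in lines:
        tokens = line.split()
        action, proto, tokens = tokens[2], tokens[3], tokens[4:]
        src, sport = _parse_addr(tokens), _parse_port(tokens)
        dst, dport = _parse_addr(tokens), _parse_port(tokens)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def match_addr(spec, ip):
    """A wildcard bit of 1 means 'don't care', so compare only the bits that are 0."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First match wins, top to bottom; the implicit 'deny ip any any' ends every ACL."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:   # 'ip' matches every IP protocol
            continue
        if not (match_addr(rsrc, src) and match_addr(rdst, dst)):
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action
    return "deny"

# The sim's answer (filters only HTTP) and "Modification 2" (blocks everything else too)
ACL_HTTP_ONLY = parse_acl([
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
])
ACL_MOD2 = parse_acl([
    "access-list 100 permit ip host 192.168.33.3 host 172.22.242.23",
    "access-list 100 deny ip any host 172.22.242.23",
    "access-list 100 permit ip any any",
])
```

Call evaluate() with the protocol, source, destination and (for TCP) the ports of a packet leaving Fa0/1; a ping from host A (icmp, 192.168.33.1 to 172.22.242.23) returns "permit" under ACL_HTTP_ONLY and "deny" under ACL_MOD2.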


Comments
  1. Gagandeep Singh
    February 23rd, 2014

    Hi Cliff

    Can you tell me about any new questions in the exam??
    I am giving it on 26th Feb..

  2. azeem
    February 24th, 2014

    I have not understood the IP addresses in this command. Why are we using “0.0.0.15”?

    access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15

  3. Vineesh Vasudev
    February 25th, 2014

    @Azeem :
    It means the destination network is /28 (255.255.255.240) and 0.0.0.15 is the wildcard mask.
    (255 - 240 = 15)

  4. azeem
    February 25th, 2014

    I still have not understood this command. Why are we using 172.22.242.16 and 0.0.0.15?

    access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15

  5. Navid
    February 25th, 2014

    First of all I would like to thank Mr 9tut for their outstanding job in creating this amazing website. Two months ago from today I passed my CCNA exam with 890/1000, which was not easy;
    I was about to get 1000, but due to my nervousness I lost my mind while creating the changes on the right interface and I lost 100 points. However, it was much fun and great that I did it. In the entire exam there will be three labs and they all exist on 9tut.com, so there is no concern about worrying about the labs. It's very easy; I am sure you'll all be able to go through. Study hard before your exam; it's quite an expensive exam. Make sure you don't hurry in choosing the right answer, as you may not be able to come back to the previous question. And there will be three labs, two on access-lists and one on EIGRP, which is very simple. Each lab has 100 points and each question has 5 points; if you get 825/100 you pass, less than that you fail. Please don't hesitate to contact me on Skype: navid.1

  6. Navid
    February 25th, 2014

    Contact me 24/7 through Skype: Navid.1. You'll pass the exam for sure.

  7. Atif
    February 26th, 2014

    @navid, please can you be more specific, what do you mean by “i lost my mind to create the changes on the right interface i lost 100 point”?

  8. Rakesh
    February 27th, 2014

    Hi, I passed CCNA today 1000/1000. Labs were ACL1, 2 & EIGRP. Thanks to 9tut, Examtut & Exam collection..

  9. Karthik
    February 28th, 2014

    I completed my CCNA exam yesterday.. too easy... Thanks to 9tut, scored 9xx... ... All you need to do is know the answers by heart... never take a chance. The below questions were there for my sim

    The task is to create and apply a numbered access-list with no more than three statements that
    -> will allow ONLY host D web access to the Finance Web Server.
    ->All other traffic from D to finance server is denied.
    ->All traffic from lan servers(A,B,C) and core to the Finance Web Server is denied.
    -> All other traffic is permitted to public server.

  10. ugosh
    February 28th, 2014

    Had my CCNA today..... scored 986, thanks 9tut......

  11. syed Ali
    March 1st, 2014

    Hi everyone

  12. syed Ali
    March 1st, 2014

    Navid, can you give me your Skype address? Where are you from? I want to talk to you because I want to go for the exam next week. My Skype ID is syed ali. Please reply

  13. mustafa abualkhair
    March 2nd, 2014

    syed ali, the CCNA exam is very easy. Don't be afraid guy, just focus on the labs ACL1, ACL2, EIGRP, and the questions: 1- SNMP 2- NetFlow 3- HSRP 4- VRRP 5- GLBP. That's it. Good luck

  14. Atif
    March 3rd, 2014

    SNMPv2 authentication protocol?
    answer please

  15. rita ojomo
    March 3rd, 2014

    @atif, I saw in one of my dumps that it's community strings

  16. Anonymous
    March 4th, 2014

    This sim was in today's exam

  17. mustafa abualkhair
    March 4th, 2014

    This is Simple Network Management Protocol. It gives you detailed information about the PCs in your network, like CPU, RAM, operating system, which are connected to the network, and the preferences for each PC. SNMPv2 and SNMPv3: v3 has encryption and authentication security, more than SNMPv2.

  18. Anonymous
    March 5th, 2014

    I did mine today, scored 972. ACL1, ACL2, EIGRP with little modifications on ACL2 and EIGRP.

  19. kevin
    March 6th, 2014

    Can you tell me where ACL 1 is on 9tut? Thanks

  20. lochinvar_2001
    March 7th, 2014

    Anonymous, what was the modification? I am taking the test on the 12th of March.

  21. help me
    March 7th, 2014

    Does this site really help? I've been studying a lot; I am so scared about passing. Please help me :(

  22. alexander
    March 7th, 2014

    Please, could anyone tell me why we applied the ACL to fa0/1 out instead of fa0/0 in?
    In theory we must apply an extended ACL closer to the source, am I wrong?
    Can you answer me at alvicsam@gmail.com, thank you!

  23. alexander
    March 8th, 2014

    I understand why we applied the ACL to fa0/1 out instead of fa0/0 in.
    Because of “allow ONLY host C web access to the Finance Web Server”.
    I ignored that we also have the core network.

  24. temi
    March 9th, 2014

    I'm from Lagos, Nigeria.. Took my exam on 7th March, had 972. Labs were ACL1, ACL2 and EIGRP. The only difference in my ACL2 was that I was to allow only host B access to the finance server through HTTP and deny all other means; also all other hosts and the core shouldn't have access to the finance web server. However, all others should have access to the public server

  25. temi
    March 9th, 2014

    Go to examtut.com for help on HSRP, GLBP and VRRP, syslog, NetFlow and SNMP. Had some questions on them during my exam

  26. kamal
    March 10th, 2014

    Hi, if I apply this access-list:

    access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
    access-list 100 deny tcp any any eq 80
    access-list 100 permit ip any any

    will it work correctly?

    thanks

  27. Eranga
    March 10th, 2014

    I finished CCNA successfully today. ACL, ACL2 and EIGRP from 9tut are valid. Also see the dumps “Cisco.Actualtests.200-120.v2014-02-12.by.GillBeast.299q.vce” and “Cisco.Certkey.200-120.v2014-02-19.by.Lusi.272q.vce”.
    That is enough for the CCNA 200-120 exam. Trust me

  28. alexander
    March 11th, 2014

    kamal, it would work, but your ACL will deny only HTTP access to host 172.22.242.23
    (for example you can ping 172.22.242.23)
    The task usually requires denying all protocols to the server.

  29. kamal
    March 12th, 2014

    Thanks alexander, so you mean to say I must define the specific host address?

  30. Steven
    March 13th, 2014

    Hi
    I just purchased the cheapest lab on eBay with all routers running 15.1 IOS. As you mentioned above, I did research and it looks like c2800nm-advsecurityk9-mz.151-4.M7.bin is installed, perfect for the NEW ICND1/ICND2.
    I thought it would be helpful to let others know as well.
    Ebay Item: 141220216083
    Thanks
    Steven

  31. help me
    March 15th, 2014

    How is the CCNA graded?

  32. Fadeel
    March 18th, 2014

    Hi
    I'm having a problem while doing modifications 1 and 2.
    The access-list is correct and implemented on fa0/1 out,
    still the access-list isn't filtering anything! Ping and HTTP are working just fine.
    Correct me if I'm wrong, but denying ip denies all other protocols, right?
    HELP
    Thanks

  33. Anonymous
    March 18th, 2014

    download free latest dumps from

    d u m p s c c n a . w e e b | y . c o m

  34. Siva
    March 21st, 2014

    Passed CCNA today with 986/1000
    Concentrate on these 2 dumps: Watson 314q & N.S 32q.. These 2 are very important. The dumps Matthew 319q and GillBeast 299q are more or less the same as Watson.
    Sims are ACL, ACL2 (Host C instead of B) and EIGRP. Thanks to 9tut and examcollection.
    All the best for future CCNA aspirants :)

  35. Sa’ad
    March 21st, 2014

    In the modification which is HOST B, which says to ALLOW only host B to access the finance server and deny host B from the other servers.
    I tried many times but it's possible to access the finance server and public web server through all hosts. I copied the commands as mentioned there and I got the same problem. Is it a bug in the SIM or is it all right when other hosts access all the servers?

  36. Kashif
    March 22nd, 2014

    I am so confused because so many people have posted random messages here. Guys, if in the actual exam they require you to put three statements to resolve the issue, what are those three STATEMENTS? Are they ( access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 ) ( access-list 100 deny tcp any host 172.22.242.23 eq 80 ) ( access-list 100 permit ip any any )? Is that what we have to do in the actual exam? Please specify this clearly guys, it's confusing to some of us… I am fully prepared and I am ready to sit the exam but I am not sure about these labs; how would I go about doing this? I would really appreciate it if someone could kindly specify in detail with correct information. Those who have passed, please provide further details in clear words on what you did to accomplish this or any other task. Thank you, and any help will be much appreciated….

  37. rohit
    March 22nd, 2014

    Passed CCNA today with 1000/1000..... feeling excited..... now looking for CCNP switching..... can somebody help me, which is the best site for CCNP switching preparation?

  38. mustafa ABUALKHAIR
    March 22nd, 2014

    Please rohit, what labs did you get in the exam? And congratulations on passing. Thanks

  39. Sa’ad
    March 22nd, 2014

    @rohit congrats buddy. What labs did you get? I mean host B? Because I'm ready but still all hosts can access the finance server. Hope you see my post as soon as possible. :)

  40. Anonymous
    March 23rd, 2014

    @sa'ad I got EIGRP, ACL 1 and ACL 2....

    Host D should be able to access the finance web server on port 80;
    other types of access from host D to the finance web server should be blocked, and neither the core nor any other users should be able to access the finance web server.
    All other types of access are permitted.

    I used the following commands:

    access-list 102 permit tcp host Ip address of host D host ip address of finance web server eq 80
    access-list 102 deny ip any host host ip address of finance web server
    access-list 102 permit ip any any.

    Hope this will help you...

  41. Sa’ad
    March 23rd, 2014

    Thank you so much. It helps. The problem I got was while configuring the modification for Host B. It says that only host B can access the finance server but not the others. But when I open the browser every host is able to access the finance server, even through HTTP. That made me worry.

  42. help me
    March 23rd, 2014

    I have a question: on the exam is it inbound or outbound, like on interface fa 0/1? I need to know that part, please

  43. Kevin
    March 23rd, 2014

    Hi guys, to those who’ve given the exam. If you got ACL2 simulation question with slightly different IP addresses, can you tell me how different were they? Like, were the server IP addresses significantly different or slightly tweaked? Please let me know because I’m kinda getting confused with wildcard mask bit even though I feel I’ve gotten the hang of it. Thanks a lot!

  44. FLOURISH
    March 24th, 2014

    @Siva, congrats! Can you please send me a soft copy of those dumps you used during your preparation? My e-mail is: flourishjoh@yahoo.com. I really appreciate it.

  45. Francis
    March 24th, 2014

    Hi guys, wrote my exam 2 days ago, passed with 986/1000. Big thanks to Jeremy from CBT Nuggets, dumps from examcollection and 9tut.... The Watson dumps are very valid and GillBeast also... Good luck to those about to write the exam..... CCNP next!!!

  46. Miagi
    March 24th, 2014

    Hello guys, I have learned with dumps from last year and they are still valid, but I got one EtherChannel question that was not in the dump. You were shown two outputs from show port-channel. The question was why the port-channel is down. The answer was wrong duplex on one FastEthernet port.
    To everybody who wants to know if TAB and ? help are working: YES, they were, with every lab SIM.
    But I was confused with one access lab. The #ip access-list command was not supported. You have to type #access-list ip any any, etc.
    Regards and Good luck
    Miagi

  47. Anonymous
    March 25th, 2014

    Hello guys, I need the latest dumps to prepare for the CCNA R&S exam.. (jimoh_abdol@yahoo.com)

  48. Konan
    March 26th, 2014

    Can I choose any number for an extended access-list (from 100-199 or from 2000-2699)?
    Or should I use the first possible number, which is 100?

  49. Anonymous
    March 27th, 2014

    You could choose any number.
    100-199

  50. rhonal
    March 28th, 2014

    Hello, please, I'm writing next week. I'm practicing only with 9tut; is it a good site to do the practice? Is everything that is posted here the exam? I'm worried. Tell me, people
