CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications to this access-list sim have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as its password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, we could only filter traffic from the LAN network; traffic arriving from the Core would never pass through it.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
- Permit host B to access the Finance server: access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- Deny host B from accessing the other servers (not the whole network): access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
- Permit everything else: access-list 100 permit ip any any
Modification 2:
- Only allow host C to access the Finance server: access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- Do not allow anyone else to communicate with the Finance server in any way: access-list 100 deny ip any host 172.22.242.23
- Allow all other traffic: access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or local LAN to the Finance Web Server should be blocked: access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *: access-list 100 permit ip any host (if the question asks this, it will surely give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
- Host C should be able to use a web browser to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked: access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the Core and on the local LAN should be able to access the Public Web Server *: access-list 100 permit ip any host (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the requirement “All hosts in the Core and on the local LAN should be able to access the Public Web Server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using this command (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and use the access-list correctly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1 or later) to open it.
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
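To check the answer above, the Notice about applying the list outbound on Fa0/1, and the wildcard statement in Modification 1 without a router, here is an added Python model of a numbered extended ACL (example code written for this page, not part of the 9tut answer or of the Packet Tracer sim). It assumes the topology the task describes: the 192.168.33.0/24 LAN behind Fa0/0, the 172.22.242.16/28 server LAN behind Fa0/1, and everything else (such as the Core at 198.18.196.65) arriving on a Core uplink whose interface name the sim does not give, so it is labelled "core" as a placeholder. Matching is top-down, first match wins, with the implicit deny at the end; a wildcard bit of 1 means "don't care". The model also shows that the same three statements applied inbound on Fa0/0 would let Core hosts reach the Finance Web Server on port 80, and that ICMP from the other hosts is still forwarded, as the Packet Tracer notice says.

```python
"""Offline model of a Cisco numbered extended ACL and of where it is applied on Corp1."""
import ipaddress

# Port keywords IOS accepts after "eq" (IOS shows "eq www" in show run even if you typed 80).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}

# Subnets from the sim. The Core uplink subnet is not given, so anything else is "core".
LAN = ipaddress.ip_network("192.168.33.0/24")       # Hosts A-D, behind Fa0/0
SERVERS = ipaddress.ip_network("172.22.242.16/28")  # .17-.30 usable, behind Fa0/1
CORE_HOST = "198.18.196.65"                         # the Core connection address


def wildcard_for_prefix(prefix_len):
    """IOS wildcard mask for a /prefix_len IPv4 subnet: the bitwise inverse of the netmask."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def _parse_addr(tokens, pos):
    """Parse 'any', 'host A' or 'A WILDCARD' into (address_int, wildcard_int, next_pos)."""
    if tokens[pos] == "any":
        return 0, 0xFFFFFFFF, pos + 1
    if tokens[pos] == "host":
        return int(ipaddress.IPv4Address(tokens[pos + 1])), 0, pos + 2
    return (int(ipaddress.IPv4Address(tokens[pos])),
            int(ipaddress.IPv4Address(tokens[pos + 1])), pos + 2)


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' statements, in order."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError("not an access-list statement: " + line)
        action, proto = t[2], t[3]
        src, src_wc, pos = _parse_addr(t, 4)
        dst, dst_wc, pos = _parse_addr(t, pos)
        dport = None
        if pos < len(t) and t[pos] == "eq":
            dport = PORT_NAMES.get(t[pos + 1]) or int(t[pos + 1])
        entries.append((action, proto, src, src_wc, dst, dst_wc, dport))
    return entries


def _addr_match(ace_addr, wildcard, pkt_addr):
    # Only the bits where the wildcard is 0 have to be equal.
    return (ace_addr & ~wildcard) == (pkt_addr & ~wildcard)


def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; with no match the implicit deny at the end applies."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, p, a_src, a_src_wc, a_dst, a_dst_wc, a_port in acl:
        if p != "ip" and p != proto:  # 'ip' matches every protocol
            continue
        if not (_addr_match(a_src, a_src_wc, s) and _addr_match(a_dst, a_dst_wc, d)):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"


def interface_of(addr):
    """Which Corp1 interface an address sits behind (assumed topology, see lead-in)."""
    ip = ipaddress.IPv4Address(addr)
    if ip in LAN:
        return "fa0/0"
    if ip in SERVERS:
        return "fa0/1"
    return "core"  # placeholder name for the Core uplink


def forwarded(acl, applied_on, direction, proto, src, dst, dport=None):
    """True if Corp1 forwards the packet with acl applied on applied_on in direction."""
    on_path = ((direction == "in" and applied_on == interface_of(src)) or
               (direction == "out" and applied_on == interface_of(dst)))
    if not on_path:
        return True  # the ACL is not on this packet's path, so it cannot filter it
    return evaluate(acl, proto, src, dst, dport) == "permit"


# The Sim 2 answer: host C only, web only, everything else allowed.
ACL_SIM2 = parse_acl([
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
])

# Modification 1: host B may reach the Finance server but no other server in the /28.
ACL_MOD1 = parse_acl([
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
])

if __name__ == "__main__":
    for src, proto, port in [("192.168.33.3", "tcp", 80), ("192.168.33.1", "tcp", 80),
                             (CORE_HOST, "tcp", 80), ("192.168.33.1", "icmp", None)]:
        out = forwarded(ACL_SIM2, "fa0/1", "out", proto, src, "172.22.242.23", port)
        inb = forwarded(ACL_SIM2, "fa0/0", "in", proto, src, "172.22.242.23", port)
        print(f"{src:>15} {proto}/{port}: fa0/1 out -> {out}, fa0/0 in -> {inb}")
```

Running the script prints one line per sample flow: only host C gets TCP/80 to 172.22.242.23 through the outbound list on Fa0/1, the Core host is blocked there but slips through when the list sits inbound on Fa0/0, and ICMP is forwarded in both placements. `wildcard_for_prefix(28)` returns `0.0.0.15`, the wildcard Modification 1 uses for the .16 server subnet.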
Yes, it’s more than sufficient.
Hello, my networking associates, please, I need the latest dumps. Please, can you send them to adekiitn4faith@yahoo.com?
I am writing my exam next month; kindly help me with the latest dumps for a 32-bit laptop.
Hello dear concern,
If I use access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
instead of access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
then it will definitely serve the same purpose. But will it be accepted as an answer by the simulator?
I have the same question … www or 80. The simulator will take 80 but how is it graded?
You can put eq www or eq 80, but when you do sh run it will show eq www for both of them.
There is no difference. You can use any
Hi guys, alhamdulillah, I passed my CCNA 200-120 exam. I got 945/1000. The labs that came were 1-ACL1, 2-ACL2 and 3-EIGRP. This lab, it was mastic in A.S and incorrect and incorrect in network eigrp, that is about the labs. Question 51 was multiple choice: syslog, NetFlow, SNMP, HSRP, VRRP and GLBP. Good luck to all.
just finished my exam today, got a perfect score :) thanks 9tut
Passed today 1000/1000, labs EIGRP ACL1 and ACL still. With modification on ACL2:
Host “B” should be able to use a web browser(HTTP)to access the Finance Web Server.
you should use permit ip any any on last part to get perfect score.
Is some one having the crack of the latest VCE.
I passed my CCNA exam yesterday.
Thank you very much, 9tut. Almost all the questions were here.
Thank, thank and thank 9tut
Tons of great information on the 9tut site to help you prepare. But I am not really good at memorizing answers and I want to really learn the information. So I read the questions on the site and I also bought my own lab with some CCNA lab help from here http://www.certificationkits.com/cisco-lab-suggestions/ and then I actually did the lab scenarios like this one, and it really helped me understand the answer, so when I interview I can speak about what I learned versus just brain dumps. I hope this helps.
Thank God, Alhamdulillah, and thanks to the staff of 9tut I passed my CCNA exam today…..
ACL, ACL2 and EIGRP were in the exam
ACL with modification number three (you can see these modifications on the same page by scrolling up; it is the one that has this part in it: “Host C should be able to use a web browser (HTTP) to access the Finance Web Server
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked”), with host A instead of host C, plus pay attention to the IP address.
If anyone writing CCNA shortly, send me an email….I’d forward you an email with Dumps and about 45 questions, short listed which were in today’s exam.
adnanwaheed74@gmail.com
@ Adnan.. hi can u please send the dumps at yreywayze_19@yahoo.com.. thanks a lot
I wrote the CCNA exam today, I passed with 945/1000 big thanks to 9tut… Sim questions were (ACL_1, ACL_2 with some modifications, and EIGRP with modification)
Wrote the exam today and passed! The 2 sim questions were: ACL (Finance Web Server from host C) and EIGRP. This is a sim I haven’t seen in any of the practice exams before; it was quite new. The EIGRP AS number was 222, and you were meant to troubleshoot a new router that was inserted into an existing area. The new router couldn’t connect to the internet. I couldn’t figure out this one. Let me know if you guys have seen this one before.
Hi, friends, I need your help. I am going to appear in the CCNA exam shortly. Please send me CCNA dumps and simulations at palshatrughan@yahoo.com. I look forward to hearing from you, thanking you.
hi,
Kindly send me the latest dump ccna exam. going to take exam this 8th april. Please send to my email, muhammadfirdaus1346@gmail.com
really appreciate.thank you
I passed today, ACL 2 with modification, and a new question on EtherChannel:
A network administrator is configuring an EtherChannel between SW1 and SW2. The SW1
configuration is shown. What is the correct configuration for SW2?
A. interface FastEthernet 0/1
channel-group 1 mode active
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet 0/2
channel-group 1 mode active
switchport trunk encapsulation dot1q
switchport mode trunk
B. interface FastEthernet 0/1
channel-group 2 mode auto
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet 0/2
channel-group 2 mode auto
switchport trunk encapsulation dot1q
switchport mode trunk
C. interface FastEthernet 0/1
channel-group 1 mode desirable
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet 0/2
channel-group 1 mode desirable
switchport trunk encapsulation dot1q
switchport mode trunk
D. interface FastEthernet 0/1
channel-group 1 mode passive
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet 0/2
channel-group 1 mode passive
switchport trunk encapsulation dot1q
switchport mode trunk
Answer: C
Hi,
I’m planning to take my CCNA exam next week. Will anyone please send me the latest dumps? My email is sallyspace2@gmail.com. Thanks a million. Please help me.
Hello, I have an exam next weekend. It would be kind of you if you could send me the latest dumps to
ashray-malla@hotmail.com Thank you very much sir
Sandip what exactly are you saying about eigrp, was it different from the usual eigrp sim here, where you need to find the wrong AS, and reconfigure it with the right AS for adjacency to be established?
Your statement seems to be confusing. You actually scare people, the way you’re saying it. How was your EIGRP sim different from everyone else’s?
Hello All,
I have my exam next week. Can someone please send me the latest CCNA dumps if you have any at smile4ever65@yahoo.com. Really appreciate your help. Thank you.
In the notice section…We have to create an access-list that can filter this traffic too.
Basically, do I just create an access-list on fa0/0 inbound and filter the Core IP in whatever way they ask for it, or do I not have to worry about that one in the exam?
So. I downloaded that Simulation for the Cisco Packet tracer here and found out that the eq 80 command is not recognized by the packet tracer. I got this INFO that the simulations in the exams are all using Cisco Packet Tracer, how would one go about it if the eq command is not accepted or is my Packet tracer out of date?
Can we use another ACL number other than 100, or would it be wrong to do so? Anyone who did so?
Alhamdulillah, I have passed CCNA 200-120 with a score of 917.
1. ACL 1 is the same.
2. ACL 2 is the same, but the IP range is different and the target web browser access is host B.
3. EIGRP is the same, but the IP range is different and the AS is EIGRP 23.
Thanks 9tut……,
Noor Mohammad, has the wildcard mask 0.0.0.15 changed as well? If it has, what is the new wildcard mask?
The 3 servers have two different subnet masks or CIDRs, /20 and /28. Which of the two do you choose to determine your wildcard mask, and why?
Dear Rock:
1st: CCNA Access List Sim same lab.
2nd: EIGRP Lab:
R3>enable (you have to enter cisco as its password here)
R3#configure terminal
R3(config)#no router eigrp 22
R3(config)#router eigrp 23
R3(config-router)#network 192.168.60.0
R3(config-router)#network 192.168.70.0
R3(config-router)#no auto-summary
R3(config-router)#end
R3#copy running-config startup-config
R1>enable (you have to enter cisco as its password here)
R1#show running-config
R1#configure terminal
R1(config)#router eigrp 23
R1(config-router)#network 192.168.70.0
R1(config-router)#end
R1#copy running-config startup-config
3rd: CCNA Access List Sim 2
I forgot the IP addresses; all IPs changed but the network is the same. Allow web browser access for host B and deny web browser access for hosts A, C and D.
Thanks, Noor Mohammad, for your quick response. My question is on how you solved sim ACL2. Was it like this or different?
access-list 100 permit ip host 192.168.x.x host 172.22.242.23
access-list 100 deny ip host 192.168.x.x 172.22.242.16 0.0.0.15
access-list 100 permit ip any any
All I want to know is if the address range for the servers remains the same, especially the subnet mask.
Thanks in advance Noor
Today I passed my CCNA (200-120) exam, scored 903. Thanks to 9tut and examcollection.
This is a great site to understand and learn about networking and of course it’s a great help for writing the exam. Kudos to the owner of this site. But folks, at least learn the basics of networking like subnetting, calculating wildcard masks, classes, how to read config files, etc. I see comments on top from people like Kevin, The Rock and more asking the most retarded and dumbest questions!! They want this site to feed them with the exact masks and IPs from the exam. Watch YouTube videos, do labs, understand the basic concepts, and we are all here to help, but please... SO PLEASE STOP ASKING THE MOST BASIC QUESTIONS.
Can anyone email me the latest video training of labs? I need it on an urgent basis at haroon.talha@gmail.com
can any one help about CCNA dumps contact this email FB ID: Acha Bacha
intelligent_noor@hotmail.com.
“deny host B from accessing other servers (not the whole network): access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15” is not a valid config. Can anyone tell me what the valid config for this is? Is this type of config asked in the CCNA exam?
Hello All,
I have my exam on 17 April. Can someone please send me the latest CCNA dumps if you have any at roy.asmi@yahoo.com. Really appreciate your help. Thank you.
Hello All,
I have my exam on 17 April. Can someone please send me the latest CCNA dumps if you have any at roy.asmi@yahoo.com. I have a problem opening the VCE file; please send me the latest application to open this file.
Really appreciate your help. Thank you.
I have my exam on 17 april .
Can someone please send me the latest CCNA dumps if you have at imad.alzahrawy@yahoo.com
Many thanks
Pls send me latest dump. I will sit for the exam in this week.
fa847789@gmail.com
Pls send me latest dump. I will sit for the exam in this week. wal2_23@hotmail.com
Many thanks
Please send me latest dump as well. I’m going to sit exam on coming Friday. myoo.ydnb@gmail.com . Thanks
—
I and more than 29 friends passed yesterday, 17-4-2014, with a score of 1000.
— ACL sim 2 is valid with the 3rd modification, and note that permit ip any any is the valid answer and got 1000 (those who used permit ip any host lost 14 points).
— CCNA EIGRP lab question as it is, with a change in AS to 221, and R3 not in the same AS.
— Access List Sim as it is.
good luck
hey what did you prepare from and any change in the exam ??
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
We can still use the network address to block any other traffic in this statement:
Corp1(config)#access-list 100 deny tcp 192.168.33.0 0.0.0.254 host 172.22.242.23 eq 80
Taking this test soon, please send me latest dumps @ phoenix.down.1@gmail.com Thanks! :)
Taking exam next week, can some one send me the latest updates @ samitey@yahoo.com PLEASE!!
hello guys
will u send me the latest dump questions kcwanka@gmail.com
regards
Passed the CCNA exam today with 960 marks. Thanks to 9tut questions and examcollection.
ACL2,ACL and EIGRP sim questions were asked.