CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Also, some modifications to this access-list have been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on the LAN interface, we could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
- Permit host B to access the Finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- Deny host B access to the other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
- Permit everything else | access-list 100 permit ip any any
Modification 2:
- Only allow host C to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- Do not allow anyone else to communicate with the financial server in any way | access-list 100 deny ip any host 172.22.242.23
- Allow all other traffic | access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it must give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
- Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the Core and on the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the command for “All hosts in the Core and on the local LAN should be able to access the Public Web Server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using this command (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1 or later) to open it.
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
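The access-list built above, together with the narrower “permit ip any host (IP of Public Web Server)” ending discussed under Modifications 3 and 4, can be checked offline with a small Python model of how an IOS extended ACL is evaluated: statements are tested top to bottom, the first match decides, and a packet that matches nothing hits the implicit deny at the end of the list. This is an added example, not part of the original sim, Packet Tracer or IOS. The parser only understands the statement shapes that appear on this page (any, host, network plus wildcard mask, optional eq port); the Public Web Server address 172.22.242.17 and the Core address 198.18.196.65 come from the question text, and the sample flows are constructed.

```python
"""Toy model of Cisco IOS extended ACL evaluation (added example, not IOS code).

Understands only the statement shape used on this page:
    access-list N permit|deny PROTO SRC DST [eq PORT]
where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (network + wildcard).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = (0, 0xFFFFFFFF)           # wildcard of all ones: every address bit is "don't care"


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp, None for icmp


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: Tuple[int, int]         # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[int]         # port from "eq PORT", None if absent


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def parse_acl(text):
    """Parse 'access-list ...' lines into Entry objects, preserving their order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def _addr_match(spec, addr):
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'ignore this bit'."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(entries, pkt):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def check(acl_text, proto, src, dst, dport=None):
    """Evaluate one packet against an ACL given as IOS text; returns 'permit' or 'deny'."""
    return evaluate(parse_acl(acl_text), Packet(proto, src, dst, dport))


# The three statements from the sim answer.
SIM_ACL = """
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
"""

# The narrower ending discussed under Modifications 3 and 4: the last line only
# permits traffic to the Public Web Server (172.22.242.17, from the question),
# so traffic to every other server falls through to the implicit deny.
NARROW_ACL = """
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any host 172.22.242.17
"""

if __name__ == "__main__":
    # Constructed sample flows: host C, host A and the Core address from the question.
    for name, acl, proto, src, dst, dport in [
        ("SIM_ACL", SIM_ACL, "tcp", "192.168.33.3", "172.22.242.23", 80),
        ("SIM_ACL", SIM_ACL, "tcp", "192.168.33.1", "172.22.242.23", 80),
        ("SIM_ACL", SIM_ACL, "icmp", "192.168.33.1", "172.22.242.23", None),
        ("NARROW_ACL", NARROW_ACL, "tcp", "198.18.196.65", "172.22.242.20", 80),
    ]:
        print(f"{name}: {proto} {src} -> {dst}:{dport} => {check(acl, proto, src, dst, dport)}")
```

Running the script shows the two behaviours the text warns about: with the sim's own list, host A can still ping (and use FTP or SMTP against) the Finance Web Server because only TCP port 80 is denied, and with the narrower ending a Core host reaching any server other than the Public Web Server is dropped by the implicit deny rather than permitted.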
what are the latest dumps guys?
First Thanks to Almighty ALLAH.
I passed CCNA exam today with 947/1000.
I used Brar and Sekhar dumps and 9tut.
Total 50 questions.
98% question came from Brar dump. 90% matches with Sekhar dump. 1 New question.
**** EXAM IS REALLY SO EASY ****
Thanks to ALL.
Hi. Can somebody tell me how to open the .vce files from the dumps. The trial version of certexam suite I downloaded only gives me access to 5 questions.
Please help me out…Thanks
ammarksam@gmail.com
Should I copy run start even if it's not explicitly mentioned?
Congrats Arif
Good evening
I want to say thanks first to God for giving us such a good unit. Unity is power, keep it up guys, this is great; working together we can do better. I have managed to kill the exam with 990/1000. Everything that I have learned from this site was on the exam. Brar 99%, Sekhar 90%.
Thanks everyone 9tut,Examcollection,9tut members.
@copy run start
Yes, you have to do that. Otherwise you lose points for sure.
look guys
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
interface fa0/1
ip access-group 100 out
My problem: when I do the ping command, all hosts such as A, B, D still have access to HTTP. What can I do to solve the problem?
@soopros Ping will still work, because your ACL statements will only stop HTTP traffic, not ICMP traffic.
** On a different question, I was wondering: does it matter what ACL number you use? As a force of habit I always use 101 for extended, therefore I'm scared I'll get marked down for not using 100. Does anyone know the answer to this?
People please help me understand this :
All hosts in the Core and local LAN should be able to access the Public Web Server *
why do we use access-list 100 permit ip any any and not access-list 100 permit ip any host (IP address of Public Web Server)?
This is really confusing for me so please have a moment and explain this !
Thanks!
@Cristina
You have to type permit ip any any because if you type permit ip any host (IP of Public Web Server) you will deny access to all other servers in the network, as the implicit deny will take action at the end. But note that they are not asking you to do that; they mention permitting only one server. I’m sure it is a tricky question.
Hi soopros
access-list 100 deny tcp any host 172.22.242.23 eq 80 … it blocks TCP only but does not block ping (ICMP).
If you use
access-list 100 deny ip any host 172.22.242.23 it blocks all (TCP and ping (ICMP)).
Cisco are cheaters.
@saha and dandanm thanks a lot
@dandanm you can use any number within the extended range
I’m taking the exam on October 30th..
Is there any difference if I apply access list 124 or 190 instead of access list 100? Is the simulator dummy? Or as long as I use an extended access list range there will be no problem?
really 9tut ,,, is a great website ,,thank u 9tut,,
guys ,, i just passed my exam ,, got 933 ,,
also i had this Q and ,,,
for any help ,, it would be my pleasure ,,
bb5nn6@hotmail.com
Here you find the latest version of P4S cracked. If you study this site and you practice with these questions you pass 100%
http://depositfiles.com/files/vmtg6zpri
I’ll start this off noting that I have 2.5 years of networking experience, 18 months working on WAN for an ISP testing circuits, and the last year doing switching for a global enterprise LAN.
Anyone who posts in these comments that they studied for a week and passed the CCNA is either a liar, or has been a network engineer for 5+ years. I have no professional experience implementing ACLs or routing configurations YET. The catch-22 about this cert is, HR recruiters consider this an entry-level cert (ask any of them what the cert is below CCNA). But the level of knowledge you need to have to not just PASS this exam, but really know it, would come from many years of implementation. But how do you get a job doing this, if you don’t have the experience? You get this “entry-level” cert. With all the professional experience I have, it still took me about 2 months of prep with P4S and this to consider myself ready. Got a 907 on it this a.m., so it was worth it. BTW, my sims were VTP, EIGRP, and ACL. The ACL commands were a little wonky, wouldn’t take the second line without ending it with “eq 80”. My tests confirmed it was configured correctly: only the designated host could access the Financial web server.
I passed my exam on Friday….986/1000
I wanna thank the Almighty God for making it possible, everyone @ 9tut, and some of the dumps I had to go through. CCNA isn’t that easy, lots of things to cover… and if you don’t get the concepts right, you won’t get it.
To everyone else on this site, thank you all… we all need to contribute.
Hey guys, I’m taking CCNA exam this week, please send me the latest dumps I would really appreciate it…thanks in advance all !!! My e-mail: cr7cubanocr7@gmail.com
hi guys
I’m taking my exam on 2nd Nov. I’ve tackled EIGRP, VTP, ACL and all the theory part on 9tut and Pass4sure. Tell me what else I have to check?
Hi,
Zim Zim
May you please assist me with Pass4sure, I am under pressure. I would like to write as well. Can you email it to gersonsellomogale0@gmail.com
i just passed my ccna today… with 920/1000
sims were acl 2, eigrp and vtp.. all r same as here
and my dumbs were jericho …strongly helped me
just last 2 weeks only i studied 9tut and sekher dumbs.
exam was soooooo easy actually i did it in a 40 mins
in the mcq section i faced nearly 15 switching que.. 5 routing.. 5 ip addressing.. 2 wireless.. 3 wan… 4 drag and drops and some others i cnt remember
in examcollection.com webpage has more valid dumbs go with these notes and study hard you will get sure pass and everyone who want to do ccna in future- all the very best it is the best and nice career certification
oh wait… ccnp? yeah i m coming
Hi guys, I don’t know if it is the Packet Tracer:
but when I configure this I still have access from all devices, let’s say I receive a reply from all, so what is the problem?
Corp1#configure terminal
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Corp1(config)#access-list 100 permit ip any any
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Corp1#copy running-config startup-config
when i
@inge There is no difference; the range is 100 to 199.
@Anonymous
Your access-list denied only http traffic for the specific host, all ICMP traffic permitted
hi guys
I’m taking my exam on 15th Nov. I’m doing practice from EIGRP, ACL and VTP and from Brar dumps. Is it enough for the exam?
@Anonymous Your second statement only prevents any host reaching 172.22.242.23 through HTTP. If you want to deny the other hosts completely, remove eq 80 on the second statement.
just pass the exam today and got 907
This sim was one of them.
Passed on the 2nd of November, scored 907. Thank you God, thanks a lot 9tut. ACL, EIGRP, VTP, drag and drop.
Could have scored more on EIGRP: there was an extra network to be removed, change AS to 112, ping your serials. ACL: allow host C on the web server, all Core and LAN to be able to access the Public server. Please guys, verify your links by pinging hosts, it really adds marks. Good luck to all. CCNP, I am on my way.
@Gerson Morgen
You can buy it on the internet and it will only be downloaded on your machine if you bought it alone; unfortunately it is not transferable.
taking test tomorrow morning…cheerz
Just passed my exam.
Sims were eigrp,acl2 and vtp.
Make sure you know the modifications table for the acl2 and practice them to get used to it.
Keep going through the questions so you know them well.
Take your time on the VTP because it's difficult to find the information. Keep hitting enter to see the whole configuration (I noticed this after a while).
Good luck guys…let me know if you got any questions.
Hi guys, I am about to take my exam in 2 weeks from today. Kindly update me on which sims to concentrate on, and if you can help me with the latest dumps my email is kambileni@gmail.com. Please help.
Random, Zim Zim, Ahmed, kindly help me with the latest dumps; my email address is kambileni@gmail.com. Please guys.
I’m taking my exam on 15th Nov, please send me the latest dumps. I will be very thankful; my email address is umaralhasni@hotmail.com
Sorry guys won’t be able to tell you what dumps because I just used pass4sure which my company paid for.
Can someone let me know that in the above SIM, how do we know which protocol is being used for various hosts?
Because in some cases for host C we are saying tcp and some cases as IP.
plzzz send me latest dumps my mail id bsaikrishna66@gmail.com
@shiva Man, we use tcp because in the above statement you should have noticed that we should allow HTTP, port 80, which resides on TCP only, not UDP or IP. I hope that clears things up.
hi everyone!
Which statement is correct regarding the operation of DHCP?
a. If an address conflict is detected, the address is removed from the pool and an administrator must resolve the conflict.
b. If an address conflict is detected, the address is removed from the pool for an amount of time configurable by the administrator.
Which one is true??? At 9tut the answer is a , at Brar the answer is b. I am not sure what is right!!!
i passed yesterday and i got the score 990..Sims are vtp,acl, and eigrp..it’s not hard..you must more on practicing in configuration and determine your doing..good luck to those who intend to exam..
Hi guys, I took the exam 2 weeks ago and passed with 970/1000. I had ACL, EIGRP and VTP sims. Sims were the same as here, only small changes (IP address or port assignment) had been made. Good luck, I think it’s very easy, so don’t worry about it.
I failed my CCNA exam because I didn’t study.
Score 709. :’(
any body plz give me link of packet tracer updated version for these simulations??
Hi guys, I just passed my exam today. I got 933. In my exam, the simulations were EIGRP, VTP and ACL2. As for my dump, I am using Shekar; you could also check the questions here at 9tut. I also got 4 drag and drops. For the drag and drops in my exam, you could check here at 9tut.
good luck to everyone.
Hello, if anyone can answer this one I will really appreciate it. I understand this sim, but why is the following configuration not working?
access-list 100 permit tcp host 172.22.242.23 host 192.168.33.3 eq 80
access-list 100 deny tcp host 172.22.242.23 any eq 80
access-list 100 permit ip any any
int fa0/1
ip access-group 100 in
this is really important to erase my doubts in my head.