CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications of this access-list sim have also been reported, so read the “Some modifications” section at the end of this question. You can also download this sim to practice with (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (enter “cisco” as the password here)
We should create an access-list and apply it to the interface connected to the Server LAN, because there it can filter traffic from both the Sw-2 (Hosts LAN) and Core networks. The Server LAN has been assigned addresses of 172.22.242.17 – 172.22.242.30, so we can guess that the interface connected to it has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN. This is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via the web (TCP port 80):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny all other hosts web access to the Finance Web Server:
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted:
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to the Fa0/1 interface (outbound direction):
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not Fa0/0) so that it filters traffic coming from both the LAN and the Core networks. If we applied it inbound on Fa0/0 we could only filter traffic from the Hosts LAN, and the Core would still have web access to the server.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct you can access it.
Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from them.
Finally, save the configuration:
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via the web. If this server supports other traffic, like FTP, SMTP…, then the other hosts can still reach it over those protocols, because the third statement permits everything else.)
Notice: In the real exam, you might be asked to allow a different host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
| Requirement | Command |
| --- | --- |
| Permit host B to access the Finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| Deny host B access to the other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| Permit everything else | access-list 100 permit ip any any |
Modification 2:
| Requirement | Command |
| --- | --- |
| Only allow host C to access the Finance server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Do not allow anyone else to communicate with the Finance server in any way | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
| Requirement | Command |
| --- | --- |
| Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the Finance Web Server should be blocked. All access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (the requirement says we cannot use more than 3 statements, so we have to use “any” here to cover host C, the Core and the local LAN in one statement) |
| All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (if the question asks this, it surely has to give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
| Requirement | Command |
| --- | --- |
| Host C should be able to use a web browser to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the Finance Web Server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the Core and on the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the requirement “All hosts in the Core and on the local LAN should be able to access the Public Web Server” saying that the correct command is “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command matches the requirement better, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports say they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
And in the exam they may slightly change the requirements, for example host A or host B instead of host C…, so make sure you read the requirement carefully and build the access-list accordingly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1+) to open it.
Notice: After typing the commands above, if you ping from the other hosts (PC0, PC1, PC3), PC4 (Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server; an access-list that must block all Core access to this server has to filter that traffic too.
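As an added example (this is not 9tut’s sim code and not Cisco software), here is a small Python model of how IOS evaluates these extended ACL statements: the first matching entry decides and any packet that matches no entry hits the implicit deny at the end of the list. It is fed the answer’s three statements, Modification 1 (the 172.22.242.16 0.0.0.15 wildcard) and both candidate third lines of Modification 4, and checks them against packets from host C, host A and the Core address used above. It shows why FTP and ping from other hosts still reach the Finance Web Server under the answer ACL, why the wildcard in Modification 1 covers the whole .16–.31 block, and exactly what “permit ip any host 172.22.242.17” blocks that “permit ip any any” lets through. The evaluator, its helper names and the packet set are assumptions of this example; the addresses are the sim’s own, and interface direction is not modelled.

```python
"""Evaluator for IOS extended numbered ACL statements (added example).

Models first-match evaluation and the implicit deny at the end of every IOS
access-list. Assumptions of this example: wildcard masks are contiguous
(e.g. 0.0.0.15), ports are only matched with "eq", and the addresses are the
ones given in the sim. Not Cisco code; interface direction is not modelled.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport sport", defaults=(None, None))
Entry = namedtuple("Entry", "action proto src sport dst dport")
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}  # names IOS accepts after "eq"


def _wildcard_to_prefixlen(wildcard):
    """0.0.0.15 -> 28, 0.0.0.0 -> 32; rejects non-contiguous wildcards."""
    bits = int(ipaddress.IPv4Address(wildcard))
    host_bits = bits.bit_length()
    if bits != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return 32 - host_bits


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefixlen = _wildcard_to_prefixlen(tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{prefixlen}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port|name>' at tokens[i]; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(PORT_NAMES.get(tokens[i + 1], tokens[i + 1])), i + 2
    return None, i


def parse_acl(lines):
    """Accept 'access-list 100 permit tcp ...' or just 'permit tcp ...' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]  # drop "access-list <number>"
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(Entry(t[0], t[1], src, sport, dst, dport))
    return entries


def evaluate(entries, pkt):
    """Return 'permit' or 'deny': first match wins, no match is the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in e.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# Addresses from the sim; HOST_B and the Core address are also the sim's own.
HOST_A, HOST_B, HOST_C, CORE = "192.168.33.1", "192.168.33.2", "192.168.33.3", "198.18.196.65"
FINANCE, PUBLIC = "172.22.242.23", "172.22.242.17"

ANSWER_ACL = parse_acl([
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
])
MOD1_ACL = parse_acl([
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
])
MOD4_ANY_ANY = parse_acl([
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny ip host 192.168.33.3 host 172.22.242.23",
    "access-list 100 permit ip any any",
])
# Same first two lines, but the debated third line that names the Public Web Server.
MOD4_PUBLIC_ONLY = MOD4_ANY_ANY[:2] + parse_acl(["access-list 100 permit ip any host 172.22.242.17"])


def check_answer_acl():
    """Decisions the answer ACL makes for constructed sample packets."""
    return {
        "C http finance": evaluate(ANSWER_ACL, Packet("tcp", HOST_C, FINANCE, 80)),
        "A http finance": evaluate(ANSWER_ACL, Packet("tcp", HOST_A, FINANCE, 80)),
        "core http finance": evaluate(ANSWER_ACL, Packet("tcp", CORE, FINANCE, 80)),
        "A ftp finance": evaluate(ANSWER_ACL, Packet("tcp", HOST_A, FINANCE, 21)),
        "A ping finance": evaluate(ANSWER_ACL, Packet("icmp", HOST_A, FINANCE)),
    }


def check_mod1():
    """Host B reaches the Finance server but nothing else in 172.22.242.16/28."""
    return {
        "B http finance": evaluate(MOD1_ACL, Packet("tcp", HOST_B, FINANCE, 80)),
        "B http public": evaluate(MOD1_ACL, Packet("tcp", HOST_B, PUBLIC, 80)),
        "A http public": evaluate(MOD1_ACL, Packet("tcp", HOST_A, PUBLIC, 80)),
    }


def compare_mod4():
    """(decision with 'permit ip any any', decision with 'permit ip any host .17')."""
    pkts = {
        "C ftp finance": Packet("tcp", HOST_C, FINANCE, 21),
        "A http finance": Packet("tcp", HOST_A, FINANCE, 80),
        "core ping finance": Packet("icmp", CORE, FINANCE),
        "core http public": Packet("tcp", CORE, PUBLIC, 80),
    }
    return {n: (evaluate(MOD4_ANY_ANY, p), evaluate(MOD4_PUBLIC_ONLY, p)) for n, p in pkts.items()}


if __name__ == "__main__":
    for name, fn in (("answer", check_answer_acl), ("mod1", check_mod1), ("mod4", compare_mod4)):
        print(name, fn())
```

Running it prints the decision for each constructed packet. Under the answer ACL only host C’s HTTP is permitted to the Finance Web Server while A’s FTP and ping still go through (the third statement), and in the Modification 4 comparison the “permit ip any host 172.22.242.17” variant silently drops everything that is not addressed to the Public Web Server, including the Core’s ping to the Finance server, because it falls through to the implicit deny.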
Hi, please can anyone help me by sending the new dumps to elshen.rehim@gmail.com
Thanks
Dear sir, about “deny host B from accessing other servers”……
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15…
The destination IP must be the Finance Web Server, 172.22.242.23. Why did you write 172.22.242.16???????
Is this correct??
Dear sir, what’s the difference between the 2 commands to allow host C… I mean, which one is the best to use….
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 …
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
@bilal In my understanding it depends on the requirements which protocol you will use. It says web server, which is port 80 under TCP, so you will use that; otherwise use ip. Correct me here, though. I am planning to take it here in Dubai as well.
@AnonymousJuly25th It says in the lab “other servers”, but not the whole network, so just take the subnetwork in which all the IP addresses will be covered (including the .17 to .30 servers). From the show run command the subnet mask is 255.255.255.240, which is a subnet of 16 addresses, and .17 to .30 is within that subnetwork of .16……… Correct me if my understanding and explanation is wrong.
Just passed CCNA yesterday…………………………………………..all questions from 9tut.
Labs were ACL1, ACL2 (with the 2nd modification and changed IP addresses) and EIGRP (with a different autonomous system number and different IP addresses).
Thanks 9tut.
Score: 972/1000
Can anyone tell me please about PMP? Is there any website for PMP like this one for CCNA???
He is denying the whole network, not only the host…
It depends on what they are asking you to permit… permit only web access (web browser, usually port 80), or if they want you to permit all kinds of packets to the server (permit ip).
HELP PLEASE!! I am going to take the CCNA exam in August. Will the watson, examtut, 9tut and mathew dumps be valid? I mean to say, for how many months are CCNA dumps valid and won’t they change the pool of questions?
29/7/2014
Hi guys, just passed the exam… 972/1000
Labs: access-list 1, access-list 2 mod 3, EIGRP. All questions from 9tut and dumps…
If anyone needs dumps contact me at game.rose@hotmail.com
Stavros, or anyone who already passed the exam, can you answer this please?
Are the ACL1 questions really the same questions and answers as here on 9tut?
I passed the CCNA exam today, I got 958/1000. I just want to thank 9tut, watsons and Gilbeast. It helps a lot! EIGRP is almost the same, ACL1 and ACL2 mod 3.. Thanks..
what is the difference if I use “tcp” rather than “ip” protocol for the extended ACL?
What should I use?? permit ip any any, right?
We just passed! Thanks to 9tut!
I got the EIGRP lab, ACL 1 & 2 (mod 3) with some changes to IP addresses only.
Passed today. All questions from 9tut (thanks a lot).. ACL, ACL2, EIGRP. In ACL2 modification 4 I put as the 3rd line: permit ip any any – result 100%, BUT there were just the Finance Web Server and Public Web Server connected to the switch (no DNS server), so permit ip any any is logical.
Hi to all, I have scheduled my exam for next week. I have a question: in this ACL 1 sim do we have to configure it, or just choose the right answer and click next? And one more thing, what about VTP and NAT, are they going to come up in the exam too? Please reply, thanks.
Hi guys, I have scheduled my exam in two weeks’ time. Can anyone send me the watson dumps at aguirehachimbi@gmail.com
Thanking you in anticipation
I just want to have the downloaded practice lab sim for ICND1 sent to the email gentle_oj@yahoo.com
from anyone.
Hi guys, passed my exam: 958, on 1-Aug-14. Sim questions were ACL & ACL2 (Modification 3), EIGRP……. Practice the sims here at 9tut and try understanding them, so no matter the small changes you will still have a hold of it, and always test your configurations when you are through.
Hi guys, I passed. Thanks to 9tut. Sims were ACL and ACL2 mod 3 and EIGRP. Good luck to all.
Hi guys, please help me. I am failing to open my VCE file; it says I should upgrade to the newer version, but I have tried the other versions which I have and it still won’t work. It’s saying I should buy from avanset.com. Would someone help me please? aguirehachimbi@gmail.com is my address.
I passed my exam yesterday (Aug 4) with the score of 1000. Thanks 9tut! My sims were EIGRP(AS 23) ,ACL1(exactly as it is), ACL2(mod3). All questions are from 9tut. I used watson, matthew, NS32 and examtut dumps.
I’ve passed my exam today (Aug 5) with the score 986/1000. Almost every question was from 9tut – many thanks! I had ACL2 modification 4 (I had an IP for the public web server and I used it in the last statement of the ACL), ACL (exactly as it is), EIGRP (AS 222 and some additional network in the configuration of R1 – I removed it and added the correct one). Thank you 9tut!
Hi, Can you use “[command] ?” during sims on exam?
Hi guys, I just passed my exam today 1000/1000. Thanks a lot 9tut, all questions were from 9tut and watson.
ACL, ACL2 and EIGRP, not tough, it was very easy.
Once again many many thanks.
God bless you all.
Hi all, thank you for this website. I am currently finishing my studies and preparing for the exam, so can anyone please send the dump that I should look at before I go in to the exam..
Thank you in advance, here is my address: filmaton@yahoo.com
Hi, I think Modification 3 should look like this:
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny ip host 192.168.33.3 host 172.22.242.23
permit ip any host 172.22.242.17
There is also the implicit deny any at the end, so we have only 3 statements and it should work, or am I wrong???
You are referring to Mod 4. The permit statement should be
permit ip any any. And in the exam, if you put the command permit ip any host 172.22.242.17 you will fail.
Understand the question requirements so that you can determine whether the answer is under Mod 1, 2, 3 or 4.
Jay, did you find a job where you’re from? Here in Miami they ask for 5 to 10 years of experience, that sucks.
Hi to all.
Is it really correct to use for third command “access-list 100 permit ip any any” instead of “access-list 100 permit ip any host ipaddressofserver” in modifications 3 and 4 ?
Thank you!
Both commands are correct, but I took my CCNA on 5 August where this sim came up and I used the command access-list 100 permit ip any any… This command definitely works and there are people who have gotten 1000/1000 when they used it!!
I’m writing on Friday…. any advice?
Passed 958/1000
Thanks 9tut! Exactly the same EIGRP, ACL and ACL2 sims…
Also went through dumps, really helped a lot!!!..
Whatson, Giilibeast, Jennie and Mathew dumps (examcollection.com)
All 51 questions were from dumps…
Even if you don’t study the book and only go through dumps a few times you will pass easily…
Just remember the answers given in the dumps…
All dumps on 9tut are valid.. I passed today 958/1000.. 9tut is all you need to pass.
Explanation please on modifications 3 and 4 for this lab. Thanks.
No dumps are needed. This site is all you need. Passed the exam today 1000/1000.
ACL 2 lab case 2. Do not memorize the IP address. They will change.
Slight changes to the labs, but they’re still basically the same. 958/1000 (16/Aug). 9tut is indeed all you need :)
Passed with 1000/1000. ACL1, ACL2 (mod 3), EIGRP (221).
DON’T forget to configure access-list 100 permit ip any any as the last statement, even though the IP of the public server is given.
This sim was in my test today!
Thanks 9tut.
Which modification??
What is the difference between Modifications 3 & 4, please? They look and sound exactly the same. Thanks.
Hi All,
Can anyone give me an explanation for modification 4 with 3 statements?
“Other types of access from host C to the finance web server should be blocked” (mod 4 ACL)
Hi all,
I just want to ask a question. What if I did not copy running-config startup-config at the end of the sim? Would it deduct from my total score?
@ibrahim
It means that any kind of access to the financial server should be denied, like pinging (ICMP), telnet, FTP, etc. So after you have permitted host C to access port 80 (WEB), you can then deny all other access from host C (the whole IP protocol, that’s why in the configuration it is deny ip*) in the next statement.
Modification 1: As nothing is mentioned about core network, can the access-list be applied to Fa0/0 inbound?
I passed today, got 1000/1000.
I had ACL, ACL2 and EIGRP labs. ACL was the same as it is here.
EIGRP was also the same, simple changes (IP addresses and eigrp 2). The passive-interface command was on R1 and the ISP link. Don’t remove it!
I got ACL2 modification 3 and as the last statement I used: permit ip any any! In the server LAN I had only the public web server and the finance web server. There was no DNS server.
I used the following dumps from examcollection.com: watson, matthew, examtut and gillbeast, but I think that watson’s dump is the best and quite enough to pass. All questions were from the dumps!