CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN or the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location, including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Some modifications of this sim have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (enter “cisco” when prompted for the password)
We should create an access-list and apply it to the interface that is connected to the Server LAN, because that interface can filter traffic coming from both the Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30, so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. This is the interface to which we will apply our access-list, in the outbound direction.
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) over HTTP (TCP port 80):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny all other hosts web (TCP port 80) access to the Finance Web Server. Statements are checked in order and the first match wins, so host C's web traffic has already been permitted by the first statement and is not affected by this one:
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted. Without this statement the implicit deny at the end of every access-list would drop everything else:
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to the Fa0/1 interface in the outbound direction:
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, it could only filter traffic from the LAN network, not from the Core.
In the real exam, just click on host C and open its web browser. In the address box, type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct, you can access it.
Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from them.
Finally, save the configuration:
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via web; if this server supports other traffic, like FTP or SMTP, other hosts can still access it.)
Notice: In the real exam, you might be asked to allow a different host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
permit host B from accessing finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
deny host B from accessing other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
permit everything else | access-list 100 permit ip any any |
Modification 2:
Only allow Host C to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
Do not allow anyone else to communicate with the financial server in any way | access-list 100 deny ip any host 172.22.242.23 |
Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
- Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN) |
- All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it will surely give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the requirement “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports say they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
And in the exam they may slightly change the requirements, for example host A or host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1 or later) to open it.
Download this sim here
Notice: After typing the commands above, if you ping from the other hosts (PC0, PC1, PC3), PC4 (Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping the Finance Web Server. We have to create an access-list that can filter this traffic too.
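To make the behaviour of these three-statement access-lists concrete, here is an added Python model, written for this page and not code from 9tut or from the Packet Tracer sim. It evaluates extended numbered ACL statements the way IOS does: top-down, first match wins, implicit deny at the end, and wildcard masks for addresses written like 172.22.242.16 0.0.0.15. It also models where an applied ACL is consulted, so it shows why the main ACL has to sit outbound on Fa0/1 (applied inbound on Fa0/0 it never sees the Core's traffic), why a ping from the LAN still gets through under the main ACL but not under Modification 3's “deny ip any host 172.22.242.23”, and what happens when “permit ip any any” is forgotten. The addresses are the sim's; the interface name “Core” for the Core link, the simple egress lookup and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (net, wildcard, next_i)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2

@dataclass
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol; otherwise tcp/udp/icmp
    src: tuple       # (network, wildcard mask) as 32-bit ints
    dst: tuple
    dport: int = None   # destination port from "eq", if any

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (destination-port eq only)."""
    rules = []
    for line in lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        snet, swild, i = _parse_addr(tok, 4)
        dnet, dwild, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(Rule(action, proto, (snet, swild), (dnet, dwild), dport))
    return rules

@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = None
    ingress: str = "Fa0/0"   # interface the packet arrived on

def _addr_match(spec, addr):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF   # a 0 bit in the wildcard mask means "must match"
    return (_ip(addr) & care) == (net & care)

def evaluate(rules, pkt):
    """Top-down, first match wins; no match hits the implicit deny at the end."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"

SERVER_LAN = ipaddress.ip_network("172.22.242.16/28")   # 172.22.242.17 - .30
def egress(pkt):
    """Assumed topology: servers behind Fa0/1, hosts on Fa0/0, Core on the 'Core' link."""
    return "Fa0/1" if ipaddress.ip_address(pkt.dst) in SERVER_LAN else "Core"

def forward(rules, pkt, applied_on, direction):
    """An ACL only filters packets crossing its interface in the applied direction."""
    seen = (direction == "in" and pkt.ingress == applied_on) or \
           (direction == "out" and egress(pkt) == applied_on)
    return "dropped" if seen and evaluate(rules, pkt) == "deny" else "forwarded"

MAIN_ACL = parse_acl([
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
])
MOD1_ACL = parse_acl([
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
])
MOD3_ACL = parse_acl([
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny ip any host 172.22.242.23",
    "access-list 100 permit ip any any",
])
NO_FINAL_PERMIT = MAIN_ACL[:2]   # common mistake: forgetting "permit ip any any"

# Constructed sample traffic (Finance = .23, Public = .17, Core side = 198.18.196.65)
PACKETS = {
    "C->Finance HTTP":    Packet("192.168.33.3", "172.22.242.23", "tcp", 80),
    "A->Finance HTTP":    Packet("192.168.33.1", "172.22.242.23", "tcp", 80),
    "Core->Finance HTTP": Packet("198.18.196.65", "172.22.242.23", "tcp", 80, "Core"),
    "A->Finance ICMP":    Packet("192.168.33.1", "172.22.242.23", "icmp"),
    "A->Public HTTP":     Packet("192.168.33.1", "172.22.242.17", "tcp", 80),
    "B->Finance HTTP":    Packet("192.168.33.2", "172.22.242.23", "tcp", 80),
    "B->Public HTTP":     Packet("192.168.33.2", "172.22.242.17", "tcp", 80),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:19s} main ACL: {forward(MAIN_ACL, pkt, 'Fa0/1', 'out'):9s} "
              f"mod 3: {forward(MOD3_ACL, pkt, 'Fa0/1', 'out')}")
    print("main ACL applied Fa0/0 in, Core->Finance HTTP:",
          forward(MAIN_ACL, PACKETS["Core->Finance HTTP"], "Fa0/0", "in"))
```

Running it prints one verdict per sample packet. The ICMP packet from host A is forwarded under the main ACL (only TCP port 80 is matched by the deny) but dropped under Modification 3, which is the difference between “deny tcp any host 172.22.242.23 eq 80” and “deny ip any host 172.22.242.23”. The Core's HTTP request is dropped when the ACL is outbound on Fa0/1 but passes untouched when the same ACL is inbound on Fa0/0. NO_FINAL_PERMIT shows the cost of forgetting the third statement: host A's HTTP to the Public Web Server falls through to the implicit deny.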
Passed with a score of 1000.
Labs: EIGRP, ACL, ACL2 mod 3 (host A).
Go through 9tut and actual tests.
Practicing from Watson and doing labs on Packet Tracer will help a lot.
Is ACL referring to the access list sim? Thank you.
Passed the exam today, Alhamdulillah (917/1000).
Just study Watson & Gillbest VCE, guys, and simulations ACL1 & ACL2 (modification 2 using user PC D – they change the IP address) and EIGRP (they change it to AS 2 on R1); make sure to issue the command ‘sh ip route’ for testing purposes.
Frankly speaking, it’s a lot easier than the previous CCNA version (640-802).
CCNP switching next!!!! Insyallah….
@Brendan, what do you mean by “they change EIGRP to AS 2 on R1”? Thank you very much.
Passed my CCNA exam today with 931/1000!!! Really so thankful to 9tut!! Just study the Watson and Gillbest VCE simulations, it’s more than enough. Lab simulations ACL1, ACL2 and EIGRP!! To be on the safe side, study the other lab sims on 9tut!! I finished my exam within 45 minutes!! Thanks to 9tut.
Passed. This was in the exam today, except with host B. Mod 3. Use Watson 314 and check the questions on the right on this site.
@ernesto the AS number for R1 they set to 2, so I just changed it from AS 212 (on R3) to AS 2… and checked all the routing via the command ‘sh ip route’; it’s correct if the subnet is advertised on R1.
if any one need latest dumps send us a working g mail id with password on
game.rose@hotmail.com
Do you know if the bug (*) mentioned in ACL2 modifications 3/4 has been corrected in the exam?
I don’t know whether to use “access-list 100 permit ip any any” or the IP of the server.
Thanks a lot, I have my exam planned for 17th Sep.
Can anyone verify the bug on ACL2 modifications 3 and 4?
I’ll have the exam tomorrow, thanks ;)
Use ‘permit ip any any’ in the exam.
Can anyone please explain to me
why we are using
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
because I think that
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
already implies that other users will be blocked from 172.22.242.23.
Please send the latest CCNA dumps… hemnath25@yahoo.com
http://www.bubblews.com/news/7026831-cisco-ccna
Do we have to modify the Corp1 IP address, DNS, default gateway address, etc.?
ACL, ACL2 and the EIGRP sim are enough for a pass mark.
Just did my exam 1 hr ago and passed with 945. It’s not hard; 9tut is enough to make anyone pass. Thanks a lot to 9tut.
Labs: EIGRP, ACL1 and ACL2.
Dumps: Watson.
Just passed the exam today… got 986/1000, all thanks to Sir James, 9tut, Watson dumps and Acme.
The labs are still ACL 1 and ACL 2 modification 2… the EIGRP one has a passive interface on R1 towards R3; just remove it and input the networks… same process… God bless… email me if you need help… alfechekurt@gmail.com
The CCNA Access List Sim 2, CCNA Access List Sim and EIGRP labs (but with the 3rd modification) were in the exam today. I passed it with 972/1000, alhamdulillah (thanks God).
This lab is very similar (if not identical) to the Extended Access List example in Lammle’s CCNA study guide from Sybex. Page 522, Chapter 12.
Same question as Slid:
“Do you know if the bug (*) mentioned in ACL2 modifications 3/4 has been corrected in the exam?
I don’t know whether to use “access-list 100 permit ip any any” or the IP of the server.
Thanks a lot.”
Or maybe there is an explanation for “permit ip any any”?
I’m going to take the exam on 18th Sept. Are there any new questions? Please share your experience.
Hello friends… Go to ccnalearn.cf to learn all about CCNA / dumps / exam problems / new questions, etc., all for free.
Hope it helps everyone to learn and clear the CCNA 200-120 exam. http://www.ccnalearn.cf
Can we use “?” (help) during configuration in the exam?
Passed my test today, September 17, with 931/1000. The labs ACL, ACL 2 Mod 3 and EIGRP and all the questions were from 9tut.
9tut study and VCE
Thanks 9tut
I just passed my CCNA today, Sept 17, and got 1000/1000.
The exam is very very very very easy.
I had 51 questions.
ACL 1 (same), ACL 2 (Modification 3 with a different IP address), EIGRP (AS 23; I added a missing network on BorderRouter and changed the AS on RouterDisk1).
ALL the questions here were in the exam.
The WATSON and MATTHEW dumps are enough.
Thanks 9tuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuut
Actually thanks 9tuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuut
Please send the latest CCNA dumps: olivermwangovya@gmail.com
Thanks a lot, I passed my exam with 945/1000. Labs: EIGRP, ACL1 (same), ACL2 Mod 3.
Saad,
Yes, “?” works.
Thanks 9tut. Passed today with 903. ACL modification 1 & the EIGRP sim. And study the Watson dump on ExamCollection. Try to understand the questions & answers. You will get it.
Everyone is passing but no one is mentioning the BUG in modifications 3 & 4. What shall we write in the last statement?
Can anyone please say whether in modifications 3 and 4 we must write “access-list 100 permit ip any any” or mention the address of the server? Exam on Monday, Admin!!!!!
Passed today with a score of 1000.. labs were ACL 1, ACL 2 (mod 3, but the host was B) and EIGRP with a slight change..
Studied: 9tut for labs.. Watson dumps for questions.
@Bilal yes.. I wrote permit any any.. got 100%..
@Bilal.. if you want any help regarding the exam.. Skype id: saadnawaz8
CCNA update!!!! Must check this:
http://www.bubblews.com/news/7026831-cisco-ccna
Can anyone please explain to me about Standard and Extended ACLs?
I know that
standard ACL = inside source
extended ACL = outside source.
But what is the difference?
Could anyone please explain? Thank you in advance.
All the best to everyone going to take the CCNA exam.
Please can someone help me out with the WATSON and MATTHEW dumps (ojenagborjnr@gmail.com)? Thanks in advance.
Thanks to 9tut for providing this platform. I hear everyone giving credit to the 9tut SIMs and the WATSON and MATTHEW dumps as an aid to passing the CCNA test. However, I have access only to 9tut. I have my test in 1 week’s time.
I will be grateful if someone can kindly help me with the dumps (WATSON and MATTHEW). Thanks in advance.
Hiiiii everyone. I have cleared the CCNA exam. My score: 1000/1000.
1. You can use “?” in the simulation. It surely works, so you can see all possible commands.
2. You can use shortcut keywords; it works 100%.
3. You can’t use Tab for a few commands, e.g. while declaring the EIGRP autonomous system number.
4. If you need any kind of information or help, mail me: mrsrpy@gmail.com.
5. Make yourself free to revise all the 9tut questions on the day of the exam, meaning before taking the exam, not after.
6. Stop reading half an hour prior to the CCNA exam.
I hope the above information will help you to score 1000/1000.
Regards,
SUDHAKAR
Passed with 1000.
Hint: just understand the concept behind all the questions, don’t try cramming; Cisco will throw you off the rails unless you have a photographic memory to cram all the dumps.
Read 9tut and Watson.
So, you mean to say that the questions were different from 9tut?
Thanks 9tut, just passed the exam… Sims ACL 1 & 2 and EIGRP AS 122…
Hi, I will take the exam on September 27 2014.
I have a question regarding ACL 2 modification 3:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Shouldn’t it be like this?
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
I need your help.
Cleared CCNA today with 1000/1000.. Thanks 9tut.. and especially to the friends who shared their experience… Prepared with the Watson and Matthew dumps… and the 9tut sims.
Hey Kasmot,
It’s “access-list 100 deny ip any host 172.22.242.23” because you are blocking all other traffic to the web server.
“access-list 100 deny tcp any host 172.22.242.23 eq 80” only denies other web traffic.
Hello kasmot.
Note that the 2nd requirement of ACL2 Mod 3 states:
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
So we need to block all other traffic to the Finance server (except web traffic from host C).
So we need to use ip instead of tcp. The second statement should be:
access-list 100 deny ip any host 172.22.242.23
Passed today with 1000/1000.
Watson and Matthew dumps.
EIGRP, ACL1, ACL2.
Passed with 917 last September 13.