CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65.
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17.
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications of this access-list question have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (TCP port 80):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny all other hosts web access to the Finance Web Server:
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted:
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to the Fa0/1 interface (outbound direction):
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, it could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct, you can access it.
Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from these hosts.
Finally, save the configuration:
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via web; if this server supports other traffic – like FTP, SMTP… – then other hosts can still access it through those protocols.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
Requirement | Command
Permit host B to access the Finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
Deny host B from accessing the other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
Permit everything else | access-list 100 permit ip any any
Modification 2:
Requirement | Command
Only allow host C to access the Finance server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
Do not allow anyone else to communicate with the Finance server in any way | access-list 100 deny ip any host 172.22.242.23
Allow all other traffic | access-list 100 permit ip any any
Modification 3:
Requirement | Command
Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here for the hosts in the Core and the hosts in the local LAN)
All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it surely has to give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
Requirement | Command
Host C should be able to use a web browser to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the Core and on the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the command for “All hosts in the Core and on the local LAN should be able to access the Public Web Server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the correct interface or you will lose points:
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A or host B instead of host C… so make sure you read the requirement carefully and write the access-list accordingly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer to open it (v5.1+).
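To see exactly why the three statements above behave as described, including the note that FTP or SMTP to the Finance Web Server still passes, the wildcard mask 172.22.242.16 0.0.0.15 in Modification 1, and the “permit ip any any” versus “permit ip any host (Public Web Server)” debate in the modifications, here is an added example that is not part of the 9tut page and not Cisco IOS: a small Python evaluator that applies a numbered extended ACL to packets the way the router does on Fa0/1 outbound (top-down, first match wins, implicit deny at the end). The ACL text is taken from this page; the packets and the address 172.22.242.20 standing in for “some other server” are constructed for the demonstration.

```python
"""Added example (not 9tut's code, not IOS): evaluate numbered extended ACLs
with first-match semantics, host/any/wildcard address forms, 'eq' port tests
and the implicit deny at the end of every list."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Callable[[int], bool]
    sport: Optional[int]
    dst: Callable[[int], bool]
    dport: Optional[int]
    text: str

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not self.src(int(ipaddress.IPv4Address(pkt.src))):
            return False
        if not self.dst(int(ipaddress.IPv4Address(pkt.dst))):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        return self.dport is None or pkt.dport == self.dport


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip, t=target: ip == t), i + 2
    # Wildcard mask: a 0 bit means "must match", a 1 bit means "don't care".
    net = int(ipaddress.IPv4Address(tokens[i]))
    care = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda ip, n=net & care, c=care: (ip & c) == n), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' (number or well-known name)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name) or int(name), i + 2
    return None, i


def parse_acl(text: str) -> list:
    """Turn 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue                       # skip prompts, comments, blank lines
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        aces.append(Ace(action, proto, src, sport, dst, dport, line.strip()))
    return aces


def evaluate(aces, pkt: Packet):
    """Top-down, first match wins; nothing matched means the implicit deny drops it."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action, ace.text
    return "deny", "implicit deny (no statement matched)"


# The ACL exactly as configured on this page
PAGE_ACL = """
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
"""
# Same list, but with the third line narrowed to the Public Web Server (Modifications 3/4)
NARROW_ACL = PAGE_ACL.replace("permit ip any any", "permit ip any host 172.22.242.17")
# Modification 1: the wildcard covers the whole server LAN 172.22.242.16-31
MOD1_ACL = """
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
access-list 100 permit ip any any
"""

HOST_A, HOST_B, HOST_C, CORE = "192.168.33.1", "192.168.33.2", "192.168.33.3", "198.18.196.65"
FINANCE, PUBLIC, OTHER_SRV = "172.22.242.23", "172.22.242.17", "172.22.242.20"  # .20 is constructed

# Constructed traffic as it would leave Fa0/1 towards the server LAN
SAMPLE_PACKETS = {
    "C http Finance": Packet("tcp", HOST_C, FINANCE, sport=1025, dport=80),
    "A http Finance": Packet("tcp", HOST_A, FINANCE, sport=1025, dport=80),
    "Core http Finance": Packet("tcp", CORE, FINANCE, sport=1025, dport=80),
    "A ftp Finance": Packet("tcp", HOST_A, FINANCE, sport=1025, dport=21),
    "A ping Finance": Packet("icmp", HOST_A, FINANCE),
    "A http Public": Packet("tcp", HOST_A, PUBLIC, sport=1025, dport=80),
    "A http other server": Packet("tcp", HOST_A, OTHER_SRV, sport=1025, dport=80),
    "B http Finance": Packet("tcp", HOST_B, FINANCE, sport=1025, dport=80),
    "B http other server": Packet("tcp", HOST_B, OTHER_SRV, sport=1025, dport=80),
}


def decisions(acl_text: str) -> dict:
    """Map each sample packet name to the action the given ACL takes on it."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("page ACL", PAGE_ACL), ("third line = any host PS", NARROW_ACL), ("modification 1", MOD1_ACL)):
        print(label)
        aces = parse_acl(acl)
        for name, pkt in SAMPLE_PACKETS.items():
            action, why = evaluate(aces, pkt)
            print(f"  {name:22} {action:6} <- {why}")
```

Running it shows the page's list permitting host C's HTTP, denying HTTP from host A and the Core, but letting host A's FTP and ping through on the third line; with the third line narrowed to the Public Web Server, that same FTP, the ping and HTTP to any other server fall off the end of the list and hit the implicit deny, which is the point made under the modifications. Modification 1 shows the wildcard: host B to .23 matches line 1, host B to .20 is caught by the 0.0.0.15 range, and host A to .20 is untouched.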
Download this sim here
Notice: After typing the commands above, if you “ping” from the other hosts (PC0, PC1, PC3), then PC4 (the Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server. The access-list we create has to be able to filter this traffic too.
My previous comment does not deny anything, but
access-list 100 permit ip host 172.22.242.23 host 192.168.33.3
int fa0/1
ip access-group 100 in
this one denies hosts A, B and D. I’m really confused.
Can someone tell me whether the labs in the exam are the same as these, or with some modifications?
@Can
It is because of the implicit deny at the end of every access-list. Study first, because it is basic; you must know this, and come here after.
@Zinger
It’s the same as this; I had the same one, but on host D, not C.
@Mike
I already know that, but why did my first access-list not deny HTTP requests from hosts A, B and D? Can you explain that?
access-list 100 deny tcp host 172.22.242.23 any eq 80
This line should deny any HTTP request. Please don’t tell me I must apply the access-list outbound, because I already know that too. I just need an explanation.
@can
It will not work because it’s the wrong command.
What do you want to deny?
You must do it like this:
access-list 100 deny tcp any host 172.22.242.23 eq 80
Hey guys…
How can I distinguish when to use tcp or ip?
In which questions do I have to use tcp, and in which ip?
Please reply to me.
@yazan
You are right if I’m going to apply this on fa0/1 out, but I apply it inbound.
What I mean, for example: host A sends an HTTP request to the Finance Web Server on port 80 and it reaches the server, that’s OK. However, when the Finance server sends its response to host A, it should be denied by the “access-list 100 deny tcp host 172.22.242.23 any eq 80” line, but it is not denied.
I hope I don’t confuse your mind as well. I’m clear on access-lists; what I want to learn is why the “access-list 100 deny tcp host 172.22.242.23 any eq 80” command did not deny host access when applied inbound.
@korean
If you are going to deny certain ports like HTTP, FTP, Telnet or DHCP, you use tcp or udp. If you are going to deny the whole traffic, you use ip. So learn the well-known TCP and UDP ports carefully.
@Can
It does not deny because in an access-list the source comes first and the destination second, so if you check your ACL you will find that you denied only one host (host C) from accessing any HTTP server.
@Can
I am with Mike. With your command you only deny the Finance server from asking for HTTP out of F0/1, but if any host tries to make an HTTP request to it, it will respond normally.
@All
I have realized that people who got the ACL 2 sim in their exam had a different one than 9tut’s…
Just for your information, please practise these questions too:
1. Host C should be able to browse the Finance web server.
2. Other types of access from host C to the Finance server should be blocked. All access from the Core or LAN to the Finance server should be blocked.
3. All hosts in the Core and LAN should be able to access the Public server.
Write the access-list in 3 lines.
Answers:
access-list 100 permit tcp host(IP address) host (Finance web server) eq 80/www
access-list 100 deny ip any host(Finance web server)
access-list 100 permit ip any host (Public web server)
good luck!!!
@Asif
That’s the question I had in my exam.
Can anyone tell me which site I have to study for the A+ certification?
Passed with 960. I got this sim with the third option (host C……). They omitted the IP of the Public Web Server.
Asif, please tell me: after applying these three statements, do I then have to apply it on fa0/1 as we did previously?
OR
ip access-group 100 out
Am I right?
Anonymous, please visit http://www.computerhope.com; it is a useful website.
@zinger
yes
@ASIF
I think the third command which you wrote should be
access-list 100 permit ip any any
not the IP of the Public server.
Isn’t it?
Hi Ashley, congratulations.
Can you please help me with the dumps which you studied?
I am planning to take the CCNA 640-802 exam next week.
Thanks in advance, and all the best for your further journey.
Can anyone tell me whether “AKS” is right or wrong…
Having my exam tomorrow.
@All
access-list 100 permit ip any any – this is the right command, no matter whether they give you the IP of the PS or not. Why? Because the last requirement is that we have to permit access to the PS. NOTE: They are NOT asking us to deny access to all other servers in the topology, right? If you use the command access-list 100 permit ip any host x.x.x.x (IP of PS) as the third statement, you will deny all hosts access to all other servers in the topology. The implicit deny will take effect.
all the best,
Mike
@Zinger @aks
In order to complete the three ACL statements… we need to finish with the following commands:
interface fa 0/1
ip access-group 100 out
DON’T FORGET TO COPY RUN START
@aks
Please read the 3rd question again; it says
3. All hosts in the Core and LAN should be able to access the Public server.
We don’t know the IP addresses of the Core, so we write ‘any’, which you agree with too, but for the Public server, why would you write ‘any’ even though you know the IP address of this Public server…
So the correct access-list for the 3rd question should be
access-list 100 permit ip any host (Public web server)
@akkii
All the best; don’t forget to share your experience…
good luck
@Asif
You MUST write any any, because you will block all other hosts from accessing the other servers in the topology if you write any host x.x.x.x. Please read my comment above.
All the best,
Mike
Did it, got 920…
The exam was easy… the sims were the same: VTP, EIGRP with passive interface and ACL…
There were many questions on Frame Relay… so make sure you do those questions too…
My dumps were Brar and Sekhar… many new questions, but all were in the Brar dump…
The exam was easy.
Thank you my LORD for the knowledge… I passed the exam last Nov. 9 with a score of 986/1000. Thank you 9tut and Sekhar…
SIMULATION
EIGRP AS 23
ACCESS-LIST
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked: access-list 100 deny ip any host 172.22.242.23
(because the requirement says we cannot use more than 3 statements, we have to use “any” here for the hosts in the Core and hosts in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *: access-list 100 permit ip any host
(If the question asks this, surely it has to give you the IP of the Public Web Server) but in the exam you should use “access-list 100 permit ip any any”
VTP
2 4 5 6 8
In my exam there was no IP for the Corp1 interface connected to the server, but there was (.32) instead of (.30) in the topology shown above, so I concluded the full IP was 172.22.242.32,
to be in the same subnet with the Finance and Web servers. It was easy. Then I concluded the appropriate subnet mask. It took time, but it was so easy.
Zero, can I have the Sekhar dumps… crow4life@yahoo.com
ZERO
In the exam, if they give the IP of the Public Web Server, which one?
access-list 100 permit ip any any
or
access-list 100 permit ip any host ( )
Please help me; my exam is on 13-11.
Sorry, I mean if they give me the IP.
@ahmad
It will be “ip any any”.
@ ahmad
The last line statement should be “access-list (extended#) permit ip any any”
Okay,
thanks all.
You mean that either way I type this one.
Download packet tracer 5.3.2
Packet Tracer is created by Cisco SystemsTM and provided for free distribution to faculty, students, and alumni who are or have participated in the Networking AcademyTM program. Self-learners are not allowed to download this software.
Packet Tracer 5.3.2 is currently available for download from the Packet Tracer resource page on Cisco Networking AcademyTM pages.
To access this page, log in to Academy Connection (CiscoTM website) and click the Packet Tracer graphic on the left of the page, select Software Downloads, then select the appropriate download package for your needs.
Find alternate download links
I have my exam tomorrow, any advice?
@Kawawy don’t worry =))) everything is gonna be alright)) Don’t forget to share your CCNA experience.
@ Kawawy
Determine the task given :-)
you stupid morons
hahahahah
Hi,
I had my exam yesterday, and I failed.
…………………………………………………………………………………………………………………………
The user on host C should be able to use a web browser to access financial information from the Finance Web Server, The user on host C should not be able to use a web browser to access other servers.
………………………………………………………………………………………………………………………
How can I deny host C from other servers when I add PERMIT ANY ANY?
I’ll be grateful if someone can help me.
Thanks.
Hi fafa!
I think it looks like:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq www
access-list 100 deny tcp host 192.168.33.3 172.22.242.16 0.0.0.15 eq www
access-list 100 permit ip any any
This ACL will allow access from the web browser to the Finance server, and deny other HTTP traffic from the host to the servers. At the end of the ACL, all other traffic is permitted.
Hi All ,
Can you please tell me what 10.0.0.5 refers to?
Hi Network Addicts,
I got my CCNA today, with more than 90% of the points :)
********************************************************
Talking about my exam today:
I had the three best-known simulations, which are EIGRP, VTP and ACL2.
* The EIGRP SIM had 122 as the AS on a few routers and 12 on one, so I followed the steps as dictated on this site. I found a passive interface between the ISP and router “1”, so I left it; I also deleted one network that was advertised by router “1” and which wasn’t configured on any physical interface, so I guess that allowed me to get 100% in this section. (15 min)
* The VTP SIM on this site was the same, with only 5 questions.
* IMPORTANT:————————————-
ACL2: I took all my time there, I spent more than 25 min, I was very sure of each step, BUT in the end I got 40%, which unfortunately I was expecting!!
The exhibit was exactly as below:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server
The Finance Web Server and Public Web Server had different IP addresses.
The task was the same as on top.
My unsuccessful response (because in the end I wasn’t able to access the Finance Web Server via web from host C) was:
Corp1#conf t
Corp1(config)#access-list 102 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 102 deny ip any host 172.22.242.23
Corp1(config)#access-list 102 permit ip any any
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 102 out
Corp1#copy run start
I checked everything more than once, but I didn’t succeed in figuring it out!!
What I can say is that I noticed, each time I tried to access the Finance Web Server from host C, I got a message on the router interface which I can’t remember exactly, sorry, but it was something like “…… domain server (255.255.255.255) ……”
So, now after a bit of searching on the internet, I guess I ought to have used “NO IP DOMAIN-LOOKUP”, which prevents the router from looking for DNS resolution!!!
With all my consideration, it will be helpful for future candidates if somebody can confirm or correct me.
———————————————————–
All MCQs were familiar; if you have no doubt about the concepts and you give sufficient time and concentration to all of the 9tut sections, the questions become obvious and you figure out the correct answer instantly!!
**********************************************************
This is my email: ohaysama5@gmail.com If I can be of any help feel free to ask.
CCNP Route, I’m coming :D
They didn’t give me the IP address assigned to the Finance server on the exam. How do you figure that out?
Hi, thanks for the sims. Can someone send me the latest sims? I am taking the exam in a week.
My email address is macharks5024@gmail.com
The application of the access-list 100 that you created in the sim above to the OUT of interface fa0/0 seems wrong to me. Host C, the other hosts from the LAN and the Core are going to be accessing resources in the server LAN. The access-list should be applied inbound, because they are coming in through the router into the server LAN.
ip access-group 100 in
Let me know your thoughts.
Cheers.
Which command allows you to verify the encapsulation type (Cisco or IETF) for a Frame Relay link?
show frame-relay lmi
show frame-relay map
@aranbada
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks.