CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications to this access-list question have been reported, so you should also read the "Some modifications" section at the end of this question. You can download this sim to practice with (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (enter "cisco" as the password here)
We should create an access-list and apply it to the interface connected to the Server LAN, because there it can filter traffic arriving from both the Sw-2 (Hosts LAN) side and the Core side. The Server LAN has been assigned addresses 172.22.242.17 – 172.22.242.30, so we can guess that the router interface connected to it has the IP address 172.22.242.30 (.30 is the number shown in the figure). Use the "show running-config" command to check which interface has the IP address 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN. This is the interface to which we will apply our access-list, in the outbound direction.
Corp1#configure terminal
Our access-list first needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) over HTTP (TCP port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Then deny every other host web access to the Finance Web Server
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Finally, permit all other traffic (without this line the implicit "deny ip any any" at the end of every access-list would block everything else)
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to the Fa0/1 interface in the outbound direction
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not Fa0/0) so that it filters traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, it could only filter traffic from the LAN; traffic from the Core enters the router through a different interface and would reach the Finance Web Server unfiltered.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct, the page loads.
Then click on the other hosts (A, B and D) and check that you cannot access the Finance Web Server from them.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from reaching the Finance Web Server over HTTP. If the server offers other services, such as FTP or SMTP, other hosts can still reach those, and they can still ping it.)
Notice: In the real exam you might be asked to allow a different host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
Permit host B to access the Finance Web Server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
Deny host B access to the other servers (the Server LAN only, not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
Permit everything else | access-list 100 permit ip any any |
Modification 2:
Only allow host C to access the Finance Web Server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
Do not allow anyone else to communicate with the Finance Web Server in any way | access-list 100 deny ip any host 172.22.242.23 |
Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or the local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (the requirement says we cannot use more than 3 statements, so we have to use "any" here to cover both the Core hosts and the local LAN hosts) |
All hosts in the Core and the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it must give you the IP of the Public Web Server), but in the exam you should use "access-list 100 permit ip any any" |
Modification 4:
Host C should be able to use a web browser to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
Other types of access from host C to the Finance Web Server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
All hosts in the Core and on the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use "access-list 100 permit ip any any" |
* There are reports that for the requirement "All hosts in the Core and on the local LAN should be able to access the Public Web Server" the sim accepts "access-list 100 permit ip any any" and not "access-list 100 permit ip any host (IP of Public Web Server)". I believe the second command matches the requirement more precisely, but you should probably use the first command, "access-list 100 permit ip any any", because several readers report scoring 100% with it (even when the question gives you the IP address of the Public Web Server). It is a bug in this sim. Note also that on a real router, ending the list with "permit ip any host (IP of Public Web Server)" leaves every other destination, including the other servers and any DNS server, to the implicit "deny ip any any".
(Note: Don't forget to apply this access-list to the correct interface or you will lose points:
interface fa0/1
ip access-group 100 out
Also, in the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and write the access-list accordingly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it; you will need a recent version of Packet Tracer (v5.1 or later) to open it.
Download this sim here
Notice: After entering the commands above, if you "ping" the Finance Web Server (PC4) from the other hosts (PC0, PC1, PC3) it still replies, because we only filter HTTP traffic, not ICMP. To generate HTTP traffic, select "Web Browser" in the "Desktop" tab of these PCs, type the IP address of the Finance Web Server in the address bar, and watch how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can reach (ping) the Finance Web Server, so the access-list must be placed where it also sees traffic arriving from the Core; that is why it goes outbound on Fa0/1 rather than inbound on Fa0/0.
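To make the reasoning above checkable outside Packet Tracer, here is a small Python model of ACL 100, written as an added example for this page (it is not Cisco code and not part of the original sim). It parses the exact "access-list 100 ..." statements from the answer, evaluates them with IOS first-match semantics plus the implicit deny, and models where the list is bound, so it shows both why Fa0/1 outbound catches Core traffic while Fa0/0 inbound does not, and why only HTTP is filtered while ICMP and FTP still pass. The host addresses are the ones given in the sim; the Core-side host 198.18.196.66 is an assumed address.

```python
"""Toy model of Corp1's ACL 100: added example for this page, not Cisco code.
It parses the page's 'access-list 100 ...' statements, evaluates them with
IOS first-match semantics and the implicit deny, and models where the list is
bound. The Core-side host 198.18.196.66 is an assumed address."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERFACES = {                                           # connected networks from the sim
    "fa0/0": ipaddress.ip_network("192.168.33.0/24"),    # Hosts LAN
    "fa0/1": ipaddress.ip_network("172.22.242.16/28"),   # Server LAN
}                                                        # anything else is toward the Core

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: Tuple[int, int]        # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]        # from "eq N", else None

def _addr_spec(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at t[i]; return (spec, next i)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.ip_address(t[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))), i + 2

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' statement."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended numbered ACE: {line}")
    src, i = _addr_spec(t, 4)
    dst, i = _addr_spec(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[2], t[3], src, dst, dport)

def _addr_match(spec: Tuple[int, int], addr: str) -> bool:
    base, wild = spec           # wildcard bits set to 1 are don't-care
    return (int(ipaddress.ip_address(addr)) & ~wild) == (base & ~wild)

def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry decides; no match hits the implicit 'deny ip any any'."""
    for e in acl:
        if e.proto != "ip" and e.proto != p.proto:
            continue
        if not (_addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)):
            continue
        if e.dport is not None and p.dport != e.dport:
            continue
        return e.action
    return "deny"

def _iface_for(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in INTERFACES.items() if ip in net), "s0/0")

def forward(p: Packet, bindings: Dict[Tuple[str, str], List[Ace]]) -> str:
    """Inbound list on the ingress interface, then outbound list on the egress
    interface, as IOS does. bindings maps (interface, 'in'|'out') to an ACL."""
    for key in ((_iface_for(p.src), "in"), (_iface_for(p.dst), "out")):
        acl = bindings.get(key)
        if acl is not None and evaluate(acl, p) == "deny":
            return "deny"
    return "permit"

# The three statements from the answer, fed to the parser verbatim.
ACL_100 = [parse_ace(s) for s in (
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
)]
FINANCE, PUBLIC = "172.22.242.23", "172.22.242.17"
HOST_A, HOST_C, CORE_HOST = "192.168.33.1", "192.168.33.3", "198.18.196.66"

def check(bindings: Dict[Tuple[str, str], List[Ace]]) -> Dict[str, str]:
    """Outcome of the page's test traffic under one placement of the list."""
    return {
        "C_http_finance": forward(Packet(HOST_C, FINANCE, "tcp", 80), bindings),
        "A_http_finance": forward(Packet(HOST_A, FINANCE, "tcp", 80), bindings),
        "core_http_finance": forward(Packet(CORE_HOST, FINANCE, "tcp", 80), bindings),
        "A_ping_finance": forward(Packet(HOST_A, FINANCE, "icmp"), bindings),
        "A_ftp_finance": forward(Packet(HOST_A, FINANCE, "tcp", 21), bindings),
        "A_http_public": forward(Packet(HOST_A, PUBLIC, "tcp", 80), bindings),
    }

CORRECT = check({("fa0/1", "out"): ACL_100})    # the answer's placement
LAN_ONLY = check({("fa0/0", "in"): ACL_100})    # same list, inbound on the LAN side only

if __name__ == "__main__":
    for flow in CORRECT:
        print(f"{flow:18} fa0/1 out: {CORRECT[flow]:6}  fa0/0 in: {LAN_ONLY[flow]}")
```

Running it prints one row per test flow. With the list outbound on Fa0/1, only C_http_finance is permitted among the HTTP flows to the Finance server, while the ping and FTP flows still pass, exactly as the notice above describes. With the same list inbound on Fa0/0, the Core host's HTTP request is permitted because it never crosses Fa0/0. The same parser accepts the statements from the modifications, so you can paste Modification 2 in and confirm that "deny ip any host 172.22.242.23" blocks the ping as well.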
Congrats Juan & Kezii!!! What plan next?
Hi guys, can someone please send me the Matthew dump and Watson dump to my email syleb1987@gmail.com, please.
Hi guys, I passed today, 931/1000. I got ACL 1 and 2 and EIGRP. Read the Watson and Matthew dumps, they are absolutely valid. Good luck guys, don't worry much.
Hi guys,
I'm Ibrahim from Somalia. I passed too, alhamdulillah,
and these dumps are 100% valid:
- EIGRP
- ACL 1
- ACL 2
Good luck to all, guys.
Passed today 1000/1000.
Watson dump and EIGRP (AS 222), ACL, ACL2.
Hello guys, I took it today and passed, thanks 9tut. Watson dumps are still valid in Italy.
Huge confusion with the 3rd block of Mod 3. If I give access only to the Web server (meaning: don't use the "permit ip any any" command), then it will block access to the DNS server. But the question didn't ask me to block DNS.
I think the question is created for hesitation. :)
Any suggestions???
Hello everyone,
Can anyone please share the Matthew dump and Watson dump to my email rchoudhory@yahoo.com.
@modification 3
Please read the explanation carefully. You're just giving a nonsense argument that leads the others into confusion. Thanks, have a good day.
Passed today. Thanks 9tut. And yes, Watson dumps are still relevant.
Passed today 1000/1000.
Go for Watson dumps and 9tut, enough for the exam.
access-list 100 permit tcp 192.168.33.3 0.0.0.255 172.22.242.23 0.0.15.255 eq 80 ... I think you should use the wildcard mask to get full marks?
Hi Bryan, I think some subnets in the pkt file are wrong.
The subnet is 255.255.255.240 (network 172.22.242.16).
I have a question for KEYFE or others: which is the EIGRP SIM?
Configure EIGRP??? Or only show commands to show the configuration??
Thanks
Passed today 986/1000.
Watson dump.
ACL1, ACL2, EIGRP.
Best wishes to all.
Can you please send me the latest dumps PDF to alexander17v@hotmail.com or alexander17v@gmail.com, please.
For all Cisco passers: how many multiple-choice questions are there? Is it 50 to 65?
Passed my exam yesterday. I got ACL1, ACL2 and EIGRP LAB.
Also the 2 drag and drops – administrative distances, cable types.
Good luck to all…..
tik.kira@yahoo.com
Passed my exam today, 1000/1000: ACL, ACL2 (modification 4), EIGRP LAB with a different AS, and there is an additional network address on R1 that you should remove.
Sources: Watson, Premium, 9tut.
God bless everyone!!!
Anyone who wants the latest CCNA dumps for free, or has any doubt about any question, can contact me.
I am ready to help.
I am currently pursuing CCIE Security.
Skype ID: ajaygilly1
Facebook: ajaygrewal007@gmail.com
Hi,
I want to ask about the latest valid dump.
Also, in ACL2 Mod 4, for the third line should I use
access-list 100 permit ip any host (IP of Public Web Server) or access-list 100 permit ip any any?
Thanks in advance.
Hi Amira,
Use access-list 100 permit ip any any
Regards
Hi,
Passed my exam today, 986/1000: ACL, ACL2 (Mod 3), EIGRP lab (AS 112).
Sources: Watson, 9tut.
Thanks in advance.
My exam is on Dec 8. Is the Watson dump still valid? How many multiple-choice questions does it have?
Thanks a lot MarioGB.
This sim was in today's exam. Thanks 9tut. Passed with 931.
This was on the test today. Thanks 9tut!!!!
Kindly, could someone send the Matthew dumps to karwankabeer@yahoo.com.
Are the Watson and examtut dumps still valid?
My exam will be on 4/12/2014... if there are any new dumps, please inform me...
Today I passed with 1000/1000. I got ACL, ACL 2 (Mod 3) and EIGRP (AS 12). I wish luck to all of you
nice
http://www.learncisco.net
Hi guys, please share the Matthew dump and Watson dump to my email
prasath75@hotmail.com
I'm taking the exam on 16th Dec.
Please kindly send me the PDF format.
Hello guys!
Passed the exam 1000/1000! Got EIGRP, ACL, ACL2!
Goodluck to the others!
Hello guys, anyone with the latest dumps, please send them to me... email me at mathayochirchir@gmail.com
Hi guys, does anybody have the latest CCNA dumps...
Aurangzaibffcl@gmail.com
Use the specific route at the end of the question, not permit ip any any.
I took it today, 986.
Two new questions.
If you have any doubt about the CCNA exam,
contact me on Skype: ajaygilly1
Egaaads.
Taking my exam in 5 hours.
Failed twice already (last year and 3 years ago).
I'm going to switch career goals to "professional belly button lint remover" if I don't pass today.
Wish me luck.
Hello to all,
please send me the latest CCNA dumps
nader_uts@hotmail.com
Hi everyone... I'll sit the exam next week... Could you please send me a new dump?? I really need it... Thanks (airick.green@outlook.com)
Just passed CCNA today 1000/1000... EIGRP (AS 23)... ACL MOD 4... use access-list 100 permit ip any any... it will give you full marks... ;-)
Don’t worry about new dumps….just follow 9tut all tutorials +
Watson 314
Acme 261
GillBeast 299
Thanks 9tut..
Big up to 9tut, all the simulations were there, ACL1, ACL2 and EIGRP, and I went click click bang bang with 972...
Do I need to put access-list 100 permit ip any any
or the IP address of the public web server?...
Taking my ICND2 tomorrow! I hope the weeks of studying pay off!
Any logic to applying the ACL to the outbound interface rather than the inbound?
I thought I remembered hearing something about extended ACLs being placed closer to the source that is being affected, and standard ACLs closer to the destination.
In this example, it works either way you apply it; you just have to use the correct syntax of "in" or "out" depending on the interface.
Hi everyone, I'm going to take the exam this coming Monday. I just want the latest dumps, please send them to me at syed.fahad27@yahoo.com, if possible in PDF format. It's my humble request to all of you, because I'm a poor man and won't be able to pay the fee again. Please help me and send real and valid dumps.
Got this question in my certification test today, which I passed 931/1000.
In my case only host B could access the financial server; any other host should be denied.
All hosts from the LAN network and from the core network could access the public service.
Good luck!
@Ceasar
How would you write that form?
access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23
access-list 100 deny tcp any host 172.22.242.23
access-list 100 permit ip any any
My exam is on Monday. If the question says to create a numbered access list, should the statement start with ip access-list extended or standard, then the (number)???