CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications to the access-list have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface connected to the Server LAN, because there it can filter traffic from both the Sw-2 and Core networks. The Server LAN has been assigned addresses 172.22.242.17 – 172.22.242.30, so we can guess that the interface connected to it has the IP address 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (TCP port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box, type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct, you can access it.
Click on the other hosts (A, B and D) and check that you can’t access the Finance Web Server from them.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via web; if this server supports other traffic, like FTP, SMTP…, then other hosts can still access it.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
Permit host B to access the Finance Web Server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
Deny host B from accessing the other servers (the Server LAN only, not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
Permit everything else | access-list 100 permit ip any any
Modification 2:
Only allow host C to access the Finance Web Server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
Do not allow anyone else to communicate with the Finance Web Server in any way | access-list 100 deny ip any host 172.22.242.23
Allow all other traffic | access-list 100 permit ip any any
Modification 3:
Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here for the hosts in the Core and the hosts in the local LAN)
All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it surely has to give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
Host C should be able to use a web browser to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the Finance Web Server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the Core and on the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the command for “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using this command (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1+) to open it.
Download this sim here
Notice: After typing the commands above, if you “ping” from the other hosts (PC0, PC1, PC3), PC4 (Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server; we have to create an access-list that can filter this traffic too.
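To check the three-statement answer above and the 0.0.0.15 wildcard of Modification 1 without a router, here is an added Python model of IOS first-match ACL evaluation (example code, not part of the original post and not Packet Tracer). It assumes only the `access-list <n> permit|deny <proto> <src> [eq port] <dst> [eq port]` syntax used on this page, and the sample packets are constructed from the sim's addresses.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 0 bit must equal the base, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(t, i):
    """Parse 'any', 'host X' or 'X WILDCARD' at t[i]; return ((base, wc), next)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _port(t, i):
    """Optional 'eq N' after an address; None means any port."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """'access-list 100 permit tcp host A host B eq 80' -> dict of match fields."""
    t = line.split()                      # t[2] = action, t[3] = protocol
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def evaluate(acl, src, dst, proto, sport=None, dport=None):
    """First matching ACE wins; nothing matched means the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"]
    return "deny"
ACL_100 = [  # the answer above: only host C gets HTTP to the Finance Web Server
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]
MOD_1 = [  # Modification 1: the 0.0.0.15 wildcard covers 172.22.242.16 - .31
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
]
```

Running `evaluate(ACL_100, "192.168.33.1", "172.22.242.23", "icmp")` returns "permit", which is the ping behaviour described in the notice above.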
Based on the question above, “The task is to create and apply a numbered access-list with no more than three statements”,
should my statement start with ip access-list extended/standard and then the number??
Or does it matter, as long as my permit and deny are correct…??
Or doesn’t it matter, as long as my permit and deny statements are correct, like the example here…??
@ramon we have the same question …. coz the question here is “create and apply numbered access-list”
so if it is extended the statement should start at
ip access-list extended 101
then permit ip host 192.168.33.3 host 172.22.242.23
most of the comments here are using extended acl statements not the numbered acl
Passed….. thanks 9tut…
Eigrp lab….acl 1 acl 2 (host D to webserver)
For anyone who is writing soon… do not memorize the multiple choice questions… they flip them into different orders…
Understand the concept!!!!
That’s the best answer I can give for all…..
hi alize. for acl 2, did the question require using a numbered acl or just the extended/standard acls?
Hi Alize, I will be taking my exam in a couple of weeks. Can you please provide me the latest dumps?
@james…. it asks for extended access list…
@dolly all the dumps are on this site….. but do have them in a pdf file
Make sure to review the new questions 2…… etherchannel….
I did get q4 on my exam…
Passed today with 975/1000 ……….thanks a lot for 9tut ……Just study from 9tut…… Thanks again
plz tell me which simulation is “acl 1” (everybody is talking about it). Plz tell me, I’ve an exam in 2 days.
hi Magdy Souror, can you tell me which lab came on your exam?
@sumit…. acl 1 is the multiple choice # below access list #2…
what are the most common simulation questions in the exam?
@ Alize Can u plz send me the “url link of acl 1″.
I think that it is better to apply an Extended Access List near the origin of the packets:
Fa0/0 inbound and Se1/0 inbound
near of …
The access list is applied correctly on the outbound interface because it is supposed to stop even the traffic from the “CORE”. I hope that makes sense.
If you place the ACL on the interface that is facing the LAN, then traffic from the “CORE” will not be monitored
hi all,
I passed my exam last Dec 8, 2014. 972/1000. Sims were (ACL1, ACL2 and EIGRP). First I thank Jesus for giving me this, which I’ve been praying for for a long time. Second I thank 9tut, Jeremy of CBT Nuggets, Todd Lammle and Watson. I was so scared at first, but during the exam it was easy; it lasted only 45 min because I was triple checking my sims.
no need for dumps guys. 9tut is enough but of course you should also understand the concepts so i used todd lamle and cbt nuggets.
guys during the exam just calm down. its easy if you really did study.
good luck to you all. and i pray you also passed.
for all passers. how long did it take to receive your certificate??
Alhumdulillah, I got passed yesterday with 931 Marks. Acl1, acl 2,and eigrp lab came. And watson dumps did really work.
Anyone need info regarding exam, can contact me at Salman4th@gmail.com
I passed today with 1000/1000, EIGRP( AS 221 and 1 network missed and AS different), ACL2 (MOD 3) ACL1(9tut)…………… watson and 1 question from mathew……….. I hopped u read all in 9tut…….thanks 9tut…..
I passed my exam today one of the simulator practical question is that above access list sim 2..for more about dumps mail me over leonard.joseph96@gmail.com
Do the IP addresses change in the real exam, or will I find the same addresses, only differing by modulation?
Should I use access list # 100 or 101, or any from the range 100-199 you can use in the access-list # for acl2?
I passed yesterday with full marks. Sims were Eigrp, Acl 1 & 2. IP and hosts were different. I did spend lots of time on Acl 2, because I made too many typing errors; after I applied the ACL, I found it didn’t work. I had to go through all access-lists again, and even used “no access-list” to re-type and apply the ACL. So do pay attention to your typing during the exam. ….Don’t need any dump, just stick to 9tut, it covers all questions.
plz use access-list 100 that is right dont use anything else………………….
i passed 10/12/2014 with 1000/1000 @ sri lanka.
acl1 (9tut q) , acl2 mod 2 (from host d) eigrp lab.other all questions from 9tut .
tnks 9tut.
Can anyone explain how, in mod 1, “deny host B from accessing other servers (not the whole network)”, they got the wildcard mask?
Do the IP addresses change in the real exam, or will I find the same addresses, only differing by modulation? plz help
hey!!! yesterday i got 1000. Thanx to 9 tut, in sim. i got acl,acl 2, eigrp.
yeahh, I got 1000/1000 on 5 December, Watson dump still valid and you need to check the Matthew dump, just 2 or 3 new questions about etherchannel, thanks 9tut. sims: ACL 2 user D, EIGRP, ACL 1
I failed the exam and taking it again in 2 days. I need to save the configuration before pressing next??? if so thats why i failed :D
I cleared the exam with a score of 1000/1000 . Thnku 9tut ,this site is really amazing. All the simulations were from it ACL1, ACL2 and EIGRP. A big thanks to all those who have made this site and regularly update it to help students clear d exam. Grt job!! (Y)
In MOD 1, I don’t understand this: access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
Can anyone please explain?
I found this LAB in my exam december 4th!!
Cleared with 849/1000. Thank you so much 9tut. Thumb up!
@can anyone help
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
means denying host 192.168.33.2 from accessing all servers, because the Server LAN has the range 172.22.242.17 – 172.22.242.30, which has 172.22.242.16 as the network ID, so the wildcard mask should be 0.0.0.15
Hi, I know this is not part of actual CCNA exam but maybe some of you have experienced this. I plan to schedule an exam tomorrow 2PM, and its now 10PM and pay with my friend’s credit card. Now my questions are 1.) Can I still take an exam tomorrow if I schedule it now( the exam date is still available on pearson website) or do I need 24 hours in advance before taking the exam? 2.) Regarding my friend’s credit card, do I need to put my friend’s billing address or should I put my own house address? Sorry for the question but I have no experience with this. I also need to take the exam ASAP.
i passed 14/12/2014 with 1000/1000 @ tr.
acl1, acl2 mod 4 (from host d) eigrp lab (as 12)
new etherchannel question (DTP negotiation settings)
All Questions from Dumbs (watson, examtut)
and very special thanks to 9tut
I passed today with 986/1000.
Almost all questions from 9tut.
Thank you very much “9tut”.
Good luck to you all.
@Isra
Thanks for the explanation.
I would like to understand how you figured out the wildcard mask when they have not mentioned the subnet mask???
Correct me if I am wrong:
So the address range is from 172.22.242.16 to 172.22.242.31;
in this, 16 is the network ID and 31 is the broadcast address, which can’t be assigned…..
I passed today.
Lab in Today Exam..
Is the same Watson file also helpful in Toronto, Canada?
Why do we need to write “access-list 100 deny tcp any host 172.22.242.23 eq 80” when there is an IMPLICIT DENY at the end of each access-list??
thanks
Hi Nelson, we have to write “access-list 100 deny tcp any host 172.22.242.23 eq 80” because we need to permit only the host 192.168.33.3 to access the server 172.22.242.23 on port 80, but the rest of the traffic is permitted by the command “access-list 100 permit ip any any”. So it is necessary, even though there is an implicit deny. Without the command “access-list 100 deny tcp any host 172.22.242.23 eq 80” we would permit all the traffic.
I don’t know why I am not able to save the config on Corp1. Whenever I use the command copy running-config startup-config, “Destination filename [startup-config]?” appears. I don’t know what to do now; can anyone help me with this? What should I do?
hi can someone send me latest dump please i have an exam on monday thanks!
here is my email : alfante.alfante@gmail.com
Any latest info, i am writing my CCNA R&S tomorrow. Thanks guys.