CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN or the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location, including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications of this access-list question have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (TCP port 80):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny all other hosts access to the Finance Web Server via web:
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted:
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to the Fa0/1 interface (outbound direction):
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, it could only filter traffic from the LAN network, not from the Core.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct, you can access it.
Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from these hosts.
Finally, save the configuration:
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via web. If this server supports other traffic, like FTP, SMTP…, then the other hosts can still access it through those protocols.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
- Permit host B to access the Finance server:
  access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- Deny host B from accessing the other servers (not the whole network):
  access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
- Permit everything else:
  access-list 100 permit ip any any
Modification 2:
- Only allow host C to access the Finance server:
  access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- Do not allow anyone else to communicate with the Finance server in any way:
  access-list 100 deny ip any host 172.22.242.23
- Allow all other traffic:
  access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server:
  access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or local LAN to the Finance Web Server should be blocked:
  access-list 100 deny ip any host 172.22.242.23
  (Because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN.)
- All hosts in the Core and local LAN should be able to access the Public Web Server *:
  access-list 100 permit ip any host (IP of Public Web Server)
  (If the question asks this, it will surely give you the IP of the Public Web Server; but in the exam you should use “access-list 100 permit ip any any”.)
Modification 4:
- Host C should be able to use a web browser to access the Finance Web Server:
  access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked:
  access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the Core and on the local LAN should be able to access the Public Web Server *:
  access-list 100 permit ip any host (IP of Public Web Server)
  (The IP of the Public Web Server will surely be given in this question; but in the exam you should use “access-list 100 permit ip any any”.)
* There are some reports about the command for “All hosts in the Core and on the local LAN should be able to access the Public Web Server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command “access-list 100 permit ip any any” instead, as some reports said they got 100% when using this command (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
And in the exam they may slightly change the requirements, for example host A or host B instead of host C…, so make sure you read the requirement carefully and use the access-list correctly.)
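The matching rules behind every ACL on this page (first match wins, “host”/“any”/wildcard-mask address specs, an optional destination port and the implicit deny at the end) are easier to reason about with a small model you can run. The Python below is an added example, not 9tut’s code and not Cisco IOS: the Packet and Ace representations are my own, the sample packets are constructed from the addresses given in the question, and the direction (outbound on Fa0/1) is assumed, so every packet is one heading toward the Server LAN. It evaluates both the three-statement answer above and the wildcard-mask deny from Modification 1, and `wildcard_range` shows which addresses “172.22.242.16 0.0.0.15” covers.

```python
# Toy evaluator for Cisco-style numbered extended ACLs. Added example, not
# 9tut's code and not Cisco IOS: it models only what the sim relies on, i.e.
# first-match evaluation, wildcard masks, an optional trailing "eq <port>" and
# the implicit deny at the end of every ACL.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def ip_int(ip: str) -> int:
    """Dotted quad to a 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: Tuple[int, int]       # (address, wildcard); wildcard 1-bits are "don't care"
    dst: Tuple[int, int]
    dport: Optional[int]       # destination port from a trailing "eq N", if any


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, ALL_ONES), i + 1
    if tok[i] == "host":
        return (ip_int(tok[i + 1]), 0), i + 2
    return (ip_int(tok[i]), ip_int(tok[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <action> <proto> <src> <dst> [eq <port>]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def addr_matches(addr: str, spec: Tuple[int, int]) -> bool:
    """Wildcard-mask test: only the bits where the wildcard is 0 must agree."""
    net, wild = spec
    care = ALL_ONES & ~wild
    return (ip_int(addr) & care) == (net & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return addr_matches(pkt.src, ace.src) and addr_matches(pkt.dst, ace.dst)


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, statement number); no match hits the implicit deny (None)."""
    for idx, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


def wildcard_range(net: str, wild: str) -> Tuple[str, str]:
    """First and last address covered by 'net wild', e.g. 172.22.242.16 0.0.0.15."""
    n, w = ip_int(net), ip_int(wild)
    first = n & (ALL_ONES & ~w)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))


# The three statements from the answer above (applied outbound on Fa0/1).
MAIN_ACL = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]

# Modification 1 from the page; its deny uses a wildcard mask for the Server LAN.
MOD1_ACL = [
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
]

if __name__ == "__main__":
    # Constructed samples: host C and host A browsing to the Finance Web Server.
    for pkt in (Packet("192.168.33.3", "172.22.242.23", "tcp", 80),
                Packet("192.168.33.1", "172.22.242.23", "tcp", 80)):
        print(pkt, "->", evaluate(MAIN_ACL, pkt))
    print("172.22.242.16 0.0.0.15 covers", wildcard_range("172.22.242.16", "0.0.0.15"))
```

Two things the model makes visible that the CLI does not: an ICMP packet from host A to the Finance Web Server falls through to statement 3 of the main ACL and is permitted, which is exactly why the ping note further down says the server still answers; and without the final “permit ip any any”, any packet that matches neither of the first two statements hits the implicit deny, so hosts would lose the Public Web Server as well.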
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1 or later) to open it.
Download this sim here
Notice: After typing the commands above, if you ping from the other hosts (PC0, PC1, PC3), then PC4 (the Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server. We have to create an access-list that can filter this traffic too.
Hello, I am taking the CCNA exam on Jan. 17th. I would appreciate any of the latest dumps emailed to me at celodbd@yahoo.com if possible. I thank you in advance.
I passed the exam today with a score of 988, got EIGRP, ACL and ACL 2, I got modification 4 in the ACL. I made a mistake in the last statement, used “ip any host” instead of “ip any any”, pretty sure that was what cost me the 1000 score, please beware. All other questions came out, no new questions. Thanks 9tuters!!!
Ali/Friends,
can anyone please share with me the latest CCNA dumps? I have booked a slot on 01/19 to give my exam, but I do not have even a single dump. PDFs will be convenient since we may face issues if it's a VCE file. Anyway, whatever you have, please share it with me.
Thanks a bunch in advance.
sorry guys,
I missed providing my email id. It's nagendhira.mba@gmail.com.
thanks much.
can someone explain “access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15” from mod 1 for me please. I have my exam tomorrow
Hello
When will they change the versions? My exam is next week; is it the same?
Took the exam today and passed with a score of 945/1000. Thanks 9tut, not forgetting Tuan and Raya for their explanations.
hi guys, on 26th Dec 2014 I passed my CCNA 200-120 exam 1000/1000. Almost all questions were from the dumps which I purchased: EIGRP (23), ACL 1 multiple choice question (no need to configure anything) and ACL 2 with configuration. And I also know which questions come from the dumps.
anyone wants dumps, I have them, but at some cost, because they are the latest purchased dumps; all the questions came from them.
networkingenginer@gmail.com
03449021480
guys could you send me the latest dumps, I am writing the test on Jan 6
my mail id is “chandrasekhar9254@gmail.com”
This question came today… nailed it… whoever wants to prepare for CCNA, 9tut is the best, just go through all the stuff and make sure you understand… Thank you again friends… Have a Happy New Year
I passed the exam today with a score of 986. Watson dump is 100% valid, and 9tut: ACL1, ACL2 (Mod 3) with ip host changes & EIGRP AS 23
hey misho or anybody, help me out with the latest dumps please. PDF will be better as there is an issue going with the latest VCE player, unless you can help me out with that as well?? please send to aishakhan67@mail.com
hi, can anybody mail me the latest dumps or PDF of CCNP Routing & Switching, and also labs?
or tell me any site like 9tut. please
samadiqbal.q@hotmail.com
Hi this is Shailesh,
I am planning to write my CCNA R&S exam this Monday, i.e. 5th Jan 2015.
If anyone has written the exam recently and passed, Please forward me the dumps that you guys have referred to pass the exam, to my email.
my email id is: shailx4@gmail.com
Thank You for Helping.
THE BUG —> Command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Is it STILL present or has it been fixed?
shail, I'm gonna take it 7th Jan; once you write your test, share your experience here please.
Alhamdulillah… got 1000/1000. I had 51 questions with three sims (EIGRP, ACL1 and ACL2 (from Host B))… Thanks a lot 9tut and Watson
hey guys, 4 students passed the exam: 916/1000, 945/1000, 1000/1000, 992/1000, and my dumps are valid. anyone wants them, contact me on my email or cell phone number #03449021480. And I also have Watson dumps, 314 qs.
best of luck
hi guys, anyone have latest dumps like Watson dump? my exam is on Jan 22. PDF better, also having a problem with the VCE player. please help. my email is terencejay21@yahoo.com.
thanks in advance.
I cleared the exam yesterday with a score of 1000/1000. Most of the questions were asked from Watson dumps and the simulations were access list 1 and 2, EIGRP (no passive-interface for the ISP interface). New questions that I got were 1) SNMP v2 encryption – I chose md5
2) Etherchannel – DTP validation 3) OSPF process identifier is local. Thanks a lot 9tut.
can anyone give me the Watson dump? wiss_mun@hotmail.com
I have all valid dumps for January-March CCNA exam from VCE watson with lot of other materials. Please email me cyrus_dgreat2001@yahoo.com
same dumps for December, Watson 314 questions, in 2015 or not???
please tell us as I am having my test on Friday :)
hi everyone… I cleared the exam on 5th Jan with 100% score… ACL(1), ACL(2), EIGRP(122).. exam was simple.. so don't bother so much, just read out all questions of 9tut… thanks 9tut :) :)
Do you see any problems with the ACL:
access-list 100 permit tcp host 172.22.242.23 eq 80 host 192.168.33.3
access-list 100 deny tcp host 172.22.242.23 eq 80 192.168.33.0 0.0.0.7
access-list 100 permit ip any any
interface fastEthernet 0/1
ip access-group 100 in
ACL (modification) says permit all hosts in the Core for the Public Web Server.. this is the command one should use as the 3rd statement, “access-list 100 permit ip any any”, otherwise you lose your score
today I got the CCNA exam, host C with modification 3, different IPs, I did it, thanks 9tut and the labs
January 6, 2015
ACL1, EIGRP 221
958/1000 the score
please mail me all dumps… so that I can just clear the exam. id is: shabnumbanu2@gmail.com
hello guys, please email me the dumps so I can take exam. Or guide me to where I can find the dumps. I have test scheduled for early feb. email: chemguy90@yahoo.com
Guys please send me dumps, I have my exam in 3 days. jaikiran123@gmail.com
Thank you
Alhamdulillah!
Passed today
This dump is 100% valid (200-120.v2013-12-10.by.Watson)
1Q new
sims (ACL1 & ACL2 & Eigrp AS 212)
good luck for all :)
Passed today… with 945. 100% valid 9tut and Watson. only 5 new questions…
Best of luck to all :)
Thanks 9tut. I passed today. With EIGRP, ACL1 & ACL2 (mod 2, AS 122 on host B.)
Please email me the dumps someone at ellisbs@lineon bet, thanks
Please email me the dumps someone at ellisbs@lineon e.net, thanks
any new questions?
Hello Passers and Takers.. Is it true that the show running-config command is not working on the exam??
please can anyone send me the Dumps Version 19 at
badar_muneer@hotmail.com
Thanks
I have passed the exam with a score of 958/1000, on 7-1-15. All questions here are 100% valid, thank you 9tut!!!!
I had 3 labs, ACL, ACL2, EIGRP (area was 12); the modification in ACL is that all cannot have any access to the Finance Web Server.
Watson is valid!!!
I have passed the exam with a score of 958/1000, on 12-1-15. All questions here are 100% valid, thank you 9tut!!!!
I had 3 labs, ACL, ACL2, EIGRP (area was 12 to 212), modification 4, just with Host D.
if anyone needs the latest dumps, mail me at msnafridi@hotmail.com, I'll send you the latest dumps… again thanks 9tut..
anyone writing the 200-120 exam today, please inform me which simulation questions you got. my mail: dudipala.karthik@gmail.com.
Please send me the dumps in this email: jjj_dawood@hotmail.com
So I had a variant. Basically the exact same setup minus the DNS server. So in this sim I only had 2 servers.
1. Allow host X web access to the Finance server.
2. No other access to the Finance server should be allowed.
3. All hosts in the Core and on the local LAN should be able to access the Public Web Server.
So my question is, what is the difference between the following:
Access-list 100 Permit tcp host host eq 80
Access-list 100 Permit ip any host
Access-list 100 Deny ip any any
vs.
Access-list 100 Permit tcp host host eq 80
Access-list 100 Deny ip any host
Access-list 100 Permit ip any any
I completed this and I was able to do it with less than 3 commands. So my question is why would someone mark this as wrong if I was not able to access the Finance server from 3 hosts and able to access web and everything from Host x.
Please send me the latest dumps
Vishal.thanki6@gmail.com
I took my 200-120 and scored 986. ACL 1 and 2 and EIGRP 23. Guys, please focus on what's inside 9tut. All are here, so don't waste your time reading others.
@Charleston, do you mean EIGRP 22? I don't see any EIGRP 23 :)
Passed today… ACL1, ACL2 mod 3 & EIGRP 12. Watson, examtut and Gilbeast dumps super valid. Maximum thanks to 9tut… good luck to everyone