CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt
Corp1>enable (you may enter “cisco” as it passwords here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
Some modifications:
Modification 1:
| permit host B from accessing finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| deny host B from accessing other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| permit everything else | access-list 100 permit ip any any |
Modification 2:
| Only allow Host C to to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Not allow anyone else in any way communicate with the financial server | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
| - Host C should be able to use a web browser(HTTP)to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| - Other types of access from host C to the Finance Web Server should be blocked - All access from hosts in the Core or local LAN to the Finance Web Server should be blocked |
access-list 100 deny ip any host 172.22.242.23 (because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN) |
| - All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need new version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
Other lab-sims on this site:
In reply to
“So I had a variance. Basically the exact same set up minus the DNS server. So in this sim I only had 2 servers.
1.Allow host X web access to the Finance server.
2.No other access to the Finance should be allowed.
3.All hosts in the core and on the local LAN should be able to access the Public web server.
So my question is what is the difference between the following.
Access-list 100 Permit tcp host host eq 80
Access-list 100 Permit ip any host
Access-list 100 Deny ip any any
V.S
Access-list 100 Permit tcp host host eq 80
Access-list 100 Deny ip any host
Access-list 100 Permit ip any any
I completed this and I was able to do it with less than 3 commands. So my question is why would someone mark this as wrong if I was not able to access the Finance server from 3 hosts and able to access web and everything from Host x.”
The problem with yours is that it states that “all other traffic is permitted.” It only puts restrictions on web access. If you use the “deny ip any” then you will be blocking all other protocols from accessing the server and not just the web access.
In reply to
“The problem with yours is that it states that “all other traffic is permitted.” It only puts restrictions on web access. If you use the “deny ip any” then you will be blocking all other protocols from accessing the server and not just the web access.”
“all other traffic is permitted” would mean allowing all traffic but mine stated specifically to the web server
2.No other access to the Finance should be allowed. It did not state block web traffic, it specifically said block all traffic other than host x
3.All hosts in the core and on the local LAN should be able to access the Public web server.
Access-list 100 Permit tcp host x host finance eq 80
Access-list 100 Permit ip any host to public web server allowing all traffic through to pwbser
Access-list 100 Deny ip any any blocking all traffic other than host x to finance
If I am correct on this with 2 servers, this would allow only host x access to web or port 80 in finance. It would allow all traffic to the public web server and block all other traffic to finance. Now while I understand if there was a third server there, that would not be the case then I would use 3 acl’s statements. However isn’t the whole point of being Cisco certified to use the least amount of commands possible while doing the job?
so for 2 servers
Access-list 100 Permit tcp host x host finance eq 80
Access-list 100 Permit ip any host public web server allowing all traffic to the web server
Access-list 100 Deny ip any any blocking all traffic to finance
V.S
and 3 servers
Access-list 100 Permit tcp host x host finance eq 80
Access-list 100 Deny ip any host to finance blocking all traffic to finance
Access-list 100 Permit ip any any allowing all traffic to everything else
So with there being 2 possible answers to my specific question I am unsure why the test would have marked me wrong even though I did what it asked and the statement said use no more than 3 statements it never said use 3. So I am a little confused on why that specific lab would be like that.
Unless I am comprehending this wrong, every other variance from this site states 3 servers mine had 2. Can someone explain this one to me please?
kindly mail me latest dums of ccna
and labs please
m.naseer.aslam@gmail.com
why in modification 1 wildmask is 0.0.0.15? shouldn’t be 0.0.15.255 since the subnet of the servers in the PT is 255.255.240.0?
Hey Anonymous, in response to your question:
So I had a variance. Basically the exact same set up minus the DNS server. So in this sim I only had 2 servers.
1.Allow host X web access to the Finance server.
2.No other access to the Finance should be allowed.
3.All hosts in the core and on the local LAN should be able to access the Public web server
It really does not matter if u had 3 or 2 servers, the answer is still the same.
Answer:
1. access-list 100 permit tcp host X host Finance server
2. access-list 100 deny ip any host Finance server
3. access-list 100 permit ip any any
Note: using the implicit deny at the end of your statement is irrelevant as there is an implicit deny all statement at the end of access-lists and with ur statement, you end up denying everything countering the instruction to allow other traffic to the public server
There is an eq 80 statement added to answer 1….forgot abt that.
CHEERS!!!
Guys I cleared exam with score 986/1000 on 17th Jan 2015. All questions & labs from 9tut only.
I had ACL 2 sim with modification 3.
For that modification u ve to use “access-list 100 permit ip any any” for “All hosts in the Core and local LAN should be able to access the Public Web Server “.
If u dont use it u ll not gate 100% mark for that sim. Since i didnt use this i got 986 else it would be 1000.
Passed Exam with 1000/1000 marks.
Watson314q dumps are valid..
9tut Labs .. ACL1, ACL 2 (Mod 3) EIGRP 212 ( AS=221 in Exam)
Thanks 9tut …..
Hi Guys, i m sujath nd taking exam in the first week of Feb 2015. i didnt understand by ACL 2 (mod3) is that means ACL Simulator 2
and also didnt understand EIGRP 212 & EIGRP 22?
Please send me the latest Dumps for CCNA 200-120 Mohsin on this email:sujath987ali@gmail.com
Latest CCNA 200-120 dumps 316 Questions & Answers including all labs available.
316 question dumps are 100% valid. I already purchased that, If you need, email me
azeemsarwar1@hotmail.com
passsed CCNA exam on 19 Jan 2015 51 q in EGYPT
thanx 4 9tut
valid dumps watson314q ,mattew319q
labs acl1,acl2(mod3),Eigrp(212) with different ip
Please Please requesting the latest 200-120 dumps really need it folks please I am pleading please
jasoncarrorig@gmail.com
need the latest test dumps please. about to take the test. thanks guys
theodoremarules@gmail.com
الحمد لله
I have passed CCNA exam on 19 JAN 2015 51q in EGYPT
Dumps: Watson, Matthew
Labs: acl1 ac2 (mod 3) eigrp (12)
score 972/1000 today
ACL 1, ACL 2, EIGRP AS 212
Yesturday, I passed thk very much 9tut
on MODIFICATIONS 1 and 2. SHouldn’t be there any “eq 80″ or none because there is no WEB keyword on the questions? TIA
I will take my 803 exam on Saturday.
Hi please mail me the latest dumps, I’m currently using Cisco.Actualtests.200-120.v2013-12-09.by.Watson.314q. Thanks in advance. riaanleibbrandt@gmail.com
any one have vce 1.2 crack than send me limon.tee61@gmail.com
Can someone send me the latest dumps to
napstershannon@live.com
Thanks :)
Passed with 931
focus on 9tut
EIGRP the best
Eigrp a must
Please send me the latest dumps guntercito@hotmail.com I thank you very much.
29th, Alhamdullah. Score passed 94%
This one came on exam today :)
acl, acl-2, eigrp 212, dumps: http://ccnalearn.cf/downloads.html
please can someone send me the latest dumps to haryormhide@gmail.com
Hi all.
Passed today with 972/1000. Watson dump valid! Thanks alot 9tut!! Couldn’t have done it without you! ACL1, ACL2 (mod 3) and eigrp 122. Good luck to all planning on taking the test :)
Hi, please mail me the latest dumps. Thank you very much. marco.melo@sapo.pt
I was wandering about the stated configuration. The description of the task says “…and apply a numbered access-list …”. We don’t have numbered access lists with the config above.
guys pls i need SAT dumps, writting my exams in 2 months time passmyexams@outlook.com
Pass4sure Latest 316 Q&A CCNA 200-120 dumps in PDF available. I already purchased that, if you need email me. zain.cisco@hotmail.com
Alhumdullah. i cleared exam today 945/1000 ACL1, ACL2, (mod3) EIGRP 122 in exam AS 22 Dumps Watson, Matthew, examtut thanks to 9tut….
Im on studying my learning materials and I’m planing to take exam on week 2 of this coming February 2015.
Advice Please….
Please can someone send me Watson dumps and VCE I’m having the exam on friday
evil_lord_@hotmail.com
much appreciated <3
please i want the certification guide of ccna 200.120
my email bautistaltb@gmail.com
Please can someone send me Watson dumps i have exam next weak
I planing write CCNA 5th Feb ,please share the latest
please share latest dumps to mail id :senthilt25@gmail.com
hi everybody,
I planning to take exam in 5 feb and I study in Rolland .313q is that the latest please any reply
In ACL 2 sim, they removed the DNS server as per my exam on Feb 2nd. So no confusion!
@wael
what are the labs in the in exam?
passed the exam today. ACl1, ACL2 mod 3 and eigrp with different ip and AS 122. thanks 9tut and watson dumps. 958/1000.
passed my exam just now and I got 1000/1000. Thank you my lord and 9tut.
9tut is enough to pass the exam. one new question regarding OSPF.
OSPFV3 QUESTION – What are 2 differences when comparing OSPFV3 and OSPFV2 ?
1. OSPFv3 is advertised on per-interface basis rather than networks.
2. OSPFv3 facilitates ipv6.
ACL1, ACL2 (Mod. 3, HOST B ) and EIGRP with AS 2.
Iuki28,
Please send the Dumbs to sarathrcssym@gmail.com
Monday is my exam please help me
Iuki28,
Please send latest dumps to rashedgmail.com@gmail.com
no need for the dumps.. just stick to 9tut and you will pass the exam with flying colors
why in Modification 1:
deny host B from accessing other servers (not the whole network)
use this ip 172.22.242.16 and wiild card 0.0.0.15