CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN or the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location, including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Some modifications of this access-list sim have also been reported, so you should read the “Some modifications” section at the end of this question. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on the LAN interface (Fa0/0), we could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
- Permit host B to access the Finance Web Server: access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- Deny host B from accessing the other servers (not the whole network): access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
- Permit everything else: access-list 100 permit ip any any
Modification 2:
- Only allow host C to access the Finance Web Server: access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- Do not allow anyone else to communicate with the Finance Web Server in any way: access-list 100 deny ip any host 172.22.242.23
- Allow all other traffic: access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or local LAN to the Finance Web Server should be blocked: access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here for the hosts in the Core and the hosts in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *: access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it surely has to give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
- Host C should be able to use a web browser to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked: access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the Core and on the local LAN should be able to access the Public Web Server *: access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the command for “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even when the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1 or later) to open it.
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
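To see why the three statements behave as described (including why a ping from host A still reaches the Finance Web Server, and what the 0.0.0.15 wildcard in Modification 1 actually covers), here is an added Python model of how a numbered extended ACL is evaluated. It is example code written for this page, not 9tut's or Cisco's, and its parser only understands the statement forms that appear on this page.

```python
import ipaddress
# Added example (not 9tut's code): a minimal model of how a Cisco numbered
# extended ACL is evaluated, top to bottom, first match wins, implicit deny last.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_addr(tok, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> ((base, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (the subset used on this page)."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, src, dst, port

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet by walking the ACEs in order."""
    for line in acl_lines:
        action, p, (sb, sw), (db, dw), port = parse_ace(line)
        if p != "ip" and p != proto:          # 'ip' matches every protocol
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # the implicit deny at the end of every ACL

# The sim's answer (applied outbound on Fa0/1 toward the Server LAN).
ACL_100 = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]
# Modification 1: the wildcard 0.0.0.15 covers 172.22.242.16-31, i.e. the whole Server LAN.
MOD_1 = [
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
]
```

Calling evaluate(ACL_100, "icmp", "192.168.33.1", "172.22.242.23") returns "permit" because the first two statements only match TCP port 80, which is the ping behaviour noted above; the same ACL with the "permit ip any any" line removed denies every other packet through the implicit deny.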
There is no bug in this sim. It’s a catch. Rule N1: you should always use “permit ip any any” at the end of an ACL (if not asked otherwise). So there is no need to use other permit commands before “permit ip any any”.
Hello, passed this morning with 900/1000 WITH EIGRP + ACL 2 (version 1) thanks 9tut
See this video:
https://www.youtube.com/watch?v=UuCLqhthVcg
https://www.youtube.com/watch?v=Yuc1di7lihs
Passed CCNA Today with SCORE = 1000/1000
Thanks to 9tut
Labs ACL 1 ACL 2 mod 3 EIGRP Sim AS 221
All Questions from Watson 325Q Dump which is enough to pass the exam.
I passed today with 1000/1000 and for ACL2 Mod 3 or 4 I used permit ip any any in 3rd statement.
I passed today with 31/03 986/1000 in London – still valid. The questions 90% from 9tut and some you can find in the other VCE file on the internet. ACL, ACL2 and EIGRP but with different names and IPs for the hosts and others. You can easily pass if you study a few times this questions from 9tut plus a little from books(very important to know about ospf, eigrp, vlans and others). I can help with any tips if somebody wants.
michael.pat86@ymail.com
Thanks 9tut and thanks God!!!
ACL2(Mode3)&ACL1,EIGRP today~ pass~ thank you~
Hi every one I passed today 1-4-2015 in 7:00 AM (GMT) and I am happy thanks 9tut
today EIGRP + ACL 1+2
Passed today…1000/1000.
All questions were from 9tut.
Sim : Acl 1 & 2 , Eigrp
I read only 9tut…Both questions as well as concepts.
Thanks lot 9tut.
So much Thanks to 9tut
1.04.15 Passed whith SCORE = 1000/1000. Sim : Acl 1 & 2 (mod 4) , Eigrp
please confirmed ACL2 mode 4 command
please explain acl2 mode or mode 4 difference
Can (?) question mark works on online ccna exam?
Guys please answer
please explin command acl2 mode 4
@Swapnil…Yes, (?) works in exam.
It worked for one of my friends. I didn’t try it in the exam.
But it might depend on the version of simulator the exam center is using.
https://www.facebook.com/redhat7bdgroup
I have solved ACL2 Lab with modification here.
Passed the exam yesterday 970/1000 labs were access list 2 with modification 3 ,access list 1 and Eigrp
903/1000 marks today. ACL 1&2, EIGRP SIMs on exam. Cheers
can someone tell me if the names of the router are the same for ACL2 and EIGRP like here?
On the EIGRP sim, is the network command applied on a class C?
Passed CCNA today with 1000/1000… Thanks a lot 9tut. You guys Rock.
SIM:- ACL2 (modification 3 but router A), ACL and eigrp [router ip and names changed so be careful ]
47 question from 9tut. So 9tut is enough, i would say to crack the CCNA exam.
My advice:- Practice the SIMs using Packet Tracer, and don’t forget to use the “copy run start” command. See you on the other side.
@9tut- Thank you for providing the appropriate dumps and info for cracking the exam with a good score.
I came across similarities between the Watson and 9tut dumps. If you have very little time for the exam, rely only on 9tut for gaining knowledge and dumps to pass; that’s enough.
“Be tension-free if using 9tut”.
@vinu, Congrats. Did you use the “ip any any” command on the interface, or did you use the IP of the server?
@Ani did you use the “ip any any” command in the access-list?
hi guys
what is the mistake if use this configuration?
access-list 120 permit ip host 192.168.33.3 host 172.22.242.23
access-list 120 deny ip any host 172.22.242.23
access-list 120 permit ip any any
All dumps are valid. I only referred to 9tut.com. Passed today.
@fikky— nope, I didn’t get the “ip any any” command; they had given the IP address of the Public Web Server to access.
@vinu
then, are you get perfect score?
better to practise all modifications,,,i scored 972,,,,,,,,,,thanks a lot to 9tut
Ahmed 99
hi guys
what is the mistake if use this configuration?
access-list 120 permit ip host 192.168.33.3 host 172.22.242.23
access-list 120 deny ip any host 172.22.242.23
access-list 120 permit ip any any
With this script, in the first line you are giving Host C access to everything on the financial server (all access on the server, e.g. http), in the 2nd line you are denying everyone access to the financial server (all access denied on the server, e.g. http), and in the 3rd line you are giving everyone access to everything (all access besides the financial server).
This ACL works in stages 1..2..3..
Also I would start with 100 instead of 120 because that is the beginning of the extended list range, and I suggest going back to ACLs on 9tut to get a better understanding.
But nothing is really wrong here.
hi guys just want to ask clarification what is the difference between declaring permit tcp and permit ip?
Passed today…1000/1000.
All questions coming from 9tut.
Sim : Acl 1 & 2 , Eigrp 12
new question on Etherchannel
thanks 9tut the best!!!!!!!!
Need help! I’m having trouble in understanding and how to perform modification 3 and 4 in acl sim 2 :-(
Hello, is there any frame relay multiple choice questions in the exam?
@alex do you remember the new question on Etherchannel?
nick, it was like parameter can be different on ports for etherchannel/DTP is the answer
Thank You 9tut, i passed my exams yesterday 9th of April 2015, The Objectives are really so simple
Only 2 Drag and Drop questions came out.. One subnetting question and 2 VLSM qustns.
The sims were ACL1, ACL2 with MOD 4, EIGRP 212..
For the ACL2, below was my config
access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any host 172.22.242.17
For those that want to write the CCNA, pls, just save all the questions on 9tut and study them, All the questions are from here, NO NEED for ANY DUMPS, i repeat NO NEED FOR ANY DUMPS
@A.y why you not use command “access-list 100 permit ip any any ” ?
Please could someone explain to me how, in modification 1, where host B should be denied from accessing other servers (not the whole network), we get that command? I am wondering where the address 172.22.242.16 with wildcard mask 0.0.0.15 came from.
@ neel, I guess even if you use “access-list 100 permit ip any any” you will still be correct, i scored 1000/1000 so i guess both commands will work perfectly.
Thanks
Hey everyone…I just passed my CCNA composite exam two days ago. I was scared as hell but once I sat for the exam, everything started to become smooth as water. I was really amazed to see that the questions were exactly the same as 9tut. Even the options are the same. Not only did I PASS, I GOT 1000/1000. Credit goes to 9tut. Without you guys, it would have been impossible. So those of you who want to sit for the exam, just do these 3 things to prepare.
1) Finish all the questions available in 9tut. (Don’t just do them, understand them and do them)
2) Finish some latest dumps such as Watson
3) Try to practice all types of lab but certainly practice and learn ACL1, ACL2 and EIGRP.
If these 3 things are done properly, be sure that you will get 1000/1000. (email me only if you really need more help) Thank you.
passed today.
All qns were from Watson,9 tuts.
Acl2, acl, eigrp sim were inside.
Thanks for this webpage which covers all
love you admin
passed 1000/1000
11/4/2015
watson 314 & 9tut
labs acl1 + acl2 + EIGRP 23
Watson still valid. 100%
I am planning to do my CCNA certification in June. I read here different posts about ACL1 and ACL2. Where can I find these? Also I see lots of labs here about EIGRP and OSPF and so on. Do you guys study all these??
I really appreciate your help. I am in toronto… here is my email if anyone is kind enough to help guiding me here.
torontoman66@gmail.com
@A.Y Thank you for your input man! We appreciate it, but I have one question…
to apply the access-list 100 will it be this command on fa0/1?
(config-if)#ip access-group 100 out
To Cyrus: I too had the same doubt. In the question it said to block all the servers but not the entire network. The server addresses are in the range 172.22.242.17 – 172.22.242.30. So for the network 172.22.242.16 the min and max hosts fall within that range.
172.22.242.16/28
Address: 172.22.242.16 10101100.00010110.11110010.0001 0000
Netmask: 255.255.255.240 = 28 11111111.11111111.11111111.1111 0000
Wildcard: 0.0.0.15 00000000.00000000.00000000.0000 1111
=>
Network: 172.22.242.16/28 10101100.00010110.11110010.0001 0000 (Class B)
Broadcast: 172.22.242.31 10101100.00010110.11110010.0001 1111
HostMin: 172.22.242.17 10101100.00010110.11110010.0001 0001
HostMax: 172.22.242.30 10101100.00010110.11110010.0001 1110
Hosts/Net: 14 (Private Internet)
Hi Where can I get watson , much appreciated.
Thanks
Sam