CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt
Corp1>enable (you may enter “cisco” as the password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via the web (TCP port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we applied the access list inbound on the LAN-facing interface, we could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Some modifications:
Modification 1:
Permit host B to access the Finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
Deny host B access to the other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
Permit everything else | access-list 100 permit ip any any |
Modification 2:
Only allow host C to access the Finance server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
Do not allow anyone else to communicate with the Finance server in any way | access-list 100 deny ip any host 172.22.242.23 |
Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
- Other types of access from host C to the Finance Web Server should be blocked; all access from hosts in the Core or the local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (the requirement says we cannot use more than 3 statements, so we have to use “any” here to cover the hosts in the Core and the hosts in the local LAN) |
- All hosts in the Core and the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it surely has to give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
Host C should be able to use a web browser to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
Other types of access from host C to the Finance Web Server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
All hosts in the Core and on the local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the command for “All hosts in the Core and on the local LAN should be able to access the Public Web Server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
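To make the first-match behaviour of the access-list above (and of Modifications 1 and 2) concrete, here is a small Python model. It is added example code, not part of 9tut's sim or of Cisco IOS: it parses the exact `access-list 100` lines from this page, evaluates constructed packets against them with IOS wildcard-mask semantics and the implicit deny at the end of every ACL, and shows what changes when the deny is placed before the permit or when the final `permit ip any any` is left out. The `Packet` class, the helper names and the sample packets are assumptions made for the example; the addresses are the ones given in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of IOS extended-ACL first-match evaluation (added example,
# not code from 9tut's sim or from Cisco IOS). Only the syntax used on this page
# is parsed: "access-list N permit|deny ip|tcp|udp|icmp <src> <dst> [eq PORT]",
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port; None for ICMP

AddrSpec = Tuple[str, str]        # (base address, wildcard mask)
Entry = Tuple[str, str, AddrSpec, AddrSpec, Optional[int]]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) & 0xFFFFFFFF == 0

def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(lines: List[str]) -> List[Entry]:
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Return 'permit' or 'deny': first matching entry wins, then implicit deny."""
    for action, proto, (sb, sw), (db, dw), port in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw)):
            continue
        if port is not None and pkt.dport != port:
            continue
        return action
    return "deny"   # every IOS ACL ends with an invisible "deny ip any any"

# ACL 100 exactly as built in the answer (applied outbound on Fa0/1).
ACL_SIM = parse_acl([
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
])
# Modification 2: block all IP traffic to the Finance server except from host C.
ACL_MOD2 = parse_acl([
    "access-list 100 permit ip host 192.168.33.3 host 172.22.242.23",
    "access-list 100 deny ip any host 172.22.242.23",
    "access-list 100 permit ip any any",
])
# Modification 1: host B reaches the Finance server but no other server in 172.22.242.16/28.
ACL_MOD1 = parse_acl([
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
])

HOST_A, HOST_B, HOST_C = "192.168.33.1", "192.168.33.2", "192.168.33.3"
CORE, FINANCE, PUBLIC = "198.18.196.65", "172.22.242.23", "172.22.242.17"

def sim_results() -> dict:
    """Constructed packets run through ACL_SIM; each key names one flow."""
    return {
        "C_http_finance": evaluate(ACL_SIM, Packet("tcp", HOST_C, FINANCE, 80)),
        "A_http_finance": evaluate(ACL_SIM, Packet("tcp", HOST_A, FINANCE, 80)),
        "core_http_finance": evaluate(ACL_SIM, Packet("tcp", CORE, FINANCE, 80)),
        "A_ping_finance": evaluate(ACL_SIM, Packet("icmp", HOST_A, FINANCE)),
        "A_ftp_finance": evaluate(ACL_SIM, Packet("tcp", HOST_A, FINANCE, 21)),
        "A_http_public": evaluate(ACL_SIM, Packet("tcp", HOST_A, PUBLIC, 80)),
    }

def misordered_sim() -> str:
    """Same three statements with the deny placed first: host C loses its access."""
    swapped = [ACL_SIM[1], ACL_SIM[0], ACL_SIM[2]]
    return evaluate(swapped, Packet("tcp", HOST_C, FINANCE, 80))

def missing_final_permit() -> str:
    """Without 'permit ip any any' the implicit deny drops everything else."""
    return evaluate(ACL_SIM[:2], Packet("icmp", HOST_A, FINANCE))

if __name__ == "__main__":
    for name, verdict in sim_results().items():
        print(f"{name:20s} {verdict}")
    print("deny-before-permit:", misordered_sim())
    print("no final permit   :", missing_final_permit())
```

Running it shows the behaviour the answer describes: only host C's HTTP reaches the Finance server, HTTP from A and from the Core is dropped, but ping and FTP from A still pass because ACL 100 only matches TCP port 80. The `wildcard_match` helper also answers the wildcard question raised in the comments: `172.22.242.16 0.0.0.15` covers `172.22.242.16` through `.31`, which is the whole Server LAN block, and nothing outside it.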
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer to open it (v5.1 or later).
Download this sim here
Notice: After typing the commands above, if you “ping” from the other hosts (PC0, PC1, PC3), then PC4 (the Finance Web Server) can still reply because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
Please send me a link or installer to VCE player 1.3.0 or higher and crack. send to rmr_101429@yahoo.com. Thanks in advance.
hello could someone explain this to me ACL2 – Modification 3
3rd Statement
“access-list 100 permit ip any host
(If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any””
hello
in a week I have to do the exam.
I have 2 questions about this lab:
1- if you enter a statement in the ACL by mistake, people told me that the “no access-list 100 …” command does not work; how can you fix it?
2- has someone done the test with modification 3 and 4 with “access-list 100 permit ip any host (IP of Public Web Server)”? I also think this is the best solution.
Thanks and regards
tomorrow am going to take exam
hey guys.. the solution for these labs is online so why don't you check it and make sure you master it before you do the exam?
hello
i need a ccna voucher; if anyone can help me then contact me on my email add rizwanx@hotmail.com..
please send the last Watson dump file to wasim1112@yahoo.com, I have the exam in 5 days
I’m going to take the exam in 15 days. Any suggestion?. Do they change all questions sometime? or they are only adding some new ones from time to time?
Many thanks in advance.
I took the exam last April 23, 2015. Watson dump and access list 1 and 2 and eigrp here in 9tut. I had the modification 3 on this access list, use “access-list 100 permit ip any any” since it is still a bug in the exam. the IP of public web server is the correct one but for the exam, use “any” instead to avoid getting deducted. All the best for you guys as well.
Thanks a lot Dadap
Hi, again
Thanks Dadap for your answer about ACL!!
anyone knows…..?
if you enter a statement in the ACL by mistake, people told me that the “no access-list 100 …” command does not work; how can you fix it?
regards!!!!
based on my exam, it just asked to put in any AS number and set this on my access-list and guys, don’t forget to put copy running-config startup-config at the end or else you’ll have large deductions.
hey guys… what is AS????
GUYS one more question please…
When you apply the modifications.. I see the solution above.. My question is .. do you apply it on Fa0/1 ?
hey john
AS means Autonomous System number. it is used in eigrp
its range is 1 – 65535
we should apply interface before copy run start?? otherwise it will not work?
passed my exam today 945/1000, ACL 2 mod 3
Hi, I will take the exam in 15 days, in May. I can see that most of people who did the exam in May got Labs about ACLs and EIGRP.
Does anyone know how often Labs & questions change?
Many thanks
sorry, I wanted to mean people who did the exam in April
i had a problem when i had to configure, i got a blank sheet ready to type
corp1>enable
Password:
so when i tried to type the password, i got a message saying “press reload to start” and i couldn’t find it and it didn’t allow me to type anything…..
how do i reload to start? i’ll be taking my exam this friday please help
Hi All
I have a question
“access-list 1 permit 192.168.100.16 0.0.0.15”
can anyone explain this coding.. how do they get “192.168.100.16”?????
Steve,
“access-list 1 permit 192.168.100.16 0.0.0.15”
can anyone explain this coding.. how do they get “192.168.100.16”?????
are you referring to the “172.22.242.16 0.0.0.15”? — the 172.22.242.16 is the network IP address for the hosts ranging 172.22.242.17 – 172.22.242.30, and the 0.0.0.15 is from the block of 16-1 to have the wildcard mask.
hello everyone.. I have one question I noticed that ACL lab is multiple choice.. so in the exam will be like this too? same thing for troubleshooting EIGRP
Please guys clear this as my exam in on May6th…
Hello,can anyone send me the latest dump plz ? fsl_metal@yahoo.com.Regards
Reasking the question :-)
Hi, I will take the exam in 14 days, in May. I can see that most of people who did the exam in April got Labs about ACLs and EIGRP.
Does anyone know how often Labs & questions change?
Many thanks
Mr mike sir i need a little help here
last month i wrote ccna exam 100-120 lol i failed with 780,i guess i managed to answer all those questions except for the simulators.
i had a problem where i was told to press “reload to start” that’s where i should have configured.and i tried to get it therefore i couldn’t.
am planning on writing probably next week Wednesday. am afraid that the same incidence might occur again
if u get this please help how to get the reload
here is my email: khutsomashamaite@gmail.com
one of my friend wrote
and he used access-list “120” permit…
this is where the destruction occurred
I have passed today 972/1000 thanks 9tut.
EIGRP 221 ACL 1 ACL2 MOD 3
Can we use named access list in the real exam?
Well it depends Raju because in the exam it will indicate if it’s going to be a number or what to use, most of the time it’s number
Anyone took the exam on Friday 01st May? if so, can you please add your comments about questions and Labs?
Many thanks
Hello everybody,
Elhamdulillah (All praise is due to Allah), Allah’a şükürler olsun (Thanks to Allah) I passed the CCNA exam on 22/April/2015. I want to provide some advice for the exam. First of all, WATSON, EXAMTUT, 9tut questions are correct. These dumps are valid.
1- There were a total of 51 questions. {2 simulations (EIGRP, ACL2 Modification 1), 1 simlet (CCNA Access List Sim - ACL1), there was no drag and drop}
2- There are some small changes in questions. For example, place of answers are different. IP address can be different in simulation questions. AS numbers can be different. Pay attention to them.
3- There was a new question about Etherchannel.
Please forgive me for my bad English. I wish you success.
and
Thank you very much 9tut.
@poyraz please share new question in your exam ?
Hi everybody,
Al Hamdoo lilah, I got my certification on 30/04/2015, with a good study of 9tut questions and labs the exam become easy.
Also, the Labs I had are :
EIGRP 112
ACL 1
ACL 2
Thanks 9tut for your wonderful web site and hope everybody succeeds :)
Hello, can anyone send me the latest dump plz ? alanziahmed33@gmail.com
Hello guys who spent the CCNA 200-120 recently and can tell me what the laboratory has found in the exam?
Thanks
Sorry for my bad English
I passed today and my score is 986/1000. All the question and simulation from ninetut.
Azharul Islam ,…..
congrats… can u please tell me about the labs and simulations u had?
were they actual packet tracer?
Hello guys.. I want to book the CCNA exam. On CISCO site i found two CCNA EXAMS..
Exam:
200-120: CCNA Cisco Certified Network Associate (803)
Exam:
200-120PT: CCNA Test Bundle + MeasureUp Practice Test (includes 200-120 exam and practice test)
Which one you guys choose when you did you exam???
Please help …
@Mourad
can you tell me where are the
EIGRP 112
ACL 1
ACL 2
On 9tut thanks
@poyraz
Where are : 2 simulations(EIGRP, ACL2 Modification1), 1 simlet (CCNA Access List Sim- ACL1)
on 9tut because i had already passed the ccna 5 year ago and i had failed due to SIM LAB !
??
I have got three simulation and there is listed below:
1. ACL MOD 2
2. ACL MOD 1
3. EIGRP 221(same as ninetut sim)
simulation environment same as packet tracer.
guys I am confused, are we using 100 permit or 120 permit
as much as i can see many of you seem like you are using 100 and my friend wrote today and he says he used 120 and it denied hosts A, B and D from accessing the finance web
another thing, how do we “press reload to start” troubleshooting? i came across this kind of thing; anyone please help a fellow brother out, I am writing this Friday…
here is my email address: khutsomashamaite@gmail.com or bonganicylester@yahoo.com
I just did my exam and finished it.. 1000/1000 if you need any help email me
how could we solve the problem of ” Reload and Start ” ?
how could we solve the problem of ” Reload and Start ” in the lab