CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt
Corp1>enable (you may enter “cisco” as it passwords here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
Some modifications:
Modification 1:
| permit host B from accessing finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| deny host B from accessing other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| permit everything else | access-list 100 permit ip any any |
Modification 2:
| Only allow Host C to to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Not allow anyone else in any way communicate with the financial server | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
| - Host C should be able to use a web browser(HTTP)to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| - Other types of access from host C to the Finance Web Server should be blocked - All access from hosts in the Core or local LAN to the Finance Web Server should be blocked |
access-list 100 deny ip any host 172.22.242.23 (because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN) |
| - All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need new version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
Other lab-sims on this site:
@ everybody
Any or Host x.x.x.x in the real exam ?
access-list 100 permit ip any host
(If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any”
Hi everybody,
I got my certification on 04/05/2015, with a good study of 9tut questions and labs , the exam become easy.
Also, the Labs I had are :
EIGRP 12
ACL 1
ACL 2 mod 3
The other questions are as well from 9tut , only 2 or 3 question different .
Thanks 9tut and good luck .
can someone pls send me a ccna dumps on arungsaini@hotmail.com
Hello,
I would like to know if it is also possible to write the access-list 100 with another syntax:
ip access-list extended 110
permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
deny tcp any host 172.22.242.23 eq 80
permit ip any any
– >that’s the same thing?
thanks
Alhamdulillah!!!
Yesterday passd the CCNA exam.. 1000/1000
* ACL1- same questions and ip address.
*ACL 2 (modification 3) – same question and same diagram bt diffrents ip address.
* Eigrp – same question and same diagram. Bt AS number was changed.(122)
Thanks 9tut!!! :)
All the best guys!!!
tats encouraging guy tnks alot am 2 tk the exam on the 10th
Praise the almighty OVERLORD!!!!
Passed May 9th
LABS: ACL Simlet, ACL(MOD 1, Host D instead of B), EIGRP AS 112
3 Drag n Drops
what about ip numbers they are asking same ip or different one
can any one help me for modification 1——————
“deny host B from accessing other servers (not the whole network) access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15″……………… i cont understand this…………..
plz help me how to find this
can any one help me for modification 1——————
“deny host B from accessing other servers (not the whole network) access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15″……………… i cont understand this…………..
plz help me how to find this
Anna please reply / 0r any one else 100% surity
I have to go for exam on Saturday !!
In mod 3 statement :
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
we like to use
deny ip any host web server ip
but the second line of statement says only block all access from host and local LAN at Finance WEB server but access-list command will deny all services for core host and LAN
How it can be correct ??
today was modification 3. but was host b should be able to use a web browser to access the financial web server.Other types of access from host b to the finance web server should be blocked, and All access from hosts in the Core or local LAN to the Finance Web Server should be blocked. i
i got 1000/1000.
i have finished the exam today.
i got ACL 2 mod 3, but was host B should be able to use a web browser..
Thanx 9tut
In MOD3 and MOD4 use “access-list 100 permit ip any any”.. the bug in the sim still exists..
Access list 2 Packet Tracer sim is not working. it says that its not a valid packet tracer file. Someone please help..
Hey anna have u used access-list “100″?
Hey All,
I cleared my exam today !
got 2 labs EIGRP and ACL.
All the questions were from here. Good luck for your exam. Thank 9tut
Cheers,
Vishal
No routing was configured for this Access List Sim 2 Lab during the exam, so I could not check the connection (ping, web).
The commands Corp1(config)#router eigrp 200, Corp1(config)#router ospf 1, etc were not allowed.
Btw I passed the exam..
Thanks 9tut !!
This had came!..Thanx to 9tut!!…I passed with 958..
r233
\
Should be I able to use “TAB” and “?” mark during the exam?
I am no getting the o/p in cisco packet tracer though i use commands from 9tut.Can anyone please tell whats going wrong.
For mod 3, how about using:
access-list 100 permit tcp any host ip_addr eq 80
Passed my exam today. thanks alot 9tut…………….
hi guys, i passed on 14 may with 1000. thanks 9tut.
this question was there with modification 3, eigrp 222 and acl 1
Hey all got 986/1000.wrote my exam 21st may Thanks a lot 9tut and Watson. I got acl2 mod-3 eigrp 212. All the best for all.
there is one site called onecisco.net…but the ques are too hard..can anybody tell me whether that type of ques pop up in exam…
Latest dumps ps amanarora7777@gmail.com
In mod3, If I write ACL with these command:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip 192.168.33.0 0.0.0.255 host 172.22.242.23
access-list 100 permit ip any any
Will it be alright ? or am wrong ? please help
Thanks
In Modification 1 “deny host B from accessing other servers (not the whole network)
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15″…
This is to deny the host B which has IP Address of 192.168.33.2 (Source or single host) to access IP (Internet Protocol) to 172.22.242.16 0.0.0.15(Destination Network). It means that if a different source host IP with same network with the source it will be able to access the 172.22.242.16 0.0.0.15.
Host B has been deny the LAN Server network wit the following command
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 OR
access-list 100 deny host 192.168.33.2 0.0.0.0 172.22.242.16 0.0.0.16
Yoooh the exam was so “easy an simple”
ACL 1&2 EIGRP 112 Mod 3
All questions ah in here on 9tut 4 those who ah buzy asking 4 dumps
Tips:
1. Don’t go writting whilst u aint ready
2. Study all those questions here on 9tut n the book also
3. Don’t crame pass n 4gt. learn,understand accumulate more infor
4. Please make no mistake learn 2 understand the simulators don’t b fooled n arrogant, when u dnt understand ask oh else u’l fail “wa swaba”
Good luck am a qualified CCNA advocate lol thnks 2 9tut gud9t fellers
This came up in the exam last May 23, Under Modification 3…
Thanks 9tut!! I passed today 945 points, 95% questions from 9tut.
Help.
hey guys in mod 1 above I was wondering where this part came from 172.22.242.16 0.0.0.15.
Thank you
Anon i have the same question please somebody , i’m clear with the 0.0.0.15 (that is the wildcard mask ) but i’m totally off with the 172.22.242.16 , so please somebody help me to clarify this question :)
Thank you
Sithum,
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30 So the severs Network Address is 172.22.242.16 and the broadcast 172.22.242.31
the entire network 172.22.242.16/24 which is 172.22.242.16 255.255.255.240 that it has 256 – 240 = 16 increment 172.22.242.0 -172.22.242.15
this one is the server network172.22.242.16- 172.22.242.31 So the Network address is 172.22.242.16
anon,
Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The network Address is not assignable which is 172.22.242.16 255.255.255.240
(255.255.255.255 – 255.255.255.240 = 0. 0. 0. 15)
@Hiwot
Thanks bro really appreciate your help bro :)
Thanks again
Hi all, just wondering why the configuration on modification 3 is correct. I use the same configuration but when I try to test it using ping and web browser, it doesn’t meet the requirements. Please help. Thanks
LATEST DUMPS PASS4SURE.
in both PDF and VCE. get here
ccna-2015.blogs*p*o*t*.*c*o*m
thank you 9tut i passed with 931 points EIGRP ACL1 ACL2 EIGRP 12.thumbs up to 9tut
Hi,
Why cant we just permanently ban spammers like RJay.
Hi everybody,
I got my certification on 28/05/2015, with a good study of 9tut questions and labs , the exam become easy.
Also, the Labs I had are :
EIGRP 12 AS ,ACL 1,ACL 2 web access
if anyone want dumpd jst mail me jawadkhan1001@gmail.com
Thanks 9tut and good luck .
Hi,
Passed today with 986, all questions here on 9tut. The labs I took:
EIGRP, ACL and ACL2 MOD4 (with host B instead of Host C)
Thanks 9tut.
guys i need some help!
for acl 1 simulation ( acl 1 simlet), shall i have to do the modification in the router or just select the right answer, or both??
could anyone tell me please!! thank you so much
I got passed CCNA today with 1000/1000, there are 51 questions 2 drag questions and laps are acl1 &2 mod 3 and eigrp 112,, Thanks 9tuts…
@anantheesan congrats!!!
could you tell me if in the acl1 questions i have to do something else like the modifications in the router or just answer the given questions??
thank you..
Wrote CCNA today.passed with 958/1000.thanks 9ut…Lab sims eigrp AS 212 acl1 acl mod 2
I was tensed tho…
@Tiana, @ Anantheesan any evaluation sim came????
I got a question, deny tcp any host server eq 80 <= that's mean is only http:
how about https:??? https still can access web server