CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications to this access-list sim have also been reported, so you should read the “Some modifications” section at the end of this question. You can also download this sim to practice (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (enter “cisco” when prompted for the password)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN. This is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that it can filter traffic coming from both the LAN and the Core networks. If we apply the access-list inbound on Fa0/0, it can only filter traffic from the LAN network; Core traffic never enters through that interface.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct, you can access it.
Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing the Finance Web Server via the web; if this server offers other services, such as FTP or SMTP, then other hosts can still reach those.)
Notice: In the real exam, you might be asked to allow a different host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
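To see the three statements and the outbound placement behave as described, here is an added example in Python (it is not part of the 9tut page or of the sim itself). It parses the ACL lines above into a first-match evaluator with the implicit deny that ends every IOS access list, models Corp1 with assumed interface names (Fa0/0 to the hosts LAN, Fa0/1 to the Server LAN, S0/0/0 to the Core; only the addresses come from the question) and runs constructed sample flows through it with the ACL applied outbound on Fa0/1 and, for comparison, inbound on Fa0/0.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the Corp1 router (interface names are assumptions;
# the addresses are the ones given in the question):
#   Fa0/0  -> Hosts LAN 192.168.33.0/24 (hosts A-D)
#   Fa0/1  -> Server LAN 172.22.242.16/28 (Finance .23, Public .17)
#   S0/0/0 -> Core link, far end 198.18.196.65
CONNECTED = {
    "Fa0/0": ipaddress.ip_network("192.168.33.0/24"),
    "Fa0/1": ipaddress.ip_network("172.22.242.16/28"),
}

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches everything; otherwise "tcp"/"udp"/"icmp"
    src: tuple                   # (network, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int] = None  # destination port from "eq <port>"; None = any port

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    ingress: str                 # interface the packet arrives on

def _addr_spec(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]' (the subset used here)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported line: " + line)
    src, rest = _addr_spec(t[4:])
    dst, rest = _addr_spec(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = 80 if rest[1] == "www" else int(rest[1])
    return Ace(t[2], t[3], src, dst, dport)

def wildcard_match(addr, spec):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wild) == 0

def evaluate(acl, pkt):
    """First match wins; a packet that matches no entry hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"

def egress_interface(dst):
    """Toy routing table: connected networks, everything else goes out the Core link."""
    for name, net in CONNECTED.items():
        if ipaddress.ip_address(dst) in net:
            return name
    return "S0/0/0"

def forward(pkt, acl, applied_on, direction):
    """Verdict for a packet crossing Corp1 with 'ip access-group' on one interface.
    An inbound ACL only sees packets arriving on that interface; an outbound ACL
    only sees packets leaving through it. Packets the ACL never sees are forwarded."""
    checked = (direction == "in" and pkt.ingress == applied_on) or \
              (direction == "out" and egress_interface(pkt.dst) == applied_on)
    return evaluate(acl, pkt) if checked else "permit"

# The three statements from the answer above.
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
)]

# Constructed sample traffic, labelled by flow.
FINANCE, PUBLIC, CORE = "172.22.242.23", "172.22.242.17", "198.18.196.65"
TRAFFIC = {
    "hostC_http_finance": Packet("192.168.33.3", FINANCE, "tcp", 80, "Fa0/0"),
    "hostA_http_finance": Packet("192.168.33.1", FINANCE, "tcp", 80, "Fa0/0"),
    "core_http_finance":  Packet(CORE, FINANCE, "tcp", 80, "S0/0/0"),
    "hostA_ftp_finance":  Packet("192.168.33.1", FINANCE, "tcp", 21, "Fa0/0"),
    "hostA_ping_finance": Packet("192.168.33.1", FINANCE, "icmp", None, "Fa0/0"),
    "hostA_http_public":  Packet("192.168.33.1", PUBLIC, "tcp", 80, "Fa0/0"),
}

def results(acl=ACL_100, applied_on="Fa0/1", direction="out"):
    """Map each sample flow to permit/deny for a given ACL placement."""
    return {label: forward(pkt, acl, applied_on, direction) for label, pkt in TRAFFIC.items()}

if __name__ == "__main__":
    for placement in (("Fa0/1", "out"), ("Fa0/0", "in")):
        print(placement, results(ACL_100, *placement))
```

Running it shows the Core host reaching the Finance Web Server on port 80 when the ACL is inbound on Fa0/0 (that interface never sees Core traffic), while FTP and ICMP to the server pass in either placement, which is the caveat stated in the parentheses above. Evaluating only the first two statements, results(ACL_100[:2]), sends every other flow, including LAN traffic to the Public Web Server, to the implicit deny.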
Some modifications:
Modification 1:
- Permit host B from accessing the Finance server: access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- Deny host B from accessing other servers (not the whole network): access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
- Permit everything else: access-list 100 permit ip any any
Modification 2:
- Only allow host C to access the Finance server: access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- Do not allow anyone else to communicate with the Finance server in any way: access-list 100 deny ip any host 172.22.242.23
- Allow all other traffic: access-list 100 permit ip any any
Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or local LAN to the Finance Web Server should be blocked: access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover both the hosts in the Core and the hosts in the local LAN)
- All hosts in the Core and local LAN should be able to access the Public Web Server *: access-list 100 permit ip any host (IP of Public Web Server) (if the question asks this, it will surely give you the IP of the Public Web Server), but in the exam you should use “access-list 100 permit ip any any”
Modification 4:
- Host C should be able to use a web browser to access the Finance web server: access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance web server should be blocked: access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the Core and on the local LAN should be able to access the Public web server *: access-list 100 permit ip any host (IP of Public Web Server) (the IP of the Public Web Server will surely be given in this question), but in the exam you should use “access-list 100 permit ip any any”
* There are some reports about the requirement “All hosts in the Core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports say they got 100% when using this command (even when the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
Also, in the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and write the access-list accordingly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you “ping” from the other hosts (PC0, PC1, PC3), then PC4 (Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.
Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server. We have to create an access-list that can filter this traffic too.
I am confused… why do you have to put ‘access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15’ for
“deny host B from accessing the OTHER server (not the whole network)” when you could just block access to the other server’s IP address, i.e. “deny ip host 192.168.33.2 host 172.22.242.17”?
Really confused about that one; if someone could help…
@AD
It was a numbered ACL… I thought my config was right since I tested it from the 4 hosts after saving and applying the ACL. Wish Cisco would give us something like where we made a mistake, even without telling the answer.. hehe..
Can anyone please explain to me in detail: in the modification part, when we need to “deny host B from accessing the OTHER server (not the whole network)”,
the answer given is
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
I know how the first three zeros in the wildcard exactly match the IP address, but I don’t understand how we get .15 at the end.
@meekal
Wildcard masks are just like that: to represent a /28 subnet you use .15. The trick is the increment of the host bits minus 1:
/25 = .127
/26 = .63
/27 = .31
/28 = .15
and so on.
get it?
@meekal
172.22.242.17 – 172.22.242.30
Increment 16
16 -> 240
255-240 = 15 0.0.0.15
get it? :-)
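The wildcard arithmetic in the two replies above (block size minus one, or 255 minus the subnet-mask octet), written out as an added Python example that is not from the page or from any commenter, and generalized to any prefix length and to any “network wildcard” pair. It also enumerates exactly which addresses a pair such as 172.22.242.16 0.0.0.1 or 172.22.242.16 0.0.0.15 matches, which is the point debated elsewhere in this thread. The function names and the sample addresses are my own; the addresses are those of the sim’s Server LAN.

```python
import ipaddress

def _to_int(a):
    return int(ipaddress.IPv4Address(a))

def _to_str(n):
    return str(ipaddress.IPv4Address(n))

def wildcard_for_prefix(prefix_len):
    """/28 -> 0.0.0.15: the wildcard is the block size minus one, 2^(32-prefix) - 1."""
    return _to_str((1 << (32 - prefix_len)) - 1)

def wildcard_from_subnet_mask(mask):
    """255.255.255.240 -> 0.0.0.15: the wildcard is the bitwise inverse of the subnet mask."""
    return _to_str(0xFFFFFFFF ^ _to_int(mask))

def smallest_block_covering(first, last):
    """Smallest aligned block containing both addresses, as (network, wildcard).
    172.22.242.17 .. 172.22.242.30 -> ('172.22.242.16', '0.0.0.15')."""
    a, b = _to_int(first), _to_int(last)
    bits = 0
    while (a >> bits) != (b >> bits):   # drop low bits until the two agree
        bits += 1
    network = (a >> bits) << bits
    return _to_str(network), _to_str((1 << bits) - 1)

def covered_addresses(network, wildcard, limit_bits=16):
    """Every address an IOS 'network wildcard' pair matches (a 1 bit means 'don't care').
    Handles non-contiguous wildcards too; refuses to expand more than 2^limit_bits addresses."""
    net, wild = _to_int(network), _to_int(wildcard)
    base = net & ~wild                   # keep only the fixed bits of the network
    free = [i for i in range(32) if (wild >> i) & 1]
    if len(free) > limit_bits:
        raise ValueError("wildcard matches too many addresses to enumerate")
    out = []
    for combo in range(1 << len(free)):  # every combination of the free bits
        value = base
        for j, bit in enumerate(free):
            if (combo >> j) & 1:
                value |= 1 << bit
        out.append(_to_str(value))
    return sorted(out, key=_to_int)

def matches(address, network, wildcard):
    """Does the address fall under the ACL address spec 'network wildcard'?"""
    return ((_to_int(address) ^ _to_int(network)) & ~_to_int(wildcard)) == 0

if __name__ == "__main__":
    print(wildcard_for_prefix(28), wildcard_from_subnet_mask("255.255.255.240"))
    print(smallest_block_covering("172.22.242.17", "172.22.242.30"))
    print(covered_addresses("172.22.242.16", "0.0.0.1"))
    print(covered_addresses("172.22.242.16", "0.0.0.15"))
```

covered_addresses makes the difference concrete: 172.22.242.16 0.0.0.1 matches only .16 and .17, while 172.22.242.16 0.0.0.15 matches the whole .16 to .31 block, so the Finance server at .23 is inside the second range and outside the first.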
Guys, which one is the correct one? On 9tut it says permit any any.
@Meeka
I think it should be like this:
access-list 100 deny ip any host 172.22.242.16 0.0.0.15
(Block traffic from the Core and the LAN to Finance)
If this is the question:
deny host B from accessing the OTHER server (not the whole network)
Why is the answer:
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
And not:
access-list 100 deny ip host 192.168.33.2 host 172.22.242.17
172.22.242.17 is the only other server right?
@9tut
Please say the answer.
@anyone …
As per the question we need to block web access, and so we do, by blocking http:80.
However, does anybody know if we need to block https:443 as well…?
I mean… it would kind of count as… web too, wouldn’t it..?
@Erick
Yes it would, but most scenarios state specifically when you need to actually block HTTPS, with wording like “secure”, “prevent from securely browsing” or “secured web access”.
That’s only my opinion.
Cheers!
@barry
Hi, the requirements say “The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30.
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17”. I think we should consider the range of server IP addresses, not just the live one, so the most appropriate answer would be access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15. Hope this helps.
Anyway, that’s what I understand from the problem. =)
ACL Sim 2 – modification
*******************
Hi 9 tut,
I really appreciate the great work you guys are doing. It is a great site and you have the patience to explain things clearly and in a simple way.
Please refer to the following:
permit host B from accessing the finance server: access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
deny host B from accessing the OTHER server (not the whole network): access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit everything else: permit ip any any
The following solution you have suggested doesn’t seem to work:
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit ip any any
The ACL shown below works and I have tested the conditions. Please let me know your thoughts.
Corp1#sh access-lists
Extended IP access list 110
permit ip host 192.168.33.2 host 172.22.242.23 (9 match(es))
deny ip host 192.168.33.2 172.22.242.16 0.0.0.1 (8 match(es))
permit ip any any (4 match(es))
Thanks,
Joe
@KEL
Thanks for your reply, but I just can’t understand…
I’ll try to explain why I don’t understand it:
They ask: “the OTHER server (not the whole network)”.
the OTHER server -> I think it’s only 172.22.242.17 (they are not talking about serverS).
(not the whole network) -> so why take a range of 16? (maybe this is the whole range for this network)
Hope I explained my stupidity a bit :)
@Joe: Please try again, the command “access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15″ surely works because it covers the range of “deny ip host 192.168.33.2 172.22.242.16 0.0.0.1″.
Can someone explain to me why we sometimes use tcp and sometimes ip as the protocol in the access-list command? What is the deciding factor?
@N, no need for other dumps, just concentrate on the Shekhar dump.
I passed my exam today. My score was 973/1000. The sims were the same as on 9tut (access-list 2, EIGRP, VTP). The only difference was the AS number on EIGRP. The questions were the same as in the dumps, with only one new one. I studied the Shekhar dump and the Brar dump (from examcollection.com), which as I figured out had 20 questions that Shekhar didn’t. I strongly recommend studying these two dumps and only the lab sims from 9tut. Thank you people for the good job.
Hi guys,
Can someone who got 100 percent for this ACL 2 in the CCNA exam tell us whether the third statement in the ACL was “permit ip any any” or “permit ip any host”, just to get a final answer to the problem?
Thanks a million
Wow, passed my exam today! It was that simple, GLORY TO GOD ALMIGHTY.
Study your dumps and your sims: VTP, ACL2 AND EIGRP.
9TUT THANKS A BUNCH
@Macadam
The third statement is permit ip any any
GREAT THANKS…..!
STUDY SHEKAR, BRAR and 9tut.com………. you will surely pass……….!
I got 960/1000 on 28/11/2012… thank you all
Passed the exam today, thank God. The same ACL, EIGRP and VTP sims, just like on 9tut. Thanks 9tut, you are a great site.
Passed with 986/1000… Big thanks to 9tut..
There is a major bug with the sim in the actual exam.
Configure ACL 100 on Fa0/0 of router 2 in the inbound direction,
but I got the result. I want to know, is it the correct answer?
Please answer me.
@Pravin
Can you share what bug you encountered during your exam?
Thanks
Maybe the bug he refers to is about domain lookup: somewhere in this configuration you will get the result “domain server (255.255.255.255)”, so you must type this command:
#no ip domain-lookup
ACL Sim 2 – modification
*********************
Hi 9 Tut,
Thank you for your response.
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
The range above covers ip addresses from 172.22.242.17 to 172.22.242.31.
The question says deny host B from accessing the OTHER server (not the whole network).
I take it that the other server is the Public Server with the IP address of 172.22.242.17, so why block access to the entire network?
This is the reason why I went with the following:
deny ip host 192.168.33.2 172.22.242.16 0.0.0.1
So that the ACL blocks only the first valid host in the above range, which is 172.22.242.1. Please correct me if I am wrong.
Sorry, my last line should have read:
So that the ACL blocks only the first valid host in the above range, which is 172.22.242.17. Please correct me if I am wrong.
Running Dams name
Hello everybody, I have a doubt about the following:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server
- Other types of access from host C to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server *
Maybe this way is better?
Extended IP access list 100
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
permit ip any host 172.22.242.17
deny ip any any
@Smile
No, it is not right.
Yes I agree with Joe.
“The question says deny host B from accessing the OTHER server (not the whole network).”
That “OTHER server” must be the Public Web Server with an IP address of 172.22.242.17.
please correct us if we are wrong. thanks :)
Thanks to 9tut
and
Cisco.ActualTests.640-802.v2012-07-15.by.Sekhar.697q
Please use the Sekhar.697q dump,
very, very good,
answers with explanations.
I am confused by the question.
I failed yesterday; many new questions, about 15. The VTP, ACL2 and EIGRP sims were the same.
I studied Cisco.ActualTests.640-802.v2012-07-15.by.Sekhar.697q but it was not enough.
Passed with 947 today, thank the Lord. ACL 2, EIGRP and VTP, 5 questions. The Sekhar and Brar dumps are very valid, not to forget 9tut.
Today 1000/1000… all questions seen in Sekhar, PrepKing 680q and 9tut… all valid.
About Smile’s example: I have a similar question about the exact same sim. The first statement is the same as what I did: allow host C to access eq 80 on the Finance server. At this point, because of the implicit deny, everything else is blocked out of that router interface. So when it says block all other services, they already are, by the implicit deny. So then I get to the part about allowing hosts on the LAN and hosts in the Core to access the public www server. I would now say permit tcp any (server ip) eq 80?
And so it’s accomplished in just 2 statements?
I think initially I was confused about the Core. It only gives the IP address on the opposite end of the serial link, so you don’t know which IPs are in use there. So it has to be an “any” to allow everyone, and then ensure it’s eq 80, so only www resources are accessed by that statement.
@certifeied
Can you send me PrepKing 680q???
Help me. My email: nguyentientai@live.com
Thanks so much
@xyz: the lab turns non-responsive to the commands sometimes and works again after a few minutes.
Hello everybody…..
I am going to appear for the CCNA on the 10th of this December, so if anybody has an additional source of dumps please send it to me at this email id:
dhakadsunil111@gmail.com
Thanks everybody
@Jerry
What are the newest 15 questions? Do you remember? Can you share them with us….
@bruch,
I don’t remember them, but I had a summary and checked against 3 dumps; I saw 9 new questions.
Cisco.PrepKing.640-802.v2012-08-03.by.Brar.631q , Cisco.ActualTests.640-802.v2012-07-15.by.Sekhar.697q ,Cisco.CertifyMe.640-801.v2011-08-24.by.elmostfa.173q
The VTP sim needs care. Another question on the VTP sim was: “What will be the destination MAC address of a packet with source IP address 192.168.44.1 and destination IP address 192.0.2.X?”
@jerry
When did you take the exam?? Why don’t you remember?
Took the exam last December 4. Same simulations, and almost every question appears to be familiar.
Only got 1 mistake on the VTP simulation part.
Good luck to everyone who will take their exams.
Study the concepts and practice configuring devices.
@buch
I tried but could not; anyway, next week I will do it again. I think with the 3 dumps it is enough to pass with a minimum of 825 points; I was not careful in the last exam.
@Smile, you’re correct.
I got exactly the same question; that’s why I got confused, because I can solve the access-list lab sim using only 2 statements, since the 3rd statement you typed is unnecessary because of the implicit deny-all statement that is hidden at the end of every access list.
Let me compare these 2 scenarios, which I guess is what you are confused about, as happened to me too. One of the requirements of the access-list given by 9tut is: “No other hosts from the LAN nor the Core should be able to use a web browser to access this server.” But in the CCNA exam, one of the requirements was: “All access from hosts in the Core or local LAN to the Finance Web Server should be blocked.” Take note that it didn’t specify web browser access to the Finance Web Server from the hosts of the Core and local LAN, compared to the one given by 9tut here. So I answered using only 2 (not 3) access-list statements. I know it satisfied the question because I tried it many times before in Packet Tracer and it worked exactly the same. @Smile, I omitted your 3rd statement (deny ip any any) because that is the implicit deny-all statement automatically provided by the program and need not be issued any more, so it’s like saving 1 access-list statement. With respect to 9tut, his answer is also correct if the question reads exactly as he gives it in this lab sim above. But again, in the exam the question is slightly different, and what I remember is that @Smile got it exactly as it was in the exam I took last month, November.
But when I checked my grade summary report I didn’t get 100% on that particular access-list lab sim. So I conclude that we have to follow 9tut’s way of answering, which is a 3-statement access-list, to satisfy the question’s instruction of issuing not more than 3 access-list statements. So basically we have to follow the instruction, which is to issue 3 access-list statements, although we can actually solve the problem using only 2 statements.
Our CCNA exam is checked by a computer, and the computer doesn’t consider whether your access-list statements could also be correct because they would work exactly the same in the real world. The computer does only what it is told to do, which is to compare whether your answer is exactly the same as the answer key saved in the question bank.
Cheers! :D
Very good site….
Happy studying!