CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Answer and Explanation
(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt
Corp1>enable (you may enter “cisco” as it passwords here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
Some modifications:
Modification 1:
| permit host B from accessing finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| deny host B from accessing other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| permit everything else | access-list 100 permit ip any any |
Modification 2:
| Only allow Host C to to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Not allow anyone else in any way communicate with the financial server | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |
Modification 3:
| - Host C should be able to use a web browser(HTTP)to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| - Other types of access from host C to the Finance Web Server should be blocked - All access from hosts in the Core or local LAN to the Finance Web Server should be blocked |
access-list 100 deny ip any host 172.22.242.23 (because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN) |
| - All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any” |
Modification 4:
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need new version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
Other lab-sims on this site:
@Anybody
@9tut
Whether can we use tab key to fill the full cmds??
Also can we use shortcut cmds in exam like we use in gns3 or packet tracer??
eg:sh run, sh ip int br, sh ip rout…
thanks..
This question came in my exam today. I remember i forgot to apply on interface and it cost me much points, though i got 960/1000. Master it if you want to pass exam.
@ Mostafa Nader
We are not allowed to use tab key
instead we can use “?” to check the command options
yes short forms of commands works
jerry ,,,, how many question in 9tut ,pls inform
@arul: Please read here for more information: http://www.9tut.com/ccna-faqs-a-tips
Hello, every1
Are u allowed to review the answers in the real exam after answering all the questions? Or ones submitted u cannot go back?
ACL 2 sim.can anyone please help me with a valid packet tracer file for this lab sim 2?
hi I”am pass today 960 : )
thanxxxxx for 9tut + Sekhar.697q.vce dumps
@justus
acl same question but simple different they need allow host D to access to The Finance Web
make sure about outbound
from
Router# sh ru
Please help me to find latest dumps and lab.
Thank you in advanced.
puerto_911@hotmail.com
@ROb
step 1
find
Sekhar.697q.vce dumps
step 2:
and u should be practice LABS : ACL + EIGRP +VTP
verrrrrry impotent
I rlealy wish there were more articles like this on the web.
what command we must to type to find this answer
What will be the destination MAC address of a packet with Source IP address 192.168.44.1 and destination IP address 192.0.2.X .
Thanks 9tut… Passed exam today got 894… lab EIGRP, VTP and ACL2..
thanks 9tut u r a real helper
can we score 600/1000 If we do all the simulations correctly ??
passing score is 800 right??
@Sanju: Normally each sim has 80 to 100 points. We have 3 sims in the exam so we can only get a maximum of 300 points.
I had this sim and the EIGRP one too. Screwed up on it. The exam sucks. 90 minutes is not enough! Just caused total panic as I didn’t have much time left on the clock. Glad I’ve found this.
Certain that there were 4 things to achieve, in 3 lines. Was definately something to do with accessing the public web server, in addition to the finance web server.
God I pass today thank be to you.
9tut,
I downloaded your the packet tracer ACL lab and somehow it does not seem to be working according to how it should. This is what I get after inputing the first line …….
Router-2#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router-2(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
^
% Invalid input detected at ‘^’ marker.
Could you please get back to me on this? Thanks
9tut, never mind .. I can not see why changing the hostname would affect the SIM but it did.
@Jamerican: Please try that command again. Changing the hostname cannot affect it. I tried your command and the router accepted it.
I passed ccna yesterday 933/ 1000 ,( last time i failed ) , as comment last time i saw bout 10q new .
SIM VTP ACL EIGRP same
VTP question 5 I confuse that question : From which switch did Sw-Ac3 receive VLAN information ?
when i type command : show vtp status , it did not show infomation which IP modified it , that SW is Client , have cost 19 ,
My answer is : SW .. ( locally ) , but i think it wrong ,
ACL2 : just 2 command permit host C to finance and all host to public server , all services is block
EIGRP same : AS 221 ,
Jerry are you saying that you only saw 10 new questions that you did not see here? Also, on the VTP question regarding which switch did Sw-Ac3 receive VLAN information ? what other command did you use to find the answer?
Thanks for your help.
Hey every one, I pass my exam 947/1000, Thanks a lot, it was very helpful .
The Sim Lab still valid ACL2 VTP EIGRP, ACl barely the same as here, just be careful which host you’ve been ask, in my case host A and of course different IP address from here.
9tut, with the packet tracer lab that I downloaded I am unable to test the ACL appropriately because the router will allow the syntax to do a source PING. Normally I should be able to do “ping X.X.X.X source interface or IP” and I can not. Therefore everything is pinging and I do not know else to test. Any pointers here as to what I should be doing? Thanks
@Jamerican: Maybe you are mentioning about extended ping in Packet Tracer. To make an extended ping on Packet Tracer, just type “ping” and the router will ask other information later.
9tut,
This is my first time using packet tracer, but I am pretty decent at figuring out thing most of the times and I can not figure out what I am doing wrong trying to ping from the different hosts in the SIM to test the ACL. This is my ACL:
Corp1#sh access-lists 100
Extended IP access list 100
permit tcp host 192.168.33.3 host 172.22.242.23 eq www
deny tcp any host 172.22.242.23 eq www
permit ip any any (8 match(es))
I went to the browser of each host and tried to ping the server and coulf not get it to work. However I can ping from their respective command prompt despite the access-list blocking everyone except HostC. Any help here? Thanks
TY 9tut.
Today I have passed the CCNA.
50 questions 3 labs (VTP, EIGRP, ACL). 35 questions from 9tut
The ACL lab was the same only the host was host B.
The request allow host B to www to the financee servere and only www. the rest no access to www but access to every thing else.
access-list 100 permit tcp host (host B) host (finance) eq www
access-list 100 deny IP 192.168.64.0 0.0.0.15 host (finance)
access-list 100 permit any any
apply outbound on int f0/1.
Ty again 9tut
final statement….
access-list 100 permit IP any any
@9tut
On the exam, does entering the wrong command deduct mark? Because the keyboard i was using kept entering while i was typing and i got a few errors displayed by the sim. I had to let the vigilante know about the issue and he asked me to show him, which i had to type and then half way through the command will be entered as if i’m pressing the “Enter” key….. He had to power off the machine and login me in again in another computer, luckily my progress was saved and i got to continue from the question i left off. But could this have affected my final score? I followed the steps on all the sims you have here and i’m checking again to see where i went wrong and i cant see it…
There were some changes in each tasks but i did notice that and responded accordingly, on the VTP sim, i even checked all the Hosts using the web browser to see if my access-list worked and all apart from Host D (as requested) were denied access to the the Finance web server! so i dont understand why i got low marks for the configurations unless i have been deducted mark for entering wrong command which wasnt my fault!
Anyway I got 815 :(, Sims still VTP, ACL and EIGRP!
@Nebiyu: Entering wrong command does not deduct your mark. But for some commands you cannot change after typing them.
I saw on PrepKing the solution to one of the variants0.3 of ACL2 and I wonder if this is right or wrong. My instinct is telling me it is wrong. Please clarify…
A corporation wants to add security to its network. The requirements are:
- Host B should be able to use a web browser (HTTP) to access the Finance Web Server.
- Other types of access from Host B to the Finance Web Server should be blocked.
- All access from hosts in the Core or local LAN to the finance Web Server should be blocked.
- All host in the Core and on local LAN should be able to access the Public Web Server.
access-list 100 permit tcp host 192.168.33.3 host 172.22.63.17 eq www
access-list 100 permit ip any host 172.22.63.18
access-list 100 deny ip any any
My second question for the deny part of the AcL. Is it better to use “192.168.64.0 0.0.0.15″ or “any”?
Thanks
Thanks it is pretty good!!!
I am still looking for comments on this. Can 9 TUT or anybody please help
ACL Sim 2 – modification
*********************
Hi 9 Tut,
Thank you for yoru response.
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
The range above covers ip addresses from 172.22.242.17 to 172.22.242.31.
The question says deny host B from accessing the OTHER server (not the whole network).
I take it that the other server is the Public Server with the ip address of 172.22.242.17 so why block the access to the entire network.
This is the reason why I went with the following
deny ip host 192.168.33.2 172.22.242.16 0.0.0.1
So that the ACL blocks only the first valid host in the above range which is 172.22.242.17 Please correct me if I am wrong.
@Joe: In fact, in the real exam there are 4 requirements while we are only allowed to use 3 statements. That’s why we have to block whole network.
But recently there is no report about the requirement “deny host B from accessing the OTHER server (not the whole network)”. So you will not see this requirement in the exam.
Is there any responce to my question above. I found the answer on PrepKing and I am wondering where the error is coming from.
Thanks 9tut for your response.
please help me to find correct one???????????
On ACL, Host B was allowed to use HTTP access to the finance web server. Other forms of access from host B or any other host on the LAN or core was blocked from accessing the finance web server. Access to the Public web server was allowed.
NO- 1
access-list 110 permit tcp host (ip add of B) host (ip add of Finance web server) eq http
access-list 110 permit ip any host (ip add of Public Web Server)
access-list 110 deny ip any any
OR
NO-2
access-list 110 permit tcp host (ip add of B) host (ip add of Finance web server) eq http
access-list 110 deny ip any host (ip add of Finance web server )
access-list 110 permit ip any any
applied to the fa0/1 of the Rtr interface in the outbound direction
??????????? NO-1 OR NO-2 IS CORRECT ANSWER????????
Hi JJJJJJJJJJ if NO – 1 after permit statements end we have implicit deny so I think there is no point adding the last deny statement. Someone please correct me if I am wrong.
welcome all :)
what is the reason for applying th acl on fa 0/1 out and not on fa 0/0 and serial in???
@eltoroloco So that we can also filter the traffic coming from the Core Network
yes, but I’m thinking about applying the acl to the fa 0/0 INBOUND and to serial INBOUND, so the router would discard the packets and not waste time to processing it;
as far as I am concernde, the extended acls should be as close to the sourses as possible
generally speaking, both options are correct? but how will they be treat at CCNA? has anyone tried?
what is correct for ACL2 ACL2
permit host c to finance server through web server,
block host c’s all other access to finance server,
block core and all other host from accessing finance server,
allow core and hosts in the LAN to access public server.
ans.
access-list 100 permit tcp host source host destination eq 80
access-list 100 deny tcp any host destination eq 80
access-list 100 permit ip any any
and apply this in outbound direction
ip access-list group out
Just passed CCNA now..
Thanks a lot 9tut ..
Sims are the same..ACL SIM has only Finance server and Web Server..
Some new qns from VTP..
Just passed CCNA now..
Thanks you Jesus and a lot 9tut ..
whatabout the EIGRP LAB and the questions is it similar to 9tut
exactly this sim came or changing . 3sim( acl,vtp,eigrp)would come from this site . Answer any body .
@raj in acl which server was asked to be accessed by which host….. could u tell me
@cowboy
pls reply for my above ques….