
CCNA Access List Sim 2

February 15th, 2014

Question

access_list_sim2.jpg

Answer and Explanation

(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Some modifications to this access-list question have also been reported, so you should read the “Some modifications” section at the end of this question to understand them. You can also download this sim to practice with (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)

Corp1>enable (you may enter “cisco” as the password here)

We should create an access-list and apply it to the interface connected to the Server LAN, because that interface can filter traffic coming from both the Sw-2 (local LAN) and Core networks. The Server LAN has been assigned addresses 172.22.242.17 – 172.22.242.30, so we can guess that the router interface connected to it has the IP address 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address 172.22.242.30.

Corp1#show running-config

access_list_sim_show_running.jpg

We learn that interface FastEthernet0/1 is the interface connected to the Server LAN. This is the interface to which we will apply our access-list (in the outbound direction).

Corp1#configure terminal

Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (port 80):

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Deny all other hosts access to the Finance Web Server via web:

Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

All other traffic is permitted:

Corp1(config)#access-list 100 permit ip any any

Apply this access-list to the Fa0/1 interface (outbound direction):

Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out

Notice: We have to apply the access-list to the Fa0/1 interface (not Fa0/0) so that it filters traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, it could only filter traffic from the LAN.

In the exam, just click on host C to open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server via HTTP. If your configuration is correct, you can access it.

Click on the other hosts (A, B and D) and check to make sure you can’t access the Finance Web Server from them.

Finally, save the configuration:

Corp1(config-if)#end
Corp1#copy running-config startup-config

(This configuration only prevents hosts from accessing the Finance Web Server via web; if this server supports other traffic, like FTP, SMTP…, then other hosts can still access it that way.)

Notice: You might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.

Some modifications (mods):

Modification 1 (Mod 1):

Permit host B to access the Finance server:
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
Deny host B from accessing the other servers (not the whole network):
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
Permit everything else:
access-list 100 permit ip any any

Modification 2 (Mod 2):

Only allow host C to access the financial server:
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
Do not allow anyone else to communicate with the financial server in any way:
access-list 100 deny ip any host 172.22.242.23
Allow all other traffic:
access-list 100 permit ip any any

Modification 3 (Mod 3):

– Host C should be able to use a web browser (HTTP) to access the Finance Web Server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
– Other types of access from host C to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked:
access-list 100 deny ip any host 172.22.242.23
(Because the requirement says we cannot use more than 3 statements, we have to use “any” here for the hosts in the Core and the hosts in the local LAN; this single line covers both requirements above.)
– All hosts in the Core and local LAN should be able to access the Public Web Server: *
access-list 100 permit ip any host
(If the question asks this, it surely has to give you the IP of the Public Web Server; but in the exam you should use “access-list 100 permit ip any any”.)

Modification 4 (Mod 4):

Host C should be able to use a web browser to access the financial web server:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the finance web server should be blocked:
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the core and on the local LAN should be able to access the Public web server: *
access-list 100 permit ip any host
(The IP of the Public Web Server will surely be given in this question; but in the exam you should use “access-list 100 permit ip any any”.)

* There are some reports about the command for “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.

(Note: Don’t forget to apply this access-list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out

And in the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and write the access-list accordingly.)
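To see why the first-match order of these lines matters (and why Mod 3 and Mod 4 behave differently for hosts other than C), here is an added example that is not part of the original page or of the Packet Tracer sim: a small Python evaluator for the IOS extended access-list lines above. Hosts B and C and the Finance Web Server use the addresses given on the page; the “other server” and “Core host” addresses are constructed stand-ins (the page only says the Server LAN is 172.22.242.17 – 172.22.242.30 and does not give a Core address), and Mod 3 and Mod 4 end with “permit ip any any” as the page recommends for the exam. The `subnet_summary` helper reproduces the network/broadcast/wildcard arithmetic for the Server LAN.

```python
"""Added example (not from the 9tut page): evaluate IOS-style extended ACLs
offline to check the first-match behaviour of ACL 100 and its modifications."""
import ipaddress
from typing import NamedTuple, Optional


class AddrSpec(NamedTuple):
    addr: int       # address as a 32-bit integer
    wildcard: int   # IOS wildcard mask: 0 bit = must match, 1 bit = don't care

    def matches(self, ip: str) -> bool:
        diff = int(ipaddress.IPv4Address(ip)) ^ self.addr
        return (diff & ~self.wildcard & 0xFFFFFFFF) == 0


class Entry(NamedTuple):
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip', 'tcp', 'udp' or 'icmp'
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # destination port from 'eq N', if present


class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return AddrSpec(0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return AddrSpec(int(ipaddress.IPv4Address(tokens[0])),
                    int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]


def parse_acl(text: str):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines.
    A leading 'Corp1(config)#' prompt is ignored; blank lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split("#", 1)[-1].split()
        if len(toks) < 4 or toks[0] != "access-list":
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, rest = _addr(rest)
        if rest and rest[0] == "eq":        # source port: not used in this sim
            rest = rest[2:]
        dst, rest = _addr(rest)
        dport = int(rest[1]) if rest and rest[0] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, flow: Flow) -> str:
    """The first matching entry decides; every ACL ends with an implicit deny."""
    for e in entries:
        if e.proto not in ("ip", flow.proto):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        if e.src.matches(flow.src) and e.dst.matches(flow.dst):
            return e.action
    return "deny"


# The lists as written on the page (ACL 100, Mod 1, Mod 3, Mod 4).
ACL_100 = """
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Corp1(config)#access-list 100 permit ip any any
"""
MOD1 = """
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
access-list 100 permit ip any any
"""
MOD3 = """
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
"""
MOD4 = """
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
access-list 100 permit ip any any
"""

HOST_B, HOST_C, FINANCE = "192.168.33.2", "192.168.33.3", "172.22.242.23"
OTHER_SERVER = "172.22.242.20"   # constructed: another server inside 172.22.242.16/28
CORE_HOST = "10.10.10.10"        # constructed: a host reached through the Core


def check_all() -> dict:
    """Verdict for representative flows under each list, keyed (list, flow)."""
    lists = {"acl100": parse_acl(ACL_100), "mod1": parse_acl(MOD1),
             "mod3": parse_acl(MOD3), "mod4": parse_acl(MOD4)}
    flows = {
        "C_http_finance": Flow("tcp", HOST_C, FINANCE, 80),
        "B_http_finance": Flow("tcp", HOST_B, FINANCE, 80),
        "core_http_finance": Flow("tcp", CORE_HOST, FINANCE, 80),
        "B_ping_finance": Flow("icmp", HOST_B, FINANCE),
        "C_ping_finance": Flow("icmp", HOST_C, FINANCE),
        "B_http_other": Flow("tcp", HOST_B, OTHER_SERVER, 80),
    }
    return {(name, label): evaluate(acl, flow)
            for name, acl in lists.items() for label, flow in flows.items()}


def subnet_summary(ip: str, mask: str):
    """Network address, broadcast address and IOS wildcard for ip/netmask."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address), str(net.hostmask)


if __name__ == "__main__":
    for (name, label), verdict in sorted(check_all().items()):
        print(f"{name:>6}  {label:<18} {verdict}")
    print(subnet_summary("172.22.242.17", "255.255.255.240"))
```

Running it shows the behaviour the page describes: under ACL 100 only host C gets HTTP to the Finance Web Server, but a ping from host B is still permitted because line 2 only matches TCP port 80; under Mod 1 host B reaches the Finance server (line 1 matches first) yet is denied to any other address in 172.22.242.16 0.0.0.15; and under Mod 3 host B is denied to the Finance server while under Mod 4 it is permitted, since Mod 4’s deny line names host C only.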

I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1 or later) to open it.

accesslist_sim2_packet_tracer.jpg

Download this sim here

Notice: After typing the commands above, if you “ping” from the other hosts (PC0, PC1, PC3), PC4 (Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When the web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.

accesslist2_test_http.jpg

Also notice that in the initial configuration of this sim the Core network can ping the Finance Web Server. We have to create an access-list that filters this traffic too.

Comments
  1. like a bro
    December 11th, 2016

    @JM not sure what you’re asking but I am sure the exam lab sim allows use of tab and others like Ctrl + A etc.

  2. sherlyn
    December 20th, 2016

    Hi all

    How do we know the IP addresses of the 3 servers?

    Thank you

  3. nnalhan
    December 20th, 2016

    @sherlyn
    you can enter the server and choose Config, then go to Interface and click FastEthernet; you will see the IP address :)

  4. Ahmed
    December 20th, 2016

    @sherlyn
    Click on Server > Desktop Tab > IP Config
    You will see

  5. sandy
    December 20th, 2016

    OK great guys thanks

  6. Freya
    December 21st, 2016

    Please send me dump update to {email not allowed}

  7. cctry
    December 26th, 2016

    where is the question of this SIM please ?

  8. Mau
    December 29th, 2016

    Why are the second-line commands different for mod 3 and mod 4? Please help, I am confused.

  9. hamzard
    December 30th, 2016

    hello, I would like some advice, I’m 15 and have my CCNA exam in a couple of weeks, best learning method, essentials??

  10. BottomTop
    December 31st, 2016

    @hamzard Lmao, I’m 15 too, and my exam is in 2 days, just go through the dumps, that’s what I’m doing, and practice these sims.

  11. hamzard
    January 1st, 2017

    @BottomTop lol thanks, where are the dumps??

  12. John D. Ngowi
    January 3rd, 2017

    Hi guys, has anyone done CCNA Routing and Switching recently? Please alert us on the number of questions in the valid dump please. Thank you in advance

  13. Ezio
    January 7th, 2017

    Is there a PKT of all lab sims which I can use for study?

  14. madrocks
    January 11th, 2017

    hello guys, planning to write CCNA R&S by next month, plz fwd me the latest dumps and also suggest where I can find the .vce files for the practice exams.
    MAIL ID IS : {email not allowed}

    please suggest me what are the labs I need to practice …

  15. madrocks
    January 11th, 2017

    hello guys, planning to write CCNA R&S by next month, plz fwd me the latest dumps and also suggest where I can find the .vce files for the practice exams.
    MAIL ID IS : m a d k r i s 4 m a d g m a i l . com

    remove spaces and please put @ instead of the first “mad”. Please suggest what labs I need to practice …

  16. Aper
    January 18th, 2017

    Modification 4 (Mod 4) doesn’t work when I am testing: I can access the finance web server from PC A – PC D, but based on the correct answer you can only access the finance web server from PC C.

    What is the difference between the Modification 4 and Modification 3 code, if both ask the same question? Thanks

  17. Nowol
    January 19th, 2017

    @Aper hey there man, Mod 4 doesn’t have the requirement of blocking hosts A–D so it is correct. The second line “Other types of access from host C to the finance web server should be blocked” just says that host C can’t do anything other than access the web server as permitted by line 1. :)

  18. Anonymous
    January 20th, 2017

    Can you also use?

    Corp1(config)#interface fa0/0
    Corp1(config-if)#ip access-group 100 in

  19. Forever21
    January 20th, 2017

    Guys I wrote the exam and passed today. 171q very valid. Also the sims from here are definite, only IP addresses and such change. Didn’t get EIGRP but got two RIPv2, OSPF, ACL and DHCP. Thank you 9tut and Ppap.

  20. Marry
    January 23rd, 2017

    Can anyone explain this question to me please, please?

    interface fa 0/0
    ip address x.x.33 255.255.255.224
    router bgp XXX
    neighbor x.x.x.x remote as x.x.x.x

    You need to advertise the network of Int fa0/0.
    A. x.x.x.32 mask 255.255.255.224
    B. x.x.x.32 255.255.255.224
    C. x.x.x.32 mask 0.0.0.31=
    D. x.x.x.33 mask 255.255.255.224

    Correct answer: A. But why isn’t the answer D???

    Thank you!

  21. AsadBabel
    January 24th, 2017

    @Marry because you want to advertise the net ID, not the IP address belonging to the interface, and this IP belongs to net ID x.x.x.32
    Regards

  22. Vvs
    January 25th, 2017

    hello everyone, I’m confused: why is “deny host B from accessing other servers (not the whole network)” written as “access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15”? Wildcard 0.0.0.15 is netmask 255.255.255.240, meaning it’s the whole server network?

  23. Rad
    January 25th, 2017

    @Vvs yes, all 172.16.242.16 network

  24. marllouie
    January 27th, 2017

    MOD 1
    “deny host B from accessing other servers (not the whole network)”

    “access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15” – packet tracer is not accepting this line, why???

  25. Almighty
    January 29th, 2017

    I’m curious as to why you would apply the ACL to fa0/1 outbound for the CCNA exam, since the CCNA specifically states they want you to follow the best practice of applying extended ACLs closest to the source. Meaning fa0/0 – if not even the link to the core.
    From my point of view, fa0/0 would be the best place for this (I don’t know the specific question for this scenario) since you state you want to deny or allow hosts from accessing the Finance Web Server. The Core network is not likely to have any hosts – hence the name Core (again, recall the CCNA access/distribution/core hierarchy). This ACL would surely be sufficient to prohibit or allow what you need, but it would be less effective than the same ACL applied to fa0/0 – the LAN with hosts – since it consumes more processing power for every packet exiting fa0/1 to the servers (imagine a live scenario where the servers are heavily used).

    Considering all this, I’d apply the ACL to fa0/0 without any overthinking this situation.

  26. Vvs
    January 30th, 2017

    @Rad
    but the question is “deny host B from accessing other servers (NOT the whole network)”. And by typing “access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15” we are denying the whole network.

  27. samsepiol
    February 3rd, 2017

    how did he get this IP?
    172.22.242.16

  29. Southern
    February 8th, 2017

    I think that there are some errors in the subnet masks of the servers; they all should be 255.255.255.240

  30. Southern
    February 8th, 2017

    @Vvs: the denial of the whole server network is applied after the host permit access-list line, so the host can still access the server but not the other two servers.

  31. Southern
    February 8th, 2017

    @samsepiol:
    172.22.242.16 is obtained by using the subnet mask 255.255.255.240; 240 sits in the 16th bit position, so we increment our networks by 16, i.e. 0-16-32-64, and all the servers’ IPs sit in the following range of usable addresses, 172.22.242.17 – 172.22.242.30, which excludes the network address 172.22.242.16 and the broadcast address 172.22.42.31. Hope this helps a little

  32. Vvs
    February 9th, 2017

    @Southern, yes, I see that. But the wildcard for netmask 255.255.255.240 is 0.0.0.15, and that means that by typing “access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15” we are denying access to the WHOLE network (except the server that we permitted). But the question is “deny host B from accessing other servers (NOT THE WHOLE network)”.

  33. Mikasa
    February 9th, 2017

    so what was the question here? anyone?

  35. vty
    February 12th, 2017

    How will you know the IP of the finance web server?

  36. Anonymous
    February 14th, 2017

    @vty Click on Server > Desktop Tab > IP Config

  37. FreshSent
    February 21st, 2017

    New mod; same concept, but using PC-3 different IPs.

    Just be sure to practice access-lists and you’ll be good. Also be sure to practice typing out the full syntax of Cisco commands. I was having an issue where I had to completely start over; luckily the tab option worked to a certain extent. Good luck.

  38. FreshSent
    February 21st, 2017

    To VTY: The finance server’s IP will be listed in the scenario tab of the question. You will also see a topology/diagram. From there, you can use a show run command on any device and compare the interface results to the network diagram. This will enable you to figure out the IP address of any interface you need to know.

  39. arsh
    February 22nd, 2017

    where is the question?

  40. anonymous
    February 23rd, 2017

    Had my CCNA exam yesterday at Cisco Live:
    host D has to get access to the finance server (IP .17) over port 80
    all other access from host D and all other hosts from LAN and Core should be blocked
    everyone should get access to the public server (.18).

    here is my access-list:

    x = lan network
    y = server network

    access-list 100 permit tcp host x.x.x.4 host y.y.y.17 eq 80
    access-list 100 deny ip any host y.y.y.17
    access-list 100 permit ip any host y.y.y.18

  41. BetterThanSkipOne
    February 23rd, 2017

    The last comment actually refers to mod 3. Only the host changed to D (IP ends with .4) and the IP of the Public Web Server was given. Thus I can confirm the comment. Made it yesterday as well.
