CCNA Access List Sim 2
Question
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17

Answer and Explanation
(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial. Some modifications of this access-list question have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)
Corp1>enable (you may enter “cisco” as its password here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config

We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. This is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply the access-list to the inbound interface, we can only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
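As an added illustration (not part of the original answer or the sim), the Python sketch below evaluates the three statements above with first-match semantics and compares the two placements discussed in the Notice. The "core" ingress label, the sample packets and the function names are assumptions made for the example; only numeric "eq" ports are parsed.

```python
import ipaddress

ACL_100 = """\
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]

def parse_acl(text):
    """Parse numbered extended ACL lines (numeric 'eq' ports only) into entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[2], tokens[3]
        src, rest = parse_addr(tokens[4:])
        dst, rest = parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def addr_matches(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bit 1 = "don't care"
    return (to_int(addr) & care) == (base & care)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, ace_proto, ace_src, ace_dst, ace_port in acl:
        if ace_proto not in ("ip", proto):
            continue
        if not (addr_matches(ace_src, src) and addr_matches(ace_dst, dst)):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "deny"

def forwarded(acl, placement, ingress, proto, src, dst, dport=None):
    """Verdict for a packet routed to the Server LAN (it always leaves via Fa0/1).

    placement: 'fa0/1 out' or 'fa0/0 in'. ingress: 'fa0/0' (Hosts LAN) or 'core'
    (an assumed label for the Core-facing interface, which the page does not name).
    """
    if placement == "fa0/0 in" and ingress != "fa0/0":
        return "permit"                    # the ACL never sees this packet
    return evaluate(acl, proto, src, dst, dport)

FINANCE, PUBLIC = "172.22.242.23", "172.22.242.17"
# Constructed test traffic: (label, ingress, proto, src, dst, dport)
PACKETS = [
    ("host C HTTP", "fa0/0", "tcp", "192.168.33.3", FINANCE, 80),
    ("host A HTTP", "fa0/0", "tcp", "192.168.33.1", FINANCE, 80),
    ("Core HTTP", "core", "tcp", "198.18.196.65", FINANCE, 80),
    ("host A ping", "fa0/0", "icmp", "192.168.33.1", FINANCE, None),
    ("host A HTTP to public", "fa0/0", "tcp", "192.168.33.1", PUBLIC, 80),
]

def verdicts(placement):
    acl = parse_acl(ACL_100)
    return {p[0]: forwarded(acl, placement, *p[1:]) for p in PACKETS}

if __name__ == "__main__":
    for placement in ("fa0/1 out", "fa0/0 in"):
        print(placement, verdicts(placement))
```

With the list applied inbound on Fa0/0, the Core HTTP packet comes back as permitted, which is the gap the Notice describes.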
Some modifications:
Modification 1:
| permit host B to access the finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| deny host B from accessing the OTHER server (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| permit everything else | access-list 100 permit ip any any |

Modification 2:
| Only allow Host C to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Do not allow anyone else to communicate with the financial server in any way | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |

Modification 3:
| - Host C should be able to use a web browser (HTTP) to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| - Other types of access from host C to the Finance Web Server should be blocked – All access from hosts in the Core or local LAN to the Finance Web Server should be blocked | access-list 100 deny ip any host 172.22.242.23 (because the requirement says we cannot use more than 3 statements, we have to use “any” here for the hosts in the Core and hosts in the local LAN) |
| - All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host <IP of Public Web Server> (If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any” |

Modification 4:
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host <IP of Public Web Server> (The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports that, for the requirement “All hosts in the core and on the local LAN should be able to access the Public web server”, the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, maybe you should use the first command, “access-list 100 permit ip any any”, instead, as some reports said they got 100% when using this command (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out
Also, in the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and use the access-list correctly.)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a new version of Packet Tracer to open it (v5.1+).

Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.

And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
hi friend how are you all ,i wont know what is egirp did it come for us today and which acl2
thank you all
@ Fatah:
There will be a question about EIGRP and ACL too. The ACL question I had was this:
http://www.9tut.com/ccna-lab-sim/78-ccna-access-list-sim-2
and this one for EIGRP:
http://www.9tut.com/ccna-eigrp-questions
pc-pt (PC4) does not provide an HTTP connection; replace it with a server, or give the IP address (172.22.242.29) to the public web server and provide an access-list for this IP the same as previously done. Check.
Please correct me if I am wrong.
PLEASE CORRECT ME IF I’M WRONG!!!
The in/out interface could be determined by the source and the packet flow direction.
In my case I have applied it on interface fa0/0, which faces the 192.168.0.0 subnet.
This ACL does exactly the same – just wondering if there are problems with going my way on this…
Sorry, forgot to be exact, I have applied:
interface fast0/0
ip access-group 100 in
I have a problem with ACL2. I did everything, but I have Packet Tracer 5.0 so I can’t practice. Tell me how I can solve this problem.
Thanks
@you should download PT 5.1…. or give me your ID i’ll mail you its topology..so that you can practice it more efficiently
whr it s dwnd acl sim 2 ……..plz giv me tht link packet tracer
@hi..
dear just see below the topology…you find a “Download this sim here” just click on here,,
u’ll have it…
tc
hi all
and thinx mohsin for your re ably my email fatah6220@hotmail.com
i wait you ,i will be thinkful for you.
if baspol send me eigrb and vtp also
404 Not Found
The resource requested could not be found on this server!
Powered By LiteSpeed Web Server
LiteSpeed Technologies is not responsible for administration and contents of this web site!
@fatah….
dear i had send you 11 labs..which include ACL2, EIGRP,RIP, VTP…… and all other….
take care..and share your exam experience with us..we are waiting..for it
@fatah..
you can download packet tracer v5.3.1 which is latest..to open ACL2 lab..
http://hotfile.com/dl/81150708/025d779/PacketTracer531_setup_no_tutorials.exe.html
Hi
Friends
learn how to connect virtual machine with gns3 and test internet connectivity in virtual machine very easy and interesting lab
http://www.youtube.com/watch?v=MWi2S1wQWCo
Thanks
Muhammad Imran!!!!!!
Hi
Friends
learn how to connect make this same lab in gns3 and get 100% results
http://www.youtube.com/watch?v=qJVuCFHdoDk
Thanks
Muhammad Imran!!!!!!
hi mohsin soudaga i will do insh alaah
thnx mohsin acl2 it’s work in 5.3 thank you all friend in 9tut
The show run command is not supported in the CCNA sim, so is there any alternative to this?
Please reply…
try sh ip interfaces (brief)
My suggestion (I had this question on the exam) try “do show run”, do not exit global config mode.
show run did work on the exam.
http 404 not found guys i want these sims i need to practice im writing monday
plz
@mohsin soudagar
Could you please send me the 11 labs too? My exam is on dec 16.
2891soif@gmail.com
Thanks !!
Hassan
i got my exam yesterday and passed with 974. especial thanks for the 9tut. pass4sure & testinside dumps are still valid. sims are eigrp,vtp & access-list only the ip addresses are changed. in access-list the the pc also changed. again thanks for the 9tut and all of the contributors
if any one need help from me pls email to
hasy_001@yahoo.com
@Hassan
yes dear..i had mailed you….. all the 12 labs topologies..
@mohsin soudagar
Thank you so much my friend! I’ve just did 1 simulation, only 11 to go ! :)
We gonna do it !!
Hassan
hi there, could you send me the 12 lab topologies as well? I’m to take the exam the week of the December 20th. Thank you. s_aleck911@hotmail.com and the latest dumps if at all possible
hello mohsin soudagar
If you can also send me the 11 labs i am planning to do my exam first week of jan kapil.watts@gmail.com
hi friend can u please send me the 12 lab topologies . examin this friday. cheers brad_gemini at hotmail dot com
hi,
plz send me all lab topologies , my exam on this Thursday , mail id is rayan.equinox@gmail.com, thanks ..
hello,
can u lz send me the topologies.
mail: muzzie00@hotmail.com
Thnx
hello
Anyone Plz forward me all topologies @ qaisars82@hotmail.com.
Thank u so much…… looking forward………
Cheers
Hey all
can one send me lab topologies, exam this week. (ptrck.tremblay@gmail.com)
This site has been most excellent with exam prep.
Thanks so much!!
Please add me to the list for the 12 labs. peter.cole@dasher.com
Thanks
please could someone please send me the packet tracer version of this please, got my exam this week
many thanks
hi iam harish iam having exam this week can anyone send me all lab topologies my add is harisrexgmail.com
Hi,
I see that someone already asked the same question above but it wasn’t answered yet. Instead of applying the ACL on Fa0/1 as outbound, shouldn’t we apply it on Fa0/0 as inbound?
As per CBT Nuggets, extended ACLs should be applied as close as you can to the source that should be filtered. On the other hand, standard ACLs should be applied as close as you can to the destination (to avoid redundant permission denial). And since the ACL above is extended, I expected that it would be applied on Fa0/0 as an inbound one.
What do you think about this?
Thanks,
Marko
@Marko: I agree that standard ACLs should be applied as close as you can to the destination but in this case we must apply it to Fa0/1 (outbound), not Fa0/0 (inbound) because we also need to prevent Core network from accessing the Finance Web Server. If we apply access-list to Fa0/0, only packets from hosts A B C D will be filtered.
You’re absolutely right! Thank you very much for this clarification and pointing me to the part of the text that I overseen. In the 3rd sentence of the text, it says: “No other hosts from the LAN nor the Core should be able to use a web browser to access this server.”, just like you said. My suggestion would affect only “hosts from the LAN”, while “the Core” could still access the Web server.
Thanks,
Marko
thanku 9tut.
packet trcr for access list 2 is working fine..
hi guys, where can i get the packet tracer? this is what i need like a router simulation program ,right? can somebody email me where to find it and how i could use it for this type of labs? my email address is jac1294@gmail.com. i would like to practice the labs before writing the exam next week. thanks in advance. much appreciated.
Hi, can u pls send me d 12 labs as i’ve been lookin 4 what to practice with. Thanks 4 d gud work.
my1759@yahoo.com
@mohsin soudagar
Could you please send me the 12 labs, my exam is on dec 21.
my emai address is farhad_dnv@yahoo.com
thnx
today i pass ccan exam ,acl2,vtp,eigrp
vce dumps it’s valid thank you 9tut and exam collatio
i wont thank my friend mohsen coz he is help me also
Hi, engineers and potential engineers, i wrote my exam on 12 December and scored 1000/1000, it is possible, please don’t panic.
Sims were: VTP, Eigrp as no. 23, with wrong as no. of 22, Access-list sim 2 with different addresses.
All questions from Acme, Mashti and i also used the pass4sure frm certuniverse.blogspot.com with 473Qs. Be careful, there are many wrong questions on Acme’s dump.
I am excited but i have a problem at the same time, my name was misspelled and when i went to the certification tracking system on the “update personal info” i can’t edit my name, anyone help!!!!!!!!!!!!!!
I wouldn’t recommend creating additional statements. The question says to do it in 3 statements.
@fatah
i am really happy that u passed it..
its absolutely my pleasure to help you..
may god always bless you :) :)
On the Lab acl lab sim 2 how do you ping from the pc? I get host name unresolved when I ping. Also on router rip instead of 172.16.0.0 it should be 172.22.0.0.
Very nice job on packet tracer. Thank you I appreciate it.
Hi I have my exam on the 30th! I would appreciate it if anyone kind enough to send me all the labs! my email is ptt15@yahoo.com.
Congrats to those who have passed and good luck to those with the upcoming tests!!
hi, i am new here and find it quite interesting. Well would anyone be kind enough to send me the lab sims available. i am having my exam on the 24th of this month.
Hi Friends,
I am having exam on 27 th, can u pls share the latest Simulation dumps,
Pls share the documents @ karthik.ece.t@gmail.com
waiting for ur inputs
Thanks in Advance :-)
Dear All,
I have scheduled my CCNA exam in within 48hrs. If there is any changes in SIM please let me know.
Thanks for folks.
Guys, please don’t send Karthik any dumps.
Hi I have planned to do CCNA exam on jan 2011. can anyone send me all the lab simulation for practise. I would be very thankful
mansoor.m@hotmail.com
Hi everyone, I have to appear for CCNA in next 24 hours, If any one can help me to send Latest dumps of testinside.
PLEASE HELP I HAVE TO PASS THIS EXAM INSHALLAH
Kindly send any helping stuff at………….( azhar_iqra@hotmail.com)
WISH ME BEST OF LUCK AND CONGRATS TO ALL PASSED CANDIDATES.I LUV U ALL.
hello dears i have dumps of testinside v17.14 and i has 356 question.plz do inform me that is it valid or not .plz plz if not so plz send me dumps on my e mail rafaqat_edu@yahoo .com i have exam on 15 jan
In the exam are the questions totally random or do they come in section, such as, say for example, 10 question on switching, then 10 questions on routing protocols, etc, etc.
Thanks on advance, got my CCNA exam in Jan 2011, hope they don’t change the sims for 2011.
@mohsin soudagar
I am planning to take the exam this coming jan 2011, please send me the 12 labs. My email add is magsinoas@yahoo.com
Thanks =)
@ fabulous and everyone ….i studied Acme Dumps and 9tut labs… am gonna write exam tomorrow.. r u all sure that in ACME dumps all the questions are correct and valid.. plzzzz reply me fast..
got this 2day in ma exam , host A , thxx 9tut
CCNA 640-802 study guide
Can anybody please tell me: in the question it is given “No other hosts from the LAN nor the Core should be able to use a web browser to access this server”. But the answer given here allows the Core network to access the Finance Server.
Are we supposed to configure only that much in the CCNA exam, or is more configuration needed?
Please help me… I have my exam tomorrow. Please..
I have a simulation to this question if u want it get to me via mail at stizzler04@yahoo.com
Hi everybody,
Today I scored 949/1000 in CCNA 640-802 exam
Heartly Thanks to 9tut they have explained very well all the simulators here just do that perfectly
Sims are ACL2, EIGRP and VTP
But make sure about IP addresses and PCs
Eigrp sim
I got 192.168.66.0 and 192.168.36.0 Network IDs for Regional2 router and the AS number was 122
It was not misconfigured with 22 number, so I didn’t say no router eigrp 22 in configuration
ACL2
There were PC1 insteed of PC3 should be access finance server IP was different
Finance server IP address was 172.22.173.28
Take care about VTP sim I lost some points in there you have to understand and find the correct answers
I studied from Todd Lammle’s 6th edition book and prepared from acme 17.14 356qs are pretty valid
I am not sure about Jan 2011
For acme 17.14 vce 356qs just go through this link
http://www.examcollection.com/cisco/Cisco.TestInside.640-802.v17.11.by.Acme.310q.vce.file.html
to open all questions you have to get VCE cert exam designer and manager as well as exam formater
Wish you all the best
And HAPPY NEW YEAR 2011
How can you verify your results?
I know, 9tut, you say that in the real exam
I should open the browser of host C,
but currently can I verify this from the topology?
Because when I type the address of the finance browser,
either nothing happens or I get some host restart error message.
The commands are correct;
I have tried many times,
and I can’t verify the difference between host C and the others in accessing.
Just one question for you: FROM THE TOPOLOGY WHICH you have given us, I can’t verify my connectivity by typing the finance browser from host C, right? Can I only do it in the real exam, or can I also do it in this topology?
Please do reply.
Many thanks in advance.
You can do it in this topology by using the “Real-Time” simulation function in Packet Tracer. You will see the packets from other hosts (than host C) being denied and dropped at the router.
@Riya: The Core network can’t access the Finance Web Server too because we apply the access list at the outbound interface (Fa0/1).
So, if ACL-110 is applied correctly (in PT v3), what should I see when using host 3’s web browser and entering 172.22.242.33, as I get “request timeout”?
Can you explain how to use the “real time” function in PT, as the panel is and remains blank.
Thanks for your help.
Sorry, I mean Access-List 100 not 110, a typo.
Hi all, Can somebody please send me the 12 Lab sims. I will be soOOOO greatful…
I am taking the exam within 1 week. Pleas.. guys..
email: shamal_22@hotmail.com
This is my second time and I can’t fail again !!!!!!!!!
Thanks in advance…
HELP please…!!
Hi friends, compliments 2 u all! Please i need the 12 lab sims topology, as i will be written my exam on saturday.
Pls i need it very urgently to practice.
God bless u all
Email: my1759@yahoo.com
Hello all, how is the value 100 decided? Can anyone please explain?
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 ..
How did 100 come up after access-list? Because I was looking at some other stuff in testinside, the IP addresses are different and the value was 128. I am confused..
Any help would be greatly appreciated. Thanks..
Also, do we have to save before typing the commands end and copy running-config startup-config? Will there be any save option?
can anyone plzzzzzzzzzzzzz help me…..
i urgently need all the latest sims and dumps…
questions have been increased i guess…
plz send at parry_eminem@yahoo.com
@ 9tut: What to do in simulation?
I created 2 complex PDUs, one from host C to the specified server
and some other from host D or A or B to this server.
In the filter I selected HTTP,
but nothing is happening when I press the play/capture button. Why?
Why do my posts keep getting deleted :(
@mohsin, @ fatah, @anybody, pls am writing on friday, 7/jan; can anyone send me the 12 labs. please!!
my email is Cenjeff@ymail.com, thankx so much
Hi ,
I have exams on next week. So Please send your dumps ahamed5zal@yahoo.co.in This is for your kind information. pls send 12 labs…pls pls ..help
Thanks
Learn Cisco Tips at http://www.youtube.com/user/imeezz that would be helpful for your exam and real world
Thanks
Muhammad Imran
Instead of denying the other host like this>
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Could I use this line and get same result?
Corp1(config)# access-list 100 deny tcp 192.168.30.0 0.0.0.255 172.22.242.23 eq 80
It seems to work in the simulation but will it be marked as the same in the actual exam???
Hi all,
Happy new year!
Please send me the 12 labs.. fajardo.joseantonio@yahoo.com
Thanks in advance!
@TiredEyes: There is spam protection on 9tut and maybe some of your comments have been filtered. I am sorry about that.
This is really a very interesting simulation.
It clears all my doubts about access-lists, and about where to apply an access-list to filter the traffic exactly.
Thanks to 9tut.com
Shouldn’t an extended ACL be configured on the interface closest to the source? How come it is configured outbound on fa0/1? I think it should be configured inbound on fa0/0.
Hi all
Can anyone send me the 12 labs ? My email: morshed.shahed@yahoo.com
I will be grateful.
Thanks
hii guys….
plz send me d 12 labs…id is justin80808@gmail.com
THANK YOU 9 TUT TODAY I PASS and am CCNA. Could not have done it without 9tut!
Eigrp ACL2 VTP labs.
Acme Masthi Dumps.
Thanks you 9 tut.
I opened IE on PC 2 after I had already fixed everything. It shows me
“Server reset connection”. Is that normal or not?
But when I check the traffic flow in simulation mode it is OK:
only PC 2 can successfully send and receive with the web server.
Can anyone tell me, please?
Please tell me how to check traffic flow in Simulation mode?
Are these labs accurate? please send any updated labs to vahustler@ymail.com. Thank you so much!
ppl when i ping i see request time out….i will cry
People, in ACL2, what if I tried to make this ACL with 172.22.242.30 instead of 172.22.242.23, since it states that the Server LAN is from 172.22.242.17 – 172.22.242.30?
So is any number correct? And if not, then why did he choose 23 instead of 30, which is shown in the running configuration?
i have exam tmrw 14th 3pm ,,, if any body can help,plz help my contact kianoushf@gmail.com
i really appreciate
by the way a special tnx for 9tut for all efforts
Hi 9tut,
One small question: why do we use 100 as the access list and NOT a standard list?
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
thx.
@Bouhdila,
I am not 9tut, but to answer your question: a Standard Access List allows you to permit or deny by IP address. An Extended Access List allows you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. It also allows you to specify different types of traffic such as ICMP, TCP, UDP.
Can someone send me this lab sim to vennela.sweety16@yahoo.com asap I have an exam tomorrow.Above download link is not opening in my laptop