CCNA Access List Sim 2
Question
Answer and Explanation
(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: https://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: https://www.9tut.com/download/9tut.com_Access-list_sim2.zip
Corp1>enable (you may enter “cisco” as it passwords here)
We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.
Corp1#show running-config
We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.
In the exam, just click on host C to open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server via HTTP or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)
Notice: You might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.
Some modifications (mods):
Modification 1 (Mod 1):
| permit host B from accessing finance server | access-list 100 permit ip host 192.168.33.2 host 172.22.242.23 |
| deny host B from accessing other servers (not the whole network) | access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 |
| permit everything else | access-list 100 permit ip any any |
Modification 2 (Mod 2):
| Only allow Host C to to access the financial server | access-list 100 permit ip host 192.168.33.3 host 172.22.242.23 |
| Not allow anyone else in any way communicate with the financial server | access-list 100 deny ip any host 172.22.242.23 |
| Allow all other traffic | access-list 100 permit ip any any |
Modification 3 (Mod 3):
| – Host C should be able to use a web browser(HTTP)to access the Finance Web Server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| – Other types of access from host C to the Finance Web Server should be blocked – All access from hosts in the Core or local LAN to the Finance Web Server should be blocked |
access-list 100 deny ip any host 172.22.242.23 (because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN) |
| – All hosts in the Core and local LAN should be able to access the Public Web Server * | access-list 100 permit ip any host (If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any” |
Modification 4 (Mod 4):
| Host C should be able to use a web browser to access the financial web server | access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80 |
| Other types of access from host C to the finance web server should be blocked | access-list 100 deny ip host 192.168.33.3 host 172.22.242.23 |
| All hosts in the core and on the local LAN should be able to access the Public web server * | access-list 100 permit ip any host (The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any” |
* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.
(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out
And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)
I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need new version of Packet Tracer to open it (v5.1+).
Download this sim here
Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.
And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.
Hi
I can not see the question can somebody share it, please
Hi Guys
Can someone kindly please share packet tracer lab for GRE Multilink Sim and EIGRP GRE Troubleshooting Sim packet tracer lab as well as packet tracer for OSPF Neighbor Sim and I am writing my CCNA 200 – 125 at the end of this month
Your prompt response in connection herewith will be highly appreciated.
Marry Christmas folks
Kind regards,
latest dumps please taking exam on 28th jeremy g november (at) hotmail dot com
Took ccna R&S exam on 28-dec-2019.this ACL lab was in exam. Passed 895/1000.
Can somebody jus explain me if I am doing something wron on this website… I am not being able to see the quiestions It just has the title “Question” and that is it. Thanks in advance BTW just took the test, did not pass but this sim was there.
This sim was in today’s exam without the dns server ,addresses were different but everything else was the same.
latest dumps , please email me via mchezoe (at) gmail.com
pls share dumps on hammadkhan1995(attherate)gmaildotcom
sh run
Cleared the CCNA R&S Exam with 957/1000. All thanks to @9TUT…it would not have been possible without you guys!!
Got four Labs, and all the Labs including this one were from 9TUT. But the configurations like IP addresses were changed to create confusion. So, dont just cram,learn with real understanding. In this Lab DNS server was missing in the exam. Other Labs were ACCESS LIST SIM with the exact configurations, DHCP SIM.
Thank you so much 9TUT !!! It was a complete hard work of 10-12 months. Be very careful about learning the practical aspects. Approx. 75% of the questions were from here and the rest were from IT Libraries practice Dumps etc
Really good practice questions!!
Are all the labs from here only ??
Yeah….at least this is what I got !!
Thanks 9tut. I studied for three months and passed my ccna 200-125. Everything is from here and this ACL was exactly at the exam with different ip address.
-ACL configuration
– EIGRP gre troubleshooting
– 2 drag and drop
– The multiple choice questions are not that easy but as long as you master the labs, you can compensate that. Multiple choice questions are tricky but avoid the most obvious wrong answer so that your probability of getting the right answer is high. Don’t just guess! And time was a big factor. If you are slow , you might be in danger! Be aware of the most unnoticed chapters like WAN technologies, Infrastructure services. And my most valuable technique was to read practice exams till the last moment. There are resources at every tab. 9tut community share their resources at the comment section of each topic. If you need contact me as well, I can share. Good luck everyone !
@Pushkin please share with e the latest dumps via my email blinyoloekangu at gmail.com my exam is on Friday the 31/01/2020
Thanks
Hello
Please CCNAv3 questions 7
Thanks
oa554537@gmail (.)com
Please share with e the latest dumps via my email poweredbycai2 at hotmail.com
I will take in early February 2020. Please share with e the latest dumps via my email gi667799@gmail (.) com
If you get this ACL 2 lab, and get MOD 2……does MOD 2 replace the original configurations? Or do you have to complete the original steps and the additional MOD 2 steps? Thanks.
Hello
Pushkin
Please CCNAV3 questions 1-7
I’m going To have CCNA 200-125 exam next week. I would be glad if you share with me the latest questions. Thanks in advance
oa554537@gmail (.)com
@Pushkin
Plz CCNAv3 Question 1-7.
I’m going to have my exam CCNA 200-125 next week.I would be glad if you share that questions with me.
Thanks ..
{email not allowed}
@Pushkin
plz CCNAv3 question 1-7.
email: ummeyjahanprima (at) gmail (.)com
What is CCNAv3 question 1-7?? if you have the latest dump (i sent you mail i guess), that is just fine!
i am taking the CCNA 200-125 on the 17th of February 2020, pleas kindly send me the latest dumps to my email swdbaddoe@gmail(.)com
@Pushkin
i am taking the CCNA 200-125 on the 17th of February 2020, pleas kindly send me the latest dumps to my email swdbaddoe@gmail(.)com
@Pushkin
i am taking the CCNA 200-125 on the 19th of February 2020, please help me send me the latest dumps to my email mgueslin21@gmail(.)com
I will take in early February 11/02/2020. Please share with the latest dumps via my email (aqelmemon88@gmail(.)com watsapp no 03340763310)
Hello
I’m going to have CCNA 200-125 exam on Feb 12.
CCNAV3 questions 1-7
. Thanks in advance
please share latest dump grnthinkbig@gmail(.)com
Thanks!!
Passed 950 yesterday. I have dumps