CCNA Access List Control (ACL) Simulation

 

A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.

Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17



Corp1>enable
Password: cisco
We should create an access-list and apply it to the interface which is connected to the Servers LAN interface, because it can filter out traffic from both Sw-Hosts and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show ip interface brief” command to check which interface has the IP address of 172.22.242.30.
Corp1#show ip interface brief
Interface        IP-Address      OK? Method Status Protocol
FastEthernet0/0  192.168.33.254  YES manual up     up
FastEthernet0/1  172.22.242.30   YES manual up     up
Serial0/0        198.18.196.65   YES manual up     up

We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal

Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)

Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out

Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply the access list inbound on Fa0/0, it can only filter traffic from the LAN network; traffic arriving from the Core over Serial0/0 would never pass through it.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config

This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.
Notice: In the real exam, you might be asked to allow a different host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.

Modification #1
A network associate is adding security to the configuration of the Corp router. The user on host B should be able to access the Finance Web Server. Host B should be denied access to the other servers on the S1-SRVS network. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host B access to the Finance Web Server. Deny host B from accessing the other servers. All other traffic is permitted.
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
access-list 100 permit ip any any

Modification #2
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to access the Finance Web Server. No other hosts from the LAN nor the Core should be able to access this server. All other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C to access the Finance Web Server. No other hosts will have access to the Finance Web Server. All other traffic is permitted.
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any

Modification #3
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. Other access from host C to Finance Web Server should be denied. No other hosts from the LAN nor the Core should be able to access the Finance Web Server. All other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. Host C should also be denied access to any other services on the Finance Web Server. No other hosts will have access to the Finance Web Server. All other traffic is permitted.
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any


Modification #4
A network associate is adding security to the configuration of the Corp1 router. The user on host D should be able to use a web browser to access financial information from the Finance Web Server. Other access from host C to the Finance Web Server should be denied. No other hosts from the LAN nor the Core should be able to access the Finance Web Server. All hosts from the LAN and the Core should be able to access the Public Web Server.

The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host D to use a web browser (HTTP) to access the Finance Web Server. Other types of access from host D to the Finance Web Server should be blocked. All access from hosts in the Core or local LAN to the Finance Web Server should be blocked. All hosts in the Core and local LAN should be able to access the Public Web Server.

access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
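To check the walkthrough and the modifications above offline, here is an added example (it is not code from the original post or from the simulator): a small first-match model of a Cisco numbered extended ACL, plus a model of where the ACL is applied on Corp1. It reproduces the point made in the walkthrough, that an ACL applied inbound on Fa0/0 never sees traffic arriving from the Core over Serial0/0, and evaluates the Modification #1 and Modification #4 answers (the latter with host D's address 192.168.33.4 from the host list). The addresses and ACL lines are the ones on the page; the Core host address 198.18.196.66 and the /30 on Serial0/0 are constructed assumptions.

```python
"""Added example (not from the original post): a first-match model of the
Cisco numbered extended ACLs above, so the answers can be checked offline.
Addresses, ACL lines and interface names come from the post; the Core host
address and the subnet behind Serial0/0 are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Topology from 'show ip interface brief' on Corp1 (the /30 on Serial0/0 is
# an assumption; only "which interface reaches this address" matters here).
INTERFACES = {
    "FastEthernet0/0": ipaddress.ip_network("192.168.33.0/24"),   # Hosts LAN
    "FastEthernet0/1": ipaddress.ip_network("172.22.242.16/28"),  # Server LAN
    "Serial0/0": ipaddress.ip_network("198.18.196.64/30"),        # Core link
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"           # "tcp", "udp", "icmp" ... ("ip" = unspecified)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    dport: Optional[int] = None


def addr_matches(spec: str, addr: str) -> bool:
    """IOS address specifier: any / host X / network wildcard-mask."""
    if spec == "any":
        return True
    words = spec.split()
    if words[0] == "host":
        return addr == words[1]
    net, wildcard = (int(ipaddress.IPv4Address(w)) for w in words)
    care = ~wildcard & 0xFFFFFFFF       # 0-bits of the wildcard must match exactly
    return int(ipaddress.IPv4Address(addr)) & care == net & care


def parse(line: str) -> Entry:
    """Parse 'access-list 100 permit tcp host X host Y eq 80' into an Entry."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]

    def take(words):                    # consume one address specifier
        if words[0] == "any":
            return "any", words[1:]
        if words[0] == "host":
            return f"host {words[1]}", words[2:]
        return f"{words[0]} {words[1]}", words[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Entry(action, proto, src, dst, dport)


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (addr_matches(e.src, pkt.src) and addr_matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def interface_for(addr: str) -> str:
    for name, net in INTERFACES.items():
        if ipaddress.ip_address(addr) in net:
            return name
    return "Serial0/0"   # assumption: everything else lives beyond the Core link


def forward(acl, applied_on: str, direction: str, pkt: Packet) -> str:
    """Router decision: the ACL only sees packets crossing applied_on in that direction."""
    ingress, egress = interface_for(pkt.src), interface_for(pkt.dst)
    crosses = (direction == "in" and ingress == applied_on) or \
              (direction == "out" and egress == applied_on)
    return evaluate(acl, pkt) if crosses else "permit"


ACL_ORIGINAL = [parse(l) for l in (            # the walkthrough's answer
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any")]
ACL_MOD1 = [parse(l) for l in (                # Modification #1 (host B)
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any")]
ACL_MOD4 = [parse(l) for l in (                # Modification #4 (host D)
    "access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80",
    "access-list 100 deny ip any host 172.22.242.23",
    "access-list 100 permit ip any any")]
FINANCE, PUBLIC = "172.22.242.23", "172.22.242.17"
CORE_HOST = "198.18.196.66"                    # constructed address on the Core side

if __name__ == "__main__":
    for label, acl, iface, dirn, pkt in (
        ("host C web -> Finance, ACL out on Fa0/1", ACL_ORIGINAL, "FastEthernet0/1", "out", Packet("192.168.33.3", FINANCE, "tcp", 80)),
        ("Core web -> Finance, ACL out on Fa0/1", ACL_ORIGINAL, "FastEthernet0/1", "out", Packet(CORE_HOST, FINANCE, "tcp", 80)),
        ("Core web -> Finance, ACL in on Fa0/0 (never seen)", ACL_ORIGINAL, "FastEthernet0/0", "in", Packet(CORE_HOST, FINANCE, "tcp", 80)),
        ("host B web -> Public, Mod #1", ACL_MOD1, "FastEthernet0/1", "out", Packet("192.168.33.2", PUBLIC, "tcp", 80)),
        ("host D ftp -> Finance, Mod #4", ACL_MOD4, "FastEthernet0/1", "out", Packet("192.168.33.4", FINANCE, "tcp", 21)),
    ):
        print(f"{label:50} {forward(acl, iface, dirn, pkt)}")
```

Running it shows the Core host denied web access only when the ACL is outbound on Fa0/1, host A still reaching the Finance server on non-web ports (the point made after the walkthrough), and, for Modification #1, that hosts other than B are not blocked from the Finance server at all, which is what the disagreement in the comments is about.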



Download LAB file (need packet tracer to open)
https://app.box.com/s/yizuzzbkagp4v0j52a50

Mirror:
http://www.4shared.com/file/heZzTLiH/ACL_Sim.html?

Download Video file
https://app.box.com/s/uri1xwy29gw0qc0smlk0

41 Responses so far.

  1. what commands have you used for ACL?
    - Host D should be able to use a web browser(HTTP)to access the Finance Web Server
    - Other types of access from host D to the Finance Web Server should be blocked
    – All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
    - All hosts in the Core and local LAN should be able to access the Public Web Server
    Answer 1:
    Access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
    Access-List 100 deny ip any host 172.22.242.23
    Access-list 100 permit ip any any
    Answer 2:
    Access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
    Access-List 100 permit ip any host 172.22.242.17
    Access-list 100 deny ip any any
    When asked – all can access to public server should I use answer 2 or answer 1?
I know if it only said all other traffic is permitted I can use answer 1 without doubt. I am having confusion when it is said all can access the public server… both are correct for that maybe, and answer 2 fully satisfies the need, right? Please help me out to understand…

  2. @ACME PLEASE:command 2 use eq 80????
    Modification #3
    The user on host C should be able to access the Finance Web Server
    Other access from host C to Finance Web Server should be denied
    No other hosts from the LAN nor the Core should be able to access the Finance Web Server. All other traffic should be allowed:
    access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
    access-list 100 deny ip any host 172.22.242.23 use ((((( eq 80))))
    access-list 100 permit ip any any

  3. @acme i understand you ;)
    Other access from host C to Finance Web Server should be denied ########## No other hosts from the LAN nor the Core should be able to use a web browser to access this server .

  4. Nirates says:

    @mostapha
    both answers would not answer the question fully.

    From your Answer 1, line 1 and 2 answer only the first two statements of the question. Remember that the last statement of the question was 'specifically' to allow Core and LAN access to Public Server, and the Public server has a different ip address. so the correct command would be:

    Access-list 100 permit ip any host 172.22.242.17

    From your Answer 2, line 1 answers the first part of the question, while line 2 answers the last part of the question. Remember that the question says 'Other types of access from host D to the Finance Web Server should be blocked. All access from hosts in the Core or local LAN to the Finance Web Server should be blocked'. It is stated SPECIFICALLY, to block all access to ONLY the Finance server and not to other servers. So the right command should be:

    Access-list 100 deny ip any host 172.22.242.23

    ...I hope this helps

  5. Nirates says:

    @Farah,
    the question did not ask that you deny WEB access to the financial web server. it is only when web access is involved that you can add eq 80 to the command.

    ...I'd suggest you read the question carefully. Besides, try out the commands on your packet tracer and confirm which works. ;)

  6. This comment has been removed by the author.
  7. Anonymous says:

    Just passed This Friday Oct 4. SIM Is valid. Thank you.

  8. Adi says:

    Hello Guys I hope you will be fine there.Now New CCNA (200-120) and CCNA security (640-554) Vouchers on special discount of 58% for World wide, with six months expiry date till you purchase. Each voucher cost 70USD.

    Details Required For CCNA Voucher For Discount Processing:

    1-Full Name. 1st Name & Last Name (as you want to appear on certificate & documents)
    2-Country.
    3-City.
    4-State.
    5-Pin Code (or Area Code)
    6-Residential Address (or where you can collect your Certificate or further correspondence
    can be received)
    7-Date of birth
    Add me on Skype through this information which is written below:
    Skype Name: rockon660
    you can also email me at this email address which is written below:
    madeelqaiser@gmail.com
    If you have any Questions feel free to contact me.

    Thanks,
    Best regards,
    Adeel

  9. m0bi says:

    Passed 200-120 exam Today with 958/1000. Do not waste time and money guys only testinside Purchased 100% valid dumps Lab was ACL2 Modifications & EIGRP with few but Same.
    200-120 dumps Testindie Q307 with secondary Key # in cheap price contact me at Mubasher95@Gmail.com
    Good Luck!

  10. Anonymous says:
    This comment has been removed by a blog administrator.
  11. Anonymous says:

    can I add command: "no ip domain-lookup"
    to prevent stupid annoying translate.. error message?

  12. Anonymous says:

    I just finished my ccna exam... scored 958 in second attempt .... almost all the questions from 9tut,examtut, acme spintry...... I could have passed if I knew this excellent site before.... thank youuuuuu

    got ACL1, ACL2, EIGRP..... same sim with slight modifications....

  13. Anonymous says:

I'm confused about the command answers for Modification #3 and #4, why are they the same command?

    In Modification #4, I think Host D ip address is 192.168.33.4.

  14. Why "Request Timeout" when using the Web Browser of "D"????
    (Modification 4)

  15. Anonymous says:

    @ Rajiv Widyaratne
    the ip of host D in the answer is wrong ... it should be 192.168.33.4 ... not 192.168.33.3 , a copy paste simple mistake
    try
    access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
    access-list 100 deny ip any host 172.22.242.23
    access-list 100 permit ip any any

    it will work ;)

  16. Anonymous says:

    MODIFICATION #4

    How can you complete all of the tasks without adding a "Access-list 100 permit ip any host 172.22.242.17" as a fourth statement?

    Thanks!!

  17. Beso says:

    Modification #4
    access-list 100 permit ip any any

    will allow all hosts to public and others so there is no problem i think !!
    and cuz in this ques it requires only 3 statements ..

  18. Anonymous says:

MODIFICATION #1: Is this the correct way to do things, minus that I should have checked the access list BEFORE I copied it? I am still a newbie at this but trying hard. Thanks.

    Corp1#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Corp1(config)#access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23
    Corp1(config)#access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
    Corp1(config)#access-list 100 permit ip any any
    Corp1(config)#interface fa0/1
    Corp1(config-if)#ip access-group 100 out
    Corp1(config-if)#end
    Corp1#
    %SYS-5-CONFIG_I: Configured from console by console

    Corp1#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    Corp1#show access-list
    Extended IP access list 100
    permit tcp host 192.168.33.2 host 172.22.242.23 (6 match(es))
    deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 (30 match(es))
    permit ip any any
    Corp1#

  20. Anonymous says:

    i had passed my ccna exam with 972/1000 score on 12 feb.
    the labs were acl1,acl2 and eigrp
    acl 1 (same as it is)
eigrp (just change of AS and advertising a network (same as it is) with NO issue about passive interfaces and default network )
    acl 2 (with bit modification)

    "The task is to create and apply a numbered access-list with no more than three statements that
    -> will allow ONLY host A web access to the Finance Web Server.
    ->All other traffic from A to finance server is denied.
    ->All traffic from lan servers(B,C,D) and core to the Finance Web Server is denied.
    -> All other traffic is permitted to public server.

  21. Anonymous says:

MODIFICATION 1 CAN'T BE DONE IN 3 SENTENCES, the question needs to be wrong.

  22. Anonymous says:

    In the second modification which is HOST B. which said that to ALLOW only host B to access finance server and deny host B from other servers.
I tried many times but it's possible to access the finance server and public web server through all hosts. I copied the commands as they're mentioned there and I got the same problem. Is it a bug in the SIM or is it all right when other hosts access all the servers?

  23. Anonymous says:

    MODIFICATION 1 GUYS ISN'T CORRECT. SOME ONE HELP PLEASE.

  24. Anonymous says:

Can anyone tell me what's acl sim1 and acl sim2?

  25. Anonymous says:

I think for MOD1 the following will be right

    access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23 eq 80
    access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
    access-list 100 permit ip any any

  26. Barry says:

    Mod 1 suggestion below is wrong:
    access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23 eq 80
    access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
    access-list 100 permit ip any any

    As written, all hosts would have access to the Financial Web server.
    Agree that it is impossible (as the requirements are outlined) to complete this in 3 statements.

  27. Anonymous says:

    Scored 1000/1000. Thanks to examcollection for dumps and 9tut for Labs. Watson dumps are the most valid of all. One or two questions might not be from any dumps so one can only score full if the concepts are right to the mark. If anyone needs to discuss anything or needs help,
    email me on mj_nottinghamian@hotmail.com or add me on
    skype: mohsin.jawed
    Looking forward to help anyone with networking queries as indirectly I will be helping myself to explore more about networking.
    Thank you once again examcollection.

  28. Roberto says:

    Modification #1 is CORRECT, is not indicate that "No other hosts will have web access to the Finance Web Server".

  29. Jerzy says:

Modification no 3 requires denying other access than tcp for host C only to the financial web server, so why is ACL no 2 denying all hosts from LAN and Core?
Also this is not relevant to modification no 1, where in the same way host B is denied to the Financial Web Server
I think modification 3 is as below:
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
Corp1(config)#access-list 100 permit ip any any

  30. This comment has been removed by the author.
  31. Dear all,

    Can anyone tell me which software will be used in the exam, I heard it will not be packet tracer and the other software which will be used has no help '? ' feature, so am I supposed to memorize all these commands by heart ?

  32. Anonymous says:

    there is a typo on Mod4:
    only host D able to web access to Finance server, so IP address should be 192.168.33.4

  33. ACL1 ACL2 EIGRP
    https://www.youtube.com/watch?v=FO3eD6oAIRQ&index=2&list=PLW2Xk7jJ5ZSoFn2G_x0ql_S5AlKvaDaOZ

  35. full ccna exam and dump
    https://www.youtube.com/watch?v=Q7cTJsVxebc&list=UUyppZ-pXVGuzXQEq8L8HEhg

  36. Maka says:

    Find new CCNA test questions at exams.cf/cisco and exams.eu.pn/cisco
They helped me a lot, but the sims from examtut are also a great preparation

  37. LATEST DUMPS AVAILABLE CCNA 200-120 GUARANTEED VALID AT BELOW LINK
    http://ccna-dumps200-120.blogspot.com/

  38. Anonymous says:

    Modification 4 in 1st statement should be

    #access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80

    as it says host D

  39. Anonymous says:

    Very good point
    mod 4 HOST D ( 192.168.33.4)
    #access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80

  40. Alishtan says:

    I recommended http://www.grades4sure.com/200-120-exam-questions.html ! I passed my CCNA Routing and Switching 200-120 exam yesterday with the score 92%. You can try the demo before you pay for the order. 100% money back guarantee. You will lose nothing.

  41. Aminda says:

    Here on Cisexams you'll be able to get all Cisco certification exams. If you're not ready for your Cisco 200-120 certification exams and you need assistance of someone so you don’t need to take any tension. we are here to resolve your all issues that you're facing throughout the study. Our study material, certification exams questions Answers are 100% correct, reliable and 100% free for all students around the world. You don’t need to pay cash for your IT exams study material. simply visit Cisexams.com and get all Cisco certification exams dumps in one place. Keep visiting and feel free to ask any question about Cisco exams.
    http://www.cisexams.com/200-120-dumps
