
CCNA Training CCNA Access List Sim 2 Page 1 of 8


CCNA Access List Sim 2


February 15th, 2012

Question

A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. Neither other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location, including other resources on the Finance Web Server, all other traffic should be allowed.

The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.

All passwords have been temporarily set to cisco.


The Core connection uses an IP address of 198.18.196.65.
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 - 192.168.33.254:
- Host A: 192.168.33.1
- Host B: 192.168.33.2
- Host C: 192.168.33.3
- Host D: 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 - 172.22.242.30.
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17.

Answer and Explanation

(Note: If you are not sure how to use access-lists, please check out my access-list tutorial at http://www.9tut.com/access-list-tutorial. Also, some modifications to the access-list have been reported, so you should read the "Some modifications" section at the end of this question to understand more. You can also download this sim to practice (open it with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt)

Corp1>enable (enter cisco as the password here)

We should create an access-list and apply it to the interface connected to the Server LAN, because there it can filter traffic coming from both the Sw-2 and Core networks. The Server LAN has been assigned addresses 172.22.242.17 - 172.22.242.30, so we can guess that the interface connected to it has the IP address 172.22.242.30 (.30 is the number shown in the figure). Use the show running-config command to check which interface has the IP address 172.22.242.30.

Corp1#show running-config


We learn that interface FastEthernet0/1 is the interface connected to the Server LAN. It is the interface to which we will apply our access-list (in the outbound direction).

Corp1#configure terminal

Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (TCP port 80):

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Deny all other hosts web access to the Finance Web Server:

Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

All other traffic is permitted:

Corp1(config)#access-list 100 permit ip any any

Apply this access-list to the Fa0/1 interface (outbound direction):

Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out

Notice: We have to apply the access-list to the Fa0/1 interface (not Fa0/0) so that it can filter traffic coming from both the LAN and the Core networks. If we apply the access-list inbound on Fa0/0, we can only filter traffic from the LAN network.

In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check whether you are allowed to access the Finance Web Server. If your configuration is correct, you can access it.

Click on the other hosts (A, B and D) and check to make sure you can't access the Finance Web Server from these hosts.

Finally, save the configuration:

Corp1(config-if)#end
Corp1#copy running-config startup-config

(This configuration only prevents hosts from accessing the Finance Web Server via web. If this server supports other services such as FTP or SMTP, other hosts can still reach those.)

Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.

Some modifications:

Modification 1:
- Permit host B to access the Finance server:
  access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
- Deny host B from accessing the OTHER server (not the whole network):
  access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
- Permit everything else:
  access-list 100 permit ip any any

Modification 2:
- Only allow host C to access the financial server:
  access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
- Do not allow anyone else to communicate with the financial server in any way:
  access-list 100 deny ip any host 172.22.242.23
- Allow all other traffic:
  access-list 100 permit ip any any

Modification 3:
- Host C should be able to use a web browser (HTTP) to access the Finance Web Server:
  access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the Finance Web Server should be blocked, and all access from hosts in the Core or local LAN to the Finance Web Server should be blocked:
  access-list 100 deny ip any host 172.22.242.23
  (Because the requirement says we cannot use more than 3 statements, we have to use "any" here to cover both the hosts in the Core and the hosts in the local LAN.)
- All hosts in the Core and local LAN should be able to access the Public Web Server *:
  access-list 100 permit ip any host <IP of Public Web Server>
  (If the question asks this, it surely has to give you the IP of the Public Web Server. In the exam, however, you should use access-list 100 permit ip any any.)

Modification 4:
- Host C should be able to use a web browser to access the financial web server:
  access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
- Other types of access from host C to the finance web server should be blocked:
  access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
- All hosts in the Core and on the local LAN should be able to access the Public Web Server *:
  access-list 100 permit ip any host <IP of Public Web Server>
  (The IP of the Public Web Server will surely be given in this question. In the exam, however, you should use access-list 100 permit ip any any.)

* There are some reports about the command for "All hosts in the Core and on the local LAN should be able to access the Public Web Server" saying that the correct command should be access-list 100 permit ip any any, not access-list 100 permit ip any host <IP of Public Web Server>. Although I believe the second command is better, you should perhaps use the first command (access-list 100 permit ip any any) instead, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.

(Note: Don't forget to apply this access list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out

And in the exam they may slightly change the requirements, for example host A or host B instead of host C, so make sure you read the requirement carefully and use the access-list correctly.)
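The way the router works through ACL 100 (top-down, first match wins, wildcard bits set to 1 are ignored, anything unmatched hits the implicit deny) is what decides whether each of the modifications above does what the requirement asks. The following Python is an added illustration, not part of the 9tut answer: it parses the three statements of the main answer exactly as written, then runs constructed sample flows from host C, host A and the Core (198.18.196.65) through them. The function names and the flow table are my own.

```python
# Added example, not from the 9tut page: a tiny evaluator for the numbered
# extended ACL entries used above (first match wins, then implicit deny).
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host X' or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def matches(ace, flow):
    """Protocol 'ip' matches any protocol; a missing 'eq' matches any port."""
    return (ace["proto"] in ("ip", flow["proto"])
            and wildcard_match(flow["src"], *ace["src"])
            and wildcard_match(flow["dst"], *ace["dst"])
            and (ace["dport"] is None or ace["dport"] == flow.get("dport")))

def evaluate(acl, flow):
    """Walk the ACL top-down; the first matching entry decides the verdict."""
    return next((ace["action"] for ace in acl if matches(ace, flow)), "implicit-deny")

# The three statements from the answer above, as applied outbound on Fa0/1.
ACL_100 = [parse_ace(l) for l in """
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny tcp any host 172.22.242.23 eq 80
access-list 100 permit ip any any
""".strip().splitlines()]

# Constructed sample flows as they would leave Fa0/1 towards the Server LAN.
FLOWS = {
    "hostC_http": dict(src="192.168.33.3", dst="172.22.242.23", proto="tcp", dport=80),
    "hostA_http": dict(src="192.168.33.1", dst="172.22.242.23", proto="tcp", dport=80),
    "core_http": dict(src="198.18.196.65", dst="172.22.242.23", proto="tcp", dport=80),
    "hostA_ftp": dict(src="192.168.33.1", dst="172.22.242.23", proto="tcp", dport=21),
}

def check_all(acl=ACL_100):
    # Verdict the ACL gives to each sample flow; only host C gets web access.
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}
```

Swapping the last statement for access-list 100 permit ip any host <IP of Public Web Server> and re-running check_all shows why the footnote matters: any flow to a server other than the two named ones falls through to the implicit deny.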

I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer (v5.1+) to open it.

Download this sim here

Notice: After typing the commands above, if you ping from the other hosts (PC0, PC1, PC3), PC4 (the Finance Web Server) can still reply, because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select Web Browser in the Desktop tab of these PCs. When a web browser opens, type the IP address of the Finance Web Server and you can see how the traffic flows in Simulation Mode.

Also notice that in the initial configuration of this sim the Core network can reach the Finance Web Server, so the access-list must be placed where it filters that traffic too.

Comments

1. Anonymous
August 10th, 2012

I thought I understood but am still confused. So permit ip host and permit tcp host: how do you know when to use the proper command? I am sorry, I just need more clarification to understand. Thanks to anybody who helps me with this.

2. Mike
August 10th, 2012

@Anonymous

If, for example, they ask you to permit Web Access or HTTP from a specific host to a specific destination: HTTP = TCP + port 80. It can be another service, like deny Telnet: Telnet = TCP + port 23.
IP we use only when talking about whole or general access to a specific destination. Know the services, their protocol (almost all of them TCP) and the corresponding port number (well-known ports).

3. Anonymous
August 10th, 2012

Perfect, Mike. Thanks, now I understand!

4. Anonymous
August 10th, 2012

I have a question. I am doing the labs under modifications and am having an issue; I am having a hard time with the permit any any command in this modification section. The modification

says access-list 100 permit ip host 192.168.33.3 host 172.22.242.23

And

access-list 100 deny ip any host 172.242.23 and here is my error below?

It doesn't let me put in the command permit ip any any. Any suggestions?

5. Anonymous
August 10th, 2012

Here is a screenshot of what's happening:

Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 100 permit ip host 192.168.3.3 host 172.22.242.23
Router(config)#access-list 100 deny ip any host 172.22.242.23
Router(config)#permit ip any any
^
% Invalid input detected at ^ marker.

6. Anonymous
August 10th, 2012

The modifications say to put the command permit any any, but I think they meant

access-list 100 permit ip any any correct?

7. Anonymous
August 11th, 2012

I have a question:

All hosts in the Core and local LAN should be able to access the Public Web Server * access-list 100 permit ip any host
(If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use access-list 100 permit ip any any

This says to use access-list 100 permit any any, but don't we need to put the IP of the web server? If we just do an access-list 100 permit any any, what is "any any" pointing at? There would be no IP.

Can somebody explain this question for me? On the exam I think I would put access-list 100 permit any host and then the IP of the web server. Am I wrong?

8. Anonymous
August 11th, 2012

If indeed what 9tut is saying is true and I should put the access-list 100 permit ip any any command, how does this work within the access list if it doesn't apply to an ACL? Doesn't an ACL need the IP of the web server so it can work? I am lost on this, guys.


9. vipkma
August 11th, 2012

I passed the exam yesterday: ACL2, EIGRP, VTP (5 questions).

10. jagzeer
August 11th, 2012

@anonymous

The complete syntax should be

access-list 100 permit ip any any. If you just enter permit ip any any, it does not define the numbered access-list you want to apply.

You'll definitely get "invalid input" when you don't enter the complete command.

11. Anonymous
August 11th, 2012

Jagzeer,
Thank you, I thought that was the correct command. The 9tut modification was a bit off; no worries, much appreciated Jagzeer!

12. dyoza
August 11th, 2012

@vipkma

What were the other exam questions? Does the access-list sample above have the same scenario? Did you have subnetting in your exam yesterday? Many thanks.

13. amansufi
August 11th, 2012

Hi friends,
I have received responses to my mail asking doubts regarding the CCNA exam, so I started to write the entire details of the CCNA exam in my blog. Friends, just follow my blog and you will definitely benefit. It will be updated soon, within 24 hours.

validccnadumps.blogspot.com

14. Anonymous
August 11th, 2012

Are the Colliso dumps good enough for the question pool on the exam? I noticed Colliso has 487 questions but pass4sure has 634; any ideas why pass4sure has more questions? I don't want to look over more questions on pass4sure if Colliso is fine.

15. Newbie
August 11th, 2012

I have a question:

Ok, the question above says the following under modifications:

Other types of access from host C to the finance web server should be blocked access-list 100 DENY IP HOST 192.168.33.3 host 172.22.242.23

Then the other modification says the following:

Other types of access from host C to the Finance Web Server should be blocked
access-list 100 deny ip ANY HOST 172.22.242.23

My question is about the deny ip any host and the deny ip host: this looks like the same question, but one has deny ip host and the other deny ip ANY host.

Is this the difference in the exam if it says to do this in 3 statements?

Can somebody help explain to me?

Thanks!

16. jfrodo
August 11th, 2012

I have a question. I applied the access list on R2 in the access list 2 sim, and when I tried to reach the browser from Host C (.3) to the financial server it says the server reset the connection. Does that mean it works and only allows PC 3 to reach the financial server, or is it configured incorrectly? All the other PCs have web access to the other server IP addresses. I can ping from any of the PCs to the server, so there is connectivity. I'm going to assume that it will work in real life unless I'm missing something here.

17. Newbie
August 11th, 2012

Can somebody help me with this as well? Mike, you are always good; maybe you can explain it to me, or anybody?

All hosts in the Core and local LAN should be able to access the Public Web Server * access-list 100 permit ip any host


(If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use access-list 100 permit ip any any

My question below:

If I say access-list permit ip any any, how does the access-list know what to allow access to? So if I am on the router and put this command in, what confuses me is how the ACL knows this statement ip any any is for the web server with no IP being referenced.

19. RED
August 11th, 2012

Jfrodo,

I had this same issue and I was told to do this:

Just take the PC off the topology and put a Server machine in its place, and you will get the correct result.

It worked for me. Give this a try; I replaced PC 3 with a server.

20. cyt
August 12th, 2012

Failed the exam on Thursday with 749, it's so painful. The ACL was the same as 9tut's but I received an error during the configuration; can someone please tell me what might have happened, because I am about to write the same exam again this week.

21. Anonymous
August 12th, 2012

My understanding was that for extended access lists the Cisco guideline is to place them as close to the source as possible, so shouldn't it be on interface Fa0/0 in the inbound direction?

22. NEW1
August 12th, 2012

So in the modifications, when it says ip any any, do I put the IP of the web server where the IP goes, or do I just put the command ip any any with NO IP? How does the ACL know what server this is supposed to be applied to? Thanks.

Copyright 2010-2012 CCNA Training