
CCNA Access List Sim 2

February 15th, 2014

Question

access_list_sim2.jpg

Answer and Explanation

(Note: If you are not sure how to use access lists, please check out my access-list tutorial at: http://juquitiba.sp.gov.br/?exams=access-list-tutorial. Some modifications to this sim have also been reported, so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://juquitiba.sp.gov.br/?exams=download/9tut.com_Access-list_sim2.zip)

Corp1>enable (you may enter “cisco” as its password here)

We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.

Corp1#show running-config

access_list_sim_show_running.jpg

We learn that FastEthernet0/1 is the interface connected to the Server LAN network. It is the interface to which we will apply our access-list (in the outbound direction).

Corp1#configure terminal

Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (port 80)

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Deny other hosts access to the Finance Web Server via web

Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

All other traffic is permitted

Corp1(config)#access-list 100 permit ip any any

Apply this access-list to Fa0/1 interface (outbound direction)

Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out

Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that it can filter traffic coming from both the LAN and the Core networks. If we apply the access-list to the inbound interface, we can only filter traffic from the LAN network.

In the exam, just click on host C to open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server via HTTP or not. If your configuration is correct then you can access it.

Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.

Finally, save the configuration

Corp1(config-if)#end
Corp1#copy running-config startup-config

(This configuration only prevents hosts from accessing the Finance Web Server via web. If this server supports other traffic, such as FTP or SMTP, then other hosts can still access it that way.)

Notice: You might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.

Some modifications (mods):

Modification 1 (Mod 1):

Permit host B to access the Finance Server

access-list 100 permit ip host 192.168.33.2 host 172.22.242.23

Deny host B from accessing other servers (not the whole network)

access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15

Permit everything else

access-list 100 permit ip any any

Modification 2 (Mod 2):

Only allow host C to access the Finance Server

access-list 100 permit ip host 192.168.33.3 host 172.22.242.23

Do not allow anyone else to communicate with the Finance Server in any way

access-list 100 deny ip any host 172.22.242.23

Allow all other traffic

access-list 100 permit ip any any

Modification 3 (Mod 3):

– Host C should be able to use a web browser (HTTP) to access the Finance Web Server

access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

– Other types of access from host C to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked

access-list 100 deny ip any host 172.22.242.23

(Because the requirement says we cannot use more than 3 statements, we have to use “any” here to cover the hosts in the Core and the hosts in the local LAN.)

– All hosts in the Core and local LAN should be able to access the Public Web Server *

access-list 100 permit ip any host

(If the question asks this, it will surely give you the IP of the Public Web Server, but in the exam you should use “access-list 100 permit ip any any”.)

Modification 4 (Mod 4):

Host C should be able to use a web browser to access the Finance Web Server

access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Other types of access from host C to the Finance Web Server should be blocked

access-list 100 deny ip host 192.168.33.3 host 172.22.242.23

All hosts in the Core and on the local LAN should be able to access the Public Web Server *

access-list 100 permit ip any host

(The IP of the Public Web Server will surely be given in this question, but in the exam you should use “access-list 100 permit ip any any”.)

* There are some reports that the correct command for “All hosts in the core and on the local LAN should be able to access the Public web server” is “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better, you should probably use the first command, “access-list 100 permit ip any any”, as some reports said they got 100% when using it (even if the question gives you the IP address of the Public Web Server). It is a bug in this sim.

(Note: Don’t forget to apply this access list to the suitable interface or you will lose points:
interface fa0/1
ip access-group 100 out

And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)

I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need a recent version of Packet Tracer to open it (v5.1+).

accesslist_sim2_packet_tracer.jpg


Notice: After typing the commands above, if you ping the Finance Web Server (PC4) from other hosts (PC0, PC1, PC3), it can still reply because we only filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of the Finance Web Server and you can see how traffic flows in Simulation Mode.

accesslist2_test_http.jpg

Also notice that in the initial configuration of this sim, the Core network can ping the Finance Web Server. We have to create an access-list that can filter this traffic too.
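The first-match behaviour of these access lists, and the range covered by the Mod 1 wildcard mask, can be checked offline. The Python sketch below is an added example, not part of the original sim or of any Cisco tool; it parses only the access-list forms used on this page and evaluates packets against the main answer, Mod 1 and Mod 3. The function names are hypothetical.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i] -> ((base, care_bits), next index)."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (ip(tok[i + 1]), 0xFFFFFFFF), i + 2
    care = ~ip(tok[i + 1]) & 0xFFFFFFFF  # wildcard: 0-bits must match, 1-bits are ignored
    return (ip(tok[i]) & care, care), i + 2

def parse(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (forms used on this page)."""
    tok = line.split()
    src, i = addr(tok, 4)
    dst, i = addr(tok, i)
    port = int(tok[i + 1]) if tok[i:i + 1] == ["eq"] else None
    return tok[2], tok[3], src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry; no match hits the implicit deny."""
    for action, p, (sb, sm), (db, dm), port in acl:
        if (p in ("ip", proto) and (ip(src) & sm) == sb and (ip(dst) & dm) == db
                and port in (None, dport)):
            return action
    return "deny"

MAIN = [parse(l) for l in (  # answer from the main walkthrough
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any")]
MOD1 = [parse(l) for l in (  # wildcard 0.0.0.15 covers 172.22.242.16 - 172.22.242.31
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any")]
MOD3 = [parse(l) for l in (
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny ip any host 172.22.242.23",
    "access-list 100 permit ip any any")]

if __name__ == "__main__":
    # Ping from host B to the Finance Web Server: passes the main answer, blocked by Mod 3.
    print(evaluate(MAIN, "icmp", "192.168.33.2", "172.22.242.23"))
    print(evaluate(MOD3, "icmp", "192.168.33.2", "172.22.242.23"))
```

Because the specific permit for host C is listed before the broader deny, order matters: swapping the first two entries of any of these lists would block host C as well.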

Comments
  1. zebekers
    December 4th, 2017

    I got this question in the exam. Correct answer is:

    Corp1#configure terminal
    Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
    Corp1(config)#access-list 100 deny ip any host 172.22.242.23 <——
    Corp1(config)#access-list 100 permit ip any any
    Corp1(config)#interface fa0/1
    Corp1(config-if)#ip access-group 100 out
    Corp1(config-if)#end
    Corp1#copy running-config startup-config

  2. JA
    December 4th, 2017

    zebekers you got acl mod 3 right ????

  3. chukzy
    December 7th, 2017

    Zarathustra, I used IP any any and I got full marks. scored more than you did. So that’s not exactly correct

  4. Aziz
    December 8th, 2017

    Hi everyone! Could you please send me the latest dump , to {email not allowed}

  5. Aziz
    December 8th, 2017

    Hi everyone! Could you please send me the latest dump to azizxon9602 on mail ru

  6. Alaa
    December 10th, 2017

    why in modification 3 question last line should be “access-list 100 permit ip any any”? I believe that it should be access-list 100 permit ip any host ?

  7. Alaa
    December 10th, 2017

    why in modification 3 & 4 questions last line should be “access-list 100 permit ip any any”? I believe that it should be access-list 100 permit ip any host “IP of the public web server”

  8. anon…
    December 11th, 2017

    anyone else who passed the exam after 7 dec 2017
    if yes plx guide me about test from where questions came and also labs
    i m going to apply for exam most probably 18 dec

  9. Lei
    December 15th, 2017

    passed the exam today :):):)

  10. Timi
    December 15th, 2017

    Lei, what questions did you see in your exam.? Drag and drop and Sims hint, please. My exam is next week. Help me

  11. Sayed
    December 15th, 2017

    I have an exam and if any could share more SIM….Thanks

  12. Lei
    December 15th, 2017

    @Timi, i got DnD(cable types) and ACL sim and OSPF sim, good luck to u.

  13. Kikonyogo faustine
    December 15th, 2017

    I certified today and passed with 905
    64 questions
    no drag and drop
    labs: ACL mod 3 and OSPF neighbor lab

    used the chinese 2017.10.10 dump

  14. Holla
    December 15th, 2017

    Passed the exam.
    64 questions
    no drag and drop
    labs: ACL case 2 and DHCP

    thank you 9tut. 99% questions were from 9tut.

  15. Holla
    December 15th, 2017

    In Case 2 sim there is no DNS server

  16. DavidKing
    December 21st, 2017

    PASSED ON 20/12/17 WITH 9XX. SIMS ARE ACL MOD 3 AND EIGRP-TS. I USED CHINESE DUMP AND ITS STILL VALID

  17. Hari
    December 22nd, 2017

    How to prepare for CCNA lab question.How many lab question will be in 200-125 version.

  18. anon…
    December 26th, 2017

    i heard about it one new lab occur related to redistribution …is it true?

  19. BMw
    December 29th, 2017

    access-list 100 permit tcp host 192.168.125.2 host 172.22.109.17 eq 80
    access-list 100 deny ip any host 172.22.109.17
    access-list 100 permit ip host 172.22.109.18 any

    is this correct?

  20. fred
    January 2nd, 2018

    Hi. Im currently studying for CCNA 200-125 exam. Can you give me the latest dumps and some tips to pass the exam? Here is my email: fredryccomida at gmail dot com. Please. Thank you so much.

  21. OMAR
    January 2nd, 2018

    Hi everyone could you please send me the latest dumps on ({email not allowed}). Thank you in advance…

  22. cisc0M
    January 7th, 2018

    I have mastered all the mod 0 to 4.
    Normally I will have my CCNA

  23. Nghia-CSC Viet Nam
    January 8th, 2018

    Today Pass with 9xx p

    China Dump is valid

    LAB got ACL SIM2 Mod 3 and OSPF troubleshoot

    one q D&D

  24. Ramon
    January 9th, 2018

    @Nghia-CSC Do you have any tip for me? I will perform my exam in 01/16.
    The Labs in Exam are the same in 9tut?

  25. Anonymous
    January 11th, 2018

    Modification 1 (Mod 1):

    deny host B from accessing other servers (not the whole network)( access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15)

    Hi,
    could any one explain this conf to me plz, how did you figure out 172.22.242.16 ip address with a wildcard mask 0.0.015
    cheers
    thanks

  26. cisc0M
    January 11th, 2018

    I did it this morning , didn’t pass (740/1000) minimum is 810/1000 !

    I had acl sim 3 ! but i did “copy run start”, forgot to assign the access-group, and I put the access-group after it and then I copy run start again.

    Do you think that after having done “copy run start” its finish ?

  27. majid choudary
    January 13th, 2018

    i have failed my test 790/1000 810 was passing score !
    i have get this lab SIM2 and only this lab was that i wasnt prepared for :(

  28. Edward
    January 15th, 2018

    hello,
    I’m reading in order to recertificate in february. Please someone can send me VCE application+key
    and chinese dumps at {email not allowed}?
    Thanks in advance

  29. what answer?
    January 20th, 2018

    i have Passed my test 840/1000 .
    i have get this lab SIM2 and lab sim 1 and lap GRE and lab ospf and lab ripv2 and lab VLAN

    and 10q Drag and drop

  30. Arslan
    January 20th, 2018

    @what answer can you tell me which VLAN lab came

  31. mozcan74
    January 24th, 2018

    Hello cisc0M can you please send me the dump PDF 450 Q&A please? Could you please send it to
    mozcan74 “@” gmail ? thank you very much

  32. clara
    January 25th, 2018

    im writing exams next week plz anyone send me the latest dump

  33. ciara
    January 25th, 2018

    can someone please send me the latest dump at {email not allowed}

  34. @sai
    January 28th, 2018

    questions of above simulation please

  35. Bulud
    January 29th, 2018

    Passed today) 943/1000
    80% of multiple questions were from 9tut.
    I got 8 labs. IPv6 ospf , GRE, RIPv2 Troubleshooting, DHCP , EIGRP Troubleshooting, OSPF Neighbor, Access list sim 2(mod 3) , Access list Sim 1.
    GRE, OSPF, Eigrp, RIPv2 , OSPF questions were different, new, but not difficult.
    4-5 Drag and Drop questions. 2 of them were from 9tut, others were new.

  36. Anonymous
    January 29th, 2018

    Where can i get the Vlan lab from? please someone advise!! and also the IPv6 ospf is it in 9tut?

  37. Anonymous
    February 1st, 2018

    hi,guys do u know how many marks for Drag and Drop out of 53 question?

  38. pho sai
    February 1st, 2018

    hi,guys do u know how many marks for Drag and Drop out of 53 question?

  39. wajahat
    February 8th, 2018

    If i am learning ccna lab sim, is it enough for me to go for ccna exam?
    I saw many question doesn’t have proper questions and choices in it.

  40. SHASHI
    February 14th, 2018

    Where can i get the question for ACL sim ?

  41. TweeezY
    February 15th, 2018

    Passed exam today all the question and labs from 9tut :ACL+OSPF+EIGRP+4 DRAG

  42. @ANONYMOUS-
    February 15th, 2018

    got exact question in exam. only ip addresses lil bit changed. passed with 9xx marks

  43. lagrossebite
    February 23rd, 2018

    Just had my CCNA thanks to 9tut, got 873/1000, ACL lab2 mod3

  44. Raju
    February 27th, 2018

    Hi guys any latest dumps for 300-101.

    my exam is in next month.

    this is my email id :- raj09028 at gmail dot com

    thank you

  45. Raju
    February 27th, 2018

    Hi guys any latest dumps for 200-125

    my exam is in next month.

    this is my email id :- raj09028 at gmail dot com

    thank you

  46. Mr D
    March 8th, 2018

    1:N is for redundant master for a swt stack…

  47. Modu
    March 17th, 2018

    Any latest dumps for the CCNA exams

  48. Dave
    March 17th, 2018

    Guys, I will be taking the CCNA 200-125 exams end of this month. Can someone send me the latest dumps on my email davesk*41* @*gmail dot com. Please remove the start to get the email

  49. Trusted…Tested…Dumps for Free
    March 17th, 2018

    Latest Dumps inside:
    mediafire.com/folder/qfip8azi6e8yq/Latest%20Dumps

  50. Anonymous
    March 18th, 2018

    The command “access-list 100 permit ip any host” will block the access to the DNS server (apply a numbered access-list with no more than three statements), so the correct command is “access-list 100 permit ip any any”.
