A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17
Corp1>enable
Password: cisco
We should create an access-list and apply it to the interface connected to the Server LAN, because an access-list there can filter traffic from both the Sw-Hosts and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30, so we can guess that the router interface connected to it has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show ip interface brief” command to check which interface has the IP address of 172.22.242.30.
Corp1#show ip interface brief
Interface          IP-Address       OK?  Method  Status  Protocol
FastEthernet0/0    192.168.33.254   YES  manual  up      up
FastEthernet0/1    172.22.242.30    YES  manual  up      up
Serial0/0          198.18.196.65    YES  manual  up      up
We learn that FastEthernet0/1 is the interface connected to the Server LAN network. This is the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server via web
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to the Fa0/1 interface (not the Fa0/0 interface) so that it can filter traffic coming from both the LAN and the Core networks. If we applied the access-list inbound on Fa0/0, we could only filter traffic from the LAN network.
In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.
Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.
Finally, save the configuration
Corp1(config-if)#end
Corp1#copy running-config startup-config
This configuration only prevents hosts from accessing the Finance Web Server via web. If this server supports other traffic, such as FTP or SMTP, then other hosts can still access it that way.
Notice: In the real exam, you might be asked to allow another host (A, B or D) to access the Finance Web Server, so please read the requirement carefully.
Modification #1
A network associate is adding security to the configuration of the Corp router. The user on host B should be able to access the Finance Web Server. Host B should be denied access to the other servers on the S1-SRVS network. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host B access to the Finance Web Server. Deny host B from accessing the other servers. All other traffic is permitted.
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
access-list 100 permit ip any any
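The top-down, first-match evaluation behind the list above and behind the original three-statement answer, as an added example (Python, not part of the original post). The `Packet` type and all function names are illustrative, and the sample packets are constructed from the addresses given on this page.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):          # constructed test traffic, not captured data
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_addr(tok):
    """Consume one IOS address spec; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip_int(tok[1]), 0), tok[2:]
    return (ip_int(tok[0]), ip_int(tok[1])), tok[2:]

def addr_match(spec, addr):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF      # wildcard bits set to 1 are ignored
    return (ip_int(addr) & care) == (base & care)

def parse_ace(line):
    tok = line.split()[2:]         # drop "access-list <number>"
    action, proto = tok[0], tok[1]
    src, rest = take_addr(tok[2:])
    dst, rest = take_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, pkt):
    """Return the action of the first statement that matches, reading top-down."""
    for line in acl:
        action, proto, src, dst, port = parse_ace(line)
        if proto not in ("ip", pkt.proto):
            continue
        if port is not None and port != pkt.dport:
            continue
        if addr_match(src, pkt.src) and addr_match(dst, pkt.dst):
            return action
    return "deny"                  # implicit "deny ip any any" ends every ACL

ORIGINAL = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]
MOD1 = [
    "access-list 100 permit ip host 192.168.33.2 host 172.22.242.23",
    "access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15",
    "access-list 100 permit ip any any",
]
FINANCE, PUBLIC = "172.22.242.23", "172.22.242.17"
HOST_A, HOST_B, HOST_C = "192.168.33.1", "192.168.33.2", "192.168.33.3"

if __name__ == "__main__":
    for name, acl, pkt in [
        ("original", ORIGINAL, Packet("tcp", HOST_C, FINANCE, 80)),
        ("original", ORIGINAL, Packet("tcp", HOST_A, FINANCE, 80)),
        ("original", ORIGINAL, Packet("tcp", HOST_A, FINANCE, 21)),
        ("mod1", MOD1, Packet("icmp", HOST_B, PUBLIC)),
        ("mod1", MOD1, Packet("tcp", HOST_A, FINANCE, 80)),
    ]:
        print(name, pkt, "->", evaluate(acl, pkt))
```

With the Modification #1 list, a packet from host A to the Finance Web Server matches neither of the first two statements and falls through to `permit ip any any`.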
Modification #2
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to access the Finance Web Server. No other hosts from the LAN nor the Core should be able to access this server. All other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C access to the Finance Web Server. No other hosts will have access to the Finance Web Server. All other traffic is permitted.
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Modification #3
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. Other access from host C to Finance Web Server should be denied. No other hosts from the LAN nor the Core should be able to access the Finance Web Server. All other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. Host C should also be denied access to any other services of the Finance Web Server. No other hosts will have access to the Finance Web Server. All other traffic is permitted.
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Modification #4
A network associate is adding security to the configuration of the Corp1 router. The user on host D should be able to use a web browser to access financial information from the Finance Web Server. Other access from host C to Finance Web Server should be denied. No other hosts from the LAN nor the Core should be able to access the Finance Web Server. All hosts from the LAN and the Core should be able to access the Public Web Server.
The task is to create and apply a numbered access-list with no more than three statements that will allow ONLY host D to use a web browser (HTTP) to access the Finance Web Server. Other types of access from host D to the Finance Web Server should be blocked. All access from hosts in the Core or local LAN to the Finance Web Server should be blocked. All hosts in the Core and local LAN should be able to access the Public Web Server.
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
Download LAB file (need packet tracer to open)
https://app.box.com/s/yizuzzbkagp4v0j52a50
Mirror:
http://www.4shared.com/file/heZzTLiH/ACL_Sim.html?
Download Video file
https://app.box.com/s/uri1xwy29gw0qc0smlk0
what commands have you used for ACL?
- Host D should be able to use a web browser (HTTP) to access the Finance Web Server
- Other types of access from host D to the Finance Web Server should be blocked
- All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
- All hosts in the Core and local LAN should be able to access the Public Web Server
Answer 1:
Access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
Access-List 100 deny ip any host 172.22.242.23
Access-list 100 permit ip any any
Answer 2:
Access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
Access-List 100 permit ip any host 172.22.242.17
Access-list 100 deny ip any any
When asked – all can access to public server should I use answer 2 or answer 1?
i know if only said all other traffic is permitted I can use answer 1 without doubt. I am having confusion when it is said all can access to public server…both is correct for that may be and answer 2 fully satisfies the need, right? Please help me out to understand…
@ACME PLEASE:command 2 use eq 80????
Modification #3
The user on host C should be able to access the Finance Web Server
Other access from host C to Finance Web Server should be denied
No other hosts from the LAN nor the Core should be able to access the Finance Web Server. All other traffic should be allowed:
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23 use ((((( eq 80))))
access-list 100 permit ip any any
@acme i understand you ;)
Other access from host C to Finance Web Server should be denied ########## No other hosts from the LAN nor the Core should be able to use a web browser to access this server.
@mostapha
Both answers would not answer the question fully.
From your Answer 1, lines 1 and 2 answer only the first two statements of the question. Remember that the last statement of the question was 'specifically' to allow Core and LAN access to the Public Server, and the Public Server has a different IP address. So the correct command would be:
Access-list 100 permit ip any host 172.22.242.17
From your Answer 2, line 1 answers the first part of the question, while line 2 answers the last part of the question. Remember that the question says 'Other types of access from host D to the Finance Web Server should be blocked. All access from hosts in the Core or local LAN to the Finance Web Server should be blocked'. It is stated SPECIFICALLY, to block all access to ONLY the Finance server and not to other servers. So the right command should be:
Access-list 100 deny ip any host 172.22.242.23
...I hope this helps
@Farah,
The question did not ask that you deny WEB access to the financial web server. It is only when web access is involved that you can add eq 80 to the command.
...I'd suggest you read the question carefully. Besides, try out the commands on your packet tracer and confirm which works. ;)
Just passed This Friday Oct 4. SIM Is valid. Thank you.
Passed 200-120 exam Today with 958/1000. Do not waste time and money guys only testinside Purchased 100% valid dumps Lab was ACL2 Modifications & EIGRP with few but Same.
ReplyDeletecan I add command: "no ip domain-lookup"
to prevent stupid annoying translate.. error message?
I just finished my ccna exam... scored 958 in second attempt .... almost all the questions from 9tut,examtut, acme spintry...... I could have passed if I knew this excellent site before.... thank youuuuuu
got ACL1, ACL2, EIGRP..... same sim with slight modifications....
I confused about command answer Modification #3 and #4, why same command?
In Modification #4, I think Host D IP address is 192.168.33.4.
Why "Request Timeout" when using the Web Browser of "D"????
(Modification 4)
@ Rajiv Widyaratne
the IP of host D in the answer is wrong ... it should be 192.168.33.4 ... not 192.168.33.3, a simple copy-paste mistake
try
access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
access-list 100 deny ip any host 172.22.242.23
access-list 100 permit ip any any
it will work ;)
MODIFICATION #4
How can you complete all of the tasks without adding an "Access-list 100 permit ip any host 172.22.242.17" as a fourth statement?
Thanks!!
Modification #4
access-list 100 permit ip any any
will allow all hosts to public and others so there is no problem i think !!
and cuz in this ques it requires only 3 statements ..
MODIFICATION #1:If this correct way to do things MINUS that I should have checked the access list BEFORE I copied it? I am still a newbie at this but trying hard. Thanks.
Corp1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Corp1(config)#access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23
Corp1(config)#access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
Corp1(config)#access-list 100 permit ip any any
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Corp1#
%SYS-5-CONFIG_I: Configured from console by console
Corp1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Corp1#show access-list
Extended IP access list 100
permit tcp host 192.168.33.2 host 172.22.242.23 (6 match(es))
deny ip host 192.168.33.2 172.22.242.16 0.0.0.15 (30 match(es))
permit ip any any
Corp1#
i had passed my ccna exam with 972/1000 score on 12 feb.
the labs were acl1, acl2 and eigrp
acl 1 (same as it is)
eigrp (just change od AS and advertising a network (same as it is) with NO issue about passive interfaces and default network )
acl 2 (with bit modification)
"The task is to create and apply a numbered access-list with no more than three statements that
-> will allow ONLY host A web access to the Finance Web Server.
->All other traffic from A to finance server is denied.
->All traffic from lan servers(B,C,D) and core to the Finance Web Server is denied.
-> All other traffic is permitted to public server.
MODIFICATION 1 CAN´T BE DONE IN 3 SENTENCES,the question need to be wrong.
In the second modification which is HOST B. which said that to ALLOW only host B to access finance server and deny host B from other servers.
I tried many times but it's possible to access finance server and public web server through all hosts. I copied the commands as mentioned there and I got the same problem. Is it a bug in SIM or is it all right when other hosts access whole servers?
MODIFICATION 1 GUYS ISN'T CORRECT. SOME ONE HELP PLEASE.
Can anyone tell me what's acl sim1 and acl sim2?
I think for MOD1 following will be right
access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23 eq 80
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
access-list 100 permit ip any any
Mod 1 suggestion below is wrong:
access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23 eq 80
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
access-list 100 permit ip any any
As written, all hosts would have access to the Financial Web server.
Agree that it is impossible (as the requirements are outlined) to complete this in 3 statements.
Scored 1000/1000. Thanks to examcollection for dumps and 9tut for Labs. Watson dumps are the most valid of all. One or two questions might not be from any dumps so one can only score full if the concepts are right to the mark. If anyone needs to discuss anything or needs help,
email me on mj_nottinghamian@hotmail.com or add me on
skype: mohsin.jawed
Looking forward to help anyone with networking queries as indirectly I will be helping myself to explore more about networking.
Thank you once again examcollection.
Modification #1 is CORRECT, is not indicate that "No other hosts will have web access to the Finance Web Server".
Modification no 3 requires denying access other than tcp for host C only to financial web server so why is ACL no 2 denying all hosts from LAN and Core?
Also this is not relevant to modification no 1, where in the same way host B is denied to Financial Web Server
I think modification 3 is as below:
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
Corp1(config)#access-list 100 permit ip any any
Dear all,
Can anyone tell me which software will be used in the exam? I heard it will not be packet tracer and the other software which will be used has no help '?' feature, so am I supposed to memorize all these commands by heart?
there is a typo on Mod4:
only host D able to web access to Finance server, so IP address should be 192.168.33.4
ACL1 ACL2 EIGRP
https://www.youtube.com/watch?v=FO3eD6oAIRQ&index=2&list=PLW2Xk7jJ5ZSoFn2G_x0ql_S5AlKvaDaOZ
Modification 4 in 1st statement should be
#access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
as it says host D
Very good point
mod 4 HOST D (192.168.33.4)
#access-list 100 permit tcp host 192.168.33.4 host 172.22.242.23 eq 80
Modification 1 (Mod 1):
permit host B from accessing finance server
access-list 100 permit ip host 192.168.33.2 host 172.22.242.23
deny host B from accessing other servers (not the whole network)
access-list 100 deny ip host 192.168.33.2 172.22.242.16 0.0.0.15
permit everything else
access-list 100 permit ip any any
Modification 2 (Mod 2):
Only allow Host C to access the financial server
access-list 100 permit ip host 192.168.33.3 host 172.22.242.23
Not allow anyone else in any way communicate with the financial server
access-list 100 deny ip any host 172.22.242.23
Allow all other traffic
access-list 100 permit ip any any
Modification 3 (Mod 3):
– Host C should be able to use a web browser (HTTP) to access the Finance Web Server
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
– Other types of access from host C to the Finance Web Server should be blocked
– All access from hosts in the Core or local LAN to the Finance Web Server should be blocked
access-list 100 deny ip any host 172.22.242.23
(because the requirement says we can not use more than 3 statements so we have to use “any” here for the hosts in the Core and hosts in local LAN)
– All hosts in the Core and local LAN should be able to access the Public Web Server
* access-list 100 permit ip any host
(If the question asks this, surely it has to give you the IP of Public Web Server) but in the exam you should use “access-list 100 permit ip any any”
Modification 4 (Mod 4):
Host C should be able to use a web browser to access the financial web server
access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Other types of access from host C to the finance web server should be blocked
access-list 100 deny ip host 192.168.33.3 host 172.22.242.23
All hosts in the core and on the local LAN should be able to access the Public web server
* access-list 100 permit ip any host
(The IP of Public Web Server will surely be given in this question) but in the exam you should use “access-list 100 permit ip any any”