Lab Simulation Question – ACL-3
Answer:
Corp1>enable
Corp1#configure terminal
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny tcp 192.168.33.0 0.0.0.255 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 permit ip any any
Corp1(config)#do show ip interface brief
Corp1(config)#interface fa 0/1
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Corp1#copy running-config startup-config
Explanation:
Select the console on the Corp1 router.
Configuring the ACL
Corp1>enable
Corp1#configure terminal
Comment: To permit only Host C (192.168.33.3) {source addr} to access the finance server address (172.22.242.23) {destination addr} on port number 80 (web):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Comment: To deny any other source from accessing the finance server address (172.22.242.23) {destination addr} on port number 80 (web):
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Comment: To permit the ip protocol from any source to any destination, because of the implicit deny any any statement at the end of the ACL:
Corp1(config)#access-list 100 permit ip any any
Applying the ACL on the interface
Comment: Use the show ip interface brief command to identify the interface type and number by checking the IP address configured on it.
Corp1(config)#interface fa 0/1
If the IP address and subnet mask already configured on the interface are incorrect, correct them so that the ACL works, by typing these commands in interface mode:
no ip address 192.x.x.x 255.x.x.x (removes the incorrectly configured IP address and subnet mask)
Configure the correct IP address and subnet mask:
ip address 172.22.242.30 255.255.255.240 (the range of addresses specified going to the server is given as 172.22.242.17-172.22.242.30)
Comment: Place the ACL to check packets going out of the interface towards the finance web server.
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Important: Save your running config to startup config before you exit.
Corp1#copy running-config startup-config
Verifying the Configuration:
Step 1: The show ip interface brief command identifies the interface on which to apply the access list.
Step 2: Click on each host A, B, C and D. The host opens a web browser page; select the address box of the web browser and type the IP address of the finance web server (172.22.242.23) to test whether it permits or denies access to the finance web server.
Step 3: Only Host C (192.168.33.3) has access to the server. If another host can also access it, something may have gone wrong in your configuration; check whether you configured the statements correctly and in order.
Step 4: If only Host C (192.168.33.3) can access the Finance Web Server, you can click on the NEXT button to successfully submit the ACL SIM.
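The effect of the two different deny statements (the "Answer" denies only the 192.168.33.0/24 LAN, the "Explanation" denies any source) can be checked without a router by modelling IOS first-match ACL evaluation. This is an added Python example, not part of the original lab text; the core host address 10.1.1.10 is a constructed placeholder, since the lab does not give the core addresses.

```python
import ipaddress

# Added model of Cisco IOS extended-ACL evaluation: entries are tested top
# down, the first match decides, and a packet that matches nothing hits the
# implicit "deny ip any any" at the end of every ACL.

def wildcard_match(addr, spec):
    """spec is 'any', ('host', address) or (network, wildcard-mask).
    In a wildcard mask a 1 bit means 'don't care', the inverse of a netmask."""
    if spec == "any":
        return True
    if spec[0] == "host":
        return addr == spec[1]
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet, IOS first-match style."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto not in (proto, "ip"):      # 'ip' matches every protocol
            continue
        if aport is not None and aport != dport:
            continue
        if wildcard_match(src, asrc) and wildcard_match(dst, adst):
            return action
    return "deny"                            # implicit deny ip any any

FINANCE = "172.22.242.23"
HOST_C = "192.168.33.3"

# ACL as printed in the "Answer": line 2 denies only the 192.168.33.0/24 LAN.
ACL_ANSWER = [
    ("permit", "tcp", ("host", HOST_C), ("host", FINANCE), 80),
    ("deny",   "tcp", ("192.168.33.0", "0.0.0.255"), ("host", FINANCE), 80),
    ("permit", "ip",  "any", "any", None),
]
# ACL from the "Explanation": line 2 denies every other source.
ACL_EXPLANATION = [
    ("permit", "tcp", ("host", HOST_C), ("host", FINANCE), 80),
    ("deny",   "tcp", "any", ("host", FINANCE), 80),
    ("permit", "ip",  "any", "any", None),
]

def web_access(acl, src):
    """Outcome of src browsing to the finance web server (tcp/80)."""
    return evaluate(acl, "tcp", src, FINANCE, 80)

if __name__ == "__main__":
    CORE_HOST = "10.1.1.10"   # constructed placeholder; lab gives no core address
    for name, acl in (("Answer", ACL_ANSWER), ("Explanation", ACL_EXPLANATION)):
        print(name, "Host C:", web_access(acl, HOST_C),
              "| LAN host:", web_access(acl, "192.168.33.4"),
              "| core host:", web_access(acl, CORE_HOST))
```

Running it shows the core host reaching the server under the "Answer" ACL but not under the "Explanation" ACL, while non-web traffic passes under both because of the final permit ip any any.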
The explanation differs from the answer given, creating confusion for starters. The answer given is not correct, or at least it is not 100%, whereas the explanation is correct.
The “ANSWER” is not good enough, as it did not meet all the requirements.
In the question, the 2nd and 3rd lines state that “no other hosts for the LAN NOR THE CORE should be able to use the web browser to access this server (Finance Web)”, where the access list failed to prevent the Core from accessing the server.
However, in the “explanation” the access list differs and is able to meet all the requirements.