CCNA Certification Access List Control ACL-3 Lab Simulation

Corp1 router was configured to allow only host C to access the finance web server through a web browser. An access list was created with three statements: 1) Permit host C TCP traffic on port 80 to the finance server, 2) Deny any other host TCP traffic on port 80 to the finance server, 3) Permit all other traffic. The access list was applied outbound on interface Fa0/1. Testing showed only host C could access the finance server web page as required.

Uploaded by

ergu vfuko fghui

CCNA Certification – Access List Control (ACL-3) Lab Simulation

itexamanswers.net/ccna-certification-access-list-control-acl-3-lab-simulation.html

March 12, 2017

Lab Simulation Question – ACL-1


A network associate is adding security to the configuration of the Corp1 router. The user
on host C should be able to use a web browser to access financial information from the
Finance Web Server. No other hosts from the LAN nor the Core should be able to use a
web browser to access this server. Since there are multiple resources for the corporation
at this location including other resources on the Finance Web Server, all other traffic
should be allowed.
The task is to create and apply an access-list with no more than three statements that
will allow ONLY host C web access to the Finance Web Server. No other hosts will have
web access to the Finance Web Server. All other traffic is permitted.

Access to the router CLI can be gained by clicking on the appropriate host.

All passwords have been temporarily set to “cisco”.


The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.

Answer:

Corp1>enable
Corp1#configure terminal
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Corp1(config)#access-list 100 permit ip any any
Corp1(config)#interface fa 0/1
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Corp1#copy running-config startup-config

Explanation:
Select the console on the Corp1 router.
Configuring the ACL

Corp1>enable
Corp1#configure terminal

COMMENT: To permit only Host C (192.168.33.3) {source addr} to access the finance server
address (172.22.242.23) {destination addr} on port number 80 (web)

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

COMMENT: To deny any source access to the finance server address (172.22.242.23)
{destination addr} on port number 80 (web)

Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

COMMENT: To permit IP traffic from any source to any destination. This statement is
needed because of the implicit deny any any at the end of every ACL.

Corp1(config)#access-list 100 permit ip any any

Applying the ACL on the Interface


COMMENT: Use the show ip interface brief command to identify the interface type and
number by checking the IP address configured.

Corp1(config)#interface fa 0/1

If the IP address and subnet mask already configured on the interface are incorrect, they
must be corrected for the ACL to work. Type these commands in interface mode:
no ip address 192.x.x.x 255.x.x.x (removes the incorrectly configured IP address and
subnet mask)
Configure the correct IP address and subnet mask:
ip address 172.22.242.30 255.255.255.240 (the range of addresses specified for the Server
LAN is given as 172.22.242.17-172.22.242.30)
COMMENT: Apply the ACL to check packets going out of the interface towards the
Finance Web Server.

Corp1(config-if)#ip access-group 100 out


Corp1(config-if)#end

Important: Save your running config to the startup config before you exit.

Corp1#copy running-config startup-config

Verifying the Configuration:


Step 1: The show ip interface brief command identifies the interface on which to apply the
access list.
Step 2: Click on each of hosts A, B, C and D. The host opens a web browser page. Select the
address box of the web browser and type the IP address of the Finance Web Server
(172.22.242.23) to test whether access to the Finance Web Server is permitted or denied.
Step 3: Only Host C (192.168.33.3) has access to the server. If another host can also
access it, something went wrong in your configuration; check that the statements are
configured correctly and in order.
Step 4: If only Host C (192.168.33.3) can access the Finance Web Server, you can click the
NEXT button to successfully submit the ACL SIM.
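
The verification above can also be reasoned through offline. The following is an added example, not part of the original lab: a simplified Python model of first-match ACL evaluation (source/destination wildcard matching and an optional destination `eq` port only) run against the addresses given in the question. It also compares the `deny tcp any` statement with a constructed variant that denies only the Hosts LAN subnet, which lets the Core address (outside 192.168.33.0/24) fall through to `permit ip any any`. All function and variable names are hypothetical.

```python
import ipaddress

FINANCE = "172.22.242.23"
SOURCES = {"Host A": "192.168.33.1", "Host B": "192.168.33.2", "Host C": "192.168.33.3",
           "Host D": "192.168.33.4", "Core": "198.18.196.65"}
ACL_ANY = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]
# Constructed variant for comparison: the deny covers only the Hosts LAN subnet.
ACL_SUBNET = [ACL_ANY[0], ACL_ANY[1].replace("any", "192.168.33.0 0.0.0.255"), ACL_ANY[2]]

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def parse_addr(tok):
    """Consume one IOS address spec; return (base, wildcard) as integers."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tok.pop(0)), 0
    return to_int(first), to_int(tok.pop(0))

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]' (simplified)."""
    tok = line.split()[2:]
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = parse_addr(tok), parse_addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def addr_match(ip, spec):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return to_int(ip) & care == spec[0] & care

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching statement, else the implicit deny."""
    for action, p, s, d, port in map(parse_ace, acl):
        if p in ("ip", proto) and addr_match(src, s) and addr_match(dst, d) and port in (None, dport):
            return action
    return "deny"

def web_access(acl):
    """Decision for TCP/80 to the Finance Web Server from each source on the page."""
    return {name: evaluate(acl, "tcp", ip, FINANCE, 80) for name, ip in SOURCES.items()}

if __name__ == "__main__":
    print(web_access(ACL_ANY), web_access(ACL_SUBNET), sep="\n")
```

Reordering the statements in `ACL_ANY` and calling `evaluate` again shows why Step 3 asks you to check that they were entered in order.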
