This is an Updated CCNA exam question (2015). You might see a different IP addressing, Port allocation and Configurations.
As usual, take time and read through the question (thrice if you have to) so as to clearly understand what Cisco want you to do. As you read the question try and match the emphasis components on the graphics; this will help you to create a mental picture of what its all about.
Note: This ACL LAB sim are used for demonstration only,you will see a slight different IP addressing, Port allocation in the real CCNA exam. But it all works the same way if you could just grasp the technique.
I suggest you use packet tracer for practice.
Read a refresher on Access Control List.
A network administrator is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply an access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco“.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.10.1 – 192.168.10.254
Host A 192.168.10.1
Host B 192.168.10.2
Host C 192.168.10.3
Host D 192.168.10.4
The servers in the Server LAN have been assigned addresses of 172.26.222.17 – 172.26.222.30
The Finance Web Server is assigned an IP address of 172.26.222.23.
Answer and Explanation
Looking with the above question in mind, you need to create and apply an access list to the interface connected to the server to filter traffic from Sw2 and core (internet) network. IP addresses 172.26.222.17 – 172.26.222.30 are assigned to the LAN network, looking at the figure above; you can see.30 labeled to one of the connected interface.
To verify which interface, use the show running-config command:
Corp1>enable (type “cisco” as password here)
below will be your output:
From the output, you can verify that interface FastEthernet0/1 is connected to Server LAN network, so you apply the access-list on this interface ( outbound ).
To accomplish this, Use the following commands:
- To enables host C – 192.168.10.3 to access the Finance Web Server 172.26.222.23 via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.10.3 host 172.26.222.23 eq 80
- This denies other hosts access to the Finance Web Server via web. All other traffic is permitted, use the following commands:
Corp1(config)#access-list 100 deny tcp any host 172.26.222.23 eq 80
Corp1(config)#access-list 100 permit ip any any
Then, Apply this access-list to the Fa0/1 interface. this filters traffic coming from the Core network. (outbound direction)
Corp1(config-if)#ip access-group 100 out
Next and final step:
Click on host C to open its web browser. In the address box type http://172.26.222.23 to verify your access to Finance Web Server. If no access, check your configuration.
Click on other hosts (A, B and D) and verify if you are denied access to Finance Web Server.
Finally, save your configuration with the following command:
Corp1#copy running-config startup-config (don’t forget this bit)