CORRECT TEXT
Lab – Access List Simulation
A network associate is adding security to the configuration of the Corp1 router. The user on host C
should be able to use a web browser to access financial information from the Finance Web Server.
No other hosts from the LAN nor the Core should be able to use a web browser to access this server.
Since there are multiple resources for the corporation at this location including other resources on
the Finance Web Server, all other traffic should be allowed.
The task is to create and apply a numbered access-list with no more than three statements that will
allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the
Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host. All passwords have been
temporarily set to "cisco". The Core connection uses an IP address of 198.18.196.65.
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254:
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30. The
Finance Web Server is assigned an IP address of 172.22.242.23. The Public Web Server is assigned an
IP address of 172.22.242.17.
Answer: See the explanation
Explanation:
Our access-list needs to allow host C (192.168.33.3) to reach the Finance Web Server (172.22.242.23) via web (port 80):
Corp1#configure terminal
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Deny other hosts web access to the Finance Web Server:
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
All other traffic is permitted:
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to the Fa0/1 interface (outbound direction):
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out

Detailed explanation:
Select the console on the Corp1 router.
Configuring the ACL:
Corp1>enable
Corp1#configure terminal
Comment: To permit only Host C (192.168.33.3) {source addr} to access the finance server address (172.22.242.23) {destination addr} on port number 80 (web):
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
Comment: To deny any other source from accessing the finance server address (172.22.242.23) {destination addr} on port number 80 (web):
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
Comment: To permit the ip protocol from any source to any destination, because of the implicit deny any any statement at the end of the ACL:
Corp1(config)#access-list 100 permit ip any any
Applying the ACL on the interface:
Comment: Check the show ip interface brief command to identify the interface type and number by checking the IP address configured.
Corp1(config)#interface fa 0/1
If the IP address and subnet mask already configured on the interface are incorrect, they must be corrected for the ACL to work. Type these commands in interface mode:
no ip address 192.x.x.x 255.x.x.x (removes the incorrectly configured IP address and subnet mask)
Configure the correct IP address and subnet mask:
ip address 172.22.242.30 255.255.255.240 (the range of addresses given for the Server LAN is 172.22.242.17 – 172.22.242.30)
Comment: Place the ACL to check for packets going out of the interface towards the finance web server.
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Important: Save your running config to startup before exiting.
Corp1#copy running-config startup-config
Verifying the configuration:
Step 1: The show ip interface brief command identifies the interface on which to apply the access list.
Step 2: Click on each host A, B, C and D. The host opens a web browser page; select the address box of the web browser and type the IP address of the finance web server (172.22.242.23) to test whether access to the finance web server is permitted or denied.
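To check the expected outcome of the three-statement ACL before applying it, the following is an added example (not part of the lab or its answer key): a small first-match evaluator that models IOS extended-ACL semantics, including the implicit deny at the end, and runs it over constructed sample flows from the lab's hosts and the Core toward both servers.

```python
# Added example, not from the original lab: first-match evaluation of
# access-list 100 as applied outbound on Corp1 Fa0/1. Sample flows are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: str                 # "any" or a single host address
    dst: str                 # "any" or a single host address
    dport: Optional[int] = None   # None means any destination port (no "eq")

# Access-list 100 exactly as entered on Corp1 in the explanation above.
ACL_100 = [
    Ace("permit", "tcp", "192.168.33.3", "172.22.242.23", 80),
    Ace("deny",   "tcp", "any",          "172.22.242.23", 80),
    Ace("permit", "ip",  "any",          "any"),
]

def _match_addr(pattern: str, addr: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet: the first matching entry wins,
    and an implicit 'deny ip any any' sits at the end of every IOS ACL."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # implicit deny: nothing matched

# Constructed flows: (protocol, source, destination, destination port).
FLOWS = {
    "host C web to Finance":  ("tcp",  "192.168.33.3",  "172.22.242.23", 80),
    "host A web to Finance":  ("tcp",  "192.168.33.1",  "172.22.242.23", 80),
    "Core web to Finance":    ("tcp",  "198.18.196.65", "172.22.242.23", 80),
    "host A web to Public":   ("tcp",  "192.168.33.1",  "172.22.242.17", 80),
    "host A ping to Finance": ("icmp", "192.168.33.1",  "172.22.242.23", None),
}

def results():
    """Verdict for every sample flow, keyed by its label."""
    return {name: evaluate(ACL_100, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, verdict in results().items():
        print(f"{name:26s} -> {verdict}")
```

Only host C's web traffic to the Finance Web Server is permitted; every other web request to it is denied, while non-web traffic to that server and web traffic to the Public Web Server fall through to the final permit.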