Helping You Pass Your CCNA Exams

New CCNA Access Control List  Lab Sim Question.

(Ths is one of the old sim questions. Recent CCNA exam takers said it appeared as one of the sim questions in recent exam.)

This is an Updated  CCNA exam question (Sept. 2013). You might see a different IP addressing, VLAN configuration and Port allocation and Configurations.

As usual, take time to read through the question so as to clearly understand what Cisco want you to do.

Note: This access control List Sim is used for demonstration only; you might see different IP addressing and Port allocation in the real CCNA exam. But it all works the same way if you could understand the technique.

I suggest you use packet tracer for practice.


A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.

The task is to create and apply an access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.

All passwords have been temporarily set to "cisco".
The Core connection uses an IP address of
The computers in the Hosts LAN have been assigned addresses of -
Host A
Host B
Host C
Host D
The servers in the Server LAN have been assigned addresses of -
The Finance Web Server is assigned an IP address of


Answer and Explanation

Looking at the above question, you need to create and apply access control list to the interface connected to the server to filter traffic from Sw2 and Core (internet) network. IP addresses – are assigned to the LAN network. Looking at the figure above; you can see .30 labelled to one of the connected interface.

To verify which interface, use the show running-config command:

Corp1>enable(type "cisco" as password here)

Corp1#show running-config


From the ouput, you can verify that  interface FastEthernet0/1 is connected to Server LAN network, so you apply the access-list on this interface ( outbound ).

To accomplish this, Use the following commands:

Corp1#configure terminal

 Corp1(config)#access-list 100 permit tcp host host eq 80

(This enables host C - to access the Finance Web Server172.26.222.23 via web (port 80)

Corp1(config)#access-list 100 deny tcp any host eq 80

 Corp1(config)#access-list 100 permit ip any any

(This denies other hosts access to the Finance Web Server via the web . All other traffic is permitted)

Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out

(Apply this access-list to Fa0/1 interface. this filters traffic coming from the Core network).


Next step:

Click on host C to open its web browser. In the address box type to verify your access to Finance Web Server.  If no access, check your configuration.

Click on other hosts A, B and D and verify if you are denied access to Finance Web Server .

Finally, save your configuration with the following command:

Corp1#copyrunning-config startup-config (don’t forget this bit)


Sign Up For Post Updates

* required


Email Marketing by VerticalResponse


 PrivacyPolicy  Contact Us  Advertise

Copyright  2012. Orbitco-Computer-Solutions.Com. All rights reserved.  

The information provided on this website is for informational purposes only.
orbitco-ccna-pastquestions.com makes no warranties, either expressed or implied, with respect to any information contained on this website.

orbitco-ccna-pastquestions.com reserves the right to change this policy at anytime without prior notice.
and All related product mentioned in any portion of this website are the registered trademarks of Cisco.com 

and their respective owners