CCNA ACL Exam Lab with GNS3:
If you are preparing for the CCNA (200-120) exam, you must be comfortable with access lists: every exam includes a lab in which you have to complete an access-list configuration so that it works as required. I have built a similar lab in GNS3 so that you can practice it before sitting the real exam.
Lab Question:
A network engineer is configuring security on the Corp1 router. You have to perform the following tasks to complete this configuration:
- The user on host C must be able to use a web browser to access financial information from the Finance Web Server.
- No other host from the LAN or the Core should be able to use a web browser to access this server.
- You are required to apply an access list with no more than three statements that allows ONLY host C web access to the Finance Web Server. No other host may have web access to the Finance Web Server.
- All other traffic is permitted.
Other Information:
The Core user has the IP address 198.18.196.65.
LAN PCs have been assigned IP addresses in the range 192.168.33.1 - 192.168.33.254.
The servers in the Server LAN have been assigned addresses in the range 172.22.242.17 - 172.22.242.30.
The Finance Web Server has been assigned the IP address 172.22.242.23.
Solution / Required Configuration
You can complete these tasks with the following commands on router Corp1:
Corp1>enable
Corp1#configure terminal
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
This statement permits web traffic (TCP port 80) from host C, whose IP address is 192.168.33.3, to the Finance Web Server.
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
This statement blocks web access to the Finance Web Server from every other host. Order matters: an ACL is evaluated top down and the first match wins, so the permit for host C must come before this deny.
Corp1(config)#access-list 100 permit ip any any
This statement permits all other traffic. It is required because every IOS ACL ends with an implicit deny ip any any; without it, non-web traffic to the Finance Web Server and all traffic to the other servers (172.22.242.17 - 172.22.242.30) leaving this interface would be dropped. A narrower final line such as permit ip any host 172.22.242.23 would not satisfy the requirement that all other traffic is permitted.
Apply the ACL outbound on the interface closest to the destination, the one facing the Server LAN, which here is fa 0/1:
Corp1(config)#interface fa 0/1
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Corp1#copy running-config startup-config
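The ordering and implicit-deny behaviour of the ACL is easy to get wrong, so here is an added example, written for this page and not code from the original post or from Cisco, that evaluates constructed packets against the three-line ACL the way a router does: top down, first match wins, implicit deny ip any any at the end. It also evaluates a narrower final line, permit ip any host 172.22.242.23, to show that it fails the requirement that all other traffic is permitted. Only the subset of the extended-ACL syntax used in this lab is parsed, and the sample packets (host names, ports) are constructed for the example.

```python
"""First-match evaluator for the subset of Cisco IOS extended ACL syntax used
in this lab. Added example, not IOS code and not from the original post: it
models permit/deny, the protocols ip/tcp/udp, the address specs 'host A',
'any' and 'A WILDCARD', an optional 'eq PORT' on the destination, and the
implicit 'deny ip any any' that ends every IOS ACL. Hit counters mimic what
'show access-lists' displays."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23, "domain": 53}
ALL_ONES = 0xFFFFFFFF


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: int
    src_wild: int          # wildcard mask: 1 bits are don't-care
    dst: int
    dst_wild: int
    dport: Optional[int]   # None when the line has no 'eq' clause
    hits: int = 0


def _addr(tokens, i):
    """Parse one address spec at tokens[i]; return (address, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse 'access-list <num> <permit|deny> <proto> <src> <dst> [eq <port>]' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        action, proto = t[2], t[3]
        src, src_wild, i = _addr(t, 4)
        dst, dst_wild, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = WELL_KNOWN.get(t[i + 1]) or int(t[i + 1])
        entries.append(Entry(action, proto, src, src_wild, dst, dst_wild, dport))
    return entries


def _matches(addr: int, wild: int, ip: int) -> bool:
    # Bits cleared in the wildcard must be equal; bits set are ignored.
    return (addr ^ ip) & (ALL_ONES ^ wild) == 0


def evaluate(entries, src_ip, dst_ip, proto, dport=None):
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _matches(e.src, e.src_wild, s) or not _matches(e.dst, e.dst_wild, d):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        e.hits += 1
        return e.action
    return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL


# The three-line solution from this lab.
LAB_ACL = [
    "access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80",
    "access-list 100 deny tcp any host 172.22.242.23 eq 80",
    "access-list 100 permit ip any any",
]
# A tempting but wrong final line: it only covers traffic to the Finance server.
NARROW_ACL = LAB_ACL[:2] + ["access-list 100 permit ip any host 172.22.242.23"]

# Constructed packets as they would leave fa0/1 toward the Server LAN
# (source, destination, protocol, destination port).
PACKETS = {
    "hostC_http": ("192.168.33.3", "172.22.242.23", "tcp", 80),
    "hostB_http": ("192.168.33.2", "172.22.242.23", "tcp", 80),
    "core_http": ("198.18.196.65", "172.22.242.23", "tcp", 80),
    "hostB_https": ("192.168.33.2", "172.22.242.23", "tcp", 443),
    "hostB_ssh_other_server": ("192.168.33.2", "172.22.242.17", "tcp", 22),
}


def check(acl_lines):
    """Evaluate every constructed packet against an ACL; returns {name: verdict}."""
    entries = parse_acl(acl_lines)
    return {name: evaluate(entries, *pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("lab solution", LAB_ACL), ("narrow last line", NARROW_ACL)):
        print(label, check(acl))
```

Running it shows the lab ACL permitting only host C on port 80, denying host B and the Core user on port 80, and still permitting host B on port 443 and to the other server; the narrow variant drops the packet to 172.22.242.17 because nothing before the implicit deny matches it.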
Verification of Configuration:
With the ACL applied, only 192.168.33.3 can reach the Finance Web Server on port 80; every other host is refused on port 80 but can still reach it on other ports, and traffic to the other servers is unaffected. The hit counters displayed by show access-lists confirm which statement each test connection matched.
CCNA Access-list Exam Lab in GNS3:
If you have some extra time you can build this lab in GNS3. You can also build it in Packet Tracer, which is easier than GNS3, but I have configured the same lab in GNS3, so you can download the configuration files (links are given at the end of the post) and complete it with the configuration above. Simply download the files, create the topology shown in the figure, and load the files onto each router one by one. This gives you some initial practice before going into the real exam.
In GNS3, to provide connectivity between Corp1, the LAN hosts (A, B, C, D) and the finance servers, I configured EIGRP AS 100; in the real lab this connectivity is already in place.
For host C, the Finance Web Server and the other servers I used VirtualBox VMs, attaching their network adapters to the topology with the following IP configuration:
Host-C
192.168.33.3/24
Gateway=192.168.33.254
Host-B
192.168.33.2/24
Gateway=192.168.33.254
Finance-web-server
172.22.242.23/24
Gateway=172.22.242.30
To provide the web service on the finance server I simply installed IIS and hosted a page named index.html.
On Windows XP, IIS is installed from Control Panel > Add or Remove Programs > Add/Remove Windows Components: select Internet Information Services (IIS), click Next and complete the wizard.
I created a test page (index.html) and placed it in c:\inetpub\wwwroot on the finance web server. After completing the configuration above you can test it in the following way:
- Open Internet Explorer on host C and browse to http://172.22.242.23/index.html; the page loads successfully, as shown in the figure.
- Now try the same from host B; the page is inaccessible.