Implement, verify, and troubleshoot NAT and ACLs

Thursday, February 21, 2008

CCNA (640-802) exam topic: Implement, verify, and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network.

Question 1:
What are two reasons that a network administrator would use access lists? (Choose two.)
A: to control vty access into a router
B: to control broadcast traffic through a router
C: to filter traffic as it passes through a router
D: to filter traffic that originates from the router
E: to replace passwords as a line of defense against security incursions

Answers: A, C


Question 2:
Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two.)
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any


A: source IP address 192.168.15.5; destination port 21
B: source IP address 192.168.15.37; destination port 21
C: source IP address 192.168.15.41; destination port 21
D: source IP address 192.168.15.36; destination port 23
E: source IP address 192.168.15.46; destination port 23
F: source IP address 192.168.15.49; destination port 23

Answers: D, E

Explanation:
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
These two statements are configured on RTB and applied outbound on S0/0.

The first statement denies Telnet (TCP port 23) from the source range 192.168.15.32 - 192.168.15.47 to any destination: the wildcard 0.0.0.15 leaves the low four bits of the last octet unchecked, so sixteen addresses starting at .32 match. The second statement permits everything else.

We need the two packets that are denied when routed out of S0/0. Only two match the deny statement:
source 192.168.15.36, destination port 23 (D) is inside the range and goes to Telnet, so it is denied;
source 192.168.15.46, destination port 23 (E) also matches, so it is denied.

B and C come from the range but go to port 21 (FTP), so they fall through to the permit. A and F are outside the range: 192.168.15.49 belongs to the next block of sixteen (.48 - .63).

Question 3:
Refer to the exhibit. Why would the network administrator configure RA in this manner?


A: to give students access to the Internet
B: to prevent students from accessing the command prompt of RA
C: to prevent administrators from accessing the console of RA
D: to give administrators access to the Internet
E: to prevent students from accessing the Internet
F: to prevent students from accessing the Admin network

Answers: B

Explanation:
The configuration entered on RA restricts Telnet (vty) access to the router to the Admin network (10.1.1.0) by means of access-list 2. Because every access list ends with an implicit deny any, all other sources, the students included, are refused a login to RA's command prompt. Note that a list applied to the vty lines only controls who may log in to RA; it does not filter traffic passing through the router, so it neither grants nor blocks Internet access.

Question 4:
What is the function of the Cisco IOS command ip nat inside source static 10.1.1.5 172.35.16.5?
A: It creates a global address pool for all outside NAT transactions.
B: It establishes a dynamic address pool for an inside static address.
C: It creates dynamic source translations for all inside local PAT transactions.
D: It creates a one-to-one mapping between an inside local address and an inside global address.
E: It maps one inside source address to a range of outside global addresses.

Answers: D

Explanation:
This command creates a static NAT entry that maps the inside local address 10.1.1.5 to the inside global address 172.35.16.5. The mapping is one-to-one and works in both directions: the source address is translated on traffic leaving the inside interface, and the destination address is translated back on traffic returning from the outside, so the inside host is also reachable from outside at 172.35.16.5.

Question 5:
What is the effect of the following access list condition?

access-list 101 permit ip 10.25.30.0 0.0.0.255 any

A: permit all packets matching the first three octets of the source address to all destinations
B: permit all packets matching the last octet of the destination address and accept all source addresses
C: permit all packets from the third subnet of the network address to all destinations
D: permit all packets matching the host bits in the source address to all destinations
E: permit all packets to destinations matching the first three octets in the destination address

Answers: A

Explanation:
In a wildcard mask a 0 bit means the corresponding address bit must match exactly, and a 1 bit means it is ignored.

For this statement the wildcard 0.0.0.255 requires the first three octets of the source address to equal 10.25.30; the last octet can be anything.

The destination is any, so the statement permits all packets whose source matches the first three octets, to all destinations.

Question 6:
What does the "Inside Global" address represent in the configuration of NAT?

A: the summarized address for all of the internal subnetted addresses
B: the MAC address of the router used by inside hosts to connect to the Internet
C: a globally unique, private IP address assigned to a host on the inside network
D: a registered address that represents an inside host to an outside network

Answers: D

Explanation:
Inside global address: a legitimate (registered) IP address, assigned by the NIC or the service provider, that represents one or more inside local IP addresses to the outside world.

Question 7:
What three pieces of information can be used in an extended access list to filter traffic? (Choose three.)

A: protocol
B: VLAN number
C: TCP or UDP port numbers
D: source switch port number
E: source IP address and destination IP address
F: source MAC address and destination MAC address

Answers: A, C, E

Question 8:
An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

A: access-list 10 permit 172.29.16.0 0.0.0.255
B: access-list 10 permit 172.29.16.0 0.0.1.255
C: access-list 10 permit 172.29.16.0 0.0.3.255
D: access-list 10 permit 172.29.16.0 0.0.15.255
E: access-list 10 permit 172.29.0.0 0.0.255.255

Answers: C

Explanation:
To merge the four statements into one with exactly the same effect we need the network address that is common to all four and a wildcard mask that frees every bit in which they differ.

New network: bitwise AND the four addresses. A result bit is 1 only when that bit is 1 in all four inputs.

AND truth table (A, B = output): 0,0 = 0; 0,1 = 0; 1,0 = 0; 1,1 = 1

172.29.16.0 = 10101100.00011101.00010000.00000000
172.29.17.0 = 10101100.00011101.00010001.00000000
172.29.18.0 = 10101100.00011101.00010010.00000000
172.29.19.0 = 10101100.00011101.00010011.00000000
-----------------------------------------------------
AND         = 10101100.00011101.00010000.00000000 = 172.29.16.0

The new network after the AND operation is 172.29.16.0.

New wildcard mask: a wildcard bit must be 1 wherever the four addresses disagree. Compare each bit column: the first two octets are identical in all four, and in the third octet only the two low-order bits vary (00, 01, 10, 11), so the third octet of the wildcard is 00000011 = 3. This is "bits that differ", not a plain XOR chained over the four addresses (16 XOR 17 XOR 18 XOR 19 is 0). An equivalent way to compute it is to OR all four addresses and XOR that with the AND: 172.29.19.0 XOR 172.29.16.0 = 0.0.3.0.

172.29.16.x = 10101100.00011101.00010000.x
172.29.17.x = 10101100.00011101.00010001.x
172.29.18.x = 10101100.00011101.00010010.x
172.29.19.x = 10101100.00011101.00010011.x
-----------------------------------------------
differing   = 00000000.00000000.00000011.x = 0.0.3.x

Each original statement already matched the whole last octet (wildcard 0.0.0.255), so the last octet of the new wildcard stays 255. The new wildcard mask is 0.0.3.255.

The complete single ACL statement with the new network and wildcard mask that matches all four networks is
access-list 10 permit 172.29.16.0 0.0.3.255

This merge is exact only because the four networks form a contiguous, aligned block: two freed bits match 2^2 = 4 values and all four of them are listed. If only three of the networks were listed, the same procedure would still give 0.0.3.255 and the merged statement would also match 172.29.19.0, which would not be "exactly the same effect".
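The merging procedure above, as an added Python example (not part of the original post): it computes the common network with AND, finds the differing bits as OR XOR AND, folds in each statement's own wildcard, and then checks whether the merged statement matches exactly the union of the originals or over-matches. The helper names (summarize, addresses) and the three-network case are my own construction; the exactness check is the step a practitioner wants before replacing several ACL lines with one.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def addresses(network, wildcard):
    """Enumerate every address matched by a network/wildcard pair.
    Wildcard bits need not be contiguous, so walk every combination of them."""
    bits = [1 << i for i in range(32) if (wildcard >> i) & 1]
    if len(bits) > 16:
        raise ValueError("wildcard too wide to enumerate")
    base = network & ~wildcard & MASK32
    for k in range(1 << len(bits)):
        addr = base
        for j, bit in enumerate(bits):
            if (k >> j) & 1:
                addr |= bit
        yield addr


def summarize(entries):
    """entries: list of (network, wildcard) dotted strings from standard ACL statements.
    Returns (network, wildcard, exact): the single statement covering all of them and
    whether it matches exactly the union of the originals (False means it over-matches)."""
    nets = [to_int(n) for n, _ in entries]
    wilds = [to_int(w) for _, w in entries]
    and_all, or_all = MASK32, 0
    for n in nets:
        and_all &= n
        or_all |= n
    # Bits identical in every network stay fixed; bits that differ anywhere must
    # become wildcard bits. OR ^ AND is exactly that set (a chained XOR is not:
    # 16 ^ 17 ^ 18 ^ 19 == 0).
    wildcard = or_all ^ and_all
    for w in wilds:
        wildcard |= w  # keep the bits each statement already wildcarded
    network = and_all & ~wildcard & MASK32
    union = set()
    for n, w in zip(nets, wilds):
        union.update(addresses(n, w))
    # A network/wildcard pair matches 2**popcount(wildcard) addresses.
    exact = (1 << bin(wildcard).count("1")) == len(union)
    return to_dotted(network), to_dotted(wildcard), exact


if __name__ == "__main__":
    four = [("172.29.%d.0" % i, "0.0.0.255") for i in (16, 17, 18, 19)]
    print(summarize(four))       # ('172.29.16.0', '0.0.3.255', True)
    print(summarize(four[:3]))   # ('172.29.16.0', '0.0.3.255', False): also matches 172.29.19.0/24
```

The False result for the three-network case is the warning sign: the arithmetic still produces a tidy statement, but it now permits a /24 that none of the original lines did.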

Question 9:
An inbound access list has been configured on a serial interface to deny packet entry for TCP and UDP ports 21, 23 and 25. What types of packets will be permitted by this ACL? (Choose three.)

A:FTP
B:Telnet
C:SMTP
D:DNS
E:HTTP
F:POP3

Answers: D, E, F

Explanation:
The ACL denies TCP and UDP ports 21, 23 and 25.
21 = FTP; 23 = Telnet; 25 = SMTP
DNS (53), HTTP (80) and POP3 (110) are not denied, so they are permitted, provided the list ends with a permit statement such as permit ip any any. An access list made up only of deny statements blocks everything, because of the implicit deny any at the end.

Question 10:
Refer to the exhibit. The FMJ manufacturing company is concerned about unauthorized access to the Payroll Server. The Accounting1, CEO, Mgr1, and Mgr2 workstations should be the only computers with access to the Payroll Server. What two technologies should be implemented to help prevent unauthorized access to the server? (Choose two.)



A: access lists
B: encrypted router passwords
C: STP
D: VLANs
E: VTP
F: wireless LANs

Answers: A, D

Explanation:
An access list is applied on the routed interface in front of the Payroll Server to permit only the Accounting1, CEO, Mgr1 and Mgr2 workstations and deny every other source.
A VLAN containing only those four workstations and the Payroll Server puts them in a separate broadcast domain, so other hosts cannot reach the server at Layer 2 and must cross a routed boundary where the access list is enforced.

Question 11:
A network administrator would like to implement NAT in the network shown in the graphic to allow inside hosts to use a private addressing scheme. Where should NAT be configured?



A: Corporate router
B: Engineering router
C: Sales router
D: all routers
E: all routers and switches

Answers: A

Explanation:
NAT is configured on the router that sits at the boundary between the privately addressed inside network and the outside network, because that is where addresses are translated as traffic crosses. In the graphic that is the Corporate router, which connects the internal networks to the outside; the Engineering and Sales routers only forward private addresses internally and do not need NAT.

Question 12:

An access list has been designed to prevent HTTP traffic from the Accounting Department from reaching the HR server attached to the Holyoke router. Which of the following access lists will accomplish this task when grouped with the e0 interface on the Chicopee router?




A: permit ip any any
deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
B: permit ip any any
deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 80
C: deny tcp 172.17.17.252 0.0.0.0 172.16.16.0 0.0.0.255 eq 80
permit ip any any
D: deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
permit ip any any

Answers: D


Explanation:
We need an ACL that denies the Accounting department network HTTP access to the HR server and permits everything else.

Source address is the Accounting department network: 172.16.16.0, mask 255.255.255.0 (wildcard 0.0.0.255)
Destination address is the HR server: 172.17.17.252 (wildcard 0.0.0.0, which can also be written host 172.17.17.252)
Destination port for HTTP traffic: 80

First create the deny statement:
access-list 100 deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80

Since there is an implicit deny any any at the end of every ACL, the remaining traffic must be permitted explicitly:
access-list 100 permit ip any any

Order matters: the list is evaluated top down and the first match wins. Options A and B put permit ip any any first, so their deny line is never reached, and options B and C have source and destination reversed.
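Question 2 and Question 12 both come down to the same mechanics: the wildcard comparison from Question 5, first-match evaluation, and the implicit deny at the end of the list. Here is an added Python example (not code from the original page) that parses the IOS-style extended ACL lines quoted above and evaluates packets against them. It runs the six Question 2 packets and both orderings of the Question 12 list, and also shows the Question 9 caveat that a list with only deny statements drops everything. The destination host 10.0.0.1, the Accounting host 172.16.16.10 and the port-22 packet are constructed inputs; the parser only understands the eq port operator and the port names used on this page.

```python
import ipaddress

MASK32 = 0xFFFFFFFF
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of tokens."""
    if tokens[0] == "any":
        return (0, MASK32), tokens[1:]
    if tokens[0] == "host":
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq PORT' (number or well-known name); only eq is supported."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, rest = parse_addr(tok[4:])
        sport, rest = parse_port(rest)
        dst, rest = parse_addr(rest)
        dport, rest = parse_port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def addr_match(addr, spec):
    network, wildcard = spec
    # Wildcard 0 bits must match exactly; 1 bits are ignored.
    return (addr & ~wildcard) == (network & ~wildcard)

def evaluate(entries, pkt):
    """First matching entry decides; every ACL ends with an implicit 'deny ip any any'."""
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not addr_match(to_int(pkt["src"]), src) or not addr_match(to_int(pkt["dst"]), dst):
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action
    return "deny"

# Question 2 list (applied outbound on RTB S0/0)
ACL_101 = """
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any
"""
# Question 12: option D (correct) and option A (same lines, wrong order)
ACL_100_D = """
access-list 100 deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
access-list 100 permit ip any any
"""
ACL_100_A = """
access-list 100 permit ip any any
access-list 100 deny tcp 172.16.16.0 0.0.0.255 172.17.17.252 0.0.0.0 eq 80
"""

def q2_results():
    """The six Question 2 packets; destination 10.0.0.1 is a constructed placeholder."""
    acl = parse_acl(ACL_101)
    candidates = {"A": ("192.168.15.5", 21), "B": ("192.168.15.37", 21), "C": ("192.168.15.41", 21),
                  "D": ("192.168.15.36", 23), "E": ("192.168.15.46", 23), "F": ("192.168.15.49", 23)}
    return {k: evaluate(acl, {"proto": "tcp", "src": s, "dst": "10.0.0.1", "dport": p})
            for k, (s, p) in candidates.items()}

def q12_results(acl_text):
    """HTTP and a non-HTTP (port 22) packet from a constructed Accounting host to the HR server."""
    acl = parse_acl(acl_text)
    hr = "172.17.17.252"
    http = {"proto": "tcp", "src": "172.16.16.10", "dst": hr, "dport": 80}
    other = {"proto": "tcp", "src": "172.16.16.10", "dst": hr, "dport": 22}
    return evaluate(acl, http), evaluate(acl, other)

if __name__ == "__main__":
    print(q2_results())             # D and E denied, the rest permitted
    print(q12_results(ACL_100_D))   # ('deny', 'permit')
    print(q12_results(ACL_100_A))   # ('permit', 'permit'): the deny line is never reached
```

The two Question 12 runs make the ordering point concrete: with permit ip any any on top, the deny statement is unreachable and HTTP to the HR server is allowed. Feeding evaluate a list that contains only deny lines returns "deny" for every packet, which is the Question 9 caveat.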
