Implement, verify and troubleshoot NAT and ACLs
These questions are based on 642-816 – Interconnecting Cisco Networking Devices Part 2.
Objective: Implement, verify and troubleshoot NAT and ACLs in a medium-size Enterprise branch office network
Sub-Objective: Describe the purpose and types of access control lists
Single Answer, Multiple Choice
Which access list will permit all HTTP sessions to subnet 192.168.144.0/24 containing Web servers?
- access-list 110 permit udp any 192.168.144.0 eq 80
- access-list 10 permit tcp 192.168.144.0 255.255.255.0 eq www
- access-list 110 permit tcp any 192.168.144.0 0.0.0.255 eq 80
- access-list 10 permit udp any 192.168.144.0 255.255.255.0 eq 80
C. access-list 110 permit tcp any 192.168.144.0 0.0.0.255 eq 80
The access-list 110 permit tcp any 192.168.144.0 0.0.0.255 eq 80 command is syntactically correct. HTTP sessions for a destination subnet 192.168.144.0/24 need to be permitted, and therefore, an extended IP access list is required. Access list number 110 is in the range of extended IP access lists. All HTTP sessions are permitted by using source address and wildcard mask 0.0.0.255 indicated in the whole 192.168.144/24 subnet.
The command access-list 110 permit udp any 192.168.144.0 eq 80 is incorrect because a wildcard mask is not provided for the subnet. HTTP uses TCP, not UDP.
Access list number 10 is in the range of a standard IP access list and filter traffic on the basis of only source IP address. These access lists cannot permit or deny traffic for a destination network 192.168.144.0/24. Standard IP access lists cannot filter traffic on the basis of Layer 4 protocol, whether TCP or UDP.
CCNA Self-Study CCNA ICND Exam Certification Guide, Chapter 12: IP Access Control List Security, pp. 439-440.