04-28-2021, 08:52 PM
(04-28-2021, 06:51 PM) tminerd wrote: I have an issue with two questions that appear to be identical but with different answers:
EC378 - A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?
My answer: permit tcp host 209.165.201.25 host 209.165.200.225 eq 80
Correct answer: permit tcp host 209.165.200.225 eq 80 host 209.165.201.25.
I can accept that as the correct answer except we are trying to permit the client to access the web server here, not the other way around. The source should be 209.165.201.25.
EC072 - A client with IP address 209.165.201.25 must access a web server on port 80 at 209.165.200.225. To allow this traffic, an engineer must add a statement to an access control list that is applied in the inbound direction on the port connecting to the web server. Which statement allows this traffic?
This question is identical to EC378, but I actually got this answer correct where I didn't previously. I will try this in a test environment and let you know the result, but I'm suspecting that the answer should be the same for both of these, or we need to simply remove the duplicate question.
Ok, so the answer to EC378 is correct. I tested this with a configuration but using port 22 instead of 80 to test. If the ACL is applied inbound on the interface connected to the web server, you must specify the server first in the ACE. Technically, you would want to apply your ACL closest to the source, but in this case, the source becomes the web server with the extended ACL applied closest to the source. We should throw out EC072 as it is a duplicate question with an incorrect answer.
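The direction point discussed in this thread, as an added example that is not part of the original posts: a minimal ACE matcher that evaluates both candidate statements against the packets an inbound ACL on the server-facing port actually sees. The helper names, the ephemeral port 49152, and the rule that only server-sourced packets enter on that port are assumptions of this sketch, and the parser handles only the `host ... [eq N]` form quoted above.

```python
from dataclasses import dataclass
from typing import Optional

SERVER, CLIENT = "209.165.200.225", "209.165.201.25"  # addresses from the question

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str
    src: str
    sport: Optional[int]  # None: no "eq" on that side, so any port matches
    dst: str
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def parse_ace(text: str) -> Ace:
    """Parse only the 'ACTION tcp host A [eq N] host B [eq N]' form from the thread."""
    tok = text.rstrip(".").split()
    if len(tok) < 6 or tok[1] != "tcp":
        raise ValueError("unsupported ACE: " + text)
    i, ends = 2, []
    for _ in range(2):  # source endpoint first, then destination
        if i + 1 >= len(tok) or tok[i] != "host":
            raise ValueError("unsupported ACE: " + text)
        addr, port, i = tok[i + 1], None, i + 2
        if i + 1 < len(tok) and tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        ends.append((addr, port))
    return Ace(tok[0], ends[0][0], ends[0][1], ends[1][0], ends[1][1])

# Constructed packets; 49152 is an arbitrary ephemeral client port.
REQUEST = Packet(CLIENT, 49152, SERVER, 80)
REPLY = Packet(SERVER, 80, CLIENT, 49152)

def inbound_verdicts(ace_text: str) -> dict:
    """Verdicts for the packets that enter the router on the server-facing port."""
    ace, out = parse_ace(ace_text), {}
    for name, p in (("request", REQUEST), ("reply", REPLY)):
        if p.src != SERVER:
            continue  # enters on another interface; this inbound ACL never sees it
        out[name] = ace.action if ace.matches(p) else "deny"  # implicit deny
    return out
```

Only the server's reply is evaluated by this ACL, so the statement with the server as source permits it, while the client-first statement matches nothing and the reply falls through to the implicit deny.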