
CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

R1# show running-config | section interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group BLOCK_SERVER in
 duplex auto
 speed auto
!
R1# show running-config | section ip access-list
ip access-list extended BLOCK_SERVER
 deny tcp any host 203.0.113.5 eq 80
 permit ip any any
!

You are connected to R1. The network has two routers (R1 and R2) connected via a serial link (S0/0/0). R1's GigabitEthernet0/0 connects to the 192.168.1.0/24 LAN. An extended ACL must be configured on R1 to permit only HTTPS traffic (TCP port 443) from host 192.168.1.10 to server 203.0.113.5 (reachable via R2), and deny all other traffic from the LAN to the server. Currently, the ACL is applied inbound on G0/0 but valid HTTPS traffic is being blocked. Troubleshoot and fix the configuration.


Correct answer & explanation

The ACL is missing an explicit permit statement for HTTPS traffic from host 192.168.1.10 to server 203.0.113.5, and the current permit ip any any allows all traffic, including HTTP, which violates the requirement to deny HTTP.

The ACL BLOCK_SERVER is intended to block HTTP (port 80) to the server but permit HTTPS (port 443). However, the ACL denies TCP traffic to port 80 from any source, but the permit ip any any statement permits all IP traffic, including HTTPS. The implicit deny at the end would block HTTPS only if the permit were removed.

The actual fault is that the ACL is applied inbound on G0/0, but the source address for traffic from the LAN is 192.168.1.10 (not any), and the destination port is 443 (not 80). The current ACL permits all traffic, including HTTPS, so the problem must be that the ACL is too permissive (allowing HTTP) or that the implicit deny is blocking HTTPS due to a misordering. In this case, the ACL is actually permitting everything (including HTTP) because of permit ip any any.

To fix, the ACL should explicitly permit HTTPS from host 192.168.1.10, deny HTTP from that host, and deny all other traffic to the server, with a permit ip any any only for other destinations. The correct sequence:

 permit tcp host 192.168.1.10 host 203.0.113.5 eq 443
 deny tcp host 192.168.1.10 host 203.0.113.5 eq 80
 permit ip any any
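Added example (not part of the original page and not Cisco code): a small Python model of first-match ACL evaluation with the implicit deny, showing which line decides each packet for the exhibit ACL, for the three-line sequence given above, and for a variant that writes the explanation's "deny all other traffic to the server" as its own line. The packet set, host 192.168.1.20 and destination 198.51.100.7 are constructed, and only host addresses, `any` and `eq` ports are modeled.

```python
import ipaddress

# One ACE = (action, protocol, source, destination, destination port or None).
# "any" matches every address; anything else is a single host, as in the exhibit.
EXHIBIT = [
    ("deny", "tcp", "any", "203.0.113.5", 80),
    ("permit", "ip", "any", "any", None),
]
PAGE_SEQUENCE = [
    ("permit", "tcp", "192.168.1.10", "203.0.113.5", 443),
    ("deny", "tcp", "192.168.1.10", "203.0.113.5", 80),
    ("permit", "ip", "any", "any", None),
]
# Assumption: the prose's "deny all other traffic to the server" written as an ACE
# and placed ahead of the final permit.
WITH_SERVER_DENY = PAGE_SEQUENCE[:2] + [
    ("deny", "ip", "any", "203.0.113.5", None),
    ("permit", "ip", "any", "any", None),
]

# Constructed test packets: (protocol, source, destination, destination port).
PACKETS = {
    "https .10 -> server": ("tcp", "192.168.1.10", "203.0.113.5", 443),
    "http  .10 -> server": ("tcp", "192.168.1.10", "203.0.113.5", 80),
    "https .20 -> server": ("tcp", "192.168.1.20", "203.0.113.5", 443),
    "icmp  .10 -> server": ("icmp", "192.168.1.10", "203.0.113.5", None),
    "https .20 -> other": ("tcp", "192.168.1.20", "198.51.100.7", 443),
}

def addr_match(rule, addr):
    return rule == "any" or ipaddress.ip_address(rule) == ipaddress.ip_address(addr)

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; returns (action, 1-based line) or ('deny', None) for the implicit deny."""
    for line, (action, r_proto, r_src, r_dst, r_port) in enumerate(acl, 1):
        if (r_proto in ("ip", proto) and addr_match(r_src, src)
                and addr_match(r_dst, dst) and r_port in (None, dport)):
            return action, line
    return "deny", None

def verdicts(acl):
    return {name: evaluate(acl, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("exhibit", EXHIBIT), ("page sequence", PAGE_SEQUENCE),
                       ("with server deny", WITH_SERVER_DENY)):
        for name, (action, line) in verdicts(acl).items():
            print(f"{label:17} {name:20} {action:6} line={line}")
```

Comparing the matching line number across the three lists is the same check as reading the per-entry match counters in `show access-lists` on the router after sending test traffic.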

Key principle: NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The ACL is missing an explicit permit statement for HTTPS traffic from host 192.168.1.10 to server 203.0.113.5, and the current permit ip any any allows all traffic, including HTTP, which violates the requirement to deny HTTP.

    Why this is correct

    The correct fix is to add a permit statement for HTTPS (TCP port 443) from the specific host to the server, and then deny HTTP (port 80) from that host to the server, while still allowing other traffic with permit ip any any. The current ACL permits everything, so HTTPS is allowed, but HTTP is also allowed, which should be denied. The problem described says HTTPS is blocked, which suggests the ACL might be misapplied or the implicit deny is blocking HTTPS if the permit ip any any is removed. However, the most likely issue is that the ACL is too permissive and does not meet the requirement to deny HTTP. To fix, the ACL should explicitly permit HTTPS and deny HTTP from that host.

    Related concept

    Static NAT maps one inside address to one outside address.

  • The ACL is applied inbound on G0/0, but it should be applied outbound on G0/0 to filter traffic leaving the LAN.

    Why it's wrong here

    This is incorrect because applying the ACL inbound on G0/0 is appropriate for filtering traffic entering the router from the LAN. The traffic from the LAN to the server enters R1 via G0/0, so inbound application is correct.

  • The ACL should be applied to the serial interface S0/0/0 instead of G0/0 to filter traffic going to R2.

    Why it's wrong here

    This is incorrect because applying the ACL on S0/0/0 would filter traffic after it has already been routed, but the requirement is to filter traffic from the LAN before it leaves the router. Applying on G0/0 inbound is more efficient and standard.

  • The ACL is missing a deny statement for all other traffic from the LAN to the server, and the permit ip any any allows everything, including unwanted traffic.

    Why it's wrong here

    This is incorrect because the requirement is to permit only HTTPS and deny all other traffic from the LAN to the server. The current ACL permits all traffic (including HTTPS) but also permits HTTP and other traffic to the server. However, the problem states that HTTPS is blocked, not that HTTP is allowed. So the issue is not that other traffic is allowed, but that HTTPS is blocked. The missing deny statement for other traffic is not the cause of HTTPS being blocked.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

The ACL is missing an explicit permit statement for HTTPS traffic from host 192.168.1.10 to server 203.0.113.5, and the current permit ip any any allows all traffic, including HTTP, which violates the requirement to deny HTTP. (Correct answer)


The ACL is applied inbound on G0/0, but it should be applied outbound on G0/0 to filter traffic leaving the LAN. (Wrong answer)

Why this is wrong here

The direction of ACL application is correct; inbound on the interface where traffic enters the router is standard for filtering traffic from the LAN.

Why candidates choose this

Candidates often confuse inbound and outbound ACL application, thinking that outbound is needed to filter traffic going out to the server.

The ACL should be applied to the serial interface S0/0/0 instead of G0/0 to filter traffic going to R2. (Wrong answer)

Why this is wrong here

ACLs should be applied as close to the source as possible to deny traffic early. Applying on the serial interface would still work but is less efficient and not the best practice.

Why candidates choose this

Candidates might think that since the server is reachable via R2, the ACL should be on the serial link to R2.

The ACL is missing a deny statement for all other traffic from the LAN to the server, and the permit ip any any allows everything, including unwanted traffic. (Wrong answer)

Why this is wrong here

The permit ip any any allows all traffic, so HTTPS should be allowed. The problem says HTTPS is blocked, so the issue must be something else, like a missing explicit permit or a misordering.

Why candidates choose this

Candidates might think that because the ACL does not explicitly permit HTTPS, it is blocked by the implicit deny, but the permit ip any any overrides that.

Analysis generated from the official 200-301 blueprint and verified against question context.

Common exam traps

Common exam trap: NAT rules depend on direction and matching traffic

NAT is not only about the public address. The inside/outside interface roles and the ACL or rule that matches traffic are just as important.

Detailed technical explanation

How to think about this question

NAT questions usually test address translation, overload/PAT behaviour, static mappings and whether the right traffic is being translated. Read the interface direction and address terms carefully.

Key Concepts to Remember

  • Static NAT maps one inside address to one outside address.
  • PAT allows many inside hosts to share one public address using ports.
  • Inside local and inside global describe the private and translated addresses.
  • NAT ACLs identify traffic for translation, not always security filtering.

Exam Day Tips

  • Identify inside and outside interfaces first.
  • Check whether the scenario needs static NAT, dynamic NAT or PAT.
  • Do not confuse NAT matching ACLs with normal packet-filtering intent.

Key takeaway

NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Review the four NAT address types (inside local, inside global, outside local, outside global), PAT port overload, and static vs dynamic NAT use cases. Then practise related 200-301 NAT questions on configuration and troubleshooting.



About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 6, 2026
