
Scenario-based practice

Access Control List (ACL) Scenarios

Practise 200-301 ACL questions covering standard vs extended ACLs, top-down processing, implicit deny, inbound vs outbound placement, and troubleshooting traffic that is unexpectedly blocked or permitted.

15 scenario questions | Exam code: 200-301 | Vendor: Cisco

Scenario guide

How to approach Access Control List (ACL) scenarios

ACL questions test your ability to read, write, and place access lists correctly. They appear as configuration tasks, troubleshooting scenarios, and exhibit-based questions showing ACL output. The CCNA covers standard and extended ACLs for both IPv4 and IPv6.

Quick answer

ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.

Standard versus extended ACL behaviour.

Top-down processing and the implicit deny rule.

Source, destination, protocol and port matching.

Inbound versus outbound ACL placement.
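The four points above are easiest to internalise by watching an ACL evaluate real packets. The following is an added example, not code from Courseiva or from Cisco IOS: a small Python model of numbered IPv4 ACLs that implements wildcard-mask matching, top-down first-match processing and the implicit deny at the end of the list. The ACL and packets it runs against are constructed for the example and do not correspond to any question on this page; the keyword-to-port table is a deliberately small subset of the IOS keywords.

```python
"""Tiny Cisco-style IPv4 ACL evaluator (added example, not Courseiva's code).

Models what the CCNA scenarios test: wildcard masks, top-down first-match
processing, and the implicit deny at the end of every ACL. Only a subset of
ACE syntax is handled: numbered standard and extended ACLs using
any / host / address+wildcard, with an optional 'eq <port>' on the destination.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")          # address/wildcard pair matching everything
# Assumption: a small subset of the IOS port keywords, enough for the example
PORT_KEYWORDS = {"ssh": 22, "telnet": 23, "domain": 53, "www": 80, "https": 443}


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care (the inverse of a netmask)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address an address/wildcard pair can match."""
    lo = _ip(base) & ~_ip(wildcard) & 0xFFFFFFFF
    hi = lo | _ip(wildcard)
    return str(IPv4Address(lo)), str(IPv4Address(hi))


@dataclass
class Ace:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip' (any protocol), 'tcp', 'udp' or 'icmp'
    src: Tuple[str, str]        # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int]        # destination port from 'eq', else None


def _parse_addr(tokens, i, wildcard_optional):
    """Parse 'any' | 'host X' | 'X W' (or bare 'X' in a standard ACL) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if wildcard_optional and i + 1 >= len(tokens):
        return (tokens[i], "0.0.0.0"), i + 1      # bare host address, standard ACL only
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard ACL: source only
        src, _ = _parse_addr(t, 3, wildcard_optional=True)
        return Ace(action, "ip", src, ANY, None)
    proto = t[3]                                       # extended ACL
    src, i = _parse_addr(t, 4, wildcard_optional=False)
    dst, i = _parse_addr(t, i, wildcard_optional=False)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = int(port) if port.isdigit() else PORT_KEYWORDS[port]
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str):
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]


def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace.src):
        return False
    if not wildcard_match(pkt["dst"], *ace.dst):
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    return True


def evaluate(acl, pkt: dict):
    """Top-down, first match wins; returns (action, 1-based ACE number or None)."""
    for n, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, n
    return "deny", None          # the implicit 'deny any' that ends every ACL


# Constructed sample ACL and packets (not taken from any question on this page)
ACL_110 = parse_acl("""
access-list 110 deny   tcp 172.16.5.0 0.0.0.255 host 172.16.9.10 eq 23
access-list 110 permit tcp 172.16.5.0 0.0.0.255 host 172.16.9.10 eq 22
access-list 110 permit ip  172.16.5.0 0.0.0.255 any
""")
TELNET = {"proto": "tcp", "src": "172.16.5.7", "dst": "172.16.9.10", "dport": 23}
SSH = {"proto": "tcp", "src": "172.16.5.7", "dst": "172.16.9.10", "dport": 22}
WEB = {"proto": "tcp", "src": "172.16.5.7", "dst": "10.9.9.9", "dport": 80}
PING = {"proto": "icmp", "src": "172.16.7.1", "dst": "172.16.9.10"}

if __name__ == "__main__":
    for name, pkt in [("telnet", TELNET), ("ssh", SSH), ("web", WEB), ("ping, other subnet", PING)]:
        print(f"{name:20s} -> {evaluate(ACL_110, pkt)}")
    # Same three ACEs in the wrong order: the broad permit now shadows the Telnet deny
    print(f"{'telnet, reordered':20s} -> {evaluate(list(reversed(ACL_110)), TELNET)}")
    print("10.0.0.64 0.0.0.15 covers", wildcard_range("10.0.0.64", "0.0.0.15"))
```

The ping from 172.16.7.1 hits no ACE and is dropped by the implicit deny, which is why a troubleshooting question with an "ACL that only has permit lines" can still block traffic; reversing the list shows why ACE order, not just ACE content, decides the outcome.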


Practice set

Practice scenarios

You are connected to R1 in a small office network. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the public IP 203.0.113.1 (the IP assigned to interface G0/0). Also configure a static NAT for the internal web server at 192.168.1.10 to the public IP 203.0.113.6. The current configuration has errors: the inside/outside interface assignments are swapped, the ACL for PAT does not match the inside subnet, and the PAT rule points to the wrong ACL. Fix all issues so that both PAT and static NAT work correctly.

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.6 80
!
ip nat inside source list 2 interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255

Question 2 (hard, multiple choice)
Read the full NAT/PAT explanation →

A branch router is configured for NAT overload. The inside interface Gi0/0 is correctly marked ip nat inside, and the outside interface Gi0/1 is ip nat outside. The NAT statement uses access-list 1 permit 10.1.1.0 0.0.0.255 with ip nat inside source list 1 interface Gi0/1 overload. Inside hosts are in the 192.168.1.0/24 subnet and still reach the ISP with their private addresses. What is the most likely reason?

Exhibit

access-list 1 permit 10.10.20.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload

interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside

interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

Users are in 10.10.10.0/24.

Question 3 (medium, multiple choice)
Read the full NAT/PAT explanation →

Refer to the exhibit. Users on the inside network can browse the web, but return traffic is failing for some sessions. A partial configuration shows:

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.10.0 0.0.0.255

Based on this configuration, which change is required to make PAT work correctly?

Exhibit

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.252
 ip nat inside
!
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload

Question 4 (hard, multiple choice)
Full question →

An administrator wants to permit SSH management access but block Telnet access to a device. Which statement best reflects that design goal?

Question 5 (hard, multiple choice)
Study the full ACL explanation →

An administrator wants to prevent users from browsing to one specific web server while still allowing them to reach other web destinations. Which ACL design principle is most important here?

Question 6 (medium, multi select)
Study the full ACL explanation →

A network team wants an ACL that permits HTTPS from 10.1.50.0/24 to a web server at 203.0.113.10 and denies all Telnet traffic from that subnet to any destination. Which two ACEs are required?

Question 7 (hard, multiple choice)
Study the full ACL explanation →

A standard ACL and an extended ACL are both available for a design. Which requirement most strongly indicates that an extended ACL is needed?

Question 8 (medium, multiple choice)
Study the full ACL explanation →

An ACL entry reads:

access-list 25 permit 192.168.8.0 0.0.0.15

Which address range does this statement match?

Question 9 (hard, multiple choice)
Study the full ACL explanation →

An ACL is intended to block Telnet from 10.1.1.0/24 to router VTY access while still allowing SSH from the same subnet. Which statement best explains why an extended ACL is appropriate here?

Question 10 (easy, multiple choice)
Study the full ACL explanation →

An ACL on R1 contains only these entries:

access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit icmp any any

What happens to an HTTP packet sourced from 10.10.10.25 and destined for 198.51.100.10 if ACL 101 is applied in the traffic path?

Question 11 (hard, multiple choice)
Study the full ACL explanation →

A named standard ACL is configured to permit only the 192.168.30.0/24 subnet, but users from 192.168.31.0/24 are still passing traffic. What is the most likely reason?

Exhibit

ip access-list standard USERS_ONLY
 permit 192.168.30.0 0.0.0.255
 deny any

interface g0/1
 ip access-group USERS_ONLY out

Question 12 (medium, drag order)
Study the full ACL explanation →

Drag and drop the following steps into the correct order to configure and apply an extended IPv4 ACL on a Cisco router to block Telnet traffic from subnet 192.168.1.0/24 to host 10.0.0.1 and permit all other IP traffic.

Question 13 (hard, scenario)
Study the full ACL explanation →

You are connected to R1. The network has a web server at 203.0.113.10 and a DNS server at 203.0.113.20. Hosts in the 192.168.1.0/24 subnet should be able to access HTTP to the web server and DNS queries to the DNS server, but all other traffic from that subnet to the servers must be blocked. Configure an extended ACL on R1 to achieve this, and apply it inbound on the correct interface. The current configuration is shown below.

Exhibit

hostname R1
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!

Question 14 (hard, scenario)
Study the full ACL explanation →

You are connected to R1. The network has two routers (R1 and R2) connected via a serial link (S0/0/0). R1's GigabitEthernet0/0 connects to the 192.168.1.0/24 LAN. An extended ACL must be configured on R1 to permit only HTTPS traffic (TCP port 443) from host 192.168.1.10 to server 203.0.113.5 (reachable via R2), and deny all other traffic from the LAN to the server. Currently, the ACL is applied inbound on G0/0 but valid HTTPS traffic is being blocked. Troubleshoot and fix the configuration.

Exhibit

R1# show running-config | section interface GigabitEthernet0/0
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group BLOCK_SERVER in
 duplex auto
 speed auto
!
R1# show running-config | section ip access-list
ip access-list extended BLOCK_SERVER
 deny tcp any host 203.0.113.5 eq 80
 permit ip any any
!

Question 15 (hard, scenario)
Study the full ACL explanation →

You are connected to R1. The network has two routers (R1, R2) and a switch (SW1) in between. R1's G0/0 connects to SW1 (192.168.1.1/24), SW1 connects to R2's G0/0 (192.168.1.2/24). R2 has a loopback (Lo0: 203.0.113.1/32) used as a management address. Configure an extended ACL on R1 so that only SSH (TCP/22) traffic from the 10.0.0.0/24 network is permitted to reach R2's loopback; all other traffic to that loopback must be denied. Then apply the ACL in the correct direction on the correct interface.

Exhibit

R1# show running-config | section interface
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
R1# show ip route
Codes: L - local, C - connected, S - static
      10.0.0.0/24 is subnetted, 1 subnets
C        10.0.0.0/24 is directly connected, GigabitEthernet0/1
      192.168.1.0/24 is subnetted, 1 subnets
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
      203.0.113.1/32 [1/0] via 192.168.1.2

These 200-301 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 200-301 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.