
Scenario-based practice

Access Control List (ACL) Scenarios

Practise 350-701 ACL questions covering standard vs extended ACLs, top-down processing, implicit deny, inbound vs outbound placement, and troubleshooting traffic that is unexpectedly blocked or permitted.

15 scenario questions | Exam code: 350-701 | Vendor: Cisco

Scenario guide

How to approach access control list (ACL) scenarios

ACL questions test your ability to read, write, and place access lists correctly. They appear as configuration tasks, troubleshooting scenarios, and exhibit-based questions showing ACL output. This 350-701 set covers standard and extended ACLs for both IPv4 and IPv6, on IOS routers as well as on ASA and FTD firewalls, where the same ACL logic sits alongside NAT, inspection and VPN crypto maps.

Quick answer

ACL questions usually test top-down rule processing (first match wins, and anything unmatched hits the implicit deny at the end), source and destination matching with wildcard masks, protocol or port logic, and on which interface and in which direction the ACL should be applied.

Standard versus extended ACL behaviour.

Top-down processing and the implicit deny rule.

Source, destination, protocol and port matching.

Inbound versus outbound ACL placement.
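The rules listed above are what the scenarios hinge on, so here is an added worked example (constructed for this page; not Cisco code and not part of the question bank) that models them: a small evaluator for IOS-style extended ACL entries that processes entries top-down, stops at the first match, and falls through to the implicit deny. It is fed the ACL from the Question 5 exhibit plus a constructed two-line ACL in the spirit of Question 11. The client addresses, the server 10.20.0.10 and the packets are assumptions; only `host`, `any`, wildcard masks and the `eq` port operator are modelled (no `established`, `range` or `log`).

```python
"""Minimal evaluator for IOS-style extended ACLs: top-down, first match wins,
implicit deny at the end. Constructed example for illustration, not vendor code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the port keywords IOS accepts in place of numbers
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22, "telnet": 23}
# 'ip' matches every IP protocol, which is why a 'deny ip' also catches EIGRP (88)
PROTO_NUMS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "eigrp": 88}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP, 88 = EIGRP
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    action: str
    proto: Optional[int]        # None means 'ip' (any protocol)
    src: Tuple[int, int]        # (address, wildcard mask), both as 32-bit ints
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' (named or numeric). Other operators are not modelled."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0].isdigit():          # tolerate the sequence number 'show access-lists' prints
        t = t[1:]
    action, proto = t[0], PROTO_NUMS[t[1]]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(action, proto, src, sport, dst, dport, line.strip())


def _addr_match(ip: str, spec: Tuple[int, int]) -> bool:
    addr, wild = spec
    # wildcard bit 1 = don't care; compare only the bits where the wildcard is 0
    return (_ip(ip) & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    if not _addr_match(pkt.src, ace.src) or not _addr_match(pkt.dst, ace.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based ACE index); index None means the implicit deny fired."""
    for n, ace in enumerate((parse_ace(line) for line in acl), 1):
        if ace_matches(ace, pkt):
            return ace.action, n
    return "deny", None         # the implicit 'deny ip any any' that every ACL ends with


# ACL from the Question 5 exhibit, applied inbound on Gi0/0 (10.1.1.1/24)
INBOUND = ["deny ip 10.0.0.0 0.255.255.255 any", "permit ip any any"]

# Constructed ACL in the spirit of Question 11: only the server's required ports are permitted
SERVER_ONLY = ["permit tcp any host 10.20.0.10 eq https", "permit tcp any host 10.20.0.10 eq ssh"]


def demo() -> dict:
    return {
        # host on Gi0/0's own subnet is inside 10/8, so ACE 1 denies it
        "lan_to_wan": evaluate(INBOUND, Packet("10.1.1.5", "172.16.5.5", 6, 40000, 80)),
        # EIGRP hello from a 10.1.1.0/24 neighbour to 224.0.0.10 is also 'ip' from 10/8
        "eigrp_hello": evaluate(INBOUND, Packet("10.1.1.2", "224.0.0.10", 88)),
        "wan_to_lan": evaluate(INBOUND, Packet("192.0.2.9", "10.1.1.1", 1)),
        "https_to_server": evaluate(SERVER_ONLY, Packet("10.1.1.5", "10.20.0.10", 6, 51000, 443)),
        # no entry matches a ping to the server, so the implicit deny drops it
        "ping_to_server": evaluate(SERVER_ONLY, Packet("10.1.1.5", "10.20.0.10", 1)),
        # ordering matters: a deny placed above the permit shadows it for that subnet
        "shadowed": evaluate(["deny tcp 10.1.1.0 0.0.0.255 any eq https"] + SERVER_ONLY,
                             Packet("10.1.1.5", "10.20.0.10", 6, 51000, 443)),
    }


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:16s} -> {action} (ACE {idx if idx else 'implicit'})")
```

Running `demo()` shows the Question 5 ACL denying every packet sourced from Gi0/0's own 10.1.1.0/24 subnet, EIGRP hellos to 224.0.0.10 included, because `deny ip 10.0.0.0 0.255.255.255 any` matches any IP protocol. It also shows the server-only ACL dropping an ICMP echo that no entry permits, and a deny placed above a permit shadowing it for one subnet, which is the placement and ordering logic these scenarios probe.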


Practice scenarios

Question 1 (easy, multiple choice)

A network engineer is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration includes a crypto map with a matching access list. Which command should be used to verify the security associations and error counters for the IPsec phase?

Question 2 (hard, multiple choice)

A financial company has a data center with Cisco FTD firewalls in a high-availability pair. They use Cisco ISE for network access control and Cisco Stealthwatch for network visibility. Recently, they deployed a new web application that is accessed by both internal employees and external customers. The application uses HTTPS on port 443. After deployment, the security team notices that the FTD is dropping some HTTPS sessions that appear legitimate. The drops are inconsistent and seem to occur only during peak hours. The FTD logs show the drop reason as 'TCP state violation'. The team has verified that the web server and clients are configured correctly. The Stealthwatch reports show no anomalies. What is the most likely cause and solution?

Question 3 (hard, multi-select)

Which THREE of the following are features of Cisco Identity Services Engine (ISE) that can be used to enforce network access control?

Question 4 (medium, multiple choice)

Refer to the exhibit. An ASA is configured with the above access-list and NAT rule. A web server is reachable from the internet via the public IP 203.0.113.10. However, internal users from the inside network cannot access the web server using its public IP address. What is the most likely cause?

Exhibit

configure terminal
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE extended permit udp any host 203.0.113.10 eq domain
nat (inside,outside) source dynamic any interface

Question 5 (hard, multiple choice)

Refer to the exhibit. An engineer has configured the ACL on the GigabitEthernet0/0 interface. Which of the following is true about the effect of this ACL?

Exhibit

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group INBOUND in
!
ip access-list extended INBOUND
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
!
interface Serial0/0/0
 ip address 172.16.1.1 255.255.255.252
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.1.0 0.0.0.3

Question 6 (medium, multiple choice)

A company has a site-to-site VPN between two ASA firewalls using IKEv2. The tunnel was working but after an upgrade, it fails. The engineer verifies that the pre-shared keys match, IKE proposals are compatible, and the crypto ACL is correctly defined. What is the next likely cause to investigate?

Question 7 (medium, multiple choice)

A company has a Cisco ASA firewall configured with multiple access-lists applied to the outside interface. The security team is investigating reports that legitimate HTTPS traffic to a public web server located on a DMZ is intermittently being blocked. The firewall configuration includes an ACL that permits traffic to the web server's IP address on TCP 443, but also includes a general deny rule for all other traffic. The engineer notices that the permit rule is placed after a deny rule that blocks traffic from a specific source subnet that is used by internal users for testing. The internal users report that they can access the web server, but external users sometimes experience timeouts. What is the most likely cause of the intermittent blocking?

Question 8 (hard, multiple choice)

An engineer is troubleshooting traffic drops on a Cisco Firepower Threat Defense (FTD) device. The traffic is allowed by the access control policy but is being dropped. Which feature should the engineer check to identify the cause of the drop?

Question 9 (hard, multiple choice)

During a security audit, a penetration tester discovers that a Cisco ASA firewall is configured with a rule that permits traffic from the inside interface with a source IP address in the RFC 1918 range to the outside interface. The rule uses the 'inspect' command for HTTP and FTP. Which potential vulnerability does this configuration introduce?

Question 10 (medium, multiple choice)

A company uses Cisco ISE for network access control. They want to allow employee-owned devices to access the guest network after a simple registration, while corporate devices get full access. Which ISE configuration best achieves this?

Question 11 (easy, multiple choice)

After applying a new extended ACL inbound on an interface, users report they can no longer reach a critical server on a different subnet. The ACL permits the server's IP and required ports. What is the most likely cause?

Question 12 (medium, multiple choice)

A security analyst notices that a Cisco Firepower Threat Defense (FTD) device is not applying file policies to detect malware in HTTP traffic. The access control policy has an HTTPS decryption rule that decrypts traffic from external sources. The file policy is associated with the same rule. What is the missing configuration?

Question 13 (easy, multiple choice)

A network administrator is configuring Cisco ISE to enforce access control based on user authentication. The company requires that only users who authenticate via Active Directory are allowed access to the corporate wireless network. Which policy should be configured in ISE to accomplish this?

Question 14 (medium, drag and drop ordering)

Drag and drop the steps to configure a Cisco ISE as a RADIUS server for network access control into the correct order.

Question 15 (easy, multiple choice)

An engineer is troubleshooting a Cisco ASA firewall and notices that traffic from a specific subnet is being dropped. The engineer wants to verify if the drop is due to an access control list (ACL) or an inspection policy. Which command should be used to see the reason for packet drops?

These 350-701 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 350-701 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.