Back to Cisco CyberOps Associate 200-201 questions

Scenario-based practice

Access Control List (ACL) Scenarios

Practise 200-201 ACL questions covering standard vs extended ACLs, top-down processing, implicit deny, inbound vs outbound placement, and troubleshooting traffic that is unexpectedly blocked or permitted.

15
scenario questions
200-201
exam code
Cisco
vendor

Scenario guide

How to approach access control list (acl) scenarios

ACL questions test your ability to read, write, and place access lists correctly. They appear as configuration tasks, troubleshooting scenarios, and exhibit-based questions showing ACL output. The CCNA covers standard and extended ACLs for both IPv4 and IPv6.

Quick answer

ACL questions usually test top-down rule processing, source and destination matching, protocol or port logic, and where the ACL should be applied.

Standard versus extended ACL behaviour.

Top-down processing and the implicit deny rule.

Source, destination, protocol and port matching.

Inbound versus outbound ACL placement.

Related practice questions

Related 200-201 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1mediummultiple choice
Study the full ACL explanation →

An analyst reviews the ACL applied to the outside interface of a router. The analyst notices that traffic from 192.168.1.0/24 to 10.10.10.10 on port 443 is permitted, but all other traffic is denied and logged. Which of the following is a potential security issue with this ACL?

Exhibit

Refer to the exhibit.

! Output from show access-list 101
! Extended IP access list 101
!    10 permit tcp 192.168.1.0 0.0.0.255 host 10.10.10.10 eq 443
!    20 deny ip any any log
!
Question 2hardmultiple choice
Study the full ACL explanation →

Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?

Exhibit

Refer to the exhibit.
```
Router# show ip access-lists
Extended IP access list BLOCK_MALICIOUS
    10 deny tcp any host 203.0.113.5 eq 443
    20 permit ip any any (2623 matches)
```
Question 3mediummultiple choice
Study the full ACL explanation →

Refer to the exhibit. A security analyst reviews the ACL configuration applied outbound on the external interface. Which statement is true about traffic from the 192.168.1.0/24 network to the internet?

Exhibit

Refer to the exhibit.

Extended ACL 101:
10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
20 permit tcp 192.168.1.0 0.0.0.255 any eq 443
30 deny tcp any any eq 22
40 permit ip any any

Interface GigabitEthernet0/0:
 ip access-group 101 out
Question 4hardmultiple choice
Study the full ACL explanation →

Refer to the exhibit. A security analyst reviews this ACL on a firewall between a DMZ (10.0.1.0/24) and internal network (10.0.2.0/24). What is the effect of this ACL?

Exhibit

Refer to the exhibit.
```
! Access-list for DMZ to Inside
access-list DMZ_TO_INSIDE extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0 eq 3306
access-list DMZ_TO_INSIDE extended deny ip any any
```

An analyst is examining a syslog message from a Cisco ASA showing: %ASA-4-106023: Deny udp src outside:192.0.2.1/123 dst inside:10.0.0.5/123. Which type of traffic is being denied?

Question 6mediummultiple choice
Review the full routing breakdown →

Refer to the exhibit. What traffic is the router permitting?

Exhibit

access-list 100 permit tcp any any eq 22
access-list 100 deny ip any any
Question 7mediummultiple choice
Full question →

Based on the exhibit, which traffic is permitted?

Exhibit

Refer to the exhibit.
access-list INTERNET extended permit tcp any host 198.51.100.10 eq 443
access-list INTERNET extended deny ip any any
Question 8mediummultiple choice
Study the full ACL explanation →

Refer to the exhibit. An analyst observes that the router's ACL is allowing all traffic to the web server at 192.168.1.100 on ports 80 and 443, but blocking all other TCP ports below 1024. However, the web server is also running an SSH service on port 22. What will happen to SSH traffic from the outside?

Exhibit

access-list 100 permit tcp any host 192.168.1.100 eq www
access-list 100 permit tcp any host 192.168.1.100 eq 443
access-list 100 deny tcp any host 192.168.1.100 range 1 1023
access-list 100 permit ip any any
Question 9easymultiple choice
Full question →

Refer to the exhibit. A security policy states that all remote desktop (RDP) and Telnet access from external networks must be blocked. Does the above access-list comply with the policy?

Exhibit

Refer to the exhibit.
ip access-list extended BLOCK_CRITICAL
 deny tcp any any eq 3389
 deny tcp any any eq 23
 permit ip any any
Question 10easymultiple choice
Study the full ACL explanation →

Refer to the exhibit. A network administrator applies this ACL to the WAN interface. What is the effect on BitTorrent traffic (which typically uses ports 6881-6889)?

Exhibit

Refer to the exhibit.

```
interface GigabitEthernet0/0
 ip access-group BLOCK_P2P in
!
ip access-list extended BLOCK_P2P
 deny tcp any any eq 6881 6889
 deny udp any any range 6881 6889
 permit ip any any
```
Question 11hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. A Cisco router is configured with the shown access list applied inbound on the external interface. An external attacker sends a packet with source IP 10.0.0.1, destination IP 192.168.1.100, destination port 22. What will the router do?

Exhibit

Refer to the exhibit.
```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group INBOUND in
!
access-list INBOUND deny tcp any host 192.168.1.100 eq 22
access-list INBOUND permit ip any any
```
Question 12easymultiple choice
Study the full ACL explanation →

Refer to the exhibit. A security analyst views these log entries from a Cisco router. What conclusion can be drawn about ACL 101?

Exhibit

%SEC-6-IPACCESSLOGS: list 101 denied tcp 192.0.2.5(12345) -> 10.1.1.100(23), 1 packet
%SEC-6-IPACCESSLOGS: list 101 permitted tcp 192.0.2.5(12345) -> 10.1.1.100(80), 1 packet
Question 13hardmulti select
Full question →

According to the principles of least privilege, which THREE of the following access controls should be implemented for a typical user account? (Choose three.)

Question 14hardmultiple choice
Full question →

During a merger, two companies have different security policies. Company A uses a discretionary access control (DAC) model, while Company B uses a mandatory access control (MAC) model. The merged entity must adopt a single policy. Which approach is most likely to be adopted and why?

Question 15hardmultiple choice
Study the full ACL explanation →

Refer to the exhibit. A network administrator applied this ACL inbound on the external interface of a firewall. An attacker sends a TCP SYN packet with source IP 192.0.2.1 to destination 10.1.1.100 port 80. Which statement accurately describes the packet's treatment?

Exhibit

access-list 101 permit tcp any host 10.1.1.100 eq 80
access-list 101 permit tcp any host 10.1.1.100 eq 443
access-list 101 deny ip any any
interface GigabitEthernet0/0
 ip access-group 101 in

These 200-201 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 200-201 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.