312-50V13 Question #349: Real Exam Question with Answer & Explanation
The correct answer is B: The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router. The initial Access Control List (ACL) rule access-list 102 deny tcp any any globally denies all TCP traffic, causing all subsequent TCP permit rules for FTP and web access to be ignored.
Question
The security administrator of ABC needs to permit Internet traffic for the host 10.0.0.2 and UDP traffic for the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration on the router, nobody can access FTP, and the permitted hosts cannot access the Internet. According to the following configuration, what is happening in the network?

    access-list 102 deny tcp any any
    access-list 104 permit udp host 10.0.0.3 any
    access-list 110 permit tcp host 10.0.0.2 eq www any
    access-list 108 permit tcp any eq ftp any
Options
- A. The ACL 104 needs to be first because it is UDP
- B. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
- C. The ACL for FTP must be before the ACL 110
- D. The ACL 110 needs to be changed to port 80
Explanation
The initial Access Control List (ACL) rule access-list 102 deny tcp any any globally denies all TCP traffic, causing all subsequent TCP permit rules for FTP and web access to be ignored.
Common mistakes.
- A. The order of ACL entries primarily matters when specific rules could be overshadowed by more general rules later on; however, a broad deny tcp any any at the very beginning blocks all TCP traffic regardless of any subsequent permit rules for that protocol. UDP is a separate protocol and is matched only by its own entries, so moving the UDP entry first changes nothing for TCP.
- C. While the order of specific permit rules can be important for granular control, the overarching problem here is the initial blanket denial of all TCP traffic, which makes the relative order of the later TCP permit rules irrelevant.
- D. Changing eq www to eq 80 would not resolve the issue because 'www' is the well-known port alias for port 80, making the two forms functionally equivalent; the primary problem remains the initial deny tcp any any rule blocking all TCP traffic.
Concept tested. Cisco ACL processing order and implicit deny
Reference. https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
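The following is an added example, not part of the exam page or Cisco's own code: a minimal first-match evaluator for the question's four entries, treated as one sequential list with an implicit deny at the end, which is the processing model the explanation relies on. The Packet fields, the simplified entry grammar (only host/any addresses and eq ports) and the DENY_LAST reordering used for contrast are assumptions for illustration.

```python
# Added example: first-match evaluation of the question's ACL entries.
from dataclasses import dataclass

# The entries exactly as the question lists them, in the order shown.
ACL_AS_CONFIGURED = [
    "access-list 102 deny tcp any any",
    "access-list 104 permit udp host 10.0.0.3 any",
    "access-list 110 permit tcp host 10.0.0.2 eq www any",
    "access-list 108 permit tcp any eq ftp any",
]
# Same entries with the blanket deny moved last (assumed contrast case).
DENY_LAST = ACL_AS_CONFIGURED[1:] + ACL_AS_CONFIGURED[:1]
PORT_ALIASES = {"www": 80, "ftp": 21}  # well-known names IOS accepts

@dataclass
class Packet:                # assumed minimal packet model
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_entry(line):
    """Parse 'access-list N action proto <src> [eq P] <dst> [eq P]'."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    def take_addr():         # 'any' -> None (wildcard), 'host X' -> X
        if rest[0] == "any":
            del rest[0]; return None
        host = rest[1]; del rest[:2]; return host
    def take_port():         # optional 'eq <name|number>'
        if rest and rest[0] == "eq":
            p = rest[1]; del rest[:2]
            return PORT_ALIASES.get(p, int(p) if p.isdigit() else p)
        return None
    src = take_addr(); sport = take_port()
    dst = take_addr(); dport = take_port()
    return action, proto, src, sport, dst, dport

def evaluate(acl, pkt):
    """Return the action of the first matching entry, else the implicit deny."""
    for line in acl:
        action, proto, src, sport, dst, dport = parse_entry(line)
        if proto != pkt.proto: continue
        if src is not None and src != pkt.src: continue
        if sport is not None and sport != pkt.sport: continue
        if dst is not None and dst != pkt.dst: continue
        if dport is not None and dport != pkt.dport: continue
        return action            # first match wins; later entries are never read
    return "deny (implicit)"     # nothing matched: Cisco's implicit deny
```

As configured, every TCP packet returns "deny" from entry 102 before entries 110 and 108 are ever consulted; with the deny moved last, the web and FTP permits match and only unlisted TCP traffic is dropped.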