Outside 0, Inside 100, DMZ 50
Refer to the exhibit. A network administrator is configuring the security level for the ASA. What is a best practice for assigning the security level on the three interfaces?
The ASA will not allow traffic in either direction between the Inside interface and the DMZ
Refer to the exhibit. A network administrator is configuring the security level for the ASA. Which statement describes the default result if the administrator tries to assign the Inside interface with the same security level as the DMZ interface?
ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask
What is a difference between ASA IPv4 ACLs and IOS IPv4 ACLs?
no support for QoS
What is one of the drawbacks to using transparent mode operation on an ASA device?
CCNAS-ASA(config)# dhcpd address 192.168.1.25-192.168.1.56 inside
What command defines a DHCP pool that uses the maximum number of DHCP client addresses available on an ASA 5505 that is using the Base license?
A – DMZ, B – Outside, C – Inside
Refer to the exhibit. An administrator creates three zones (A, B, and C) in an ASA that filters traffic. Traffic originating from Zone A going to Zone C is denied, and traffic originating from Zone B going to Zone C is denied. What is a possible scenario for Zones A, B, and C?
- They are typically only used for OSPF routes
- They identify only the destination IP address
Which two statements are true about ASA standard ACLs? (Choose two.)
An ACL needs to be configured to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level
What is a characteristic of ASA security levels?
AAA
What must be configured on a Cisco ASA device to support local authentication?
To use a show command in a general configuration mode, ASA can use the command directly whereas a router will need to enter the do command before issuing the show command
Which statement describes a difference between the Cisco ASA IOS CLI feature and the router IOS CLI feature?
- PAT is configured to allow internal hosts to access remote networks through an Ethernet interface
- VLAN 1 is assigned a security level of 100
What are two factory default configurations on an ASA 5505? (Choose two.)
The administrator must enter the no forward interface vlan command before the nameif command on the third interface
Refer to the exhibit. Two types of VLAN interfaces were configured on an ASA 5505 with a Base license. The administrator wants to configure a third VLAN interface with limited functionality. Which action should be taken by the administrator to configure the third interface?
to filter traffic for clientless SSL VPN users
What is the purpose of the webtype ACLs in an ASA?
inside NAT
Refer to the exhibit. A network administrator has configured NAT on an ASA device. What type of NAT is used?
tcp
Refer to the exhibit. A network administrator is configuring an object group on an ASA device. Which configuration keyword should be used after the object group name SERVICE1?
- a range of private addresses that will be translated
- the pool of public global addresses
When dynamic NAT on an ASA is being configured, what two parameters must be specified by network objects? (Choose two.)
identifying interesting traffic
What function is performed by the class maps configuration object in the Cisco modular policy framework?
Traffic from the LAN and DMZ can access the Internet
Refer to the exhibit. Based on the security levels of the interfaces on ASA1, what traffic will be allowed on the interfaces?
- The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets
- It is the traditional firewall deployment mode
- NAT can be implemented between connected networks
What are three characteristics of the ASA routed mode? (Choose three.)
The no shutdown command should be entered on interface Ethernet 0/1
Refer to the exhibit. An administrator has configured an ASA 5505 as indicated but is still unable to ping the inside interface from an inside host. What is the cause of this problem?
- The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server
- The dhcpd auto-config outside command was issued to enable the DHCP client
- The dhcpd enable inside command was issued to enable the DHCP server
Refer to the exhibit. According to the command output, which three statements are true about the DHCP options entered on the ASA 5505? (Choose three.)
range 192.168.1.10 192.168.1.20
Refer to the exhibit. What will be displayed in the output of the show running-config object command after the exhibited configuration commands are entered on an ASA 5505?
policy NAT
Which type of NAT would be used on an ASA where 10.0.1.0/24 inside addresses are to be translated only if traffic from these addresses is destined for the 198.133.219.0/24 network?
Accounting can be used alone
Which statement describes a feature of AAA in an ASA device?
All service policy statistics data are removed
A network administrator is working on the implementation of the Cisco Modular Policy Framework on an ASA device. The administrator issues a clear service-policy command. What is the effect after this command is entered?
ACL
What is needed to allow specific traffic that is sourced on the outside network of an ASA firewall to reach an internal network?