Chapter 9: Implementing the Cisco Adaptive Security Appliance
Question: A network administrator has configured NAT on an ASA device. What type of NAT is used?
Options:
    inside NAT
    static NAT
    outside NAT
    bidirectional NAT
Answer: inside NAT

Question: A network administrator is configuring an object group on an ASA device. Which configuration keyword should be used after the object group name SERVICE1?
Options:
    ip
    tcp
    udp
    icmp
Answer: tcp

Question: A network administrator is configuring the security level for the ASA. What is a best practice for assigning the security level on the three interfaces?
Options:
    Outside 0, Inside 35, DMZ 90
    Outside 40, Inside 100, DMZ 0
    Outside 0, Inside 100, DMZ 50
    Outside 100, Inside 10, DMZ 40
Answer: Outside 40, Inside 100, DMZ 50

Question: A network administrator is configuring the security level for the ASA. Which statement describes the default result if the administrator tries to assign the Inside interface the same security level as the DMZ interface?
Options:
    The ASA console will display an error message.
    The ASA will not allow traffic in either direction between the Inside interface and the DMZ.
    The ASA allows inbound traffic initiated on the Internet to the DMZ, but not to the Inside interface.
    The ASA allows traffic from the Inside to the DMZ, but blocks traffic initiated on the DMZ to the Inside interface.
Answer: The ASA will not allow traffic in either direction between the Inside interface and the DMZ.

Question: A network administrator is working on the implementation of the Cisco Modular Policy Framework on an ASA device. The administrator issues a clear service-policy command. What is the effect after this command is entered?
Options:
    All service policies are removed.
    All class map configurations are removed.
    All policy map configurations are removed.
    All service policy statistics data are removed.
Answer: All service policy statistics data are removed.

Question: A network analyst needs to reset an ASA 5506-X device to its default as-shipped state after the next reboot. What is the minimum length of time the RESET pin should be pressed for the reset to take effect?
Options:
    3 seconds
    5 seconds
    10 seconds
    15 seconds
Answer: 3 seconds

Question: According to the command output, which three statements are true about the DHCP options entered on the ASA 5505? (Choose three.)
Options:
    The dhcpd auto-config outside command was issued to enable the DHCP client.
    The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP client.
    The dhcpd enable inside command was issued to enable the DHCP client.
    The dhcpd auto-config outside command was issued to enable the DHCP server.
    The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server.
    The dhcpd enable inside command was issued to enable the DHCP server.
Answer:
    The dhcpd auto-config outside command was issued to enable the DHCP client.
    The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server.
    The dhcpd enable inside command was issued to enable the D

Question: According to the command output, which three statements are true about the DHCP options entered on the ASA 5505? (Choose three.)
Options:
    The dhcpd auto-config outside command was issued to enable the DHCP client.
    The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP client.
    The dhcpd enable inside command was issued to enable the DHCP client.
    The dhcpd auto-config outside command was issued to enable the DHCP server.
    The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server.
    The dhcpd enable inside command was issued to enable the DHCP server.
Answer: The dhcpd enable inside command was issued to enable the DHCP client.

Question: An administrator creates three zones (A, B, and C) in an ASA that filters traffic. Traffic originating from Zone A going to Zone C is denied, and traffic originating from Zone B going to Zone C is denied. What is a possible scenario for Zones A, B, and C?
Options:
    A - DMZ, B - Inside, C - Outside
    A - Inside, B - DMZ, C - Outside
    A - DMZ, B - Outside, C - Inside
    A - Outside, B - Inside, C - DMZ
Answer: A - DMZ, B - Outside, C - Inside

Question: An administrator has configured an ASA 5505 as indicated but is still unable to ping the inside interface from an inside host. What is the cause of this problem?
Options:
    An IP address should be configured on the Ethernet 0/0 and 0/1 interfaces.
    The no shutdown command should be entered on interface Ethernet 0/1.
    The security level of the inside interface should be 0 and the outside interface should be 100.
    VLAN 1 should be assigned to interface Ethernet 0/0 and VLAN 2 to Ethernet 0/1.
    VLAN 1 should be the outside interface and VLAN 2 should be the inside interface.
Answer: The no shutdown command should be entered on interface Ethernet 0/1.

Question: Based on the security levels of the interfaces on ASA1, what traffic will be allowed on the interfaces?
Options:
    Traffic from the Internet and DMZ can access the LAN.
    Traffic from the LAN and DMZ can access the Internet.
    Traffic from the Internet and LAN can access the DMZ.
    Traffic from the Internet can access both the DMZ and the LAN.
Answer: Traffic from the LAN and DMZ can access the Internet.

Question: Two VLAN interfaces were configured on an ASA 5505 with a Base license. The administrator wants to configure a third VLAN interface with limited functionality. Which action should be taken by the administrator to configure the third interface?
Options:
    The administrator needs to acquire the Security Plus license, because the Base license does not support the proposed action.
    The administrator configures the third VLAN interface the same way the other two were configured, because the Base license supports the proposed action.
    The administrator must enter the no forward interface vlan command before the nameif command on the third interface.
    Because the ASA 5505 does not support the configuration of a third interface, the administrator cannot configure the third VLAN.
Answer: The administrator must enter the no forward interface vlan command before the nameif command on the third interface.

Question: What are three characteristics of the ASA routed mode? (Choose three.)
Options:
    This mode does not support VPNs, QoS, or DHCP Relay.
    The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets.
    It is the traditional firewall deployment mode.
    NAT can be implemented between connected networks.
    This mode is referred to as a "bump in the wire."
    In this mode, the ASA is invisible to an attacker.
Answer:
    The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets.
    It is the traditional firewall deployment mode.
    NAT can be implemented between connected networks.

Question: What are two differences between an ASA 5505 and an ASA 5506-X with FirePOWER device? (Choose two.)
Options:
    SSL VPN support
    security level settings
    remote access VPN functions
    default DRAM memory in the device
    type of Ethernet ports in the backplane
Answer:
    default DRAM memory in the device
    type of Ethernet ports in the backplane

Question: What are two factory default configurations on an ASA 5505? (Choose two.)
Options:
    The internal web server is disabled.
    VLAN 1 is assigned a security level of 100.
    VLAN 2 is configured with the name inside.
    PAT is configured to allow internal hosts to access remote networks through an Ethernet interface.
    DHCP service is enabled for internal hosts to obtain an IP address and a default gateway from the upstream device.
Answer:
    The internal web server is disabled.
    VLAN 2 is configured with the name inside.

Question: What command defines a DHCP pool that uses the maximum number of DHCP client addresses available on an ASA 5505 that is using the Base license?
Options:
    CCNAS-ASA(config)# dhcpd address 192.168.1.20-192.168.1.50 inside
    CCNAS-ASA(config)# dhcpd address 192.168.1.25-192.168.1.56 inside
    CCNAS-ASA(config)# dhcpd address 192.168.1.30-192.168.1.79 inside
    CCNAS-ASA(config)# dhcpd address 192.168.1.10-192.168.1.100 inside
Answer: CCNAS-ASA(config)# dhcpd address 192.168.1.25-192.168.1.56 inside

Question: What function is performed by the class maps configuration object in the Cisco Modular Policy Framework?
Options:
    restricting traffic through an interface
    applying a policy to an interface
    applying a policy to interesting traffic
    identifying interesting traffic
Answer: identifying interesting traffic

Question: What is a characteristic of ASA security levels?
Options:
    The lower the security level on an interface, the more trusted the interface.
    Each operational interface must have a name and be assigned a security level from 0 to 200.
    Inbound traffic is identified as the traffic moving from an interface with a higher security level to an interface with a lower security level.
    An ACL needs to be configured to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level.
Answer: An ACL needs to be configured to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level.

Question: What is a difference between ASA IPv4 ACLs and IOS IPv4 ACLs?
Options:
    ASA ACLs do not have an implicit deny any at the end, whereas IOS ACLs do.
    ASA ACLs are always named, whereas IOS ACLs are always numbered.
    ASA ACLs use forward and drop ACEs, whereas IOS ACLs use permit and deny ACEs.
    ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask.
    Multiple ASA ACLs can be applied on an interface in the ingress direction, whereas only one IOS ACL can be applied.
Answer: ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask.

Question: What is needed to allow specific traffic that is sourced on the outside network of an ASA firewall to reach an internal network?
Options:
    NAT
    ACL
    dynamic routing protocols
    outside security zone level 0
Answer: ACL

Question: What is one of the drawbacks to using transparent mode operation on an ASA device?
Options:
    no support for IP addressing
    no support for using an ASA as a Layer 2 switch
    no support for management
    no support for QoS
Answer: no support for QoS

Question: What is the purpose of the webtype ACLs in an ASA?
Options:
    to restrict traffic that is destined to an ASDM
    to filter traffic for clientless SSL VPN users
    to inspect outbound traffic headed towards certain web sites
    to monitor return traffic that is in response to web server requests that are initiated from the inside interface
Answer: to filter traffic for clientless SSL VPN users

Question: What must be configured on a Cisco ASA device to support local authentication?
Options:
    AAA
    RSA keys
    SSHv2 encrypted passwords
    the IP address of the RADIUS or TACACS+ server
Answer: AAA

Question: When dynamic NAT on an ASA is being configured, what two parameters must be specified by network objects? (Choose two.)
Options:
    the inside NAT interface
    the interface security level
    a range of private addresses that will be translated
    the outside NAT interface
    the pool of public global addresses
Answer:
    a range of private addresses that will be translated
    the pool of public global addresses

Question: Which statement describes a difference between the Cisco ASA IOS CLI feature and the router IOS CLI feature?
Options:
    To indicate the CLI EXEC mode, ASA uses the % symbol whereas a router uses the # symbol.
    To complete a partially typed command, ASA uses the Ctrl+Tab key combination whereas a router uses the Tab key.
    ASA uses the ? command whereas a router uses the help command to receive help on a brief description and the syntax of a command.
    To use a show command in a general configuration mode, ASA can use the command directly whereas a router will need to enter the do command before issuing the show command.
Answer: To use a show command in a general configuration mode, ASA can use the command directly whereas a router will need to enter the do command before issuing the show command.

Question: Which statement describes a feature of AAA in an ASA device?
Options:
    Accounting can be used alone.
    Authorization is enabled by default.
    Both authorization and accounting require a user to be authenticated first.
    If authorization is disabled, all authenticated users will have very limited access to the commands.
Answer: Accounting can be used alone.

Question: Which two statements are true about ASA standard ACLs? (Choose two.)
Options:
    They are applied to interfaces to control traffic.
    They identify only the destination IP address.
    They are the most common type of ACL.
    They specify both the source and destination MAC address.
    They are typically only used for OSPF routes.
Answer:
    They identify only the destination IP address.
    They are typically only used for OSPF routes.

Question: Which type of NAT would be used on an ASA where 10.0.1.0/24 inside addresses are to be translated only if traffic from these addresses is destined for the 198.133.219.0/24 network?
Options:
    dynamic NAT
    dynamic PAT
    policy NAT
    static NAT
Answer: dynamic PAT