ASA Midterm Review
What command disables pinging to an interface on the ASA firewall itself? (2) Note: * Pinging an ASA interface from a host on that interface is allowed by default.
icmp deny
Information security deals principally with _ _
risk management
What can standard ACLs be used for?
route update filters, VPN split-tunneling definitions
Same-security access allows traffic between same security interfaces to be permitted without any requirement for access lists. What command can be used to enable this ability?
same-security-traffic permit inter-interface
What command can you use to permit hairpin traffic?
same-security-traffic permit intra-interface
How can you view the startup configuration in flash? Note: * Startup config is stored in the 2nd partition along with the crash dump file
show startup-config
Auto NAT allows only how many NAT rules per network object?
1
For TCP, a connection will be removed from the state table if it is idle for more than _ hour by default.
1
How many maximum ACLs can you apply to a firewall interface in a specific direction?
1
When a client connects to a server via telnet, FTP, and HTTP simultaneously, the translation table would create _ translation slot(s) and _ connection slot(s)
1, 3
Two ways in which to launch ASDM:
1. Local appliance (use asdm-launcher.msi)
2. Java Web Start application
The NAT policy output consists of what 3 things?
1. MATCH CLAUSE for the traffic that should be matched
2. ACTION to be taken after a match (type of translation)
3. COUNTERS, which include translate_hits and untranslate_hits
If there is no ACL, outbound traffic is ____ by default
permitted
Static PAT is also called what? (2)
port redirection
In 8.3 and above, the ACL must always reference the _ destination address.
real
(true/false) ACLs are not used to inspect a connection's state
true
(true/false) By default, a Cisco Security Appliance drops all traffic originating from a lower security boundary destined for a higher security boundary.
true
(true/false) If you define any explicit rules within a global ACL, all implicit interface ACLs (permit high to low) are removed.
true
(true/false) In ASA 8.3 and above, NAT Control is no longer a supported option.
true
(true/false) The ASA firewall permits only a single reply to an ICMP request.
true
(true/false) There is an implicit permit rule for outbound ICMP connections however the expected echo reply is dropped by the implicit deny for inbound connections.
true
For connectionless protocols such as ICMP, the ASA establishes _ sessions.
unidirectional
ASA provides a stateful process for which two types of traffic by default?
TCP, UDP
3 ways that an image can be transferred to the firewall.
TFTP, HTTP, AUS
(true/false) You can nest object groups of different types (network object and a service object group)
false
(true/false) You cannot configure multiple interfaces with the same level of security.
false
The ASA family of products is what type of firewall?
hybrid
What criteria can be matched to remove a TCP connection from the state table? (4 different things)
- FIN and FIN/ACK in TCP header control field
- RST in TCP header control field (from client > server)
- Connection is idle for more than 1 hr
- Connection is removed with the clear xlate command
The NAT ID can be in the range of _ to _ billion.
0,2
Translation operations are evaluated in which order?
1. Static NAT
2. Static PAT
3. Identity NAT
4. Dynamic NAT
5. Dynamic PAT
What's the maximum throughput for stateful inspection with ASA 5505? (2)
150 mbps
ASA factory default configuration: What IP address is assigned by default for VLAN 1?
192.168.1.1
ASA factory default configuration: Which VLAN belongs to the outside and includes the E0/0 interface? Note: This VLAN derives its IP address using DHCP
2
For a UDP connection to be removed, it needs to be idle for more than _ minutes by default.
2
For an ICMP connection to be removed, it needs to be idle for more than _ seconds by default.
2
How many network objects are required to configure dynamic NAT?
2
If NAT is used, the ICMP connection is open for how many seconds after the ICMP reply?
2
Which Unified NAT section is used for translation rules that could conflict with the entries in the other sections? Note: * These entries are generally less specific * Used only if a packet does not match any translation rules from the other sections
3
A packet filter firewall works at which layer(s)?
3, 4
ASA interface command naming scheme
5505: ethernet0/(number)
5510: ethernet(slot)/(number)
* Slot 0 = four fixed interfaces on the chassis
* Slot 1 = optional SSM card
* e0/0 = RIGHTMOST data interface on the chassis
5520: gigabitethernet0/0
PAT can handle a theoretical maximum of how many connections?
64000
What additional configuration does static NAT require? (long sentence)
ACL to permit traffic in the inbound direction
Once the enterprise's assets and their corresponding threats have been identified, risk management can take the form of what 4 things?
Acceptance, Mitigation, Transference, Avoidance
Typically what two conditions are required for a connection between firewall interfaces?
Address translation policy, ACL
The following describes what type of firewall?
* Intercepts users' communications
* Acts on behalf of the user
* Can perform stateful packet inspection + layer 7 inspection
* Reassembles UDP + TCP sessions & can perform Deep Packet Inspection
* Memory and CPU-intensive
Application
The following describes what type of firewall?
* Devices that operate as intermediary agents on behalf of clients in the internal network
* Clients send connection requests to this firewall and the firewall sends the request on behalf of the client
Application Proxy
What are the two major kinds of NAT in ASA 8.3?
_ _
* Done inside the object
* Only the source is used as match criteria
* Does not take into consideration the destination of the traffic
* Referred to as OBJECT NAT
_ _
* Can be used to configure a single NAT rule that can translate both source + dest addresses in a packet
* Known as TWICE NAT (NAT can be performed once on source and once on dest IP)
* Typically used when configuring remote-access IPsec/SSL VPNs
Auto NAT, Manual NAT
What is used in ASA for authenticating telnet, HTTP, and FTP connections? (2)
Cut-through Proxy
What two things are used to establish authenticity and non-repudiation of a document/message?
Digital signatures, encryption
How do you define an enhanced service object? (long sentence) Hint: * object-group service (NAME)
Do not specify the protocol type (tcp,udp) after "object-group service (NAME)"
What type of NAT meets the following criteria: (2) * Used mostly for end-user outbound connections (unidirectional) * Inside end user receives an address from a pool of available addresses
Dynamic NAT
What is the greatest motive for attacks? (1)
Financial
On ASDM, what section provides security-related information about traffic that passes through the ASA? (2)
Firewall Dashboard
What type of file images can be stored in the ASA flash?
Firewall OS, Firewall management application, Firewall configuration
If the NAT ID is 0, what special type of NAT is this? (2) Hint: * This allows you to bypass the NAT requirement * Might be necessary for an application that does not support NAT
Identity NAT
What type of NAT uses the same inside address as the outside address? (2)
Identity NAT
What type of group in ASA is used in Identity-based firewalling for filtering traffic based on user identity and its group membership within Active Directory? (3)
Local User Group
What are the three sections of the Unified NAT table? (in order)
Manual NAT, Auto NAT, Manual NAT
For a network intrusion to occur, what 3 things must exist?
Motive, Means, Opportunity
What are the 4 main types of objects?
___ Used to group client hosts, server hosts, or subnets
___ Used to group protocols; can contain keywords such as icmp, ip, tcp, udp
___ Used to group ICMP message types to which you permit or deny access
___ Used to group TCP, UDP, or TCP-UDP port names/numbers assigned to a different service
Network, Protocol, ICMP-type, Service
What term refers to the ability to ensure that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message? (2)
Non repudiation
The following describes what type of firewall?
* Traffic is examined based solely on values found in the packet's header
* Rules based on source/dest addresses or ports, protocol type, etc.
* Resides at layer 3 & 4
* Forward/block decisions are made on each packet independently
* Stateless
* Statically configured rules/ACLs
Packet Filter
Cisco ASA uses two flash partitions. Where are OS images, ASDM images, config files, logging files, and arbitrary files stored?
Partition 1 (flash:/)
What type of NAT translates internal addresses only if they are going to a particular destination? (2)
Policy NAT
On the ASA CLI, you can interrupt the output of a show command by using which letter? Note: * This is unlike IOS where you use Ctrl+C
Q
What is used in ASA to secure TCP connections? (3)
Secure Number Randomization
What type of group is used in TrustSec for filtering traffic based on information that is downloaded from an external identity repository such as Cisco ISE? (2)
Security Group
The level of security in any system can be defined by the strength of which three components?
Security, Functionality, Usability
What term is given to an attack that exploits the default scripts/code that comes with an OS/Application? (2)
Shrink Wrap
What are two possible solutions to the issue of having an outside DNS server servicing requests from internal clients through the ASA?
Split DNS, DNS Rewrite/A-record translation
In ASA 8.3, what concept is introduced which allows translation policies to be inserted in any order? (3) Notes: * NAT rules are placed in a NAT table, which has three sections * First rule that matches the packet being analyzed is always applied
Unified NAT Table
Before you can use ASDM, what information do you need to enter/configure? (select all that apply)
a. Time
b. Inside IP address
c. SSH
d. http server enable
e. http (IP addr of authorized hosts)
f. Hostname & domain name
a,b,d,e,f
Which command is used to bind an access list to an interface?
access-group
What command would you use if you wanted to apply a global ACL named "GLOBAL1" for the ASA?
access-group GLOBAL global
If you need to place a manual NAT rule after Auto NAT, what keyword should you specify when configuring a manual NAT rule?
after-auto
What command do you use to specify the ASDM image to use when booting? (2)
asdm image
For static NAT (permanent address assignments), the connection is _
bidirectional
What command should you use to specify which startup-config file/system image the system should use at the next reload? (1)
boot
Using a cloud hosting service for the purposes of insurance/using outside expertise is an example of what type of risk management? a. Acceptance b. Mitigation c. Transference d. Avoidance
c
What command would you use to delete ACLs?
clear config access-list
If you want to clear the entire running configuration on an ASA, what command would you type? (3)
clear configure all
If you wanted to clear all commands related to connectivity on the ASA, what command would you type (3)
clear configure primary
If you wanted to clear all commands not related to ASA connectivity, what would you enter? (3)
clear configure secondary
What command can be used to remove connections from the state table? (2)
clear xlate
Whenever you change a global pool, what command should you use to activate it correctly? (2)
clear xlate
What command can you issue on the ASA to load the default configuration back into the security appliance? Note: * This loads the configuration with the DHCP server and the management addresses preconfigured
configure factory-default
A Stateful Packet Filtering firewall maintains state information in a state table, referred to as a _ _. Note: * The stateful packet inspection tracks source & dest ports & addresses, TCP seq numbers, flags
connection table
By default on an ASA, no packets can traverse the security appliance without which two things?
connection, state
What type of firewalls provide granular control of applications, comprehensive user identification, and location-based control? (2)
context aware
What details a set of actions that will be taken after the risk is realized and will lessen the impact of the compromise or loss of the asset? (2) Note: * This is what you would create if you accept a risk
contingency plan
When a Cisco ASA successfully authenticates a user, the firewall keeps the credentials cached so that additional connections can be quickly approved. The firewall acts as a ____authentication proxy so that no further authentication is needed.
cut-through
To enable DNS doctoring or DNS rewrite, what parameter must you add to a NAT static configuration? Note: * DNS inspection must be enabled to support this functionality (check using show run policy-map)
dns
On the ASA, if you wanted to set the enable password to Cisco123, what would you type? Note: * Passwords that you enter will ALWAYS be encrypted afterwards (no service password-encryption needed)
enable password Cisco123
What type of service group can contain a mix of protocols? (2)
enhanced service
Interface access rules are the most commonly used access control mechanism and permit or deny the ___ of connections through the ASA.
establishment
A security policy should be conceived at which level? Note: * A security policy should always take into account the vision, mission, and objectives of the organization
executive
Only which type of ACL can be used for applying to interfaces? (1)
extended
(true/false) The security appliance processes ACLs after address translation is performed.
false
(true/false) An ACL must be configured to allow returning traffic for established connections
false
(true/false) An ASDM image is loaded into flash. The ASA requires a reload.
false
(true/false) By default, ICMP is treated statefully on ASA
false
(true/false) By default, all ICMP packets through the ASA are permitted.
false
(true/false) If an interface ACL permits the initial outgoing packets on that interface you also need to make an ACL to permit return traffic.
false
(true/false) In the ASA, all packets in the same flow that match the connection are constantly checked against the ACL.
false
(true/false) On the ASA, you must use the "do" command in configuration mode
false
(true/false) There is a default username and password for ASDM.
false
(true/false) There is a greater risk of an attack from the inside than from the outside.
false
ASDM runs on an image stored on the ____ which is made available through an embedded Web server.
firewall
Where does the ASA OS originally reside? Hint: * The ASA will search for and run the first valid image file it can find from here
flash
Fill in the two types of proxies:
_ proxy
* Internet-facing proxy used to retrieve from a wide range of sources
_ proxy
* Internet-facing proxy used to control and protect access to a server on the private network (like an edge server)
* Commonly also performs load balancing, authentication, decryption, caching
forward, reverse
Unlike Auto NAT which is configured inside an object, Manual NAT is configured directly in the _ configuration mode.
global
What was introduced in ASA 8.3 which allows inbound traffic (only) to be inspected coming in from ANY interface. (2) Note: * Interface ACLs take precedence
global ACL
By default, where does the ASA store its startup configuration in flash? (2)
hidden partition
An outbound packet arrives at a security appliance on a _ security level interface.
higher
By default, a Cisco Security Appliance allows traffic to flow from a _ security boundary/domain to a _ security boundary/domain. Note: * It uses security levels 0-100
higher, lower
To disable an extended access control entry, what keyword should be added at the end of the line?
inactive
You can deactivate a manual NAT statement by adding what keyword at the end of the statement?
inactive
A common strategy used with Cisco ASAs is to apply only ___ access rules to the various ASA interfaces. Note: * This simplifies configuration by using a consistent approach
inbound
Static NAT is used mostly for _ server connections.
inbound
Static NAT is used mostly for ____ server connections.
inbound
You are able to enable stateful processing of ICMP. What command can be used to achieve this? (2)
inspect icmp
What is created for any host that forwards traffic to or through the security appliance? (2)
local host
Fill in the blank:
_ (inside) 1 10.0.1.0 255.255.255.0
* Used to allow a group of hosts to be translated
* A mask is not required; however, if it is not there then it will be treated as a single address (even if it ends with 0)
_ (outside) 1 50.1.1.5-50.1.1.10
* Used to assign a pool of public addresses to be used by NAT
* If you specify a SINGLE address here, you configure PAT
* If you specify a range, you configure NAT
nat, global
What command can be used to enforce NAT control? Note: * NAT enforcement is optional in ASA versions 7.0-8.2 * NAT control drops packets that have no translation rule (this can create another layer of access control)
nat-control
When you use static NAT to configure a range-to-range mapping, what is this called? (2) Note: * This is mapping one range of addresses in a network to a second network with the same range of addresses (10.10.10.0/26 - 172.20.10.0/26) * The advantage of this is the appliance can distinguish between host, network, and directed broadcast for a network number
net static
What are the two main types of objects?
_____
* Can be used to define a single IP address, a range, or a subnet
* This is used to identify the REAL or non-translated IP address in the NAT configuration
_____
* Includes protocols or ports
network, service
What allows you to nest similar objects together to make for efficient configuration of ACEs in access lists? (2) This is used for the following reasons:
* Simpler configuration
* Mitigate misconfigurations
* No performance impact
object groups
In ASA version 8.3+, what is NAT built around? (1)
objects
Dynamic NAT is used mostly for _ user connections.
outbound
Dynamic NAT is used mostly for ___ connections.
outbound
When undertaking risk transference, the details of the arrangement should be clearly stated in what type of contract? (3)
service level agreement
To show ACL hitcounts as well as expanded object groups, what command should be used?
show access-list
What command displays the number of active TCP and UDP connections and provides info about connections of various types? (2)
show conn
What command can you use to view the internal Flash memory?
show flash:
What command lets you display the network states of local hosts? (2) Note: * This command lets you show the translation and connection slots for the local hosts
show local-host
To view the order of NAT as well as translation hit counts, what command can you use? (2)
show nat
What command displays the policies that are looked up when translations are performed? (2)
show nat
What command can be used to show a "logical" view of configured ACLs?
show run access-list
To view a NAT configuration, which two places must you check to see what is being NAT'ed? (2 commands)
show run nat, show run object
What command displays the contents of the translation slots? (2)
show xlate
Organization policy terms:
___
* Mandatory rules, regulations, or activities (example: A certain cryptographic algorithm must be used for certain traffic)
___
* Recommendations, reference actions, operational guides
___
* Step-by-step instructions for performing specific tasks
* Defines how all other documents are implemented within the operating environment
___
* Minimum level of security required for a given system type
* Example: A list of unnecessary network services that should be disabled on every router
standards, guidelines, procedures, baselines
What is useful when you want an ASA to statically map multiple inside servers to one global IP address? (2) Note: * This is basically like having 2 servers on the inside network. One server accept requests on port 80 (web server), and another for port 25 (SMTP) * This allows you to save on global IP addresses
static PAT
ACLs applied to interfaces filter traffic flowing ____ the appliance.
through
Where should the more specific access control entries be placed?
top
In the NAT policy output (from show nat), there are two types of counters:
___hits
* Provide counters for real to mapped address conversion
___hits
* Provide counters for mapped to real address conversion
translate, untranslate
For traffic moving from a lower to higher security, the destination address argument of the ACL command is the ___ address
translated
When the first packet in a series of packets arrives at the security appliance from the inside interface, the appliance creates a _ _.
translation slot
Identity NAT creates what type of mapping? (1) Hint: * IP addresses on the higher security interface translate to themselves on all lower security interfaces
transparent
(true/false) A mapped network object or group can be used in multiple NAT rules. Note: object network (object-name) range/host (ip addr)
true
Cisco ASA maintains a translation table called what? (2) Notes:
* It maintains this for each protected host that can participate in connections
* It contains the following:
- Protocol used (ICMP, UDP, TCP)
- Local and global interfaces, IP addrs, port #s
- Flags
- Connections
- Timers
- Auth bindings
xlate table