Ensurepass

 

QUESTION 131

Which type of NAT is used where you translate multiple internal IP addresses to a single global, routable IP address?

 

A. policy NAT

B. dynamic PAT

C. static NAT

D. dynamic NAT

E. policy PAT

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html

 

Task Flow for Configuring Dynamic NAT and PAT

Use the following guidelines to configure either Dynamic NAT or PAT:

First configure a nat command, identifying the real addresses on a given interface that you want to translate.

Then configure a separate global command to specify the mapped addresses when exiting another interface.

(In the case of PAT, this is one address.) Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.

Note: The configuration for dynamic NAT and PAT is almost identical; for NAT you specify a range of mapped addresses, and for PAT you specify a single address.

Figure 29-9 shows a typical dynamic NAT scenario. Only translated hosts can create a NAT session, and responding traffic is allowed back. The mapped address is dynamically assigned from a pool defined by the global command.

 

Figure 29-9 Dynamic NAT (figure not reproduced)

 

Figure 29-10 shows a typical dynamic PAT scenario. Only translated hosts can create a NAT session, and responding traffic is allowed back. The mapped address defined by the global command is the same for each translation, but the port is dynamically assigned.

 

Figure 29-10 Dynamic PAT (figure not reproduced)

 

 

QUESTION 132

Which three statements about the Cisco ASA appliance are true? (Choose three.)

 

A. The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99.

B. The Cisco ASA appliance supports Active/Active or Active/Standby failover.

C. The Cisco ASA appliance has no default MPF configurations.

D. The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls.

E. The Cisco ASA appliance supports user-based access control using 802.1x.

F. An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering.

Correct Answer: ABD

Explanation:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html

 

Security Level Overview

Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100. The outside network connected to the Internet can be level 0. Other networks, such as a home network can be in between. You can assign interfaces to the same security level. See the “Allowing Communication Between VLAN Interfaces on the Same Security Level” section for more information.

 

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html

 

Active/Standby Failover Overview

Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

 

Active/Active Failover Overview

Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic. In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

 

The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring, failover, and active/standby status are all attributes of a failover group rather than the unit. When an active failover group fails, it changes to the standby state while the standby failover group becomes active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby state take over the standby MAC and IP addresses.

 

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html

 

Security Context Overview

You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.

 

 

QUESTION 133

Which option is a characteristic of a stateful firewall?

 

A. can analyze traffic at the application layer

B. allows modification of security rule sets in real time to allow return traffic

C. will allow outbound communication, but return traffic must be explicitly permitted

D. supports user authentication

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/fwinsp.html

 

Understanding Inspection Rules

Inspection rules configure Context-Based Access Control (CBAC) inspection commands. CBAC inspects traffic that travels through the device to discover and manage state information for TCP and UDP sessions. The device uses this state information to create temporary openings to allow return traffic and additional data connections for permissible sessions.

CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when inspected traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered inspection when exiting through the firewall.

 

Inspection rules are applied after your access rules, so any traffic that you deny in the access rule is not inspected. The traffic must be allowed by the access rules at both the input and output interfaces to be inspected. Whereas access rules allow you to control connections at layer 3 (network, IP) or 4 (transport, TCP or UDP protocol), you can use inspection rules to control traffic using application-layer protocol session information.

For all protocols, when you inspect the protocol, the device provides the following functions:

-Automatically opens a return path for the traffic (reversing the source and destination addresses), so that you do not need to create an access rule to allow the return traffic. Each connection is considered a session, and the device maintains session state information and allows return traffic only for valid sessions. Protocols that use TCP contain explicit session information, whereas for UDP applications, the device models the equivalent of a session based on the source and destination addresses and the closeness in time of a sequence of UDP packets. These temporary access lists are created dynamically and are removed at the end of a session.

-Tracks sequence numbers in all TCP packets and drops those packets with sequence numbers that are not within expected ranges.

-Uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. When a session is dropped, or reset, the device informs both the source and destination of the session to reset the connection, freeing up resources and helping to mitigate potential Denial of Service (DoS) attacks.

 

 

QUESTION 134

Which type of NAT would you configure if a host on the external network required access to an internal host?

 

A. Outside global NAT

B. NAT overload

C. Dynamic outside NAT

D. Static NAT

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html

 

Information About Static NAT

Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation. Because the mapped address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if an access list exists that allows it).

 

The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if an access list exists that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.

 

Figure 28-1 shows a typical static NAT scenario. The translation is always active so both translated and remote hosts can originate connections, and the mapped address is statically assigned by the static command.

 

Figure 28-1 Static NAT (figure not reproduced)
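The three translation behaviours the quoted Cisco text describes, dynamic NAT and dynamic PAT (Question 131) and static NAT (Question 134), can be exercised in a small model. The Python below is an added example written for this page; it is not Cisco code and not an ASA implementation. The rule precedence (a static entry first, then the dynamic pool, then PAT once the pool is exhausted), the 203.0.113.0/24 mapped addresses, the 10.0.0.0/8 real addresses and the PAT starting port 1024 are all constructed assumptions.

```python
import itertools


class NatEngine:
    """Toy model (constructed for this example, not Cisco code) of the three
    translation types in the quoted ASA text:
      - static NAT: persistent real<->mapped address pair, usable in both directions
      - dynamic NAT: mapped address taken from a pool, one per real host
      - dynamic PAT: one mapped address, a fresh port per translation
    Rule precedence here is an assumption: static entries, then the pool,
    then PAT once the pool is exhausted."""

    def __init__(self, pat_ip=None, pool=None, pat_first_port=1024):
        self.static = {}                       # real_ip -> mapped_ip (persistent)
        self.pool = list(pool or [])           # free dynamic-NAT mapped addresses
        self.assigned = {}                     # real_ip -> mapped_ip taken from pool
        self.pat_ip = pat_ip                   # single mapped address for PAT
        self.pat_ports = itertools.count(pat_first_port)  # next PAT port to hand out
        self.xlates = {}                       # (real_ip, real_port) -> (mapped_ip, mapped_port)
        self.reverse = {}                      # (mapped_ip, mapped_port) -> (real_ip, real_port)

    def add_static(self, real_ip, mapped_ip):
        """Equivalent of a static command: fixed, always-active translation."""
        self.static[real_ip] = mapped_ip

    def translate_outbound(self, real_ip, real_port):
        """Packet leaving the inside: reuse or create a translation.
        Returns (mapped_ip, mapped_port), or None when no rule applies."""
        key = (real_ip, real_port)
        if key in self.xlates:                  # existing xlate is reused
            return self.xlates[key]
        if real_ip in self.static:              # static NAT keeps the port
            mapped = (self.static[real_ip], real_port)
        elif real_ip in self.assigned:          # dynamic NAT: host already owns a pool address
            mapped = (self.assigned[real_ip], real_port)
        elif self.pool:                         # dynamic NAT: take the next free pool address
            self.assigned[real_ip] = self.pool.pop(0)
            mapped = (self.assigned[real_ip], real_port)
        elif self.pat_ip:                       # PAT: same address, dynamically assigned port
            mapped = (self.pat_ip, next(self.pat_ports))
        else:
            return None
        self.xlates[key] = mapped
        self.reverse[mapped] = key
        return mapped

    def translate_inbound(self, mapped_ip, mapped_port):
        """Packet arriving from outside for a mapped address. Responding traffic
        matches an existing xlate for any type; only static NAT lets a remote
        host initiate a new connection (an access list must still permit it)."""
        key = (mapped_ip, mapped_port)
        if key in self.reverse:
            return self.reverse[key]
        for real_ip, m_ip in self.static.items():
            if m_ip == mapped_ip:
                return (real_ip, mapped_port)
        return None                             # dynamic NAT/PAT without a session: dropped


def demo():
    """Walk through the scenarios from the quoted text with constructed addresses."""
    eng = NatEngine(pat_ip="203.0.113.20", pool=["203.0.113.10", "203.0.113.11"])
    eng.add_static("10.1.1.5", "203.0.113.5")
    return {
        "static_out": eng.translate_outbound("10.1.1.5", 4000),
        "static_in_new": eng.translate_inbound("203.0.113.5", 80),      # remote-initiated, allowed
        "dyn_host1": eng.translate_outbound("10.1.2.1", 5000),
        "dyn_host2": eng.translate_outbound("10.1.2.2", 5000),
        "pat_host3": eng.translate_outbound("10.1.2.3", 5000),          # pool exhausted -> PAT
        "pat_host4": eng.translate_outbound("10.1.2.4", 5000),
        "pat_return": eng.translate_inbound("203.0.113.20", 1024),      # reply to host3
        "pat_unsolicited": eng.translate_inbound("203.0.113.20", 9999), # no xlate -> None
        "dyn_unsolicited": eng.translate_inbound("203.0.113.11", 22),   # dynamic NAT: no initiation
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Running the script shows the two points the exam answers rest on: the two pool addresses are consumed by the first two real hosts and every later host shares 203.0.113.20 with a different port (dynamic PAT, many-to-one), while an inbound packet is mapped back only when it matches an existing xlate, except for the static entry, which resolves even with no prior session.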

QUESTION 135

DRAG DROP (exhibit not reproduced)

Correct Answer: (answer exhibit not reproduced)

QUESTION 136

DRAG DROP (exhibit not reproduced)

Correct Answer: (answer exhibit not reproduced)

QUESTION 137

Which kind of table do most firewalls use today to keep track of the connections through the firewall?

 

A. dynamic ACL

B. reflexive ACL

C. netflow

D. queuing

E. state

F. express forwarding

Correct Answer: E

Explanation:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html

 

Stateful Inspection Overview

All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process. A stateful firewall like the ASA, however, takes into consideration the state of a packet:

Is this a new connection?

If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.”

The session management path is responsible for the following tasks:

-Performing the access list checks

-Performing route lookups

-Allocating NAT translations (xlates)

-Establishing sessions in the “fast path”

The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates connection state information for connectionless protocols like UDP, ICMP (when you enable ICMP inspection), so that they can also use the fast path.

Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

Is this an established connection?

If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the “fast” path in both directions. The fast path is responsible for the following tasks:

-IP checksum verification

-Session lookup

-TCP sequence number check

-NAT translations based on existing sessions

-Layer 3 and Layer 4 header adjustments

Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.
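The session-management-path and fast-path split described above (and the CBAC behaviour quoted under Question 133: return-path openings, TCP sequence-number checks, timeouts) is easiest to see in a small state-table model. The Python below is an added example written for this page; it is not Cisco code and does not reproduce the Adaptive Security Algorithm. Each table entry is keyed by the 5-tuple of the initiating packet and holds per-direction sequence information and a last-seen timestamp, which is the kind of content Question 139 asks about. The interface names, the 65535 sequence window, the 60-second idle timeout and the sample flows are constructed assumptions; real devices track both sequence and acknowledgement numbers against the advertised window and use per-protocol timeouts.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Headers the firewall looks at. ingress names the arriving interface."""
    ingress: str                       # "inside" (trusted) or "outside"
    proto: str                         # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()     # TCP flags, e.g. frozenset({"SYN"})
    seq: int = 0                       # TCP sequence number


@dataclass
class Session:
    """One state-table entry: the 5-tuple is the dict key; per-direction
    sequence info and a last-seen timestamp live here."""
    created: float
    last_seen: float
    last_seq: dict = field(default_factory=dict)   # "fwd"/"rev" -> last TCP seq seen


class StatefulFirewall:
    def __init__(self, idle_timeout=60.0, seq_window=65535):
        self.idle_timeout = idle_timeout   # constructed value; real devices use per-protocol timers
        self.seq_window = seq_window       # constructed tolerance for the sequence check
        self.table = {}                    # 5-tuple of the initiating direction -> Session

    @staticmethod
    def _keys(p):
        fwd = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return fwd, rev

    def expire(self, now):
        """Timeout handling: drop entries idle longer than idle_timeout."""
        stale = [k for k, s in self.table.items() if now - s.last_seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def process(self, p, now):
        self.expire(now)
        fwd, rev = self._keys(p)
        if fwd in self.table:                      # same direction as the initiator
            sess, direction, key = self.table[fwd], "fwd", fwd
        elif rev in self.table:                    # return traffic: reversed addresses/ports
            sess, direction, key = self.table[rev], "rev", rev
        else:
            # Session management path: a new connection is only accepted from
            # the inside, and a new TCP session must begin with a bare SYN.
            if p.ingress != "inside":
                return "drop: no session and not initiated from inside"
            if p.proto == "tcp" and p.flags != {"SYN"}:
                return "drop: new TCP session must start with SYN"
            self.table[fwd] = Session(now, now, {"fwd": p.seq})
            return "permit: new session"
        # Fast path: session lookup succeeded, now the per-packet checks.
        if p.proto == "tcp":
            last = sess.last_seq.get(direction)
            if last is not None and abs(p.seq - last) > self.seq_window:
                return "drop: sequence number outside expected window"   # no wraparound handling
            sess.last_seq[direction] = p.seq
            if p.flags & {"FIN", "RST"}:           # teardown frees the entry
                del self.table[key]
                return "permit: session closed"
        sess.last_seen = now
        return "permit: established session"


def run_demo():
    """Constructed flows: a TCP handshake, an out-of-window packet, an unsolicited
    inbound SYN, a UDP query/reply pseudo-session and an idle timeout."""
    fw = StatefulFirewall(idle_timeout=60.0)
    S = frozenset
    inside, outside = "10.1.1.10", "198.51.100.7"
    flows = [
        (Packet("inside", "tcp", inside, 40000, outside, 443, S({"SYN"}), 1000), 0.0),
        (Packet("outside", "tcp", outside, 443, inside, 40000, S({"SYN", "ACK"}), 5000), 0.1),
        (Packet("outside", "tcp", outside, 443, inside, 40000, S({"ACK"}), 9_000_000), 0.2),
        (Packet("outside", "tcp", "198.51.100.9", 12345, inside, 22, S({"SYN"}), 1), 0.3),
        (Packet("inside", "udp", inside, 53001, "198.51.100.53", 53), 1.0),
        (Packet("outside", "udp", "198.51.100.53", 53, inside, 53001), 1.5),
        (Packet("inside", "tcp", inside, 40000, outside, 443, S({"FIN", "ACK"}), 1500), 2.0),
        (Packet("outside", "udp", "198.51.100.53", 53, inside, 53001), 200.0),
    ]
    return [fw.process(p, t) for p, t in flows]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The first packet of each flow is the only one that goes through the "new connection" branch; every later packet is resolved by a table lookup, which is the performance point the quoted text makes against per-packet filters. The UDP reply is permitted purely because it reverses the addresses and ports of a recent query, and once the entry ages out the same reply is dropped, matching the CBAC description of modelled UDP sessions.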

 

 

QUESTION 138

Refer to the exhibit. Based on the show policy-map type inspect zone-pair session command output shown, what can be determined about this Cisco IOS zone based firewall policy?

 

(exhibit not reproduced)

A. All packets will be dropped since the class-default traffic class is matching all traffic.

B. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more secured zone).

C. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less secured zone).

D. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.

E. All non-HTTP traffic will be permitted to pass as long as it matches ACL 110.

F. All non-HTTP traffic will be inspected.

Correct Answer: D

Explanation:

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html

 

match access-group

To configure the match criteria for a class map on the basis of the specified access control list (ACL), use the match access-group command in class-map configuration mode. To remove ACL match criteria from a class map, use the no form of this command.

match access-group {access-group | name access-group-name}

no match access-group access-group

match protocol

To configure the match criterion for a class map on the basis of a specified protocol, use the match protocol command in class-map configuration mode. To remove the protocol-based match criterion from the class map, use the no form of this command.

match protocol protocol-name

no match protocol protocol-name

QUESTION 139

When using a stateful firewall, which information is stored in the stateful session flow table?

 

A. the outbound and inbound access rules (ACL entries)

B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session

C. all TCP and UDP header information only

D. all TCP SYN packets and the associated return ACK packets only

E. the inside private IP address and the translated inside global IP address

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html

 

(The Stateful Inspection Overview quoted here is identical to the one under Question 137.)

 

 

 

QUESTION 140

Which characteristic is a potential security weakness of a traditional stateful firewall?

 

A. It cannot support UDP flows.

B. It cannot detect application-layer attacks.

C. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake.

D. It works only in promiscuous mode.

E. The status of TCP sessions is retained in the state table after the sessions terminate.

F. It has low performance due to the use of syn-cookies.

Correct Answer: B

Explanation:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html

 

Cisco IOS Firewall consists of several major subsystems:

 

-Stateful Packet Inspection provides a granular firewall engine

-Authentication Proxy offers a per-host access control mechanism

-Application Inspection features add protocol conformance checking and network use policy control

Enhancements to these features extend these capabilities to VRF instances to support multiple virtual routers per device, and to Cisco Integrated Route-Bridging features to allow greater deployment flexibility, reduce implementation timelines, and ease requirements to add security to existing networks.

 
