
Which of the following features does the Cisco ASA provide? (Choose all that apply.)


a. Simple packet filtering using standard or extended access lists


b. Layer 2 transparent implementation


c. Support for remote-access SSL VPN connections


d. Support for site-to-site SSL VPN connections


A, B, and C


Which of the following Cisco ASA models are designed for small and branch offices? (Choose all that apply.)


a. 5505


b. 5512-X


c. 5555-X


d. 5585-X with SSP10

A and B


When used in an access policy, which component could identify multiple servers?


a. Stateful filtering


b. Application awareness


c. Object groups


d. DHCP services

C. Object Groups


Which of the following is an accurate description of the word inbound as it relates to an ASA? (Choose all that apply.)


a. Traffic from a device that is located on a high-security interface


b. Traffic from a device that is located on a low-security interface


c. Traffic that is entering any interface


d. Traffic that is exiting any interface


B and C


When is traffic allowed to be routed and forwarded if the source of the traffic is from a device located off of a low-security interface if the destination device is located off of a high-security interface? (Choose all that apply.)


a. This traffic is never allowed.


b. This traffic is allowed if the initial traffic was inspected and this traffic is the return traffic.


c. If there is an access list that is permitting this traffic.


d. This traffic is always allowed by default.


B and C

Which of the following tools could be used to configure or manage an ASA? (Choose all that apply.)


a. Cisco Security Manager (CSM)


b. ASA Security Device Manager (ASDM)


c. Cisco Configuration Professional (CCP)


d. The command-line interface (CLI)


A, B and D


Which of the following elements, which are part of the Modular Policy Framework on the ASA, are used to classify traffic?


a. Class maps


b. Policy maps


c. Service policies


d. Stateful filtering


A

When you configure the ASA as a DHCP server for a small office, what default gateway will be assigned for the DHCP clients to use?


a. The service provider’s next-hop IP address.


b. The ASA’s outside IP address.


c. The ASA’s inside IP address.


d. Clients need to locally configure a default gateway value.


C

When you configure network address translation for a small office, devices on the Internet will see the ASA inside users as coming from which IP address?


a. The inside address of the ASA.


b. The outside address of the ASA.


c. The DMZ address of the ASA.


d. Clients will each be assigned a unique global address, one for each user.


B

You are interested in verifying whether the security policy you implemented is having the desired effect. How can you verify this policy without involving end users or their computers?


a. Run the policy check tool, which is built in to the ASA.


b. The ASA automatically verifies that policy matches intended rules.


c. Use the Packet Tracer tool.


d. You must manually generate the traffic from an end-user device to verify that the firewall will forward it or deny it based on policy.


C

Which ASAs are for small/branch offices?

ASA 5505 through 5515 (the 5505, 5506, 5510, 5512 and 5515 models)



Describe packet filtering, and how ASAs handle it.

Packet filtering is done with access lists. ASAs support standard and extended ACLs. One difference from a router is that ASA ACLs use subnet masks (e.g. 255.255.255.0) rather than wildcard masks (0.0.0.255).

Describe a stateful firewall, and how ASAs use stateful filtering.

By default the ASA records every connection that leaves through it (for example, inside to outside) in its state table: source and destination addresses and ports.

If an ACL blocks particular inbound traffic, but that traffic is the return half of a connection that left the firewall first, the state table wins: return traffic matching an existing connection is forwarded without being checked against the interface ACL.

Describe application inspection/awareness as it pertains to the ASA

The ASA sees both sides of a conversation, so it can look at application-layer information, not just addresses and ports.

e.g. an FTP session between a host and a server: the server may need to send data to a dynamically negotiated port. FTP inspection reads the PORT/PASV exchange on the control channel and opens a pinhole for just that data connection.

Describe object groups as they pertain to the ASA

An object group refers to one or more items: hosts, networks, services/ports, or protocols. Using the group's name in an ACL lets one rule apply to the whole group, e.g. a network group that covers several servers or a network range.

Describe botnet filtering

The Botnet Traffic Filter: the ASA works with a system at Cisco that supplies the Botnet Traffic Filter database of known malicious domains and addresses, so traffic to and from known botnet infrastructure can be identified and blocked.

Describe Advanced Malware Protection

Present only in the next-generation firewall (NGFW) offerings, which combine traditional firewall features with NGFW capabilities. Lets an admin protect the network from known threats, including advanced persistent threats.

What is the range of security levels? Which number has the highest trust value?

0-100. 100 has the highest trust rating (used for inside)

What security number would we give the outside?

0

How do we make an interface operational?

Assign a security level, assign a name (nameif), give it an IP address (in routed mode), and no shut.



What is the DMZ?

Demilitarized zone: a medium-security interface (e.g. level 50) for servers that must be reachable from outside. Outside hosts reach DMZ servers only where an ACL permits it, and DMZ hosts cannot initiate traffic to the inside; only return traffic of a connection that inside opened first (tracked statefully) gets back in.

What is the default flow of traffic?

High security level --> low security level

100 --> 50 --> 0

Traffic will not run uphill unless it is the return traffic of a connection initiated from uphill, which stateful filtering allows.



What does inbound mean from a security level perspective? Outbound?

Inbound means traffic going uphill, low to high, e.g. dmz > inside, or outside > dmz.

Outbound means traffic flowing downhill, e.g. inside > dmz, or dmz > outside.

How do we allow traffic in, past the default configuration?

We must create ACLs and apply them to an interface. Perhaps we need to allow outside > dmz, so we permit traffic to a specific IP/port (e.g. TCP 80 to the web server) and apply the ACL inbound on the outside interface. Don't forget the implicit deny at the end of the ACL: once an ACL is applied to an interface it replaces the security-level default for traffic entering that interface, so anything you still want to pass downhill through that interface must now be permitted explicitly.
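Assembled here as an added example (not the deck's own material) to show how the cards on interfaces, object groups, ACLs and the implicit deny fit together: an ASA 9.x CLI configuration in routed mode. The interface names, the object-group and ACL names, and the RFC 5737 documentation addresses are my own choices; any static NAT that would publish the DMZ servers is omitted.

```cisco
! Added example (not from the original deck): ASA 9.x, routed mode.
! Names (outside/inside/dmz, DMZ-WEB-SERVERS, WEB-PORTS, OUTSIDE-IN, DMZ-IN)
! and the RFC 5737 documentation addresses are illustrative choices.

! 1. Make each interface operational: name, security level, address, no shut.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown

! 2. Object groups: one name that stands for several servers or ports, so the
!    ACL below needs one line instead of four.
object-group network DMZ-WEB-SERVERS
 network-object host 172.16.1.10
 network-object host 172.16.1.11
!
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https

! 3. Extended ACL. ASA ACLs take subnet masks (255.255.255.0), never the
!    wildcard masks (0.0.0.255) that IOS router ACLs use.
!    Since ASA 8.3 the ACL matches the real (untranslated) address of the
!    server, so the (omitted) static NAT does not change these lines.
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-WEB-SERVERS object-group WEB-PORTS
access-list OUTSIDE-IN extended deny ip any any log
! (the final deny is implicit; writing it out adds logging of dropped packets)

! 4. Apply it inbound on outside, i.e. to traffic entering the low-security
!    interface on its way uphill to the DMZ.
access-group OUTSIDE-IN in interface outside

! 5. Caveat: once an ACL is applied to an interface, it replaces the
!    security-level default for traffic entering that interface. The intent
!    here is only to stop DMZ hosts from initiating sessions to inside, but
!    without the second line the implicit deny would also drop dmz->outside,
!    which the 50->0 default allowed before the ACL existed.
access-list DMZ-IN extended deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ-IN extended permit ip 172.16.1.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
! Return traffic of sessions that inside hosts opened to the DMZ servers is
! still allowed: it matches the state table and is never checked against DMZ-IN.

! 6. Verify without involving a client: simulate an outside host hitting the
!    web server, and a DMZ host trying to reach an inside host.
packet-tracer input outside tcp 198.51.100.7 40000 172.16.1.10 80
packet-tracer input dmz tcp 172.16.1.10 40000 192.168.1.50 22
```

The first packet-tracer run should end in ALLOW (permitted by OUTSIDE-IN), the second in DROP (denied by the first line of DMZ-IN); the tool reports the phase at which the packet was dropped, which is the quickest way to spot an implicit-deny mistake.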



Modular Policy Framework on ASAs. How do class maps, policy maps and service-policy commands treat traffic?

Class maps identify (classify) traffic, policy maps define the actions to take on each class, and the service-policy command applies a policy map globally or to an interface.

What layers do class maps operate on? How do they classify traffic?

Layer 3/4. They classify by ACL, TCP/UDP ports, RTP port ranges, VPN tunnel group, and similar header fields (class maps only classify; inspection itself is an action defined in the policy map).



How do policy maps specify the actions to take on each class of traffic?

Redirect traffic to a hardware module (e.g. an IPS module), perform application inspection on it, or give its forwarding priority (QoS).



Where can you apply a policy?

You can apply a policy map globally or to an interface. Any given interface can have only one policy applied, plus the one global policy; for traffic on that interface the interface policy takes precedence over the global one.
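The three MPF pieces from the preceding cards in working ASA CLI form, as an added example that is not part of the original deck. Class, policy and ACL names are illustrative; the interface is assumed to already carry the nameif "outside".

```cisco
! Added example (not from the original deck): Modular Policy Framework.
! FTP-TRAFFIC, FTP-CLASS, DNS-CLASS, VOICE-CLASS and OUTSIDE-POLICY are
! illustrative names; "outside" is assumed to be an existing nameif.

! Class maps classify traffic at Layer 3/4. Three ways to match:
access-list FTP-TRAFFIC extended permit tcp any any eq 21
class-map FTP-CLASS
 match access-list FTP-TRAFFIC        ! by ACL
!
class-map DNS-CLASS
 match port udp eq 53                 ! by UDP port
!
class-map VOICE-CLASS
 match dscp ef                        ! by DSCP marking

! Policy map: the action taken on each class.
policy-map OUTSIDE-POLICY
 class FTP-CLASS
  inspect ftp                         ! reads PORT/PASV, opens the data-port pinhole
 class DNS-CLASS
  inspect dns
 class VOICE-CLASS
  priority                            ! strict-priority forwarding (needs the queue below)

! Priority queuing must be enabled on the interface for "priority" to act.
priority-queue outside

! Service policy: apply it. One policy per interface; for traffic on that
! interface it takes precedence over the global policy (global_policy, which
! the ASA installs by default and which keeps handling other interfaces).
service-policy OUTSIDE-POLICY interface outside

! Check which classes are matching and what inspection is doing.
show service-policy interface outside
show conn
```

The third action the card mentions, sending a class to a hardware module, would be `ips inline fail-open` under a class, which is left out here because it only takes effect when an IPS module is installed. `show service-policy` counters are the quickest check that a class map is actually matching the traffic you intended.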

How do you configure interfaces in ASDM?

Configuration > Device Setup > Interfaces

Will an ASA forward traffic between two interfaces of the same security level?

No, not by default. It has to be enabled explicitly (same-security-traffic permit inter-interface).

How do we get the ASA to hand out IP addresses to its clients using ASDM?

Configuration > Device Management > DHCP > DHCP Server

Next we must configure basic routing to the Internet. How can ASAs get routes?

From directly connected networks, static routes (including a default route), or dynamic routing protocols.

Where is routing located in the ASDM?

Configuration>Device Setup>Routing



So the ASA can now forward to the Internet and inside hosts are getting DHCP addresses, but these are private addresses. We must translate them with NAT or PAT so they can go out and reach the Internet. Where in ASDM will we find this?

Configuration > Firewall > NAT Rules
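The CLI equivalents of the DHCP, routing and NAT screens from the last three cards, as an added example that is not from the original deck. It assumes an inside interface already configured at 192.168.1.1/24 and an outside interface on 203.0.113.0/24; the addresses are RFC 5737 documentation ranges and the object name is my own.

```cisco
! Added example (not from the original deck): small-office ASA, CLI
! counterparts of the ASDM DHCP, Routing and NAT Rules screens.
! Assumes nameif inside = 192.168.1.1/24 and nameif outside on 203.0.113.0/24;
! addresses are documentation ranges, INSIDE-NET is an illustrative name.

! DHCP server on the inside interface. The ASA hands out its own inside
! address (192.168.1.1 here) as the clients' default gateway unless that is
! overridden with "dhcpd option 3 ip ...".
dhcpd address 192.168.1.10-192.168.1.200 inside
dhcpd dns 192.0.2.53
dhcpd lease 86400
dhcpd enable inside

! Routing: a static default route toward the ISP next hop on the outside.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! NAT: dynamic PAT. Everything from the inside network leaves as the ASA's
! outside interface address, which is what Internet hosts see.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Verification without touching a client: simulate an inside host browsing
! out, then confirm the lease, route and translation tables.
packet-tracer input inside tcp 192.168.1.50 51000 198.51.100.80 443
show dhcpd binding
show route
show xlate
```

In the packet-tracer output, the NAT phase should show the source rewritten to the outside interface address and the result ALLOW; if the route phase fails, the default route is missing or points at the wrong interface.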



Now we need to set some access rules, where are they located?

Configuration>Firewall>Access Rules



What can we use within ASDM (or the CLI) to ensure that the rules we created are performing as intended?

Packet Tracer (Tools > Packet Tracer in ASDM, or the packet-tracer command at the CLI): it simulates a packet through the interfaces, ACLs, NAT and routing and reports whether it would be permitted or dropped, without involving an end-user device.