Test title:
security 4

Description:
CCNA security exam, chapter 4

Author:
AVATAR

Creation date:
21/10/2016

Category:
Other

Number of questions: 23
Contents:
Refer to the exhibit. What is represented by the area marked as “A”? DMZ; trusted network; perimeter security boundary; untrusted network; internal network.
For a stateful firewall, which information is stored in the stateful session flow table? TCP SYN packets and the associated return ACK packets; outbound and inbound access rules (ACL entries); source and destination IP addresses, and port numbers and sequencing information associated with a particular session; inside private IP address and the translated inside global IP address; TCP control header and trailer information associated with a particular session.
A router has CBAC configured and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table? A dynamic ACL entry is added to the external interface in the inbound direction. The entry remains in the state table after the session is terminated so that it can be reused by the host. The internal interface ACL is reconfigured to allow the host IP address access to the Internet. When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.
What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI? Create zones. Assign router interfaces to zones. Assign policy maps to zone pairs. Define firewall policies. Define traffic classes.
Which type of packet is unable to be filtered by an outbound ACL? ICMP packet; router-generated packet; multicast packet; broadcast packet.
Which statement correctly describes a type of filtering firewall? A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state. An application gateway firewall (proxy firewall) is typically implemented on a router to filter Layer 3 and Layer 4 information. A transparent firewall is typically implemented on a PC or server with firewall software running on it. A packet-filtering firewall expands the number of IP addresses available and hides network addressing design.
Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet? The packet is forwarded, and no alert is generated. The packet is dropped. The initial packet is dropped, but subsequent packets are forwarded. The packet is forwarded, and an alert is generated.
When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL? optimum switching; autonomous switching; process switching; topology-based switching.
Refer to the exhibit. Based on the SDM screen shown, which two statements describe the effect this zone-based policy firewall has on traffic? (Choose two.) Unmatched traffic to the router from the out-zone is permitted. Traffic from the in-zone to the out-zone is denied if the source address is in the 127.0.0.0/8 range. HTTP traffic from the in-zone to the out-zone is inspected. ICMP replies from the router to the out-zone are denied. Traffic from the in-zone to the out-zone is denied if the destination address is in the 10.1.1.0/29 range.
When using Cisco IOS zone-based policy firewall, where is the inspection policy applied? a zone; a zone pair; an interface; a global service policy.
Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model? Both stateful and packet-filtering firewalls can filter at the application layer. A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer. A stateful firewall can filter application layer information, while a packet-filtering firewall cannot filter beyond the network layer. A packet-filtering firewall uses session layer information to track the state of a connection, while a stateful firewall uses application layer information to track the state of a connection.
Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.) sequence number; SYN and ACK flags; destination port; source port; protocol ID.
When configuring a Cisco IOS zone-based policy firewall, which three actions can be applied to a traffic class? (Choose three.) shape; reroute; inspect; pass; queue; drop.
Which two are characteristics of ACLs? (Choose two.) Extended ACLs can filter on source and destination IP addresses. Standard ACLs can filter on source and destination TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses. Extended ACLs can filter on destination TCP and UDP ports. Standard ACLs can filter on source and destination IP addresses.
Which three actions can a Cisco IOS zone-based policy firewall take if configured with Cisco SDM? (Choose three.) forward; inspect; evaluate; pass; analyze; drop.
Which location is recommended for extended numbered or extended named ACLs? a location centered between traffic destinations and sources to filter as much traffic as possible; if using the established keyword, a location close to the destination to ensure that return traffic is allowed; a location as close to the source of traffic as possible; a location as close to the destination of traffic as possible.
Which type of packets exiting the network of an organization should be blocked by an ACL? packets that are not encrypted; packets with destination IP addresses outside of the organization's network address space; packets with source IP addresses outside of the organization's network address space; packets that are not translated with NAT.
Which statement accurately describes Cisco IOS zone-based policy firewall operation? A router interface can belong to multiple zones. Router management interfaces must be manually assigned to the self zone. The pass action works in only one direction. Service policies are applied in interface configuration mode.
Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router? local zone; outside zone; self zone; inside zone; system zone.
Refer to the exhibit. Based on the SDM screen shown, which statement describes the zone-based firewall component being configured? a class map that prioritizes traffic that uses HTTP first, followed by SMTP, and then DNS; a class map that inspects all traffic that uses the HTTP, SMTP, and DNS protocols; a class map that inspects all traffic, except traffic that uses the HTTP, SMTP, and DNS protocols; a class map that denies all traffic that uses the HTTP, SMTP, and DNS protocols; a class map that inspects all traffic that uses the HTTP, IM, P2P, and email protocols.
Refer to the exhibit. In a two-interface CBAC implementation, where should ACLs be applied? inside and outside interfaces; no interfaces; outside interface; inside interface.
In addition to the criteria used by extended ACLs, what conditions are used by CBAC to filter traffic? TCP/IP protocol numbers; application layer protocol session information; IP source and destination addresses; TCP/UDP source and destination port numbers.
Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.) SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked. SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked. SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked. SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked. SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked. SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.