Ch4 Answer
Uploaded by aziz-london, posted 04-Jun-2018

Page 1: Ch4 Answer

8/13/2019 Ch4 Answer

http://slidepdf.com/reader/full/ch4-answer 1/7

1. Which statement accurately describes Cisco IOS zone-based policy firewall operation?
The pass action works in only one direction.
A router interface can belong to multiple zones.
Service policies are applied in interface configuration mode.
Router management interfaces must be manually assigned to the self zone.

2. Which location is recommended for extended numbered or extended named ACLs?
a location as close to the destination of traffic as possible
a location as close to the source of traffic as possible
a location centered between traffic destinations and sources to filter as much traffic as possible
if using the established keyword, a location close to the destination to ensure that return traffic is allowed

3. When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?
a global service policy
an interface
a zone
a zone pair

4. Refer to the exhibit. Based on the SDM screen shown, which statement describes the zone-based firewall component being configured?
a class map that inspects all traffic that uses the HTTP, IM, P2P, and email protocols
a class map that prioritizes traffic that uses HTTP first, followed by SMTP, and then DNS
a class map that denies all traffic that uses the HTTP, SMTP, and DNS protocols
a class map that inspects all traffic that uses the HTTP, SMTP, and DNS protocols
a class map that inspects all traffic, except traffic that uses the HTTP, SMTP, and DNS protocols


5. Refer to the exhibit. Based on the SDM screen shown, which two statements describe the effect this zone-based policy firewall has on traffic? (Choose two.)
HTTP traffic from the in-zone to the out-zone is inspected.
Unmatched traffic to the router from the out-zone is permitted.
ICMP replies from the router to the out-zone are denied.
Traffic from the in-zone to the out-zone is denied if the source address is in the 127.0.0.0/8 range.
Traffic from the in-zone to the out-zone is denied if the destination address is in the 10.1.1.0/29 range.

6. Which type of packet is unable to be filtered by an outbound ACL?
ICMP packet
broadcast packet
multicast packet
router-generated packet

7. Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
The packet is forwarded, and an alert is generated.
The packet is forwarded, and no alert is generated.
The initial packet is dropped, but subsequent packets are forwarded.
The packet is dropped.

8. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?
self zone
system zone
local zone
inside zone
outside zone


9. Which statement correctly describes a type of filtering firewall?
A transparent firewall is typically implemented on a PC or server with firewall software running on it.
A packet-filtering firewall expands the number of IP addresses available and hides network addressing design.
An application gateway firewall (proxy firewall) is typically implemented on a router to filter Layer 3 and Layer 4 information.
A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.

10. In addition to the criteria used by extended ACLs, what conditions are used by CBAC to filter traffic?
TCP/IP protocol numbers
IP source and destination addresses
application layer protocol session information
TCP/UDP source and destination port numbers

11. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?
Both stateful and packet-filtering firewalls can filter at the application layer.
A stateful firewall can filter application layer information, while a packet-filtering firewall cannot filter beyond the network layer.
A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer.
A packet-filtering firewall uses session layer information to track the state of a connection, while a stateful firewall uses application layer information to track the state of a connection.

12. Refer to the exhibit. What is represented by the area marked as "A"?
DMZ
internal network
perimeter security boundary
trusted network
untrusted network


13. Which three actions can a Cisco IOS zone-based policy firewall take if configured with Cisco SDM? (Choose three.)
inspect
evaluate
drop
analyze
pass
forward

14. A router has CBAC configured and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
A dynamic ACL entry is added to the external interface in the inbound direction.
The internal interface ACL is reconfigured to allow the host IP address access to the Internet.
The entry remains in the state table after the session is terminated so that it can be reused by the host.
When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.

15. For a stateful firewall, which information is stored in the stateful session flow table?
TCP control header and trailer information associated with a particular session
TCP SYN packets and the associated return ACK packets
inside private IP address and the translated inside global IP address
outbound and inbound access rules (ACL entries)
source and destination IP addresses, and port numbers and sequencing information associated with a particular session


16. Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
SSH connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
Telnet connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.

17. When configuring a Cisco IOS zone-based policy firewall, which three actions can be applied to a traffic class? (Choose three.)
drop
inspect
pass
reroute
queue
shape

18. Refer to the exhibit. In a two-interface CBAC implementation, where should ACLs be applied?
inside interface
outside interface
inside and outside interfaces
no interfaces


19. Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.)
source port
protocol ID
sequence number
destination port
SYN and ACK flags
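The two-interface CBAC layout that questions 7, 10, 14, 18 and 19 revolve around, written out as a Cisco IOS CLI configuration. This is an added example, not an exhibit from the original answer key; the inspection-rule name, ACL names, interface names and the 10.0.0.0/24 inside network are assumptions chosen for illustration. It shows an inbound ACL on both interfaces (Q18), inspection of inside-to-outside sessions that opens temporary entries ahead of the outside interface's inbound ACL (Q14), application-aware inspection entries (Q10), and the TCP-specific state and timers that distinguish TCP from UDP tracking (Q19).

```cisco
! Added example; names and addresses are assumptions, not from the exam exhibit.
!
! Inspection rule: which sessions initiated from the inside are tracked.
! The generic tcp and udp entries track the source/destination address and
! port 5-tuple. For TCP, CBAC additionally follows the SYN/ACK handshake and
! sequence numbers (Q19). Named application entries such as http and ftp add
! application-layer session awareness on top of the ACL criteria (Q10).
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT http
ip inspect name CBAC-OUT ftp
!
! Session timers. A TCP session that never completes its handshake is torn
! down after synwait-time; UDP has no handshake, so it is aged out purely on
! idle time.
ip inspect tcp synwait-time 20
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! Inside ACL, applied inbound on the LAN side: what inside hosts may initiate.
ip access-list extended INSIDE-IN
 permit ip 10.0.0.0 0.0.0.255 any
 deny   ip any any log
!
! Outside ACL, applied inbound on the Internet side: deny everything. After an
! inside-to-outside session is inspected and recorded in the state table, CBAC
! adds a dynamic permit entry in front of this list, on the external interface
! in the inbound direction, for the return half of that session (Q14). An
! unsolicited packet such as the one in Q7 (172.30.1.50:23 -> 10.0.0.3:2447)
! matches no session entry, falls through to this deny, and is dropped.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
interface GigabitEthernet0/0
 description inside (assumed name)
 ip access-group INSIDE-IN in
 ip inspect CBAC-OUT in
!
interface Serial0/0/0
 description outside (assumed name)
 ip access-group OUTSIDE-IN in
!
! Verify from exec mode with: show ip inspect sessions
```

The dynamic entries CBAC opens are removed when the session closes or its idle timer expires; they are not retained for reuse, which is why that option in Q14 is not how the state table behaves.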

20. What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI?
Create zones.
Define traffic classes.
Define firewall policies.
Assign policy maps to zone pairs.
Assign router interfaces to zones.
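The five steps that the options of question 20 list (create zones, define traffic classes, define firewall policies, assign policy maps to zone pairs, assign interfaces to zones), carried out in order as a complete Cisco IOS CLI configuration. This is an added example, not part of the original answer key; the zone, class-map, policy-map, ACL and interface names are assumptions chosen for illustration. It also shows the points behind questions 1, 3, 5, 8, 13 and 17: the policy attaches to a zone pair in global configuration, each interface joins exactly one zone, the self zone exists without being created, the available actions are inspect, drop and pass, and pass is unidirectional while inspect creates return state.

```cisco
! Added example; all names are assumptions, not from the exam exhibit.
!
! Step 1: create the security zones. The self zone is system-defined and is
! not declared here; traffic to or from the router itself uses it
! automatically (Q8). With no policy attached to a self-zone pair, that
! traffic is permitted by default, which is the Q5 behaviour.
zone security INSIDE
zone security OUTSIDE
!
! Step 2: define traffic classes. The first class matches the protocols the
! SDM screen in Q4 inspects; the second matches the spoofed loopback source
! range from Q5 through an ACL; the third exists only to demonstrate pass.
ip access-list extended SPOOFED-SOURCES
 permit ip 127.0.0.0 0.255.255.255 any
!
class-map type inspect match-any IN-TO-OUT-APPS
 match protocol http
 match protocol smtp
 match protocol dns
!
class-map type inspect match-all SPOOFED
 match access-group name SPOOFED-SOURCES
!
class-map type inspect match-any ICMP-ONLY
 match protocol icmp
!
! Step 3: define the firewall policy. The only actions are inspect, drop and
! pass (Q13/Q17). Classes are evaluated top down and the first match wins, so
! the drop for spoofed sources comes before the inspect class.
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect SPOOFED
  drop log
 class type inspect IN-TO-OUT-APPS
  inspect
 class type inspect ICMP-ONLY
  pass
 class class-default
  drop log
!
! Step 4: attach the policy to a zone pair (Q3). A zone pair is directional:
! this one governs traffic initiated from INSIDE towards OUTSIDE. "inspect"
! creates state that lets replies back in; "pass" does not (Q1), so the ICMP
! replies for the ICMP-ONLY class would need their own pass rule on a pair
! with source OUTSIDE and destination INSIDE.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
!
! Step 5: assign interfaces to zones. An interface belongs to at most one zone
! (Q1); an interface with no zone membership cannot exchange traffic with a
! zoned interface at all.
interface GigabitEthernet0/0
 description LAN (assumed name)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet (assumed name)
 zone-member security OUTSIDE
```

In a production policy the ICMP class would normally use `inspect` rather than `pass`, since inspection tracks the echo and echo-reply pairing and leaves nothing open in the reverse direction; `pass` is kept here only to make the one-way nature of that action visible.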

21. Which two are characteristics of ACLs? (Choose two.)
Extended ACLs can filter on destination TCP and UDP ports.
Extended ACLs can filter on source and destination IP addresses.
Standard ACLs can filter on source and destination IP addresses.
Standard ACLs can filter on source and destination TCP and UDP ports.

22. Which type of packets exiting the network of an organization should be blocked by an ACL?
packets that are not encrypted
packets that are not translated with NAT
packets with source IP addresses outside of the organization's network address space
packets with destination IP addresses outside of the organization's network address space


23. When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?
topology-based switching
autonomous switching
process switching
optimum switching
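The ACL points raised in questions 2, 6, 16, 22 and 23 in one Cisco IOS CLI configuration. This is an added example, not the exhibit from the original answer key; the ACL names, interface names and the 203.0.113.0/24 block standing in for the organization's own address space are assumptions. It shows the single SSH permit of Q16 together with the implicit deny that blocks Telnet, the placement rule of Q2, and the egress anti-spoofing filter of Q22.

```cisco
! Added example; names, interfaces and the 203.0.113.0/24 block are assumptions.
!
! Q16: the only explicit entry permits SSH (TCP/22) from 192.168.1.0/24 to
! 192.168.2.0/24. Every other packet tested against this list, including
! Telnet (TCP/23) in the same direction, falls to the implicit deny at the end.
ip access-list extended LAN1-TO-LAN2
 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22
 ! implicit final entry: deny ip any any
!
! Q2: an extended ACL matches on source, destination and ports, so it is
! placed as close to the source as possible and applied inbound on the
! interface facing 192.168.1.0/24, before the packet is routed. (A standard
! ACL, which matches only the source, would instead go near the destination.)
interface GigabitEthernet0/0
 description facing 192.168.1.0/24 (assumed name)
 ip access-group LAN1-TO-LAN2 in
!
! Q22: egress filter on the Internet-facing interface. Only packets whose
! source address lies inside the organization's own block may leave; anything
! else carries a spoofed source and is dropped and logged.
ip access-list extended EGRESS-ANTISPOOF
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Internet uplink (assumed name)
 ip access-group EGRESS-ANTISPOOF out
```

Two caveats the questions point at: packets that match an entry carrying the `log` keyword are process switched (Q23), so keep `log` off high-volume permit entries and expect CPU cost on the deny line; and an outbound ACL never sees packets the router itself generates (Q6), so EGRESS-ANTISPOOF does not filter the router's own pings, routing updates or syslog messages.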