CCNA Security Chapter 9

1.

1 point

When dynamic NAT on an ASA is being configured, what two parameters must be specified by network objects? (Choose two.)

a range of private addresses that will be translated

the pool of public global addresses

the interface security level

the outside NAT interface

the inside NAT interface

2.

1 point

A network administrator is working on the implementation of the Cisco Modular Policy Framework on an ASA device. The administrator issues a clear service-policy command. What is the effect after this command is entered?

All service policies are removed.

All service policy statistics data are removed.

All policy map configurations are removed.

All class map configurations are removed.

3.

1 point

What function is performed by the class maps configuration object in the Cisco modular policy framework?

applying a policy to an interface

applying a policy to interesting traffic

restricting traffic through an interface

identifying interesting traffic

4.

1 point

What is one of the drawbacks to using transparent mode operation on an ASA device?

no support for QoS

no support for using an ASA as a Layer 2 switch

no support for management

no support for IP addressing

5.

1 point

What is a difference between ASA IPv4 ACLs and IOS IPv4 ACLs?

ASA ACLs are always named, whereas IOS ACLs are always numbered.

ASA ACLs use forward and drop ACEs, whereas IOS ACLs use permit and deny ACEs.

ASA ACLs do not have an implicit deny any at the end, whereas IOS ACLs do.

Multiple ASA ACLs can be applied on an interface in the ingress direction, whereas only one IOS ACL can be applied.

ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask.

6.

1 point

Refer to the exhibit. An administrator has configured an ASA 5505 as indicated but is still unable to ping the inside interface from an inside host. What is the cause of this problem?

The no shutdown command should be entered on interface Ethernet 0/1.

The security level of the inside interface should be 0 and the outside interface should be 100.

VLAN 1 should be the outside interface and VLAN 2 should be the inside interface.

An IP address should be configured on the Ethernet 0/0 and 0/1 interfaces.

VLAN 1 should be assigned to interface Ethernet 0/0 and VLAN 2 to Ethernet 0/1.

7.

1 point

What are three characteristics of the ASA routed mode? (Choose three.)

NAT can be implemented between connected networks.

The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets.

This mode is referred to as a “bump in the wire.”

It is the traditional firewall deployment mode.

This mode does not support VPNs, QoS, or DHCP Relay.

In this mode, the ASA is invisible to an attacker.

8.

1 point

What is needed to allow specific traffic that is sourced on the outside network of an ASA firewall to reach an internal network?

NAT

ACL

outside security zone level 0

dynamic routing protocols

9.

1 point

What is the purpose of the webtype ACLs in an ASA?

to inspect outbound traffic headed towards certain web sites

to filter traffic for clientless SSL VPN users

to restrict traffic that is destined to an ASDM

to monitor return traffic that is in response to web server requests that are initiated from the inside interface

10.

1 point

What must be configured on a Cisco ASA device to support local authentication?

RSA keys

SSHv2

AAA

the IP address of the RADIUS or TACACS+ server

encrypted passwords

11.

1 point

Refer to the exhibit. A network administrator is configuring an object group on an ASA device. Which configuration keyword should be used after the object group name SERVICE1?

udp

tcp

icmp

ip

12.

1 point

Refer to the exhibit. According to the command output, which three statements are true about the DHCP options entered on the ASA 5505? (Choose three.)

The dhcpd enable inside command was issued to enable the DHCP client.

The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server.

The dhcpd auto-config outside command was issued to enable the DHCP server.

The dhcpd enable inside command was issued to enable the DHCP server.

The dhcpd auto-config outside command was issued to enable the DHCP client.

The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP client.

13.

1 point

Refer to the exhibit. Two types of VLAN interfaces were configured on an ASA 5505 with a Base license. The administrator wants to configure a third VLAN interface with limited functionality. Which action should be taken by the administrator to configure the third interface?

The administrator needs to acquire the Security Plus license, because the Base license does not support the proposed action.

Because the ASA 5505 does not support the configuration of a third interface, the administrator cannot configure the third VLAN.

The administrator must enter the no forward interface vlan command before the nameif command on the third interface.

The administrator configures the third VLAN interface the same way the other two were configured, because the Base license supports the proposed action.

14.

1 point

What are two factory default configurations on an ASA 5505? (Choose two.)

DHCP service is enabled for internal hosts to obtain an IP address and a default gateway from the upstream device.

The internal web server is disabled.

PAT is configured to allow internal hosts to access remote networks through an Ethernet interface.

VLAN 2 is configured with the name inside.

VLAN 1 is assigned a security level of 100.

15.

1 point

What is a characteristic of ASA security levels?

Each operational interface must have a name and be assigned a security level from 0 to 200.

An ACL needs to be configured to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level.

The lower the security level on an interface, the more trusted the interface.

Inbound traffic is identified as the traffic moving from an interface with a higher security level to an interface with a lower security level.

16.

1 point

What command defines a DHCP pool that uses the maximum number of DHCP client addresses available on an ASA 5505 that is using the Base license?

CCNAS-ASA(config)# dhcpd address 192.168.1.25-192.168.1.56 inside

CCNAS-ASA(config)# dhcpd address 192.168.1.10-192.168.1.100 inside

CCNAS-ASA(config)# dhcpd address 192.168.1.20-192.168.1.50 inside

CCNAS-ASA(config)# dhcpd address 192.168.1.30-192.168.1.79 inside

17.

1 point

Which statement describes a difference between the Cisco ASA IOS CLI feature and the router IOS CLI feature?

ASA uses the ? command whereas a router uses the help command to receive help on a brief description and the syntax of a command.

To complete a partially typed command, ASA uses the Ctrl+Tab key combination whereas a router uses the Tab key.

To indicate the CLI EXEC mode, ASA uses the % symbol whereas a router uses the # symbol.

To use a show command in a general configuration mode, ASA can use the command directly whereas a router will need to enter the do command before issuing the show command.

18.

1 point

Which type of NAT would be used on an ASA where 10.0.1.0/24 inside addresses are to be translated only if traffic from these addresses is destined for the 198.133.219.0/24 network?

dynamic NAT

policy NAT

static NAT

dynamic PAT

19.

1 point

Refer to the exhibit. A network administrator has configured NAT on an ASA device. What type of NAT is used?

outside NAT

bidirectional NAT

static NAT

inside NAT

20.

1 point

Refer to the exhibit. A network administrator is configuring the security level for the ASA. Which statement describes the default result if the administrator tries to assign the Inside interface with the same security level as the DMZ interface?

The ASA console will display an error message.

The ASA allows inbound traffic initiated on the Internet to the DMZ, but not to the Inside interface.

The ASA allows traffic from the Inside to the DMZ, but blocks traffic initiated on the DMZ to the Inside interface.

The ASA will not allow traffic in either direction between the Inside interface and the DMZ.

21.

1 point

Which two statements are true about ASA standard ACLs? (Choose two.)

They identify only the destination IP address.

They are typically only used for OSPF routes.

They are applied to interfaces to control traffic.

They specify both the source and destination MAC address.

They are the most common type of ACL.

22.

1 point

Refer to the exhibit. A network administrator is configuring the security level for the ASA. What is a best practice for assigning the security level on the three interfaces?

Outside 100, Inside 10, DMZ 40

Outside 40, Inside 100, DMZ 0

Outside 0, Inside 35, DMZ 90

Outside 0, Inside 100, DMZ 50

23.

1 point

Refer to the exhibit. What will be displayed in the output of the show running-config objectcommand after the exhibited configuration commands are entered on an ASA 5505?

range 192.168.1.10 192.168.1.20

host 192.168.1.4

host 192.168.1.3 and host 192.168.1.4

host 192.168.1.4 and range 192.168.1.10 192.168.1.20

host 192.168.1.3, host 192.168.1.4, and range 192.168.1.10 192.168.1.20

host 192.168.1.3

24.

1 point

Which statement describes a feature of AAA in an ASA device?

Authorization is enabled by default.

Accounting can be used alone.

If authorization is disabled, all authenticated users will have a very limited access to the commands.

Both authorization and accounting require a user to be authenticated first.

25.

1 point

Refer to the exhibit. An administrator creates three zones (A, B, and C) in an ASA that filters traffic. Traffic originating from Zone A going to Zone C is denied, and traffic originating from Zone B going to Zone C is denied. What is a possible scenario for Zones A, B, and C?

A – Outside, B – Inside, C – DMZ

A – DMZ, B – Inside, C – Outside

A – DMZ, B – Outside, C – Inside

A – Inside, B – DMZ, C – Outside

26.

1 point

Refer to the exhibit. Based on the security levels of the interfaces on ASA1, what traffic will be allowed on the interfaces?

Traffic from the Internet can access both the DMZ and the LAN.

Traffic from the Internet and DMZ can access the LAN.

Traffic from the Internet and LAN can access the DMZ.

Traffic from the LAN and DMZ can access the Internet.