
Cisco CCNA Security, chapter 4 Exam.

Questions and answers 95.8% correct.


1. Which statement accurately describes Cisco IOS zone-based policy firewall operation?
The pass action works in only one direction.
A router interface can belong to multiple zones.
Service policies are applied in interface configuration mode.
Router management interfaces must be manually assigned to the self zone.

2. Which location is recommended for extended numbered or extended named ACLs?


a location as close to the destination of traffic as possible
a location as close to the source of traffic as possible
a location centered between traffic destinations and sources to filter as much
traffic as possible
if using the established keyword, a location close to the destination to ensure that
return traffic is allowed

3. When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?
a global service policy
an interface
a zone
a zone pair

4. Refer to the exhibit. Based on the SDM screen shown, which statement describes the zone-based firewall component being configured?
a class map that inspects all traffic that uses the HTTP, IM, P2P, and email
protocols
a class map that prioritizes traffic that uses HTTP first, followed by SMTP, and
then DNS
a class map that denies all traffic that uses the HTTP, SMTP, and DNS protocols
a class map that inspects all traffic that uses the HTTP, SMTP, and DNS
protocols
a class map that inspects all traffic, except traffic that uses the HTTP, SMTP, and DNS protocols

5. Refer to the exhibit. Based on the SDM screen shown, which two statements describe the effect this zone-based policy firewall has on traffic? (Choose two.)
HTTP traffic from the in-zone to the out-zone is inspected.
Unmatched traffic to the router from the out-zone is permitted.
ICMP replies from the router to the out-zone are denied.
Traffic from the in-zone to the out-zone is denied if the source address is in the 127.0.0.0/8 range.
Traffic from the in-zone to the out-zone is denied if the destination address is in the 10.1.1.0/29 range.

6. Which type of packet is unable to be filtered by an outbound ACL?


ICMP packet
broadcast packet
multicast packet
router-generated packet

7. Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
The packet is forwarded, and an alert is generated.
The packet is forwarded, and no alert is generated.
The initial packet is dropped, but subsequent packets are forwarded.
The packet is dropped.

8. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?
self zone
system zone
local zone
inside zone
outside zone

9. Which statement correctly describes a type of filtering firewall?


A transparent firewall is typically implemented on a PC or server with firewall
software running on it.
A packet-filtering firewall expands the number of IP addresses available and hides network addressing design.
An application gateway firewall (proxy firewall) is typically implemented on a router to filter Layer 3 and Layer 4 information.
A stateful firewall monitors the state of connections, whether the connection is in
an initiation, data transfer, or termination state.

10. In addition to the criteria used by extended ACLs, what conditions are used by
CBAC to filter traffic?
TCP/IP protocol numbers
IP source and destination addresses
application layer protocol session information
TCP/UDP source and destination port numbers

11. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?
Both stateful and packet-filtering firewalls can filter at the application layer.
A stateful firewall can filter application layer information, while a packet-filtering firewall cannot filter beyond the network layer.
A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer.
A packet-filtering firewall uses session layer information to track the state of a connection, while a stateful firewall uses application layer information to track the state of a connection.

12. Refer to the exhibit. What is represented by the area marked as “A”?
DMZ
internal network
perimeter security boundary
trusted network
untrusted network

13. Which three actions can a Cisco IOS zone-based policy firewall take if configured with Cisco SDM? (Choose three.)
inspect
evaluate
drop
analyze
pass
forward

14. A router has CBAC configured and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
A dynamic ACL entry is added to the external interface in the inbound direction.
The internal interface ACL is reconfigured to allow the host IP address access to the Internet.
The entry remains in the state table after the session is terminated so that it can be reused by the host.
When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.

15. For a stateful firewall, which information is stored in the stateful session flow table?
TCP control header and trailer information associated with a particular session
TCP SYN packets and the associated return ACK packets
inside private IP address and the translated inside global IP address
outbound and inbound access rules (ACL entries)
source and destination IP addresses, and port numbers and sequencing
information associated with a particular session

16. Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
SSH connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
Telnet connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.

17. When configuring a Cisco IOS zone-based policy firewall, which three actions can be applied to a traffic class? (Choose three.)
drop
inspect
pass
reroute
queue
shape

18. Refer to the exhibit. In a two-interface CBAC implementation, where should ACLs be applied?
inside interface
outside interface
inside and outside interfaces
no interfaces

19. Which two parameters are tracked by CBAC for TCP traffic but not for UDP
traffic? (Choose two.)
source port
protocol ID
sequence number
destination port
SYN and ACK flags

20. What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI?
Create zones.
Define traffic classes.
Define firewall policies.
Assign policy maps to zone pairs.
Assign router interfaces to zones.

21. Which two are characteristics of ACLs? (Choose two.)
Extended ACLs can filter on destination TCP and UDP ports.
Extended ACLs can filter on source and destination IP addresses.
Standard ACLs can filter on source and destination IP addresses.
Standard ACLs can filter on source and destination TCP and UDP ports.

22. Which type of packets exiting the network of an organization should be blocked by
an ACL?
packets that are not encrypted
packets that are not translated with NAT
packets with source IP addresses outside of the organization's network address
space
packets with destination IP addresses outside of the organization's network address space

23. When logging is enabled for an ACL entry, how does the router switch packets
filtered by the ACL?
topology-based switching
autonomous switching
process switching
optimum switching
