
New Questions

1. Prime Infrastructure admin discovers the network and wants to use Web Services Management
Agent for configuring devices. Which protocol allows use of WSMA?
A. Telnet
B. SSHv2
C. SNMPv2
D. SNMPv3
• Prime Infrastructure mainly uses the CLI method (over Telnet or SSHv2) to configure the devices.
You can use WSMA (over SSHv2) for configuring specific features on the ASR and ISR devices. Cisco
Web Services Management Agent is a more efficient and more robust method to configure the devices.
Prime Infrastructure supports Zone Based Firewall and Application Visibility configuration via
WSMA on the ASR and ISR devices.

2. Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name
command?
A. TCP intercept
B. botnet traffic filter
C. scanning threat detection
D. uRPF
E. IPS (IP audit)
• There is only strict uRPF in ASA (source network must be routable via input interface).
• There is no default option in ASA implementation.

3. Which credentials are used by Prime Infrastructure to access the devices via web?
A. SSH
B. Telnet
C. Serial console
D. RADIUS
E. 802.1X
Choose one of the following options from the Action drop-down list at the top right of the device 360°
view.
• Alarm Browser - Launches the Alarm Browser. See Monitoring Alarms for more information.
• Device Details - Displays device details.
• Support Community - Launches the Cisco Support Community. See Launching the Cisco
Support Community.
• Support Request - Allows you to open a support case. See Opening a Support Case for more
information.
• Ping - Allows you to ping the device.
• Traceroute - Allows you to perform a traceroute on the device.
• Connect to Device - Allows you to connect to the device using Telnet, SSH, HTTP, and HTTPS
protocols.

4. Which protocol is used by Prime Infrastructure to discover the devices via web?
A. ARP
B. OSPF
C. SNMP
D. BGP
E. NetFlow
• Devices must be configured with Cisco Discovery Protocol/LLDP, or SNMP (V1, V2, V3). Advanced
protocols OSPF and BGP can also be used.
• For successfully managing a device using Cisco Prime Infrastructure, it is crucial that all the
essential protocols be defined in the device credential for a given device. The following matrix shows
what protocols are needed for various wired and wireless device types.
Device Family                                   SNMP RW   Telnet/SSH   HTTP
Wireless controllers                               ✓
Wireless controllers (Cisco IOS® XE Software)      ✓          ✓
Access points                                      ✓          ✓
Routers/switches                                   ✓          ✓
Medianet-capable routers and switches              ✓          ✓          ✓
Network Analysis Module                            ✓          ✓          ✓
Third-party devices                                ✓

Exam Page 1

5. Where do you apply security policies on the Nexus 1000V for a group of VMs instead of applying them
directly on an interface?
A. port group
B. port profile
C. security group
D. security profile
• Security policies can be applied to port profile in ASDM or VNMC. Port profiles represent port
groups that are configured in Nexus 1000V environment.

6. Which policies are mandatory to support IPsec VPN in a CSM environment?
A. IKE Proposal
B. Group encryption
C. IPSec Proposal
D. GRE modes
E. Server load balance
• Internet Key Exchange (IKE) is a key management protocol that is used to authenticate IPsec peers,
negotiate and distribute IPsec encryption keys, and to automatically establish IPsec security
associations (SAs).
• The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two
IKE peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation,
IKE establishes SAs for other applications, such as IPsec. Both phases use proposals when they
negotiate a connection.
• An IKE proposal is a set of algorithms that two peers use to secure the IKE negotiation between them.
IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states
which security parameters will be used to protect subsequent IKE negotiations. For IKE version 1
(IKEv1), IKE proposals contain a single set of algorithms and a modulus group. You can create
multiple, prioritized policies at each peer to ensure that at least one policy matches a remote peer’s
policy. Unlike IKEv1, in an IKEv2 proposal, you can select multiple algorithms and modulus groups
from which peers can choose during the Phase 1 negotiation, potentially making it possible to create
a single IKE proposal (although you might want different proposals to give higher priority to your
most desired options). You can define several IKE proposals per VPN.
• An IPsec proposal is used in Phase 2 of an IKE negotiation. The specific content of the proposal
varies according to topology type (site-to-site or remote access) and device type, although the
proposals are broadly similar and contain many of the same elements, such as IPsec transform sets.
7. Which firewall mode keeps high throughput and allows a fast and flexible deployment?
A. single mode, routed context
B. multimode, routed context
C. single mode, transparent context
D. multimode, transparent context
• Transparent mode - fast deployment (it doesn't appear as hop in network).
• Multimode - multiple contexts enable active/active failover - availability is increased because there
can be two active contexts (one ASA can be active for first context while the second ASA can be active
for second context).

8. What is the benefit of centralized ESA management?


A. Protection against flash threats
B. Administration of multiple autonomous systems
C. Easier administration
D. Virtualised e-mail partitions
Feature / Benefit:

Global threat intelligence: Get fast, comprehensive email protection backed by one of the largest threat detection networks in the world. Cisco Email Security provides broad visibility and a large footprint, including:
● 100 terabytes (TB) of security intelligence daily
● 1.6 million deployed security devices including firewalls, Cisco Intrusion Prevention System (IPS) sensors, and web and email appliances
● 150 million endpoints
● 13 billion web requests per day
● 35 percent of the world’s enterprise email traffic
Cisco Talos provides a 24-hour view into global traffic activity. It analyzes anomalies, uncovers new threats, and monitors traffic trends. Cisco Talos helps prevent zero-hour attacks by continually generating new rules that feed updates to the Cisco ESAs. These updates occur every three to five minutes, providing industry-leading threat defense.

Spam blocking: Spam is a complex problem that demands a sophisticated solution. Cisco makes it easy. To stop spam from reaching your inbox, a multilayered defense combines an outer layer of filtering based on the reputation of the sender and an inner layer of filtering that performs a deep analysis of the message. With reputation filtering, more than 80 percent of spam is blocked before it even hits your network. Recent enhancements include contextual analysis and enhanced automation, as well as autoclassification, to provide a strong defense against snowshoe campaigns. Customers that experience large volumes of email within short periods will be able to apply filters based on the sender or subject, which will block the associated messages or place them in quarantine.

Advanced malware protection: Cisco ESAs now include Advanced Malware Protection (AMP), a malware-defeating solution that takes advantage of the vast cloud security intelligence network of Sourcefire (now a part of Cisco). It delivers protection across the attack continuum: before, during, and after an attack. It also features file reputation scoring and blocking, file sandboxing, and file retrospection for the continuous analysis of threats, even after they have traversed the email gateway. Users can block more attacks, track suspicious files, mitigate the scope of an outbreak, and remediate quickly. AMP is available to all Cisco ESA customers as an additionally licensed feature.

Outbound message control: Cisco ESAs control outbound messages through DLP, email encryption, and optional integration with the RSA Enterprise Manager. This control helps ensure that your most important messages comply with industry standards and are protected in transit. Additionally, outbound antispam and antivirus scanning, along with outbound rate limiting, can be used to keep compromised machines or accounts from getting your company on email blacklists. New: The ESA now supports Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption and signing in addition to Transport Layer Security (TLS).

Excellent performance: Cisco ESAs quickly block new inbound email viruses. Domain delivery queues keep undeliverable emails from causing a backup of critical deliveries to other domains.

DLP: You can use one or more predefined policies (there are more than 100 to choose from) to help prevent confidential data from leaving the network. If you prefer, you can use parts of those predefined policies to create your own custom policies. The built-in RSA email DLP engine uses pretuned data structures along with your own optional data points such as words, phrases, dictionaries, and regular expressions to quickly create accurate policies with a minimum of false positives. The DLP engine scores violations by severity, so you can apply different levels of remediation to fit your needs.

Low cost: A small footprint, an easy setup, and the automated management of updates mean savings for the life of your Cisco Email Security solution. Cisco’s solution has one of the lowest TCOs available.

Flexible deployment: All Cisco Email Security solutions share a simple approach to implementation. The system setup wizard can handle even complex environments and will have you up and protected in just minutes, making you safer, fast. Licensing is user based, not device based, so you can apply it per user instead of per device to provide inbound as well as outbound email gateway protection at no additional cost. This capability lets you scan outbound messages with antispam and antivirus engines to fully support your business needs.
The Cisco ESAV offers all the same features as the Cisco ESA, with the added convenience and cost savings of a virtual deployment model. The Cisco ESAV offers instant self-service provisioning. With a Cisco ESAV license, you can deploy email security virtual gateways in your network without Internet connections. The Cisco ESAV license has purchased software licenses embedded on it. You can apply licenses at any time to a new Cisco ESAV virtual image file stored locally. Pristine virtual image files can be cloned if needed, giving you the ability to deploy several email security gateways immediately.
You can run hardware and virtual Cisco Email Security solutions in the same deployment. So your small branch offices or remote locations can have the same protection you get at headquarters without the need to install and support hardware at that location. You can easily manage custom deployments with the Cisco Content Security Management Appliance (SMA) or Cisco Content Security Management Virtual Appliance (SMAV).

Solutions that fit your business: The cloud-based solution is a comprehensive and highly reliable service with software, computing power, and support. The co-managed user interface is identical to that of the Cisco ESA and ESAV. You therefore get outstanding protection with little administrative overhead and no onsite hardware to monitor and manage.
The hybrid solution gives you advanced outbound control of sensitive messages onsite while helping you take advantage of the cost-effective convenience of the cloud.
On-premises hardware and virtual appliances come ready to plug in. You can choose the model that works best for your environment to protect inbound and outbound messages at your gateway.

9. What security model enables both authentication and encryption in SNMPv3?


A. encr
B. auth
C. priv
D. encapsulation
E. tunnel

10. What is needed for the successful synchronization between NTP servers with enabled
authentication?
A. NTP Trusted Key
B. TLS certification (NTP certificates)
C. Stratum hash
D. Something else
• You can configure the Cisco CG-OS router to authenticate the time sources to which the local
clock synchronizes. When you enable NTP authentication, the Cisco CG-OS router
synchronizes to a time source only if the source carries one of the authentication keys specified
by the ntp trusted-key command. The Cisco CG-OS router drops any packets that fail the
authentication check and prevents them from updating the local clock.

11. A hacker is intercepting CDP packets in the network. Which information can he get from captured CDP
packets?
A. Hardware Platform
B. Device ID
C. Name of security context
D. Routing protocol autonomous system number
E. VTP Domain
F. Interface statistics
• Some of the key information: Cisco IOS version running on Cisco devices, Hardware platform of devices,
IP addresses of interfaces on devices, Locally connected devices advertising Cisco Discovery
Protocol, Interfaces active on Cisco devices including encapsulation type, Hostname, Duplex setting,
VLAN Trunking Protocol (VTP) domain, Native VLAN

12. How many servers does Prime Infrastructure High Availability support?


A. 2
B. 4
C. 6
D. 8
• The Cisco Prime Infrastructure High Availability (HA) implementation allows one primary Cisco
Prime Infrastructure server to failover to one secondary (backup) Cisco Prime Infrastructure server.
A second server is required that has sufficient resources (CPU, hard drive, network connection) in
order to take over Cisco Prime Infrastructure operation in the event that the primary Cisco Prime
Infrastructure system fails. In Cisco Prime Infrastructure, the only HA configuration supported is
1:1 - 1 primary system, 1 secondary system.

13. You are going to add ASA to CSM (Cisco Security Manager). Which port on ASA must be
reachable for CSM to succeed?
A. 21
B. 22
C. 80
D. 443
• Security Manager can use these transport protocols:
• SSL (HTTPS)—Secure Socket Layer, which is an HTTPS connection, is the only transport
protocol used with PIX Firewalls, Adaptive Security Appliances (ASA), and Firewall Services
Modules (FWSM). It is also the default protocol for IPS devices and for routers running Cisco
IOS Software release 12.3 or higher.
If you use SSL as the transport protocol on Cisco IOS routers, you must also configure SSH on
the routers. Security Manager uses SSH connections to handle interactive command
deployments during SSL deployments.
Cisco Security Manager was using OpenSSL for the Transport Layer Security (TLS) and Secure
Sockets Layer (SSL) protocols. Beginning with version 4.13, Cisco Security Manager replaced
OpenSSL version 1.0.2 with Cisco SSL version 6.x. Cisco SSL enables FIPS compliance over
full FIPS Validation which results in fast and cost-effective connectivity. The Common Criteria
mode in Cisco SSL allows easier compliance. Cisco SSL is feature-forward when compared to
OpenSSL. The Product Security Baseline (PSB) requirements for Cisco SSL ensure that important
security aspects such as credential and key management, cryptography standards, antispoofing
capabilities, integrity and tamper protection, and session, data, and stream management and
administration are taken care of.
• SSH—Secure Shell is the default transport protocol for Catalyst switches and Catalyst
6500/7600 devices. You can also use it with Cisco IOS routers.
• Telnet—Telnet is the default protocol for routers running Cisco IOS software releases 12.1 and
12.2. You can also use it with Catalyst switches, Catalyst 6500/7600 devices, and routers
running Cisco IOS Software release 12.3 and higher. See the Cisco IOS software
documentation for configuring Telnet.
• HTTP—You can use HTTP instead of HTTPS (SSL) with IPS devices. HTTP is not the default
protocol for any device type.
• TMS—Token Management Server is treated like a transport protocol in Security Manager, but
it is not a real transport protocol. Instead, by configuring TMS as the transport protocol of a
router, you are telling Security Manager to deploy configurations to a TMS. From the TMS, you
can download the configuration to an eToken, plug the eToken into the router’s USB bus, and
update the configuration. TMS is available only for certain routers running Cisco IOS Software
12.3 or higher.
• Security Manager can also use indirect methods to deploy configurations to devices, staging the
configuration on a server that manages the deployment to the devices. These indirect methods also
allow you to use dynamic IP addresses on your devices. The methods are not treated as transport
protocols, but as adjuncts to the transport protocol for the device. You can use these indirect
methods:
• AUS (Auto Update Server)—When you add a device to Security Manager, you can select the
AUS server that is managing it. You can use AUS with PIX Firewalls and ASA devices.
• Configuration Engine—When you add a router to Security Manager, you can select the
Configuration Engine that is managing it.

14. In which cases will DHCP snooping drop DHCP packets?


• The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY
packet) from a DHCP server outside the network or firewall.
• The switch receives a DHCP packet on an untrusted interface, and the source MAC address and the
DHCP client hardware address do not match. This check is performed only if the DHCP snooping
MAC address verification option is turned on (by default, it is turned on).
• The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0 (DHCP
relay snooping is enabled by default).
• The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an
entry in the DHCP snooping binding table, and the interface information in the binding table does not
match the interface on which the message was received.
• The switch receives a DHCP packet with Option 82 on an untrusted interface (ip dhcp snooping
information option allow-untrusted is not configured).
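The five drop cases above, modelled as an added example (not from the page or from Cisco) over constructed DHCP messages: the packet fields, the configuration knobs and the sample packets are assumptions chosen to mirror the bullet list one-to-one.

```python
"""DHCP snooping drop decisions for the five cases listed above.

Added example, not Cisco code: the packet fields, the configuration knobs and
the sample messages below are constructed to mirror the bullet list.
"""
from dataclasses import dataclass, field
from typing import Optional

# Messages only a DHCP server sends; legitimate servers sit behind trusted ports.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class DhcpPacket:
    msg_type: str               # e.g. "DHCPDISCOVER", "DHCPOFFER"
    in_interface: str           # switch port the frame arrived on
    src_mac: str                # Ethernet source MAC address
    chaddr: str                 # DHCP "client hardware address" field
    giaddr: str = "0.0.0.0"     # relay agent IP address (non-zero = relayed)
    has_option82: bool = False  # relay agent information option present


@dataclass
class SnoopingConfig:
    trusted_ports: set = field(default_factory=set)
    mac_verification: bool = True           # on by default
    relay_snooping: bool = True             # on by default
    allow_untrusted_option82: bool = False  # "ip dhcp snooping information option allow-untrusted"
    bindings: dict = field(default_factory=dict)  # client MAC -> interface the lease was learned on


def snooping_verdict(pkt: DhcpPacket, cfg: SnoopingConfig) -> Optional[str]:
    """Return the drop reason, or None when the packet is forwarded.

    All five checks apply to untrusted ports only; a trusted port forwards everything.
    """
    if pkt.in_interface in cfg.trusted_ports:
        return None
    mac = pkt.chaddr.lower()
    # Case 1: a server-only message arriving where no server should be
    if pkt.msg_type in SERVER_MSGS:
        return "server message on untrusted port"
    # Case 2: frame source MAC and DHCP chaddr disagree (MAC verification on)
    if cfg.mac_verification and pkt.src_mac.lower() != mac:
        return "source MAC / chaddr mismatch"
    # Case 3: an untrusted host claims to be a relay agent
    if cfg.relay_snooping and pkt.giaddr != "0.0.0.0":
        return "non-zero relay agent address on untrusted port"
    # Case 4: RELEASE/DECLINE for a lease that was learned on another port
    if pkt.msg_type in {"DHCPRELEASE", "DHCPDECLINE"}:
        bound_if = cfg.bindings.get(mac)
        if bound_if is not None and bound_if != pkt.in_interface:
            return "release/decline from a different interface than the binding"
    # Case 5: Option 82 inserted by an untrusted host
    if pkt.has_option82 and not cfg.allow_untrusted_option82:
        return "option 82 on untrusted port"
    return None


def run_samples() -> dict:
    """Evaluate one constructed packet per drop case plus two that must be forwarded."""
    cfg = SnoopingConfig(
        trusted_ports={"Gi0/1"},                  # uplink towards the real DHCP server
        bindings={"00:11:22:33:44:55": "Gi0/3"},  # lease previously learned on Gi0/3
    )
    client = "00:11:22:33:44:55"
    samples = {
        "rogue_offer": DhcpPacket("DHCPOFFER", "Gi0/2", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:01"),
        "spoofed_chaddr": DhcpPacket("DHCPDISCOVER", "Gi0/2", "aa:bb:cc:dd:ee:02", "de:ad:be:ef:00:01"),
        "fake_relay": DhcpPacket("DHCPREQUEST", "Gi0/2", client, client, giaddr="10.10.1.1"),
        "release_wrong_port": DhcpPacket("DHCPRELEASE", "Gi0/2", client, client),
        "untrusted_opt82": DhcpPacket("DHCPDISCOVER", "Gi0/2", client, client, has_option82=True),
        "real_offer": DhcpPacket("DHCPOFFER", "Gi0/1", "00:aa:00:bb:00:cc", "aa:bb:cc:dd:ee:01"),
        "normal_discover": DhcpPacket("DHCPDISCOVER", "Gi0/4", client, client),
    }
    return {name: snooping_verdict(pkt, cfg) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} -> {verdict or 'forward'}")
```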

15. Which command enables uRPF on router’s interface?


A. ip protection source
B. ip source guard enable
C. ip reverse-path verify reachable-via any
D. ip verify unicast source reachable-via interface_name
E. ip verify reverse-path interface interface_name

16. Which command enables uRPF on ASA interface?


A. ip protection source
B. ip source guard enable
C. ip reverse-path verify reachable-via any
D. ip verify unicast source reachable-via interface_name
E. ip verify reverse-path interface interface_name

17. When adding devices to Cisco Prime using discovery, which protocol must be used when RTDM is processed?
A. OSPF
B. BGP
C. LLDP
D. ARP
• The ARP Discovery Module depends on the Routing Table Discovery Module (RTDM), and is
executed only when RTDM is processed. This precondition is identified based on the flags processed
by the ARP Discovery Module, which are part of the DeviceObject.
• The entries coming out of the ARP Discovery Module do not need to pass through RTDM because
(per the router Discovery algorithm) active routers are those that RTDM must process and identify.
• When the ARP table is fetched and the entries are not already discovered by RTDM, these entries
(though they may represent routers) are not active routers and need not be passed on to RTDM. This
is ensured by setting the ARP Discovery Module flag to Processed and leaving the RTDM flag set to
Unprocessed.

18. Which two types of addresses can be blocked with BTF on the ASA?
A. instant messaging
B. ads
C. P2P
D. spyware
E. Games
Botnets are a collection of malicious software or “bots” covertly installed on endpoints and
controlled by another entity through a communications channel such as IRC, peer-to-peer (P2P), or
HTTP. The dynamic database includes the following types of addresses:
• Ads - These are advertising networks that deliver banner ads, interstitials, rich media ads, pop-
ups, and pop-unders for websites, spyware and adware. Some of these networks send ad-
oriented HTML emails and email verification services.
• Data Tracking - These are sources associated with companies and websites that offer data
tracking and metrics services to websites and other online entities. Some of these also run small
advertising networks.
• Spyware - These are sources that distribute spyware, adware, greyware, and other potentially
unwanted advertising software. Some of these also run exploits to install such software.
• Malware - These are sources that use various exploits to deliver adware, spyware and other
malware to victim computers. Some of these are associated with rogue online vendors and
distributors of dialers which deceptively call premium-rate phone numbers.
• Adult - These are sources associated with adult networks/services offering web hosting for adult
content, advertising, content aggregation, registration & billing, and age verification. These
may be tied to distribution of adware, spyware, and dialers.
• Bot and Threat Networks - These are rogue systems that control infected computers. They are
either systems hosted on threat networks or systems that are part of the botnet itself.

19. Which feature do you enable to restrict the interface on which management traffic can be received by
the routers on your network?
A. MPP
B. CPP with a port xxx
C. AAA
D. extended ACL on all int
• control-plane host
management-interface G0/0 allow ssh https snmp

20. Where are database files for BTF stored on the ASA?
A. Flash
B. NVRAM
C. running memory
D. ASA-CX module memory
• dynamic database that is downloaded from SIO and DNS host cache

21. SSHv2 is not explicitly allowed on the router by the command “ip ssh version 2”. Which statement is
true?
A. only SSHv1 is allowed
B. only SSHv2 is allowed
C. both SSHv1 and SSHv2 are allowed
D. SSH version must be explicitly specified

22. What configuration can affect snmp-server ID modification?


A. Earlier snmp configuration
B. Earlier snmp group
C. Earlier snmp user
D. SNMP is disabled
E. SNMP is set to version 3
• To configure a remote user, specify the IP address or port number for the remote SNMP agent of the
device where the user resides. Also, before you configure remote users for a particular agent,
configure the SNMP engine ID, using the command snmp-server engineID with the remote option.
The remote agent's SNMP engine ID is needed when computing the authentication/privacy digests
from the password. If the remote engine ID is not configured first, the configuration command will
fail.

23. A custom application negotiates a second data channel over its first communication channel for data
transfer. What allows the traffic of the second, negotiated data channel?
A. packet reflection feature
B. packet inspection feature
C. host table
D. communication table

24. What is the default threat level in botnet traffic filtering?


A. between Low and Moderate
B. between Very Low and Low
C. between High and Very High
D. between Moderate and Very High

25. Which activity is performed by the switch when DAI inspection is configured?
A. It drops all ARP responses on untrusted ports
B. It monitors DHCP messages and compares host MAC addresses with addresses in ARP frames
C. It intercepts all ARP requests and response on untrusted ports
D. It drops all traffic except ARP messages

26. You are a network engineer at a company. There are issues with Internet access. Which
capture ACL must be used to capture only return web traffic?
A. access-list CAPT-ACL line 1 permit tcp any eq 80 10.10.1.0 255.255.255.0
B. access-list CAPT-ACL line 1 permit tcp any 10.10.1.0 255.255.255.0 eq 80
C. access-list CAPT-ACL line 1 permit tcp any 10.10.1.0 255.255.255.0 eq 80
D. capture access-list CAPT-ACL line 1 permit tcp any eq 80 10.10.1.0 255.255.255
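As an added example (not from the page), a small matcher for the ASA extended-ACE syntax used in these options, run against two constructed flows (an inside client at 10.10.1.20 browsing to 203.0.113.10 port 80, and the server's reply) to check which entry selects only the return direction; the flow addresses and the helper names are assumptions.

```python
"""Matching ASA extended-ACL entries against flows, to see which capture ACL
selects only return web traffic (server port 80 -> inside 10.10.1.0/24).

Added example, not from the page: only the ACE subset that appears in the
answer options is parsed, and the sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_endpoint(tokens, i):
    """Parse 'any' | 'any4' | 'host A.B.C.D' | 'A.B.C.D MASK' followed by an optional 'eq PORT'.

    Returns (network, port_or_None, next_index). any and any4 are treated alike
    here because only IPv4 flows are modelled; on ASA 9.0+ a bare any also matches IPv6.
    """
    tok = tokens[i]
    if tok in ("any", "any4"):
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:
        # ASA ACLs take a subnet mask here, not an IOS-style wildcard mask
        net, i = ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return net, port, i


def parse_ace(line: str):
    """Return (action, proto, (src_net, sport), (dst_net, dport)) for one ACE line."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop 'access-list NAME'
    if tokens[0] == "line":
        tokens = tokens[2:]  # drop 'line N'
    action, proto = tokens[0], tokens[1]
    src_net, sport, i = _parse_endpoint(tokens, 2)
    dst_net, dport, _ = _parse_endpoint(tokens, i)
    return action, proto, (src_net, sport), (dst_net, dport)


def ace_matches(ace, flow: Flow) -> bool:
    """True when the flow falls inside the ACE's source/destination and port constraints."""
    _action, proto, (src_net, sport), (dst_net, dport) = ace
    if proto not in ("ip", flow.proto):
        return False
    return (ipaddress.ip_address(flow.src) in src_net
            and (sport is None or sport == flow.sport)
            and ipaddress.ip_address(flow.dst) in dst_net
            and (dport is None or dport == flow.dport))


# Constructed flows: an inside client's request and the web server's reply.
OUTBOUND = Flow("tcp", "10.10.1.20", 51514, "203.0.113.10", 80)
RETURN = Flow("tcp", "203.0.113.10", 80, "10.10.1.20", 51514)


def captures_only_return_web(ace_line: str) -> bool:
    """True when the ACE selects the reply but not the client's request."""
    ace = parse_ace(ace_line)
    return ace_matches(ace, RETURN) and not ace_matches(ace, OUTBOUND)


if __name__ == "__main__":
    for ace in ("access-list CAPT-ACL line 1 permit tcp any eq 80 10.10.1.0 255.255.255.0",
                "access-list CAPT-ACL line 1 permit tcp any 10.10.1.0 255.255.255.0 eq 80"):
        print(captures_only_return_web(ace), "<-", ace)
```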

27. What AIC features are supported by ZFW in Cisco IOS? (three answers)
A. protocol minimization
B. detection of covert tunneling
C. verification of IPSec tunnels establishment
D. global correlation
E. deep / specific DNS inspection
F. URL filtering
• Application-layer filtering generally provides the following functions:
○ It can prevent malicious protocol-level traffic (malformed protocol units, access to vulnerable
protocol functions, and access to unwanted applications on the server) from being delivered to
the target, thus protecting the target before traffic even reaches it (for example, only permit
required HTTP protocol requests, and allow access only to a specific URL pattern).
○ It can prevent malicious content from being delivered to clients (for example, permit only
specific types of email or web content).
○ It can restrict or prevent covert tunneling channels.
○ Very importantly, it can act as an independent, strong layer of defense to build a defense-in-depth
solution. Network-based application-layer filtering is fully independent from the endpoint
defences, and works well even if the endpoint is vulnerable or misconfigured.
○ The Zone-Based Policy Firewall provides a mechanism to allow, block, or simply log web
(HTTP URL) requests going through the router. The filtering is based on categories.
• You can implement application-layer controls on an AIC-capable firewall using the following four
main approaches, which are often combined to achieve the desired filtering goals:
○ Protocol minimization: The AIC-capable firewall allows only a minimal required set of
protocol features through to the endpoint.
○ Payload minimization: The AIC-capable firewall allows only a minimal required set of
application layer payloads (application data) through to the endpoint.
○ Application-layer signatures: The AIC-capable firewall drops specific bad content (described
by patterns known as signatures) inside application-layer protocols and payloads.
○ Protocol verification: The AIC-capable firewall drops application-layer sessions that contain
malformed (nonstandard) application-layer protocol units.
BranchR(config)#class-map type inspect ?
WORD class-map name
aol Configure Firewall class-map for IM-AOL protocol
h323 Configure Firewall class-map for H323 protocol
http Configure Firewall class-map for HTTP protocol
icq Configure Firewall class-map for IM-ICQ protocol
imap Configure Firewall class-map for IMAP protocol
match-all Logical-AND all matching statements under this classmap
match-any Logical-OR all matching statements under this classmap
msnmsgr Configure Firewall class-map for IM-MSN protocol
pop3 Configure Firewall class-map for POP3 protocol
sip Configure Firewall class-map for SIP protocol
smtp Configure Firewall class-map for SMTP protocol
sunrpc Configure Firewall class-map for RPC protocol
winmsgr Configure Firewall class-map for IM-WINMSGR protocol
ymsgr Configure Firewall class-map for IM-YAHOO protocol
BranchR(config)#class-map type ?
control Configure a control policy class-map
inspect Configure Firewall Class Map
logging Class map for control-plane packet logging
multicast-flows multicast class-maps
port-filter Class map for port filter
queue-threshold Class map for queue threshold
urlfilter Config Class map for local URL filtering
waas Configure a WAAS Class Map
BranchR(config)#parameter-map type ?
consent Parameter type consent
cws Cloud Web Security
inspect inspect parameter-map
ooo TCP out-of-order parameter-map for FW and IPS
protocol-info protocol-info parameter-map
regex regex parameter-map
urlf-glob URLF glob parameter-map
urlfpolicy Parameter maps for urlfilter policy
waas WAAS Parameter Map

28. Choose two correct statements about private-vlan.


A. Interface that is assigned to primary-vlan ID (access mode) can communicate with interface
with secondary vlan ID that belongs to same primary-vlan (same switch)
B. Interface that is assigned to community vlan can communicate with interface in the same
secondary vlan but it is also configured as protected (same switch)
C. You have to configure dhcp snooping for both primary and secondary VLANs
D. You have to configure DAI only for primary vlan
E. You cannot combine private-vlan feature with protected ports
• You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the primary
VLAN, it is propagated to the secondary VLANs. If you configure DHCP snooping on a secondary
VLAN, the configuration does not take effect if the primary VLAN is already configured. The same
statement is true about DAI.
• A private-VLAN port cannot be a secure port and should not be configured as a protected port.

29. Refer to the exhibit:


access-list 20 permit ip any host 192.168.1.5
capture CAPT-X type asp-drop acl-drop access-list 20
The capture does not get applied and we get an error about mixed policy. Choose two reasons why
this is the case.
A. Ipv6 is enabled on the firewall
B. The any key in the access-list should be stated as IPv4 (kind of like any4)
C. Syntax of access-list command is wrong.
D. Syntax of capture command is wrong.
• Captures on versions after 9.0(1) do not support the use of any in the ACL, because any matches both
IPv4 and IPv6 at the same time, and that is not supported yet.

30. What is the correct statement about Cisco ASA operation mode?
A. ASA in routed mode will not be seen as new hop from the network
B. ASA operated on transparent mode will be seen as new hop from the network
C. The running configuration in ASA will be removed if operating mode is changed
D. Transparent mode doesn't support failover

31. What does BTF do when it receives a DNS reply from a domain?
A. It checks the domain against its BTF database
B. It queries a BTF server
C. It drops DNS reply
D. It verifies DNS reply using its own DNS server

32. With which commands can you configure a unified access list on the ASA CLI (choose two)?
A. access-list
B. ipv6 access-list
C. ipv6 access-list website
D. object-group network
E. object network
• ACLs now support IPv4 and IPv6 addresses. You can even specify a mix of IPv4 and IPv6 addresses
for the source and destination. The any keyword was changed to represent IPv4 and IPv6 traffic. The
any4 and any6 keywords were added to represent IPv4-only and IPv6-only traffic, respectively. The
IPv6-specific ACLs are deprecated. Existing IPv6 ACLs are migrated to extended ACLs. See the release
notes for more information about migration.
• We modified the following commands: access-list extended , access-list webtype.
• We removed the following commands: ipv6 access-list, ipv6 access-list webtype, ipv6-vpn-filter.
• Network object groups can contain multiple network objects as well as inline networks. Network
object groups can support a mix of both IPv4 and IPv6 addresses.
• You cannot use a mixed IPv4 and IPv6 object group for NAT, or object groups that include FQDN
objects.

33. Choose correct statements about mixed ACLs and object groups (choose 2).
A. You can mix IPv4 and IPv6 addresses in the same ACE
B. You can mix IPv4 and IPv6 entries in a network object group, but you cannot use a mixed
object group for NAT
C. You cannot mix IPv4 and IPv6 addresses in the same ACL.
D. You cannot mix IPv4 and IPv6 addresses in the same ACE but you can mix IPv4 and IPv6
addresses in different ACEs of common ACL.

34. There is an exhibit on screen about NAT policies in ASDM. The first Manual NAT entries
were something like the following lines in CLI:
nat (inside,outside) source static ENGINEERING-DEPT ENGINEERING-DEPT destination static
SALE-DEPT SALE-DEPT
nat (outside,inside) source static SALE-DEPT SALE-DEPT destination static ENGINEERING-DEPT
ENGINEERING-DEPT
...
What is the correct statement about the configuration of the NAT policies (relation with VPN
traffic between two depts) ?
A. It allows any traffic originated from Sale dept to access Engineering Dept with performing
NAT.
B. It allows any traffic originated from Engineering dept to access Sale dept by leaving IP
addresses without NAT translation.
C. Any device from the IP address pool can access Sale dept devices.
D. It allows any traffic originated from Sale dept to access Engineering dept by translation of only
source IP addresses.

35. What feature must be enabled on the Cisco ASA to inspect encrypted voice signaling traffic
between IP phones and the UCM?
A. TLS Proxy
B. Mobility Proxy
C. Presence Federation Proxy
D. SCCP inspection
• TLS Proxy: Decryption and inspection of Cisco Unified Communications encrypted signalling
End-to-end encryption often leaves network security appliances “blind” to media and signalling
traffic, which can compromise access control and threat prevention security functions. This lack of
visibility can result in a lack of interoperability between the firewall functions and the encrypted
voice, leaving businesses unable to satisfy both of their key security requirements.
The ASA is able to intercept and decrypt encrypted signalling from Cisco encrypted endpoints to the
Cisco Unified Communications Manager (Cisco UCM), and apply the required threat protection and
access control. It can also ensure confidentiality by re-encrypting the traffic onto the Cisco UCM
servers.
Typically, the ASA TLS Proxy functionality is deployed in campus unified communications networks.
This solution is ideal for deployments that use end-to-end encryption and firewalls to protect
Unified Communications Manager servers.
Exam Page 9
• Mobility Proxy: Secure connectivity between Cisco Unified Mobility Advantage server and Cisco
Unified Mobile Communicator clients
Cisco Unified Mobility solutions include the Cisco Unified Mobile Communicator (Cisco UMC), an
easy-to-use software application for mobile handsets that extends enterprise communications
applications and services to mobile phones and the Cisco Unified Mobility Advantage (Cisco UMA)
server. The Cisco Unified Mobility solution streamlines the communication experience, enabling
single number reach and integration of mobile endpoints into the Unified Communications
infrastructure.
The security appliance acts as a proxy, terminating and reoriginating the TLS signalling between the
Cisco UMC and Cisco UMA. As part of the proxy security functionality, inspection is enabled for the
Cisco UMA Mobile Multiplexing Protocol (MMP), the protocol between Cisco UMC and Cisco UMA.
• Presence Federation Proxy: Secure connectivity between Cisco Unified Presence servers and
Cisco/Microsoft Presence servers
Cisco Unified Presence solution collects information about the availability and status of users, such
as whether they are using communication devices, such as IP phones at particular times. It also
collects information regarding their communications capabilities, such as whether web collaboration
or video conferencing is enabled. Using user information captured by Cisco Unified Presence,
applications such as Cisco Unified Personal Communicator and Cisco UCM can improve
productivity by helping users connect with colleagues more efficiently through determining the most
effective way for collaborative communication.
Using the ASA as a secure presence federation proxy, businesses can securely connect their Cisco
Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence servers, enabling intra-
enterprise communications. The security appliance terminates the TLS connectivity between the
servers, and can inspect and apply policies for the SIP communications between the servers.
• The following table shows the Cisco Unified Communications applications that utilize the TLS proxy
on the ASA (columns: Application, TLS Client, TLS Server, Client Authentication, Security Appliance
Server Role, Security Appliance Client Role):
○ TLS Proxy: TLS client = IP phone; TLS server = Cisco UCM; client authentication = Yes; security
appliance server role = proxy certificate, self-signed or by internal CA; security appliance client
role = local dynamic certificate signed by the ASA CA.
○ Mobility Proxy: TLS client = Cisco UMC; TLS server = Cisco UMA; client authentication = No;
security appliance server role = using the Cisco UMA private key or certificate impersonation;
security appliance client role = any static configured certificate.
○ Presence Federation Proxy: TLS client = Cisco UP or MS LCS/OCS; TLS server = Cisco UP or MS
LCS/OCS; client authentication = Yes; security appliance server role = proxy certificate, self-signed
or by internal CA; security appliance client role = using the Cisco UP private key or certificate
impersonation.
• The ASA supports TLS proxy for various voice applications. The TLS proxy running on the ASA has
the following key features:
• The ASA forces remote IP phones connecting to the phone proxy through the Internet to be in
secured mode even when the Cisco UCM cluster is in non-secure mode.
• The TLS proxy is implemented on the ASA to intercept the TLS signalling from IP phones.
• The TLS proxy decrypts the packets, sends packets to the inspection engine for NAT rewrite and
protocol conformance, optionally encrypts packets, and sends them to Cisco UCM or sends
them in clear text if the IP phone is configured to be in nonsecure mode on the Cisco UCM.
• The ASA acts as a media terminator as needed and translates between SRTP and RTP media
streams.
• The TLS proxy is a transparent proxy that works by establishing a trusted relationship
between the TLS client, the proxy (the ASA), and the TLS server.
For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS
server is a Cisco UMA server. The ASA is between a Cisco UMA client and a Cisco UMA
server. The mobility proxy (implemented as a TLS proxy) for Cisco Unified Mobility allows the
use of an imported PKCS-12 certificate for server proxy during the handshake with the client.
Cisco UMA clients are not required to present a certificate (no client authentication) during the
handshake.
For the Cisco Unified Presence solution, the ASA acts as a TLS proxy between the Cisco UP
server and the foreign server. This allows the ASA to proxy TLS messages on behalf of the
server that initiates the TLS connection, and route the proxied TLS messages to the client. The
ASA stores certificate trustpoints for the server and the client, and presents these certificates on
establishment of the TLS session.

Drag-and-Drop Questions

1. Syslog Severity Levels

• Severity level 0 - emergencies.

2. Authentication, Authorization, and Accounting (AAA)

3. Configuration of SSH on ASA

• Cisco ASA answer:
domain-name <domain>
crypto key generate rsa modulus <modulus>
ssh version 2
enable password <password>
username <username> password <password>
aaa authentication ssh console LOCAL
ssh <network> <mask> <interface>
• Cisco IOS answer:
domain-name <domain>
crypto key generate rsa modulus <modulus>
ip ssh version 2
enable secret 0 <password>
username <username> secret 0 <password>
aaa new-model
aaa authentication login default local-case enable
line vty 0 4
transport input ssh
login authentication default

4. CSM Rules Inheritance

• Answer:
Step 1 Mandatory rules from parent policy
Step 2 Local rules in child policy
Step 3 Default rules from child policy
Step 4 Default rules from parent policy

Introduction
Shared policies enable you to configure and assign a common policy definition to multiple devices.
Rule inheritance takes this feature one step further by enabling a device to contain the rules defined in
a shared policy in addition to local rules that are specific to that particular device. Using inheritance,
Security Manager can enforce a hierarchy where policies at a lower level (called child policies) inherit
the rules of policies defined above them in the hierarchy (called parent policies).
Note: If a policy bundle includes a shared policy that inherits from other shared policies, those
inherited rules are also applied to any devices on which the policy bundle is applied.

Rule Order When Using Inheritance


An access list (ACL) consists of rules (also called access control entries or ACEs) arranged in a table.
An incoming packet is compared against the first rule in the ACL. If the packet matches the rule, the
packet is permitted or denied, depending on the rule. If the packet does not match, the packet is
compared against the next rule in the table and so forth, until a matching rule is found and executed.
This first-match system means that the order of rules in the table is of critical importance. When you
create a shared access rule policy, Security Manager divides the rules table into multiple sections,
Mandatory and Default. The Mandatory section contains rules that cannot be overridden by the local
rules defined in a child policy. The Default section contains rules that can be overridden by local
rules.
Figure 5-2 describes how rules are ordered in the rules table when using inheritance.

Figure 5-2 Order of Rules When Using Inheritance

Benefits of Using Inheritance


The ability to define rule-based policies in a hierarchical manner gives you great flexibility when
defining your rule sets, and the hierarchy can extend as many levels as required. For example, you can
define an access rule policy for the device at a branch office that inherits rules from a parent policy
that determines access at the regional level. This policy, in turn, can inherit rules from a global access
rules policy at the top of the hierarchy that sets rules at the corporate level.
In this example, the rules are ordered in the rules table as follows:
• Mandatory corporate access rules
• Mandatory regional access rules
• Local rules on branch device
• Default regional access rules
• Default corporate access rules
The policy defined on the branch device is a child of the regional policy and a grandchild of the
corporate policy. Structuring inheritance in this manner enables you to define mandatory rules at the
corporate level that apply to all devices and that cannot be overridden by rules at a lower level in the
hierarchy. At the same time, rule inheritance provides the flexibility to add local rules for specific
devices where needed.
Having default rules makes it possible to define a global default rule, such as “deny any any”, that
appears at the end of all access rule lists and provides a final measure of security should gaps exist in
the mandatory rules and default rules that appear above it in the rules table.

Inheritance Example
For example, you can define a mandatory worm mitigation rule in the corporate access rules policy
that mitigates or blocks the worm to all devices with a single entry. Devices configured with the
regional access rules policy can inherit the worm mitigation rule from the corporate policy while
adding rules that apply at the regional level. For example, you can create a rule that allows FTP traffic
to all devices in one region while blocking FTP to devices in all other regions. However, the
mandatory rule at the corporate level always appears at the top of the access rules list. Any mandatory
rules that you define in a child policy are placed after the mandatory rules defined in the parent policy.
With default rules, the order is reversed - default rules defined in a child policy appear before default
rules inherited from the parent policy. Default rules appear after any local rules that are defined on the
device, which makes it possible to define a local rule that overrides a default rule. For example, if a
regional default rule denies FTP traffic to a list of destinations, you can define a local rule that permits
one of those destinations.
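As an added illustration (not Security Manager's own code; the hierarchy, networks, services and the worm-mitigation port are constructed), the following Python model flattens a corporate > regional > branch hierarchy into the ordered rules table described above and evaluates packets first-match, showing that a local rule overrides a regional default rule but cannot override a corporate mandatory rule:

```python
"""Model of CSM access-rule inheritance ordering (added example, not CSM code).

Ordering used by Security Manager, as described above:
  mandatory rules, parent before child -> local rules on the device ->
  default rules, child before parent.
Networks, services and the worm-mitigation port below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str      # "permit" or "deny"
    src: str         # CIDR network or "any"
    dst: str         # CIDR network or "any"
    service: str     # e.g. "tcp/21" or "any"
    comment: str = ""

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        def in_net(net: str, ip: str) -> bool:
            return net == "any" or ip_address(ip) in ip_network(net)
        return (in_net(self.src, src_ip) and in_net(self.dst, dst_ip)
                and self.service in ("any", service))


@dataclass
class Policy:
    name: str
    mandatory: List[Rule] = field(default_factory=list)
    default: List[Rule] = field(default_factory=list)
    parent: Optional["Policy"] = None


def flatten(device_policy: Policy, local_rules: List[Rule]) -> List[Rule]:
    """Build the ordered rules table the device receives after inheritance."""
    chain: List[Policy] = []
    p: Optional[Policy] = device_policy
    while p is not None:
        chain.append(p)
        p = p.parent
    chain.reverse()                      # top of hierarchy (corporate) first
    table: List[Rule] = []
    for pol in chain:                    # mandatory: parent before child
        table.extend(pol.mandatory)
    table.extend(local_rules)            # local rules on the device itself
    for pol in reversed(chain):          # default: child before parent
        table.extend(pol.default)
    return table


def evaluate(table: List[Rule], src_ip: str, dst_ip: str, service: str) -> Tuple[str, str]:
    """First-match evaluation, as in an ASA ACL; implicit deny at the end."""
    for rule in table:
        if rule.matches(src_ip, dst_ip, service):
            return rule.action, rule.comment
    return "deny", "implicit deny"


# Constructed hierarchy mirroring the example in the text.
CORPORATE = Policy(
    "corporate",
    mandatory=[Rule("deny", "any", "any", "tcp/445", "corporate mandatory: worm mitigation")],
    default=[Rule("deny", "any", "any", "any", "corporate default: deny any any")],
)
REGIONAL = Policy(
    "regional",
    default=[Rule("deny", "any", "192.0.2.0/24", "tcp/21", "regional default: no FTP to 192.0.2.0/24")],
    parent=CORPORATE,
)
BRANCH = Policy("branch", parent=REGIONAL)
BRANCH_LOCAL = [
    Rule("permit", "10.1.0.0/16", "192.0.2.10/32", "tcp/21", "local: permit FTP to one destination"),
    Rule("permit", "10.1.0.0/16", "any", "tcp/445", "local: attempt to permit 445 (cannot win)"),
]
TABLE = flatten(BRANCH, BRANCH_LOCAL)

if __name__ == "__main__":
    for i, r in enumerate(TABLE, 1):
        print(i, r.action, r.src, r.dst, r.service, "#", r.comment)
    print(evaluate(TABLE, "10.1.5.5", "192.0.2.10", "tcp/21"))   # permit, local override
    print(evaluate(TABLE, "10.1.5.5", "192.0.2.20", "tcp/21"))   # deny, regional default
    print(evaluate(TABLE, "10.1.5.5", "192.0.2.10", "tcp/445"))  # deny, corporate mandatory
```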

IPS Policy Inheritance


Event action filter policies for IPS devices can also use inheritance to add rules defined in a parent
policy to the local rules defined on a particular device. The only difference is that although active and
inactive rules are displayed together in the Security Manager interface, all inactive rules are deployed
last, after the inherited default rules.
Signature policies for IPS devices use a different type of inheritance that can be applied on a per-
signature basis.

5. ASA Capture

• asa_dataplane - Captures packets on the ASA backplane that pass between the ASA and a
module that uses the backplane, such as the ASA CX or IPS module.
ASA# cap asa_dataplace interface asa_dataplane
ASA# show capture
capture asa_dataplace type raw-data interface asa_dataplane [Capturing - 0 bytes]
• asp-drop drop-code - Captures packets that are dropped by the accelerated security path. The
drop-code specifies the type of traffic that is dropped by the accelerated security path.
ASA# capture asp-drop type asp-drop acl-drop
2 packets captured
1: 04:12:10.428093 192.168.10.10.34327 > 10.94.0.51.15868: S
2669456341:2669456341(0) win 4128 <mss 536> Drop-reason: (acl-drop)
Flow is denied by configured rule
2: 04:12:12.427330 192.168.10.10.34327 > 10.94.0.51.15868: S
2669456341:2669456341(0) win 4128 <mss 536> Drop-reason: (acl-drop)
Flow is denied by configured rule
2 packets shown
• ethernet-type type - Selects an Ethernet type to capture. Supported Ethernet types include
8021Q, ARP, IP, IP6, IPX, LACP, PPPOED, PPPOES, RARP, and VLAN.
ASA# cap arp ethernet-type ?
exec mode commands/options:
802.1Q
<0-65535> Ethernet type
arp
ip
ip6
ipx
pppoed
pppoes
rarp
vlan
cap arp ethernet-type arp interface inside
ASA# show cap arp
22 packets captured
1: 05:32:52.119485 arp who-has 10.10.3.13 tell 10.10.3.12
2: 05:32:52.481862 arp who-has 192.168.10.123 tell 192.168.100.100
3: 05:32:52.481878 arp who-has 192.168.10.50 tell 192.168.100.10
4: 05:32:53.409723 arp who-has 10.106.44.135 tell 10.106.44.244
5: 05:32:53.772085 arp who-has 10.106.44.108 tell 10.106.44.248
6: 05:32:54.782429 arp who-has 10.106.44.135 tell 10.106.44.244
7: 05:32:54.784695 arp who-has 10.106.44.1 tell 11.11.11.112:
• real-time - Displays the captured packets continuously in real-time. In order to terminate a real-
time packet capture, press Ctrl-C. In order to permanently remove the capture, use the no form
of this command. This option is not supported when you use the cluster exec capture command.
ASA# cap capin interface inside real-time

Use ctrl-c to terminate real-time capture
• trace - Traces the captured packets in a manner similar to the ASA packet tracer feature.
ASA#cap in interface Webserver trace match tcp any any eq 80
• ikev1/ikev2 - Captures only Internet Key Exchange Version 1 (IKEv1) or IKEv2 protocol
information.
• isakmp - Captures Internet Security Association and Key Management Protocol (ISAKMP)
traffic for VPN connections. The ISAKMP subsystem does not have access to the upper-layer
protocols. The capture is a pseudo capture, with the physical, IP, and UDP layers combined
together in order to satisfy a PCAP parser. The peer addresses are obtained from the SA
exchange and are stored in the IP layer.
• lacp - Captures Link Aggregation Control Protocol (LACP) traffic. If configured, the interface
name is the physical interface name. This might be useful when you work with Etherchannels in
order to identify the present behavior of LACP.
• tls-proxy - Captures decrypted inbound and outbound data from the Transport Layer Security
(TLS) proxy on one or more interfaces.
• webvpn - Captures WebVPN data for a specific WebVPN connection.

6. CSM (or Prime Infra) Dashboards

Firewall dashboards
• Top Destinations —This report ranks the session destinations of all built/deny firewall events
received by Security Manager. The report shows the destination IP address, the count of the
number of events for each address, and the percentage of the count compared to the sum of all
counts in the report. You can click on a data point in the Pie, XY, or Bar graph that represents a
specific destination to see report information about the top sources and top services associated
with that destination (see Drilling Down into Report Data).
• Top Sources —This report ranks the session sources of all built/deny firewall events received
by Security Manager. The report shows the source IP address, the count of the number of events
for each address, and the percentage of the count compared to the sum of all counts in the
report. You can click on a data point in the Pie, XY, or Bar graph that represents a specific
source to see report information about the top destinations and top services associated with that
source (see Drilling Down into Report Data).
• Top Services —This report ranks the destination services of all built/deny firewall events
received by Security Manager. TCP and UDP services include the port number. The report
shows the service, the count of the number of events for each service, and the percentage of the
count compared to the sum of all counts in the report. You can click on a data point in the Pie,
XY, or Bar graph that represents a specific service to see report information about the top
destinations and top sources associated with that service (see Drilling Down into Report Data).
• Top Infected Hosts —This report ranks the top infected hosts for traffic originating from
infected hosts to black- or gray-listed sites based on all botnet events received by Security
Manager. The report shows the IP address of the infected host with the firewall interface name
on which the event was detected in parentheses, the count of the number of connections logged
to blacklisted or gray-listed sites for each address, the count of the number of connections that
were blocked (dropped) by botnet traffic filtering, and the percentage of the count compared to
the sum of all counts in the report.
• Top Malware Ports —This report ranks the top destination ports for traffic originating from
infected hosts to black or gray-listed sites based on all botnet events received by Security
Manager. The report shows the destination malware port, the count of the number of
connections logged to blacklisted or gray-listed sites for each port, the count of the number of
connections that were blocked (dropped) by botnet traffic filtering, and the percentage of the
count compared to the sum of all counts in the report.
• Top Malware Sites —This report ranks the top botnet sites (black or gray-listed sites) for all
inbound and outbound sessions based on all botnet events received by Security Manager. The
report shows the following information:
○ IP Address—The IP address that is indicated as the malicious host in botnet events, either
on the black list or the grey list.
○ Malware Site—The domain name or IP address in the dynamic filter database to which
the traffic was initiated.
○ List Type—Whether the site is on the black list or the grey list.
○ Connections Logged—The count of the number of connections logged or monitored for
each site.
○ Connections Blocked—The count of the number of connections that were blocked
(dropped) by botnet traffic filtering for each site.
○ Threat Level—The botnet threat level for the site, from very low to very high, or none.
○ Category—The category of threat the site poses as defined in the botnet database, such as
botnet, Trojan, spyware, and so on.
VPN dashboards
• Top Bandwidth Users —This report ranks the VPN users who consumed the most bandwidth.
The report shows the usernames, the bandwidth in total number of bytes sent and received, and
the percentage of reported bandwidth used by each user.
• Top Duration Users —This report ranks the VPN users who remained connected to the
network for the longest time. The report shows the usernames, the connection duration time in
days hours:minutes:seconds format, and the percentage of the reported duration by each user.
The chart shows duration in seconds.
• Top Throughput Users —This report ranks the VPN users who sent and received data at the
highest throughput rate. The report shows the usernames, the throughput for each user in kbps,
and the percentage of reported throughput by each user. The throughput is calculated as 8.0
*(bandwidth of the user in bytes)/(duration for which the user is connected in seconds*1000.0).
• Connection Profile Report —This report provides a count of user, session, and summary of
the bandwidth utilization and throughput usage for each remote access connection profile. The
default report contains this information for all devices for the previous hour. You can customize
the report in several different ways.
• User Report —This report provides a summary of the bandwidth utilization, connection
duration and throughput usage for each remote access VPN user. The report shows the
usernames, the bandwidth in total number of bytes sent and received, the connection duration
time in days hours:minutes:seconds format, and the throughput for each user in kbps. The
throughput is calculated as 8.0*(bandwidth of the user in bytes)/(duration for which the user is
connected in seconds*1000.0). Beginning with Security Manager 4.7, the User Report provides
both user-level details and session-level details:
○ User-Level Details —For a particular user, the user-level details represent the combined
value of all that user’s sessions: Username, Total no. of Sessions, Bandwidth, Duration,
and Throughput.
○ Session-Level Details —Expanding the tree displays the session-level details for each
session that a particular user has a VPN connection with; the session-level details
encompass the Session ID, Login Time, Logout Time, Bandwidth, Throughput, and
Duration of the Session. (Here the logout time is calculated by using the formula Logout
Time = Login Time + Duration .)

7. NAT Scenario
Company A:
• Host-A IP address: 172.16.1.100
• Proxy: 172.16.1.50
• Global IP address: 200.165.1.230
Company B:
• Host-B IP address: 200.165.1.228
Configure NAT for Host-B such that when a host from Company B sends traffic to the public IP of the
ASA, its source address is translated to the Proxy address instead of keeping the original source IP
address, for security reasons.

From the view of Company A:
200.165.1.228 real packet source
200.165.1.230 real packet destination
172.16.1.50 translated packet source
172.16.1.100 translated packet destination

object network HOST-A
 host 172.16.1.100
object network HOST-A-PROXY
 host 172.16.1.50
object network HOST-B
 host 200.165.1.228
nat (OUTSIDE,INSIDE) source static HOST-B HOST-A-PROXY destination static interface HOST-A

Hot-Spot Questions

1. SNMP configuration on ASDM

Which statement about how the Cisco ASA supports SNMP is true?
A. All SNMPv3 traffic on the inside interface will be denied by the global ACL.
B. The Cisco ASA and ASASM provide support for network monitoring using SNMP Versions
1,2c, and 3, but do not support the use of all three versions simultaneously.
C. The Cisco ASA and ASASM have an SNMP agent that notifies designated management
stations if events occur that are predefined to require a notification, for example, when a link in
the network goes up or down.
D. SNMPv3 is enabled by default and SNMP v1 and 2c are disabled by default.
E. SNMPv3 is more secure because it uses SSH as the transport mechanism.

When you create a user, with which option must you associate it?
A. an SNMP group
B. at least one interface
C. the SNMP inspection in the global_policy
D. at least two interfaces

To configure SNMPv3 hosts, which option must you configure in addition to the target IP address?
A. the Cisco ASA as a DHCP server, so the SNMPv3 host can obtain an IP address
B. a username, because traps are only sent to a configured user
C. SSH, so the user can connect to the Cisco ASA
D. the Cisco ASA with a dedicated interface only for SNMP, to process the SNMP host traffic.

2. Syslog configuration on ASDM

In your role as network security administrator, you have installed syslog server software on a
server whose IP address is 192.168.85.1. According to the exhibits, why isn't the syslog server
receiving any syslog messages?
A. Logging is not enabled globally on the Cisco ASA.
B. The syslog server has failed.
C. There have not been any events with a severity level of seven.
D. The Cisco ASA is not configured to log messages to the syslog server at that IP address.
In the newer version of the test, the correct answer is B.

According to the logging configuration on the Cisco ASA, what will happen if the syslog server fails?
A. New connections through the ASA will be blocked and debug system logs will be sent to the
internal buffer.
B. New connections through the ASA will be blocked and informational system logs will be sent
to the internal buffer.
C. New connections through the ASA will be blocked and system logs will be sent to server on
192.168.85.0/24 network.
D. New connections through the ASA will be allowed and system logs will be sent to server on
192.168.85.0/24 network.
E. New connections through the ASA will be allowed and informational system logs will be sent
to the internal buffer.
F. New connections through the ASA will be allowed and debug system logs will be sent to the
internal buffer.

Which statement is true of the logging configuration on the Cisco ASA?
A. The contents of the internal buffer will be saved to an FTP server before the buffer is
overwritten.
B. The contents of the internal buffer will be saved to flash memory before the buffer is
overwritten.
C. System log messages with a severity level of six and higher will be logged to the internal buffer.
D. System log messages with a severity level of six and lower will be logged to the internal buffer.

Lab Simulations

1. NAT Lab

You are a network security engineer for the Secure-X network. You have been tasked with
implementing dynamic network object NAT with PAT on a Cisco ASA. You must configure the
Cisco ASA such that the source IP addresses of all internal hosts are translated to a single IP address
(using different ports) when the internal hosts access the Internet.
To successfully complete this activity, you must perform the following tasks:
• Use the Cisco ASDM GUI on the Admin PC to configure dynamic network object NAT with
PAT using the following parameters:
○ Network object name: Internal-Networks
○ IP subnet: 10.10.0.0/16
○ Translated IP address: 192.0.2.100
○ Source interface: inside
○ Destination interface: outside
NOTE: The object (TRANSLATED-INSIDE-HOSTS) for this translated IP address has
already been created for your use in this activity.
NOTE: Not all ASDM screens are active for this exercise.
NOTE: Login credentials are not needed for this simulation.
• In the Cisco ASDM, display and view the auto-generated NAT rule.
• From the Employee PC, generate traffic to SP-SRV by opening a browser and navigating to
http://sp-srv.sp.public.
• From the Guest PC, generate traffic to SP-SRV by opening a browser and navigating to
http://sp-srv.sp.public.
• At the CLI of the Cisco ASA, display your NAT configuration. You should see the configured
policy and statistics for translated packets.
• At the CLI of the Cisco ASA, display the translation table. You should see dynamic translations
for the Employee PC and the Guest PC. Both inside IP addresses translate to the same IP
address, but using different ports.
You have completed this exercise when you have configured and successfully tested dynamic network
object NAT with PAT.

% Tested on ICMP traffic, not HTTP traffic !!!
ciscoasa# show xlate
9 in use, 10 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net

ICMP PAT from INSIDE:10.10.9.3/25410 to OUTSIDE:192.0.2.100/25410 flags ri idle
0:00:28 timeout 0:00:30
ICMP PAT from INSIDE:10.10.9.3/25154 to OUTSIDE:192.0.2.100/25154 flags ri idle
0:00:29 timeout 0:00:30
ICMP PAT from INSIDE:10.10.9.3/24898 to OUTSIDE:192.0.2.100/24898 flags ri idle
0:00:30 timeout 0:00:30
ICMP PAT from INSIDE:10.10.9.3/24386 to OUTSIDE:192.0.2.100/24386 flags ri idle
0:00:30 timeout 0:00:30
ICMP PAT from INSIDE:10.10.11.1/29506 to OUTSIDE:192.0.2.100/29506 flags ri idle
0:00:12 timeout 0:00:30
ICMP PAT from INSIDE:10.10.11.1/29250 to OUTSIDE:192.0.2.100/29250 flags ri idle
0:00:14 timeout 0:00:30
ICMP PAT from INSIDE:10.10.11.1/28994 to OUTSIDE:192.0.2.100/28994 flags ri idle
0:00:14 timeout 0:00:30
ICMP PAT from INSIDE:10.10.11.1/28738 to OUTSIDE:192.0.2.100/28738 flags ri idle
0:00:16 timeout 0:00:30
ICMP PAT from INSIDE:10.10.11.1/28482 to OUTSIDE:192.0.2.100/28482 flags ri idle
0:00:17 timeout 0:00:30

% Tested on ICMP traffic, not HTTP traffic !!!


ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic Internal-Networks TRANSLATED-INSIDE-HOSTS
translate_hits = 10, untranslate_hits = 0
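As an added example (not from the exam or from Cisco), the following Python parser reads show xlate output of the kind shown in the lab above, constructed here as an inline sample, and checks the dynamic PAT model: every inside host is translated to the same global IP and no global port (ICMP identifier for ICMP) is shared by two inside sockets.

```python
"""Parser and sanity check for Cisco ASA ``show xlate`` output (added example).

Not from the exam or from Cisco. It reads PAT entries such as the ones in the
lab output above and checks the dynamic PAT model: every inside host is
translated to the same global IP and no (protocol, global IP, global port) is
shared by two inside sockets. For ICMP the "port" field is the ICMP identifier.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the lab output above, with each xlate entry
# on a single line (the ASA only wraps it because of the terminal width).
SAMPLE_XLATE = """\
9 in use, 10 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
ICMP PAT from INSIDE:10.10.9.3/25410 to OUTSIDE:192.0.2.100/25410 flags ri idle 0:00:28 timeout 0:00:30
ICMP PAT from INSIDE:10.10.9.3/25154 to OUTSIDE:192.0.2.100/25154 flags ri idle 0:00:29 timeout 0:00:30
ICMP PAT from INSIDE:10.10.11.1/29506 to OUTSIDE:192.0.2.100/29506 flags ri idle 0:00:12 timeout 0:00:30
ICMP PAT from INSIDE:10.10.11.1/29250 to OUTSIDE:192.0.2.100/29250 flags ri idle 0:00:14 timeout 0:00:30
"""

HEADER_RE = re.compile(r"^(\d+) in use, (\d+) most used")
PAT_RE = re.compile(
    r"^(?P<proto>\w+) PAT from (?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+)"
    r" to (?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
    r" flags (?P<flags>\S+) idle (?P<idle>\S+) timeout (?P<timeout>\S+)$"
)


def parse_xlate(text: str) -> Tuple[Optional[int], Optional[int], List[Dict]]:
    """Return (in_use, most_used, entries); one dict per PAT translation."""
    in_use = most_used = None
    entries: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            in_use, most_used = int(m.group(1)), int(m.group(2))
            continue
        m = PAT_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["in_port"] = int(entry["in_port"])
            entry["out_port"] = int(entry["out_port"])
            entries.append(entry)
    return in_use, most_used, entries


def check_dynamic_pat(entries: List[Dict], expected_global_ip: Optional[str] = None) -> Dict:
    """Summarise the PAT table and list anything that breaks the PAT model."""
    problems: List[str] = []
    global_ips = {e["out_ip"] for e in entries}
    if expected_global_ip is not None and global_ips != {expected_global_ip}:
        problems.append(f"unexpected global IP(s): {sorted(global_ips)}")
    # A (protocol, global IP, global port) tuple must map back to exactly one
    # inside socket, otherwise return traffic could not be de-multiplexed.
    owners = defaultdict(set)
    for e in entries:
        owners[(e["proto"], e["out_ip"], e["out_port"])].add((e["in_ip"], e["in_port"]))
    collisions = [key for key, socks in owners.items() if len(socks) > 1]
    if collisions:
        problems.append(f"global port shared by several inside sockets: {collisions}")
    # Dynamic PAT entries carry the flags r (portmap) and i (dynamic).
    static_like = [e for e in entries if not {"r", "i"} <= set(e["flags"])]
    if static_like:
        problems.append(f"{len(static_like)} entries are not dynamic portmap xlates")
    return {
        "inside_hosts": sorted({e["in_ip"] for e in entries}),
        "global_ips": sorted(global_ips),
        "translations": len(entries),
        "problems": problems,
    }


if __name__ == "__main__":
    in_use, most_used, xlates = parse_xlate(SAMPLE_XLATE)
    print(f"{in_use} in use, {most_used} most used, {len(xlates)} PAT entries parsed")
    print(check_dynamic_pat(xlates, expected_global_ip="192.0.2.100"))
```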

2. Botnet Traffic Filtering Lab

You are the network security engineer for the Secure-X network. The company has recently detected
an increase in traffic to malware-infected destinations. The Chief Security Officer deduced that some
PCs in the internal networks are infected with malware and communicate with malware-infected
destinations.
The CSO has tasked you with enabling the Botnet Traffic Filter on the Cisco ASA to detect and deny
further connection attempts from infected PCs to malware destinations. You are also required to test
your configuration by initiating connections through the Cisco ASA and then displaying and observing
the Real-Time Log Viewer in ASDM.
To successfully complete this activity, you must perform the following tasks:
• Download the dynamic database and enable its use.
• Enable the ASA to download the dynamic database.
• Enable DNS snooping for the existing DNS inspection service policy rules.
• Enable Botnet Traffic Filter classification on the outside interface for All Traffic.
• Configure the Botnet Traffic Filter to drop blacklisted traffic on the outside interface. Use the
default Threat Level settings
NOTE: The database files are stored in running memory; they are not stored in flash memory.
NOTE: DNS is enabled on the inside interface and set to the HQ-SRV (10.10.3.20).
NOTE: Not all ASDM screens are active for this exercise.
• Verify that the ASA indeed drops traffic to blacklisted destinations by doing the following:
• From the Employee PC, navigate to http://www.google.com to make sure that access to the
Internet is working.
• From the Employee PC, navigate to http://bot-sparta.no-ip.org. This destination is classified as
malware destination by the Cisco SIO database.
• From the Employee PC, navigate to http://superzarabotok-gid.ru/. This destination is classified
as malware destination by the Cisco SIO database.
• From Admin PC, launch ASDM to display and observe the Real-Time Log Viewer.
You have completed this exercise when you have configured and successfully tested Botnet traffic
filter on the Cisco ASA.

CLI configuration:
dynamic-filter updater-client enable
dynamic-filter enable interface OUTSIDE
dynamic-filter drop blacklist interface OUTSIDE
dynamic-filter use-database
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns preset_dns_map dynamic-filter-snoop
