Here you will find answers to Cisco IOS Firewall questions:
Question 1
Which two statements are true about the Cisco Classic (CBAC) IOS Firewall set? (Choose two)
A - It can be used to block bulk encryption attacks.
B - It can be used to protect against denial of service attacks.
C - Traffic originating from the router is considered trusted, so it is not inspected.
D - Based upon the custom firewall rules, an ACL entry is statically created and added to the existing ACL permanently.
E - Temporary ACL entries that allow selected traffic to pass are created and persist for the duration of the communication session.
Answer: B E
Question 2
Study this exhibit carefully. What information can be derived from the SDM firewall configuration displayed?
NetworkTut# show running-config | include access-list
access-list 100 remark Autogenerated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 200.0.0.0 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark Autogenerated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any host 200.0.0.1 echo-reply
access-list 101 permit icmp any host 200.0.0.1 time-exceeded
access-list 101 permit icmp any host 200.0.0.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
A - Access-list 101 was configured for the trusted interface, and access-list 100 was configured for the untrusted interface.
B - Access-list 100 was configured for the trusted interface, and access-list 101 was configured for the untrusted interface.
C - Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the outbound direction on the trusted interface.
D - Access-list 100 was configured for the inbound direction, and access-list 101 was configured for the outbound direction on the untrusted interface.
Answer: B
Explanation:
The last line of access-list 100 permits all remaining traffic, so it is applied inbound on the inside (trusted) interface: it only drops spoofed sources (the outside subnet 200.0.0.0/30, the broadcast address and loopback) and lets everything else out. The last line of access-list 101 denies and logs all remaining traffic, so it is applied inbound on the outside (untrusted) interface: it blocks spoofed inside/private/loopback sources, permits only the ICMP replies the router itself needs, and relies on the firewall's temporary openings for returning session traffic.
Question 3
Which three statements accurately describe IOS Firewall configurations? (Choose three)
A - The IP inspection rule can be applied in the inbound direction on the secured interface.
B - The IP inspection rule can be applied in the outbound direction on the unsecured interface.
C - The ACL applied in the inbound direction on the unsecured interface should be an extended ACL.
D - For temporary openings to be created dynamically by Cisco IOS Firewall, the access-list for the returning traffic must be a standard ACL.
Answer: A B C
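The following configuration is an added example (not from the original page or from SDM) that ties the ACL exhibit of Question 2 to the placement rules of Question 3: the extended ACLs from the exhibit are applied inbound on their interfaces and a CBAC inspection rule is applied inbound on the trusted interface, so that return traffic is let back through access-list 101 by temporary openings. The interface names, the inspection rule name FW_INSPECT and the subnet masks (derived from the ACL wildcards) are assumptions.

```cisco
! Inspection rule: state is tracked for these protocols and temporary
! openings are created in the ACL on the returning path (ACL 101).
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
ip inspect name FW_INSPECT icmp
!
! Trusted (inside) interface. Interface name, mask and rule name are assumptions;
! 10.1.1.0/24 is the inside network implied by the wildcard in access-list 101.
interface FastEthernet0/0
 description INSIDE - trusted
 ip address 10.1.1.1 255.255.255.0
 ! Extended ACL 100 inbound: anti-spoof denies, then permit ip any any
 ip access-group 100 in
 ! Inspect in the inbound direction on the secured interface (Q3, statement A).
 ! Equivalent alternative: "ip inspect FW_INSPECT out" on the unsecured interface (statement B).
 ip inspect FW_INSPECT in
!
! Untrusted (outside) interface. 200.0.0.0/30 is the outside subnet implied by
! access-list 100; the router's own address 200.0.0.1 comes from access-list 101.
interface FastEthernet0/1
 description OUTSIDE - untrusted
 ip address 200.0.0.1 255.255.255.252
 ! Extended ACL 101 inbound (Q3, statement C): ends in deny ip any any log,
 ! so only inspected return traffic and the listed ICMP replies get through.
 ip access-group 101 in
```

Sessions opened from 10.1.1.0/24 are recorded by CBAC and their replies are admitted through ACL 101 for the session's lifetime only; an unsolicited connection from the outside hits the final deny and is logged.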