
This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. You can change questions by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the SDM and the topology, neither of which is currently visible.

To gain access to either the topology or the SDM, click on the button on the left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.

IOS_Firewall_Acl_Topology.jpg

Off Shore Industries is a large worldwide sailing charter. The company has recently upgraded its Internet connectivity. As a recent addition to the network engineering team, you have been tasked with documenting the active Firewall configurations on the Annapolis router using the Cisco Router and Security Device Manager (SDM) utility.

Using the SDM output from Firewall and ACL Tasks under the Configure tab, answer the following questions:

Question 1

Which statement is true?

A - Both FastEthernet 0/0 and Serial 0/0/0 are trusted interfaces.
B - Both FastEthernet 0/0 and Serial 0/0/0 are untrusted interfaces.
C - FastEthernet 0/0 is a trusted interface and Serial 0/0/0 is an untrusted interface.
D - FastEthernet 0/0 is an untrusted interface and Serial 0/0/0 is a trusted interface.

Answer: C

Explanation:

IOS_Firewall_Acl_2.jpg

The trusted interface is the inside interface and the untrusted interface is the outside interface. Moreover, from the above picture we see that the "Originating traffic" starts from FastEthernet0/0 to Serial0/0/0. So Fa0/0 is the inside interface and S0/0/0 is the outside interface.

Question 2

Which two statements would specify a permissible incoming TCP packet on a trusted interface in this configuration? (Choose two)

A - The packet has a source address of 10.79.233.107
B - The packet has a source address of 172.16.81.108
C - The packet has a source address of 198.133.219.40
D - The destination address is not specified within the inspection rule SDM_LOW.

Answer: A C

Explanation:

An "incoming TCP packet on a trusted interface" refers to a packet that originates from the inside (trusted) interface.

IOS_Firewall_Acl_Question2.jpg

The configured access list denies packets from the 172.16.81.108/30 subnetwork, so it will only drop packets that have a source address of 172.16.81.108 while allowing other packets through (except those from 255.255.255.255 and 127.0.0.0/8).

Question 3

Which two options would be correct for a permissible incoming TCP packet on an untrusted interface in this configuration? (Choose two)

A - The packet has a source address of 172.16.29.12
B - The packet has a source address of 10.94.61.29
C - The session originated from a trusted interface
D - The application is not specified within the inspection rule SDM_LOW
E - The packet has a source address of 198.133.219.144

Answer: C E

Explanation:

An "incoming TCP packet on an untrusted interface" refers to traffic sent from the outside to the outside interface of the router.

IOS_Firewall_Acl_Diagram_3.jpg

(Note: in the real exam, there may be more filter rules than the ones shown above.)

The access list denies traffic from the 172.16.29.12/30 and 10.0.0.0/8 networks, so A and B are not correct. D is incorrect because the inspection rule SDM_LOW does specify the filter rule.

Access list 101 only filters packets of "returning traffic"; it is not applied to traffic that originated from a trusted (inside) interface, so C is correct.

E is correct because the IP address of 198.133.219.144 is not in the "deny" lists so it satisfies the "permit any" line.
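As an added example (not part of the original exam item), the following Python model shows the two behaviours the explanations for Questions 2 and 3 rely on: top-down, first-match ACL evaluation on each interface, and IOS firewall (CBAC) inspection opening a return path for sessions that originated on the trusted interface, so that returning traffic bypasses access list 101 while everything else must pass it. The ACL entries are reconstructed from the explanation text (the SDM screenshots are not reproduced here) and the SDM_LOW protocol list is an assumption.

```python
from ipaddress import ip_address, ip_network

# ACL entries reconstructed from the explanation text; the real Annapolis
# configuration may contain additional lines. Entries are (action, source network).
ACL_TRUSTED_IN = [            # inbound on FastEthernet0/0 (inside, trusted)
    ("deny", ip_network("172.16.81.108/30")),
    ("deny", ip_network("255.255.255.255/32")),
    ("deny", ip_network("127.0.0.0/8")),
    ("permit", ip_network("0.0.0.0/0")),
]
ACL_101_UNTRUSTED_IN = [      # inbound on Serial0/0/0 (outside, untrusted)
    ("deny", ip_network("172.16.29.12/30")),
    ("deny", ip_network("10.0.0.0/8")),
    ("permit", ip_network("0.0.0.0/0")),
]
SDM_LOW_INSPECTED = {"tcp", "udp", "icmp"}   # assumed protocols inspected by SDM_LOW


def acl_action(acl, src_ip):
    """IOS semantics: evaluate top-down, first match wins, implicit deny at the end."""
    src = ip_address(src_ip)
    for action, net in acl:
        if src in net:
            return action
    return "deny"


class Firewall:
    """Minimal CBAC model: a state table keyed by the inside-originated 5-tuple."""

    def __init__(self):
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def inbound_on_trusted(self, proto, src, sport, dst, dport):
        """Originating traffic: must pass the inside ACL; inspected protocols open a session."""
        if acl_action(ACL_TRUSTED_IN, src) != "permit":
            return False
        if proto in SDM_LOW_INSPECTED:
            self.sessions.add((proto, src, sport, dst, dport))
        return True

    def inbound_on_untrusted(self, proto, src, sport, dst, dport):
        """Returning traffic of an inspected session bypasses ACL 101; anything else hits it."""
        if (proto, dst, dport, src, sport) in self.sessions:
            return True
        return acl_action(ACL_101_UNTRUSTED_IN, src) == "permit"
```

A reply from 10.94.61.29 is statically denied by access list 101, yet it is permitted when it answers a TCP session an inside host opened, which is exactly why option C of Question 3 is correct; a non-inspected protocol creates no session, so its return traffic is subject to the ACL.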