Cisco CCNA Security Chapter 4 Answers


CCNA Security - Chapter 4 Exam Answers (Cisco Answers)


1. Which statement accurately describes Cisco IOS zone-based policy firewall operation?
Answer:
* The pass action works in only one direction.

2. Which location is recommended for extended numbered or extended named ACLs?
Answer:
* a location as close to the source of traffic as possible

3. When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?
Answer:
* a zone pair

4. Refer to the exhibit. Based on the SDM screen shown, which statement describes the zone-based firewall component being configured?
Answer:
* a class map that inspects all traffic that uses the HTTP, SMTP, and DNS protocols

5. Refer to the exhibit. Based on the SDM screen shown, which two statements describe the effect this zone-based policy firewall has on traffic? (Choose two.)
Answer:
* HTTP traffic from the in-zone to the out-zone is inspected.
* Traffic from the in-zone to the out-zone is denied if the source address is in the 127.0.0.0/8 range.

6. Which type of packet is unable to be filtered by an outbound ACL?
Answer:
* router-generated packet

7. Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
Answer:
* The packet is dropped.

8. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?
Answer:
* self zone

9. Which statement correctly describes a type of filtering firewall?
Answer:
* A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.

10. In addition to the criteria used by extended ACLs, what conditions are used by CBAC to filter traffic?
Answer:
* application layer protocol session information

11. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?
Answer:
* A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer.

12. Refer to the exhibit. What is represented by the area marked as “A”?
Answer:
* DMZ

13. Which three actions can a Cisco IOS zone-based policy firewall take if configured with Cisco SDM? (Choose three.)
Answer:
* inspect
* drop
* pass

14. A router has CBAC configured and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
Answer:
* A dynamic ACL entry is added to the external interface in the inbound direction.

15. For a stateful firewall, which information is stored in the stateful session flow table?
Answer:
* source and destination IP addresses, and port numbers and sequencing information associated with a particular session

16. Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)
Answer:
* SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
* Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.

17. When configuring a Cisco IOS zone-based policy firewall, which three actions can be applied to a traffic class? (Choose three.)
Answer:
* drop
* inspect
* pass

18. Refer to the exhibit. In a two-interface CBAC implementation, where should ACLs be applied?
Answer:
* inside and outside interfaces

19. Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.)
Answer:
* sequence number
* SYN and ACK flags

20. What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI?
Answer:
* Create zones.

21. Which two are characteristics of ACLs? (Choose two.)
Answer:
* Extended ACLs can filter on destination TCP and UDP ports.
* Extended ACLs can filter on source and destination IP addresses.

22. Which type of packets exiting the network of an organization should be blocked by an ACL?
Answer:
* packets with source IP addresses outside of the organization's network address space

23. When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?
Answer:
* process switching

Source: http://ccna-exam-answers-final.blogspot.com/2013/08/ccna-security-chapter-4-exam-answers.html
