Module 20: Quiz – Introduction to the ASA (Answers) Network Security

1. What is a characteristic of ASA security levels?

  • An ACL needs to be configured to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level.
  • Each operational interface must have a name and be assigned a security level from 0 to 200.
  • Inbound traffic is identified as the traffic moving from an interface with a higher security level to an interface with a lower security level.
  • The lower the security level on an interface, the more trusted the interface.

Explanation: The ASA assigns security levels to distinguish between inside and outside networks. The higher the level, the more trusted the interface. The security level numbers range from 0 to 100. When traffic moves from an interface with a higher security level to an interface with a lower security level, it is considered outbound traffic.

2. What are the two biggest differences among various ASA firewall models? (Choose two.)

  • in the VPN functionality
  • in the operating system version support
  • in the maximum traffic throughput supported
  • in the configuration method using either CLI or ASDM
  • in the number and types of interfaces

Explanation: ASA firewall models are mainly compared based on the maximum traffic throughput that is handled by each model and the number and types of their interfaces.

3. Which statement describes the Cisco ASAv product?

  • It is a Cisco ASA feature added on a Cisco router.
  • It is a cloud-based Cisco ASA firewall product.
  • It is a Cisco FirePOWER service that can be added on a Cisco router.
  • It is a virtual machine version of Cisco ASA product.

Explanation: The Cisco Adaptive Security Virtual Appliance (ASAv) brings the power of ASA appliances to the virtual domain. The Cisco ASAv operates as a virtual machine (VM) using the interfaces on a host server to process traffic.

4. What two features must match between ASA devices to implement a failover configuration? (Choose two.)

  • device model
  • software configuration
  • source IP address
  • amount of RAM
  • next-hop destination

Explanation: In order for two Cisco ASA 5505 devices to work in a failover configuration, both devices must be identical models with the same hardware configuration, number and types of interfaces, and the same amount of RAM.

5. Which feature is specific to the Security Plus upgrade license of an ASA and provides increased availability?

  • routed mode
  • transparent mode
  • redundant ISP connections
  • stateful packet inspection

Explanation: The Security Plus upgrade license enables the ASA to support redundant ISP connections and stateless active/standby high-availability services.

6. What is the most trustworthy security level that can be configured on an ASA device interface?

  • 100
  • 255
  • 50
  • 0

Explanation: The higher the security level on an ASA device interface, the more trusted the interface. The security level numbers range from 0 to 100, where 100 is the most trustworthy.

7. Which two statements describe the 8 Gigabit Ethernet ports in the backplane of a Cisco ASA 5506-X device? (Choose two.)

  • They are all routed ports.
  • Three of them are routed ports and 5 of them are switch ports.
  • Port 1 is a routed port and the rest are switch ports.
  • They all can be configured as routed ports or switch ports.
  • These ports all require IP addresses.

Explanation: Unlike the ASA 5505, the ASA 5506-X does not use switch ports. All Gigabit Ethernet ports in the backplane are routed and require IP addresses.

8. Which advanced ASA Firewall feature provides granular access control based on an association of IP addresses to Windows Active Directory login information?

  • ASA virtualization
  • high availability with failover
  • threat control and containment services
  • identity firewall

Explanation: With the identity firewall feature, Cisco ASA provides optional granular access control based on an association of IP addresses to Windows Active Directory login information.

9. What are two basic configuration requirements for each operational interface on an ASA 5506-X device? (Choose two.)

  • a name
  • an encryption key
  • an ACL assignment
  • a security level
  • a VLAN assignment

Explanation: The ASA assigns security levels to distinguish between inside and outside networks. Each operational interface must have a name and a security level from 0 (lowest) to 100 (highest) assigned.

10. What is one of the drawbacks to using transparent mode operation on an ASA device?

  • no support for IP addressing
  • no support for QoS
  • no support for management
  • no support for using an ASA as a Layer 2 switch

Explanation: In transparent mode the ASA functions like a Layer 2 device. An ASA device can have an IP address assigned on the local network for management purposes. The drawbacks to using transparent mode include no support for dynamic routing protocols, VPNs, QoS, or DHCP Relay.

11. Which service is added to the Cisco ASA 5500 by the ASA 5500-X?

  • threat control and containment services
  • ASA virtualization
  • FirePOWER service
  • high availability with failover

Explanation: The Cisco ASA 5500-X series with FirePOWER service merges the ASA 5500 series devices with some new features such as advanced malware protection as well as application control and URL filtering. The services of ASA virtualization, high availability with failover, and threat control and containment services are already provided by ASA 5500 devices.

12. Which statement describes the default network access control on an ASA firewall device?

  • Inbound traffic from the DMZ network to the inside network is allowed.
  • Inbound traffic from the outside network to the DMZ network is allowed.
  • Returning traffic from the outside network to the inside network is allowed.
  • Outbound traffic from the inside network to the outside network is allowed without inspection.

Explanation: With the security levels properly configured on the inside, outside, and DMZ networks, outbound traffic is allowed and inspected by default. Hosts on the higher security interface can access hosts on a lower security interface. However, traffic that is initiated from a lower security level interface and going into a higher security level interface is denied by default. Returning traffic is allowed because of stateful packet inspection.
