Module 21: Quiz – ASA Firewall Configuration (Answers) Network Security

1. Which two statements are true about ASA standard ACLs? (Choose two.)

  • They identify only the destination IP address.
  • They are the most common type of ACL.
  • They are applied to interfaces to control traffic.
  • They specify both the source and destination MAC address.
  • They are typically only used for OSPF routes.

Explanation: ASA standard ACLs identify destination IP addresses, unlike IOS ACLs, where a standard ACL identifies the source host or network. They are typically only used for OSPF routes and can be referenced in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.

2. When dynamic NAT on an ASA is being configured, what two parameters must be specified by network objects? (Choose two.)

  • the inside NAT interface
  • the interface security level
  • the outside NAT interface
  • a range of private addresses that will be translated
  • the pool of public global addresses

Explanation: On an ASA, both the pool of addresses that will be used as inside global addresses and the range of internal private addresses that should be translated are configured through network objects.

3. Which command is used on an ASA to enable password encryption and encrypt all user passwords?

  • service password-encryption
  • key config-key password-encryption [ new-pass [ old-pass ]]
  • enable password password
  • password encryption aes

Explanation: The enable password command sets the password for privileged EXEC mode. The key config-key password-encryption command is used to generate the encryption key. The password encryption aes command enables password encryption and encrypts all user passwords. The service password-encryption command is used on Cisco routers to encrypt user passwords.

4. Which type of NAT would be used on an ASA where 10.0.1.0/24 inside addresses are to be translated only if traffic from these addresses is destined for the 198.133.219.0/24 network?

  • policy NAT
  • dynamic NAT
  • static NAT
  • dynamic PAT

Explanation: Policy NAT is based on rules that determine when specific source addresses will be translated: only when those source addresses are sending to specific destination addresses, to specific ports, or to both a specific destination address and a specific port.

5. A network administrator has deployed object groups in order to make ACLs easier to implement and understand. Which two objects would be part of a service object group? (Choose two.)

  • top-level protocol
  • subnet
  • ICMP type
  • hostname
  • IP address

Explanation: A network object group is a group that contains hostnames, IP addresses, subnets, or ranges of IP addresses. A service object group is a group that contains top-level protocols, source and destination protocol ports, or ICMP types.

6. What is a difference between ASA IPv4 ACLs and IOS IPv4 ACLs?

  • ASA ACLs use forward and drop ACEs, whereas IOS ACLs use permit and deny ACEs.
  • ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask.
  • Multiple ASA ACLs can be applied on an interface in the ingress direction, whereas only one IOS ACL can be applied.
  • ASA ACLs are always named, whereas IOS ACLs are always numbered.
  • ASA ACLs do not have an implicit deny any at the end, whereas IOS ACLs do.

Explanation: There are many similarities between ASA ACLs and IOS ACLs, including:

  • In both, there is an implicit deny any at the end.
  • Only one ACL per interface, per protocol, per direction still applies.
  • Both use deny and permit ACEs.
  • ACLs can be either named or numbered.

ASA ACLs differ from IOS ACLs in that they use a network mask (e.g., 255.255.255.0) instead of a wildcard mask (e.g., 0.0.0.255). Although most ASA ACLs are named, they can also be numbered.

7. Which object or object group is required to implement NAT on an ASA 5506-X device?

  • network object
  • protocol object group
  • service object
  • network object group

Explanation: Network objects are required to implement NAT on ASA devices. A network object contains only one entry: a host, a subnet, or a range of IP addresses. In a NAT implementation it identifies either the pool of public IP addresses to be used for translation or the range of internal hosts allowed to be translated.

8. Which statement describes a feature of AAA in an ASA device?

  • Authorization is enabled by default.
  • Accounting can be used alone.
  • Both authorization and accounting require a user to be authenticated first.
  • If authorization is disabled, all authenticated users will have a very limited access to the commands.

Explanation: AAA services (authentication, authorization, and accounting) are disabled by default. Authentication can be used alone or with authorization and accounting. Authorization always requires a user to be authenticated first. Accounting can be used alone, or with authentication and authorization. Authorization controls the services and commands that are available to each authenticated user. If authorization is not enabled, authentication would provide the same access to services for all authenticated users.

9. What type of ACL is designed for use in the configuration of an ASA to support filtering for clientless SSL VPNs?

  • Standard
  • Webtype
  • EtherType
  • Extended

Explanation: Webtype access lists are used in ASA configurations to support filtering for clientless SSL VPNs. Standard ACLs used in ASA configurations typically identify destination IPs in OSPF routes. Extended ACLs are the most common type of ACL and are not specifically designed for use with clientless SSL VPNs. EtherType ACLs can only be configured if the ASA is running in transparent mode.

10. A network technician is attempting to resolve problems with the NAT configuration on an ASA. The technician generates a ping from an inside host to an outside host. Which command verifies that addresses are being translated on the ASA?

  • show ip address
  • show xlate
  • show running-config
  • show ip nat translation

Explanation: On an ASA, the network address translation is verified using the show xlate command.

11. Which two types of objects can be configured on an ASA device? (Choose two.)

  • protocol
  • ICMP-type
  • security
  • network
  • user
  • service

Explanation: The ASA supports objects and object groups. There are two types of objects that can be configured, namely, network object and service object. The types of object groups that can be configured include ICMP-type, protocol, security, and user.

12. Which option lists the four steps to configure the Modular Policy Framework on an ASA?

  • 1) Configure extended ACLs to identify specific granular traffic. This step may be optional.
    2) Configure the class map to define interesting traffic.
    3) Configure a policy map to apply actions to the identified traffic.
    4) Configure a service policy to identify which interface should be activated for the service.
  • 1) Configure a policy map to apply actions to the identified traffic.
    2) Configure a service policy to identify which interface should be activated for the service.
    3) Configure extended ACLs to identify specific granular traffic. This step may be optional.
    4) Configure the class map to define interesting traffic.
  • 1) Configure extended ACLs to identify specific granular traffic. This step may be optional.
    2) Configure the class map to define interesting traffic.
    3) Configure a service policy to identify which interface should be activated for the service.
    4) Configure a policy map to apply actions to the identified traffic.
  • 1) Configure a service policy to identify which interface should be activated for the service.
    2) Configure extended ACLs to identify specific granular traffic. This step may be optional.
    3) Configure the class map to define interesting traffic.
    4) Configure a policy map to apply actions to the identified traffic.

Explanation: Modular Policy Framework (MPF) configuration defines a set of rules for applying firewall features, such as traffic inspection and QoS, to the traffic that traverses the ASA. MPF allows granular classification of traffic flows so that different advanced policies can be applied to different flows. Configuring MPF involves specifying ACLs, class maps, policy maps, and service policies, in that order.

13. Which statement is true about ASA CLI and IOS CLI commands?

  • Only the ASA CLI requires the use of Ctrl-C to interrupt show commands.
  • The ASA CLI does not recognize the write erase command, but the IOS CLI does.
  • The show ip interface brief command is valid for both CLIs.
  • Both CLIs recognize the Tab key to complete a partial command.

Explanation: The ASA CLI recognizes the write erase command, not the erase startup-config command. The show ip interface brief command is valid only for the IOS CLI; the ASA CLI uses the show interface ip brief command instead. The ASA CLI requires the use of Q to interrupt show commands.
