Chapter 16. Answer Key 1


1. A, B, C

2. D

3. A, B

4. B

5. B

6. A

7. C, E

8. A

9. C

10. A, D

11. A, B, C, D, E

12. A, D

13. B

14. B, C, E

15. A, C, D

16. A, B, C, D

17. D

18. C

19. D

20. B, D

21. A

22. E

23. E

24. C

25. E

26. D

27. B

28. A, B, C

29. D

30. A

31. A

32. B

33. A, D

34. A, C

35. B

36. B

37. D

38. B, C

39. C

40. D

41. D

42. B

43. A

44. D

45. B, C

46. C

47. A

48. A, B, C, D

49. B

50. D

51. A, C

52. C

53. A, C, D

54. D

55. A, C, D

Question 1

Answers A, B, and C are correct. An access list on the PIX can filter on source and destination IP addresses as well as the source and destination port number. The protocol number can also be used for a match within the access list. Answer D is incorrect because the PIX does not support IPX.

Question 2

Answer D is correct. The write memory command saves the configuration on the PIX to persistent memory (flash) on the PIX. Answers A and C are not valid PIX commands and are therefore incorrect. Answer B is incorrect because the write terminal command shows the configuration on the terminal but does not save it to flash.

Question 3

Answers A and B are correct. The nameif command assigns a name to each perimeter interface on the PIX firewall and specifies its security level. Answer C is incorrect because the interface command enables an interface and configures its type and speed. There is no security-level command on the PIX, so answer D is incorrect.

Question 4

Answer B is correct. The reload command reboots the PIX and loads the configuration saved to flash memory upon bootup. The commands cycle, init, and restart are not native commands on the PIX operating system for performing a reboot of the PIX, so answers A, C, D, and E are incorrect. When issuing the reload command and confirming the reboot, any unsaved commands in the configuration will not be present upon bootup.

Question 5

Answer B is correct. Normally, syslog messages are sent to the syslog server specified in the configuration of the PIX. In the event that a configured syslog server cannot be reached, 100 messages are buffered, which makes answers A, C, D, and E incorrect. Any additional messages overwrite the previous messages, beginning with the oldest, in a first-in, first-out (FIFO) manner.

Question 6

Answer A is correct. One of the options an IP phone can use is the address of a TFTP server. The phone can then use the TFTP server information to download the configuration information it needs for correct operation. You use option 66 to forward a single TFTP IP address or option 150 to forward a list of TFTP server IP addresses. This information is useful only to the DHCP clients that need the TFTP information, such as IP telephones. Answers B, C, D, and E are not the correct syntax and are therefore incorrect.

Question 7

Answers C and E are correct. Translations occur at the Network layer. A host going through NAT would have a layer 3 translation from the inside local to the inside global address. The same computer can have multiple connections to servers using the same translation. One TCP session could be to www.site1.com, whereas another could be to www.site2.com and another to ftp.site3.com. Connections occur at the Transport layer. One translated IP address can support multiple connections to these servers. Connections are a subset of translations. Answers A, B, and D are therefore incorrect.

Question 8

Answer A is correct. If a client on an inside network requests DNS resolution of an inside resource from an external or outside DNS, the DNS A-Record is translated by the PIX correctly before it is forwarded to the inside client. This enables the inside client to receive the inside IP address for the server and correctly reach that resource. The dns option in the nat or static command replaces the need to use an alias command, which makes answer B incorrect. The alias command, in earlier versions of the PIX operating system, performed the same function as the new dns option on the nat or static command and does not filter or restrict, which makes answers C and D incorrect.

Question 9

Answer C is correct. Globally enabling Turbo access lists is a simple configuration. You use the access-list compiled command to configure Turbo ACLs, which makes answer D incorrect. This command causes the Turbo ACL process to scan through all existing ACLs. You can also use Turbo ACLs on a specific access list, as opposed to enabling them globally. Answers A, B, and E are not the correct syntax and are therefore incorrect.

Question 10

Answers A and D are correct. For object groups to be nested, they must be of the same type. You can group two or more network object groups together, but you cannot nest different group types together, such as a protocol group and a network group. Therefore, answers C and E are incorrect. Nesting an object group within another object group is possible using the command-line interface, but no group object exists, so answer B is incorrect.

Question 11

Answers A, B, C, D, and E are correct. A good firewall inspects packets above the Network layer and securely opens and closes negotiated ports or IP addresses for legitimate connections through the PIX. This is important, especially in multimedia applications where ports are assigned on-the-fly and manual configuration for each application is reasonably accomplished in a busy network. The stateful nature of the PIX dynamically compensates for advanced protocols, such as H.323.

Question 12

Answers A and D are correct. The PIX can detect two signature types: informational and attack. Therefore, answers C and E are incorrect. Informational signatures are triggered by normal network activity, whereas attack signatures are triggered by an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation. Because A is correct, B is incorrect.

Question 13

Answer B is correct. The access server IP address is the IP address of the PIX firewall that will be using the ACS services. From the ACS server perspective, any devices that will be requesting AAA services via TACACS+ or RADIUS from the ACS server are considered clients. During installation, the access server IP address is requested. This access server is the PIX that will be the AAA client, so the PIX IP address should be supplied. Therefore, answers A, C, and D are incorrect.

Question 14

Answers B, C, and E are correct. The 501, 506E, 515E, 525, and 535 models are all valid firewall models. Answers A and D are incorrect because these models do not exist.

Question 15

Answers A, C, and D are correct. Restricted, unrestricted, and failover are the types of licenses for PIX firewall models 515E, 525, and 535. Answer B is incorrect because the unlimited license does not exist.

Question 16

Answers A, B, C, and D are correct. The clock command sets the PIX firewall clock and enables you to specify the time, month, date, and year. The setting is retained in memory by a battery on the motherboard.

Question 17

Answer D is correct. If two interfaces, such as E2 and E3, were both set to a security level of 50, no packets would be capable of flowing directly between the two interfaces. This is a valid configuration, such as when a provider has two servers that should never communicate directly. Therefore, answer A is incorrect. Answers B and C are incorrect because the physical number of the interface has nothing to do with the logical security levels the PIX uses to identify higher or lower security interfaces.

Question 18

Answer C is correct. Traffic that needs to go from a lower security interface to a higher one needs to have permission to do so. The application of an access list could provide this permission. Answers A, B, and D are incorrect because they do not provide the permissions from lower to higher security levels.

Question 19

Answer D is correct. Security level 100 is the most trusted interface security level. Answers A and B are incorrect because they apply to security level 0. Answer C is incorrect because security level 100 is the default and cannot be changed. Answer E is incorrect because it correlates to security levels 1 through 99.

Question 20

Answers B and D are correct. The multicast interface command on each interface enables multicast forwarding, and the mroute command creates a static route from the transmission source to the next-hop router; therefore, answer E is incorrect. The igmp forward command could allow clients on the inside to receive a multicast stream from the outside, so answer A is incorrect. The multicast routing command is an IOS command, but it is not a valid command on the PIX, so answer C is incorrect.

Question 21

Answer A is correct. The nat command, when used with the global command, can enable translation for a single host or a range of hosts. Answers B and D are incorrect because they aren't the commands used to configure translation. Answer C is incorrect because this command does not exist.

Question 22

Answer E is correct. Answers A, B, C, and D are all events that syslog is used to document.

Question 23

Answer E is correct. The PIX operating system is Cisco proprietary and is called Finesse. Answers A, B, C, and D are incorrect because the OS is not based on any flavor of Unix or NT.

Question 24

Answer C is correct. The only options for authentication with the PIX are HTTP, FTP, and Telnet. By using virtual Telnet, users could Telnet to the PIX, authenticate, and then use their email applications through the PIX. Answer A is incorrect because it is not a valid option on the PIX. Answer B is incorrect because virtual HTTP does not provide a user interface for authentication to the PIX. Answer D is incorrect because the SMTP fixup protocol doesn't provide the authentication needed by the users.

Question 25

Answer E is correct. Configuration replication occurs over the serial failover cable from the primary/active PIX firewall to the secondary/standby PIX firewall. Therefore, answers A, B, C, and D are incorrect.

Question 26

Answer D is correct. The nat command's companion is the global command. Both are used together to translate IP addresses. Answers A, B, and C are incorrect commands for this task.

Question 27

Answer B is correct. By default, only interfaces with higher security levels can access interfaces with lower security levels, which makes answers A, C, and D incorrect.

Question 28

Answers A, B, and C are correct. A connection table is used for TCP and UDP sessions, and a translation table is used for NAT sessions. A stateful database is used for tracking sessions, so answer D is incorrect.

Question 29

Answer D is correct. The PIX 535 firewall can be configured with up to 10 interfaces, making answers A, B, C, and E incorrect.

Question 30

Answer A is correct. ACLs do not improve performance for matching packets; rather they slow down the processor. Answers B, C, and D are all correct concerning ACLs.

Question 31

Answer A is correct. The Cisco Secure ACS allows specific user traffic through the PIX while denying packets from unknown users. Traffic Director, Management Center, and Cisco Secure Policy Manager don't provide per-user access control, which makes answers B, C, and D incorrect.

Question 32

Answer B is correct. The ca zeroize rsa command is used to delete a saved RSA key from flash memory. Answer A is incorrect because this command erases the configuration but not the RSA key(s). Answers C and D are not valid PIX commands and are therefore incorrect.

Question 33

Answers A and D are correct. The MailGuard feature is enabled by default and allows only the RFC 821 legal SMTP commands through the PIX. The IDS feature can protect against spam, so answer C is incorrect. The MailGuard feature is part of the PIX OS and is not limited to PIX firewalls that have at least 32MB of RAM, making answer B incorrect.

Question 34

Answers A and C are correct. The object-group command names your object group and enables a subcommand mode for the type of object you specify. Answer B is completely false regarding the command, and answer D is incorrect because the clear object-group command removes all defined object groups.

Question 35

Answer B is correct. The PIX firewall transmits default route updates using an IP destination of 224.0.0.9 if configured for RIP version 2 with the keyword default. Answer A is incorrect because RIP version 2 does not have an aggressive mode. Answer C is incorrect because the IP destination is 224.0.0.9. Answer D is incorrect because the question does have a correct answer.

Question 36

Answer B is correct. The command to change the enable password is enable password. The PIX has no enable secret command, so answer A is incorrect. The passwd command sets the Telnet password, making answer C incorrect. The set command shown in answer D is not a valid option and is therefore incorrect.

Question 37

Answer D is correct. PAT provides for address expansion, it maps port numbers to a single IP address, and the PAT address can be different from the outside interface address. Answers A, B, and C are all correct statements regarding PAT.

Question 38

Answers B and C are correct. DNS Guard tears down the UDP return path after the first response from a given DNS server is seen, which helps prevent UDP session hijacking. Answers A and D are incorrect because DNS Guard does not control which DNS servers the clients can access.

Question 39

Answer C is correct. The isakmp enable outside command enables IKE on the PIX firewall's outside interface. Answers A and B are incorrect because the crypto command is not used for enabling IKE on an interface. Answer D is incorrect because the physical interface is being used instead of the name of the interface.

Question 40

Answer D is correct. The passwd command sets the password for Telnet access to the PIX, making answers A and C incorrect. The enable password command sets the enable password, making answer B incorrect.

Question 41

Answer D is correct. The PIX firewall SSH implementation functions only as a server, which means that the PIX can't initiate SSH outbound connections. Thus, answers A, B, and C are incorrect.

Question 42

Answer B is correct. The nameif command assigns a name to an interface. The name command enables you to configure a list of name-to-IP address mappings, making answer A incorrect. hostname enables you to change the hostname on the PIX, so answer C is incorrect. ifName is not a valid command on the PIX, making answer D incorrect.

Question 43

Answer A is correct. The noconfirm option permits the PIX to reload without user confirmation, which makes answer D incorrect. Answers B and C are incorrect because they are not options for the reload command.

Question 44

Answer D is correct. The interface command enables an interface and configures its type and speed, making answer E incorrect. Answer A is not a valid PIX command and is therefore incorrect. Answer B is an option that can be used with the interface command and is not a correct answer. nameif is used to set the name and security level of an interface, so answer C is incorrect.

Question 45

Answers B and C are correct. RADIUS and TACACS+ are methods used by a PIX to communicate with an AAA server, such as ACS. Downloadable ACLs are supported with RADIUS only. The downloadable ACLs are a function of AAA authentication and require RADIUS, so answer D is incorrect. Authorization, a separate function, is available only between the PIX and the ACS if TACACS+ is used; therefore, answer A is incorrect.

Question 46

Answer C is correct. The global command specifies the IP addresses that will be used with dynamic NAT for a new translation. Answer D is incorrect because it is not a valid PIX command. Answer A is incorrect because it specifies which devices are allowed to be translated. Answer B is incorrect because the static command causes the same IP address to be used every time.

Question 47

Answer A is correct. route outside 0.0.0.0 0.0.0.0 172.168.1.1 1 is the correct syntax for the PIX to use a default route of 172.168.1.1. Answers B, C, and D are incorrect because their syntax is incorrect.

Question 48

Answers A, B, C, and D are correct. Dynamic and static inside and outside NAT are all valid options.

Question 49

Answer B is correct. access-list ACL1 permit tcp 10.2.0.0 255.255.0.0 30.0.0.0 255.0.0.0 eq 80, within an applied access list, would allow any host on the 10.2.0.0/16 network to reach a Web server on the 30.0.0.0/8 network, which makes answers A, C, and D incorrect.

Question 50

Answer D is correct. The command used to apply an access list to an interface is access-group. The interface, access-list, and nameif commands, though valid, are incorrect for this task. Therefore, answers A, B, and C are incorrect.

Question 51

Answers A and C are correct. IPSec uses UDP port 500 for IKE phase 1 and IP protocol 50 (ESP) for encrypted traffic. TCP port 23 is not required, so answers B and D are incorrect.

Question 52

Answer C is correct. AAA Flood Guard reclaims overused AAA resources to help prevent DoS attacks on AAA services and is enabled by default, which makes answer D incorrect. It does not protect against SYN flood attacks against AAA servers, which means answer A is incorrect. It also does not take back authorization from users, meaning answer B is incorrect.

Question 53

Answers A, C, and D are correct. When the PIX detects an attack, it can be configured either to send an alarm to a syslog server and drop the offending packet, or to drop the packet and send a TCP reset to close the TCP session. The PIX can't, on its own, apply a shun statement to block the attacker from future access, which makes answer B incorrect. Dynamically implementing a shun requires an IDS appliance or a similar external resource.

Question 54

Answer D is correct. Answers A, B, and C are all valid options for importing a device in the PIX MC. The MC does not have an import menu option to pull a configuration from CSPM.

Question 55

Answers A, C, and D are correct. Rules are recognized as mandatory or default and can be applied at the global level, at a group level, or to an individual device. Thus, answer B is incorrect. In addition, default rules can be overridden.




CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218
