Exam Prep Questions

Question 1

Which of the following firewall policies can be enforced from the VPN 3000 Concentrator? (Choose three.)

  • A. SEP

  • B. CIC

  • C. IS

  • D. AYT

  • E. CPP

A1:

C, D, and E are correct. IS server policies, AYT, and CPP are all definable from the concentrator. Answer A is incorrect because SEP is an encryption accelerator module. Answer B is incorrect because CIC is the client's internal firewall and is not a policy that is implemented on the concentrator.

Question 2

Which of the following are steps in enforcing a CPP firewall policy? (Choose all that apply.)

  • A. Create a rule and assign it to a filter.

  • B. Change the AYT timer to something other than the default polling interval.

  • C. Select the filter in the "Policy Pushed" field.

  • D. Configure the client to accept CPP policies.

A2:

Answers A and C are correct. To configure a CPP firewall policy, you must first define the policy by creating rules and assigning them to a filter. After this step is finished, you must choose that filter in the Policy Pushed field. Answer B is incorrect because the AYT time is not utilized when using CPP as a firewall policy. Answer D is incorrect because no configurations are necessary on the client if it is to interact with the concentrator's firewall policy.

Question 3

Which three incoming protocols are allowed through the Cisco Client's Stateful Firewall (Always On) policy? (Choose three.)

  • A. RIP

  • B. DHCP

  • C. ESP

  • D. Tunneled IP traffic

  • E. VRRP

  • F. HTTP

A3:

Answers B, C, and D are correct. The Stateful Firewall (Always On) policy allows only DHCP, ESP, and tunneled traffic. Answers A, E, and F are incorrect because all other traffic is dropped because there is not a rule allowing other protocols through the stateful firewall.

Question 4

The Stateful Firewall is active only when the tunnel is connected. (True or False)

  • A. True

  • B. False

A4:

Answer B is correct. The Stateful Firewall (Always On) policy is just that: always on. This CIC firewall, if activated, remains on whether or not the VPN session is connected. Otherwise, it would be possible for attackers to compromise the client while the tunnel is down and launch an attack when the tunnel is connected.

Question 5

Which of the following firewall vendors do not support the CPP feature?

  • A. Cisco CIC

  • B. Zone Labs ZoneAlarm

  • C. BlackICE Defender

  • D. Zone Labs ZoneAlarm Pro

A5:

Answer C is the correct answer. BlackICE Defender does not support CPP; it supports only the AYT firewall policy. Answers A, B, and D are incorrect because Zone Labs ZoneAlarm and ZoneAlarm Pro, as well as the Cisco CIC firewall, all support the Central Protection Policy.

Question 6

Users are complaining that they cannot access Web pages from their client when connected to the main headquarters. However, the users are able to download and send email. Which of the following could be viable causes of this problem? (Choose all that apply.)

  • A. The stateful firewall is enabled on the CIC client.

  • B. The CPP policy is not allowing inbound and outbound HTTP traffic.

  • C. Split tunneling is not enabled for the client's group on the VPN 3000 concentrator.

  • D. The user's session has been disconnected because the AYT timer has expired.

A6:

Answers B and C are correct. If a client cannot access certain services, most likely there is a configuration error in the Central Protection Policy's filter. Additionally, if split tunneling is not enabled, the client is forced to send all traffic across the tunnel, and the central location may not have a routing configuration in place to allow tunneled traffic out of the corporate Internet link. Answer A is incorrect because the stateful firewall does not prohibit the client from initiating a TCP session for HTTP. Once a session is initiated, it is logged in the state table and subsequent packets are permitted as long as they match the state table's information. Answer D is incorrect because HTTP traffic would traverse the client workstation's own Internet connection if the tunnel were not connected.

Question 7

Based upon the following CPP firewall policy:

Action  | Direction | Source Address | Dest Address  | Protocol | Source Port | Dest Port
Forward | Inbound   | 192.168.1.101  | Local         | Any      | N/A         | N/A
Forward | Outbound  | Local          | 192.168.1.101 | Any      | N/A         | N/A
Forward | Inbound   | 10.2.2.0       | Local         | Any      | N/A         | N/A
Forward | Outbound  | Local          | 10.2.2.0      | Any      | N/A         | N/A
Drop    | Inbound   | Any            | Local         | Any      | N/A         | N/A
Drop    | Outbound  | Local          | Any           | Any      | N/A         | N/A
Forward | Outbound  | Local          | Any           | 6        | Any         | 80
Forward | Inbound   | Any            | Local         | 6        | 80          | Any

What will happen to Internet HTTP traffic originating from this client?

  • A. It will be tunneled across to the 10.2.2.0 network.

  • B. It will be forwarded out to the Internet assuming that split tunneling is enabled.

  • C. There is no rule specifying HTTP traffic, so it will be forwarded.

  • D. Inbound and outbound HTTP traffic will be dropped.

A7:

Answer D is correct. CPP rules act like an IOS access list. As such, the rules are processed from the top down. When a match is made, the rest of the rules are not compared. The client's CPP rule output states that traffic to and from 192.168.1.101 and the 10.2.2.0 network will be forwarded. If a match does not occur for those four rules, the next two rules state that any traffic with any source to any destination will be dropped. Because the HTTP traffic is destined for the Internet, it does not match the first four rules; however, it does match the next two rules because the rules specify traffic for any source and any destination. Because there was a match for these rules, any subsequent rules are not processed. Thus, HTTP traffic is dropped despite the last two rules that forward HTTP traffic (TCP port 80). Answer A is incorrect because the HTTP traffic is destined for the Internet, not the 10.2.2.0 network. Answer B is incorrect because the order of the rules does not forward HTTP. Answer C is incorrect because the rules to forward HTTP exist; they are just not prioritized correctly.

Question 8

Several users are complaining that their clients cannot connect to the concentrator. They were able to connect yesterday and you have not made any password changes. However, you recently applied a firewall policy to several groups. What is the most likely cause of the problem?

  • A. The AYT timer is expiring and the session is being disconnected.

  • B. You configured the policy to Firewall Optional and the users do not have an active firewall on the client.

  • C. You configured the policy to Firewall Required and the users do not have an active firewall on the client.

  • D. The stateful firewall is blocking IPSEC-ESP.

A8:

Answer C is correct. If a client attempts to connect to a concentrator and its group has a required firewall policy, the client must have that firewall active on the client to connect. Answer A is incorrect because the clients are having trouble with connecting, as opposed to being disconnected after a duration of time. AYT disconnects a session after a period of inactivity, not upon initial connection. Answer B is incorrect because the Firewall Optional setting only sends a warning message to the connecting client; it does not disconnect the session. Answer D is incorrect because the stateful firewall allows IPSEC-ESP packets through the firewall.

Question 9

Based upon the following CPP firewall policy:

Action  | Direction | Source Address | Dest Address  | Protocol | Source Port | Dest Port
Forward | Inbound   | 192.168.1.101  | Local         | Any      | N/A         | N/A
Forward | Outbound  | Local          | 192.168.1.101 | Any      | N/A         | N/A
Forward | Inbound   | 10.2.2.0       | Local         | Any      | N/A         | N/A
Forward | Outbound  | Local          | 10.2.2.0      | Any      | N/A         | N/A
Forward | Outbound  | Local          | Any           | 6        | Any         | 23
Drop    | Outbound  | Local          | Any           | Any      | N/A         | N/A
Drop    | Inbound   | Any            | Local         | Any      | N/A         | N/A

What happens to Telnet traffic originating from this client? (Choose all that apply.)

  • A. Telnet traffic destined for 10.2.2.0 is forwarded.

  • B. Telnet traffic destined for 192.168.1.101 is forwarded.

  • C. Telnet sessions out to the Internet are connected.

  • D. Telnet sessions out to the Internet do not connect.

A9:

Answers A, B, and D are correct. In accordance with the rules of the CPP filter, all traffic (including Telnet) destined for 192.168.1.101 and the 10.2.2.0 network is forwarded. Telnet traffic (TCP port 23) can also be forwarded out from the client's workstation; however, there is no rule allowing the return traffic to be forwarded. Without this explicit rule, a Telnet session will never be able to connect.
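The top-down, first-match processing explained in A7 and A9 can be checked mechanically. The following evaluator is an added example, not code from the book or from Cisco; the two rule tables are transcribed from Questions 7 and 9, the Internet host address 203.0.113.10 and the ephemeral port 51000 are constructed, and a bare network such as 10.2.2.0 is assumed to be a /24 because the tables carry no mask.

```python
import ipaddress

ANY = "Any"

# One tuple per table row, in the column order used in Questions 7 and 9:
# (Action, Direction, Source Address, Dest Address, Protocol, Source Port, Dest Port)
COMMON = [
    ("Forward", "Inbound",  "192.168.1.101", "Local",         ANY, "N/A", "N/A"),
    ("Forward", "Outbound", "Local",         "192.168.1.101", ANY, "N/A", "N/A"),
    ("Forward", "Inbound",  "10.2.2.0",      "Local",         ANY, "N/A", "N/A"),
    ("Forward", "Outbound", "Local",         "10.2.2.0",      ANY, "N/A", "N/A"),
]
Q7_RULES = COMMON + [
    ("Drop",    "Inbound",  ANY,     "Local", ANY, "N/A", "N/A"),
    ("Drop",    "Outbound", "Local", ANY,     ANY, "N/A", "N/A"),
    ("Forward", "Outbound", "Local", ANY,     "6", ANY,   "80"),   # never reached
    ("Forward", "Inbound",  ANY,     "Local", "6", "80",  ANY),    # never reached
]
Q9_RULES = COMMON + [
    ("Forward", "Outbound", "Local", ANY,     "6", ANY,   "23"),   # outbound Telnet only
    ("Drop",    "Outbound", "Local", ANY,     ANY, "N/A", "N/A"),
    ("Drop",    "Inbound",  ANY,     "Local", ANY, "N/A", "N/A"),  # eats the Telnet replies
]

def addr_matches(field, value):
    """Address column: Any, Local (the client itself), a host, or a network.
    Assumption: the tables give no mask, so a value ending in .0 is a /24."""
    if field == ANY or field == value:
        return True
    if "Local" in (field, value):
        return False
    net = ipaddress.ip_network(field + ("/24" if field.endswith(".0") else ""), strict=False)
    return ipaddress.ip_address(value) in net

def field_matches(field, value):
    # Protocol and port columns: Any / N/A match everything, otherwise exact match
    return field in (ANY, "N/A") or field == str(value)

def evaluate(rules, pkt):
    """Top-down, first match wins, like an IOS access list.
    Returns (action, 1-based rule number); unmatched traffic is dropped here."""
    for n, (action, direction, src, dst, proto, sport, dport) in enumerate(rules, 1):
        if (direction == pkt["dir"] and addr_matches(src, pkt["src"])
                and addr_matches(dst, pkt["dst"]) and field_matches(proto, pkt["proto"])
                and field_matches(sport, pkt["sport"]) and field_matches(dport, pkt["dport"])):
            return action, n
    return "Drop", None

def packet(direction, src, dst, dport, sport=51000):
    # Constructed TCP (protocol 6) packet; 203.0.113.10 stands in for an Internet host
    return {"dir": direction, "src": src, "dst": dst, "proto": 6, "sport": sport, "dport": dport}
```

Running `evaluate(Q7_RULES, packet("Outbound", "Local", "203.0.113.10", 80))` returns `("Drop", 6)`, and `evaluate(Q9_RULES, packet("Inbound", "203.0.113.10", "Local", 51000, sport=23))` returns `("Drop", 7)`, which is exactly why the Telnet session in Question 9 never completes.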

Question 10

How often are AYT messages sent to the firewall clients?

  • A. Every 10 seconds

  • B. Every 30 seconds

  • C. Every 300 seconds

  • D. Every 100 seconds

A10:

Answer B is correct. AYT messages are sent every 30 seconds to detect whether an active firewall exists on the client. Answers A, C, and D are incorrect because AYT messages are sent only every 30 seconds.


CSVPN Exam Cram 2 (Exam 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185