CCIE Security FAQ Security Technologies
Q1. DMZ stands for what?
a. Demilitarized zone
b. Demitted zone
c. Domain main zone
d. Domain name
Q2. When defining an extended access list, what TCP port numbers can you use?
a. Only predefined Cisco keywords
b. 0 to 65,000
c. 0 to 65,535
d. 1 to 65,534
e. None of the above
Explanation: TCP port numbers range from 0 to 65,535; devices such as PCs use source ports from 1025 to 65,535.
Q3. When defining an extended access list, what UDP port numbers can you use?
a. Only predefined Cisco keywords
b. 0 to 65000
c. 0 to 65535
d. 1 to 65534
e. None of the above
Explanation: UDP port numbers from 0 to 65535.
Q4. Which of the following is not a TCP service?
Explanation: The who service runs over UDP.
Q5. Which of the following is not a UDP service?
Explanation: BGP runs over TCP port 179.
Q6. For how many translations does PAT allow you to use one IP address?
Explanation: Port Address Translation (PAT) occurs when the local port number is modified, allowing more than one host to share one public address, for example. The port number in a TCP segment can range from 0 to 65,535, so answer b is closest to the actual number of allowed translations.
Q7. PAT translates all private addresses based on what?
a. Source port
b. Destination port
c. Both source and destination
Explanation: PAT is based on the source port; the destination port is not altered. For example, a Telnet connection is based on the local port number (a random number generated by the device between 0 and 65,535) and the destination port number 23.
Q8. NAT is which of the following?
a. Network Architectural Language
b. National anthem of Latvia
c. Network translation
d. Network Address Translation
Q9. NAT is defined in which RFC?
Explanation: NAT is defined by Request for Comments (RFC) number 1631.
Q10. The following defines which NAT terminology: “A legitimate registered IP address as assigned by the InterNIC?”
a. Inside local address
b. Outside global address
c. Inside global address
d. Outside local address
Q11. What IOS command defines a pool of addresses that will be translated to a registered IP address?
a. ip nat inside
b. ip nat outside
c. ip nat pool
d. ip nat inside pool
e. ip nat outside pool
Q12. PIX stands for what?
a. Protocol interchange
b. Cisco Private Internet
c. Private Internet Exchange
d. Public Internet Exchange
Q13. To define how a PIX will route IP data, what is the correct syntax for a PIX 520?
a. ip route
c. ip route enable
Explanation: A PIX can run RIP or be configured for static routing; a default route is typically required so that end-user data can be sent to the Internet, for example.
Q14. What is the alias command’s function on a PIX firewall?
a. To define a local host name
b. To define the DNS server
c. Used in NAT environments where one IP address is translated into another.
d. Only applicable to Cisco IOS
Explanation: The PIX alias command is used for NAT configurations. The alias command translates one IP address into another address. For example, one private network might be using unregistered IP address space, and to allow users access to outside address space, the alias command is used. This command is applied differently on a Cisco IOS router.
Q15. CBAC stands for what?
a. CBAC is not a valid term
b. Cisco Business architectural centre
c. Context-based Access Control
d. Context-based Accelerated controller
e. Content-based arch. Centre
Q16. What is IKE used to accomplish?
a. NAT translations
b. Ensures that data is not sourced by the right sources
c. Ensures that data is not sourced by the wrong sources
d. No use
e. Both a and c
Explanation: Internet Key Exchange (IKE) keeps network data confidential from unauthorized sources.
Q17. To create a simple VPN tunnel (unencrypted) between two sites, what must you do on a Cisco router?
a. Create a GRE tunnel
b. Create a routing map
c. Nothing, use a PIX
d. Create an IPSec tunnel
Explanation: A simple VPN tunnel requires a generic routing encapsulation (GRE) tunnel between two Cisco routers.
Q18. What does the term DMZ refer to?
Q19. What is the perimeter router’s function in a DMZ?
Answer: The perimeter router sits between the DMZ and the public domain. It is typically a high-performance router, or routers, that performs a number of duties, including the following:
- Access lists to ensure access to IP is restricted
- Restrictions to TCP services
- Restrictions on what applications can be run
- Routing protocols (typically, BGP)
Q20. What two main transport layer protocols do extended access lists filter traffic through?
Q21. Which of the following is not a TCP service?
Explanation: Echo is part of the UDP protocol suite. Ident, ftp, and pop2/pop3 are TCP services.
Q22. Name five UDP services that can be filtered with an extended access-list.
Answer: Cisco IOS can filter a number of UDP services, including the following:
- biff—Biff (mail notification, comsat, 512)
- bootpc—Bootstrap Protocol (BOOTP) client (68)
- bootps—Bootstrap Protocol (BOOTP) server (67)
- discard—Discard (9)
- dnsix—DNSIX security protocol auditing (195)
- domain—Domain Name Service (DNS, 53)
- echo—Echo (7)
- isakmp—Internet Security Association and Key Management Protocol (500)
- mobile-ip—Mobile IP registration (434)
- nameserver—IEN116 name service (obsolete, 42)
- netbios-dgm—NetBIOS datagram service (138)
- netbios-ns—NetBIOS name service (137)
- netbios-ss—NetBIOS session service (139)
- ntp—Network Time Protocol (123)
- pim-auto-rp—PIM Auto-RP (496)
- rip—Routing Information Protocol (router, in.routed, 520)
- snmp—Simple Network Management Protocol (161)
- snmptrap—SNMP traps (162)
- sunrpc—Sun Remote Procedure Call (111)
- syslog—System Logger (514)
- tacacs—TAC Access Control System (49)
- talk—Talk (517)
- tftp—Trivial File Transfer Protocol (69)
- time—Time (37)
- who—Who service (rwho, 513)
- xdmcp—X Display Manager Control Protocol (177)
Q23. What RFC defines NAT?
Q24. In NAT, what is the inside local address used for?
Q25. What does the IOS command ip nat inside source list accomplish?
Q26. What are the four possible NAT translations on a Cisco IOS router?
Answer: The four NAT translation versions are as follows:
- Static NAT—Maps an unregistered IP address to a registered IP address on a one-to-one basis.
- Dynamic NAT—Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
- Overloading—A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address using different ports. Known also as Port Address Translation (PAT), single address NAT, or port-level multiplexed NAT.
- Overlapping—When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses.
Q27. How many connections can be translated with a PIX firewall for the following RAM configurations: 16 MB, 32MB, or 128MB?
Q28. When the alias command is applied to a PIX, what does it accomplish?
Q29. What security features does the Cisco IOS Firewall feature set allow a network administrator to accomplish?
Answer: The Cisco IOS Firewall feature set consists of the following:
- Context-based Access Control (CBAC) provides internal users secure, per-application-based access control for all traffic across perimeters, such as between private enterprise networks and the Internet.
- Java blocking protects against unidentified, malicious Java applets.
- Denial-of-service detection and prevention defends and protects router resources against common attacks, checking packet headers and dropping suspicious packets.
- Audit trail details transactions, recording time stamp, source host, destination host, ports, duration, and total number of bytes transmitted.
- Real-time alerts log alerts in case of denial-of-service attacks or other preconfigured conditions.
Q30. What does CBAC stand for?
Q31. Name the eight possible steps to take when configuring CBAC.
Answer: To configure CBAC, the following tasks are required or optional:
- Pick an internal or external interface. (Required)
- Configure IP access lists at the interface. (Required)
- Configure global timeouts and thresholds. (Required)
- Define an inspection rule. (Required)
- Apply the inspection rule to an interface. (Required)
- Configure logging and audit trail. (Required)
- Follow other guidelines for configuring a firewall. (Required)
- Verify CBAC. (Optional)
Q32. What is a virtual private network?
Q33. The following configuration is installed on a PIX 520. Users from the inside network 10.0.0.0/8 report to you that they cannot browse the Internet. What is the problem, and what command or commands will rectify the problem?
pix# write terminal
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no logging standby
logging console debugging
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address inside 22.214.171.124 255.255.255.
ip address outside 126.96.36.199 255.255.255.0
route inside 10.0.0.0 255.0.0.0 188.8.131.52
route outside 0.0.0.0 0.0.0.0 131.018.1.2
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 184.108.40.206-220.127.116.11 netmask 255.255.255.224
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
Answer: Cisco PIX Firewalls need to NAT any nonregistered IP address space. In particular, the Class A 10.0.0.0/8 is not routable in the Internet, so you must use NAT to permit access, or you could re-address your entire network, which clearly is not an exercise you will do often.
The following command will NAT all inside addresses:
nat (inside) 1 0.0.0.0 0.0.0.0
Before inside hosts can access the Internet, you must also tell the PIX where to send IP data (remember that the PIX is not as intelligent as a router, although RIP can be configured by the network administrator), and you route IP data with the command shown here:
route outside 0.0.0.0 0.0.0.0 <default-gateway>
This command installs a default route where IP datagrams will be sent, typically, the perimeter router or ISP router.
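To make the Q33 diagnosis mechanical, here is an added example (not code from the page or from Cisco) in Python that audits a PIX configuration for the two conditions the answer names: a global pool with no matching nat statement carrying the same id, and a missing default route on the outside interface. The sample configuration is constructed with documentation addresses and is not the page's own.

```python
import re

# Constructed sample modelled on the Q33 situation (not the page's own config):
# a global pool and a default route are present, but no nat statement.
BROKEN_PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
route inside 10.0.0.0 255.0.0.0 192.0.2.2
route outside 0.0.0.0 0.0.0.0 198.51.100.2
global (outside) 1 198.51.100.10-198.51.100.20 netmask 255.255.255.224
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
DEFAULT_ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+")


def audit_pix_nat(config: str) -> list:
    """Return problems that would stop inside hosts reaching the Internet:
    every 'global' pool id needs a 'nat' statement with the same id, and a
    default route must exist on the outside interface."""
    globals_ = {}   # pool id -> outside interface name
    nats = {}       # pool id -> inside interface name
    default_route_ifaces = set()
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            globals_[int(m.group(2))] = m.group(1)
        elif m := NAT_RE.match(line):
            nats[int(m.group(2))] = m.group(1)
        elif m := DEFAULT_ROUTE_RE.match(line):
            default_route_ifaces.add(m.group(1))
    problems = []
    for pool_id, iface in sorted(globals_.items()):
        if pool_id not in nats:
            problems.append(f"global ({iface}) {pool_id} has no matching nat; "
                            f"add: nat (inside) {pool_id} 0.0.0.0 0.0.0.0")
    for pool_id, iface in sorted(nats.items()):
        if pool_id not in globals_:
            problems.append(f"nat ({iface}) {pool_id} has no matching global pool")
    if "outside" not in default_route_ifaces:
        problems.append("no default route; add: route outside 0.0.0.0 0.0.0.0 <gw>")
    return problems


if __name__ == "__main__":
    for problem in audit_pix_nat(BROKEN_PIX_CONFIG):
        print(problem)
    fixed = BROKEN_PIX_CONFIG + "nat (inside) 1 0.0.0.0 0.0.0.0\n"
    print("after fix:", audit_pix_nat(fixed))
```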