CCNP Security FAQ : Configuring Access

Q1. Which of the following are constraints when configuring policy NAT?
A. A global address can be used concurrently for NAT and PAT.
B. An access list must be used only twice with the nat command.
C. Access lists for policy NAT cannot contain deny statements.
D. An access list must be used only once with the nat command.

Answer: C, D

Q2. Which of the following is not one of the four object types available when you create an object group?
A. Network
B. Protocol
C. Application
D. Services

Answer: C

Q3. Which command lets you create a network object group?
A. object-group network group-id
B. enable object-group network group-id
C. create network object-group
D. network object-group enable

Answer: A

Q4. Which command do you configure on the Security Appliance to allow access to higher-security subnets?
A. nat (outside) 0
B. nat (inside) 0
C. global
D. static
E. None of these answers are correct.

Answer: B

Q5. How many SMTP commands are allowed by the ASA application inspection function?
A. 3
B. 2
C. 7
D. 5

Answer: C

Q6. How do you change the port of an FTP inspection?
A. Using a class-map to create a traffic class
B. fixup protocol ftp port
C. inspect ftp port
D. redirect ftp port

Answer: A

Q7. Which of the following is the correct syntax for mapping an internal web server with an IP address of to an outside IP address of for HTTP traffic?
A. static (inside, outside) 80 netmask eq www
B. static (inside, outside) 80 netmask
C. static (inside, outside) tcp 80 www netmask
D. static (inside, outside) 80 netmask

Answer: E

Q8. What do static NAT settings do?

Answer: Static NAT creates a one-to-one mapping between a host or network on one interface and its translated address on the other interface.

Q9. What is the difference between regular NAT and policy-based network translation?

Answer: The policy NAT feature lets you identify traffic for address translation by specifying the source and destination addresses (or ports) in an access list, whereas regular NAT uses only source addresses/ports.

Q10. True or false: The following commands constitute the correct way to set up NAT on an ASA 5520?

Answer: False. Deny statements are not supported in policy NAT.

Q11. Which command would you use to create a description/remark “Linda’s group extranet server access” for access list 112?

Answer: access-list 112 remark Linda’s group extranet server access

Q12. How would you change the default port assignment for FTP?

Answer: To change the port for FTP inspection or any form of inspection, you must create a class map that directs traffic from that specific port into a traffic class for inspection.

Q13. What is the function of object groups?

Answer: Object groups are used to group hosts/networks, services, protocols, and ICMP types. Object grouping provides a way to reduce the number of access rules required to describe complex security policies.

Q14. What are the four object type options available when you are creating object groups?

Answer: network, protocol, service, and icmp-type

Q15. How would you specify the maximum number of concurrent deny flows that can be created with an access list?

Answer: With the access-list deny-flow-max num-of-flows command.

Q16. What are the seven SMTP commands allowed by SMTP inspection?
