CCNP Security FAQ : Understanding Cisco Security Appliance Translation and Connection

Q1. By default, how long will an embryonic connection remain open?
A. 2 minutes
B. 3600 seconds
C. 1800 seconds
D. Unlimited
E. 30 minutes

Answer: D

Q2. You have configured two additional DMZ interfaces on your ASA Security Appliance. How do you prevent nodes on DMZ1 from accessing nodes on DMZ2 without adding rules to the security policy?
A. Route all traffic for DMZ2 out the outside interface.
B. Dynamically NAT all DMZ2 nodes to a multicast address.
C. Assign a higher security level to DMZ2.
D. All of the above.

Answer: C

Q3. Which of the following is not a method of address translation supported by the PIX Firewall?
A. Network Address Translation
B. Socket Address Translation
C. Port Address Translation
D. Static Address Translation

Answer: B

Q4. What happens if you configure two interfaces with the same security level?
A. Traffic will pass freely between those connected networks.
B. Traffic will not pass between those interfaces.
C. Specific ACLs must allow traffic between those interfaces.
D. The two interfaces will not apply the nat or global commands.

Answer: B

Q5. When should you run the command clear xlate?
A. When updating a conduit on the firewall
B. When editing the NAT for the inside segment
C. When adding addresses to the global pool
D. All of the above

Answer: D

Q6. How do you define the global addresses used when configuring NAT?
A. Define a subnet.
B. Define an address range.
C. Define individual IP addresses.
D. You can define only /24 address segments for global addresses.
E. None of the above.

Answer: B

Q7. How many external IP addresses are required to configure PAT?
A. A single address
B. A /24 subnet
C. A defined address range
D. Any of the above
E. None of the above

Answer: A

Q8. What command shows all active TCP connections on the PIX Firewall?
A. show conn
B. show xlate
C. show connection status
D. show tcp active
E. None of the above

Answer: A

Q9. Why is it difficult to penetrate the Security Appliance over UDP port 53?
A. The Security Appliance allows multiple outbound queries but randomizes the UDP sequence numbers.

B. The Security Appliance allows queries to go out to multiple DNS servers but drops all but the first response.

C. The Security Appliance allows responses only to outbound DNS queries.

D. All of the above

Answer: B

Q10. How many connections can you hide behind a single global address?
A. 65,536
B. 255
C. 17,200
D. An unlimited number
E. None of the above

Answer: E

Q11. What is the difference between TCP and UDP?

Answer: TCP is a connection-oriented protocol, and UDP is a connectionless protocol.

Q12. What is the default security policy for traffic originating on the inside network segment and going to the outside network?

Answer: By default, traffic is permitted from the inside (higher security level) to the outside (lower security level) network as long as the appropriate nat/global/static command has been configured.

Q13. True or false: You can have multiple translations in a single connection.

Answer: False. Multiple connections can take place in a single translation.

Q14. What commands are required to configure NAT on a Cisco Security Appliance?

Answer: nat and global are required to configure NAT on a Cisco Security Appliance.

Q15. How many nodes can you hide behind a single IP address when configuring PAT?

Answer: You can hide approximately 64,000 nodes. This figure comes from subtracting the 1024 reserved (well-known) ports from the 65,535 available ports. In practice the number of nodes is lower, because each node normally holds several connections at once and every connection consumes a port on the single global address.

Q16. What is an embryonic connection?

Answer: An embryonic connection is a half-open TCP session.

Q17. What is the best type of translation to use to allow connections to web servers from the Internet?

Answer: Static translations. A static translation provides a fixed one-to-one mapping from an external (global) address to an internal or DMZ address, so inbound connections to the web server always reach the same host.

Q18. How does the Cisco Security Appliance handle outbound DNS requests?

Answer: A Cisco Security Appliance allows multiple outbound queries but allows only a single query response. All responses after the first are dropped.
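The behaviour described in Q9 and Q18 (DNS Guard), as an added example that is not part of the original page or of any Cisco code: the appliance keeps state for each outbound UDP/53 query, admits the first matching reply, and drops every later reply for that query, whether it comes from the same server or from another server the client also asked. The hosts, ports and transaction IDs are constructed for the example; the real appliance keys on the UDP connection plus the DNS transaction ID and also applies a UDP idle timeout, which is not modelled here.

```python
# Added example, not from the original page or from Cisco: a small model of
# DNS Guard. State is kept per outbound query; the first matching reply is
# admitted and closes the query, later replies for that query are dropped,
# and replies that match no query are dropped. Hosts and IDs are constructed.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Udp:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int  # DNS transaction ID carried in the UDP payload


class DnsGuard:
    """Tracks outbound UDP/53 queries and admits exactly one reply each."""

    def __init__(self) -> None:
        # (client, client port, txid) -> servers the query was sent to
        self._pending: Dict[Tuple[str, int, int], Set[str]] = {}

    def outbound(self, pkt: Udp) -> bool:
        """Inside -> outside. Queries are always allowed; remember them."""
        if pkt.dport == 53:
            key = (pkt.src, pkt.sport, pkt.txid)
            self._pending.setdefault(key, set()).add(pkt.dst)
        return True

    def inbound(self, pkt: Udp) -> bool:
        """Outside -> inside. Allowed only as the first reply to a query."""
        if pkt.sport != 53:
            return False          # unsolicited UDP from a lower security level
        key = (pkt.dst, pkt.dport, pkt.txid)
        servers = self._pending.get(key)
        if servers is None or pkt.src not in servers:
            return False          # no such query, or reply from a server never asked
        del self._pending[key]    # the first answer closes the query entirely
        return True

    def pending(self) -> int:
        return len(self._pending)


def scenario() -> List[bool]:
    """Client asks two servers with the same txid; only one reply gets in."""
    fw = DnsGuard()
    client, port, txid = "10.1.1.5", 40000, 0x1A2B
    fw.outbound(Udp(client, port, "198.51.100.10", 53, txid))
    fw.outbound(Udp(client, port, "198.51.100.11", 53, txid))
    replies = [
        Udp("198.51.100.10", 53, client, port, txid),    # first reply: allowed
        Udp("198.51.100.10", 53, client, port, txid),    # duplicate: dropped
        Udp("198.51.100.11", 53, client, port, txid),    # late reply: dropped
        Udp("198.51.100.12", 53, client, port, txid),    # never queried: dropped
        Udp("198.51.100.10", 53, client, port, 0x0001),  # wrong txid: dropped
    ]
    return [fw.inbound(r) for r in replies]
```

The point for a practitioner is the third reply: the second server did answer a real query, but because the first server's reply already closed the query, nothing from the second server is accepted, which is what limits an attacker's window for injecting a forged response.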

Q19. True or false: The quickest way to clear the translation table is to reboot the Cisco Security Appliance.

Answer: False. The command clear xlate is the fastest method of clearing the translation table.

Q20. True or false: If you configure a static translation for your web server, everyone can connect to it.

Answer: False. You also need to configure an ACL or conduit allowing the connection.

Q21. What does a Security Appliance, such as a PIX Firewall, normally change when allowing a TCP handshake between nodes on different interfaces and performing NAT?

Answer: The Cisco Security Appliance translates the local address to a global address and randomly generates a new initial TCP sequence number.

Q22. What does the Cisco Security Appliance normally change when allowing a TCP handshake between nodes on different interfaces and performing PAT?

Answer: The Cisco Security Appliance changes the local address and source port to a global address and random port and generates a random initial TCP sequence number.

Q23. True or false: TCP is a much better protocol than UDP because it does handshakes and randomly generates TCP sequence numbers.

Answer: False. Each transport protocol has its strengths and weaknesses. UDP is connectionless and has much less overhead than TCP; however, TCP is more reliable.

Q24. What are the two commands (syntax) to perform NAT of all internal addresses?

Answer: nat (inside) 1 0 0 together with global (outside) 1 <start-ip>-<end-ip>. The 0 0 address/mask pair (the same as 0.0.0.0 0.0.0.0) matches every address on the inside interface, the global statement supplies the outside address range they are translated to, and the shared id value (1) ties the two commands together.

Q25. When would you want to configure NAT and PAT for the same inside segment?

Answer: You would want to configure NAT and PAT for the same inside segment when you have more internal users than addresses in the global pool. If you use only PAT, you limit all of your local addresses to a single global address.
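A toy model of the translation and connection tables discussed in Q13, Q15, Q21, Q22 and Q25, as an added example that is not part of the original page or of any Cisco code. It models a nat (inside) 1 0 0 statement with a global pool and a single PAT address under the same id: dynamic NAT hands out pool addresses first, PAT takes over on the single address once the pool is empty, many connections share one translation, a fresh random TCP initial sequence number is chosen per connection, and clear xlate empties both tables. Addresses, pool size and the table layout are constructed for the example and do not reproduce the appliance's real data structures.

```python
# Added example, not from the original page or from Cisco code: separate
# translation (xlate) and connection (conn) tables for nat (inside) 1 0 0
# with a global pool plus one PAT address under the same id. Addresses and
# pool size are constructed.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAT_PORTS = range(1024, 65536)  # ports below 1024 are not handed out for PAT


@dataclass
class Xlate:
    local_ip: str
    global_ip: str
    local_port: Optional[int] = None   # set only for PAT entries
    global_port: Optional[int] = None
    conns: int = 0                     # connections riding this translation


class Appliance:
    def __init__(self, pool: List[str], pat_ip: str) -> None:
        self._pool_cfg = list(pool)    # global (outside) 1 <range>
        self.pat_ip = pat_ip           # global (outside) 1 <single address>
        self.clear_xlate()

    def clear_xlate(self) -> None:
        """Equivalent of 'clear xlate': drop every translation and conn."""
        self.pool = list(self._pool_cfg)
        self._pat_ports = iter(PAT_PORTS)
        self.xlates: Dict[Tuple[str, Optional[int]], Xlate] = {}
        self.conns: Dict[Tuple[str, int, str, int], dict] = {}

    def _xlate_for(self, local_ip: str, local_port: int) -> Xlate:
        nat_key = (local_ip, None)
        if nat_key in self.xlates:
            return self.xlates[nat_key]
        if self.pool:                  # dynamic NAT: one global per local host
            x = Xlate(local_ip, self.pool.pop(0))
            self.xlates[nat_key] = x
            return x
        pat_key = (local_ip, local_port)   # pool exhausted: fall back to PAT
        if pat_key not in self.xlates:
            try:
                gport = next(self._pat_ports)
            except StopIteration:
                raise RuntimeError("PAT port space on %s exhausted" % self.pat_ip)
            self.xlates[pat_key] = Xlate(local_ip, self.pat_ip, local_port, gport)
        return self.xlates[pat_key]

    def open_tcp(self, local_ip: str, local_port: int,
                 remote_ip: str, remote_port: int) -> Tuple[str, int, int]:
        """Outbound SYN from inside: build or reuse an xlate, add a conn."""
        x = self._xlate_for(local_ip, local_port)
        x.conns += 1
        gport = local_port if x.global_port is None else x.global_port
        isn = secrets.randbits(32)     # the client's ISN is replaced (Q21/Q22)
        self.conns[(x.global_ip, gport, remote_ip, remote_port)] = {
            "local": (local_ip, local_port), "isn": isn, "embryonic": True}
        return x.global_ip, gport, isn

    def complete_handshake(self, global_ip: str, gport: int,
                           remote_ip: str, remote_port: int) -> None:
        """SYN/ACK and ACK seen: the conn is no longer half-open."""
        self.conns[(global_ip, gport, remote_ip, remote_port)]["embryonic"] = False

    def show_conn(self) -> List[Tuple[str, int, str, int, bool]]:
        """Rough 'show conn': (global ip, global port, remote, port, embryonic)."""
        return [(k[0], k[1], k[2], k[3], v["embryonic"])
                for k, v in self.conns.items()]


def pat_capacity() -> int:
    """Upper bound on simultaneous PAT translations for one global address."""
    return len(PAT_PORTS)
```

With a three-address pool, the first three inside hosts each get their own global address and keep it across all of their connections (one xlate, several conns), while the fourth host is translated to the PAT address with a distinct port per connection. That is the case Q25 describes: without the PAT fallback the fourth host would simply fail to get a translation.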

Q26. What is RFC 1918?

Answer: RFC 1918 defines specific address ranges that are not routable across the Internet. These addresses are reserved for private networks.

Q27. Why is there an id field in the nat command?

Answer: The nat command has an id field so that the Cisco Security Appliance can map a specific NAT statement to a global statement.

About the author

Scott
