CCIE Security FAQ Security Technologies
Q1. DMZ stands for what?
a. Demilitarized zone
b. Demitted zone
c. Domain main zone
d. Domain name
Q2. When defining an extended access list, what TCP port numbers can you use?
a. Only predefined Cisco keywords
b. 0 to 65,000
c. 0 to 65,535
d. 1 to 65,534
e. None of the above
Explanation: TCP port numbers run from 0 to 65,535; devices such as PCs use source ports from 1025 to 65,535.
Q3. When defining an extended access list, what UDP port numbers can you use?
a. Only predefined Cisco keywords
b. 0 to 65000
c. 0 to 65535
d. 1 to 65534
e. None of the above
Explanation: UDP port numbers from 0 to 65535.
Q4. Which of the following is not a TCP service?
a. who
b. whois
c. finger
d. ftp
e. pop3
Explanation: who is a UDP service.
Q5. Which of the following is not a UDP service?
a. BGP
b. echo
c. domain
d. discard
e. rip
f. snmp
Explanation: BGP runs over TCP port 179.
Q6. For how many translations does PAT allow you to use one IP address?
a. 32,000
b. 64,000
c. 96,000
d. 128,000
e. 256,000
Explanation: Port Address Translation (PAT) occurs when the local port number is modified, allowing more than one host to share one public address, for example. The port number in a TCP header can range from 0 to 65,535, so answer b is closest to the actual number of allowed translations.
Q7. PAT translates all private addresses based on what?
a. Source port
b. Destination port
c. Both source and destination
d. None
Explanation: PAT is based on the source port; the destination port is not altered. For example, a Telnet connection is based on the local port number (a random number generated by the device between 0 and 65,535) and the destination port number 23.
Q8. NAT is which of the following?
a. Network Architectural Language
b. National anthem of Latvia
c. Network translation
d. Network Address Translation
Q9. NAT is defined in which RFC?
a. 1700
b. 1701
c. 2002
d. 1631
e. 1613
Explanation: NAT is defined by Request for Comments (RFC) number 1631.
Q10. The following defines which NAT terminology: “A legitimate registered IP address as assigned by the InterNIC?”
a. Inside local address
b. Outside global address
c. Inside global address
d. Outside local address
Q11. What IOS command defines a pool of addresses that will be translated to a registered IP address?
a. ip nat inside
b. ip nat outside
c. ip nat pool
d. ip nat inside pool
e. ip nat outside pool
Q12. PIX stands for what?
a. Protocol interchange
b. Cisco Private Internet
c. Private Internet Exchange
d. Public Internet Exchange
Q13. To define how a PIX will route IP data, what is the correct syntax for a PIX 520?
a. ip route
b. route
c. ip route enable
d. default-network
Explanation: A PIX can run RIP or be configured for static routing; a default route is typically required so that end-user data can be sent to the Internet, for example.
Q14. What is the alias command’s function on a PIX firewall?
a. To define a local host name
b. To define the DNS server
c. Used in NAT environments where one IP address is translated into another.
d. Only applicable to Cisco IOS
Explanation: The PIX alias command is used for NAT configurations. The alias command translates one IP address into another address. For example, one private network might be using unregistered IP address space, and to allow users access to outside address space, the alias command is used. This command is applied differently on a Cisco IOS router.
Q15. CBAC stands for what?
a. CBAC is not a valid term
b. Cisco Business architectural centre
c. Context-based Access Control
d. Context-based Accelerated controller
e. Content-based arch. Centre
Q16. What is IKE used to accomplish?
a. NAT translations
b. Ensures that data is not sourced by the right sources
c. Ensures that data is not sourced by the wrong sources
d. No use
e. Both a and c
Explanation: Internet Key Exchange (IKE) allows a network to keep its data confidential from unauthorized sources.
Q17. To create a simple VPN tunnel (unencrypted) between two sites, what must you do on a Cisco router?
a. Create a GRE tunnel
b. Create a routing map
c. Nothing, use a PIX
d. Create an IPSec tunnel
Explanation: A simple VPN tunnel requires a generic routing encapsulation (GRE) tunnel between two Cisco routers.
Q18. What does the term DMZ refer to?
Q19. What is the perimeter router’s function in a DMZ?
Answer: The perimeter router sits between the DMZ and the public domain. It is typically a high-performance router (or routers) that performs a number of duties, including the following:
- Access lists to ensure access to IP is restricted
- Restrictions to TCP services
- Restrictions on what applications can be run
- Routing protocols (typically, BGP)
Q20. What two main transport layer protocols do extended access lists filter traffic through?
Q21. Which of the following is not a TCP service?
a. Ident
b. ftp
c. pop3
d. pop2
e. echo
Explanation: Echo is part of the UDP protocol suite. Ident, ftp, and pop2/pop3 are TCP services.
Q22. Name five UDP services that can be filtered with an extended access-list.
Answer: Cisco IOS can filter a number of UDP services, including the following:
- biff—Biff (mail notification, comsat, 512)
- bootpc—Bootstrap Protocol (BOOTP) client (68)
- bootps—Bootstrap Protocol (BOOTP) server (67)
- discard—Discard (9)
- dnsix—DNSIX security protocol auditing (195)
- domain—Domain Name Service (DNS, 53)
- echo—Echo (7)
- isakmp—Internet Security Association and Key Management Protocol (500)
- mobile-ip—Mobile IP registration (434)
- nameserver—IEN116 name service (obsolete, 42)
- netbios-dgm—NetBIOS datagram service (138)
- netbios-ns—NetBIOS name service (137)
- netbios-ss—NetBIOS session service (139)
- ntp—Network Time Protocol (123)
- pim-auto-rp—PIM Auto-RP (496)
- rip—Routing Information Protocol (router, in.routed, 520)
- snmp—Simple Network Management Protocol (161)
- snmptrap—SNMP traps (162)
- sunrpc—Sun Remote Procedure Call (111)
- syslog—System Logger (514)
- tacacs—TAC Access Control System (49)
- talk—Talk (517)
- tftp—Trivial File Transfer Protocol (69)
- time—Time (37)
- who—Who service (rwho, 513)
- xdmcp—X Display Manager Control Protocol (177)
Q23. What RFC defines NAT?
Q24. In NAT, what is the inside local address used for?
Q25. What does the IOS command ip nat inside source list accomplish?
Q26. What are the four possible NAT translations on a Cisco IOS router?
Answer: The four NAT translation versions are as follows:
- Static NAT—Maps an unregistered IP address to a registered IP address on a one-to-one basis.
- Dynamic NAT—Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
- Overloading—A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address using different ports. Known also as Port Address Translation (PAT), single address NAT, or port-level multiplexed NAT.
- Overlapping—When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses.
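The overloading (PAT) behaviour described in Q6, Q7 and Q26, as an added simulation that is not part of the original FAQ: one inside global address is shared by many inside hosts, the translation is keyed on the inside host's source address and port, the destination port is never touched, and the pool runs out once every usable port on the address is taken. The class name, the port range 1025 to 65,535 and the sample addresses are assumptions chosen for the example.

```python
# Added example (not from the original FAQ): a minimal model of NAT
# overloading (PAT). One registered (inside global) address serves many
# inside hosts; each inside (ip, port) pair is mapped to a unique port on
# the global address, and the destination is left unchanged (Q7). Skipping
# port 0 leaves at most 65,535 translations per address, which is why
# "64,000" is the closest answer in Q6.
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]          # (ip address, port)


class Pat:
    """Port Address Translation table for a single inside global address."""

    def __init__(self, inside_global: str, first_port: int = 1025,
                 last_port: int = 65535) -> None:
        self.inside_global = inside_global
        # Reversed so that pop() hands out the lowest free port first.
        self.free_ports = list(range(last_port, first_port - 1, -1))
        self.out_table: Dict[Flow, int] = {}   # inside local flow -> global port
        self.in_table: Dict[int, Flow] = {}    # global port -> inside local flow

    def translate_out(self, src: Flow, dst: Flow) -> Optional[Tuple[Flow, Flow]]:
        """Rewrite an inside->outside packet; None when the port pool is exhausted."""
        port = self.out_table.get(src)
        if port is None:
            if not self.free_ports:
                return None                    # no more translations on this address
            port = self.free_ports.pop()
            self.out_table[src] = port
            self.in_table[port] = src
        return (self.inside_global, port), dst  # destination port untouched

    def translate_in(self, src: Flow, dst: Flow) -> Optional[Tuple[Flow, Flow]]:
        """Rewrite an outside->inside reply; packets for unknown ports are dropped."""
        local = self.in_table.get(dst[1])
        if local is None or dst[0] != self.inside_global:
            return None
        return src, local

    def capacity(self) -> int:
        """Total translations (used plus free) this address can ever hold."""
        return len(self.out_table) + len(self.free_ports)
```

The reply path in translate_in is what makes PAT a stateful mechanism: a packet arriving on a global port with no xlate entry is dropped rather than forwarded inside.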
Q27. How many connections can be translated with a PIX firewall for the following RAM configurations: 16 MB, 32MB, or 128MB?
Q28. When the alias command is applied to a PIX, what does it accomplish?
Q29. What security features does the Cisco IOS Firewall feature set allow a network administrator to accomplish?
Answer: The Cisco IOS features set consists of the following:
- Context-based Access Control (CBAC) provides internal users secure, per-application-based access control for all traffic across perimeters, such as between private enterprise networks and the Internet.
- Java blocking protects against unidentified, malicious Java applets.
- Denial-of-service detection and prevention defends and protects router resources against common attacks, checking packet headers and dropping suspicious packets.
- Audit trail details transactions, recording time stamp, source host, destination host, ports, duration, and total number of bytes transmitted.
- Real-time alerts log alerts in case of denial-of-service attacks or other preconfigured conditions.
Q30. What does CBAC stand for?
Q31. Name the eight possible steps to take when configuring CBAC.
Answer: To configure CBAC, the following tasks are required or optional:
- Pick an internal or external interface. (Required)
- Configure IP access lists at the interface. (Required)
- Configure global timeouts and thresholds. (Required)
- Define an inspection rule. (Required)
- Apply the inspection rule to an interface. (Required)
- Configure logging and audit trail. (Required)
- Follow other guidelines for configuring a firewall. (Required)
- Verify CBAC. (Optional)
Q32. What is a virtual private network?
Q33. The following configuration is installed on a PIX 520. Users from the inside network 10.0.0.0/8 report to you that they cannot browse the Internet. What is the problem, and what command or commands will rectify the problem?
pix# write terminal
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
logging timestamp
no logging standby
logging console debugging
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address inside 201.201.201.1 255.255.255.
ip address outside 131.108.1.1 255.255.255.0
route inside 10.0.0.0 255.0.0.0 201.201.201.2
route outside 0.0.0.0 0.0.0.0 131.018.1.2
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
: end
Answer: Cisco PIX Firewalls need to NAT any nonregistered IP address space. In particular, the Class A 10.0.0.0/8 is not routable in the Internet, so you must use NAT to permit access, or you could re-address your entire network, which clearly is not an exercise you will do often.
The following command will NAT all inside addresses:
nat (inside) 1 0.0.0.0 0.0.0.0
Before you can access the Internet, you must also tell the PIX how to route IP data (remember that the PIX is not as intelligent as a router, although RIP can be configured by the network administrator) with the command shown here:
route outside 0.0.0.0 0.0.0.0 <default-gateway>
This command installs a default route where IP datagrams will be sent, typically, the perimeter router or ISP router.
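A small configuration check for the two defects discussed in Q33, added here as an example and not part of the original FAQ: it scans a PIX configuration for a global (outside) pool that has no matching nat (inside) statement with the same ID, and for a missing default route on the outside interface. The sample configuration is constructed for the example (it keeps the page's global pool but leaves the default route out so both checks fire); the gateway 131.108.1.2 and the function name are assumptions.

```python
# Added example (not from the original FAQ): detect the misconfiguration
# from Q33 in a PIX "write terminal" dump. A global pool is useless until
# a nat statement with the same ID selects the inside hosts to translate,
# and outbound traffic needs a default route on the outside interface.
import re
from typing import List

# Constructed sample: global pool 1 exists, but no nat (inside) 1 and no
# default route, which is exactly the situation the Q33 users report.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 201.201.201.1 255.255.255.0
ip address outside 131.108.1.1 255.255.255.0
route inside 10.0.0.0 255.0.0.0 201.201.201.2
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224
"""

GLOBAL_RE = re.compile(r"^global\s+\((\w+)\)\s+(\d+)\b")
NAT_RE = re.compile(r"^nat\s+\((\w+)\)\s+(\d+)\b")
DEFAULT_ROUTE_RE = re.compile(r"^route\s+outside\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\S+")


def check_pix_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings: List[str] = []
    global_ids, nat_ids = set(), set()
    has_default_route = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))      # pool ID, e.g. "1"
        elif m := NAT_RE.match(line):
            nat_ids.add(m.group(2))         # nat ID that must match a pool
        elif DEFAULT_ROUTE_RE.match(line):
            has_default_route = True
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global pool {gid} has no nat (inside) {gid} statement; "
                        f"inside hosts will not be translated")
    if not has_default_route:
        findings.append("no 'route outside 0.0.0.0 0.0.0.0 <gateway>' default route")
    return findings


if __name__ == "__main__":
    for finding in check_pix_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```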