CCNP Security FAQ : Understanding Cisco Security Appliance Translation and Connection
Q1. By default, how long will an embryonic connection remain open?
A. 2 minutes
B. 3600 seconds
C. 1800 seconds
D. Unlimited
E. 30 minutes
Q2. You have configured two additional DMZ interfaces on your ASA Security Appliance. How do you prevent nodes on DMZ1 from accessing nodes on DMZ2 without adding rules to the security policy?
A. Route all traffic for DMZ2 out the outside interface.
B. Dynamically NAT all DMZ2 nodes to a multicast address.
C. Assign a higher security level to DMZ2.
D. All of the above.
Q3. Which of the following is not a method of address translation supported by the PIX Firewall?
A. Network Address Translation
B. Socket Address Translation
C. Port Address Translation
D. Static Address Translation
Q4. What happens if you configure two interfaces with the same security level?
A. Traffic will pass freely between those connected networks.
B. Traffic will not pass between those interfaces.
C. Specific ACLs must allow traffic between those interfaces.
D. The two interfaces will not apply the nat or global commands.
Q5. When should you run the command clear xlate?
A. When updating a conduit on the firewall
B. When editing the NAT for the inside segment
C. When adding addresses to the global pool
D. All of the above
Q6. How do you define the global addresses used when configuring NAT?
A. Define a subnet.
B. Define an address range.
C. Define individual IP addresses.
D. You can define only /24 address segments for global addresses.
E. None of the above.
Q7. How many external IP addresses are required to configure PAT?
A. A single address
B. A /24 subnet
C. A defined address range
D. Any of the above
E. None of the above
Q8. What command shows all active TCP connections on the PIX Firewall?
A. show conn
B. show xlate
C. show connection status
D. show tcp active
E. None of the above
Q9. Why is it difficult to penetrate the Security Appliance over UDP port 53?
A. The Security Appliance allows multiple outbound queries but randomizes the UDP sequence numbers.
B. The Security Appliance allows queries to go out to multiple DNS servers but drops all but the first response.
C. The Security Appliance allows responses only to outbound DNS queries.
D. All of the above
Q10. How many connections can you hide behind a single global address?
A. 65,536
B. 255
C. 17,200
D. An unlimited number
E. None of the above
Q11. What is the difference between TCP and UDP?
Q12. What is the default security for traffic originating on the inside network segment and going to the outside network?
Q13. True or false: You can have multiple translations in a single connection.
Q14. What commands are required to configure NAT on a Cisco Security Appliance?
Q15. How many nodes can you hide behind a single IP address when configuring PAT?
Q16. What is an embryonic connection?
Q17. What is the best type of translation to use to allow connections to web servers from the Internet?
Q18. How does the Cisco Security Appliance handle outbound DNS requests?
Q19. True or false: The quickest way to clear the translation table is to reboot the Cisco Security Appliance.
Q20. True or false: If you configure a static translation for your web server, everyone can connect to it.
Q21. What does a Security Appliance, such as a PIX Firewall, normally change when allowing a TCP handshake between nodes on different interfaces and performing NAT?
Q22. What does the Cisco Security Appliance normally change when allowing a TCP handshake between nodes on different interfaces and performing PAT?
Q23. True or false: TCP is a much better protocol than UDP because it does handshakes and randomly generates TCP sequence numbers.
Q24. What are the two commands (syntax) to perform NAT of all internal addresses?
Q25. When would you want to configure NAT and PAT for the same inside segment?
Q26. What is RFC 1918?
Q27. Why is there an id field in the nat command?