Chapter 13 - IOS Zone Based Firewall Flashcards Preview


Flashcards in Chapter 13 - IOS Zone Based Firewall Deck (7):
1

What are Class Maps used for?

Class maps identify traffic. A class map of type inspect can match on a protocol (match protocol), on an ACL (match access-group), or on another class map, and the condition chosen when the class map is created decides how several match statements are combined:

  • match-all condition = every match statement must be true for the packet (logical AND)
  • match-any condition = a single matching statement is enough (logical OR)

2

What do Policy Maps do?

Policy maps (type inspect) define the action taken on the traffic that a class map has identified. The actions are:

  • Inspect - Permit the traffic and add an entry to the stateful session table, so the return traffic is allowed back in the opposite direction without a separate rule
  • Pass - Permit the traffic in this direction only, with no stateful entry; return traffic needs its own pass policy on the reverse zone pair
  • Drop - Deny the packet; this is also the default action of class-default, i.e. for traffic no explicit class matched
  • Log - Not a standalone action; it is appended to drop (drop log) so that dropped packets are logged

3

What are Service Policies used for?

The service-policy command applies a policy map to a zone pair. A zone pair is unidirectional (source zone to destination zone), so the policy governs only traffic initiated in that direction; return traffic of inspected sessions is allowed automatically. Traffic between two zones that have no zone pair, or a zone pair with no service policy, is dropped. The one exception is traffic to or from the router itself (the self zone), which is permitted by default unless a policy is applied to a zone pair involving self.
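A complete worked configuration that ties cards 1 to 3 together (class map, policy map, zones, zone pair, service policy) follows. It is an added example, not part of the original flashcards; the zone, class-map, policy-map and ACL names (INSIDE, OUTSIDE, CM-INSIDE-TO-OUTSIDE, CM-MGMT-SSH, PM-INSIDE-TO-OUTSIDE, ZP-IN-OUT, ACL-MGMT-HOSTS), the 10.1.1.0/24 management subnet and the interface numbers are assumptions chosen for illustration.

```cisco
! --- Card 1: class maps identify traffic ---
! match-any: a host inside is interesting if it speaks ANY of these protocols
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! match-all: ACL (source subnet, assumed) AND protocol must BOTH be true,
! which is the usual way to limit one protocol to a set of hosts
ip access-list extended ACL-MGMT-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
class-map type inspect match-all CM-MGMT-SSH
 match access-group name ACL-MGMT-HOSTS
 match protocol ssh
!
! --- Card 2: policy map decides what happens to identified traffic ---
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class type inspect CM-MGMT-SSH
  inspect
 ! everything else initiated from INSIDE is dropped and logged
 class class-default
  drop log
!
! --- Card 3: zones, a unidirectional zone pair, and the service policy ---
zone security INSIDE
zone security OUTSIDE
!
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Interfaces must be made zone members; an interface in no zone cannot
! exchange traffic with an interface that is in a zone.
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN
 zone-member security OUTSIDE
```

With only ZP-IN-OUT configured there is no OUTSIDE-to-INSIDE zone pair, so nothing initiated from the WAN reaches the LAN; replies to the inspected HTTP, HTTPS, DNS, ICMP and SSH sessions are admitted through the session table rather than through a rule. Verify that the table is being populated with the command from card 5 (show policy-map type inspect zone-pair ZP-IN-OUT sessions) while a host inside browses; if the sessions counter stays at zero, check the zone-member assignments before suspecting the policy.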

4

What command would be used to view "inspect" class maps?

# show class-map type inspect

5

How do you view policy map sessions?

# show policy-map type inspect zone-pair <zone-pair-name> sessions

6

What command can help you figure out if NAT is working?

# show ip nat translations

7

What are the four possible actions on traffic that matches a class in a zone-based firewall policy map?

  • Inspect - Permit and statefully inspect the traffic; used for traffic whose sender expects reply traffic, since the session entry lets the replies back through
  • Pass - Permit the traffic without creating a stateful entry; used for traffic that needs no reply, or whose reverse direction is handled by a separate policy on the reverse zone pair
  • Drop - Deny the packet
  • Log - Added to the drop action (drop log) so that information about the stopped packets is recorded