Chapter 14 - Cisco ASA Flashcards Preview

Cisco CCNA Security (640-554) > Chapter 14 - Cisco ASA > Flashcards

Flashcards in Chapter 14 - Cisco ASA Deck (9):
1

What is the default behavior for two interfaces that have the exact same security level?

Traffic is not allowed between those two interfaces.

For example:

F0/1 = security 50

F0/2 = security 50

Traffic will not go between these two.

2

What is "hairpin routing"?

Hairpin routing is a situation (for example, on an ASA) where traffic comes in on a specific interface and is supposed to be routed right back out the same interface.

3

What are the default security levels for the inside, dmz, and outside interfaces, respectively, on an ASA?

inside = 100

dmz = 50

outside = 0

Remember, highest score = the most trusted.

4

How does a transparent firewall function?

A pair of interfaces act as a bridge (for example on an ASA) and traffic is sent in one interface and right out the other.

As traffic traverses the two ports, it is subject to the rules and inspection that are applied (ACLs, packet filtering, etc.).

5

How many DHCP clients are allowed on an ASA5505?

32

6

How do you add a static route in an ASA via command line?

(config)# route outside 0.0.0.0 0.0.0.0 24.2.51.2

"outside" indicates which interface the static route needs to use to reach that hop

7

What is the basic syntax for enabling dynamic PAT (NAT Translation) on an ASA?

(config)# nat (inside,outside) 1 source dynamic inside_nets interface

inside_nets is an object group for all subnets routed through the inside interface on the ASA.

8

What is the basic syntax to use packet tracer via the command line?

# packet-tracer input inside tcp 192.168.1.100 1065 22.33.44.55 80

This would show the results for a simulated host at 192.168.1.100 sending a packet to a web server at the IP address 22.33.44.55 on destination port 80.

Note that the source port of most TCP requests will be an arbitrary port higher than 1023.

9

How are access-lists applied differently in an ASA as opposed to an IOS router?

An ASA uses the "access-group" command globally to apply an ACL to an interface (on routers, this is done via interface config mode).

ex:

(config)# access-group inside_access_in in interface inside

(applies the ACL called inside_access_in on the inside interface in the direction IN to the router).