
CCNA Security Chapter 4 Answers v1.2 Quiz Test CCNAS Questions Cisco

1. Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.*
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
SSH connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.*
SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
Telnet connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.
_______________________________________________________________
2. Which two are characteristics of ACLs? (Choose two.)
Extended ACLs can filter on destination TCP and UDP ports.*
Standard ACLs can filter on source TCP and UDP ports.
Extended ACLs can filter on source and destination IP addresses.*
Standard ACLs can filter on source and destination IP addresses.
Standard ACLs can filter on source and destination TCP and UDP ports.
_______________________________________________________________
3. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?
self zone*
system zone
local zone
inside zone
outside zone
_______________________________________________________________

4. Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
The packet is forwarded, and an alert is generated.
The packet is forwarded, and no alert is generated.
The initial packet is dropped, but subsequent packets are forwarded.
The packet is dropped.*
_______________________________________________________________
5. Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.)
source port
protocol ID
sequence number*
destination port*
SYN and ACK flags*
_______________________________________________________________
6. What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI?
Create zones.*
Define traffic classes.
Define firewall policies.
Assign policy maps to zone pairs.
Assign router interfaces to zones.
_______________________________________________________________
7. Class maps identify traffic and traffic parameters for policy application based on which three criteria? (Choose three.)
access group*
access class
policy map
protocol*
interface pairs
subordinate class map*
_______________________________________________________________
8. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?
Both stateful and packet-filtering firewalls can filter at the application layer.
A stateful firewall can filter application layer information, while a packet-filtering firewall cannot filter beyond the network layer.
A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer.*
A packet-filtering firewall uses session layer information to track the state of a connection, while a stateful firewall uses application layer information to track the state of a connection.
_______________________________________________________________
9. For a stateful firewall, which information is stored in the stateful session flow table?
TCP control header and trailer information associated with a particular session
TCP SYN packets and the associated return ACK packets
inside private IP address and the translated inside global IP address
outbound and inbound access rules (ACL entries)
source and destination IP addresses, and port numbers and sequencing information associated with a particular session*
_______________________________________________________________
10. What is a limitation of using object groups within an access control entry?
It is not possible to append additional objects to a preexisting object group.
It is not possible to delete an object group or make an object group empty if the object group is already applied to an ACE.*
To append additional objects to a preexisting object group that is applied to an ACE, the original object group must be removed using the no object group command, and then recreated and reapplied to the ACE.
To append additional objects to a preexisting object group that is applied to an ACE, the access control list must be removed using the no access-list command, and then reapplied.
_______________________________________________________________
11. When using CCP to apply an ACL, the administrator received an informational message indicating that a rule was already associated with the designated interface in the designated direction. The administrator continued with the association by selecting the merge option. Which statement describes the effect of the option that was selected?
Two separate access rules were applied to the interface.
A new combined access rule was created using the new access rule number. Duplicate ACEs were removed.*
A new combined access rule was created using the new access rule number. Duplicate ACEs and overriding ACEs were highlighted to allow the administrator to make adjustments.
The existing rule was placed in a preview pane to allow the administrator to select specific ACEs to move to the new access rule.
_______________________________________________________________
12. Which statement correctly describes how an ACL can be used with the access-class command to filter vty access to a router?
It is only possible to apply a standard ACL to the vty lines.
An extended ACL can be used to restrict vty access based on specific source addresses, destination addresses, and protocol.
An extended ACL can be used to restrict vty access based on specific source and destination addresses but not on protocol.
An extended ACL can be used to restrict vty access based on specific source addresses and protocol but the destination can only specify the keyword any.*
_______________________________________________________________
13. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
echo request
echo reply*
time-stamp request
time-stamp reply
router advertisement
_______________________________________________________________
14. Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?
access-group ipv6_ENG_ACL in
access-group ipv6_ENG_ACL out
ipv6 access-class ENG_ACL in
ipv6 access-class ENG_ACL out
ipv6 traffic-filter ENG_ACL in*
ipv6 traffic-filter ENG_ACL out
_______________________________________________________________
15. Which statement describes a typical security policy for a DMZ firewall configuration?
Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with little or no restrictions.
Traffic that originates from the DMZ interface is permitted to traverse the firewall to the outside interface with little or no restrictions.
Traffic that originates from the DMZ interface is selectively permitted to the outside interface. (Similar question warning! Use this answer if it is available; otherwise use the other one.)*
Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.*
Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.
Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.
_______________________________________________________________
16. When configuring a Cisco IOS zone-based policy firewall, which two actions can be applied to a traffic class? (Choose two.)
log
hold
drop*
inspect*
copy
forward
_______________________________________________________________

17. Refer to the exhibit. Which statement describes the function of the ACEs?
These ACEs allow for IPv6 neighbor discovery traffic.*
These ACEs must be manually added to the end of every IPv6 ACL to allow IPv6 routing to occur.
These ACEs automatically appear at the end of every IPv6 ACL to allow IPv6 routing to occur.
These are optional ACEs that can be added to the end of an IPv6 ACL to allow ICMP messages that are defined in object groups named nd-na and nd-ns.
_______________________________________________________________
18. When implementing an inbound Internet traffic ACL, what should be included to prevent the spoofing of internal networks?
ACEs to prevent HTTP traffic
ACEs to prevent ICMP traffic
ACEs to prevent SNMP traffic
ACEs to prevent broadcast address traffic
ACEs to prevent traffic from private address spaces*
_______________________________________________________________
19. Which statement describes one of the rules governing interface behavior in the context of implementing a zone-based policy firewall configuration?
An administrator can assign an interface to multiple security zones.
An administrator can assign interfaces to zones, regardless of whether the zone has been configured.
By default, traffic is allowed to flow among interfaces that are members of the same zone.*
By default, traffic is allowed to flow between a zone member interface and any interface that is not a zone member.
_______________________________________________________________

20. Refer to the exhibit. Which statement is true about the effect of this Cisco IOS zone-based policy firewall configuration?
The firewall will automatically drop all HTTP, HTTPS, and FTP traffic.
The firewall will automatically allow HTTP, HTTPS, and FTP traffic from s0/0 to fa0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.
The firewall will automatically allow HTTP, HTTPS, and FTP traffic from fa0/0 to s0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.*
The firewall will automatically allow HTTP, HTTPS, and FTP traffic from fa0/0 to s0/0, but will not track the state of connections. A corresponding policy must be applied to allow return traffic to be permitted through the firewall in the opposite direction.
The firewall will automatically allow HTTP, HTTPS, and FTP traffic from s0/0 to fa0/0, but will not track the state of connections. A corresponding policy must be applied to allow return traffic to be permitted through the firewall in the opposite direction.
_______________________________________________________________

New Questions Section CCNA Security v1.2

21. In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic?
TCP/IP protocol numbers
IP source and destination addresses
application layer protocol session information*
TCP/UDP source and destination port numbers
_______________________________________________________________
22. Refer to the exhibit. Which Cisco IOS security feature is implemented on router FW?
classic firewall*
reflexive ACL firewall
zone-based policy firewall
AAA access control firewall
_______________________________________________________________
23. Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)
An interface can be assigned to multiple security zones.
Interfaces can be assigned to a zone before the zone is created.
Pass, inspect, and drop options can only be applied between two zones.*
If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.*
Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.
To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.*
_______________________________________________________________
24. When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?
process switching*
autonomous switching
topology-based switching
optimum switching
_______________________________________________________________
25. When a Cisco IOS zone-based policy firewall is being configured, which two actions can be applied to a traffic class? (Choose two.)
log
copy
inspect*
hold
drop*
forward
_______________________________________________________________
26. A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
A dynamic ACL entry is added to the external interface in the inbound direction.*
The internal interface ACL is reconfigured to allow the host IP address access to the Internet.
The entry remains in the state table after the session is terminated so that it can be reused by the host.
When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.
_______________________________________________________________
27. Refer to the exhibit. What is represented by the area marked as A?
DMZ*
internal network
perimeter security boundary
trusted network
untrusted network
_______________________________________________________________
28. What are two characteristics of ACLs? (Choose two.)
Extended ACLs can filter on source and destination IP addresses.*
Extended ACLs can filter on destination TCP and UDP ports.*
Standard ACLs can filter on source and destination IP addresses.
Standard ACLs can filter on source TCP and UDP ports.
Standard ACLs can filter on source and destination TCP and UDP ports.