Exam Prep Questions

Question 1

RFC 2827 filtering refers to what on a (non-ISP) router? (Choose two.)

  • A. Dropping traffic from the outside with an inside source address

  • B. NATing traffic from the inside with an outside source address

  • C. Dropping traffic from the outside with a source address from the private address blocks

  • D. Dropping traffic from the inside with a source address from your network address blocks

A1:

Answers A and C are correct. RFC 2827 filtering prevents traffic entering your network from the outside with source addresses that shouldn't come from outside: addresses within the address space inside the router (answer A) and addresses from the private address blocks (RFC 1918 private address space, answer C). It also recommends dropping traffic egressing your network with a source address that is not within the correct address block (which was written for ISPs but is good practice for all networks). NATing traffic (answer B) is not addressed by RFC 2827. Dropping traffic from the inside with an inside address (answer D) would prevent legitimate traffic from exiting your network, unless you really do operate a networking black hole (nothing escapes).

Question 2

Unicast RPF depends on the router using what kind of processing?

  • A. Silicon switching.

  • B. Cut-through switching and forwarding.

  • C. Process switching.

  • D. None of these is correct.

A2:

Answer D is correct. Unicast RPF depends on the use of Cisco Express Forwarding (CEF) because it does a reverse lookup in the Forwarding Information Base (FIB) created by CEF. CEF, silicon switching (answer A), and process switching (answer C) are all methods used by routers to determine the next hop for a packet. Cut-through forwarding (answer B) is a made-up term, combining cut-through switching and forwarding.
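The filtering from Question 1 and the uRPF check from Question 2 on one router, as an added IOS configuration example (not from the book). It assumes the inside block is 172.18.22.0/24, the ISP link is Serial0/0, and IOS 12.x syntax; the ACL names are arbitrary.

```cisco
! Added example, not from the book. Assumes inside block 172.18.22.0/24,
! outside interface Serial0/0, IOS 12.x syntax. ACL names are arbitrary.
ip cef
!
! Ingress (RFC 2827 on a non-ISP router): drop packets arriving from the
! outside that claim an inside source or an RFC 1918 private source.
ip access-list extended INGRESS-2827
 deny   ip 172.18.22.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
!
! Egress: only let traffic out whose source is in your own address block.
ip access-list extended EGRESS-2827
 permit ip 172.18.22.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Link to ISP
 ip access-group INGRESS-2827 in
 ip access-group EGRESS-2827 out
 ! Unicast RPF: the source address is looked up in the CEF FIB; the packet
 ! is dropped if the best route back to that source is not via this
 ! interface. This needs "ip cef" above; it does not work without CEF.
 ip verify unicast reverse-path
```

The logged denies give you a quick way to confirm the filters are catching spoofed sources (show logging, or show access-lists for hit counts).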

Question 3

If an IOS router with the Firewall Feature Set has so many filtering capabilities, why would you want to use a PIX firewall instead?

  • A. The PIX can filter more flexibly by using CBAC and PAM.

  • B. The PIX is a less-expensive solution than adding the more-capable FFS to a router.

  • C. The PIX performs filtering in hardware, which is faster than the software processing on the router, even with the FFS.

  • D. All of these are correct.

A3:

Answer C is correct. The PIX firewall offloads the filtering functions to specialized ASICs, which can perform more inspections faster. This is just one more example of the general rule that processing in hardware is faster than the same processing in software (where the circuits are not optimized for the data manipulation). CBAC and PAM (answer A) are two of the many features in the FFS. Whether a PIX is more or less expensive than adding FFS to an existing IOS depends on the actual hardware present (the router) and whether it has sufficient memory and Flash, as well as on which model of PIX is needed. In general, though, dedicated appliances are more expensive than a software module for doing the same thing (which probably does it less well, as noted already). You often do get what you pay for.

Question 4

When would you use the command overload when NATing on the router?

  • A. When you need to borrow Flash memory space to be added to RAM

  • B. When multiple outside addresses can be used for a few inside addresses

  • C. When path MTU discovery has indicated that fragmenting will occur downstream

  • D. When you need to speed packet processing due to bandwidth problems

  • E. When multiple inside addresses must be translated into fewer outside addresses

A4:

Answer E is correct. The overload command enables you to NAT more inside addresses than you have outside addresses: You can exceed the one-to-one mapping. This is done by invoking port address translation (PAT). Memory management (answer A), packet fragmentation (answer C), and packet processing speed (answer D) have nothing to do with NAT, per se. Answer B is backward (multiple inside addresses for fewer outside addresses is correct).

Question 5

Which of these is not a command that you would use in configuring NAT on a router?

  • A. global (outside) 1 192.168.47.99 (global configuration mode)

  • B. ip nat inside (interface configuration mode)

  • C. access-list 12 permit 172.18.22.0 0.0.0.255 (global configuration mode)

  • D. ip nat pool test11 192.168.12.3 192.168.12.3 255.255.255.0 (global configuration mode)

A5:

Answer A is correct. Answers B, C, and D are all valid IOS NAT commands. Answer A is a valid command on a PIX firewall, but not on a router.
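The router-side NAT commands from Questions 4 and 5 assembled into a working PAT configuration, as an added IOS example (not from the book). It assumes inside hosts on 172.18.22.0/24 behind FastEthernet0/0, Serial0/0 as the outside interface addressed from 192.168.12.0/24, and the pool and ACL names used in Question 5.

```cisco
! Added example, not from the book. Assumes inside LAN 172.18.22.0/24 on
! FastEthernet0/0 and outside interface Serial0/0 in 192.168.12.0/24.
!
! Step 1: the standard ACL that selects which inside addresses get translated.
access-list 12 permit 172.18.22.0 0.0.0.255
!
! Step 2: a pool holding a single outside address (start = end). IOS
! introduces the mask with the netmask keyword (prefix-length is the
! alternative); there is no "network mask" designator on a router.
ip nat pool test11 192.168.12.3 192.168.12.3 netmask 255.255.255.0
!
! Step 3: bind the list to the pool. Without "overload" the router maps
! addresses one-to-one and the second inside host finds the one-address pool
! exhausted. "overload" turns on PAT: all inside hosts share 192.168.12.3 and
! are told apart by the translated source port.
ip nat inside source list 12 pool test11 overload
!
! Step 4: mark the interfaces; the inside/outside designation is what the
! translation rule keys on.
interface FastEthernet0/0
 ip address 172.18.22.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 192.168.12.1 255.255.255.0
 ip nat outside
```

show ip nat translations then lists each inside local address:port against the shared inside global address:port, which is the visible sign that PAT rather than one-to-one NAT is in effect.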

Question 6

Which of the following steps in configuring IPSec with preshared keys on a router are used for configuring IKE? (Choose two.)

  • A. Create a crypto ipsec transform set

  • B. Create a key and assign the key to a peer address

  • C. Create an access list to designate the traffic to be encrypted

  • D. Apply the crypto map to the outgoing interface

  • E. Create a crypto isakmp policy

  • F. Create a crypto map

A6:

Answers B and E are correct. The two steps in configuring IKE on the router are to create a crypto isakmp policy and then to create a key and designate a peer with which to use the preshared key. The other four steps (answers A, C, D, and F) are all a part of configuring IPSec on the router.

Question 7

What is the purpose of the crypto ACL used as a part of IPSec configuration on a router or a PIX?

  • A. To designate the traffic to be permitted to pass through the interface, if unencrypted

  • B. To designate the traffic to be permitted to pass through the interface, if encrypted

  • C. To designate the traffic to be denied passage through the interface unless it is encrypted

  • D. To designate the data to be encrypted

A7:

Answer D is correct. Crypto access lists have nothing to do with permitting or denying passage through an interface (regular access lists perform that function). The only use of a crypto access list is to designate the "interesting traffic", the traffic to be encrypted. Thus, answers A, B, and C are incorrect because they all refer to permission to pass through the interface (whether to permit or deny passage).
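The six steps from Question 6, labelled by their answer letters and split into the IKE part and the IPsec part, with the crypto ACL from Question 7 in its place. This is an added IOS example, not from the book; it assumes a local LAN of 172.18.22.0/24, a remote LAN of 10.1.1.0/24, a peer at the placeholder address 192.0.2.1, Serial0/0 as the outside interface, and PLACEHOLDER_KEY standing in for a real preshared key.

```cisco
! Added example, not from the book. Assumes local LAN 172.18.22.0/24, remote
! LAN 10.1.1.0/24, peer 192.0.2.1 (placeholder), outside interface Serial0/0.
! Replace PLACEHOLDER_KEY with the real preshared key.
!
! --- IKE (ISAKMP): the two steps from Question 6 ---
! (E) the ISAKMP policy: how phase 1 is protected and authenticated
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! (B) the preshared key, bound to the peer it is used with
crypto isakmp key PLACEHOLDER_KEY address 192.0.2.1
!
! --- IPsec: the other four steps ---
! (A) transform set: the ESP algorithms for the phase 2 SA
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
! (C) crypto ACL (Question 7): it only selects the "interesting traffic" to
! be encrypted. It neither permits nor denies anything through the interface;
! LAN-to-LAN traffic matches and is encrypted, everything else leaves in the
! clear, subject to whatever regular ACL is on the interface.
access-list 110 permit ip 172.18.22.0 0.0.0.255 10.1.1.0 0.0.0.255
! (F) crypto map: ties peer, transform set and crypto ACL together
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-3DES-SHA
 match address 110
! (D) apply the crypto map to the outgoing interface
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 crypto map VPNMAP
```

Note that access-list 110 is referenced only by match address inside the crypto map, never by ip access-group; that is the configuration-level expression of the distinction Question 7 tests.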

Question 8

Which of these is the correct syntax for configuring NAT on a PIX with a multiaddress global pool?

  • A. global (outside) 1 192.168.47.3-192.168.47.12 netmask 255.255.255.0

  • B. global (outside) 1 192.168.47.3-192.168.47.12 network mask 255.255.255.0

  • C. global (outside) 1 192.168.47.3 192.168.47.12 network mask 255.255.255.0

  • D. None of these is correct.

A8:

Answer A is correct. An address pool on a router is separated by a space between the first and the last address (answer C), but the router does not include the designator "network mask." The PIX uses a dash (hyphen) between the two endpoints, but it uses the designator netmask instead of network mask (invalidating answer B). If you are typing a command in a simulation and it is invalid, the pointer indicates where the software thinks a command is invalid; unfortunately, if you don't know the correct command syntax, you can consume precious time trying to get the command in the correct format. You might or might not have that time to spare; know the syntax and practice it (write it if you don't have equipment or a simulator).

Question 9

What is the command sysopt connection permit-ipsec used for on a PIX?

  • A. To permit incoming tunnels for system configuration

  • B. To force system configuration connections to use IPSec

  • C. To permit incoming IPSec traffic to bypass the conduit/ACL processing

  • D. To use IPSec connections to optimize the ASA's packet-filtering process

A9:

Answer C is correct. The command sysopt connection permit-ipsec is used if you want to allow incoming IPSec-encrypted traffic to bypass ACL or conduit checking. Otherwise, IPSec traffic must be permitted passage before it can be further processed. Because the traffic must be decrypted anyway to discover the real destination address (remember, IPSec tunnel mode imposes an outside header, and the "real" header with the traffic's destination is part of the encrypted payload), checking the destination against the ACLs or conduits wastes CPU cycles. All the sysopt commands are used to fine-tune the PIX's performance, but none of them necessarily permits a tunnel for a given purpose (answer A), forces the use of a given protocol for connections intended for system configuration (answer B; again, how would it know the purpose of the connection?), or modifies the processing of the Adaptive Security Algorithm (answer D).
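The PIX pool syntax from Question 8 next to the sysopt command from Question 9, as an added PIX OS 6.x example (not from the book). It assumes an inside network of 172.18.22.0/24, the global pool 192.168.47.3 through 192.168.47.12 from Question 8, the PIX outside address 192.0.2.2 and a VPN peer at 192.0.2.1 (both placeholders), and the arbitrary ACL name OUTSIDE_IN.

```cisco
! Added example, not from the book; PIX OS 6.x syntax. Assumes inside
! network 172.18.22.0/24, outside address 192.0.2.2, VPN peer 192.0.2.1
! (placeholders) and an arbitrary ACL name.
!
! NAT: inside hosts in nat-id 1 are translated to addresses from the pool.
nat (inside) 1 172.18.22.0 255.255.255.0
! Question 8: the PIX writes the pool as start-end with a dash and introduces
! the mask with "netmask" (no space-separated endpoints, no "network mask").
global (outside) 1 192.168.47.3-192.168.47.12 netmask 255.255.255.0
!
! Regular inbound ACL on the outside interface: only IKE and ESP from the
! peer are let in by the ACL check itself.
access-list OUTSIDE_IN permit udp host 192.0.2.1 host 192.0.2.2 eq isakmp
access-list OUTSIDE_IN permit esp host 192.0.2.1 host 192.0.2.2
access-group OUTSIDE_IN in interface outside
!
! Question 9: without this line, the packets that come out of the tunnel
! after decryption would be checked against OUTSIDE_IN as well, and since
! their inner sources are not listed there they would be dropped. With it,
! decrypted IPSec traffic bypasses the ACL/conduit check.
sysopt connection permit-ipsec
```

Whether the tunnel's inner traffic is being accepted or dropped by the ACL shows up in show access-list hit counts and in the deny log messages, which is the quickest way to tell the two states apart.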

Question 10

Which additional encryption protocols does the VPN 3000 Series Concentrator offer that the IOS and PIX (before PIX OS 6.3(1)) do not? (Choose two.)

  • A. AES-192

  • B. SSLv4.3

  • C. ESP-NULL

  • D. 3DES

  • E. AES-256

  • F. AES-768

A10:

Answers A and E are correct. The IOS and PIX both offer DES, 3DES, and ESP-NULL (which is ESP without data encryption). This eliminates answers C and D. The PIX can offer AES encryption only beginning with PIX OS 6.3(1). The Cisco VPN concentrator and client also offer AES-128, AES-192, and AES-256. Higher levels of encryption might be available on other devices (such as AES-768, answer F), but not on the Cisco products yet. There is no SSL version 4.3 (answer B).

Question 11

What is a difference between the client update function from the concentrator to the hardware client and that of the software client? (Choose two.)

  • A. The software client updates automatically, while the hardware client requires administrator intervention.

  • B. The hardware client updates automatically, while the software client requires administrator intervention.

  • C. The hardware client updates firmware as well as the software.

  • D. The software client updates firmware as well as the software.

A11:

Answers B and C are correct. When the software client connects, if an update is needed, the concentrator sends an IKE packet that specifies the acceptable versions and a location from which an updated version can be downloaded. It is up to the client's administrator to actually do this (of course, if the client is not running an acceptable version, there won't be a tunnel until the client is updated). A software client is pure software; it has no firmware to update, whereas a hardware client does (eliminating answer D). The "acceptable versions" IKE packet to a hardware client triggers an automatic update of the software and/or firmware via TFTP, after which the hardware client automatically reboots.

Question 12

What feature of the hardware client enables it to serve as the only networking device for a branch office?

  • A. A DHCP server

  • B. A DNS server

  • C. A WINS server

  • D. A combined DNS and WINS server

A12:

Answer A is correct. The VPN 3002 Hardware Client includes a simple DHCP server (one scope, no exceptions), which facilitates networking for a branch office. As part of the DHCP options, if the addresses of DNS and WINS servers are entered in the 3002's configuration, it can include them in the configuration offered to DHCP clients (thus requiring very simple IP configuration on the branch's hosts). However, the hardware client is not capable of actually serving as either a DNS or a WINS server (eliminating answers B, C, and D).




CCSP CSI Exam Cram 2 (Exam 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines
