
1. Question:
The Cisco IOS firewall offers the new Zone-Based Policy Firewall (ZFW) feature and continues to support the classic
Context-Based Access Control (CBAC) feature. Can they both be configured concurrently on the same router?

Correct Answer:
Yes.

Explanation:
Zone-Based Policy Firewall (ZFW) is a new enhanced Cisco IOS Firewall feature set. ZFW changes the firewall
configuration model from the older interface-based model (used in CBAC) to a more flexible zone-based model.
Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone
policies offer flexibility and granularity so that varying inspection policies can be applied to multiple host groups
connected to the same router interface.
The two IOS firewall configuration models (ZFW and CBAC) can coexist on the same router, but they cannot be combined
on the same interface: an interface cannot be configured for ZFW and CBAC inspection simultaneously.

2. Question:
When configuring the Zone-Based Policy Firewall (ZFW) as shown in the exhibit, where will the inspection policy be
applied?

Correct Answer:
Inspection policy is applied to the zones (internal and Internet zones), not to the interfaces.

Explanation:
Zone-Based Policy Firewall (ZFW) changes the configuration model from the classic interface-based policy (CBAC)
to the new zone-based policy (ZFW). Interfaces are assigned to zones, and the inspection policy is applied to traffic
moving between the zones. Inter-zone policies offer flexibility and granularity so that varying inspection policies can
be applied to multiple host groups connected to the same router interface.

3. Question:
The exhibit shown describes which Cisco IOS feature set?

Correct Answer:
Zone-Based Policy Firewall (ZFW)

Explanation:
Zone-Based Policy Firewall (ZFW) is a new enhanced Cisco IOS Firewall feature set. ZFW changes the firewall
configuration model from the older interface-based model (used in CBAC) to a more flexible zone-based model.
Interfaces are assigned to zones, and the inspection policy is applied to traffic moving between the zones. Inter-zone
policies offer flexibility and granularity so that varying inspection policies can be applied to multiple host groups
connected to the same router interface.

4. Question:
When configuring the Zone-Based Policy Firewall (ZFW) with each zone having one interface, as shown in the
exhibit, how many inspection policies will be needed to protect the internal and DMZ zones?

Correct Answer:
There are three main policies, as follows:
1. Policy for internal zone connectivity to the Internet.
2. Policy for internal zone connectivity to DMZ hosts.
3. Policy for Internet zone connectivity to DMZ hosts.

Explanation:
The answer to this can be subjective; however, the objective is to understand the importance of the security policy,
to understand the traffic patterns between the zones, and then to decide on a best-practice solution.
With the Web/DNS server in the DMZ zone, it is exposed to the external network (Internet); therefore, the servers in
the DMZ might be subject to undesired activity from malicious hosts, who may succeed in compromising DMZ servers.
If no access policy is provided (as suggested here) for DMZ hosts to reach either the internal zone or the Internet
zone, an intruder who does compromise a DMZ server has no way to use that host to carry out further attacks against
internal or Internet hosts.
Zone-Based Policy Firewall (ZFW) imposes a default deny-all prohibitive policy. Therefore, unless the DMZ hosts are
specifically provided access to other networks, other networks are safeguarded against any connections from the
DMZ hosts.
Similarly, no access is provided for Internet hosts to access the internal zone hosts, so internal zone hosts are also
safe from unwanted access by Internet hosts.

5. Question:
When configuring the policy-map in the Zone-Based Policy Firewall (ZFW) configuration model, what are the three
types of actions available to be applied to traffic traversing between the zones?

Correct Answer:
Drop, Pass, and Inspect

Explanation:
Zone-Based Policy Firewall (ZFW) provides three types of actions that can be applied to traffic traversing between
the zones, as follows:
* Drop - Drop is the default action for all traffic, which is also applied to the default class. Other class maps within a
policy map can also be configured to drop unwanted traffic. Policies configured with drop action will block the traffic
"silently" without any notification to the relevant end host.
* Pass - Pass action allows the router to forward traffic from one zone to another in one direction (unidirectional)
without tracking the state of connections or sessions within the traffic. A corresponding policy must be applied to
allow return traffic to pass in the opposite direction, or else the return traffic will be dropped.
* Inspect - Inspect action offers state-based traffic control inspection. For example, if traffic from zone1-to-zone2
networks is configured with an inspect action, the router will maintain session information for all TCP and UDP traffic
moving from zone1 to zone2. Because the router maintains the state information, ZFW has the intelligence to permit
the return traffic from zone2 to zone1 in reply to zone1 connection requests.

6. Question:
What is the main difference between the inspect action and the pass action when used in a policy-map in the
Zone-Based Policy Firewall (ZFW) configuration model?

Correct Answer:
Inspect action is state-based and maintains the session information for all traffic moving between zones, thus
allowing the return traffic. However, pass action allows traffic one-way (unidirectional) and requires a corresponding
policy to allow the return traffic.

Explanation:
Zone-Based Policy Firewall (ZFW) provides three types of actions that can be applied to traffic traversing between
the zones, as follows:
* Pass - Pass action allows the router to forward traffic from one zone to another in one direction (unidirectional)
without tracking the state of connections or sessions within the traffic. A corresponding policy must be applied to
allow return traffic to pass in the opposite direction, or else the return traffic will be dropped.
* Inspect - Inspect action offers state-based traffic control inspection. For example, if traffic from zone1-to-zone2
networks is configured with an inspect action, the router will maintain session information for all traffic moving from
zone1 to zone2. Because the router maintains the state information, ZFW has the intelligence to permit the return
traffic from zone2 to zone1 in reply to zone1 connection requests.
* Drop - Drop is the default action for all traffic, which is also applied to the default class. Other class maps within a
policy map can also be configured to drop unwanted traffic. Policies configured with drop action will block the traffic
"silently" without any notification to the relevant end host.

7. Question:
Review the Zone-Based Policy Firewall (ZFW) configuration shown in the exhibit. Identify the one configuration
mistake in the ZFW configuration.

Correct Answer:
The default class "class-default" cannot have an inspect action.

Explanation:
When configuring the Zone-Based Policy Firewall (ZFW) and a policy-map type inspect is created, a default class named
class-default is appended to the end of the policy map automatically. The default action for class-default is drop,
although it can be changed to pass. An inspect action, however, cannot be applied to class-default; it is not
supported.
Sample output from the router is as follows:

R1# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#policy-map type inspect mypolicy
R1(config-pmap)#class class-default
R1(config-pmap-c)#inspect
%Action inspect cannot be added to class-default

8. Question:
Can the Zone-Based Policy Firewall (ZFW) be configured in a transparent mode and inspect traffic crossing the
bridge-group?

Correct Answer:
Yes.

Explanation:
Zone-Based Policy Firewall (ZFW) supports stateful inspection and transparent firewall implementation.

9. Question:
The Cisco IOS Zone-Based Policy Firewall (ZFW) feature offers protocol inspection capability up to which OSI layer?

Correct Answer:
Layer 7 (Application Layer)

Explanation:
Cisco IOS Zone-Based Policy Firewall (ZFW) supports advanced protocol inspection applied at Layer 7 of the OSI
model. ZFW offers Application Inspection and Control (AIC) capabilities on the following application services:
* HTTP
* SMTP
* POP3
* IMAP
* Sun RPC
* P2P Application Traffic
* Instant Messaging (IM) Applications

10. Question:
Which Cisco IOS router feature can prevent the bad HTTP packets from tunneling malicious traffic, as shown in the
exhibit?

Correct Answer:
Zone-Based Policy Firewall (ZFW)

Explanation:
Cisco IOS Zone-Based Policy Firewall (ZFW) supports advanced Application Layer (HTTP) protocol inspection. ZFW
offers new port-misuse inspection capability that can prevent HTTP/80 from being misused for other applications,
such as IM, P2P, and tunneling.
Modern intrusions are using embedding techniques and crafting malformed packets to carry viruses, worms, Trojans,
or any other malicious activity. Conventional firewalls cannot detect the non-HTTP traffic embedded or tunneled in the
HTTP payload.
With the introduction of the enhanced Application Inspection and Control (AIC) engine, ZFW can prevent HTTP port
80 from being misused for other applications, such as IM, P2P, and tunneling malicious traffic.

11. Question:
The exhibit shown describes which Cisco IOS feature set?

Correct Answer:
Context-Based Access Control (CBAC) or Stateful Packet Inspection (SPI)

Explanation:
Context-Based Access Control (CBAC) or Stateful Packet Inspection (SPI) is the legacy IOS Firewall feature set that
provides a per-application per-interface access control mechanism. Stateful Packet Inspection (SPI) was known as
Context-Based Access Control (CBAC) in early versions of Cisco IOS Firewall, but the naming convention was
updated as the revised feature set was enhanced and improved far beyond the original CBAC capability.
However, CBAC/SPI has now been replaced by Zone-Based Policy Firewall (ZFW), which is the latest and most enhanced
Cisco IOS Firewall feature set. ZFW changes the firewall configuration model from the older interface-based model
(used in CBAC) to a more flexible zone-based model. Interfaces are assigned to zones, and the inspection policy is
applied to traffic moving between the zones. Inter-zone policies offer flexibility and granularity so that varying
inspection policies can be applied to multiple host groups connected to the same router interface.

12. Question:
When configuring the Context-Based Access Control (CBAC) as shown in the exhibit, where can the inspection rules
be applied?

Correct Answer:
Inbound on Gig0/0 or outbound on Gig0/1

Explanation:
Context-Based Access Control (CBAC) or Stateful Packet Inspection (SPI) is the legacy IOS Firewall feature set that
provides a per-application per-interface access control mechanism.
CBAC requires creating inspection rules and applying inspection to the router interface (inbound to the protected-side
interface or outbound to the unprotected-side interface).

13. Question:
When Context-Based Access Control (CBAC) with ACLs on both interfaces is configured as shown in the exhibit, is it
allowed, and will the CBAC inspection work?

Correct Answer:
Yes, as long as outbound traffic toward the Internet is permitted in both ACLs: the inbound ACL on the interface
facing the source and the outbound ACL on the interface facing the destination.

Explanation:
CBAC inspects the packet after it passes the inbound ACL of the input interface if ip inspect in is applied, or after
the outbound ACL of the output interface if ip inspect out is used. Thus, outbound traffic must be permitted by the
inbound ACL of the interface facing the source and by the outbound ACL of the interface facing the destination.

14. Question:
When configuring the Context-Based Access Control (CBAC) with ACL on both interfaces, as shown in the exhibit,
where can the inspection rules be applied?

Correct Answer:
Inbound on Gig0/0 or outbound on Gig0/1

Explanation:
Context-Based Access Control (CBAC) or Stateful Packet Inspection (SPI) is the legacy IOS Firewall feature set that
provides a per-application per-interface access control mechanism.
CBAC requires creating inspection rules and applying inspection to the router interface (inbound to the protected-side
interface or outbound to the unprotected-side interface).
CBAC inspects the packet after it passes the inbound ACL of the input interface if ip inspect in is applied, or after
the outbound ACL of the output interface if ip inspect out is used. Thus, outbound traffic must be permitted by the
inbound ACL of the interface facing the source and by the outbound ACL of the interface facing the destination.

15. Question:
Can Context-Based Access Control (CBAC) inspect SMTP protocol using the nonstandard TCP port 2025 instead of
the default port 25?

Correct Answer:
Yes, as long as the nonstandard port is defined in the port-application mapping (PAM) table.

Explanation:
The Context-Based Access Control (CBAC) engine integrates with port-application mapping (PAM) to support
applications running on nonstandard ports. PAM allows customizing TCP or UDP port numbers for applications to
nonstandard ports (for example, HTTP service running on TCP port 8888 instead of the default TCP port 80).

16. Question:
If port-application mapping (PAM) was configured for SMTP protocol mapping to the nonstandard TCP port 2025 in
addition to its default port 25, what happens when CBAC inspection for SMTP protocol is enabled?

Correct Answer:
CBAC will inspect both TCP ports, the user-defined port 2025 and the system-defined port 25, when performing
SMTP protocol inspection.

Explanation:
The Context-Based Access Control (CBAC) engine integrates with port-application mapping (PAM) to support
applications running on nonstandard ports.
PAM allows customizing TCP or UDP port numbers for applications to nonstandard ports and supports both the
user-defined and system-defined port definitions.

17. Question:
The exhibit shown describes which Cisco IOS feature set?

Correct Answer:
The Cisco IOS Firewall URL filtering feature

Explanation:
The Context-Based Access Control (CBAC) engine integrates with the URL filtering feature.
The Cisco IOS Firewall URL filtering feature provides an Internet management application that enables you to control
web traffic on the basis of a specified security policy.

18. Question:
The exhibit shows two sets of Cisco IOS Firewall URL filtering steps. Which set is correct: A or B?

Correct Answer:
(A) is correct.

Explanation:
The Cisco IOS Firewall URL filtering feature provides an Internet management application that enables you to control
web traffic on the basis of a specified security policy.

19. Question:
What is the basic prerequisite to enable the Cisco IOS Firewall URL filtering feature on the router?

Correct Answer:
Enable HTTP inspection (CBAC) and specify the Websense URL filter server parameters.

Explanation:
The Context-Based Access Control (CBAC) engine integrates with the URL filtering feature. The Cisco IOS Firewall
URL filtering feature provides an Internet management application that enables you to control web traffic on the basis
of a specified security policy. HTTP inspection must be enabled and linked to the URL filtering configuration using the
ip inspect name command with the http urlfilter keywords. The urlfilter keyword associates URL filtering with HTTP
inspection.

20. Question:
Which Cisco IOS security feature is enabled if the Syslog message shown in the exhibit was received?

Correct Answer:
The Cisco IOS Firewall URL filtering feature

Explanation:
The Cisco IOS Firewall URL filtering feature provides an Internet management application that enables you to control
web traffic on the basis of a specified security policy.

21. Question:
What is a major advantage of the Cisco AnyConnect Client software when installing the software on an end-user
computer?

Correct Answer:
The software can be installed via Web Launch (auto-download using ActiveX/Java).

Explanation:
The Cisco AnyConnect Client software can be installed and delivered to the end-user computer via Web Launch
(auto-download using ActiveX/Java) or manually using install files.

22. Question:
The Cisco IOS Authentication Proxy feature can be configured for which protocols?

Correct Answer:
HTTP, HTTPS, Telnet, and FTP

Explanation:
The Cisco IOS Authentication Proxy provides per-user authentication and access control to network resources. With
Auth proxy, per-user policy can be downloaded dynamically to the router using a TACACS+ or RADIUS
authentication server.

23. Question:
Which RADIUS attribute number is used to support downloadable ACL for the Cisco IOS Authentication Proxy
feature?

Correct Answer:
RADIUS Attribute 26 - Vendor-Specific Attributes (VSA)

Explanation:
The Cisco IOS Authentication Proxy provides per-user authentication and access control to network resources. With
Auth proxy, per-user policy can be downloaded dynamically to the router using a TACACS+ or RADIUS
authentication server.
RADIUS Attribute 26 (Vendor-Specific Attributes, VSA) is used to push a downloadable ACL to the router that permits or
denies the authenticated user's traffic.

24. Question:
When deploying the Cisco ASA firewall in multi-context using shared interfaces, the packet classifier function is used
to determine the correct context path the packet will traverse. Name the three criteria that the packet classifier
function uses in the right order of selection.

Correct Answer:
(1) Unique interface, (2) Unique MAC address, (3) NAT configuration

Explanation:
When deploying the Cisco ASA firewall in multi-context using shared interface design, the packet classifier function is
used to determine the correct context path the packet will traverse.
For each packet entering the Cisco ASA firewall, the correct entry point must be determined based on the destination
of the packet. The entry point determines which context the packet will enter and subsequently depart through the
firewall toward its final destination.
There are multiple criteria and conditions that need to be checked in order to make this decision. The function that
takes this decision within the firewall is called the classifier.
The classifier function uses one of the following three criteria to determine the correct context for the packet:
(1) Unique interface, (2) Unique MAC address, (3) NAT configuration

25. Question:
Review the exhibit. Which Cisco ASA feature is being illustrated in this diagram?

Correct Answer:
Asymmetric Routing Support (ASR)

Explanation:
When deploying the Cisco ASA firewall in multi-context using Active-Active (A/A) failover scenario, the ASA supports
an additional feature called Asymmetric Routing Support (ASR).
ASR mode adds support for asymmetric traffic flows through an A/A system. ASR is enabled by adding multiple A/A
units to the same ASR group. If traffic returns via ISP-B (as shown in the diagram), which does not hold the state
information for the flow, it is automatically forwarded to the other member of the ASR group.
