Sep
10

For Part 1 of this series, click here.

The following questions will be added to the Core Knowledge Simulation once the new version/engine is complete. Enjoy! Answers will be provided in the comments section.

Implement secure networks using Cisco ASA Firewalls

The PC at 20.20.20.101 can ping both R1 and the ASA.  Based on the network diagram, what would allow the PC to reach the 10.10.10.0 network?

asa same-security-traffic

Implement secure networks using Cisco IOS Firewalls

Based on the exhibit, what technology is being used, and what traffic is being allowed?

show policy-map type inspect zone-pair
 Zone-pair: inside-to-outside

 Service-policy inspect : pmap_outbound

 Class-map: cmap_outbound (match-any)
 Match: protocol ssh
 0 packets, 0 bytes
 30 second rate 0 bps
 Match: protocol http
 0 packets, 0 bytes
 30 second rate 0 bps
 Match: protocol icmp
 2 packets, 88 bytes
 30 second rate 0 bps
 Inspect
 Packet inspection statistics [process switch:fast switch]
 icmp packets: [0:96]

 Session creations since subsystem startup or last reset 2
 Current session counts (estab/half-open/terminating) [2:0:0]
 Maxever session counts (estab/half-open/terminating) [2:1:0]
 Last session created 00:00:32
 Last statistic reset never
 Last session creation rate 2
 Maxever session creation rate 2
 Last half-open session total 0

 Class-map: class-default (match-any)
 Match: any
 Drop (default action)
 0 packets, 0 bytes
 Zone-pair: outside-to-inside

 Service-policy inspect : pmap_inbound

 Class-map: cmap_inbound (match-any)
 Match: protocol icmp
 0 packets, 0 bytes
 30 second rate 0 bps
 Inspect
 Session creations since subsystem startup or last reset 0
 Current session counts (estab/half-open/terminating) [0:0:0]
 Maxever session counts (estab/half-open/terminating) [0:0:0]
 Last session created never
 Last statistic reset never
 Last session creation rate 0
 Maxever session creation rate 0
 Last half-open session total 0

 Class-map: class-default (match-any)
 Match: any
 Drop (default action)
 2 packets, 48 bytes
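As an added example (not part of the original post), the Python below parses this `show policy-map type inspect zone-pair` output into zone-pairs, class-maps, actions and packet counters, which makes it easier to see which direction a policy inspects and where class-default is dropping packets. The function name `summarize` is hypothetical, and the embedded text is a trimmed copy of the exhibit above.

```python
import re

# Exhibit trimmed to the lines the parser uses (rate/session lines dropped).
EXHIBIT = """\
Zone-pair: inside-to-outside
Class-map: cmap_outbound (match-any)
Match: protocol ssh
0 packets, 0 bytes
Match: protocol http
0 packets, 0 bytes
Match: protocol icmp
2 packets, 88 bytes
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
Zone-pair: outside-to-inside
Class-map: cmap_inbound (match-any)
Match: protocol icmp
0 packets, 0 bytes
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
2 packets, 48 bytes
"""

def summarize(text):
    """Return {zone_pair: {class_map: {action, matches, packets}}}."""
    pairs, pair, cls, proto = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Zone-pair:\s*(\S+)", line):
            pair = pairs.setdefault(m[1], {})
        elif m := re.match(r"Class-map:\s*(\S+)", line):
            cls = pair.setdefault(m[1], {"action": None, "matches": {}, "packets": 0})
            proto = None
        elif m := re.match(r"Match:\s*(?:protocol\s+)?(\S+)", line):
            proto = m[1]
            cls["matches"][proto] = 0          # per-match counter follows
        elif m := re.match(r"(Inspect|Drop)\b", line):
            cls["action"], proto = m[1], None  # actions seen in the exhibit
        elif m := re.match(r"(\d+) packets, \d+ bytes", line):
            # A counter after a Match line belongs to that match; a counter
            # after the action line is the class total (class-default drops).
            target = cls["matches"] if proto else cls
            target[proto or "packets"] = int(m[1])
    return pairs

if __name__ == "__main__":
    print(summarize(EXHIBIT))
```

Non-zero `packets` on a `class-default` entry with action `Drop` is the counter to watch when traffic unexpectedly fails to cross a zone-pair.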

Implement secure networks using Cisco VPN solutions

During a cryptographic process, a clear text message is used with a key and processed by a mathematical function. What is this mathematical function often called?

During asymmetric encryption, which key is exchanged with another party?



14 Responses to “New CCIE Security Core Knowledge Questions-Part 2”

 
  1. Question: The PC at 20.20.20.101 can ping both R1 and the ASA. Based on the network diagram, what would allow the PC to reach the 10.10.10.0 network?

    Answer: Allow the ASA to redirect traffic received on E0/1 with the same-security-traffic permit intra-interface command.

    More information:
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

    Question: Based on the exhibit, what technology is being used, and what traffic is being allowed.

    Answer: Zone Based Firewall. SSH, HTTP and ICMP “RETURN” traffic permitted inbound. ICMP echo replies permitted as return traffic outbound to the outside.

    More information:
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#topic9

    Question: During a cryptographic process, a clear text message is used with a key and processed by a mathematical function. What is this mathematical function often called?

    Answer: Cipher or algorithm

    More Information:
    http://en.wikipedia.org/wiki/Cipher

    Question: During asymmetric encryption, which key is exchanged with another party?

    Answer: The Public key

    More Information:
    http://en.wikipedia.org/wiki/Public-key_cryptography

  2. Nice to see such detailed and exhibit based questions on Core Knowledge Simulation.

    Looking forward to more of these

    Zeeshan Sanaullah , CCIE #25196

  3. Tacack says:

    Great resource..thanks a lot guys! :) I liked the “same-security-traffic permit intra-interface” :D

  4. Rizzo says:

    Nice one

    It looks like more joy and fun is coming on Security Track. Thanks.

  5. Barooq says:

    Very nice article.
    I wrote about DNS resolution issues and their workarounds, one such being hairpinning (redirection on an interface along with NAT) here http://iptechtalk.wordpress.com/2009/09/04/the-need-for-dns-doctoring-on-asa-methods-and-workarounds/.

    It should present an interesting case of same security interface traffic with NAT Control.

    • Barooq- I read your article, and it looks like you put a lot of work into it, way to be! By taking the time to lab that up and write your findings, you are benefiting others and especially yourself. Keep up the great work! I have another post that focuses on troubleshooting and will include elements of the dns manipulation and about 5 other problems as well. I should have it done by tonight, you are going to love it. Thanks again for the great post!

  6. HAT says:

    Can this answer: Cipher or algorithm be replaced by “Encryption”?

    Thanks

  7. mostafa says:

    For the answer of cipher or algorithm:

    Is the output the cipher but the operation the hash???

  8. [...] CCIE Security Core Knowledge Questions – Part 3 , click here. [...]

  9. irom says:

    For Zone Based Firewall, is it opposite? I think SSH, HTTP and ICMP permitted outbound and ICMP permitted inbound???

  10. Irom- You are absolutely right! I updated the comments on the post. “Return” traffic for those 3 protocols is allowed from the outside inbound. Thanks.

  11. faisal says:

    In the first question, we would have to use the following commands as well.

    failover timeout -1
    static (inside,inside) 10.10.10.6 10.10.10.6 norandomseq nailed
    global (inside) 1 interface
    nat (inside) 1 0 0

    This is needed, else the return packet would reach the host machine directly from the router and not the firewall.

  12. ALaa says:

    Hi

    I want to ask you about the PC: it can reach network 10.10.10.0
    by adding a static route on the PC. In the exam, if I have a question that has many answers, how can I select one?

    Regards

 
