Sep 10

For Part 1 of this series, click here.

The following questions will be added to the Core Knowledge Simulation once the new version/engine is complete. Enjoy! Answers will be provided in the comments section.

Implement secure networks using Cisco ASA Firewalls

The PC at 20.20.20.101 can ping both R1 and the ASA. Based on the network diagram, what would allow the PC to reach the 10.10.10.0 network?

[Network diagram: asa same-security-traffic]

Implement secure networks using Cisco IOS Firewalls

Based on the exhibit, what technology is being used, and what traffic is being allowed?

show policy-map type inspect zone-pair
 Zone-pair: inside-to-outside

 Service-policy inspect : pmap_outbound

 Class-map: cmap_outbound (match-any)
 Match: protocol ssh
 0 packets, 0 bytes
 30 second rate 0 bps
 Match: protocol http
 0 packets, 0 bytes
 30 second rate 0 bps
 Match: protocol icmp
 2 packets, 88 bytes
 30 second rate 0 bps
 Inspect
 Packet inspection statistics [process switch:fast switch]
 icmp packets: [0:96]

 Session creations since subsystem startup or last reset 2
 Current session counts (estab/half-open/terminating) [2:0:0]
 Maxever session counts (estab/half-open/terminating) [2:1:0]
 Last session created 00:00:32
 Last statistic reset never
 Last session creation rate 2
 Maxever session creation rate 2
 Last half-open session total 0

 Class-map: class-default (match-any)
 Match: any
 Drop (default action)
 0 packets, 0 bytes
 Zone-pair: outside-to-inside

 Service-policy inspect : pmap_inbound

 Class-map: cmap_inbound (match-any)
 Match: protocol icmp
 0 packets, 0 bytes
 30 second rate 0 bps
 Inspect
 Session creations since subsystem startup or last reset 0
 Current session counts (estab/half-open/terminating) [0:0:0]
 Maxever session counts (estab/half-open/terminating) [0:0:0]
 Last session created never
 Last statistic reset never
 Last session creation rate 0
 Maxever session creation rate 0
 Last half-open session total 0

 Class-map: class-default (match-any)
 Match: any
 Drop (default action)
 2 packets, 48 bytes

Implement secure networks using Cisco VPN solutions

During a cryptographic process, a clear text message is used with a key and processed by a mathematical function. What is this mathematical function often called?

During asymmetric encryption, which key is exchanged with another party?

About Keith Barker, CCIE #6783:

Keith Barker excelled as a Network Engineer beginning in 1986 with EDS. Before opting for a career in IT Education, Keith’s practical experience culminated with the position of IT Manager for Paramount Pictures. Once joining the field of IT Education, Keith became a top-rated Microsoft and Cisco Certified Instructor. Keith Barker, along with Jeremy Cioara and Anthony Sequeira helped to make KnowledgeNet, the most respected Online IT Training organization of its time. You will find Keith Barker in Live Classroom, Live Online, and Self-Paced Route/Switch and Security classes here at INE.


13 Responses to “New CCIE Security Core Knowledge Questions-Part 2”

  1. Keith Barker says:

    Question: The PC at 20.20.20.101 can ping both R1 and the ASA. Based on the network diagram, what would allow the PC to reach the 10.10.10.0 network?

    Answer: Allow the ASA to redirect traffic received on E0/1 with the same-security-traffic permit intra-interface command.

    More information:
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

    Question: Based on the exhibit, what technology is being used, and what traffic is being allowed?

    Answer: Zone Based Firewall. SSH, HTTP and ICMP “RETURN” traffic permitted inbound. ICMP echo replies permitted as return traffic outbound to the outside.

    More information:
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#topic9

    Question: During a cryptographic process, a clear text message is used with a key and processed by a mathematical function. What is this mathematical function often called?

    Answer: Cipher or algorithm

    More Information:
    http://en.wikipedia.org/wiki/Cipher

    Question: During asymmetric encryption, which key is exchanged with another party?

    Answer: The Public key

    More Information:
    http://en.wikipedia.org/wiki/Public-key_cryptography
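To make the zone-based firewall answer above mechanical, here is an added example (not code from the post or from INE): a small parser that walks `show policy-map type inspect zone-pair` output and reports, per zone-pair, which protocols the inspect action permits and how many packets fell through to the class-default drop. The EXHIBIT string is a constructed, abridged copy of the output shown in the post.

```python
import re  # EXHIBIT below is a constructed, abridged copy of the post's show output
EXHIBIT = """\
 Zone-pair: inside-to-outside
   Class-map: cmap_outbound (match-any)
    Match: protocol ssh
     0 packets, 0 bytes
    Match: protocol http
     0 packets, 0 bytes
    Match: protocol icmp
     2 packets, 88 bytes
    Inspect
   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
     0 packets, 0 bytes
 Zone-pair: outside-to-inside
   Class-map: cmap_inbound (match-any)
    Match: protocol icmp
     0 packets, 0 bytes
    Inspect
   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
     2 packets, 48 bytes
"""
PACKETS = re.compile(r"^(\d+) packets, (\d+) bytes$")
def parse_zone_pairs(text):
    """Return {zone_pair: [{"name", "action", "matches": [[match, packets], ...]}, ...]}."""
    pairs, classes, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Zone-pair:"):
            classes = pairs.setdefault(line.split(":", 1)[1].strip(), [])
        elif line.startswith("Class-map:"):
            classes.append({"name": line.split()[1], "action": None, "matches": []})
        elif line.startswith("Match:"):  # "protocol ssh" -> "ssh"; "any" stays "any"
            last = [line.split(":", 1)[1].strip().replace("protocol ", ""), 0]
            classes[-1]["matches"].append(last)
        elif line == "Inspect" or line.startswith("Drop"):
            classes[-1]["action"] = line.split()[0].lower()
        elif last is not None and (m := PACKETS.match(line)):
            last[1], last = int(m.group(1)), None  # counter belongs to the preceding Match line
    return pairs

def permitted_traffic(pairs):  # protocols each zone-pair inspects; inspect also admits their return traffic
    return {zp: [n for c in cls if c["action"] == "inspect" for n, _ in c["matches"]]
            for zp, cls in pairs.items()}

def dropped_packets(pairs):  # packets that fell through to the class-default drop per zone-pair
    return {zp: sum(p for c in cls if c["action"] == "drop" for _, p in c["matches"])
            for zp, cls in pairs.items()}
```

Running it on the exhibit reports ssh, http and icmp permitted inside-to-outside, icmp only outside-to-inside, and the 2 packets dropped by class-default in the outside-to-inside pair, which is exactly what an inbound connection attempt not matching an inspected session looks like.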

  2. Nice to see such detailed and exhibit-based questions on the Core Knowledge Simulation.

    Looking forward to more of these

    Zeeshan Sanaullah , CCIE #25196

  3. Tacack says:

    Great resource... thanks a lot guys! :) I liked the “same-security-traffic permit intra-interface” :D

  4. Rizzo says:

    Nice one

    It looks like more joy and fun is coming to the Security Track. Thanks, Keith.

  5. Barooq says:

    Very nice article Keith.
    I wrote about DNS resolution issues and their workarounds, one such being hairpinning (redirection on an interface along with NAT) here: http://iptechtalk.wordpress.com/2009/09/04/the-need-for-dns-doctoring-on-asa-methods-and-workarounds/.

    It should present an interesting case of same security interface traffic with NAT Control.

  6. HAT says:

    Can this answer: Cipher or algorithm be replaced by “Encryption”?

    Thanks

  7. Barooq- I read your article, and it looks like you put a lot of work into it, way to be! By taking the time to lab that up and write your findings, you are benefiting others and especially yourself. Keep up the great work! I have another post that focuses on troubleshooting and will include elements of the DNS manipulation and about 5 other problems as well. I should have it done by tonight; you are going to love it. Thanks again for the great post!

  8. Rizzo- You are welcome! You are right: More Joy and Fun IS definitely on their way to the Security Track. Thanks again for the feedback.

  9. mostafa says:

    For the answer of cipher or algorithm:

    Is the output the cipher, but the operation the hash???

  10. [...] CCIE Security Core Knowledge Questions – Part 3 By Keith Barker, CCIE #6783 For Part 2 of this series, click here. [...]

  11. irom says:

    For Zone Based Firewall, is it the opposite? I think SSH, HTTP and ICMP are permitted outbound and ICMP permitted inbound???

  12. Irom- You are absolutely right! I updated the comments on the post. “Return” traffic for those 3 protocols is allowed from the outside inbound. Thanks.

  13. faisal says:

    In the first question, we would have to use the following commands as well.

    failover timeout -1
    static (inside,inside) 10.10.10.6 10.10.10.6 norandomseq nailed
    global (inside) 1 interface
    nat (inside) 1 0 0

    This is needed, else the return packet would reach the host machine directly from the router and not the firewall.
