CCNA Security Chapter 4 Quiz

1. When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?
(A) topology-based switching
(B) autonomous switching
(C) process switching
(D) optimum switching

2. Which two are characteristics of ACLs? (Choose two.)
(A) Extended ACLs can filter on destination TCP and UDP ports.
(B) Standard ACLs can filter on source TCP and UDP ports.
(C) Extended ACLs can filter on source and destination IP addresses.
(D) Standard ACLs can filter on source and destination IP addresses.
(E) Standard ACLs can filter on source and destination TCP and UDP ports.

3. Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)

(A) SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
(B) Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
(C) SSH connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.
(D) Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
(E) SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
(F) Telnet connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.

4. Which location is recommended for extended numbered or extended named ACLs?
(A) a location as close to the destination of traffic as possible
(B) a location as close to the source of traffic as possible
(C) a location centered between traffic destinations and sources to filter as much traffic as possible
(D) if using the established keyword, a location close to the destination to ensure that return traffic is allowed

5. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?
(A) Both stateful and packet-filtering firewalls can filter at the application layer.
(B) A stateful firewall can filter application layer information, while a packet-filtering firewall cannot filter beyond the network layer.
(C) A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer.
(D) A packet-filtering firewall uses session layer information to track the state of a connection, while a stateful firewall uses application layer information to track the state of a connection.

6. Which statement correctly describes a type of filtering firewall?
(A) A transparent firewall is typically implemented on a PC or server with firewall software running on it.
(B) A packet-filtering firewall expands the number of IP addresses available and hides network addressing design.
(C) An application gateway firewall (proxy firewall) is typically implemented on a router to filter Layer 3 and Layer 4 information.
(D) A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.

7. For a stateful firewall, which information is stored in the stateful session flow table?
(A) TCP control header and trailer information associated with a particular session
(B) TCP SYN packets and the associated return ACK packets
(C) inside private IP address and the translated inside global IP address
(D) outbound and inbound access rules (ACL entries)
(E) source and destination IP addresses, and port numbers and sequencing information associated with a particular session

8. A router has CBAC configured and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
(A) A dynamic ACL entry is added to the external interface in the inbound direction.
(B) The internal interface ACL is reconfigured to allow the host IP address access to the Internet.
(C) The entry remains in the state table after the session is terminated so that it can be reused by the host.
(D) When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.

9. Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.)
(A) source port
(B) protocol ID
(C) sequence number
(D) destination port
(E) SYN and ACK flags

10. Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
(A) The packet is forwarded, and an alert is generated.
(B) The packet is forwarded, and no alert is generated.
(C) The initial packet is dropped, but subsequent packets are forwarded.
(D) The packet is dropped.

11. Which statement accurately describes Cisco IOS zone-based policy firewall operation?
(A) The pass action works in only one direction.
(B) A router interface can belong to multiple zones.
(C) Service policies are applied in interface configuration mode.
(D) Router management interfaces must be manually assigned to the self zone.

12. When configuring a Cisco IOS zone-based policy firewall, which three actions can be applied to a traffic class? (Choose three.)
(A) drop
(B) inspect
(C) pass
(D) reroute
(E) queue
(F) shape

13. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?
(A) self zone
(B) system zone
(C) local zone
(D) inside zone
(E) outside zone

14. Which three actions can a Cisco IOS zone-based policy firewall take if configured with Cisco SDM? (Choose three.)
(A) inspect
(B) evaluate
(C) drop
(D) analyze
(E) pass
(F) forward

15. Refer to the exhibit. Based on the SDM screen shown, which statement describes the zone-based firewall component being configured?

(A) a class map that inspects all traffic that uses the HTTP, IM, P2P, and email protocols
(B) a class map that prioritizes traffic that uses HTTP first, followed by SMTP, and then DNS
(C) a class map that denies all traffic that uses the HTTP, SMTP, and DNS protocols
(D) a class map that inspects all traffic that uses the HTTP, SMTP, and DNS protocols
(E) a class map that inspects all traffic, except traffic that uses the HTTP, SMTP, and DNS protocols

16. Refer to the exhibit. Based on the SDM screen shown, which two statements describe the effect this zone-based policy firewall has on traffic? (Choose two.)

(A) HTTP traffic from the in-zone to the out-zone is inspected.
(B) Unmatched traffic to the router from the out-zone is permitted.
(C) ICMP replies from the router to the out-zone are denied.
(D) Traffic from the in-zone to the out-zone is denied if the source address is in the 127.0.0.0/8 range.
(E) Traffic from the in-zone to the out-zone is denied if the destination address is in the 10.1.1.0/29 range.

17. Which type of packet is unable to be filtered by an outbound ACL?
(A) ICMP packet
(B) broadcast packet
(C) multicast packet
(D) router-generated packet

18. Which type of packets exiting the network of an organization should be blocked by an ACL?
(A) packets that are not encrypted
(B) packets that are not translated with NAT
(C) packets with source IP addresses outside of the organization's network address space
(D) packets with destination IP addresses outside of the organization's network address space

19. When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?
(A) a global service policy
(B) an interface
(C) a zone
(D) a zone pair

20. Refer to the exhibit. In a two-interface CBAC implementation, where should ACLs be applied?

(A) inside interface
(B) outside interface
(C) inside and outside interfaces
(D) no interfaces

21. What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI?
(A) Create zones.
(B) Define traffic classes.
(C) Define firewall policies.
(D) Assign policy maps to zone pairs.
(E) Assign router interfaces to zones.