Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf

336 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

C Stateful proxy, stateful filtering, packet inspection

D Cut-through proxy, ASA, proxy

Answer: B

3 How does cut-through proxy work in a PIX Firewall?

Answer: The user is authenticated against a user database or AAA server, the connection is compared to the security policy, and the connection is opened or dropped.

4 What happens to the session object after a connection ends?

Answer: It is deleted from the state table.

5 True or false: A PIX 501 is designed to support five network segments.

Answer: False. It supports only two segments.

6 How many interfaces can the PIX 525 handle?

Answer: Eight

7 How many PCI slots does the PIX 506 have?

Answer: None

8 True or false: If the ACT LED on the front of a PIX 525 is lit, it means that everything is working correctly.

Answer: False

9 True or false: The interfaces on a PIX 520 are numbered top to bottom and left to right.

Answer: True

10 True or false: You don't need a license for any Cisco PIX Firewall. If you own the appliance, you can do anything you want with it.

Answer: False

Chapter 4

"Do I Know This Already?" Quiz

1 How many ways can you access the PIX Firewall?

Answer: You can access the PIX through Telnet, SSH, PIX Device Manager, and the console port.


2 What is the command to change the Telnet password?

Answer: passwd

3 Which version of SSH does PIX support?

Answer: The PIX Firewall supports SSH version 1.

4 What is the activation key?

Answer: The activation key is the license key or number for the PIX Firewall.

5 Give one reason why you would need to change the activation key on your PIX Firewall.

Answer: The PIX failover feature is not activated.

Q&A

1 What command upgrades a PIX 525 device running a 5.3 OS version to 6.11?

A install

B setup

C copy 6.11

D copy tftp flash

Answer: D

2 What binary file is required to perform a password recovery procedure on a PIX device running OS version 5.2?

A np52.bin

B pix52.bin

C bh52.bin

D pass52.bin

Answer: A

3 What circumstance(s) warrant(s) the use of a boothelper disk in the OS upgrade procedure?

A A corrupt binary image

B A PIX 520 device

C A PIX device running a 5.0 or earlier PIX OS

D No circumstance warrants the use of a boothelper disk.

Answer: B, C


4 What is the console password set to after a successful password recovery procedure?

A password

B cisco

C secret

D It is erased and set to blank.

Answer: D

5 What is the Telnet password set to after a successful password recovery procedure?

A password

B cisco

C secret

D It is erased and set to blank.

Answer: B

6 Which of the following could be reasons to change (upgrade) your activation key for the PIX?

A You are upgrading your memory.

B Your current PIX Firewall does not have failover activated.

C You are upgrading the processor on your PIX Firewall.

D Your current PIX Firewall does not have VPN-3DES enabled.

Answer: B, D

7 What command changes the SSH password for login?

A change ssh password

B password

C passwd

D ssh pass

Answer: C

8 What is the default amount of time a Telnet session can be idle?

A 2 minutes

B 15 minutes

C 5 minutes

D 12 minutes

Answer: C


9 What is the command to configure Auto Update on the Cisco PIX Firewall?

A auto update

B auto-update server url

C config auto-update

D update server url

Answer: C

10 Which version of SSH does the PIX support?

A 2.1

B 2.2

C 3.1

D 1

Answer: D

Chapter 5

"Do I Know This Already?" Quiz

1 What is the difference between TCP and UDP?

Answer: TCP is a connection-oriented transport protocol, and UDP is a connectionless transport protocol.

2 On which transport protocol does PIX change the sequence number?

Answer: PIX changes the TCP sequence number with a randomized number.

3 What is the default security for traffic origination on the inside network segment going to the outside network?

Answer: By default, traffic is permitted from the inside (higher security level) to the outside (lower security level) network as long as the appropriate nat/global command has been configured.

4 True or false: You can have multiple translations in a single connection.

Answer: False. It is actually the opposite. Multiple connections can take place under a single translation.


5 What commands are required to complete NAT on a Cisco PIX Firewall?

Answer: nat and global

6 How many external IP addresses must be used to configure PAT?

Answer: Port Address Translation requires only a single external IP address.

7 True or false: NAT requires that you configure subnets for the external IP addresses.

Answer: False. To configure NAT, you need to define an external address range, not a subnet.

8 How many nodes can you hide behind a single IP address when configuring PAT?

Answer: Approximately 64,000. This is derived from 65,535 ports minus the 1024 already-assigned lower ports.

9 How does PAT support multimedia protocols?

Answer: PAT does not support multimedia protocols.

10 What is an embryonic connection?

Answer: It is a half-open TCP session.

11 What is the best type of translation to use to allow connections to web servers from the Internet?

Answer: Static translation provides a one-to-one translation from external to internal addresses.

12 How does the Cisco PIX Firewall handle outbound DNS requests?

Answer: PIX allows multiple outbound queries but allows only the first response to that query. All other responses to the initial query are dropped.

Q&A

1 When should you run the command clear xlate?

A When updating a conduit on the firewall

B When editing the NAT for the inside segment

C When adding addresses to the global pool

D All of the above

Answer: D

2 What happens if you configure two interfaces with the same security level?

Answer: Traffic cannot pass between those interfaces.


3 True or false: The quickest way to clear the translation table is to reboot the PIX.

Answer: False. The command to do this is clear xlate.

4 True or false: If you configure a static translation for your web server, everyone can connect to it.

Answer: False. You also need to configure a rule in the security policy allowing the connection.

5 Which of the following is not a method of address translation supported by the PIX?

A Network Address Translation

B Socket Address Translation

C Port Address Translation

D Static

Answer: B

6 True or false: It is easy to hack into a PIX over UDP 53, because it accepts DNS resolves from anyone.

Answer: False. The PIX allows queries to go out to multiple DNS servers but allows only the first response to return to the requesting host. All other responses are dropped.
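The DNS behaviour stated in this answer and in quiz question 12 above (many outbound queries allowed, only the first reply to each let back in), modelled as an added Python example. This is not code from the book or from Cisco; the Packet fields, the DnsGuard class and the addresses are constructed for illustration.

```python
"""Model of the PIX DNS reply handling described in the answer key.

A state table records each outbound UDP/53 query. The first reply that
matches a pending query is passed and the entry is removed, so every later
reply to the same query (duplicate or spoofed) is dropped.
"""
from dataclasses import dataclass

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    dns_id: int  # DNS transaction ID carried in the UDP payload


class DnsGuard:
    """Tracks outstanding queries keyed on addresses, ports and transaction ID."""

    def __init__(self) -> None:
        self.pending: set = set()

    def outbound(self, pkt: Packet) -> bool:
        # Inside-to-outside traffic is allowed; DNS queries are remembered.
        if pkt.dport == DNS_PORT:
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dns_id))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # A reply passes only if it matches a still-pending query. Removing the
        # entry on the first match is what makes later replies get dropped.
        if pkt.sport != DNS_PORT:
            return False
        key = (pkt.dst, pkt.dport, pkt.src, pkt.dns_id)
        if key in self.pending:
            self.pending.discard(key)
            return True
        return False


def simulate() -> list:
    """Constructed traffic: a query, the real reply, the same reply again,
    and a reply whose transaction ID never matched a query."""
    fw = DnsGuard()
    query = Packet("10.1.1.5", 40001, "198.51.100.2", DNS_PORT, 0x1234)
    reply = Packet("198.51.100.2", DNS_PORT, "10.1.1.5", 40001, 0x1234)
    bogus = Packet("198.51.100.2", DNS_PORT, "10.1.1.5", 40001, 0x9999)
    fw.outbound(query)
    return [fw.inbound(reply), fw.inbound(reply), fw.inbound(bogus)]
```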

7 What does the PIX normally change when allowing a TCP handshake between nodes on different interfaces and performing NAT?

Answer: It translates the local address and randomizes the TCP sequence number.

8 What does the PIX normally change when allowing a TCP handshake between nodes on different interfaces and performing PAT?

Answer: It translates the local address and source port number and randomizes the TCP sequence number.

9 You have configured two additional DMZ interfaces on your PIX Firewall. How do you prevent nodes on DMZ1 from accessing nodes on DMZ2 without adding rules to the security policy?

A Route all traffic for DMZ2 out the outside interface.

B Dynamically NAT all DMZ2 nodes to a multicast address.

C Assign a higher security level to DMZ2.

D All of the above

Answer: C