Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf

342 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

10 True or false: It is possible to hide an entire Class C network behind a single IP using PAT.

Answer: True. PAT supports approximately 64,000 nodes.

11 True or false: TCP is a much better protocol than UDP, because it does handshakes and randomly generates TCP sequence numbers.

Answer: False. Each transport protocol has its strengths and weaknesses. Because UDP is connectionless, it has much less overhead and is faster than TCP.

12 Which of the following nat commands is/are correct?

A LabPIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0

B LabPIX(config)# nat (inside) 1 0.0

C LabPIX(config)# nat (inside) 1 0 0

D A and B

E A and C

F All of the above

Answer: E

13 When would you want to configure NAT and PAT for the same inside segment?

Answer: When you have more users than addresses in your global pool.

14 What is RFC 1918?

Answer: It sets aside IP addresses for private networks.

15 True or false: By default, an embryonic connection terminates after 2 minutes.

Answer: False. The default timeout for an embryonic connection is unlimited.

16 What command shows all active TCP connections on the PIX?

Answer: show conn

17 Why is there an id field in the nat command?

Answer: So that the PIX can tell what nat statement applies to what global statement.

Chapter 6

"Do I Know This Already?" Quiz

1 How do you access privileged mode?

Answer: Enter enable and the enable password.


2 What is the function of the nameif command?

Answer: You use it to name a Cisco PIX Firewall interface and assign a security level.

3 What six commands produce a basic working configuration for a Cisco PIX Firewall?

Answer: nameif, interface, ip address, nat, global, route

4 Why is the route command important?

Answer: It tells the PIX where to send packets. It is especially important because it is used to create the default route.

5 What is the command to flush out the ARP cache on a Cisco PIX Firewall?

Answer: clear arp

6 True or false: It is possible to configure the outside interface on a Cisco PIX Firewall to accept DHCP requests.

Answer: False. Only the inside interface can be configured to accept DHCP requests and assign IP addresses.

7 What type of environment uses the PIX DHCP client feature?

Answer: Small office/home office (SOHO)

8 What command releases and renews an IP address on the PIX?

Answer: ip address outside dhcp

9 Give at least one reason why it is beneficial to use NTP on the Cisco PIX Firewall.

Answer: 1. For the certificate revocation list (CRL), because it is time-stamp-sensitive. 2. Troubleshooting events is easier.

10 Why would you want to secure the NTP messages between the Cisco PIX Firewall and the NTP server?

Answer: To prevent the Cisco PIX Firewall from synchronizing with unauthorized NTP servers.

Q&A

1 What command tests connectivity?

A ping

B nameif

C ip address

D write terminal

Answer: A


2 What command saves the configuration you made on the Cisco PIX Firewall?

A write terminal

B show start-running config

C write memory

D save config

Answer: C

3 What command assigns security levels to interfaces on the PIX?

A ip address

B route

C nameif

D secureif

Answer: C

4 What command flushes the ARP cache on a PIX?

A flush arp cache

B no arp cache

C clear arp

D You cannot flush the ARP cache.

Answer: C

5 True or false: The DHCP client feature is primarily designed for large corporate enterprise networks and ISPs.

Answer: False. The DHCP server is usually used in SOHO environments with lower-end models of the Cisco PIX Firewall, such as the 501 and 506 units.

6 Why would you want authentication enabled between the PIX and the NTP server? (Select all that apply.)

A To ensure that the PIX does not synchronize with an unauthorized NTP server

B To maintain the integrity of the communication

C To increase the speed of communication

D To reduce latency

Answer: A, B


7 True or false: The DHCP client feature can be configured on the PIX's inside interface.

Answer: False. The DHCP client can be enabled only on the PIX's outside interface.

8 How do you access privileged mode?

A Enter the enable command and the enable password.

B Enter the privilege command and the privilege password.

C Enter the super-secret password.

D Enter the privilege command only.

Answer: A

9 How do you view the current configuration on your PIX? (Select all that apply.)

A write terminal

B show current

C write memory

D save config

Answer: A

10 In a DHCP client configuration, what is the command to release and renew the IP address on the outside interface?

A ipconfig release

B ip address dhcp outside

C outside ip renew

D ip address renew outside

Answer: B

Chapter 7

"Do I Know This Already?" Quiz

1 What do static NAT settings do?

Answer: They create a one-to-one mapping between a host/network on the inside and a global IP address that can be accessed by external hosts.


2 True or false: Static NAT is the only configuration that lets inbound access in.

Answer: False. ACL/conduits are required to decide what type of access should be made available to the host/network identified by the static nat command.

3 Can the conduit command be used in place of the access-list command?

Answer: Yes. However, the preferred command is access-list beginning with PIX version 5.3. ACLs provide improved flexibility compared to conduits.

4 About how many access list entries (ACEs) in one access list does TurboACL support?

Answer: 16,000

5 What is the minimum memory required to run TurboACL?

Answer: 2.1 MB

6 What is the command to enable TurboACL globally on the PIX Firewall?

Answer: access-list compiled

7 What is the minimum number of access list entries needed for TurboACL to compile?

Answer: 19

8 What is the function of object groups?

Answer: Object groups are used to group hosts/networks, services, and more. A single security policy (ACL) can be applied to the group.

9 What is the command to enable a network object group?

Answer: object-group network group-id

10 What are the four object type options when you're creating object groups?

Answer: network, protocol, service, icmp-type

Q&A

1 What is the maximum number of access list entries in one access list that TurboACL supports?

A 19

B 2000

C 16,000

D 10

Answer: C


2 What is the minimum number of access list entries needed in an access list for TurboACL to compile?

A 4

B 19

C 16,000

D No minimum is required

Answer: B

3 Which of the following is not one of the four options for object types when you create an object group?

A Network

B Protocol

C Application

D Services

Answer: C

4 True or false: By default, traffic initiated from the outside (external to the PIX) is allowed in through the PIX.

Answer: False

5 What command lets you create a network object group?

A object-group network group-id

B enable object-group network group-id

C create network object-group

D network object-group enable

Answer: A

6 What command enables TurboACL globally on the PIX Firewall?

A turboacl global

B access-list compiled

C access-list turboacl

D You cannot enable TurboACL globally

Answer: B