- Icons Used in This Book
- Network Security
- Vulnerabilities
- Threats
- Types of Attacks
- Network Security Policy
- AVVID and SAFE
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Firewall Technologies
- Cisco PIX Firewall
- Foundation Summary
- The Cisco Secure PIX Firewall
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Overview of the Cisco PIX Firewall
- Cisco PIX Firewall Models and Features
- Foundation Summary
- System Maintenance
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Accessing the Cisco PIX Firewall
- Installing a New Operating System
- Upgrading the Cisco PIX OS
- Creating a Boothelper Diskette Using a Windows PC
- Auto Update Support
- Password Recovery
- Foundation Summary
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- How the PIX Firewall Handles Traffic
- Address Translation
- Translation Versus Connection
- Foundation Summary
- “Do I Know This Already?” Quiz
- Foundation Topics
- Access Modes
- Foundation Summary
- “Do I Know This Already?” Quiz
- Foundation Topics
- TurboACL
- Object Grouping
- Advanced Protocol Handling
- Foundation Summary
- Syslog
- “Do I Know This Already?” Quiz
- Foundation Topics
- How Syslog Works
- How Log Messages Are Organized
- How to Read System Log Messages
- Disabling Syslog Messages
- Foundation Summary
- Cisco PIX Firewall Failover
- “Do I Know This Already?” Quiz
- Foundation Topics
- What Causes a Failover Event
- What Is Required for a Failover Configuration
- Failover Monitoring
- Stateful Failover
- LAN-Based Failover
- Foundation Summary
- Virtual Private Networks
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Overview of VPN Technologies
- Cisco VPN Client
- PPPoE Support
- Foundation Summary
- Scenario
- Completed PIX Configurations
- PIX Device Manager
- “Do I Know This Already?” Quiz
- Foundation Topics
- PDM Overview
- PIX Firewall Requirements to Run PDM
- Foundation Summary
- Content Filtering with the Cisco PIX Firewall
- “Do I Know This Already?” Quiz
- Filtering Java Applets
- Filtering ActiveX Objects
- Filtering URLs
- Foundation Summary
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Overview of AAA and the Cisco PIX Firewall
- Cisco Secure Access Control Server (CSACS)
- Foundation Summary
- How to Best Use This Chapter
- “Do I Know This Already?” Quiz
- Foundation Topics
- Specifying Your AAA Servers
- Troubleshooting Your AAA Setup
- Foundation Summary
- “Do I Know This Already?” Quiz
- Foundation Topics
- Multimedia Support on the Cisco PIX Firewall
- Attack Guards
- PIX Firewall’s Intrusion Detection Feature
- ip verify reverse-path Command
- Foundation Summary
- Answers to the “Do I Know This Already?” Quizzes and Q&A Questions
- Chapter 1
- Chapter 2
- Chapter 3
- Chapter 4
- Chapter 5
- Chapter 6
- Chapter 7
- Chapter 8
- Chapter 9
- Chapter 10
- Chapter 11
- Chapter 12
- Chapter 13
- Chapter 14
- Chapter 15
- Appendix B
- What’s Wrong with This Picture?
342 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions
10 True or false: It is possible to hide an entire Class C network behind a single IP using PAT.
Answer: True. PAT supports approximately 64,000 nodes.
11 True or false: TCP is a much better protocol than UDP, because it does handshakes and randomly generates TCP sequence numbers.
Answer: False. Each transport protocol has its strengths and weaknesses. Because UDP is connectionless, it has much less overhead and is faster than TCP.
12 Which of the following nat commands is/are correct?
A LabPIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0
B LabPIX(config)# nat (inside) 1 0.0
C LabPIX(config)# nat (inside) 1 0 0
D A and B
E A and C
F All of the above
Answer: E
13 When would you want to configure NAT and PAT for the same inside segment?
Answer: When you have more users than addresses in your global pool.
14 What is RFC 1918?
Answer: It sets aside IP addresses for private networks.
15 True or false: By default, an embryonic connection terminates after 2 minutes.
Answer: False. The default timeout for an embryonic connection is unlimited.
16 What command shows all active TCP connections on the PIX?
Answer: show conn
17 Why is there an id field in the nat command?
Answer: So that the PIX can tell what nat statement applies to what global statement.
Chapter 6
"Do I Know This Already?" Quiz
1 How do you access privileged mode?
Answer: Enter enable and the enable password.
2 What is the function of the nameif command?
Answer: You use it to name a Cisco PIX Firewall interface and assign a security level.
3 What six commands produce a basic working configuration for a Cisco PIX Firewall?
Answer: nameif, interface, ip address, nat, global, route
4 Why is the route command important?
Answer: It tells the PIX where to send packets. It is important especially because it is used to create the default route.
5 What is the command to flush out the ARP cache on a Cisco PIX Firewall?
Answer: clear arp
6 True or false: It is possible to configure the outside interface on a Cisco PIX Firewall to accept DHCP requests.
Answer: False. Only the inside interface can be configured to accept DHCP requests and assign IP addresses.
7 What type of environment uses the PIX DHCP client feature?
Answer: Small office/home office (SOHO)
8 What command releases and renews an IP address on the PIX?
Answer: ip address outside dhcp
9 Give at least one reason why it is beneficial to use NTP on the Cisco PIX Firewall.
Answer: 1. For certificate revocation list (CRL) checking, because it is time-stamp-sensitive. 2. Troubleshooting events is easier.
10 Why would you want to secure the NTP messages between the Cisco PIX Firewall and the NTP server?
Answer: To prevent the Cisco PIX Firewall from synchronizing with unauthorized NTP servers.
Q&A
1 What command tests connectivity?
A ping
B nameif
C ip address
D write terminal
Answer: A
2 What command saves the configuration you made on the Cisco PIX Firewall?
A write terminal
B show start-running config
C write memory
D save config
Answer: C
3 What command assigns security levels to interfaces on the PIX?
A ip address
B route
C nameif
D secureif
Answer: C
4 What command flushes the ARP cache on a PIX?
A flush arp cache
B no arp cache
C clear arp
D You cannot flush the ARP cache.
Answer: C
5 True or false: The DHCP client feature is primarily designed for large corporate enterprise networks and ISPs.
Answer: False. The DHCP server is usually used in SOHO environments with lower-end models of the Cisco PIX Firewall, such as the 501 and 506 units.
6 Why would you want authentication enabled between the PIX and the NTP server? (Select all that apply.)
A To ensure that the PIX does not synchronize with an unauthorized NTP server
B To maintain the integrity of the communication
C To increase the speed of communication
D To reduce latency
Answer: A, B
7 True or false: The DHCP client feature can be configured on the PIX's inside interface.
Answer: False. The DHCP client can be enabled only on the PIX's outside interface.
8 How do you access privileged mode?
A Enter the enable command and the enable password.
B Enter the privilege command and the privilege password.
C Enter the super-secret password.
D Enter the privilege command only.
Answer: A
9 How do you view the current configuration on your PIX? (Select all that apply.)
A write terminal
B show current
C write memory
D save config
Answer: A
10 In a DHCP client configuration, what is the command to release and renew the IP address on the outside interface?
A ipconfig release
B ip address dhcp outside
C outside ip renew
D ip address renew outside
Answer: B
Chapter 7
"Do I Know This Already?" Quiz
1 What do static NAT settings do?
Answer: They create a one-to-one mapping between a host/network on the inside to a global IP address that can be accessed by external hosts.
2 True or false: Static NAT is the only configuration that lets inbound access in.
Answer: False. ACL/conduits are required to decide what type of access should be made available to the host/network identified by the static nat command.
3 Can the conduit command be used in place of the access-list command?
Answer: Yes. However, the preferred command is access-list beginning with PIX version 5.3. ACLs provide improved flexibility compared to conduits.
4 About how many access list entries (ACEs) in one access list does TurboACL support?
Answer: 16,000
5 What is the minimum memory required to run TurboACL?
Answer: 2.1 MB
6 What is the command to enable TurboACL globally on the PIX Firewall?
Answer: access-list compiled
7 What is the minimum number of access list entries needed for TurboACL to compile?
Answer: 19
8 What is the function of object groups?
Answer: Object groups are used to group hosts/networks, services, and more. A single security policy (ACL) can be applied to the group.
9 What is the command to enable a network object group?
Answer: object-group network group id
10 What are the four object type options when you're creating object groups?
Answer: network, protocol, service, icmp-type
Q&A
1 What is the maximum number of access list entries in one access list that TurboACL supports?
A 19
B 2000
C 16,000
D 10
Answer: C
2 What is the minimum number of access list entries needed in an access list for TurboACL to compile?
A 4
B 19
C 16,000
D No minimum is required
Answer: B
3 Which of the following is not one of four options for object types when you create an object group?
A Network
B Protocol
C Application
D Services
Answer: C
4 True or false: By default, traffic initiated from the outside (external to the PIX) is allowed in through the PIX.
Answer: False
5 What command lets you create a network object group?
A object-group network group-id
B enable object-group network group-id
C create network object-group
D network object-group enable
Answer: A
6 What command enables TurboACL globally on the PIX Firewall?
A turboacl global
B access-list compiled
C access-list turboacl
D You cannot enable TurboACL globally
Answer: B