Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf

354 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

Chapter 10

"Do I Know This Already?" Quiz

1 Which encryption is stronger, Group 2 Diffie-Hellman or 3DES?

Answer: 3DES. Diffie-Hellman is not an encryption protocol.

2 What is the command to apply an access list to a crypto map?

Answer: crypto map map-name seq-num match address acl_name

3 What is the difference between ESP and AH?

Answer: AH does only header authentication. ESP can both authenticate and encrypt the header and the data.

4 What service uses UDP 500?

Answer: IKE

5 What is the size of an MD5 hash?

Answer: 128 bits

6 Why is manual-ipsec not recommended by Cisco?

Answer: The session keys are manually coded and never change.

7 What is the most scalable VPN solution?

Answer: IKE using certification authorities (CAs)

8 What is the difference between an access VPN and an intranet VPN?

Answer: Access VPNs require VPN client software on the remote machine.

9 Which hash algorithm is configured by default for phase 1?

Answer: SHA

10 What are the two methods of identifying SA peers?

Answer: IP address and host name

11 What happens if you have different ISAKMP policies configured on your potential SA peers, and none of them match?

Answer: They cannot negotiate the connection.

12 What command should you use to watch your IKE negotiation?

Answer: debug crypto isakmp


13 Where do you define your authentication method?

Answer: isakmp policy

14 What are the three types of VPNs?

Answer: Access, intranet, extranet

Q&A

1 What is the default lifetime if not defined in isakmp policy?

Answer: 86,400 seconds

2 Do your transform sets have to match exactly on each peer?

Answer: No. The peers continue to go through the transforms until they find a match. If there is no match, they are unable to negotiate the connection.

3 True or false: The X509v3 standard applies to the ESP header's format.

Answer: False. X509v3 applies to digital certificates.

4 What is the difference between the isakmp lifetime and the crypto-map lifetime?

Answer: The isakmp lifetime initiates a renegotiation of IKE based on time only. The crypto-map lifetime initiates a renegotiation of the IPSec SA based on time or traffic (kilobytes).

5 What command do you use to delete any active SAs?

Answer: clear crypto isakmp sa

6 What is the command for defining a preshared key?

Answer: isakmp key string {address peer-address [netmask peer-netmask] | hostname peer-hostname}

7 What is the first thing you should check if you are unable to establish a VPN?

Answer: Verify that the peers' configurations match.

8 What is the function of the access list with regard to VPNs?

Answer: It tells the PIX what traffic should be encrypted.

9 What PIX firewalls support PPPoE?

Answer: 501, 506, 506E


Chapter 11

"Do I Know This Already?" Quiz

1 What happens to traffic that is not explicitly permitted by an access rule in an access control list?

Answer: It is denied.

2 True or false: PDM supports a mixed configuration with outbound or conduit commands and access-list commands.

Answer: False

3 What is a translation exemption rule?

Answer: The translation exemption rule specifies traffic that is exempt from being translated or encrypted. It is possible to create an exemption rule for traffic that is not to be encrypted and sent to the Internet or a less-secure interface. This makes it possible to allow certain traffic between hosts or networks to remain unencrypted. This can be useful if you want to encrypt some traffic to another remote VPN network but you want traffic destined for anywhere else to be unencrypted.

4 What are the six tabs on the PDM?

Answer: System Monitoring, Hosts/Networks, Access Rules, Translation Rules, VPN, Monitoring

5 How do you connect to the PDM?

Answer: Through your browser by entering the PIX's inside interface IP address: https://inside_interface_ip

6 What version of PIX Software is required for PDM version 1.1?

Answer: PDM Version 1.1 requires PIX version 6.0(1) at a minimum.

7 Which models of Cisco PIX Firewall are supported by PDM?

Answer: 501, 506, 515, 520, 525, 535

8 What versions of Windows does PDM support?

Answer: Windows NT and Windows 2000


9 What steps should you take before installing PDM?

Answer: Ensure that you have 8 MB or more of Flash memory and that PIX OS version 6.0 or later is on the PIX.

10 True or false: PDM comes preinstalled on all PIX 5.3 and later software versions.

Answer: False. PDM is available only for Cisco PIX 6.0 and later.

11 Where does PDM reside?

Answer: In the PIX's Flash memory

Q&A

1 How many tabs does the PDM have for configuring and monitoring the Cisco PIX Firewall?

A Three

B Five

C Eight

D Six

Answer: D

2 How do you connect to the PDM?

A By accessing the PIX through Telnet and entering PDM

B By entering http://inside_interface_ip in your browser

C By entering https://inside_interface_ip in your browser

D By entering https://PIX_PDM

Answer: C

3 What version of the PIX is required for PDM to run?

A 5.1

B 5.2

C 5.3

D 6.0

Answer: D


4 Which model of the Cisco PIX Firewall does PDM support?

A 506

B 515

C 520

D 525

E 535

F All of the above

Answer: F

5 Where does PDM reside?

A On a Windows NT/2000 server

B On a Red Hat Linux 7.0 server

C On a Solaris server

D All of the above

E In the PIX Flash memory

Answer: E

6 What default security mechanism does PDM employ for browsers to connect to it?

A RSA

B SSL

C Biometrics

D None of the above

Answer: B

7 True or false: The PDM lets conduits and access lists exist together on the PIX Firewall configuration.

Answer: False. If your PIX currently has a working configuration using either conduit commands, outbound commands, or access lists, PDM continues using your current model. If the PIX Firewall is currently using conduit commands to control traffic, PDM adds more conduit commands to your configuration as you add rules. Similarly, if the PIX Firewall is currently configured using access-list commands, PDM adds more access-list commands to your configuration as you add rules. If you have a PIX Firewall with no previous configuration, PDM adds access-list commands to the CLI by default. PDM does not support a mixed configuration with outbound commands or conduit commands and access-list commands.