Testking_640-802_V13

For each interface, one access list for each protocol (IP, IPX, etc) can be applied in the inbound direction, and one for the outbound direction.

Incorrect Answers:

B. It is true that no more than two access lists can be applied per interface (inbound and outbound). However, this applies per layer 3 protocol, so it is possible to configure more than 2 access lists per interface.

Section 5: Troubleshoot ACL issues (5 questions)

QUESTION NO: 1

The following configuration line was added to router TK1:

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?

A.It will permit all packets matching the host bits in the source address to all destinations

B.It will permit all packets to destinations matching the first three octets in the destination address

C.It will permit all packets from the third subnet of the network address to all destinations

D.It will permit all packets matching the first three octets of the source address to all destinations

E.It will permit all packets matching the last octet of the destination address and accept all source addresses

F.None of the above

Answer: D

QUESTION NO: 2

The TestKing network is shown below:

Leading the way in IT testing and certification tools, www.testking.com

- 611 -

The TK network administrator needs to troubleshoot an ACL issue. He would like to permit only hosts on the 172.30.16.0/24 network to access the Internet. Which wild card mask and address combination will only match addresses on this network?

A.172.30.0.0 0.0.0.0

B.172.30.16.0 0.0.0.255

C.172.30.0.0 0.0.15.255

D.172.30.16.0 0.0.31.255

E.172.30.16.0 0.0.255.255

Answer: B Explanation:

According to question, only the hosts from 172.30.16.30/24 network allow to access the Internet, for that we should use the wildcard masking. 172.168.16.0 0.0.0.255 where 0 means exact and 255 means 1-255 range.

For any particular host: 192.168.0.1 0.0.0.0

For Range: 192.168.0.1 0.0.0.3 means 1-4 total 4 hosts.

QUESTION NO: 3

In the TestKing network shown below, a network technician enters the following line into the router:

Tidmore1(config)# access-list 106 deny tcp 192.168.254.0 0.0.0.255 any eq www.

Leading the way in IT testing and certification tools, www.testking.com

- 612 -

What is the effect of this configuration, given that the router was already configured as shown below?

A.Web pages from the Internet cannot be accessed by hosts in the 192.168.254.0 LAN.

B.No hosts in the 192.168.254.0 LAN except 192.168.254.7 can access web pages from the Internet.

C.The change has no effect on the packets being filtered.

D.All traffic from the 192.168.254.0 LAN to the Internet is permitted.

Answer: C Explanation:

Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an "implied deny" for traffic that is not permitted. A single-entry ACL with only one "deny" entry has the effect of denying all traffic. You must have at least one "permit" statement in an ACL or all traffic is blocked. In this example, since the statement will be added to the end of the access list, and since there is already an entry that permits all IP traffic, the www traffic will be allowed, all traffic will never reach this access list entry.

Leading the way in IT testing and certification tools, www.testking.com

- 613 -

QUESTION NO: 4

For security reasons, the network administrator needs to prevent pings into the corporate networks from hosts outside the internetwork. Which protocol should be blocked with access control lists?

A.UDP

B.ICMP

C.IP

D.TCP

E.None of the above

Answer: B Explanation:

ICMP is used for error and control messages within the IP world and is very much integrated with IP. Ping is a computer network tool used to test whether a particular host is reachable across an IP network. Ping works by sending ICMP "echo request" packets to the target host and listening for ICMP "echo response" replies.

Leading the way in IT testing and certification tools, www.testking.com

- 614 -

QUESTION NO: 5

A TestKing network associate creates the configuration shown in the exhibit below:

Exhibit:

What will be the results of this configuration?

A.The configuration creates an access list that allows all the hosts in the 172.16.232.0/24 subnet to use Telnet but not to access web pages.

B.The configuration creates an access list that allow all traffic from the host 172.16.232.253 except Telnet and ping traffic.

C.The fourth line of the configuration creates an access list that allows only traffic from the host172.16.232.253 to anywhere in the network.

D.The configuration creates four access lists.

Answer: D Explanation:

With all access list entries, the order of entries is important. Normally, when a packet is evaluated against entries in an access list, the entries are evaluated in sequential order, and when a match occurs, no more entries are evaluated. However, this applies to access lists with the same number, but has multiple lines. When a different number is specified for each line, a different, separate, access list is actually created as is the case here.

Section 6: Explain the basic operation of NAT (4 questions)

Leading the way in IT testing and certification tools, www.testking.com

- 615 -

QUESTION NO: 1

You need to configure NAT on a TestKing router that is connected to the Internet. To do so, you must determine what the Inside Global IP addresses will be. What does the "Inside Global" address represent in the configuration of NAT?

A.The summarized address for all of the internal submitted addresses

B.A registered address that represents that represents an inside host to an outside network

C.A globally unique, private IP address assigned to a host on the inside network

D.The MAC address of the router used by inside hosts to connect to the Internet

E.None of the above

Answer: B

QUESTION NO: 2

Which one of the following varieties of NAT utilizes different ports to map multiple IP addresses to a single globally registered IP address?

A.Static NAT

B.Port loading

C.NAT Overloading

D.Dynamic NAT

E.None of the above

Answer: C Explanation:

Port address translation, or NAT overloading, uses transport layer port information to dynamically create NAT entries. This is also known as one to many network address translation.

Incorrect Answers:

A. Static NAT is known as one to one NAT, and is used to map a single IP address to a single registered IP address. It is often used for servers that need to be accessed via the Internet.

B, D: This is the incorrect term, and is not used.

QUESTION NO: 3

Leading the way in IT testing and certification tools, www.testking.com

- 616 -

Part of the TestKing network is shown below:

The TestKing network administrator would like to implement NAT in the TestKing network segment shown in the graphic to allow inside hosts to use a private addressing scheme. In this network segment, where should NAT be configured?

A.All routers

B.All routers and switches

C.TestKing1 router

D.TestKing2 router

E.TestKing3 router

F.None of the above

Answer: C Explanation:

Network Address Translation (NAT) can be used to hide the private IP addressing scheme of the entire network from the Internet. To do this, NAT needs to only be configured on the router that resides between the Internet and the rest of the private internal network. In this case, it needs to only be implemented on the Corporate router.

QUESTION NO: 4

Leading the way in IT testing and certification tools, www.testking.com

- 617 -

In any NAT (network address translation) configuration, what is the Inside Global IP address?

A.The summarized address for all internal subnetted addresses.

B.A private IP address assigned to a host on the inside network.

C.A registered address that represents an inside host to an outside network.

D.A unique IP address used on an internal network

E.Non of the above

Answer: C

Explanation:

With NAT, Cisco defines 4 different types of addresses as follows:

*Inside local address - The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer's OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.

*Inside global address - A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.

*Outside local address - The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.

*Outside global address - The IP address assigned to a host on the outside network by the host's owner. The address is allocated from a globally routable address or network space.

The above definitions still leave a lot to be interpreted. For this example, this document redefines these terms by first defining "local address" and "global address." Keep in mind that the terms "inside" and "outside" are NAT definitions. Interfaces on a NAT router are defined as "inside" or "outside" with the NAT configuration commands, ip nat inside and ip nat outside. Networks to which these interfaces connect can then be thought of as "inside" networks or "outside" networks, respectively.

*Local address - A local address is any address that appears on the "inside" portion of the network.

*Global address - A global address is any address that appears on the "outside" portion of the network.

Leading the way in IT testing and certification tools, www.testking.com

- 618 -

Section 7: Configure NAT for given network requirements using (including: CLI/SDM) (6 questions)

QUESTION NO: 1 SIMULATION

Network topology exhibit:

You work as a network technician at TestKing.com. Study the exhibit carefully. You are required to perform configurations to enable internet access. The TestKing ISP has given you six public IP addresses in the 198.18.227.25 198.18.227.30 range. TestKing.com has 30 clients that needs to have simultaneous internet access. These local hosts use private IP addresses in the 192.168.107.33 - 192.168.107.62 range.

You need to configure Router TestKing1 using the TestKingA console.

You have already made basic router configuration. You have also configured the appropriate NAT interfaces; NAT inside and NAT outside respectively.

Now you are required to finish the configuration of TestKing1.

Answer:

Explanation:

Testking1#config t

Testking1(Config)#access-list 1 permit 192.168.107.33 0.0.0.30

Leading the way in IT testing and certification tools, www.testking.com

- 619 -

Testking1(Config)#access-list 1 deny any Testking1(Config)#inteface fa0/0 Testking1(Config-if)#ip nat inside Testking1(Config-if)#exit Testking1(Config)#inteface s0/0 Testking1(Config-if)#ip nat outside Testking1(Config-if)#exit

Testking1(Config)#ip nat pool test_nat 198.18.227.25 198.18.227.30 prefix-length 24 Testking1(Config)#ip nat inside source list 1 pool test_nat override

Verify using:

Testking1#show ip nat translations

QUESTION NO: 2

TestKing has 25 computers and decides to connect the network to the Internet. TestKing would like for all of the computers to have access to the Internet at the same time, but TestKing only has four usable publicly routable IP addresses. What should be configured on the router so that all computers can connect to the Internet simultaneously?

A.Static NAT

B.Global NAT

C.Dynamic NAT

D.Static NAT with ACLs

E.Dynamic NAT with overload

Answer: E Explanation:

NAT overload, also called many to one NAT or Port Address Translation (PAT) allows for many IP hosts to share a single IP address when connecting to the outside. In this case, the use of dynamic NAT with overloading will allow for the 25 hosts to use an IP address from the NAT pool, which will contain the 4 public IP addresses.

QUESTION NO: 3

A TestKing router has been configured with the following command:

IP nat pool nat-test 192.168.6.10 192.168.6.20 netmask 255.255.255.0

Leading the way in IT testing and certification tools, www.testking.com

- 620 -