CCNA Security » Zone-based Firewall SDM Simlet


Instructions

To access the Cisco Router and Security Device Manager (SDM) utility, click on the console host icon that is connected to an ISR router. You can click on the grey buttons below to view the different windows.
Each of the windows can be minimized by clicking on the [-]. You can also reposition a window by dragging it by the title bar.
The “Tab” key and most commands that use the “Control” or “Escape” keys are not supported and are not necessary to complete this simulation.

(Note: If you don’t understand how Zone-Based-Firewall works, check out my article at http://www.ccnatesting.com/ccna-security-knowledge/cisco-ios-zone-based-firewall-tutorial/)

(Notice: the access list, class-map, policy-map, zones, zone-pair… in the real exam might be different!)

Question 1

Which two options correctly identify the associated interface with the correct security zone? (Choose two)

A. FastEthernet0/1 is associated to the “out-zone” zone.
B. FastEthernet0/0 is associated to the “in-zone” zone.
C. FastEthernet0/0 and 0/1 are associated to the “self” zone.
D. FastEthernet0/0 and 0/1 are associated to the “in-zone” zone.
E. FastEthernet0/0 and 0/1 are associated to the “out-zone” zone.
F. FastEthernet0/0 and 0/1 are not associated to any zone.


Answer: A B

Explanation

Under the Additional Tasks, click on the Zones group. At the right side box we will see the FastEthernet0/0 is assigned to the in-zone and the FastEthernet0/1 is assigned to the out-zone.

ZBF_Zones.jpg

(Notice: In the real exam, you might see more zones than the image above)

Question 2

Which statement is correct regarding the “sdm-permit” policy map?

A. Traffic not matched by any of the class maps within that policy map will be inspected.
B. Traffic matching the “sdm-access” traffic class will be inspected.
C. Traffic matching the “SDM_CA_SERVER” traffic class will be dropped.
D. That policy map is applied to traffic sourced from the “self” zone and destined to the “out-zone” zone.


Answer: B or C

Explanation

A is not correct because there is a default class-map at the end of this policy map named “class-default”. This class-map drops all the traffic that is not matched by the SDM_CA_SERVER class-map (it works in the same way as the implicit “deny all” line at the end of each access list). Therefore traffic not matched by any of the class maps within that policy map will be dropped.

D is not correct because the policy map is applied from the source “out-zone” to the destination “self”.

We haven’t had enough information about the correct answer yet, hope someone will describe this question clearly after taking the exam.

Question 3

Which three protocols are matched by the “sdm-cls-insp-traffic” class map? (Choose three)

A. sql-net
B. pop3
C. l2tp
D. ftp


Answer: A B D

Explanation

Click on the C3PL\Class Map\Inspection group and click on the sdm-cls-insp-traffic line at the upper right side box to see which protocols are matched by the “sdm-cls-insp-traffic” class map.

ZBF_class-map_sdm-cls-insp-traffic.jpg

Question 4

Within the “sdm-permit” policy map, what is the action assigned to the traffic class “class-default”?

A. inspect
B. pass
C. drop
D. police


Answer: C

Explanation

Under the C3PL\Policy Map\Protocol Inspection group we can see the policy maps, which class-maps and which actions are assigned to the class-maps.

ZBF_sdm-permit_class-default.jpg

Question 5

Which policy map is associated to the “sdm-zp-in-out” security zone pair?

A. sdm-permit-icmpreply
B. sdm-permit
C. sdm-inspect
D. sdm-insp-traffic

Answer: C

Explanation

There are 2 places where you can get information about the policy map associated to the “sdm-zp-in-out” security zone pair:

+ At the “Home” tab (you may need to click on the double down-arrow icon, ZBF_doubled_head-down-arrows.jpg, to expand the Firewall Policies section)

ZBF_sdm-zp-in-out-policy.jpg

+ At the Zone-pair group in the Additional Tasks

ZBF_sdm-zp-in-out-policy_ZonePairs.jpg

Question 6

Within the “sdm-inspect” policy map, what is the action assigned to the traffic class “sdm-invalid-src”, and which traffic is matched by the traffic class “sdm-invalid-src”? (Choose two)

A. traffic matched by ACL 105
B. traffic matched by the nested “sdm-cls-insp-traffic” class map
C. drop/log
D. traffic matched by ACL 104


Answer: A C

Explanation

Under the “Firewall and ACL” tab, search for the “sdm-inspect” policy map; there we can see that access list 105 is used by this policy map. We can also see the action assigned to the traffic class “sdm-invalid-src” (drop/log).

ZBF_Firewall_access_list.jpg

Notice that the access list number can also be seen in the C3PL\Class Map\Inspection group, and the drop/log action can be seen in the C3PL\Policy Map\Protocol Inspection group.

(Reference: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1063104)
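The SDM screens above are only a view of the router's running configuration, and the same questions can be answered from the CLI. The example below is added here and is not part of the original article or the exam: it embeds a constructed IOS zone-based firewall configuration that mirrors what the six questions describe (the protocols in sdm-cls-insp-traffic, ACL 105 in sdm-invalid-src, class-default drop, zone-pair sdm-zp-in-out with sdm-inspect, FastEthernet0/0 and 0/1 in in-zone/out-zone) and parses it into the interface-to-zone, zone-pair-to-policy and class-to-action mappings. The zone-pair name sdm-zp-out-self, the sqlnet keyword spelling and the omission of the other sdm-permit classes are assumptions, since the page does not settle them.

```python
# Constructed IOS equivalent of the SDM screens discussed above (not the exam's actual config).
ZBF_CONFIG = """\
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol sqlnet
 match protocol pop3
 match protocol ftp
class-map type inspect match-all sdm-invalid-src
 match access-group 105
policy-map type inspect sdm-permit
 class class-default
  drop
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-cls-insp-traffic
  inspect
 class class-default
  drop
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
interface FastEthernet0/0
 zone-member security in-zone
interface FastEthernet0/1
 zone-member security out-zone
"""
def parse_zbf(config):
    """Return (interface->zone, zone-pair->(src, dst, policy), class-map->matches, policy-map->{class: action})."""
    ifaces, pairs, cmaps, policies, ctx, cls = {}, {}, {}, {}, None, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line.startswith(" "):   # an unindented line opens a new config block
            ctx, cls = tok, None
            if tok[0] == "policy-map":
                policies[tok[-1]] = {}
            continue
        if ctx[0] == "interface" and tok[0] == "zone-member":
            ifaces[ctx[1]] = tok[-1]
        elif ctx[0] == "zone-pair" and tok[0] == "service-policy":
            pairs[ctx[2]] = (ctx[4], ctx[6], tok[-1])
        elif ctx[0] == "class-map" and tok[0] == "match":
            cmaps.setdefault(ctx[-1], []).append(" ".join(tok[1:]))
        elif ctx[0] == "policy-map":
            if tok[0] == "class":
                cls = tok[-1]          # "class type inspect NAME" or "class class-default"
            elif cls:
                policies[ctx[-1]][cls] = " ".join(tok)   # "inspect", "drop log", ...
    return ifaces, pairs, cmaps, policies
```

Running the parser over the embedded text gives the answers to Questions 1, 3, 4, 5 and 6 directly; the same function works on the output of `show running-config` from a real ZBF router, where auditing class-default actions and zone-pair coverage is the practical use.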
