ASA Firewall Interview Questions and Answers [CCIE] _ Networker Interview



Comments



Description

11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker InterviewNetworker Interview Prepare for CCNA, CCNP, CCIE Interview ! CCNA CCNP CCIE Q UICK NO TES CCNA PD F  D O W NLO AD ASA Firewall Interview Questions and Answers [CCIE] Search What is a Firewall? Firewall is a device that is placed between a trusted and an untrusted network. It deny or permit tra䖶�c that enters or leaves network based on pre-con刍gured policies. Firewalls protect inside networks from Buy CCNA  unauthorized access by users on an outside network. A 刍rewall can also protect inside networks from each other. For example - By keeping a Management network separate from a user network. Questions & A What is the di淜�erence between Gateway and Firewall? A Gateway joins two networks together and a network 刍rewall protects a network against unauthorized incoming or outgoing access. Network 刍rewalls may be hardware devices or software programs. Firewalls works at which Layers? Firewalls work at layer 3, 4 & 7.              What is the di淜�erence between Stateful & Stateless Firewall? Stateful 刍rewall - A Stateful 刍rewall is aware of the connections that pass through it. It adds and maintains information about users connections in state table, referred to as a connection table. It than uses this connection table to implement the security policies for users connections. Example of stateful 刍rewall are       Click fo PIX, ASA, Checkpoint. Stateless 刍rewalls -  (Packet Filtering) Stateless 刍rewalls on the other hand, does not look at the state of connections but just at the packets themselves. Buy VPN & A Example of a packet 刍ltering 刍rewall is the Extended Access Control Lists on Cisco IOS Routers. Interview Qu What information does Stateful Firewall Maintains? Answers  Stateful 刍rewall maintains following information in its State table:- 1.Source IP address. 2.Destination IP address. 3.IP protocol like TCP, UDP. 4.IP protocol information such as TCP/UDP Port Numbers, TCP Sequence Numbers, and TCP Flags. What are the security-levels in Cisco ASA? ASA uses Security levels to determine the Trustworthiness of a network attached to the respective interface. The security level can be con刍gured between 0 to 100 where higher numbers are more trusted Click for  than lower. By default, the ASA allows tra䖶�c from a higher security level to a lower security level only. http://networkerinterview.net/entries/asa­firewall/asa­firewall­interview­questions­and­answers 1/10 the IP header is translated if NAT is used and if the NAT rule speci刍es an egress interface.net/entries/asa­firewall/asa­firewall­interview­questions­and­answers 2/10 . Any other TCP packet that isn’t part of an existing connection Questions and Answers [C A visitor from Milan. To allow it we use command:- 1 friend likes this ASA(con刍g)# same-security-tra䖶�c permit inter-interface.2 minutes ICMP session . What is the security level of Inside and Outside Interface by default? Security Level of Inside interface by default is 100.60 minutes UDP session   . The 刍rewall allows limited access to the DMZ. protocol inspection is carried out on that packet. Ind arrived from www. the packet goes through protocol and viewed "CCNP | Netw inspection. the ASA checks if it matches an existing entry in the A visitor from Kumar. Networker Interview A visitor from New Delhi. ICMP session? Networker Interview A visitor from Wilson.. then the Layer-2 header of the packet is re-written Interview Questions and A [CCIE] | Networker Interv A visitor from India  and the packet is forwarded out the egress interface.in and viewed " Interview Questions and A What are the values for timeout of TCP session. connection table. Does ASA inspects ICMP? No. Interview" 20 mins ago City of arrived from  and viewed "ASA Firewal If a route is found that speci刍es the egress interface. Firewall Interview Questio Answers [CCIE] | Network A visitor from London. Same Security level tra䖶�c is allowed or denied in ASA? Like Page By default same security level tra䖶�c is not allowed. viewed "ASA Firewall Inte Questions and Answers [C ---------------------------------------------------------------------------------------------------------------------. ASA does not inspect ICMP by default.uk mins ago viewed "ASA Firewall Inte the 刍rst packet in the TCP 3-way handshake. Lom Networker Interview is likely an attack.11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker Interview How can we allow packets from lower security level to higher security level (Override Security Levels)? Networke 1. Lo ---------------------------------------------------------------------------------------------------------------------. Explain DMZ (Demilitarized Zone) Server? If we need some network resources such as a Web server or FTP server to be available to outside users we Networker place these resources on a separate network behind the 刍rewall called a demilitarized zone (DMZ). What protocols are inspected by ASA? By default.424 likes We use ACLs to allow packets from lower security level to higher security level. Interview" 19 mins ago A visitor from New Delhi. arrived from networkerinte ---------------------------------------------------------------------------------------------------------------------.co. If it does. arrived from networkerinte If the packet is allowed by ACLs and is also veri刍ed by translation rules.co.google. ---------------------------------------------------------------------------------------------------------------------. When a packet is received on the ingress interface. and viewed BGP Interview Questions and Answers | N A visitor from Bangalore.in and viewed " will virtually forward the packet to this egress interface and then perform a route lookup.The reason it needs to be a TCP-SYN packet is because a SYN packet is [CCIE] | Networker Interv arrived from google. No Carolina arrived from  Real­time view · Get Feedjit TCP session    .co.2 seconds http://networkerinterview. but because the DMZ only includes the public servers. mins ago google. an attack there only a淜�ects the servers and does not a淜�ect the inside network. min ago Karnataka arrived from  If it does not match an existing connection and the packet is either a TCP-SYN packet or UDP packet. UDP session. Live Traffic Feed A visitor from United Stat How does a 刍rewall process a packet? viewed ASA Firewall Inte Questions and Ans. TCP and UDP are inspected by ASA. and viewed "CCNP | Netw Interview" 20 mins ago A visitor from India  Then. the and viewed "ASA Firewal Interview Questions and A A visitor from United King packet is subjected to ACL checks. the ASA google. Security Level of Outside Interface by default is 0.. the connection າ�ags shown for each TCP connection provide information about the state of TCP connections to the ASA.2? In ASA 8. Wildcard mask concept is not present in ASA. In ASA. What if we apply ACL as global in ASA? It will be applied on all interfaces towards inbound.2 What is the di淜�erence in ACL on ASA than on Router? In router. if we will delete one access-control entry whole ACL will not be deleted.# capture abc interfacer inside To see it:. What is the command to see timeout timers? # sh run timeout What is the Di淜�erence between ports in ASA 8. if we delete one access-control entry whole ACL will be deleted. Name some concepts that cannot be con刍gured on ASA? Line VTY cannot be con刍gured on ASA.4 all ports are Gig ports and in ASA 8.net/entries/asa­firewall/asa­firewall­interview­questions­and­answers 3/10 .# sh capture abc What is the command to enable HTTP on ASA? # http server enable How to give static route on ASA? # route outside <Destination IP> <Subnet Mask> < Next Hop> http://networkerinterview. Loopback cannot be con刍gured on ASA. What is the command to capture packets in ASA? To capture packet from inside interface:.4 not in ASA 8. It forwards it without decrementing the TTL Value. What is the command to check connection table? # sh conn How ASA works in reference to Traceroute? ASA does not decrement the TTL value in traceroute because it does not want to give its information to others for security purpose.4 and ASA 8. Global option is only in ASA 8.11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker Interview Explain TCP Flags? While troubleshooting TCP connections through the ASA.2 all are Ethernet ports. Webtype ACL (SSL VPN) What is Tranparent Firewall? In Transparent Mode. What are the features that are not supported in Transparent mode? 1. 2.Dynamic Routing.Multicasting. Switch process tra䖶�c at layer 1 & layer 2 while ASA can process tra䖶�c from layer 1 to layer 7. What is the need of Transparent Firewall? If we want to deploy a new 刍rewall into an existing network it can be a complicated process due to various issues like IP address recon刍guration. ASA acts as a Layer 2 device like a bridge or switch and forwards Ethernet frames based on destination MAC-address. 5. What are the di淜�erences between switch and ASA (in Transparent mode) ? ASA does not າ�oods unknown unicast frames that are not found in mac address table. We can easily insert a transparent 刍rewall in an existing segment and control tra䖶�c between two sides without having to readdress or recon刍gure the devices.net/entries/asa­firewall/asa­firewall­interview­questions­and­answers 4/10 . current 刍rewall etc.VPNs like IPSec and WebVPN cannot be terminated.11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker Interview How to give default route on ASA? # route outside 0 0 < Next Hop> What are the di淜�erent types of ACL in Firewall? 1. We create Ether-Type ACL to allow NON-IP tra䖶�c.ASA cannot act as DHCP relay agent.Extended ACL 3. network topology changes.QOS. What are the similarities between switch and ASA (in Transparent mode) ? Both learns which mac addresses are associated with which interface and store them in local mac address table.Ethertype ACL (Transparent Firewall) 4. 4. Explain Ether-Type ACL? In Transparent mode. We can control tra䖶�c like BPDU.Standard ACL 2. What is the command to convert ASA into Transparent mode? # 刍rewall transparent What is the command to see mode (routed or transparent)? # sh 刍rewall http://networkerinterview. 3. IPX etc with Ether-Type ACL. ASA does not participate in STP. unlike TCP/IP tra䖶�c for which security levels are used to permit or deny tra䖶�c all non-IP tra䖶�c is denied by default. In Active/Active Failover. Software Requirements . Explain Active/Standby Failover? In Active/Standby Failover. Clients need to re-establish connections when the new active unit takes over.Active or standby. 2. Clients are not required to reconnect to keep the same communication session. http://networkerinterview.Active/Standby Failover.The active unit continually passes per-connection state information to the standby unit.net/entries/asa­firewall/asa­firewall­interview­questions­and­answers 5/10 . When  Failover occurs.Mac Addresses. They must have the same software version. The Layer 2 bridge table (when running in transparent 刍rewall mode). it occurs at the Failover group level. The standby unit does not actively pass tra䖶�c. The ARP table. both ASAs can pass network tra䖶�c. 5. Each group is assigned to be active on a speci刍c ASA in the failover pair. A Failover Group is simply a logical group of one or more security contexts. It requires two identical ASAs to be connected to each other through a dedicated failover link. We can use Active/Standby Failover for ASAs in both single or multiple context mode. Stateful Failover .When failover occurs all active connections are dropped. 2. After a failover occurs. which then becomes active. TCP connection states.Hello Messages. should have same number and types of interfaces. When  Failover occurs.The two units in a failover con刍guration must be in the same operating modes (routed or transparent single or multiple context). What is the di淜�erence between Stateful failover and Stateless failover? Stateless Failover . the same connection information is available at the new active unit.Network Link Status.The two units in a failover con刍guration must be the same model. It is used to provide redundancy.Con刍guration Replication and Synchronization.11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker Interview Explain Failover? Failover is a cisco proprietary feature. we divide the security contexts on the ASA into Failover Groups. What Information Active unit passes to the standby unit in Stateful Failover? NAT translation table. What are type of Failover? 1.State .Active/Active Failover. ICMP connection state etc. What are the Failover Requirements between two devices? Hardware Requirements . What information is exchanged between ASAs over a Failover link? 1. one unit is the active unit which passes tra䖶�c. the active unit fails over to the standby unit. In an Active/Active Failover con刍guration. 4. Explain Active/Active Failover? It is only available for ASAs in multiple context mode. 3. Health of active interfaces and units are monitored to determine if failover has occurred or not. to 刍nd whether or not the other unit is responsive. Multiple contexts are similar to having multiple standalone devices. it becomes the active unit. Name some commands replicated to standby unit? All con刍guration commands except for mode. How active unit is determined in Active/Standby Failover? 1. Firewall features. it sends hello messages on each interface.net/entries/asa­firewall/asa­firewall­interview­questions­and­answers 6/10 .If a unit boots and does not detect active unit. 3. The failover link is marked as failed. and the secondary unit becomes the standby unit.If the ASA does not receive a response on the failover link. then it does not failover. In Active/Active Failover preemption is optional. IPS.If a unit boots and detects another unit already running as active. Based upon the response from the other unit it takes following actions:- 1. http://networkerinterview. When a unit does not receive three consecutive hello messages on the failover link. it becomes the standby unit. 2. 3. # copy running-con刍g startup-con刍g # write memory Name some commands that are not replicated to standby unit? All forms of the copy command except for # copy running-con刍g startup-con刍g all forms of the write command except for # write memory Explain Active/Standby Failover & Active/Active Failover in terms of preemption? In Active/Standby Failover there is no preemption. with its own security policy.If the ASA receives a response on the failover interface. What features are not supported in multiple context mode? VPN and Dynamic Routing Protocols. Each Context acts as an independent device. Explain Security Context? We can partition a Single ASA into multiple virtual devices. and failover lan unit are replicated to standby unit.If both units boot simultaneously. 2. known as Security Contexts. and administrators. and Management. then the primary unit becomes the active unit.11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker Interview What is the command to enable Failover? # Failover What is the command to see Failover? # sh failover Explain Unit Health Monitoring in Failover? How Failover occurs? The ASA unit determines the health of the other unit by monitoring the failover link. then the standby unit switches to active mode and classi刍es the other unit as failed. interfaces. including the failover interface.If the ASA does not receive a response on any interface. What features are supported in multiple context mode? Routing tables. 刍rewall. then the unit does not failover. but it does receive a response on another interface. one context is automatically created called Admin Context which defaults to being the administrative context. In Static NAT it is called as Static Policy NAT. It allows only Unidirectional tra䖶�c initiation. ASA lets us assign a di淜�erent MAC address in each context to the same shared interface. 2. essentially bypassing NAT.If multiple contexts share an interface.NAT Con刍guration . Dynamic Port Address Translation (PAT) .” What is the command to switch back to single mode? # mode single What are di淜�erent types of NAT in ASA? Static NAT . It allows Bidirectional tra䖶�c initiation.A consistent mapping between a real and mapped IP address. What is the admin context? When the appliance boots up. shared interfaces do not have unique MAC addresses. not the destination address. The system area is used to create and manage the contexts.If only one context is associated with the ingress interface.11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker Interview Explain System area? When we boot up in multiple mode from the CLI. the ASA classi刍es the packet into that context. create VLANs for trunking. Dynamic NAT . then the interface MAC address is used as classi刍er.A real address is statically translated to itself. Any context can be made administrative context.net/entries/asa­firewall/asa­firewall­interview­questions­and­answers 7/10 . http://networkerinterview. 3.cfg. We can set the MAC addresses manually or we can automatically generate MAC addresses by # mac-address auto command. then the mapped addresses in our NAT con刍guration are used to classify packets. We can also optionally specify the source and destination ports. An “*” beside a context name indicates that the context is the administrative context. create resource classes to restrict the context system resource usage. Identity NAT . How ASA classi刍es packets? The packet that enters is to be processed by which context is classi刍ed by ASA as follows:- 1. In Dynamic NAT it is called as Dynamic Policy NAT. Regular NAT can only consider the source addresses. The 刍le is called “old_running. By default. What is Policy NAT? Policy NAT allows you to NAT by specifying both the source and destination addresses in an extended access list. One of the contexts on our appliance must be the administrative context.A group of real IP addresses are mapped to a (usually smaller) group of mapped IP addresses on a 刍rst come 刍rst served basis.Unique MAC Addresses .Unique Interfaces . we are taken into the system area.A group of real IP addresses are mapped to a single IP address using a unique source port of that IP address.If we do not use unique MAC addresses. What is the command to switch to multiple context Mode? # mode multiple After entering this command the appliance will reboot itself and our current con刍guration is automatically backed up to າ�ash in case we want to switch back to single mode. con刍gure the physical properties of the interfaces. Manual NAT considers either only the source address or the source and destination address while performing NAT.net/entries/asa­firewall/asa­firewall­interview­questions­and­answers 8/10 . Unlike Auto NAT that is con刍gured within an object. Manual NAT (Twice NAT) . Auto NAT is con刍gured within an object.Dynamic Policy NAT . Give NAT Order in terms of Auto NAT & Manual NAT? NAT is ordered in 3 sections.Static PAT 4. policy NAT etc.Static Identity NAT . Auto NAT is only used for Static or Dynamic NAT.Dynamic PAT What is the di淜�erence between Auto NAT & Manual NAT? Auto NAT (Network Object NAT) .Static Policy NAT .11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker Interview Give the order of preference between di淜�erent types of NAT? 1.NAT Zero . 2. Manual NAT is con刍gured directly from the global con刍guration mode. Section 1 – Manual NAT Section 2 – Auto NAT Section 3 – Manual Nat After-Auto What are the command to see NAT Translations? # sh xlate # sh nat   What is the command to see both NAT Table and Connection Table? # sh local-host   Buy VPN & ASA Firewall Interview Questions and Answers Pdf ­ 3 $ http://networkerinterview.Static NAT .Static NAT .Dynamic NAT .Nat exemption. So.It only considers the source address while performing NAT.Dynamic NAT . 3.Existing translation in Xlate. It can be used for almost all types of NAT like NAT exempt. net/entries/asa­firewall/asa­firewall­interview­questions­and­answers 9/10 . Thanks for sharing Comment Name: E-mail : Website : http://networkerinterview.. pls post for check point & juniper as well sujeet 5 Awesome.11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker Interview Click for Preview Go Back 6 comments   ASA Firewall   Cisco asa 刍rewall cisco asa 刍rewall nameif asa failover transparent 刍rewall dmz server asa 刍rewall nat stateful 刍rewall asa tcp າ�ags asa security context asa activestandby failover asa activeactive failover asa statefull failover asa manual nat asa auto nat asa 刍rewall notes Share Jitendra Yadav 1 Its really amazing webside..... plz keep post good thing on this portal mandeep kumar 2 it is Awesome!!! Ashim 3 for study Janardan 4 very good site. thanks for sharing Dilip 6 Awesome book. 11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker Interview Comment: Submit Contact us    About us    Privacy Policy Give your valuable suggestions and feedback through comments Copyright © Networker Interview. http://networkerinterview. All rights reserved.net/entries/asa­firewall/asa­firewall­interview­questions­and­answers 10/10 .
Copyright © 2024 DOKUMEN.SITE Inc.