Stateful inspection
Application inspection
Packet filtering
URL filtering
Transparent firewall (implementation method)
Support for virtual routing and forwarding (VRF)
ACLs are not required as a filtering method to implement policy
d. A policy map is evaluated top to bottom against its class maps, and the first class map that matches the traffic decides the action. If no user-defined class map matches, the traffic falls into class-default, whose default action is drop (the implicit deny). The only zone without this implicit deny is the self zone: traffic to or from the router itself is permitted unless a zone pair with a policy explicitly governs it.
Table 13-2 Policy Map Actions
Policy Action | Description | When to Use It
Inspect | Permit and statefully inspect the traffic | Transit traffic that expects a reply (TCP, UDP and ICMP sessions started by users), so that the return traffic is allowed by the stateful entry
Pass | Permits/allows the traffic but does not create an entry in the stateful database | Traffic that does not need a reply. Also, for protocols that do not support inspection, this action can be applied to the zone pair for specific outbound traffic and to a second zone pair for the inbound traffic
Drop | Drops the traffic | Traffic you do not want to allow between the zones where this policy map is applied
Log | Logs the packets dropped by the policy (added to the drop action) | If you want to see log information about packets that were dropped because of policy, you can add this option
5. Service Policies
Table 13-3 Traffic Interaction Between Zones
Ingress Interface Member of Zone | Egress Interface Member of Zone | Zone Pair with Policy Applied | Result
No | No | n/a | Traffic is forwarded
No | Yes (zone A), or the reverse | n/a | Traffic is dropped
Yes (zone A) | Yes (zone A) | n/a | Traffic is forwarded
Yes (zone A) | Yes (zone B) | No | Traffic is dropped
Yes (zone A) | Yes (zone B) | Yes | Policy is applied. If the policy is inspect or pass, the initial traffic is forwarded; if the policy is drop, the initial traffic is dropped
Self | Zone A | No | Traffic is passed
Zone A | Self | No | Traffic is passed
Self | Zone A | Yes | Policy is applied
Zone A | Self | Yes | Policy is applied
2. Select the interfaces and mark which of them are trusted (inside) and which are untrusted (outside).
3. Interfaces not assigned to a zone cannot pass traffic to, or between, interfaces assigned to a zone.
4. If CME (Cisco Unified Communications Manager Express) applies, click Yes to allow CME traffic through the firewall; otherwise click No.
5. This step indicates that the untrusted interface cannot be used to reach the router's management plane through that particular interface (or interfaces).
6. This step asks which security level you want to implement. Details about them:
a. High Security: the firewall identifies and drops instant-messaging and peer-to-peer traffic. It performs application inspection for web and email traffic and drops non-compliant traffic. It performs generic inspection of TCP and UDP applications.
b. Medium Security: similar to High Security, but web and email traffic is not checked for protocol compliance.
c. Low Security: the router performs no application inspection; it performs generic TCP and UDP inspection only.
8. After clicking Next, you get a summary of the features that will be implemented.
9. Below are the commands that CCP issued to configure your zone-based firewall policy.
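The commands CCP generated are not reproduced on this page. The following is an added, hand-written IOS configuration (not the wizard's output and not code from the original page) that builds the same pieces discussed above and in Tables 13-2 and 13-3: two security zones plus the default self zone, match-any class maps, policy maps whose classes are evaluated top to bottom with inspect, pass and drop log actions and an implicit drop in class-default, zone pairs in both directions, and a zone pair that restricts what the untrusted interface can send to the router's management plane. The interface names, the addresses and port names in the access lists, and every name carrying the ZBF- prefix are assumptions.

```cisco
! Added example, not the CCP wizard output. Interface names, the ZBF- names
! and the access-list contents are assumed for illustration.
!
! Zones. The self zone (the router itself) exists by default and is never created.
zone security INSIDE
zone security OUTSIDE
!
! Protocols ZBF cannot inspect (site-to-site IPsec): handled with pass.
ip access-list extended ZBF-ACL-IPSEC
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
! The only traffic the untrusted side may send to the router itself.
ip access-list extended ZBF-ACL-TO-SELF
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any echo
!
! Class maps (type inspect). match-any: the class matches if any entry matches.
class-map type inspect match-any ZBF-CM-P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
class-map type inspect match-any ZBF-CM-IPSEC
 match access-group name ZBF-ACL-IPSEC
class-map type inspect match-any ZBF-CM-GENERIC
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any ZBF-CM-TO-SELF
 match access-group name ZBF-ACL-TO-SELF
!
! Inside -> outside. Classes are evaluated top to bottom and the first match wins,
! so the P2P drop must sit above the generic TCP/UDP inspect or it never fires.
policy-map type inspect ZBF-PM-IN-OUT
 class type inspect ZBF-CM-P2P
  drop log
 class type inspect ZBF-CM-IPSEC
  pass
 class type inspect ZBF-CM-GENERIC
  inspect
 class class-default
  drop log
!
! Outside -> inside. No inspect here: replies to inspected inside->outside sessions
! are allowed by the stateful entry, not by this policy. pass is stateless and
! one-directional, so the IPsec pass is repeated for the return direction.
policy-map type inspect ZBF-PM-OUT-IN
 class type inspect ZBF-CM-IPSEC
  pass
 class class-default
  drop log
!
! Outside -> self. Without this zone pair, traffic to the router is permitted by
! default (Table 13-3); with it, only the ZBF-ACL-TO-SELF protocols get through.
policy-map type inspect ZBF-PM-OUT-SELF
 class type inspect ZBF-CM-TO-SELF
  pass
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect ZBF-PM-IN-OUT
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect ZBF-PM-OUT-IN
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect ZBF-PM-OUT-SELF
!
! Zone membership. An interface in no zone cannot exchange traffic with one in a zone.
interface GigabitEthernet0/0
 description INSIDE (trusted)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description OUTSIDE (untrusted)
 zone-member security OUTSIDE
!
! Verification
! show zone-pair security
! show policy-map type inspect zone-pair IN-TO-OUT
! show policy-map type inspect zone-pair sessions
```

The class order in ZBF-PM-IN-OUT is the point of item d above: move ZBF-CM-P2P below ZBF-CM-GENERIC and BitTorrent over TCP is inspected and allowed instead of dropped. The drop log on class-default is what produces the log information from Table 13-2. Two caveats: OUT-TO-SELF also governs the replies to traffic the router itself originates (NTP, DNS, syslog, its own pings), so unless those replies are added to ZBF-ACL-TO-SELF they are dropped by class-default; and older IOS releases allow only pass and drop, not inspect, in policies applied to the self zone.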
1. To edit and verify using CCP, go to Configure > Security > Firewall > Firewall and click Edit.
2. If you use a DMZ with a server that must be reachable from the outside, you would use Advanced NAT; the following examples use Basic NAT.
3. Launch the selected task.
4. Select the outside interface, and then check the networks you want translated.
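The commands behind the wizard's Basic NAT choice are not shown on the page. The following is an added, hand-written equivalent (not the CCP output): NAT overload, that is PAT, of the checked inside networks onto the outside interface address, with the verification command the review questions refer to. Interface names, addresses and the NAT-INSIDE access-list name are assumptions.

```cisco
! Added example, not the CCP wizard output. Interfaces, addresses and the
! NAT-INSIDE access-list name are assumed for illustration.
!
interface GigabitEthernet0/0
 description INSIDE (trusted)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 description OUTSIDE (untrusted)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! The networks checked in the wizard: only these sources are translated.
ip access-list standard NAT-INSIDE
 permit 10.1.0.0 0.0.255.255
!
! overload = PAT: many inside hosts share the single outside interface address,
! distinguished by source port. Without overload, one inside host would hold the
! address until its translation timed out.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! Verification
! show ip nat translations
! show ip nat statistics
```

A DMZ server that must be reachable from outside, the case the page reserves for Advanced NAT, needs a static mapping in addition to this (ip nat inside source static with the server's inside and outside addresses). The zone-based firewall still applies: a static translation makes the server routable from the outside, it does not open the OUTSIDE-to-INSIDE zone pair, whose policy must pass or inspect that traffic explicitly.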
1. Which zone is implied by default and does not need to be manually created?
a. Inside
b. Outside
c. DMZ
d. Self
2. If interface number 1 is in zone A, and interface number 2 is in zone B, and there is no
policy or service commands applied yet to the configuration, what is the status of
transit traffic that is being routed between these two interfaces?
a. Denied
b. Permitted
c. Inspected
d. Logged
3. When creating a specific zone pair and applying a policy to it, policy is being
implemented on initial traffic in how many directions?
a. 1
b. 2
c. 3
d. Depends on the policy
4. What is the default policy between an administratively created zone and the self zone?
a. Deny
b. Permit
c. Inspect
d. Log
5. What is one of the added configuration elements that the Advanced security setting has
in the ZBF Wizard that is not included in the Low security setting?
a. Generic TCP inspection
b. Generic UDP inspection
c. Filtering of peer-to-peer networking applications
d. NAT
6. Why is it that the return traffic, from previously inspected sessions, is allowed back to
the user, in spite of not having a zone pair explicitly configured that matches on the
return traffic?
a. Stateful entries (from the initial flow) are matched, which dynamically allows
return traffic
b. Return traffic is not allowed because it is a firewall
c. Explicit ACL rules need to be placed on the return path to allow the return traffic
d. A zone pair in the opposite direction of the initial zone pair (including an applied
policy) must be applied for return traffic to be allowed
7. What does the keyword overload imply in a NAT configuration?
a. NAT is willing to take up to 100 percent of available CPU
b. PAT is being used
c. NAT will provide best effort but not guaranteed service, due to an overload
d. Static NAT is being used
8. Which of the following commands shows the current NAT translations on the router?
a. show translations
b. show nat translations
c. show ip nat translations
d. show ip nat translations
Table (CSD supported operating systems and features; title not on page)
Columns: Operating System | Cache Cleaner (32-bit browsers only) | Keystroke Logger Detection | Host Emulation Detection
Operating systems listed:
Windows XP SP2 x64 (64-bit)
Windows XP SP2 and SP3 x86 (32-bit)
Windows Vista x86 (32-bit) and x64 (64-bit): the three "X, requires KB935855" marks follow this entry, one per feature column
Windows 7 x86 (32-bit) and x64 (64-bit)
Windows Mobile 6.0, 6.1, 6.1.4 and 6.5
Mac OS X 10.6, 10.6.1, 10.6.2 x86 and x64
Mac OS X 10.5.x x86 and x64
Red Hat Enterprise Linux 3 x86 and x64 biarch
Red Hat Enterprise Linux 4 x86 and x64 biarch
Fedora Core 4 and later x86 and x64 biarch
Ubuntu
(The remaining support marks in the feature columns are not present on the page.)
Table 13-3 CSD Privilege Levels Required for Installation with AnyConnect Client
Installation Method | Administrative Privileges Required?
AnyConnect Client Installed | No
AnyConnect Client and CSD Installed Together | Yes
Executable File | Yes
Key terms: zones, zone pairs, class map type inspect, policy map type inspect, service policy, stateful inspection, PAT
Command | Description
class-map type inspect match-any MY-CLASS-MAP | Create a ZBF-related class map that matches if any of its entries is a match
policy-map type inspect MY-POLICY-MAP | Create a ZBF-related policy map that applies an action (inspect, pass, drop) to the traffic matched by its class maps