Chapter Review

This chapter covered the basic commands and techniques for the initial configuration of a PIX Firewall. Six commands make up that initial configuration:

  • The nameif command

  • The interface command

  • The ip address command

  • The nat command

  • The global command

  • The route command
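
As an added example (not from the original chapter), the six commands applied together to a three-interface PIX running 6.x software. The interface names, security levels and addresses are assumptions chosen for illustration (192.0.2.0/24 stands in for the ISP-assigned block); lines beginning with a colon are PIX configuration comments.

```text
: --- 1. nameif: name each interface and assign its security level (0-100)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
: --- 2. interface: set speed/duplex; this is also what brings the port up
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
: --- 3. ip address: one address per named interface
ip address outside 192.0.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
: --- 4. nat: which inside hosts may be translated (NAT ID 1)
nat (inside) 1 192.168.1.0 255.255.255.0
: --- 5. global: the outside pool NAT ID 1 maps to, plus a single PAT
:     address that is used once the pool is exhausted
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
global (outside) 1 192.0.2.21
: --- 6. route: default route toward the ISP gateway (metric 1)
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

Verify with show interface (each interface should report up), show nat and show global, then save with write memory. Nothing here permits inbound connections: traffic from a lower security level to a higher one still needs a static plus an access-list (or a conduit on older releases), which is why conduit is not among the six.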

Network Time Protocol (NTP) is an Internet standard protocol for synchronizing the clocks of network devices and computers; it is typically accurate to within a millisecond on a LAN and to within tens of milliseconds across a WAN. You learned about the Cisco NTP implementation, which lets a PIX Firewall synchronize with an established NTP time server so that events and processes can be coordinated and correlated when system logs are created and other time-dependent events occur.

The PIX Firewall syslog message facility is a useful means to view and store troubleshooting messages and to watch for network events such as attacks and denial-of-service conditions. The logging commands specify how system messages are handled and how the firewall works with a syslog server to provide reliable logging of PIX activities and processes.
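
An added example (not the chapter's own configuration) that combines the NTP settings and the syslog settings described in the two paragraphs above, so that logged events carry correct timestamps that can be correlated with other systems. The server addresses, key number and key string are assumptions; the key string in particular is a placeholder to replace.

```text
: NTP: authenticated synchronization to an internal time server
ntp authentication-key 9146 md5 HopeThisWorks
ntp authenticate
ntp trusted-key 9146
ntp server 192.168.4.2 key 9146 source inside prefer
: Time zone so that log timestamps are shown in local time
clock timezone EST -5
clock summer-time EDT recurring
: Syslog: send levels 0-5 (emergencies through notifications) to a
: UDP collector on the inside network, with timestamps on each message
logging on
logging timestamp
logging host inside 192.168.1.20
logging trap 5
: Keep a local buffer at debugging level for troubleshooting, and keep
: the console quiet; console logging slows the firewall noticeably
logging buffered 7
no logging console
```

show ntp status reports whether the clock is synchronized and at which stratum, show ntp associations lists the configured servers, and show logging shows the logging settings and the buffer. At trap level 5 the URL-access message of question 8 is sent; raising it to 6 also sends FTP command messages, at the cost of volume. The collector above is reached over UDP (the default); logging host inside 192.168.1.20 tcp/1470 would switch to TCP, with the consequence noted in question 9 that new connections are blocked while the collector is unreachable.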

You also learned that the option to configure the firewall as a DHCP client is useful for cable and DSL connections in small offices and SOHO deployments. The ability to act as a DHCP server, supplying critical network configuration information to host devices, is another strong feature of the product line, particularly on the smaller platforms.
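
An added example (not from the chapter) of the SOHO arrangement described above: the outside interface obtains its address from the ISP as a DHCP client, and the PIX serves addresses to the inside LAN while passing on the DNS, WINS and domain-name values it learned. The address range and lease time are assumptions.

```text
: DHCP client: on PIX 6.x only the outside interface can use it;
: setroute installs the default route learned from the ISP
ip address outside dhcp setroute
: DHCP server for the inside LAN (the pool must lie in the inside subnet)
dhcpd address 192.168.1.6-192.168.1.254 inside
dhcpd lease 3600
: Hand out the DNS, WINS and domain name learned by the outside DHCP
: client; explicit dhcpd dns / dhcpd wins / dhcpd domain entries, if
: configured, take precedence over the learned values
dhcpd auto_config outside
dhcpd enable inside
```

show ip address outside dhcp shows the lease obtained on the outside interface, and show dhcpd binding lists the addresses handed out on the inside. If the ISP's DNS servers are not wanted on the LAN, replace auto_config with explicit dhcpd dns and dhcpd wins entries.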

Questions

1.

Which one of the following is not one of the six basic commands for initial PIX Firewall configuration?

  A. The ip address command

  B. The nat command

  C. The route command

  D. The conduit command

2.

Which of the following commands would bring up (enable) a properly configured interface?

  A. no shutdown

  B. nameif ethernet2 dmz sec50

  C. interface e0 auto

  D. ip address outside 1.1.1.1 255.255.255.0

3.

Which of the following firewall commands would allow a LAN host to successfully ping an Internet site?

  A. icmp permit any echo-reply outside

  B. icmp permit any echo-reply inside

  C. Both would be required

  D. None of the above

4.

Which command generated the following output?

1: Outbound ICMP echo request (len 32 id 7 seq 1004) 192.168.1.2 >
172.16.1.78 > 172.16.4.50
2: Inbound ICMP echo reply (len 32 id 26 seq 1004) 172.16.4.50 >
172.16.1.78 > 192.168.1.2

  A. show icmp

  B. show icmp traffic

  C. show icmp trace

  D. debug icmp trace

5.

Which one of the following is not true about Network Time Protocol (NTP)?

  A. It's an Internet standard protocol.

  B. It's based on Coordinated Universal Time (UTC).

  C. Cisco Firewalls support all NTP stratum levels.

  D. NTP devices are organized into associations.

6.

Which command enables NTP authentication on a PIX Firewall?

  A. ntp authentication-key 9146 md5 HopeThisWorks

  B. ntp authenticate

  C. ntp trusted-key 9146

  D. ntp server 192.168.4.2 key 9146 source inside prefer

7.

Which command shows the NTP configuration?

  A. show ntp config

  B. show ntp status

  C. show ntp associations

  D. show ntp

8.

Which logging level would need to be set to capture the following output?

%PIX-5-304001: user 192.168.1.10 accessed URL 192.168.4.5/pr_sjones.gif

  A. 1

  B. 3

  C. 4

  D. 5

9.

Which of the following will stop UDP-based logging?

  A. The PIX Firewall is unable to reach the syslog server.

  B. The syslog server is misconfigured.

  C. The disk on the syslog server is full.

  D. None of the above.

10.

Which PIX Firewall interface does the DHCP client default to?

  A. Inside

  B. Outside

  C. DMZ

  D. No default. It can be enabled anywhere.

11.

Which of the following is not a PIX Firewall dhcpd command?

  A. dhcpd address 192.168.1.6-192.168.1.254

  B. dhcpd dns 192.168.100.5 192.168.101.5

  C. dhcpd wins 192.168.100.5

  D. dhcpd ftp 192.168.100.5

  E. dhcpd enable

12.

Which command specifies a syslog server for logging messages?

  A. logging trap

  B. logging history

  C. logging on

  D. logging host

13.

For the command pix(config)#logging trap 4, what severity levels will be logged?

  A. Level 4

  B. Levels 4 through 7

  C. Levels 1 through 4

  D. Levels 0 through 4

14.

What severity level must be trapped to get FTP commands and WWW URLs?

  A. 3

  B. 5

  C. 6

  D. 7

15.

Where does the dhcpd auto_config command get its source information?

  A. Firewall configuration

  B. CDP packets

  C. DHCP server service

  D. DHCP client service

Answers

1.

D. The conduit command. This is an older command (superseded by access-list in later releases) and would come after basic configuration to create exceptions to the default security-level behavior.

2.

C. interface e0 auto. On the PIX, the interface command (with a speed setting or auto) is what enables a port; no shutdown is IOS syntax and is not a PIX 6.x command.

3.

D. None of the above. The icmp command controls only ICMP traffic addressed to the firewall's own interfaces, not traffic passing through the device. The echo replies to a ping that originated inside must be permitted inbound on the outside interface with an access-list (or a conduit on older releases).

4.

D. debug icmp trace. This is debug output rather than a show command; turn it off with no debug icmp trace when troubleshooting is finished.

5.

C. Cisco Firewalls support all NTP stratum levels. PIX Firewalls synchronize as clients to a configured NTP server and do not support stratum 1.

6.

B. ntp authenticate. This command turns on NTP authentication; the ntp server command names the time source, and the ntp authentication-key and ntp trusted-key commands define the key that ntp authenticate enforces.

7.

D. show ntp. By contrast, show ntp status reports the synchronization state and show ntp associations lists the configured servers.

8.

D. 5. The number after PIX indicates the level: %PIX-5-304001.

9.

D. None of the above. UDP syslog is connectionless, so the PIX keeps sending regardless of what happens at the server. Each situation will stop TCP-based logging, and while a TCP syslog server is unreachable the PIX by default also stops accepting new connections.

10.

B. Outside. In PIX 6.x the DHCP client can be enabled only on the outside interface (ip address outside dhcp).

11.

D. dhcpd ftp 192.168.100.5

12.

D. logging host

13.

D. Levels 0 through 4. logging trap sets the maximum severity level sent to the syslog server; that level and everything more severe (lower numbers) is logged.

14.

C. 6

15.

D. DHCP client service. dhcpd auto_config outside passes the DNS, WINS and domain-name values learned by the DHCP client on the outside interface to the DHCP server on the inside interface.




Part III: Virtual Private Networks (VPNs)