Zone-based Firewall SDM Simlet
Instructions
To access the Cisco Router and Security Device Manager (SDM) utility, click on the console host icon that is connected to an ISR router. You can click on the grey buttons below to view the different windows.
Each of the windows can be minimized by clicking on the [-]. You can also reposition a window by dragging it by the title bar.
The “Tab” key and most commands that use the “Control” or “Escape” keys are not supported and are not necessary to complete this simulation.
(Note: If you don’t understand how Zone-Based-Firewall works, check out my article at http://www.securitytut.com/ccna-security-knowledge/cisco-ios-zone-based-firewall-tutorial/)
(Notice: the access list, class-map, policy-map, zones, zone-pair… in the real exam might be different!)
Question 1
Which two options correctly identify the associated interface with the correct security zone? (Choose two)
A. FastEthernet0/1 is associated to the “out-zone” zone.
B. FastEthernet0/0 is associated to the “in-zone” zone.
C. FastEthernet0/0 and 0/1 are associated to the “self” zone.
D. FastEthernet0/0 and 0/1 are associated to the “in-zone” zone.
E. FastEthernet0/0 and 0/1 are associated to the “out-zone” zone.
F. FastEthernet0/0 and 0/1 are not associated to any zone.
Answer: A B
Explanation
Under the Additional Tasks, click on the Zones group. In the box on the right we can see that FastEthernet0/0 is assigned to the in-zone and FastEthernet0/1 is assigned to the out-zone.

(Notice: In the real exam, you might see more zones than shown in the image above)
Question 2
Which statement is correct regarding the “sdm-permit” policy map?
A. Traffic not matched by any of the class maps within that policy map will be inspected.
B. Traffic matching the “sdm-access” traffic class will be inspected.
C. Traffic matching the “SDM_CA_SERVER” traffic class will be dropped.
D. That policy map is applied to traffic sourced from the “self” zone and destined to the “out-zone” zone.
Answer: B or C
Explanation
A is not correct because there is a default class-map at the end of this policy map named “class-default”. This class-map drops all traffic that is not matched by the SDM_CA_SERVER class-map (it works in the same way as the implicit “deny all” line at the end of each access list). Therefore traffic not matched by any of the class maps within that policy map will be dropped.
D is not correct because the policy map is applied from the source “out-zone” to the destination “self”.
We don’t have enough information about the correct answer yet; hopefully someone will describe this question clearly after taking the exam.
Question 3
Which three protocols are matched by the “sdm-cls-insp-traffic” class map? (Choose three)
A. sql-net
B. pop3
C. l2tp
D. ftp
Answer: A B D
Explanation
Click on the C3PL\Class Map\Inspection group and click on the sdm-cls-insp-traffic line in the upper right box to see which protocols are matched by the “sdm-cls-insp-traffic” class map.

Question 4
Within the “sdm-permit” policy map, what is the action assigned to the traffic class “class-default”?
A. inspect
B. pass
C. drop
D. police
Answer: C
Explanation
Under the C3PL\Policy Map\Protocol Inspection group we can see the policy maps, the class-maps each one contains and the action assigned to each class-map.

Question 5
Which policy map is associated to the “sdm-zp-in-out” security zone pair?
A. sdm-permit-icmpreply
B. sdm-permit
C. sdm-inspect
D. sdm-insp-traffic
Answer: C
Explanation
There are 2 places where you can get information about the policy map associated to the “sdm-zp-in-out” security zone pair:
+ At the “Home” tab (you might have to click the button there to see the Firewall policies)

+ At the Zone-pair group in the Additional Tasks

Question 6
Within the “sdm-inspect” policy map, what is the action assigned to the traffic class “sdm-invalid-src”, and which traffic is matched by the traffic class “sdm-invalid-src”? (Choose two)
A. traffic matched by ACL 105
B. traffic matched by the nested “sdm-cls-insp-traffic” class map
C. drop/log
D. traffic matched by ACL 104
Answer: A C
Explanation
Under the “Firewall and ACL” tab, find the “sdm-inspect” policy map; we can see that access list 105 is used by this policy map. We can also see the action assigned to the traffic class “sdm-invalid-src” (drop/log).

Notice that the access list number can also be seen in the C3PL\Class Map\Inspection group and the drop/log action can be seen in the C3PL\Policy Map\Protocol Inspection group.
(Reference: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1063104)
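To see how the SDM windows used in the six questions correspond to the router configuration, here is an added, constructed IOS Zone-Based Firewall configuration (not taken from the page or from any SDM-generated config). The zone, zone-pair, class-map and policy-map names and ACL 105 follow the page; the ACL entries, the match criteria of SDM_CA_SERVER and sdm-access, and the out-zone-to-self zone-pair name are assumptions.

```ios
! Constructed example: IOS ZBF configuration behind the SDM views above
! Q1: security zones and interface membership
zone security in-zone
zone security out-zone
interface FastEthernet0/0
 zone-member security in-zone
interface FastEthernet0/1
 zone-member security out-zone
!
! ACL 105 (entries assumed): packets with invalid source addresses
access-list 105 permit ip host 255.255.255.255 any
access-list 105 permit ip 127.0.0.0 0.255.255.255 any
! Q3: protocols matched by sdm-cls-insp-traffic (only the three from the question)
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol sqlnet
 match protocol pop3
 match protocol ftp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
! Q6: sdm-invalid-src matches ACL 105 (the exam may use ACL 104 instead)
class-map type inspect match-all sdm-invalid-src
 match access-group 105
! Classes used by sdm-permit (match criteria assumed; ACL 100 not shown)
class-map type inspect match-all SDM_CA_SERVER
 match protocol http
class-map type inspect match-all sdm-access
 match access-group 100
!
! Q5/Q6: sdm-inspect, applied on the in-zone -> out-zone pair
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class class-default
  drop
! Q2/Q4: sdm-permit, applied out-zone -> self; class-default drops what is unmatched
policy-map type inspect sdm-permit
 class type inspect SDM_CA_SERVER
  inspect
 class type inspect sdm-access
  inspect
 class class-default
  drop
!
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
```

On a real router, show zone-pair security and show policy-map type inspect zone-pair display the same zone-pair to policy-map bindings and per-class actions that the SDM windows show.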
Hi all
The correct answer in question 2 is B: Traffic matching the “sdm-access” traffic class will be inspected.
It’s just that the screenshot here showing the “sdm-permit” policy map is slightly different than the one I had today on the exam (the sdm-access class map is missing here). That policy should be like this:
Match Class Name Action
SDM_CA_SERVER Inspect
sdm-access Inspect
class-default Drop
Hope that helps
For Q2 I think it depends on what class-map has been assigned to that policy.
So by going to Policy Map and then selecting sdm-permit we can see the matched class names associated with the sdm-permit policy, and beside each match class name we see the action that will be taken.
So I think it depends on whether the question has sdm-access or SDM_CA_SERVER in the policy’s matched classes.
By default, when we create the SDM basic firewall (medium), the
sdm-permit policy comes with the classes sdm-access, sdm-VOICE and sdm-default.
And by the way, when we look at Q4 we can see the
sdm-permit policy has the following:
Match Class Name -> SDM_CA_SERVER Action -> Inspect
If Q2 comes with the same information as Q4, I think the best answer will be option 3.
best regards
Hi guys,
I passed the exam an hour ago with a score of 1000/1000.
I also had question 2 in my exam. The description by “andrus” is completely correct.
If you go to “C3PL/Policy Map/Protocol Inspection” and choose “sdm-permit”, you will see the following “Match Class Name” and “Action”:
SDM_CA_SERVER Inspect
sdm-access Inspect
class-default Drop
Based on the above information, the action on traffic matching the “SDM_CA_SERVER” traffic class is “inspect”, not “drop”. Therefore answer C is wrong.
The correct answer is B. Traffic matching the “sdm-access” traffic class will be inspected.
You are right @youssef; based on the information you give, B is the correct answer. Congratulations on passing with a full score.
What about question 6? Some places say the answer is A & B?
Confirming that the answer is sdm-access. Scored 1000; all the rest are the same!
I passed today with 1000/1000 and confirm that for question 2 answer B is right. For the Zone-based Firewall SDM lab the answers are incorrect and you need to know how to navigate the SDM to find the right answer. I recommend using Dynamips to practice.
Sorry for my bad English; it is not my native language.
I found another way to find the answer for Question 6, in 2 steps:
1. Under C3PL -> Policy Map -> Protocol Inspection click “sdm-inspect” and check below under “Match Class Name”: for “sdm-invalid-src” the action is Drop/Log.
2. Click Class Map -> Inspection, scroll down and click “sdm-invalid-src” under the Inspect class window and look below in the details of the class map window: “Match ACL 105” (this may be different).
Hope this would help everybody taking the test.
cheers
I can confirm without a doubt that the correct answer to Q2 is B. This is in the scenario where “C3PL/Policy Map/Protocol Inspection” -> “sdm-permit” shows:
SDM_CA_SERVER Inspect
sdm-access Inspect
class-default Drop
If you have other info, simply evaluate your options in each answer. However, in the presented scenario and the one I encountered in my exam yesterday it was B. The rest of the questions and answers were also identical.
I have a doubt about the following question:
Select two protocols from the following to enable Cisco SDM to pull IPS alerts from a Cisco ISR router.
Options in P4S: tftp, sdee, ssh, https
Options in TIS: syslog, sdee, ftp, tftp, ssh, https
The first column of options is from P4S and the second from TIS. The answer they have given is sdee and https. I think sdee and syslog. Any suggestion?
Can anyone tell me whether we have three labs in CCNA Security?
Zone-based firewall through SDM, site VPN through SDM, and port security.
Please email me any CCNA Security material: polarbuzzard@yahoo.com
Thanks a lot
Kuru,
The key element of that question is “PULL” IPS alerts. In order to pull IPS you need to use SDEE which requires either http or https to be enabled on the router. This information is found on page 482 of the IINS Cisco Press book.
Thank you for your response.
Hi 9tut & friends
If you have any source for the CCSP track like CCNA, CCNA Security, kindly provide the link.
Also any sim.
Still good. 988/1000.
Hi SecurityTut
I just passed the exam, thanks to all at securitytut. As Andrus mentioned, the answer to question 2 is B, because I had it, and in that part I got 100%. But my advice for you all is to check the answers for drag and drop, especially IKE 1 & 2. Beware of the following questions:
130/137 is wrong; the same question, 56/137, is the correct one
and
133/137 is wrong; the same question, 89/137, about attack mitigation is the correct one.
I mean the answers are wrong; you can exchange them with those I mentioned.
That’s all I observed. For any assistance you can ask me:
ahmd_noraldeen@yahoo.com
Thanks a lot again, best wishes to all
Question 2. B is correct since the action “permit Firewall” = the command inspect.
Kuru
Syslog does not pull events from the router; it only receives them.
SDEE and HTTPS is correct.
For the exam, is the site VPN with SDM done on a lab or via screenshots as it appears here? Please let me know.
Do you know if there is any Juniper JN0-532 JNCIS web site?
Hi guys, where can I get CCNA Security dumps? Can someone provide me the latest dumps? Thanks
@limat
Give me your email id and I will forward them to you!!
@Raxa – Can you supply me with dumps please: sb1mpo@hotmail.com
@Raxa – Here is my email id, please send me the latest dumps of CCNA Security. I will be thankful to you. I have my exam on 3rd June 2011.
spyofhearts88@yahoo.com
Thanks.
@Raxa – Can you please mail it to me too at skrocks22@gmail.com? It will be a great help! Giving my exam on Monday 30th. Thank you
Hi, I am GURUPRASAD.GAIKWAD
I PASSED THE CCNA SECURITY WITH 977 MARKS; DUMPS STILL VALID
gaikwad.1984@gmail.com
I have the CCNA Security exam next week. Can you please forward me the latest dumps of CCNA Security? It will be a great help.
My email id is rsrdreams@gmail.com
Great Thanks,
Sujal
Posting again …
Hi, I need the dumps. Can you please mail me … rsrdreams@gmail.com
Thanks,
Sujal
@Anonymous or anyone who has dumps / practice exams, please email me: ccnp2020@gmail.com. Thanks in advance
Please, anyone with a valid/latest dump, help me. I want to do the exam next week.
My email: eunicezawadi@yahoo.com
Thanks.
These dumps are very good. I just passed my exam today with a total score of 988/1000.
Thanks guys.
Hi MOH, can you please send me the dumps as well? I have the exam in 3 days. Thanks in advance ..
Please mail me … rsrdreams@gmail.com
Are the questions on this site the same as the real exam concerning this sim?
Hi guys, where can I get CCNA Security (IINS-640-553) dumps? Can someone send me the latest dumps? Thanks a lot!!! Please send them to this email: neomeds@yahoo.com
I took this test last week and passed. I used Train Signal and Sybex books. I also looked over the info here just to see what is on the test. Train Signal was really great.
I’ve got 1000 today. For Q2, B is the right answer..
Please, anyone tell me which questions I should read or which Pass4Sure, because I want to do the exam as soon as possible: almagdob2002@yahoo.co.uk
Hi everyone,
I’m going to take this exam. Anyone have the latest dump? Please share it with me, thanks in advance.
My email address: nguyenphong0612@gmail.com
Hi all,
Same here, doing the test in a couple of weeks, so any latest dump would be a great help!
My email – neilrhood@hotmail.com
Just cleared my exam, scored 1000 xD .. All the very best to all.. The dumps are still valid
Hi everyone,
I just want to know, in the real exam do I have to do it practically or will it be like here in screenshots? Please reply, I’m writing my exam tomorrow.
Please assist me with the latest dump for 640-553. My email is mamakola@hotmail.com. Thanks
Mail me at if.then.but@gmail.com for the latest dumps
For drag and drop, can answers be placed in any order?
Dear all members
I want to take the CCNA Security exam next week; kindly send me the latest dumps.
Thanks in advance for your kind help
asif_majeed22@yahoo.com
For abhi: You cannot place the answers in any order. You have to place the answers in the order that they appear, from first to last..
I keep trying to configure the SDM on GNS3 but for a week I have had the same result: when the SDM starts loading it shows “Please wait while sdm is loading the current configuration from your router. Discovering router hardware attributes.”
So now I’m looking for somebody who could help me set up a virtual lab on my machine, or provide remote login, for some PayPal donation.
Please contact me if you have some free time for some money; contact me at keleny@gmail.com
Thanks,
Attila
sorry the correct email is kelenyi@gmail.com
Dear all members
I want to take the CCNA Security exam next week; kindly send me the latest dumps.
faisaladnan83@gmail.com
Thanks
In question 6 they changed the ACL number, so be aware!
Hi friends, tomorrow I’m going to take my exam. I need some advice to clear the exam; send me some latest dumps: MANOJTHEKING007@GMAIL.COM
I have the exam the day after tomorrow. Can anyone tell me about changes in the exam?? :(
Hi
I have to take the CCNA Security exam next week; kindly send me the latest dumps. Thank you in advance.
nasir4tech@yahoo.com
@Nasir,
Can you post your experience if you have completed your exam???
Perfect site .... passed 100%
Hello ,
Could someone please share a link to download the Train Signal videos for CCNA Security? Also please share the latest dumps too. Thank you. My email id is austinmas@gmail.com .. Any help is highly appreciated …
Austin
Hello Guys,
Passed the exam with a full score of 1000/1000. The change I have observed in this simulation is Q6:
Within the “sdm-inspect” policy map, what is the action assigned to the traffic class “sdm-invalid-src”, and which traffic is matched by the traffic class “sdm-invalid-src”? (Choose two)
A. traffic matched by ACL 105
B. traffic matched by the nested “sdm-cls-insp-traffic” class map
C. drop/log
D. traffic matched by ACL 104
The correct option is now changed to ACL 104 as per my exam. I chose options C and D and got full marks.. Please go through the simulation in the exam carefully before answering this question.
Another suggestion is to please be careful while answering drag and drop:
even though you select the correct options, if you drop the options in the incorrect order then there is a chance of the question being marked wrong.. Please check the order for the drag and drop also..
I am making these suggestions out of experience.. If anyone wants to add, you can.
Love you 9tut……..
Bye
I have been looking at the different solutions for question 2, but the only valid option is “D”:
Which statement is correct regarding the “sdm-permit” policy map?
A. Traffic not matched by any of the class maps within that policy map will be inspected.
B. Traffic matching the “sdm-access” traffic class will be inspected.
C. Traffic matching the “SDM_CA_SERVER” traffic class will be dropped.
D. That policy map is applied to traffic sourced from the “self” zone and destined to the “out-zone” zone.
Simple really, if you look:
+ At the “Home” tab
you can clearly see that the policy map is applied to traffic sourced from the self zone to the out zone.
Ah oops, sorry, I can see they switched them.
Can someone send me the latest dump please: pappie_kay@yahoo.co.uk.
Thanks
My exam is on Wednesday…. Pray I pass.
Hi
Is this Sim still valid?
Can someone send me the latest dumps for CCNA Security please: kumarbalimidi@gmail.com
Hi All,
Does anyone have the configuration for these labs?
Can someone assist: do all SDM sim questions come up like here on 9tut.com?
How can I open this lab in Packet Tracer to practice the commands? Please, someone help; thank you guys.