
Zone-based Firewall SDM Simlet

September 14th, 2010

Instructions

To access the Cisco Router and Security Device Manager (SDM) utility, click on the console host icon that is connected to an ISR router. You can click on the grey buttons below to view the different windows.
Each of the windows can be minimized by clicking on the [-]. You can also reposition a window by dragging it by the title bar.
The “Tab” key and most commands that use the “Control” or “Escape” keys are not supported and are not necessary to complete this simulation.

(Note: If you don’t understand how Zone-Based-Firewall works, check out my article at https://www.securitytut.com/ccna-security-knowledge/cisco-ios-zone-based-firewall-tutorial/)

(Notice: the access list, class-map, policy-map, zones, zone-pair… in the real exam might be different!)

Question 1

Which two options correctly identify the associated interface with the correct security zone? (Choose two)

A. FastEthernet0/1 is associated to the “out-zone” zone.
B. FastEthernet0/0 is associated to the “in-zone” zone.
C. FastEthernet0/0 and 0/1 are associated to the “self” zone.
D. FastEthernet0/0 and 0/1 are associated to the “in-zone” zone.
E. FastEthernet0/0 and 0/1 are associated to the “out-zone” zone.
F. FastEthernet0/0 and 0/1 are not associated to any zone.


Answer: A B

Explanation

Under the Additional Tasks, click on the Zones group. In the box on the right we can see that FastEthernet0/0 is assigned to the in-zone and FastEthernet0/1 is assigned to the out-zone.

ZBF_Zones.jpg

(Notice: In the real exam, you might see more zones than the image above)

Question 2

Which statement is correct regarding the “sdm-permit” policy map?

A. Traffic not matched by any of the class maps within that policy map will be inspected.
B. Traffic matching the “sdm-access” traffic class will be inspected.
C. Traffic matching the “SDM_CA_SERVER” traffic class will be dropped.
D. That policy map is applied to traffic sourced from the “self” zone and destined to the “out-zone” zone.


Answer: B or C

Explanation

A is not correct because there is a default class-map at the end of this policy map named “class-default”. This class-map will drop all the traffic that is not matched by the SDM_CA_SERVER class-map (it works in the same way as the implicit “deny all” line at the end of each access list). Therefore traffic not matched by any of the class maps within that policy map will be dropped.

D is not correct because the policy map is applied from the source “out-zone” to the destination “self”.

We don’t have enough information about the correct answer yet; hopefully someone will describe this question clearly after taking the exam.

Question 3

Which three protocols are matched by the “sdm-cls-insp-traffic” class map? (Choose three)

A. sql-net
B. pop3
C. l2tp
D. ftp


Answer: A B D

Explanation

Click on the C3PL > Class Map > Inspection group and click on the sdm-cls-insp-traffic line in the upper right box to see which protocols are matched by the “sdm-cls-insp-traffic” class map.

ZBF_class-map_sdm-cls-insp-traffic.jpg

Question 4

Within the “sdm-permit” policy map, what is the action assigned to the traffic class “class-default”?

A. inspect
B. pass
C. drop
D. police


Answer: C

Explanation

Under the C3PL > Policy Map > Protocol Inspection group we can see the policy maps, which class-maps they contain and which actions are assigned to the class-maps.

ZBF_sdm-permit_class-default.jpg

Question 5

Which policy map is associated to the “sdm-zp-in-out” security zone pair?

A. sdm-permit-icmpreply
B. sdm-permit
C. sdm-inspect
D. sdm-insp-traffic

Answer: C

Explanation

There are two places where you can get information about the policy map associated with the “sdm-zp-in-out” security zone pair:

+ At the “Home” tab (you might click on the double head-down arrows icon to see the Firewall policies)

ZBF_sdm-zp-in-out-policy.jpg

+ At the Zone-pair group in the Additional Tasks

ZBF_sdm-zp-in-out-policy_ZonePairs.jpg

Question 6

Within the “sdm-inspect” policy map, what is the action assigned to the traffic class “sdm-invalid-src”, and which traffic is matched by the traffic class “sdm-invalid-src”? (Choose two)

A. traffic matched by ACL 105
B. traffic matched by the nested “sdm-cls-insp-traffic” class map
C. drop/log
D. traffic matched by ACL 104


Answer: A C

Explanation

Under the “Firewall and ACL” tab, search for the “sdm-inspect” policy map; we can see that access list 105 is used by this policy map. We can also see the action assigned to the traffic class “sdm-invalid-src” (drop/log).

ZBF_Firewall_access_list.jpg

Notice that the access list number can also be seen in the C3PL > Class Map > Inspection group, and the drop/log action can be seen in the C3PL > Policy Map > Protocol Inspection group.

(Reference: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1063104)
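Pulling the pieces from the six questions together, the following is the IOS CLI equivalent of what SDM displays in this simlet. It is an added example, not the simlet's actual router configuration: the ACL 105 entries, the addressing, the nesting of sdm-insp-traffic around sdm-cls-insp-traffic, and the zone-pair name sdm-zp-out-self are assumptions, and the sdm-access / SDM_CA_SERVER class actions are left out because the simlet does not settle them.

```cisco
! Zones and interface membership (Question 1)
zone security in-zone
zone security out-zone
!
interface FastEthernet0/0
 zone-member security in-zone
interface FastEthernet0/1
 zone-member security out-zone
!
! ACL 105 is what the sdm-invalid-src class matches (Question 6).
! Constructed placeholder entries: the simlet never shows the real ACL body.
access-list 105 permit ip 192.0.2.0 0.0.0.255 any
access-list 105 permit ip host 255.255.255.255 any
access-list 105 permit ip 127.0.0.0 0.255.255.255 any
!
! Class maps (Questions 3 and 6). Wrapping sdm-cls-insp-traffic inside
! sdm-insp-traffic mirrors how SDM generates its config (assumption).
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol ftp
 match protocol pop3
 match protocol sql-net
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-invalid-src
 match access-group 105
!
! Policy for the in-zone -> out-zone pair (Questions 5 and 6).
! Packets with a bogus source are dropped and logged; ftp/pop3/sql-net
! are stateful-inspected; class-default drops everything else.
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class class-default
  drop
!
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
! Policy for traffic from out-zone to the router itself (Questions 2 and 4).
! Only the class-default drop is shown; the sdm-access and SDM_CA_SERVER
! class actions are not settled by the simlet. Zone-pair name is assumed.
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
```

In a zone-based firewall the class-default of an inspect policy map drops unmatched traffic even when no action is typed, so the explicit drop above only makes the behaviour SDM reports visible in the CLI.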

Comments
  1. danishbhatti2000@hotmail.com
    October 10th, 2019

    Kindly send me the latest CCNA Security dumps…

  3. RAJ
    December 19th, 2019

    Passed the exam with 9xx/1000.

    – Read the study guide to understand the basics.
    – Do as many practice questions as possible.

    67 Questions in the exam and a minimum 860/1000 to pass.
    – one SIM on SSL VPN (ASDM)
    – 4 Questions
    – one drag and drop

    Link for the dumps and book:
    https: // drive.google.com /uc?id=155YUjcJ9lMunvrcPW_JUxkVQ2taLGk8t&export=download

  4. Harry
    February 17th, 2020

    Hi everybody, I will take the exam this week.
    Please send the latest CCNA Security dumps to my email:
    {email not allowed}

    I appreciate your help.

  5. Test
    February 17th, 2020

    Please send the latest CCNA Security dumps to my email – {email not allowed}
