CCNA Guide to Cisco Networking, Fourth Edition Chapter 10 Solutions

Chapter 10 Solutions
Review Questions
1. Which wildcard mask would apply an access list line to all packets from network 175.25.0.0?
a. 255.255.255.0
b. 255.255.0.0
c. 255.254.0.0
d. 0.0.255.255
2. Standard IP access lists filter traffic based on which of the following? (Choose all that apply.)
a. destination IP address
b. IP protocol
c. port number
d. source IP address
3. Wildcard masks use a ____0____ to signify which bits of an address are significant.
4. Which command shows only the IP access lists on a router?
a. show access-lists
b. show ipx access-lists
c. show ip access-lists
d. show interface
5. Which commands allow you to view the interfaces that have IP access lists applied to them? (Choose all that apply.)
a. show interfaces
b. show ip interface
c. show ip traffic
d. show ip counters
6. Which host and wildcard mask pair does the any keyword represent?
a. 255.255.255.255 0.0.0.0
b. 0.0.255.255 0.0.0.0
c. 0.0.0.0 0.0.0.0
d. 0.0.0.0 255.255.255.255
7. Which command is used to apply an IP access list to an interface?
a. ip access-group [list #] [in|out]
b. ip access-group permit 100
c. ip access-group [list #] [permit|deny]
d. show ip interface
8. Access lists are _________. (Choose all that apply.)
a. used to filter traffic and control network security
b. applied as either inbound or outbound filters
c. sequential permit or deny statements
d. built into the router's firmware
9. Standard IP access lists are represented by the _________ number range.
a. 100-199
b. 1-99
c. 1000-1099
d. 200-299
10. Which command could be used to remove an access list from your router?
a. no ip access-group in
b. no ip access-list 1 in
c. no access-list 1
d. no ip access-list one
11. Extended IP access lists are represented by the _________ number range.
a. 100-199
b. 200-299
c. 1000-1099
d. 1-99
12. The show access-lists command displays _________.
a. access lists applied to interfaces
b. all access lists on the router
c. only IP access lists on the router
d. only IPX access lists on the router
13. At which of the following prompts would you create an access list?
a. routerC#
b. routerC>
c. routerC(config-if)#
d. routerC(config)#
14. At which of the following prompts would you apply an access list to an interface?
a. routerC#
b. routerC>
c. routerC(config-if)#
d. routerC(config)
15. Which of the following host and corresponding wildcard mask pairs represent the same value as host 172.29.2.2?
a. 0.0.0.0 255.255.255.255
b. 172.29.2.2 0.0.0.0
c. 255.255.255.255 0.0.0.0
d. 0.0.0.0 172.29.2.2
16. A router can have one access list per protocol, per direction on each interface. True or False?
17. Which of the following is a benefit of using named lists?
a. The syntax is identical to using numbered lists.
b. Fewer lists are allowed, so it is easier to remember them.
c. You are not constrained by the 100 lists per filter type limit.
d. Using named lists offers no benefits.
18. What happens if a list is applied to an interface and then the list itself is removed?
a. The commands will be executed and all traffic will be denied.
b. The commands will be executed and all traffic will be permitted.
c. The commands will not be executed and all traffic will be permitted.
d. None of the above
19. What is true of the host keyword? (Choose all that apply.)
a. It can only be used with extended IP lists.
b. It can be used with standard and extended IP lists.
c. It replaces the 0.0.0.255 wildcard mask.
d. It replaces the 0.0.0.0 wildcard mask.
e. It is placed before the IP address with which it is associated.
f. It is placed after the IP address with which it is associated.
20. What is the purpose of the "established" parameter?
a. to establish a connection between the sender and receiver
b. to prevent any traffic into a network
c. to prevent any traffic into a network that didn't originate from that network
d. to permit all TCP traffic but not IP traffic into the established network
21. All access lists presented in this chapter, except standard IP lists, should be placed where?
a. as close to the source as possible
b. as close to the destination as possible
c. as close to the serial interface as possible
d. as close to the tftp server as possible
22. Which command links an access list to the VTY lines?
a. ip access-group
b. ip access-class
c. vty access-class
d. access-class
23. Which SDM wizard allows you to configure a DMZ?
a. Firewall configuration wizard
b. Security configuration wizard
c. Basic Firewall Wizard
d. Advanced Firewall Wizard
24. List the three Basic Firewall Wizard security settings.
High Security
Medium Security
Low Security
25. The SDM cannot be used to create complex access control lists. True or False?
Case Projects
Case Project 1
Lisa's proposed list will block all traffic from the 170.55.0.0 network. Since it is a
standard ACL, it cannot provide the level of control you need to meet the case project
requirements. The correct way to accomplish the task is with an extended ACL such as
the following:
access-list 100 deny tcp 170.55.0.0 0.0.255.255 host 164.106.105.3 eq www
access-list 100 permit ip any any
This access list should be placed on the router that is as close to the web server as
possible.
Case Project 2
Limiting access to VTY lines via ACLs is a simple process. First, you have to create the
proper ACL and then apply it to the VTY line with the access-class command.
In order to limit VTY access to a single workstation, you first create the appropriate ACL.
In the case study, you must limit access to just the 173.13.6.1/24 host. The commands to
perform this task are as follows:
access-list 1 permit host 173.13.6.1
You must then apply the ACL to the VTY line:
access-class 1 in
In order to allow access only from the 173.13.6.0/24 subnet, you must use the following
commands:
access-list 1 permit 173.13.6.0 0.0.0.255
access-class 1 in
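Added example (not part of the textbook or of this solutions file): a small Python model of how a router evaluates the numbered ACLs from Case Projects 1 and 2, showing wildcard-mask matching, top-down first-match processing and the implicit deny at the end of every list. The function names, the one-entry PORTS table and the packet addresses are assumptions made for illustration; only the ACL syntax used in these two case projects is parsed.

```python
import ipaddress

PORTS = {"www": 80}          # IOS port keyword -> TCP port (only the one used here)
ANY = (0, 0xFFFFFFFF)        # "any" is shorthand for 0.0.0.0 255.255.255.255

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tok):
    """Consume 'any', 'host A', 'A WILDCARD' or a bare 'A' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ip_int(tok.pop(0)), 0            # host A is shorthand for A 0.0.0.0
    wild = ip_int(tok.pop(0)) if tok and tok[0][0].isdigit() else 0
    return ip_int(t), wild

def parse_ace(line):
    tok = line.split()
    num, rest = int(tok[1]), tok[3:]
    ace = {"action": tok[2], "proto": "ip", "dst": ANY, "port": None}
    if 100 <= num <= 199:                       # extended: protocol, source, destination, port
        ace["proto"] = rest.pop(0)
        ace["src"], ace["dst"] = parse_addr(rest), parse_addr(rest)
        if rest[:1] == ["eq"]:
            ace["port"] = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
    else:                                       # standard (1-99): source address only
        ace["src"] = parse_addr(rest)
    return ace

def addr_match(ip, spec):
    addr, wild = spec
    # A 0 bit in the wildcard mask is significant; a 1 bit is ignored.
    return ((ip_int(ip) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None):
    for ace in map(parse_ace, acl):             # top-down, first match wins
        if (ace["proto"] in ("ip", proto) and addr_match(src, ace["src"])
                and addr_match(dst, ace["dst"])
                and ace["port"] in (None, dport)):
            return ace["action"]
    return "deny"                               # implicit deny at the end of every list

# ACL lines as given in the case project solutions.
CASE1 = ["access-list 100 deny tcp 170.55.0.0 0.0.255.255 host 164.106.105.3 eq www",
         "access-list 100 permit ip any any"]
CASE2 = ["access-list 1 permit 173.13.6.0 0.0.0.255"]

if __name__ == "__main__":   # constructed packet: a 170.55.x.x host browsing the web server
    print(evaluate(CASE1, "170.55.9.20", "164.106.105.3", "tcp", 80))
```

The Case Project 2 list has no explicit deny line, so any source outside 173.13.6.0/24 falls through to the implicit deny.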
Case Project 3
Creating a firewall to block peer-to-peer networking using the SDM is a simple
task. The paragraph should describe the use of the Basic Firewall
configuration wizard applied with the High Security setting. A router using
these settings identifies and drops all inbound and outbound Instant
Messaging and Peer-to-Peer traffic. The paragraph should include command
output shown in the text such as:
ip name-server 192.168.12.12
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on