Sample Questions and Answers
What is the main purpose of ASA’s Modular Policy Framework (MPF)?
A) To inspect, classify, and take action on traffic flows
B) To perform NAT translation
C) To configure routing protocols
D) To manage user authentication
Answer: A) To inspect, classify, and take action on traffic flows
Explanation: MPF handles inspection, QoS, and policing of network traffic.
Which command on ASA enables SSH access for management on an interface?
A) ssh <IP range> <wildcard mask> <interface>
B) enable ssh
C) ssh server enable
D) ssh allow <IP>
Answer: A) ssh <IP range> <wildcard mask> <interface>
Explanation: Defines the IP addresses allowed to SSH into the ASA on a specific interface.
Which Cisco ASA feature is used to authenticate users against an external directory service?
A) AAA Server (e.g., RADIUS or LDAP)
B) NAT exemption
C) MPF
D) PAT
Answer: A) AAA Server (e.g., RADIUS or LDAP)
Explanation: ASA uses AAA servers for centralized authentication and authorization.
How does the ASA firewall handle traffic from a higher security level interface to a lower one by default?
A) Traffic is allowed by default
B) Traffic is blocked unless ACL permits
C) Traffic is dropped silently
D) Traffic requires NAT
Answer: A) Traffic is allowed by default
Explanation: Traffic flows freely from higher to lower security levels unless restricted.
Which command verifies the NAT translations on the ASA?
A) show xlate
B) show nat
C) show interface
D) show route
Answer: A) show xlate
Explanation: Displays NAT translation entries currently active.
What ASA feature would you use to protect the network from scanning and reconnaissance attacks?
A) Adaptive Security Algorithm (ASA) IPS
B) NAT exemption
C) Static routing
D) VPN tunneling
Answer: A) Adaptive Security Algorithm (ASA) IPS
Explanation: ASA’s built-in IPS detects and blocks scanning and reconnaissance.
Which Cisco ASA command allows you to configure a static NAT?
A) static (inside,outside) <outside_ip> <inside_ip>
B) nat (inside,outside) dynamic
C) nat-control
D) route outside <gateway>
Answer: A) static (inside,outside) <outside_ip> <inside_ip>
Explanation: Maps a static one-to-one IP address translation.
Which ASA command will display VPN tunnel statistics?
A) show vpn-sessiondb
B) show crypto ikev1
C) show access-list
D) show interface
Answer: A) show vpn-sessiondb
Explanation: Displays detailed VPN session information.
What is the function of ASA’s inspect dns command?
A) Allows ASA to inspect and monitor DNS traffic for security
B) Enables DNS forwarding
C) Blocks DNS requests
D) Disables DNS resolution
Answer: A) Allows ASA to inspect and monitor DNS traffic for security
Explanation: Protects against DNS-based attacks and ensures protocol compliance.
Which ASA command is used to enable DHCP relay?
A) dhcprelay server <IP address>
B) dhcp enable
C) ip helper-address
D) dhcp relay
Answer: A) dhcprelay server <IP address>
Explanation: ASA relays DHCP requests to the specified DHCP server.
Which command verifies the status of failover on Cisco ASA?
A) show failover
B) show redundancy
C) show failover state
D) show system redundancy
Answer: A) show failover
Explanation: Displays current failover status and synchronization.
Which ASA protocol is used to protect VPN tunnels at the network layer?
A) IPsec
B) SSL
C) FTP
D) HTTP
Answer: A) IPsec
Explanation: IPsec provides secure VPN tunneling at the network layer.
What ASA command is used to configure an interface with a security level of 0?
A) nameif outside followed by security-level 0
B) ip address 0.0.0.0 0.0.0.0
C) security-level 100
D) interface GigabitEthernet0/0
Answer: A) nameif outside followed by security-level 0
Explanation: Assigning security-level 0 indicates the least trusted interface, typically the outside.
What type of VPN does Cisco ASA support that uses SSL encryption for client connections?
A) AnyConnect SSL VPN
B) GRE VPN
C) IPsec Site-to-Site VPN
D) L2TP VPN
Answer: A) AnyConnect SSL VPN
Explanation: AnyConnect SSL VPN provides secure client access over SSL/TLS.
What does the ASA command crypto map configure?
A) Defines VPN policies including peer, transform sets, and ACLs
B) Configures access-lists
C) Sets interface IP addresses
D) Enables logging
Answer: A) Defines VPN policies including peer, transform sets, and ACLs
Explanation: crypto map is used to configure IPsec VPN parameters.
In ASA, what is the result of setting an interface security level to 100?
A) It is considered the most trusted interface
B) It is the least trusted interface
C) Traffic is blocked by default
D) It disables all traffic on the interface
Answer: A) It is considered the most trusted interface
Explanation: Security levels range from 0 (least trusted) to 100 (most trusted).
Which protocol does ASA use for dynamic routing by default?
A) OSPF
B) EIGRP
C) BGP
D) RIP
Answer: A) OSPF
Explanation: ASA supports OSPF and EIGRP, but OSPF is more commonly used for dynamic routing.
What is the function of the ASA command object network?
A) Defines a network object for NAT or ACLs
B) Creates a user object
C) Defines VLANs
D) Configures routing protocols
Answer: A) Defines a network object for NAT or ACLs
Explanation: Network objects simplify NAT and ACL management.
Which type of ACL is used to restrict management access to Cisco ASA?
A) Standard or extended ACL applied inbound on management interface
B) Reflexive ACL
C) Time-based ACL
D) None of the above
Answer: A) Standard or extended ACL applied inbound on management interface
Explanation: ACLs limit which IPs can access management services like SSH or ASDM.
Which command enables DHCP on the Cisco ASA?
A) dhcpd enable <interface>
B) ip dhcp server
C) dhcp server enable
D) enable dhcp
Answer: A) dhcpd enable <interface>
Explanation: Enables the DHCP server on a specified ASA interface.
What is the purpose of ASA’s inspect feature?
A) To perform deep packet inspection on specific protocols
B) To enable NAT translations
C) To configure VPN tunnels
D) To configure interfaces
Answer: A) To perform deep packet inspection on specific protocols
Explanation: inspect allows detailed protocol checks for security and compliance.
Which Cisco ASA component stores active sessions and connection states?
A) Connection table (conn table)
B) Routing table
C) NAT table
D) Access-list table
Answer: A) Connection table (conn table)
Explanation: Maintains stateful information about active connections.
What is the function of the Cisco ASA feature called ‘Context Mode’?
A) Allows multiple virtual firewalls on a single physical device
B) Enables VPN client access
C) Provides NAT translations
D) Configures routing protocols
Answer: A) Allows multiple virtual firewalls on a single physical device
Explanation: Context mode partitions the ASA into separate virtual firewalls.
What ASA command can be used to check the license status?
A) show version
B) show license
C) show running-config
D) show ip interface
Answer: B) show license
Explanation: Displays information about installed licenses.
Which ASA VPN authentication method uses digital certificates?
A) IKE with RSA signatures
B) PAP
C) CHAP
D) Password authentication
Answer: A) IKE with RSA signatures
Explanation: Digital certificates are used for authentication via RSA signatures.
What does the ASA feature ‘NAT exemption’ accomplish?
A) Prevents NAT translation between specified networks
B) Enables PAT
C) Configures static NAT
D) Disables NAT globally
Answer: A) Prevents NAT translation between specified networks
Explanation: NAT exemption allows direct routing without NAT for certain traffic.
What type of VPN tunnel uses GRE encapsulation and IPsec for encryption?
A) Site-to-site VPN with GRE over IPsec
B) SSL VPN
C) L2TP VPN
D) MPLS VPN
Answer: A) Site-to-site VPN with GRE over IPsec
Explanation: GRE tunnels can be secured using IPsec encryption.
Which ASA command will show the currently active interfaces and their IP addresses?
A) show interface ip brief
B) show ip interface
C) show interface
D) show ip route
Answer: C) show interface
Explanation: Displays detailed info on interfaces including IP addresses and status.
Which protocol does ASA use for establishing IKE Phase 1?
A) UDP port 500
B) TCP port 443
C) UDP port 4500
D) TCP port 22
Answer: A) UDP port 500
Explanation: IKE Phase 1 uses UDP 500 for initial key exchange.
What is a common use case for ASA’s Identity Firewall feature?
A) To enforce user-level access policies based on user identity
B) To block all incoming traffic
C) To NAT all inside addresses
D) To manage DHCP pools
Answer: A) To enforce user-level access policies based on user identity
Explanation: Identity Firewall applies security policies per user identity.
Which ASA command can be used to reboot the device?
A) reload
B) restart
C) reboot
D) shutdown
Answer: A) reload
Explanation: reload restarts the ASA.
Which command is used to view ASA logs in real time?
A) terminal monitor
B) show logging
C) logging enable
D) debug logging
Answer: A) terminal monitor
Explanation: Enables viewing logging output on the console or SSH session.
What type of VPN tunnel uses SSL/TLS instead of IPsec on ASA?
A) Clientless SSL VPN (WebVPN)
B) GRE VPN
C) L2TP VPN
D) IPsec Site-to-Site VPN
Answer: A) Clientless SSL VPN (WebVPN)
Explanation: WebVPN provides browser-based VPN access over SSL.
What is the default security level for the ASA’s inside interface?
A) 100
B) 0
C) 50
D) 10
Answer: A) 100
Explanation: The inside interface is usually assigned the highest trust level, 100.
Which ASA feature provides protection against Denial of Service (DoS) attacks?
A) TCP Intercept
B) NAT
C) ACLs
D) Routing protocols
Answer: A) TCP Intercept
Explanation: ASA can intercept and validate TCP connections to protect against DoS.
Which ASA command will display active VPN sessions with detailed info?
A) show vpn-sessiondb
B) show crypto ikev2 sa
C) show access-list
D) show nat
Answer: A) show vpn-sessiondb
Explanation: Displays info about active VPN sessions.
How does ASA handle traffic from a lower security level interface to a higher one by default?
A) Traffic is blocked unless explicitly permitted by ACL
B) Traffic is allowed
C) Traffic is redirected
D) Traffic is dropped silently without logging
Answer: A) Traffic is blocked unless explicitly permitted by ACL
Explanation: Traffic from low to high security requires explicit ACL permission.
Which Cisco ASA command is used to clear the connection table?
A) clear conn
B) clear xlate
C) clear nat
D) clear interface
Answer: A) clear conn
Explanation: Clears active connections from the connection table.