Questions on ASA Firewall Multiple choice Questions and Answers pdf

11. Does the ASA inspect ICMP?
No. The ASA does not inspect ICMP by default.

12. What is a DMZ (Demilitarized Zone)?
If we need some network resources, such as a Web server or FTP server, to be available to outside users, we place these resources on a separate network behind the firewall called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only contains the public servers, an attack there only affects those servers and does not affect the inside network.

13. How does the firewall process a packet?
When a packet is received on the ingress interface, the ASA checks whether it matches an existing entry in the connection table. If it does, protocol inspection is carried out on that packet.
If it does not match an existing connection and the packet is either a TCP SYN packet or a UDP packet, the packet is subjected to ACL checks. The reason it needs to be a TCP SYN packet is that a SYN packet is the first packet in the TCP 3-way handshake. Any other TCP packet that isn't part of an existing connection is likely an attack.
If the packet is permitted by the ACLs and is also verified by the translation rules, the packet goes through protocol inspection.
Then the IP header is translated if NAT is used. If the NAT rule specifies an egress interface, the ASA virtually forwards the packet to that egress interface and then performs a route lookup.
If a route is found that specifies the egress interface, the Layer 2 header of the packet is rewritten and the packet is forwarded out the egress interface.
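The order of operations above (connection table, SYN/UDP check for new flows, ACL, NAT, egress selection, route lookup) is easier to reason about as a small state machine. The following Python model is an added example, not Cisco code and not configuration from the original page; the connection table, ACL entries, NAT rule, routing table and addresses in it are constructed sample data, and the `Asa`, `Packet` and `build_sample_asa` names are hypothetical. ICMP is left out because, as Q11 notes, it is not tracked statefully by default.

```python
"""Toy model of the ASA packet-flow order described in Q13.

Constructed example: the connection table, ACL, NAT and routing table
are made-up sample data, not taken from any real ASA configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False     # TCP SYN flag; only meaningful when proto == "tcp"
    ingress: str = "outside"


@dataclass
class Asa:
    # Existing connections keyed by (proto, src, dst, dport).
    conn_table: Set[Tuple[str, str, str, int]] = field(default_factory=set)
    # Per-interface inbound ACL: ordered (proto, dst, dport, action) entries.
    # "any" wildcards proto/dst and dport 0 wildcards the port; first match wins.
    acl: Dict[str, List[Tuple[str, str, int, str]]] = field(default_factory=dict)
    # Static NAT: public address -> (real address, pinned egress interface or None).
    nat: Dict[str, Tuple[str, Optional[str]]] = field(default_factory=dict)
    # Routing table: /24 prefix (first three octets) -> egress interface.
    routes: Dict[str, str] = field(default_factory=dict)

    def process(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        # Step 1: connection-table lookup. Packets belonging to an existing
        # connection bypass the ACL and go straight to inspection/forwarding.
        if key in self.conn_table:
            return "forward (existing connection, inspected)"
        # Step 2: a packet opening a new flow must be a TCP SYN or a UDP datagram.
        # Any other TCP segment without a connection entry is dropped as out-of-state.
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop (TCP non-SYN without connection)"
        # Step 3: inbound ACL check on the ingress interface.
        if not self._acl_permits(pkt):
            return "drop (ACL)"
        # Step 4: NAT translation of the destination address (if a rule matches).
        real_dst, nat_egress = self.nat.get(pkt.dst, (pkt.dst, None))
        # Step 5: the NAT rule may pin the egress interface; otherwise route lookup.
        egress = nat_egress or self._route(real_dst)
        if egress is None:
            return "drop (no route)"
        # Step 6: create the connection entry and forward out the egress interface.
        self.conn_table.add(key)
        return f"forward via {egress} to {real_dst}"

    def _acl_permits(self, pkt: Packet) -> bool:
        for proto, dst, dport, action in self.acl.get(pkt.ingress, []):
            if proto in (pkt.proto, "any") and dst in (pkt.dst, "any") \
                    and dport in (pkt.dport, 0):
                return action == "permit"
        return False  # implicit deny at the end of every ACL

    def _route(self, ip: str) -> Optional[str]:
        return self.routes.get(ip.rsplit(".", 1)[0])


def build_sample_asa() -> Asa:
    """Constructed sample: a DMZ web server behind static NAT, a DNS server inside."""
    asa = Asa()
    asa.acl["outside"] = [
        ("tcp", "203.0.113.10", 80, "permit"),   # public web server, HTTP only
        ("tcp", "203.0.113.10", 22, "deny"),     # management port explicitly denied
        ("udp", "10.0.0.5", 53, "permit"),       # inside DNS server (no NAT)
        ("udp", "any", 53, "permit"),            # catch-all DNS permit for the demo
    ]
    asa.nat["203.0.113.10"] = ("192.168.10.10", "dmz")  # static NAT pinned to dmz
    asa.routes["192.168.10"] = "dmz"
    asa.routes["10.0.0"] = "inside"
    return asa


if __name__ == "__main__":
    asa = build_sample_asa()
    for p in (
        Packet("tcp", "198.51.100.5", "203.0.113.10", 80),            # stray ACK
        Packet("tcp", "198.51.100.5", "203.0.113.10", 80, syn=True),  # handshake
        Packet("tcp", "198.51.100.5", "203.0.113.10", 80),            # now in table
        Packet("tcp", "198.51.100.5", "203.0.113.10", 22, syn=True),  # denied
        Packet("udp", "198.51.100.5", "10.0.0.5", 53),                # route lookup
        Packet("udp", "198.51.100.5", "198.51.100.7", 53),            # no route
    ):
        print(p.proto, p.dst, p.dport, "->", asa.process(p))
```

Running the script walks one packet through each branch: the stray ACK is dropped because no connection exists, the SYN creates the entry so the following ACK is treated as part of an existing connection, the NAT rule pins the web traffic to the dmz interface without a route lookup, and the untranslated UDP flows fall through to the routing table.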

14. What are the values for timeout of TCP session, UDP session, ICMP session?
TCP session - 60 minutes
UDP session - 2 minutes
ICMP session - 2 seconds

15. Explain TCP connection flags?
While troubleshooting TCP connections through the ASA, the connection flags shown for each TCP connection in the connection table indicate the state the ASA has recorded for that connection (for example, how far the handshake has progressed and which side initiated it).

16. What is the command to see timeout timers?
# sh run timeout

17. What is the difference between ports in ASA 8.4 and ASA 8.2?
In ASA 8.4 all ports are Gigabit Ethernet ports, while in ASA 8.2 all ports are Ethernet ports.

18. What is the command to check connection table?
# sh conn

19. How does the ASA handle traceroute?
The ASA does not decrement the TTL value of packets passing through it, so it does not appear as a hop in traceroute output and does not reveal information about itself for security reasons. It forwards the packet without decrementing the TTL value.

20. What happens if we apply an ACL globally in the ASA?
It is applied to all interfaces in the inbound direction. The global option exists only in ASA 8.4, not in ASA 8.2.
