Network and Service Object Groups Quiz
37 Questions

Questions and Answers

What does the nat-id parameter signify in the pre-8.3 NAT configuration?

  • It associates a global address pool with a specific internal network. (correct)
  • It determines the netmask used for translation.
  • It indicates the maximum number of simultaneous connections.
  • It specifies the IP range for the internal network.

Which command maps the second internal network, 192.168.2.0/24, to nat-id 2?

  • ciscoasa(config)# global (outside) 1 100.1.1.2-100.1.1.50 netmask 255.255.255.0
  • ciscoasa(config)# nat (inside) 2 192.168.2.0 255.255.255.0 (correct)
  • ciscoasa(config)# global (outside) 2 100.1.1.51-100.1.1.100 netmask 255.255.255.0
  • ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0

Which global address pool does the first internal network (nat-id 1) translate to?

  • 192.168.1.0/24
  • 100.1.1.51-100.1.1.100
  • 100.1.1.2-100.1.1.50 (correct)
  • 192.168.2.0/24

How do Cisco ASA versions 8.3 and later differ in configuring NAT compared to earlier versions?

  • They use a simplified object-based syntax: the nat statement is configured inside the network object, and no nat-id or global command is needed. (correct)

What is the netmask used for both global address pools in this scenario?

  • 255.255.255.0 (correct)

What does the command network-object host "ip_addr" accomplish?

  • Adds a single host to the network object group. (correct)

How do you add a whole subnet to a network object group?

  • network-object "net_addr netmask" (correct)

In the ACL example provided, what does permit tcp any object-group WEB_SRV eq 80 achieve?

  • Allows TCP traffic from any source to the hosts in the WEB_SRV object group on destination port 80. (correct)

What type of ports does the command object-group service "group_name" {tcp | udp | tcp-udp} let you define?

  • TCP ports, UDP ports, or both, depending on the keyword chosen. (correct)

What does the command port-object range 21 23 specify in a service object group?

  • A range of service ports from 21 to 23 inclusive (FTP, SSH and Telnet). (correct)

Which command adds HTTP to the DMZ_SERVICES service object group?

  • port-object eq http (correct)

What does the exit command do in the context of the Cisco ASA object-group configuration?

  • Leaves the object group sub-configuration mode and returns to global configuration mode. (correct)

Which command adds the 10.0.0.0/24 subnet to a network object group in the given example?

  • network-object 10.0.0.0 255.255.255.0 (correct)

What is the main advantage of using Port Address Translation (PAT)?

  • It allows many internal hosts to access the internet through a single public IP address. (correct)

What command shows the contents of the translation table, including PAT entries?

  • show xlate (correct)

How does PAT manage numerous connections from internal hosts to external networks?

  • By multiplexing connections over a single global IP address, distinguishing them by unique translated source ports. (correct)

In the show xlate example, which translated (global) source port is assigned to the connection from 192.168.1.1?

  • 1024 (correct)

In the example shown, what public IP address is used for PAT?

  • 100.1.1.2 (correct)

Which 8.3+ command, entered inside the network object, configures dynamic translation to the single mapped address 100.1.1.2?

  • nat (inside,outside) dynamic 100.1.1.2 (correct)

What scenario could lead to rapid depletion of the external public address pool when using dynamic NAT?

  • Many internal hosts accessing the internet simultaneously, since dynamic NAT consumes one pool address per active host. (correct)

What does the command object network internal_lan do in an 8.3+ configuration?

  • Creates a network object named internal_lan that represents the internal subnet and holds its NAT rule. (correct)

Why is static routing recommended over dynamic routing on the ASA firewall?

  • It avoids advertising internal network subnets to neighbouring routers. (correct)

In what scenario is dynamic routing configuration necessary on the ASA firewall?

  • When the ASA is located deep inside a large campus network with many internal subnets. (correct)

Which of the following is NOT a type of static route on the ASA firewall?

  • Dynamic Route (correct)

What configuration is needed to reach networks directly connected to an ASA interface?

  • None; no static route is necessary. (correct)

What type of route is automatically created when an IP address is configured on an ASA interface?

  • Directly Connected Route (correct)

What is required to reach a network that is not directly connected to the ASA?

  • A static route pointing to the next-hop router on the interface toward that network. (correct)

What is the primary purpose of a default static route in the ASA firewall configuration?

  • To forward traffic for destinations with no more specific route to a predefined next hop. (correct)

What is a risk of using dynamic routing protocols on the ASA firewall?

  • Potential exposure of the internal network structure to routing neighbours. (correct)

What is the correct configuration to define a time-range for weekdays from 09:00 to 17:00?

  • time-range workhours, followed by periodic weekdays 09:00 to 17:00 in time-range configuration mode (correct)

Which statement accurately describes how the ACL behaves during the workhours time-range?

  • Web access is denied while the current time falls within workhours. (correct)

What is the purpose of defining a time-range in ACL configuration?

  • To make an ACL entry permit or deny traffic only during designated times. (correct)

Which command allows traffic for a specific DMZ server during updates every Sunday?

  • access-list DMZ-IN extended permit ip host 10.1.1.1 any time-range updatehours (correct)

What are the two types of routing supported by the Cisco ASA appliance?

  • Static and Dynamic Routing (correct)

Which statement is NOT true regarding time-based ACLs?

  • They can only be defined using absolute time ranges. (correct)

Which dynamic routing protocols does Cisco ASA support?

  • RIP, OSPF, and EIGRP (correct)

What happens to traffic if a user tries to access the web outside of the workhours period?

  • The time-limited deny entry is inactive, so the following permit entry in the ACL allows the traffic. (correct)

    Study Notes

    Network Object Groups

    • Define a network object group with the command object-group network “group_name”
    • Add hosts to the network object group with the command network-object host “ip_addr”
    • Add subnets to the network object group with the command network-object “net_addr netmask”
    • Use the network object group with an ACL by replacing a source or destination address with the object group name
    • For example, access-list OUT-IN extended permit tcp any object-group WEB_SRV eq 80 allows tcp access from any source to the WEB_SRV network group on port 80.

    Service Object Groups

    • Define a service object group with the command object-group service “group_name” {tcp | udp | tcp-udp}
    • Specify the ports to be included with the command port-object {eq | range} “port_number”
    • For example, object-group service DMZ_SERVICES tcp defines a TCP service object group called DMZ_SERVICES, port-object eq http adds HTTP to the group, and port-object range 21 23 adds ports 21 through 23 (FTP, SSH and Telnet).
    • Use the service object group in an ACL by replacing a source or destination port with the object group name.
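    The two lists above describe the pieces separately. The following is an added example, not configuration from the original lesson, that puts them together: a network object group, a TCP service object group, and an inbound ACL that references both. The host and subnet addresses, the second web server, the https port object, and the interface name outside are assumptions for illustration.

```cisco
! Added example: object-group based inbound ACL for the DMZ web servers
! (addresses, extra ports and the "outside" interface name are assumed)

! Network object group: two web servers plus a whole subnet
object-group network WEB_SRV
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object 10.1.2.0 255.255.255.0
 exit

! TCP service object group: web ports and the FTP-to-Telnet range.
! range 21 23 also opens SSH (22) and cleartext Telnet (23);
! list only the ports the servers actually need.
object-group service DMZ_SERVICES tcp
 port-object eq http
 port-object eq https
 port-object range 21 23
 exit

! One ACE covers every host in WEB_SRV on every port in DMZ_SERVICES.
! The object-group after the destination is the destination port set.
access-list OUT-IN extended permit tcp any object-group WEB_SRV object-group DMZ_SERVICES
access-list OUT-IN extended deny ip any any log

! Bind the ACL inbound on the outside interface
access-group OUT-IN in interface outside

! Verification: show access-list expands the groups into individual ACEs
! with per-line hit counts, so unused or over-broad entries stand out
show access-list OUT-IN
show running-config object-group
```

    Because the ACL is evaluated top down, the explicit deny with log at the end records what the object groups did not cover, which is the quickest way to notice that a port such as Telnet was opened by the range rather than by intent.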

    Dynamic NAT Translation

    • Cisco ASA versions prior to 8.3 required a nat-id to bind the nat and global commands together.
    • This allowed an internal network to be translated to a specific global IP pool.
    • For example, nat (inside) 1 192.168.1.0 255.255.255.0 translates the internal network 192.168.1.0/24 to the pool defined by global (outside) 1 100.1.1.2-100.1.1.50 netmask 255.255.255.0.
    • Cisco ASA versions 8.3 and later replace this with object NAT: the nat statement is configured inside the network object that holds the real (internal) addresses, and the mapped address is given either as another network object or inline in the nat statement; no nat-id or global command is used.
    • For example, object network internal_lan creates the object, subnet 192.168.1.0 255.255.255.0 assigns it the internal subnet, and nat (inside,outside) dynamic 100.1.1.2 translates the subnet to the single mapped address 100.1.1.2.
    • Caveat: because 100.1.1.2 is a single address, this 8.3+ rule is dynamic PAT (all internal hosts share the address and are distinguished by port). A one-to-one dynamic NAT pool requires a mapped object that holds a range or subnet.

    Port Address Translation (PAT)

    • PAT allows multiple connections from different internal hosts to be multiplexed over a single global (public) IP address using different source ports.
    • Cisco ASA versions prior to 8.3 configured PAT with commands like nat (inside) 1 192.168.1.0 255.255.255.0 and global (outside) 1 100.1.1.2 netmask 255.255.255.255.
    • This would translate all private addresses on 192.168.1.0/24 to 100.1.1.2 using unique source port numbers.
    • Cisco ASA versions 8.3 and later configure PAT inside the network object as well, with nat (inside,outside) dynamic followed by a single mapped host address or the interface keyword (PAT on the outside interface address).
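    The following is an added example, not from the original lesson, that combines the Dynamic NAT and PAT notes above: the pre-8.3 nat/global pair with a pool plus a single-address PAT fallback, and the equivalent 8.3+ object NAT rule with an interface PAT fallback. The 192.168.1.0/24 subnet and the 100.1.1.2-100.1.1.50 pool are the lesson's values; the 100.1.1.51 fallback address and the MAPPED_POOL object name are assumptions.

```cisco
! Added example (pool and subnet from the lesson; 100.1.1.51 and MAPPED_POOL assumed)

! --- Pre-8.3: nat-id 1 binds the nat statement to its global pools ---
nat (inside) 1 192.168.1.0 255.255.255.0
! Dynamic NAT pool: one public address per active internal host
global (outside) 1 100.1.1.2-100.1.1.50 netmask 255.255.255.0
! Single-address PAT with the same nat-id: used only once the pool is exhausted
global (outside) 1 100.1.1.51 netmask 255.255.255.255

! --- 8.3+ object NAT: the rule is configured inside the real-address object ---
object network MAPPED_POOL
 range 100.1.1.2 100.1.1.50
object network internal_lan
 subnet 192.168.1.0 255.255.255.0
 ! "interface" falls back to PAT on the outside interface address when
 ! MAPPED_POOL is exhausted, so a small pool does not deny access
 nat (inside,outside) dynamic MAPPED_POOL interface

! 8.3+ pure PAT instead: a single mapped host address makes the rule dynamic PAT
! object network internal_lan
!  nat (inside,outside) dynamic 100.1.1.2

! Verification: xlate table and per-rule translate/untranslate hit counts
show xlate
show nat
```

    Without the fallback, a 49-address pool serving a /24 denies the fiftieth concurrent host, which shows up as failing connections rather than as an error on the ASA; show nat makes the exhausted rule visible through its hit counts.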

    Monitoring PAT Translations

    • The show xlate command displays the PAT translation table.
    • For example, PAT Global 100.1.1.2 (1024) Local 192.168.1.1 (4513) indicates a connection from 192.168.1.1 with source port 4513 is translated to 100.1.1.2 with source port 1024.

    Time Based Access Lists

    • Time-based access lists allow you to restrict or permit traffic based on time ranges.
    • Define a time range with the command time-range "name"; this enters time-range configuration mode, where periodic weekdays 09:00 to 17:00 specifies weekdays from 9am to 5pm, for example, and absolute defines a one-off start and end.
    • Use the time range in an ACL with the time-range “name” clause.
    • For example, access-list INSIDE-IN extended deny tcp any any eq www time-range workhours denies web access during the defined "workhours" time range.
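    The following is an added example, not from the original lesson, showing the complete time-based ACL procedure: the two time ranges, the ACLs that reference them, and the interface bindings. The workhours range, the INSIDE-IN deny line and the DMZ-IN permit line are taken from the lesson; the Sunday 02:00 to 04:00 window for updatehours, the NTP server address 192.168.1.100, and the interface names inside and dmz are assumptions.

```cisco
! Added example (Sunday window, NTP server and interface names assumed)

! Time-based rules are only as good as the ASA clock: sync it first
ntp server 192.168.1.100

time-range workhours
 periodic weekdays 09:00 to 17:00
 exit
time-range updatehours
 periodic Sunday 02:00 to 04:00
 exit

! Inside users: block port 80 during work hours, allow everything else.
! Order matters: the time-limited deny must precede the general permit.
! This blocks only www (80); HTTPS (443) is still allowed.
access-list INSIDE-IN extended deny tcp any any eq www time-range workhours
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside

! DMZ server 10.1.1.1 may initiate outbound traffic only during its Sunday update window
access-list DMZ-IN extended permit ip host 10.1.1.1 any time-range updatehours
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz

! Verification: the clock, the ranges, and the ACL state
! (entries whose time-range is not currently active are flagged inactive)
show clock
show running-config time-range
show access-list INSIDE-IN
```

    The deny on port 80 alone is a common gap: users simply switch to HTTPS. If the intent is to block web browsing during work hours, the deny needs a service object group covering both 80 and 443.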

    Routing Protocol Support

    • The ASA firewall supports static and several dynamic routing protocols including RIP, OSPF, and EIGRP.
    • Static routing is recommended for most deployments as it provides more control and security.
    • Dynamic routing should only be used in large networks where the ASA is located deep inside the network infrastructure.

    Static Routing

    • The ASA automatically creates a Directly Connected Route for each interface that has an IP address configured.
    • This route lets the ASA reach any host on the network attached to that interface; no static route is needed for it.
    • Configure static routes for networks that are not directly connected with route "interface_name" "destination_network" "mask" "next_hop". The ASA uses route, not the IOS ip route command, and requires the name of the egress interface.
    • Configure a default static route with route "interface_name" 0.0.0.0 0.0.0.0 "next_hop" to send traffic for destinations without a more specific route to a default gateway.
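    The following is an added example, not from the original lesson, of the static routing procedure in ASA syntax. The next-hop addresses 100.1.1.1 and 192.168.1.254, the remote subnet 192.168.2.0/24 and the interface names are assumptions.

```cisco
! Added example (addresses and interface names assumed)

! Default route toward the ISP next hop on the outside interface
route outside 0.0.0.0 0.0.0.0 100.1.1.1

! Internal subnet one hop behind an inside router at 192.168.1.254
route inside 192.168.2.0 255.255.255.0 192.168.1.254

! No route is needed for 192.168.1.0/24 itself: it is directly connected
! to the inside interface and the ASA installs that route automatically.

! Verification: C = connected, S = static, S* = default
show route
```

    A static route also acts as an anti-spoofing control when paired with the interface name: a packet for 192.168.2.0/24 arriving on outside is routed back out inside rather than being accepted as internal traffic.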

    Description

    Test your understanding of network and service object groups in networking. This quiz covers commands for defining object groups, adding hosts and subnets, and using them with access control lists (ACLs). Sharpen your skills with practical examples.
