You issue the following commands on a Cisco ASA with no other configured interfaces:
asa(config)#interface gigabitethernet 0/1
asa(config-if)#speed 1000
asa(config-if)#duplex full
asa(config-if)#nameif inside
asa(config-if)#ip address 10.1.1.1 255.255.255.0
asa(config-if)#no shutdown
asa(config-if)#exit
asa(config)#telnet 10.1.1.0 255.255.255.0 inside
asa(config)#telnet timeout 30
Which of the following statements is true regarding the resulting configuration? (Select the best answer.)
A. Telnet sessions will time out after 30 seconds of inactivity.
B. The ASA will assign the interface a security level of 0.
C. The ASA will assign the interface a security level of 100.
D. Telnet sessions will be denied until a security level is manually assigned.
Explanation:
In this scenario, the Cisco Adaptive Security Appliance (ASA) will assign the GigabitEthernet 0/1 interface a
security level of 100. The block of commands in this scenario configures the GigabitEthernet 0/1 interface to
operate in full-duplex mode at a speed of 1,000 megabits per second (Mbps), names the interface “inside”, and
assigns an IP address 10.1.1.1 with a network mask of 255.255.255.0. In addition, the no shutdown command
enables the interface. The telnet commands define a network range that is permitted to Telnet to the inside
interface and configure a Telnet idle-timeout value. Because no security level is manually assigned to the
interface, the ASA will automatically assign the interface a security level. The default security level on an ASA is
0; however, the inside interface is an exception to this rule because it is automatically assigned a security level
of 100 if a security level is not explicitly configured. An interface can be assigned any integer-valued security
level from 0 through 100.
Telnet sessions will not be denied to the GigabitEthernet 0/1 interface until a security level is manually
assigned. Normally, Telnet traffic is not permitted to the interface with the lowest security. However, if there is
only one configured interface and it has been configured with a security level of 100, Telnet traffic is permitted
even though the interface simultaneously has the highest security and the lowest security. Because the ASA
automatically assigns a security level of 100 to the inside interface, Telnet sessions will be able to access the
interface. If there were other active interfaces on the ASA, a Telnet session would be permitted to the interface
with the lowest security only if that session was protected by a virtual private network (VPN) tunnel terminating
on the interface. Although there are several methods for working around Telnet access restrictions of the ASA,
Cisco recommends disabling Telnet and using more secure methods for management access, such as Secure
Shell (SSH) or Secure Hypertext Transfer Protocol (HTTPS) instead; neither HTTPS nor SSH is restricted by
the security level of an interface.
Telnet sessions will not time out after 30 seconds of inactivity. The telnet timeout 30 command specifies an
inactivity timeout length of 30 minutes, not 30 seconds. The telnet timeout command accepts an integer value
from 1 through 1440 to specify the number of minutes a Telnet session can remain idle before the ASA closes
the connection.
Cisco: Cisco ASA 5500 Series Command Reference: security-level
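The rules in this explanation can be checked mechanically before a change is pasted into a device. The following Python sketch is an added example, not Cisco code or part of the original question: it reads a typed command session, derives each named interface's effective security level (explicit value if configured, otherwise 100 for "inside" and 0 for any other name), and reports Telnet management settings with the timeout converted from minutes. The function name review and the sample string are assumptions made for illustration.

```python
import re

# Constructed input: the commands from the question, as typed at the prompt.
QUESTION_COMMANDS = """\
asa(config)#interface gigabitethernet 0/1
asa(config-if)#speed 1000
asa(config-if)#duplex full
asa(config-if)#nameif inside
asa(config-if)#ip address 10.1.1.1 255.255.255.0
asa(config-if)#no shutdown
asa(config-if)#exit
asa(config)#telnet 10.1.1.0 255.255.255.0 inside
asa(config)#telnet timeout 30
"""

PROMPT = re.compile(r"^\S+?\((config(?:-if)?)\)#\s*(.*)$")  # (mode, command)

def review(session):
    """Return ({nameif: effective security level}, [management findings])."""
    blocks, findings, block = [], [], None
    for raw in session.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # skip device output and blank lines
        mode, cmd = m.groups()
        if cmd.startswith("interface "):
            block = {"nameif": None, "level": None}
            blocks.append(block)
        elif mode == "config-if" and block is not None:
            if n := re.fullmatch(r"nameif (\S+)", cmd):
                block["nameif"] = n.group(1)
            elif n := re.fullmatch(r"security-level (\d+)", cmd):
                block["level"] = int(n.group(1))
        elif n := re.fullmatch(r"telnet timeout (\d+)", cmd):
            minutes = int(n.group(1))  # the argument is minutes, not seconds
            findings.append(f"telnet idle timeout: {minutes} min ({minutes * 60} s)")
        elif n := re.fullmatch(r"telnet (\S+) (\S+) (\S+)", cmd):
            findings.append(f"telnet allowed from {n.group(1)} {n.group(2)} on "
                            f"{n.group(3)}: replace with ssh or https")
    levels = {}
    for b in blocks:
        if b["nameif"] is None:
            continue  # an unnamed interface has no level to report
        default = 100 if b["nameif"] == "inside" else 0
        levels[b["nameif"]] = default if b["level"] is None else b["level"]
    return levels, findings

if __name__ == "__main__":
    print(review(QUESTION_COMMANDS))
```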