A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with
a security level of 100. The second interface is the DMZ interface with a security level of 50. The
third interface is the outside interface with a security level of 0.
By default, without any access list configured, which five types of traffic are permitted? (Choose
five.)
A.
outbound traffic initiated from the inside to the DMZ
B.
outbound traffic initiated from the DMZ to the outside
C.
outbound traffic initiated from the inside to the outside
D.
inbound traffic initiated from the outside to the DMZ
E.
inbound traffic initiated from the outside to the inside
F.
inbound traffic initiated from the DMZ to the inside
G.
HTTP return traffic originating from the inside network and returning via the outside interface
H.
HTTP return traffic originating from the inside network and returning via the DMZ interface
I.
HTTP return traffic originating from the DMZ network and returning via the inside interface
J.
HTTP return traffic originating from the outside network and returning via the inside interface
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html
Security Level Overview
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should
assign your most secure network, such as the inside host network, to level 100. While the outside
network connected to the Internet can be level 0. Other networks, such as DMZs can be in between.
You can assign interfaces to the same security level. See the “Allowing Communication Between
Interfaces on the Same Security Level” section for more information.
The level controls the following behavior:
•Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface. If you enable
communication for same security interfaces (see the “Allowing Communication Between Interfaces
on the Same Security Level” section), there is an implicit permit for interfaces to access other
interfaces on the same security level or lower.
•Inspection engines—Some inspection engines are dependent on the security level. For same
security interfaces, inspection engines apply to traffic in either direction.
–NetBIOS inspection engine—Applied only for outbound connections.
–OraServ inspection engine—If a control connection for the OraServ port exists between a pair of
hosts, then only an inbound data connection is permitted through the security appliance.
•Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a
lower level).
For same security interfaces, you can filter traffic in either direction.
•NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security
interface (inside) when they access hosts on a lower security interface (outside).Without NAT control, or for same security interfaces, you can choose to use NAT between any
interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside
interface might require a special keyword.
•established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
For same security interfaces, you can configure established commands for both directions.