Which three statements are the default security policy on a Cisco ASA appliance? (Choose three.)

A. Traffic that goes from a high security level interface to a lower security level interface is allowed.

B. Outbound TCP and UDP traffic is statefully inspected and returning traffic is allowed to traverse the Cisco ASA appliance.

C. Traffic that goes from a low security level interface to a higher security level interface is allowed.

D. Traffic between interfaces with the same security level is allowed by default.

E. Traffic can enter and exit the same interface by default.

F. When the Cisco ASA appliance is accessed for management purposes, the access must be made to the nearest Cisco ASA interface.

G. Inbound TCP and UDP traffic is statefully inspected and returning traffic is allowed to traverse the Cisco ASA appliance.

Explanation:
The security algorithm is responsible for implementing and enforcing your security policies.
The algorithm uses a tiered hierarchy that allows you to implement multiple levels of security. To
accomplish this, each interface on the appliance is assigned a security level number from 0 to 100,
where 0 is the least secure and 100 is the most secure. The algorithm uses these security levels
to enforce its default policies.
Here are the four default security policy rules for traffic as it flows through the appliance:
• Traffic flowing from a higher-level security interface to a lower one is permitted by default.
• Traffic flowing from a lower-level security interface to a higher one is denied by default.
• Traffic flowing from one interface to another with the same security level is denied by default.
• Traffic flowing into and then out of the same interface is denied by default.
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_rules.html#wp1120072
Implicit Permits
For routed mode, the following types of traffic are allowed through by default:
• IPv4 traffic from a higher security interface to a lower security interface.
• IPv6 traffic from a higher security interface to a lower security interface.
For transparent mode, the following types of traffic are allowed through by default:
• IPv4 traffic from a higher security interface to a lower security interface.
• IPv6 traffic from a higher security interface to a lower security interface.
• ARPs in both directions.
Implicit Deny
Interface-specific access rules do not have an implicit deny at the end, but global rules on inbound
traffic do have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot
pass. For example, if you want to allow all users to access a network through the adaptive security
appliance except for particular addresses, then you need to deny the particular addresses and
then permit all others.
When you have no global access rules in your configuration, the implicit deny rule is applied at the
end of interface access rules. When you configure both an interface access rule and a global
access rule, the implicit deny (any any) is no longer located at the end of the interface-based
access rule. The implicit deny (any any) is enforced at the end of the global access rule. Logically,
the entries on the interface-based access rule are processed first, followed by the entries on the
global access rule, and then finally the implicit deny (any any) at the end of the global access rule.
For example, when you have an interface-based access rule and a global access rule in your
configuration, the following processing logic applies:
1. interface access control rules
2. global access control rules
3. default global access control rule (deny any any)
When only interface-based access rules are configured, the following processing logic applies:
1. interface access control rules
2. default interface access control rule (deny any any)
For EtherType rules, the implicit deny does not affect IPv4 or IPv6 traffic or ARPs; for example, if
you allow EtherType 8037 (the EtherType for IPX), the implicit deny at the end of the list does not
block any IP traffic that you previously allowed with an access rule (or implicitly allowed from a
high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType rule, then IP and ARP traffic is denied.
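As an added illustration (not from this page and not Cisco code), the following Python model encodes the implicit security-level policy and the interface rule, global rule, implicit deny processing order described above. The Rule and Flow classes, the CIDR matching, and the permit_inter/permit_intra switches (standing in for the same-security-traffic permit options) are simplifications assumed here; real ASA access lists are evaluated per ingress interface.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src: str = "any"       # network in CIDR form, a host address, or "any"
    dst: str = "any"
    proto: str = "any"     # "tcp", "udp", "icmp", ... or "any"

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    in_level: int          # security level of the ingress interface (0-100)
    out_level: int         # security level of the egress interface (0-100)
    same_iface: bool = False   # True when the flow would leave the interface it entered

def _match(pattern, value):
    return pattern == "any" or ip_address(value) in ip_network(pattern, strict=False)

def first_match(rules, flow):
    """First-match ACL semantics: the first matching entry decides, or None if none match."""
    for r in rules:
        if _match(r.src, flow.src) and _match(r.dst, flow.dst) and r.proto in ("any", flow.proto):
            return r.action
    return None

def default_policy(flow, permit_inter=False, permit_intra=False):
    """Implicit policy by security level; permit_* model 'same-security-traffic permit' (off by default)."""
    if flow.same_iface:
        return "permit" if permit_intra else "deny"   # in and out of the same interface
    if flow.in_level > flow.out_level:
        return "permit"                                  # higher level to lower level
    if flow.in_level == flow.out_level:
        return "permit" if permit_inter else "deny"      # equal security levels
    return "deny"                                        # lower level to higher level

def evaluate(flow, iface_acl=(), global_acl=(), **opts):
    """Processing order from the text: interface rules, then global rules, then the
    implicit deny any any. With no access rules configured, the implicit policy applies."""
    if not iface_acl and not global_acl:
        return default_policy(flow, **opts), "implicit policy by security level"
    for name, acl in (("interface", iface_acl), ("global", global_acl)):
        action = first_match(acl, flow)
        if action is not None:
            return action, f"{name} access rule"
    tail = "global" if global_acl else "interface"
    return "deny", f"default {tail} rule (deny any any)"
```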
Management access to an interface other than the one from which you entered the adaptive
security appliance is not supported. For example, if your management host is located on the
outside interface, you can only initiate a management connection directly to the outside interface.
The only exception to this rule is through a VPN connection, and entering the management-access
command. For more information about the management-access command, see the Cisco ASA
5500 Series Command Reference.