A firewall ACL is configured as follows:
10. Deny Any Trust to Any DMZ eq to TCP port 22
11. Allow 10.200.0.0/16 to Any DMZ eq to Any
12. Allow 10.0.0.0/8 to Any DMZ eq to TCP ports 80, 443
13. Deny Any Trust to Any DMZ eq to Any
A technician notices that users in the 10.200.0.0/16 network are unable to SSH into servers in the
DMZ. The company wants 10.200.0.0/16 to be able to use any protocol, but restrict the rest of the
10.0.0.0/8 subnet to web browsing only. Reordering the ACL in which of the following manners
would meet the company’s objectives?

A.
11, 10, 12, 13

B.
12, 10, 11, 13

C.
13, 10, 12, 11

D.
13, 12, 11, 10

Explanation:

Lesedi

I don’t comprehend this question at all. Can anyone explain why the answer is A?

kayteefire

First of all, only rules 10 and 11 are important here:

>> 10. Deny Any Trust to Any DMZ eq to TCP port 22
This rule denies any SSH (Port 22) traffic going in or out of the DMZ network.

>> 11. Allow 10.200.0.0/16 to Any DMZ eq to Any
This rule allows anyone on the 10.200.0.0/16 network full access to the DMZ network.

A firewall goes through the rule list from top to bottom and gives precedence to the rules higher on that list. In this case, even though there is a rule giving full unrestricted access to the DMZ for anyone from the 10.200.0.0/16 network, the previous rule explicitly blocks all SSH traffic to the DMZ and it listens to that one first.

If you simply switch 10 and 11 around so rule 11 comes before 10, then it will apply full unrestricted access from the 10.200.0.0/16 network before putting a block on SSH traffic.
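As an added example (not code from the original post or the thread), here is a small first-match ACL evaluator in Python that models the four rules from the question and checks each answer choice against the stated objectives. The sample host addresses are constructed, and treating "Any Trust" as any source address is an assumption.

```python
import ipaddress

# ACL from the question, keyed by rule number (constructed for this example).
# (action, source network, protocol or None for any, port set or None for any)
RULES = {
    10: ("deny", "0.0.0.0/0", "tcp", {22}),         # Deny Any Trust -> Any DMZ TCP/22
    11: ("allow", "10.200.0.0/16", None, None),     # Allow 10.200.0.0/16 -> Any DMZ Any
    12: ("allow", "10.0.0.0/8", "tcp", {80, 443}),  # Allow 10.0.0.0/8 -> Any DMZ TCP/80,443
    13: ("deny", "0.0.0.0/0", None, None),          # Deny Any Trust -> Any DMZ Any
}

def evaluate(order, src_ip, proto, port):
    """First-match evaluation: return the action of the first rule in `order`
    whose source, protocol and port all match; implicit deny if none does."""
    src = ipaddress.ip_address(src_ip)
    for rule_id in order:
        action, net, rproto, rports = RULES[rule_id]
        if src not in ipaddress.ip_network(net):
            continue
        if rproto is not None and rproto != proto:
            continue
        if rports is not None and port not in rports:
            continue
        return action
    return "deny"

def meets_objectives(order):
    """10.200.0.0/16 may use anything (SSH included); the rest of 10.0.0.0/8
    gets HTTP/HTTPS only. Sample hosts are constructed test values."""
    return (
        evaluate(order, "10.200.1.5", "tcp", 22) == "allow"
        and evaluate(order, "10.200.1.5", "tcp", 443) == "allow"
        and evaluate(order, "10.50.1.5", "tcp", 80) == "allow"
        and evaluate(order, "10.50.1.5", "tcp", 443) == "allow"
        and evaluate(order, "10.50.1.5", "tcp", 22) == "deny"
        and evaluate(order, "10.50.1.5", "tcp", 3389) == "deny"
    )

OPTIONS = {
    "original": [10, 11, 12, 13],
    "A": [11, 10, 12, 13],
    "B": [12, 10, 11, 13],
    "C": [13, 10, 12, 11],
    "D": [13, 12, 11, 10],
}

if __name__ == "__main__":
    for name, order in OPTIONS.items():
        print(f"{name:8} {order} -> meets objectives: {meets_objectives(order)}")
```

Running it shows that only choice A satisfies both requirements; the original order fails because rule 10 matches SSH from 10.200.0.0/16 before rule 11 is ever consulted.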

Lesedi

thank you!

Ahmad

A very good way of explanation. Thanks as well!

Ahmad

But I disagree with the part that only 10 and 11 are important, because 12 is just as important for the second part of the question: “but restrict the rest of the 10.0.0.0/8 subnet to web browsing only.”