Sample questions
Cisco SCOR / CCNP Security Core 350-701 practice questions
A network engineer is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration includes a crypto map with a matching access list. Which command should be used to verify the security associations and error counters for the IPsec phase?
- A. show crypto ipsec sa
  Correct: Displays IPsec security associations and packet/error counters.
- B. show crypto engine statistics
  Why wrong: Shows crypto engine utilization, not SA details.
- C. debug crypto isakmp
  Why wrong: Debug command that can impact performance; not a verification show command.
- D. show crypto isakmp sa
  Why wrong: Shows IKE phase 1 SAs, not IPsec phase 2 SAs.

An engineer is configuring Cisco ISE for guest access. The requirement is that guests must accept an acceptable use policy (AUP) before being granted network access. Which portal type should be used?
- A. Sponsored guest portal
  Why wrong: Requires a sponsor, not suitable for self-service AUP acceptance.
- B. Hotspot guest portal
  Why wrong: Provides open access without authentication.
- C. BYOD portal
  Why wrong: Used for device onboarding, not guest access.
- D. Self-registration guest portal
  Correct: Allows guests to register and accept the AUP.

A financial company has a data center with Cisco FTD firewalls in a high-availability pair. They use Cisco ISE for network access control and Cisco Stealthwatch for network visibility. Recently, they deployed a new web application that is accessed by both internal employees and external customers. The application uses HTTPS on port 443. After deployment, the security team notices that the FTD is dropping some HTTPS sessions that appear legitimate. The drops are inconsistent and seem to occur only during peak hours. The FTD logs show the drop reason as 'TCP state violation'. The team has verified that the web server and clients are configured correctly. The Stealthwatch reports show no anomalies. What is the most likely cause and solution?
- A. Enable SSL decryption to inspect the encrypted traffic
  Why wrong: SSL decryption does not solve TCP state violations.
- B. Increase the TCP timeout values on the FTD to accommodate longer sessions
  Why wrong: Longer timeouts may help, but the issue is state mismatch, not timeout.
- C. Block all traffic to the web server except from trusted IPs
  Why wrong: This is too restrictive and would block legitimate external customers.
- D. Configure TCP state bypass on the FTD for the web server traffic
  Correct: Bypassing state tracking allows packets that may be asymmetric to pass without being dropped.

A company is implementing Cisco Umbrella to provide DNS-layer security. They want to block access to known malicious domains while allowing all other traffic. Which policy configuration should be used?
- A. Create a block list with known malicious domains
  Correct: A block list allows all traffic except the specified malicious domains.
- B. Enable selective proxy for all traffic
  Why wrong: Selective proxy is not a policy type in Umbrella.
- C. Create an allow list with only safe domains
  Why wrong: That would block all domains not on the list, which is too restrictive.
- D. Use a custom policy with both allow and block lists
  Why wrong: While possible, it is not the simplest approach, and typically a block list is sufficient.

Which THREE are characteristics of Cisco Stealthwatch?
- A. Can integrate with Cisco ISE for automated threat response
  Correct: Integration allows ISE to enforce policies based on Stealthwatch alerts.
- B. Provides behavioral analysis to detect threats
  Correct: It uses machine learning to establish baselines and detect anomalies.
- C. Acts as a next-generation firewall
  Why wrong: Stealthwatch is not a firewall; it's a traffic analysis tool.
- D. Uses NetFlow and IPFIX for network traffic visibility
  Correct: Stealthwatch collects flow data from network devices.
- E. Functions as an intrusion prevention system (IPS)
  Why wrong: It does not perform inline prevention; it is a detection and analysis tool.

Which TWO are valid methods for implementing Network Admission Control (NAC) in a Cisco environment?
- A. 802.1X authentication
  Correct: 802.1X is a standard for network access control.
- B. Dynamic ARP Inspection (DAI)
  Why wrong: DAI prevents ARP spoofing, not NAC.
- C. IP source guard
  Why wrong: IP source guard prevents IP spoofing, not NAC.
- D. DHCP snooping
  Why wrong: DHCP snooping is a security feature for DHCP, not NAC.
- E. MAC Authentication Bypass (MAB)
  Correct: MAB is used for devices that cannot perform 802.1X.

A network administrator is configuring Cisco ASA with FirePOWER services. The administrator wants to inspect SSL traffic but is concerned about certificate pinning in modern applications. Which action should the administrator take to ensure that SSL inspection does not break applications that use certificate pinning?
- A. Configure SSL inspection to bypass all traffic to avoid any issues
  Why wrong: This would defeat the purpose of SSL inspection.
- B. Install a custom root CA on all clients and configure the ASA to use that CA
  Why wrong: This is a general requirement for SSL inspection, but it does not address certificate pinning issues.
- C. Create an SSL decryption rule to exclude traffic from applications known to use certificate pinning
  Correct: Excluding pinned applications prevents the ASA from interfering with certificate validation.
- D. Use a decryption policy that decrypts the traffic but does not re-encrypt
  Why wrong: SSL inspection inherently requires re-encryption; you cannot leave traffic decrypted.

A network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?
- A. An ACL to match the traffic to be translated
  Correct: The ACL defines interesting traffic for NAT; without it, no packets are matched for translation.
- B. A NAT pool with available public IP addresses
  Why wrong: A NAT pool is needed for dynamic NAT, but the immediate issue is the missing ACL to match traffic.
- C. Port Address Translation (PAT) configuration
  Why wrong: PAT is a type of NAT, but the missing element is the ACL to identify traffic for translation.
- D. A route map to apply NAT based on destination
  Why wrong: Route maps are optional for policy-based NAT; standard NAT requires an ACL first.

A network administrator is configuring IKEv2 on a Cisco router and wants to ensure that the router does not initiate connections but only responds to incoming IKEv2 requests. Which configuration command should be applied?
- A. crypto ikev2 no initiate
  Why wrong: Not a valid command in Cisco IOS.
- B. crypto ikev2 passive
  Correct: This command disables IKEv2 initiation, making the router respond-only.
- C. crypto ikev2 limit max-incoming-sa 10
  Why wrong: Limits the number of incoming SAs, but does not prevent initiation.
- D. crypto ikev2 limit max-negotiations 10
  Why wrong: Limits simultaneous negotiations, but the router can still initiate.

A multinational corporation is migrating its on-premises data center to a public cloud provider. The security policy requires that all traffic between cloud VPCs and the on-premises network must be inspected by a next-generation firewall (NGFW) deployed in the cloud. The on-premises network uses BGP for dynamic routing. Which design meets the requirement while minimizing latency and administrative overhead?
- A. Deploy a transit VPC with an NGFW instance and configure BGP dynamic routing between the transit VPC, other VPCs, and the on-premises network.
  Correct: A transit VPC with NGFW and BGP allows traffic inspection and dynamic route exchange.
- B. Use AWS Transit Gateway with static routes pointing to the NGFW instance for inspection.
  Why wrong: Static routing is less flexible and does not support dynamic route exchange with on-premises BGP.
- C. Create a site-to-site VPN between each VPC and the on-premises network, and configure the NGFW on-premises.
  Why wrong: Traffic would not be inspected in the cloud; on-premises inspection introduces latency for cloud-to-cloud traffic.
- D. Use AWS Direct Connect to connect all VPCs to the on-premises network and place the NGFW on-premises.
  Why wrong: Direct Connect provides connectivity but does not inspect traffic; on-premises inspection adds latency.

A security team suspects that malware is exfiltrating data by encoding it in DNS queries. Which Cisco security solution is specifically designed to analyze DNS traffic for malicious activity?
- A. Cisco Firepower NGFW
  Why wrong: Firepower can inspect DNS but is not the primary solution for DNS tunneling detection.
- B. Cisco Stealthwatch
  Why wrong: Stealthwatch analyzes network flows, not specifically DNS payloads.
- C. Cisco Email Security Appliance
  Why wrong: ESA focuses on email threats, not DNS.
- D. Cisco Umbrella
  Correct: Umbrella provides DNS security and can detect tunneling.

An engineer is troubleshooting a site-to-site IPsec VPN between two Cisco routers. The tunnel is not establishing. Which command would verify that IKE phase 1 negotiations have completed successfully?
- A. show crypto ipsec sa
  Why wrong: This command shows IPsec phase 2 SAs, not IKE phase 1.
- B. show crypto isakmp sa
  Correct: This command displays IKE phase 1 security associations.
- C. show crypto map
  Why wrong: This shows the crypto map configuration, not negotiation status.
- D. debug crypto isakmp
  Why wrong: Debug commands are for real-time troubleshooting, not for verification.

An organization uses Cisco Umbrella for DNS-layer security. They want to block access to a newly discovered malicious domain (malware.example.com) immediately. Which action should the administrator take in the Umbrella dashboard?
- A. Add the domain to the 'Global Block List' under 'Managed Networks'.
  Why wrong: The global block list is for permanent blocks across all policies; adding to a policy block list is immediate for that policy.
- B. Add the domain to the 'Temporary Block List' under 'Security Settings'.
  Why wrong: The temporary block list is typically for IP addresses, not domains.
- C. Add the domain to the 'Block List' under the policy's 'Destination Lists'.
  Correct: The policy block list immediately blocks DNS queries to the domain for users under that policy.
- D. Add the domain to the 'IP Layer Enforcement' list.
  Why wrong: IP Layer Enforcement blocks traffic based on IP addresses, not domain names.

A security engineer is configuring Cisco Web Security Appliance (WSA) to block access to social media sites during business hours. The company wants to allow access to LinkedIn for the HR department. Which policy configuration approach should the engineer use?
- A. Create a time-based access policy to block social media during business hours, and an identity-based policy to allow LinkedIn for HR.
  Correct: Time-based policies restrict access during specific hours, and identity policies can exempt HR.
- B. Enable HTTPS decryption and block social media based on content.
  Why wrong: Decryption does not provide time-based or identity-based access control.
- C. Create a global URL filtering policy to block social media and add an exception for LinkedIn.
  Why wrong: A global block would affect all users, including HR, unless an identity exception is added.
- D. Configure Data Loss Prevention (DLP) to block social media posts.
  Why wrong: DLP is for data loss, not access control.

You are a security engineer for a multinational corporation with 5,000 employees. The company uses Cisco Umbrella for DNS-layer security, Cisco Web Security Appliance (WSA) for proxy services in the data center, and Cisco Email Security Appliance (ESA) for email security. Recently, the security team has received multiple reports of users receiving phishing emails that bypass the ESA. The emails contain links to malicious websites that are also not blocked by Umbrella or WSA. Upon investigation, you find that the phishing emails use newly registered domains (less than 24 hours old) and the malicious websites are hosted on cloud infrastructure with frequently changing IP addresses. The company's current security policies rely on signature-based detection and static blocklists. Which action should you take to most effectively mitigate these threats?
- A. Deploy Cisco Threat Response to enable automated threat hunting and blocking across all security products.
  Correct: Cisco Threat Response uses real-time intelligence to block emerging threats across the entire security stack.
- B. Configure the WSA to block all domains registered within the last 30 days.
  Why wrong: Blocking all new domains would block many legitimate websites and cause business disruption.
- C. Enable Data Loss Prevention (DLP) on the ESA to scan email content for sensitive data.
  Why wrong: DLP does not detect malicious URLs or unknown domains.
- D. Increase the frequency of signature updates on the ESA and WSA to every hour.
  Why wrong: Signatures are ineffective against newly registered domains that have not been analyzed yet.

Which TWO configuration steps are required to enable Cisco AMP for Endpoints to use the Threat Grid appliance for file analysis?
- A. Configure the AMP connector policy to submit files to the on-premises Threat Grid appliance.
  Correct: The connector policy must specify the Threat Grid appliance as the target for file analysis.
- B. Enable SSL decryption in the AMP connector policy.
  Why wrong: SSL decryption is not a prerequisite for Threat Grid file analysis; it may be used for other purposes.
- C. Register the Threat Grid appliance in the AMP cloud as a private analysis provider.
  Correct: The AMP cloud needs to know the Threat Grid appliance exists to route file analysis requests.
- D. Ensure the firewall allows inbound traffic to the Threat Grid appliance from the internet.
  Why wrong: The firewall should allow outbound traffic from endpoints to the Threat Grid appliance, not inbound.
- E. Install the Cisco Threat Grid Connector on each endpoint.
  Why wrong: The Threat Grid Connector is a separate product; AMP connectors do not require it for file submission.

A network administrator is troubleshooting an issue where users in the finance VLAN are unable to access a critical server in the server VLAN. The switch logs show multiple 'Authentication failed' messages for MAC addresses in the finance VLAN. The switchport security feature is enabled on the access ports. What is the most likely cause of the issue?
- A. The switch ports are configured as trunks and are not allowing the finance VLAN.
  Why wrong: Trunk configuration would affect all VLANs, not just specific MAC addresses.
- B. 802.1X authentication is failing for the finance users.
  Why wrong: 802.1X would show authentication failures, but the logs mention 'switchport security', not 802.1X.
- C. Spanning Tree Protocol (STP) is blocking the ports in the finance VLAN.
  Why wrong: STP blocking would affect the entire VLAN, not individual MAC addresses.
- D. Switchport security violation has caused the ports to error-disable or drop traffic.
  Correct: A switchport security violation can disable the port or drop traffic from unauthorized MAC addresses.

In a Cisco TrustSec deployment, security group tags (SGTs) are used to represent user and device roles. These tags must be propagated across the network. Which protocol is used to carry SGT information in Ethernet frames?
- A. MPLS
  Why wrong: MPLS is a WAN technology, not used for SGT in Ethernet frames.
- B. VXLAN
  Why wrong: VXLAN is used for network virtualization, not SGT propagation.
- C. GRE
  Why wrong: GRE is a tunneling protocol, not used for SGT.
- D. IEEE 802.1Q with SGT encapsulation (Cisco proprietary)
  Correct: Cisco TrustSec uses SGT over 802.1Q or other L2 methods.

Which TWO of the following are valid methods for deploying Cisco Firepower Threat Defense (FTD) in high availability?
- A. Active/Active failover
  Why wrong: FTD does not support Active/Active failover; it supports Active/Standby.
- B. Clustering
  Correct: FTD supports clustering for high availability and scalability.
- C. Load balancing with external load balancer
  Why wrong: External load balancing is not a native FTD HA method.
- D. Active/Standby failover
  Correct: FTD supports Active/Standby high availability.
- E. StackWise
  Why wrong: StackWise is specific to Cisco switches, not FTD.

Which THREE of the following are features of Cisco Identity Services Engine (ISE) that can be used to enforce network access control?
- A. Profiling
  Correct: ISE can profile endpoints to identify device type and OS.
- B. Posture assessment
  Correct: ISE checks endpoint compliance with security policies.
- C. Guest access management
  Correct: ISE provides captive portal and guest access policies.
- D. Application visibility
  Why wrong: Application visibility is provided by Cisco Firepower, not ISE.
- E. NetFlow analysis
  Why wrong: NetFlow analysis is a feature of Cisco Stealthwatch, not ISE.

A network engineer is implementing Cisco TrustSec in an enterprise network. Which two components are required for TrustSec to function correctly? (Choose two.)
- A. ISE
  Correct: ISE is the policy server that defines TrustSec policies and distributes SGTs.
- B. AAA server
  Why wrong: While ISE includes AAA, a standalone AAA server is not sufficient for TrustSec policy management.
- C. Firepower
  Why wrong: Firepower is not a required component for TrustSec; it may integrate but is not mandatory.
- D. SXP
  Correct: SXP is used to propagate SGTs to devices that do not support CTS natively.
- E. SGACL
  Why wrong: SGACL is a feature that is applied on access devices, not a required component itself.

Refer to the exhibit. An ASA is configured with the above access-list and NAT rule. A web server is reachable from the internet via the public IP 203.0.113.10. However, internal users from the inside network cannot access the web server using its public IP address. What is the most likely cause?
Exhibit:

```
configure terminal
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE extended permit udp any host 203.0.113.10 eq domain
nat (inside,outside) source dynamic any interface
```

- A. The NAT rule is missing a static NAT for the server.
  Correct: Without a static NAT, internal users cannot access the server via the public IP due to lack of hairpinning.
- B. The access-list does not permit traffic from inside to outside for that destination.
  Why wrong: The ACL is applied on the outside interface, so it does not filter inside-to-outside traffic.
- C. The interface ACL is applied inbound on the inside interface.
  Why wrong: The ACL is applied to the outside interface, not inside.
- D. The default route is missing.
  Why wrong: A missing default route would affect traffic to the internet, but not specifically internal access to a public IP.

Refer to the exhibit. An engineer has configured the ACL on the GigabitEthernet0/0 interface. Which of the following is true about the effect of this ACL?
Exhibit:

```
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group INBOUND in
!
ip access-list extended INBOUND
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
!
interface Serial0/0/0
 ip address 172.16.1.1 255.255.255.252
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.1.0 0.0.0.3
```

- A. It blocks all IP traffic from entering G0/0 because of the deny statement.
  Why wrong: The permit any any allows all traffic that is not denied.
- B. It blocks traffic sourced from 10.0.0.0/8 entering G0/0, but allows other traffic.
  Correct: The deny statement blocks source 10.0.0.0/8, and the permit any any allows all else.
- C. It permits all traffic because the ACL is misconfigured.
  Why wrong: The ACL is correctly configured and will block traffic from 10.0.0.0/8.
- D. It blocks traffic destined to 10.0.0.0/8 entering G0/0, but allows other traffic.
  Why wrong: The ACL filters on source address, not destination.

Refer to the exhibit. A security analyst sees this syslog message on a Cisco ASA. What does it indicate?
Exhibit:

```
%ASA-4-106023: Deny tcp src outside:203.0.113.50/443 dst DMZ:10.10.10.10/80 by access-group "OUTSIDE"
```

- A. A TCP connection from 10.10.10.10 to 203.0.113.50 was denied.
  Why wrong: The message shows the source as 203.0.113.50 and the destination as 10.10.10.10.
- B. A TCP connection from 203.0.113.50 to 10.10.10.10 was denied by the ACL named OUTSIDE.
  Correct: The syslog clearly indicates a deny by access-group OUTSIDE.
- C. A TCP connection from 203.0.113.50 to 10.10.10.10 was allowed and logged.
  Why wrong: The message says 'Deny', not 'Allow'.
- D. The ASA interface OUTSIDE is experiencing high CPU due to Denial of Service.
  Why wrong: The message is a single deny log, not an indication of high CPU or DoS.