Chapter 8. Access Lists and Network Address Translation

1:	An administrator creates an access list prohibiting Telnet on his router. He then successfully initiates a Telnet session from the router. What is the most likely reason the access list failed? A. The access list should be changed to stop UDP traffic. B. The access list should be changed to stop TCP traffic. C. The access list should be changed to block port 23 traffic. D. The access list cannot stop the administrator's action.
2:	Which of the following are valid reasons to implement access lists? (Choose three.) A. Priority queuing B. Route filtering C. Dial-on-demand routing D. Console port security
3:	Which of the following are types of access lists? (Choose three.) A. Standard B. Extended C. Restricted D. Static E. Named F. Unnamed
4:	Which types of access lists can filter traffic based on the source port? (Choose two.) A. Standard B. Extended C. Restricted D. Static E. Named F. Unnamed
5:	Which type of access list can filter based only on the source address of a packet? A. Standard B. Extended C. Dynamic D. Static E. Named F. Unnamed
6:	Which of the following identifiers can be used for standard access lists? (Choose two.) A. 91 B. 107 C. 1270 D. 1902
7:	Which of the following identifiers can be used for extended access lists? (Choose two.) A. 99 B. 100 C. 2500 D. 2700
8:	Which access list type allows you to delete entries in a specific access list? A. Standard B. Extended C. Named D. Unnamed
9:	You are filtering traffic to an FTP site and you want only FTP traffic to reach the server. You do not want additional traffic to reach the server. Which traffic should be allowed? A. TCP on ports 20 and 21 B. UDP on ports 20 and 21 C. TCP on port 21 D. TCP and UDP on ports 20 and 21
10:	You have established a DNS server on one of your networks. You need to permit traffic, including queries and zone transfers, to the DNS server using access lists. Which traffic should be allowed? A. TCP and UDP on ports 53 B. TCP and UDP on port 69 C. TCP and UDP on port 67 D. TCP on port 67
11:	What happens to a packet that does not meet the conditions of any access list filters? A. The packet is routed normally. B. The packet is flagged and then routed. C. The packet is dropped. D. The administrator is notified.
12:	Which of the following statements regarding outbound access lists are correct? (Choose two.) A. Outbound access lists cannot filter packets originating from the router. B. Outbound access lists filter packets before a routing decision has been made. C. Outbound access lists drop packets that are not routable. D. Outbound access lists can drop packets based on protocol numbers.
13:	Which of the following statements regarding inbound access lists are correct? (Choose three.) A. Inbound access lists cannot filter packets originating from the router. B. Inbound access lists filter packets before a routing decision has been made. C. Inbound access lists drop packets that are not routable. D. Inbound access lists can drop packets based on protocol numbers.
14:	You create an access list with a single entry to deny all FTP traffic. Which of the following is the most accurate statement regarding this access list? A. Only FTP traffic is denied. B. All traffic is denied. C. All traffic is permitted. D. All traffic except FTP traffic is denied.
15:	You have an IP address and wildcard mask of 172.16.99.25 0.0.255.255. Which of the following IP addresses are affected by this rule? (Choose two.) A. 172.16.99.1 B. 192.168.99.25 C. 172.30.99.25 D. 172.16.1.1
16:	You have an IP address and wildcard mask of 10.0.20.5 255.255.0.0. Which of the following IP addresses are affected by this rule? (Choose two.) A. 10.0.0.10 B. 192.168.20.5 C. 172.30.20.5 D. 10.2.1.1
17:	Which of the following is an abbreviation for the access list entry 172.16.32.3 0.0.0.0? A. Single 172.16.32.3 B. Host 172.16.32.3 C. 172.16.32.3 0 D. One 172.16.32.3
18:	What is the abbreviation for the wildcard mask of all ones? A. all B. none C. any D. full
19:	You want to create an access list to filter all traffic from the 172.16.16.0 255.255.240.0 network. What wildcard mask is appropriate? A. 0.0.7.255 B. 0.0.15.255 C. 0.0.31.255 D. 0.0.63.255
20:	You want to create an access list to filter all traffic from the 10.0.64.0 255.255.224.0 network. What wildcard mask is appropriate? A. 0.0.7.255 B. 0.0.15.255 C. 0.0.31.255 D. 0.0.63.255
21:	Regarding access lists, which of the following statements is correct? A. Only one access list per protocol, per direction, per interface B. Only one access list per port number, per protocol, per interface C. Only one access list per port number, per direction, per interface D. Only one access list per port number, per protocol, per direction
22:	Which of the following is accurate regarding the ordering of access lists? A. Named access list lines can be added anywhere in an access list. B. The ordering of an access list is not important, as all rules are checked. C. More specific rules in an access list should be placed lower in the list. D. Access lists are processed from the top of the access list to the end.
23:	You have an internal web server that must be accessed from the corporate Internet connection. This internal web server has the IP address 172.16.55.10. The router accesses the Internet through the FastEthernet0/1 interface. What NAT syntax is necessary to forward HTTP requests to the internal web server? A. ip nat outside destination tcp 80 fastEthernet0/1 172.16.55.10 80 B. ip nat inside source static tcp 172.16.55.10 80 interface fastEthernet 0/1 80 C. ip nat outside source tcp 80 172.16.55.10 80 interface fastEthernet0/1 80 D. ip nat inside destination static tcp 172.16.55.10 80 interface fastEthernet 0/1 80
24:	You would like to configure NAT for a small office DSL connection, as shown in the figure below. Users on the 192.168.254.0/24 network should share the public address assigned to the router's Ethernet 0/3 interface for public access. In addition, one of the internal users (192.168.254.32) is running an FTP server containing files that need to be accessed from the Internet. Which of the following configurations accomplishes these objectives? Small office DSL connection. A. interface fastethernet 2/0 ip nat inside interface Ethernet 0/3 ip nat outside ip nat inside source interface Ethernet 0/3 interface fastethernet 2/0 overload B. interface fastethernet 2/0 ip nat inside interface Ethernet 0/3 ip nat outside ip nat inside source static 192.168.254.32 interface fastethernet 2/0 ip nat inside source interface ethernet 0/3 interface fastethernet 2/0 overload C. interface fastethernet 2/0 ip nat inside interface Ethernet 0/3 ip nat outside access-list 50 permit 192.168.254.0 0.0.0.255 ip nat inside source static tcp 192.168.254.32 21 interface fastethernet 2/0 21 ip nat inside source list 50 interface fastethernet 2/0 overload D. interface fastethernet 2/0 ip nat inside interface Ethernet 0/3 ip nat outside access-list 50 permit 192.168.254.0 0.0.0.255 ip nat inside source static tcp interface ethernet 0/3 21 interface fastethernet 2/0 21 ip nat inside source list 50 interface fastethernet 2/0
25:	You create an access list in Notepad in preparation to apply it to an interface. Before you add the lines to the access list, you apply the list to the intended interface. What is the result? A. You receive an error message to create the access list. B. You permit all traffic through the interface. C. All traffic through the interface is denied. D. You receive a syntax error message.
26:	Network Address Translation (NAT) typically translates between one or more internal private addresses to public Internet addresses. What ranges are defined in RFC 1918 as internal private addresses? (Choose three.) A. 10.0.0.0/8 B. 172.16.0.0/16 C. 169.254.0.0/16 D. 172.16.0.0/16–172.31.255.255/16 E. 192.168.0.0/24–192.168.255.255/24 F. 224.0.0.0/24
27:	You are troubleshooting a NAT configuration on your 2514 router. It seems that all of the syntax is in place, but users are not able to access the Internet. You are able to ping Internet websites from your router successfully. What is the most likely cause of the problem? Relevant router configuration: interface fastethernet 0 ip address 192.168.1.1 255.255.255.0 interface fastethernet 1 ip address dhcp ip nat outside ip route 0.0.0.0 0.0.0.0 fastethernet 1 access-list 50 permit 192.168.1.0 0.0.0.255 ip nat inside source static tcp 192.168.1.50 80 interface fastethernet 1 80 ip nat inside source list 50 interface fastethernet 1 overload A. The static route is incorrect. It needs to be pointed to the ISP next-hop address rather than the router's local interface. B. The NAT configuration is incomplete. C. Static NAT features cannot be combined with the NAT Overload features. D. All of the above.
28:	Which of the following creates a standard access list that allows traffic from the 172.16 subnet? A. access-list 1 permit 172.16.0.0 0.0.255.255 B. access-list 100 permit 172.16.0.0 255.255.0.0 C. access-list 1 permit 172.16.0.0 255.255.0.0 D. access-list 100 permit 172.16.0.0 0.0.255.255
29:	Which of the following access list lines denies access to a computer with an IP of 172.16.0.5? A. access-list 1 172.16.0.5 0.0.0.0 deny B. access-list 1 deny host 172.16.0.5 C. access-list 1 deny 172.16.0.5 255.255.255.255 D. access-list 101 deny 172.16.0.5 0.0.0.0
30:	You want to create an access list that denies port 23 TCP traffic from the 172.30.10.0 network and that is destined for the 172.30.20.0 network. Which of the following commands accomplishes this? A. access-list 101 tcp deny 172.30.10.0 0.0.0.255 172.30.20.0 0.0.0.255 eq 23 B. access-list 91 tcp deny 172.30.10.0 0.0.0.255 172.30.20.0 0.0.0.255 eq 23 C. access-list 101 deny tcp 172.30.10.0 0.0.0.255 172.30.20.0 0.0.0.255 eq 23 D. access-list 91 deny tcp 172.30.10.0 0.0.0.255 172.30.20.0 0.0.0.255 eq 23
31:	You want to create an access list that denies all outbound traffic to port 80 from the 10.10.0.0 network. Which access list entry meets your requirements? A. access-list 101 deny tcp 10.10.0.0 0.0.255.255 eq 80 B. access-list 91 deny tcp 10.10.0.0 0.0.255.255 any eq 80 C. access-list 101 deny tcp 10.10.0.0 0.0.255.255 all eq 80 D. access-list 101 deny tcp 10.10.0.0 0.0.255.255 any eq 80
32:	Which of the following forms of NAT allows you to translate one group of IP addresses to another in a 1:1 relationship with minimal configuration? A. Port Address Translation B. Static NAT C. NAT Overload D. Dynamic NAT
33:	You are configuring the Internet connection for the network pictured in the figure below. The initial NAT Overload configuration has been set up; you must now publish the internal FTP and web server to the Internet. What commands accomplish this? (Choose two.) Internet network connection. A. ip nat inside source static tcp 80 192.168.254.100 80 24.15.240.9 B. ip nat inside source static tcp 192.168.254.50 20 24.15.240.9 20 C. ip nat inside source static tcp 192.168.254.50 21 24.15.240.9 21 D. ip nat inside source static tcp 192.168.254.100 80 24.15.240.9 80 E. ip nat inside source static tcp 21 192.168.254.50 21 24.15.240.9
34:	You want to use access list 1 to filter traffic on your inbound vty lines. What command do you enter? A. access-group 1 in B. access-group 1 vty in C. access-list 1 in D. access-class 1 in
35:	Which of the following statements are correct regarding the placement of access lists? (Choose two.) A. Place extended access lists close to the source. B. Place extended access lists close to the destination. C. Place standard access lists close to the source. D. Place standard access lists close to the destination.
36:	What command allows you to view access lists applied to interface serial 0/1? A. show access list serial 0/1 B. show access-group serial 0/1 C. show ip interface serial 0/1 D. show ip access-lists serial 0/1
37:	You want to view all entries in all access lists on your router. What is the appropriate command to enter? A. show ip access-lists B. show all access-lists C. show access-lists D. show all ip access-lists
38:	You need to link an extended access list to an Ethernet interface on your router. What command properly configures the interface? A. ip access-group 120 e0 B. ip access-group 120 out C. access-list 120 e0 D. access-list 120 in e0
39:	You need to permit SSH traffic. What port do you need to allow in your access lists? A. 22 B. 23 C. 69 D. 443
40:	You are hosting a POP3-based email server that users need to access. You need to deny all traffic except to the POP3 server. What port must you allow? A. 25 B. 143 C. 110 D. 443
41:	You want to prevent Telnet access to your router. After the access list is created, what configuration mode is appropriate to apply it? A. Privileged EXEC mode B. Global Configuration mode C. Interface Configuration mode D. Line Configuration mode
42:	You want to prevent Telnet access through your router. What configuration mode is appropriate? A. Privileged EXEC mode B. Global Configuration mode C. Interface Configuration mode D. Line Configuration mode
43:	You want to create access lists for vty lines. You also want to create an admin access list and a regular user access list. You've been told you should use the same access list for each line. Why should the same access lists be applied to all vty lines? A. To keep intruders out. B. To apply equal levels of security. C. You have to apply the same lists to each line. D. External users can't choose which lines they connect to.
44:	You are troubleshooting a standard access list and realize that an incorrect entry has been made. You want to remove the incorrect entry. What steps must you take? A. Delete all the lines starting from the last one until the incorrect line; then add the necessary lines. B. Delete all the lines starting from the first one until the incorrect line; then add the necessary lines. C. Delete all the lines and re-create the list. D. Delete the incorrect line.
45:	You are troubleshooting a named access list and realize that an incorrect entry has been made. You want to remove the incorrect entry. What steps must you take? A. Delete all the lines starting from the last one until the incorrect line; then add the necessary lines. B. Delete all the lines starting from the first one until the incorrect line; then add the necessary lines. C. Delete all the lines and re-create the list. D. Delete the incorrect line.
46:	You are configuring an office to use a Cisco router to connect to the Internet. The onsite network administrator would like to publish an internal email server, two internal web servers, and an internal FTP server to the Internet so outside users can access them. What is necessary for this configuration? A. You need a public Internet IP address for each internal server. These addresses can be mapped using Static NAT features. B. You need a single public Internet IP address for this configuration and use NAT Overload to share it among all four internal servers. C. You need a single public Internet IP address for this configuration and use Static NAT to map specific ports to all four internal servers. D. You need two public Internet IP addresses to accommodate the internal web servers. The FTP and email server can be mapped to individual ports on either of the addresses.
47:	You are creating an access list entry to control access to a vty line. Which configuration mode should you be in to create the entry? A. Privileged EXEC mode B. Global Configuration mode C. Interface Configuration mode D. Line Configuration mode
48:	Which keyword, when used with the access-list command, sends a message to the console? A. console B. log C. report D. send
49:	You want to remove access restrictions on your vty lines, after previously applying access list filters. What command should you enter? A. no access-list 1 B. no access-group 1 C. no access-class 1 D. access-group 1 delete
50:	You need to devise a wildcard mask that checks the first four bits of an octet. Which of the following is correct? A. 00001111 B. 11110000 C. 11000000 D. 00000011