Chapter 13 - IOS Zone Based Firewall

Question 1

What are Class Maps used for?

Answer 1

Class maps are used to identify traffic. Class maps can refer to ACL’s to to identify traffic.

• match-all condition = all entries must match
• match-any condition = only a single entry must match

Question 2

What do Policy Maps do?

Answer 2

These are the actions that should be taken on the traffic that is identified by class maps. The actions are as follows:

• Inspect - Permit traffic and add an entry to the stateful database (for return traffic to come back)
• Pass - Permit but do not make stateful database entry
• Drop - Deny the packet
• Log - Log the dropped packets

Question 3

What are Service Policies used for?

Answer 3

This is where you apply the policies, identified from a policy map to a zone pair.

Question 4

What command would be used to view “inspect” class maps?

Answer 4

show class-map type inspect

Question 5

How do you view policy map sessions?

Answer 5

show policy-map type inspect zone-pair < zone-pair-name> sessions

Question 6

What command can help you figure out if NAT is working?

Answer 6

show ip nat translations

Question 7

What are the four possible actions on traffic that meets a zone-based firewall policy map?

Answer 7

Inspect - Permit and statefully inspect the traffic (traffic that comes from a device that expects reply traffic)

Pass - Permits / allows the traffic but does not create an entry in the stateful database (traffic that does not need a reply)

• *Log** - Log the packets (add this to the dropped action on a policy to see information about packets that were stopped)
• *Drop **- Deny the packet