PrepAway - Latest Free Exam Questions & Answers

Two BGP peers connected through a routed firewall are unable to establish a peering relationship.
What could be the most likely cause?

A. BGP peers must be Layer 2-adjacent.
B. EBGP multihop is not configured.
C. The firewall is not configured to allow IP protocol 89.
D. The firewall is not configured to allow UDP 179.

Explanation:
Routed Mode Overview
In routed mode, the security appliance is considered to be a router hop in the network. It can
perform NAT between connected networks, and can use OSPF or RIP (in single context mode).
Routed mode supports many interfaces. Each interface is on a different subnet. You can share
interfaces between contexts.
This section includes the following topics:
IP Routing Support
Network Address Translation
How Data Moves Through the Security Appliance in Routed Firewall Mode
IP Routing Support
The security appliance acts as a router between connected networks, and each interface requires
an IP address on a different subnet. In single context mode, the routed firewall supports OSPF
and RIP. Multiple context mode supports static routes only. We recommend using the advanced
routing capabilities of the upstream and downstream routers instead of relying on the security
appliance for extensive routing needs.
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the security appliance even if you allow
it in an access list. The transparent firewall, however, can allow almost any traffic through using
either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).

Note
The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any
packets that do not have a valid EtherType greater than or equal to 0x600. For example, you
cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.
For example, you can establish routing protocol adjacencies through a transparent firewall; you
can allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise,
protocols like HSRP or VRRP can pass through the security appliance.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through
using an EtherType access list.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass
through so that upstream and downstream routers can support the functionality. For example, by
using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay
feature) or multicast traffic such as that created by IP/TV.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwmode.html#wp1201691
