PrepAway - Latest Free Exam Questions & Answers

Which three statements are the default security policy on a Cisco ASA appliance? (Choose three.)

A. Traffic that goes from a high security level interface to a lower security level interface is allowed.
B. Outbound TCP and UDP traffic is statefully inspected and returning traffic is allowed to traverse the Cisco ASA appliance.
C. Traffic that goes from a low security level interface to a higher security level interface is allowed.
D. Traffic between interfaces with the same security level is allowed by default.
E. Traffic can enter and exit the same interface by default.
F. When the Cisco ASA appliance is accessed for management purposes, the access must be made to the nearest Cisco ASA interface.
G. Inbound TCP and UDP traffic is statefully inspected and returning traffic is allowed to traverse the Cisco ASA appliance.

Explanation:
The security algorithm is responsible for implementing and enforcing your security policies. The algorithm uses a tiered hierarchy that allows you to implement multiple levels of security. To accomplish this, each interface on the appliance is assigned a security level number from 0 to 100, where 0 is the least secure and 100 is the most secure. The algorithm uses these security levels to enforce its default policies.
Here are the four default security policy rules for traffic as it flows through the appliance:
·Traffic flowing from a higher-level security interface to a lower one is permitted by default.
·Traffic flowing from a lower-level security interface to a higher one is denied by default.
·Traffic flowing from one interface to another with the same security level is denied by default.
·Traffic flowing into and then out of the same interface is denied by default.
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_rules.html#wp1120072
Implicit Permits
For routed mode, the following types of traffic are allowed through by default:
·IPv4 traffic from a higher security interface to a lower security interface.
·IPv6 traffic from a higher security interface to a lower security interface.
For transparent mode, the following types of traffic are allowed through by default:
·IPv4 traffic from a higher security interface to a lower security interface.
·IPv6 traffic from a higher security interface to a lower security interface.
·ARPs in both directions.
Implicit Deny
Interface-specific access rules do not have an implicit deny at the end, but global rules on inbound traffic do have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the adaptive security appliance except for particular addresses, then you need to deny the particular addresses and then permit all others.

When you have no global access rules in your configuration, the implicit deny rule is applied at the end of interface access rules. When you configure both an interface access rule and a global access rule, the implicit deny (any any) is no longer located at the end of the interface-based access rule. The implicit deny (any any) is enforced at the end of the global access rule. Logically, the entries on the interface-based access rule are processed first, followed by the entries on the global access rule, and then finally the implicit deny (any any) at the end of the global access rule.
For example, when you have an interface-based access rule and a global access rule in your configuration, the following processing logic applies:
1. interface access control rules
2. global access control rules
3. default global access control rule (deny any any)
When only interface-based access rules are configured, the following processing logic applies:
1. interface access control rules
2. default interface access control rule (deny any any)
For EtherType rules, the implicit deny does not affect IPv4 or IPv6 traffic or ARPs; for example, if you allow EtherType 8037 (the EtherType for IPX), the implicit deny at the end of the list does not block any IP traffic that you previously allowed with an access rule (or implicitly allowed from a high security interface to a low security interface). However, if you explicitly deny all traffic with an EtherType rule, then IP and ARP traffic is denied.
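To make the processing order above concrete, here is an added Python model (not Cisco code and not from the original page) of the security-level defaults, the interface-then-global rule order with its implicit deny, and the stateful allowance for returning traffic. Interface names, levels and addresses are constructed, and the model assumes the explicit-rule path with its implicit deny also applies when only global rules exist, a case the text does not spell out.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str        # "permit" or "deny"
    src: str = "any"   # source address or "any"
    dst: str = "any"   # destination address or "any"

    def matches(self, src, dst):
        return self.src in ("any", src) and self.dst in ("any", dst)

@dataclass
class Interface:
    name: str
    security_level: int                               # 0 (least secure) to 100 (most secure)
    access_rules: list = field(default_factory=list)  # inbound rules applied to this interface

class Asa:
    def __init__(self, global_rules=()):
        self.global_rules = list(global_rules)
        self.conns = set()   # stateful connection table: (in_if, out_if, src, dst)

    def _explicit_rules(self, ingress, src, dst):
        # Interface rules first, then global rules, then the implicit deny (any any).
        for rule in ingress.access_rules + self.global_rules:
            if rule.matches(src, dst):
                return rule.action
        return "deny"

    def forward(self, ingress, egress, src, dst):
        # Returning traffic of an established connection is allowed back through.
        if (egress.name, ingress.name, dst, src) in self.conns:
            return "permit"
        if ingress.name == egress.name:
            verdict = "deny"     # into and out of the same interface: denied by default
        elif ingress.access_rules or self.global_rules:
            verdict = self._explicit_rules(ingress, src, dst)   # assumption: see lead-in
        elif ingress.security_level > egress.security_level:
            verdict = "permit"   # higher to lower security level: implicit permit
        else:
            verdict = "deny"     # lower to higher, or equal levels: denied by default
        if verdict == "permit":
            self.conns.add((ingress.name, egress.name, src, dst))
        return verdict

if __name__ == "__main__":
    inside, outside = Interface("inside", 100), Interface("outside", 0)
    asa = Asa()
    print(asa.forward(inside, outside, "10.0.0.5", "203.0.113.9"))  # permit: high to low
    print(asa.forward(outside, inside, "203.0.113.9", "10.0.0.5"))  # permit: return traffic
```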
Management access to an interface other than the one from which you entered the adaptive security appliance is not supported. For example, if your management host is located on the outside interface, you can only initiate a management connection directly to the outside interface. The only exception to this rule is through a VPN connection, and entering the management-access command. For more information about the management-access command, see the Cisco ASA 5500 Series Command Reference.