An engineer is tasked with deploying an internal perimeter firewall that will support multiple DMZs. Each DMZ has a unique private IP subnet range. How is this requirement satisfied?
A. Deploy the firewall in transparent mode with access control policies
B. Deploy the firewall in routed mode with access control policies
C. Deploy the firewall in routed mode with NAT configured
D. Deploy the firewall in transparent mode with NAT configured
Another tricky question that I don't like. A DMZ does NOT mean that we need NAT, because an internal DMZ without internet access (no NAT) is possible based on the question. Thus I will go C.
The DMZ concept is partly internal, owned by the organization. Some setups of an organization's internet-facing web servers reside in a DMZ, with NAT configured.
We need to know Cisco's meaning of DMZ first. Go through the link below.
https://www.cisco.com/c/dam/assets/sol/sb/isa500_emulator/help/guide/ad1681599.html
What do they mean by an "internal perimeter" firewall? My guess is that it is entirely within the private address space, so why would it need NAT? But the word "perimeter" makes me wonder if the person who wrote this meant it to be a site-level Internet edge device and they are just bad at describing things.
With routed mode you can have each DMZ with a different routing table and a unique private IP subnet range; an ACP can be used to control traffic between the different DMZs. NAT could be used but is not required in this case.
To support multiple DMZs with unique private IP subnet ranges, the engineer should deploy the firewall in routed mode with access control policies. Therefore, the correct answer is option B. By deploying the firewall in routed mode with access control policies, the engineer can configure the firewall to route traffic between the DMZs and the internal network based on their unique private IP subnet ranges. The access control policies can be used to enforce security policies to control which traffic is allowed between the DMZs and the internal network. This provides a secure and efficient way to manage traffic between the DMZs and the internal network.
Although ACPs seem obvious, the concept of a perimeter firewall is generalized, as is the private IP addressing, implying the need for NAT..., as there are no more specific variables.
A perimeter firewall could mean internet, but it does not explicitly say internet, so it does not explicitly say there is a need for NAT. However, it does explicitly ask for support of DMZs, and you can't have working DMZs without ACPs. You can have working DMZs without NAT. I'd go with B.
I think what we need to look at here is how the question is formed, and it says "firewall", not FTD or IPS or Firepower. So in pure firewall mode there is no IDS, so we need to assume that a "perimeter" firewall is connected to the internet, regardless of the "internal" statement. And so we need NAT configured.
C is the answer
Answers with NAT are wrong because it's an INTERNAL firewall, so no public routers are in play, the DMZs are all private ranges, and obscurity of IPs isn't beneficial against insiders. You'll definitely need routed interfaces, and access control policies to prevent unsolicited traffic from DMZ to inside.
It's not possible to assign multiple ACPs to a firewall in a non-multidomain setup. If this was a multidomain setup, the question would/should have stated that. If the question reads "policy" during your test, choose B. If it reads "policies", go with C, as B will be incorrect. Using NAT is not incorrect. Like kaka says, there might be scenarios where you want to use NAT.
I would have gone for B if the answer had said "access control policy". It does, however, state "access control policies", and having multiple ACPs for one firewall makes no sense. The question is very bad, as we don't know details of the setup, and scenarios without NAT are possible, but I think the answer is C.
Also, the fact that they point out that the DMZ interfaces do not have public ranges configured tells me that they want the NAT answer "Each DMZ has a unique private IP subnet range".
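As an added illustration (not from the original thread or from any commenter), here is an ASA-style routed-mode configuration fragment showing the design most of the thread describes: three DMZ interfaces, each on its own private subnet, with access lists controlling what each DMZ may reach, and no NAT statements at all. Interface names, addresses, ports and the internal hosts are assumed for the example.

```text
! Added example, not from the thread: routed mode, three DMZs on distinct
! RFC 1918 subnets, inter-DMZ and DMZ-to-inside traffic controlled by ACLs,
! no NAT. All names and addresses below are assumed for illustration.

! Routed mode is the default; transparent mode would bridge at layer 2
! and would not route between the DMZ subnets.
no firewall transparent
! Required only because dmz1 and dmz2 share a security level and must talk.
same-security-traffic permit inter-interface

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 10.10.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 10.10.2.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/3
 nameif dmz3
 security-level 50
 ip address 10.10.3.1 255.255.255.0
 no shutdown
!
! Further internal networks sit behind an assumed core router on the inside segment.
route inside 10.20.0.0 255.255.0.0 10.0.0.254 1

! dmz1 may reach one assumed internal API host on 443; everything else is denied and logged.
access-list DMZ1_IN extended permit tcp 10.10.1.0 255.255.255.0 host 10.20.5.10 eq 443
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1

! dmz2 may reach dmz1 on an assumed database port only; nothing toward inside.
access-list DMZ2_IN extended permit tcp 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0 eq 5432
access-list DMZ2_IN extended deny ip any any log
access-group DMZ2_IN in interface dmz2

! dmz3 initiates nothing; replies to flows started from inside still pass statefully.
access-list DMZ3_IN extended deny ip any any log
access-group DMZ3_IN in interface dmz3

! inside may initiate toward the DMZ ranges; tighten per service as needed.
access-list INSIDE_IN extended permit ip 10.0.0.0 255.0.0.0 10.10.0.0 255.255.0.0
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! No "nat" statements: the private addresses are routed unchanged.
! Check: "show firewall" should report "Firewall mode: Router";
! "show nat" should list no rules.
```

The point the fragment makes is the one several commenters argue: unique per-DMZ subnets are satisfied by routed interfaces, and isolation between DMZs and the inside is enforced by the access lists bound to each interface. NAT is a separate decision that this requirement alone does not force; it can be layered on later if a DMZ is ever exposed toward the Internet.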
Commenters: houhou12322 (4 months, 3 weeks ago); gwb (11 months, 3 weeks ago); achille5 (1 year, 5 months ago); achille5 (12 months ago); THEODORABLE (1 year, 8 months ago); ureis (1 year, 9 months ago); Joe_Blue (1 year, 10 months ago); felagund (1 year, 11 months ago); Weyland (2 years, 4 months ago); Soter (2 years, 7 months ago); xziomal9 (2 years, 7 months ago); Grandslam (2 years, 10 months ago); trickbot (2 years, 11 months ago); netwguy (2 years, 10 months ago); kplost (3 years, 4 months ago); Sarbi (3 years, 4 months ago); netwguy (3 years, 5 months ago); netwguy (3 years, 5 months ago); Javimc (3 years, 5 months ago); kakakayayaya (3 years, 5 months ago); Bobster02 (3 years, 6 months ago)