An engineer wants to connect a single IP subnet through a Cisco FTD firewall and enforce policy. There is a requirement to present the internal IP subnet to the outside as a different IP address. What must be configured to meet these requirements?
A. Configure the Cisco FTD firewall in routed mode with NAT enabled.
B. Configure the upstream router to perform NAT.
C. Configure the Cisco FTD firewall in transparent mode with NAT enabled.
D. Configure the downstream router to perform NAT.
To meet the requirements of presenting the internal IP subnet as a different IP address while enforcing policy, the engineer needs to configure the Cisco FTD firewall with NAT.
Option A is the correct answer: Configure the Cisco FTD firewall in routed mode with NAT enabled.
Option D is also not the best solution because it would require configuring the downstream router to perform NAT, which may not be desirable or feasible in some environments.
Not exactly, to represent any IP through 2 different interfaces (i.e. inside and outside), then NAT is required in conjunction with routed mode for traffic forwarding (TX/RX). So, the answer might be (A).
C. does not make any sense, just think about it for a second, if you have the same single subnet on both sides of the FTD, why would you want to do NAT? The question even states that "There is a requirement to present the internal IP subnet to the outside as a different IP address", so it needs to be a different IP address. FTD in routed mode with NAT enabled will accomplish this.
I am leaning towards A, they mention internal & outside networks in the question indicating that this could be on the Internet edge? If there were an edge router acting as CPE then I would say transparent but who is directly connected to the outside network?
Cisco being Cisco.... What a shitty question. The key here is one subnet. That means transparent firewall mode, and BVI will act as proxy ARP for that NAT-ed IP.
Typical Cisco, trying to complicate a simple question. Instead of "The firewall is in routed/transparent mode", they say "An engineer wants to connect a single IP subnet THROUGH a Cisco FTD firewall and enforce policy". In my opinion that means transparent mode.
maybe A? A. Configure the Cisco FTD firewall in routed mode with NAT enabled.
To meet the requirements of presenting the internal IP subnet to the outside as a different IP address and enforcing policy, the Cisco FTD firewall should be configured in routed mode with Network Address Translation (NAT) enabled. This will allow the firewall to perform the necessary IP address translation while enforcing security policies on traffic passing through it. Configuring the upstream or downstream router to perform NAT would not allow for policy enforcement by the Cisco FTD firewall. Configuring the Cisco FTD firewall in transparent mode would not allow for IP address translation.
I vote C
https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/network_address_translation_nat_for_firepower_threat_defense.html#ID-2091-0000034e
Community vote distribution: A (35%, most voted), C (25%), B (20%), Other