L1/L1.5 Network Security & Networking – Real-World Interview Q&A (Practical)
=============================================================

SECTION A – FIREWALL BASICS (Cisco ASA / FTD / FMC concepts)
-------------------------------------------------------------
1) Q: What are the first checks if a remote site reports application not reachable via firewall?
A: Verify interface/link status (show interface), routing/default route, ACL hit counts, NAT rules/xlate, packet-tracer path, VPN status (Phase 1/2), and service-policy drops (ASA: show asp drop).
2) Q: Difference between ASA access-group and FMC Access Control Policy?
A: ASA uses interface-bound access-group (ACLs) for L3/L4. FMC pushes ACP to FTD which evaluates rules top-down with additional security intelligence, IPS, and logging; order/sections and rule hit counts matter.
3) Q: How do you simulate a flow on ASA to see where it breaks?
A: Use packet-tracer. Example:
packet-tracer input inside tcp <src-ip> <src-port> <dst-ip> <dst-port> [detailed]
Review phases: ACL → NAT → Route lookup → VPN → Final action.
4) Q: What is same-security intra-interface (hairpinning) and when is it needed?
A: Traffic enters and exits the same interface (e.g., inside to inside via public IP). Enable:
same-security-traffic permit intra-interface
5) Q: Common reasons for drops on ASA?
A: Asymmetric routing, TCP state issues, invalid SYN, TTL expired, uRPF, connection limit, policy-map inspection, and ACL denies.
SECTION B – NAT TYPES & TROUBLESHOOTING (ASA/FTD)
-------------------------------------------------------------
6) Q: Name common NAT types and simple examples.
A: Dynamic PAT (Many-to-One): Inside users → single public IP.
Static NAT (One-to-One): Server mapped to fixed public IP.
Policy NAT: Match by source/destination/service and translate.
Twice NAT: Translate both source and destination in one rule.
7) Q: How do you check live translations on ASA?
A: show xlate (active translations), show nat detail (rules and hits).
8) Q: A server must be reached via its public IP from inside (hairpin NAT). What two things are necessary?
A: 1) Static NAT or twice NAT to map public→private; 2) same-security-traffic permit intra-interface. Optionally DNS doctoring if clients resolve public DNS.
9) Q: Users going to the internet fail intermittently after adding a new NAT rule. Why?
A: NAT rule order shadowing/overlap, missing route-lookup, or policy NAT precedence. Reorder NAT so specific rules appear before general PAT; verify route lookup behavior.
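The shadowing problem in Q9 can be checked offline before a change window. The following Python is an added example, not part of the original Q&A or any Cisco tool: it models first-match evaluation of ordered manual (twice) NAT rules with constructed prefixes, flags any rule that an earlier, more general rule already covers completely (so it can never be hit), and shows the "specific before general PAT" reordering. The rule names and addresses are made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    """One manual NAT rule, reduced to its original source/destination prefixes.
    Constructed model for the example; "any" is written as 0.0.0.0/0."""
    name: str
    src: str
    dst: str = "0.0.0.0/0"


def _covers(general: str, specific: str) -> bool:
    """True when the `specific` prefix lies entirely inside the `general` prefix."""
    return ipaddress.ip_network(specific).subnet_of(ipaddress.ip_network(general))


def find_shadowed(rules):
    """First-match evaluation: a rule is shadowed when an earlier rule already
    covers all of its source and destination space. Returns (shadowed, by) pairs."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                shadowed.append((later.name, earlier.name))
                break  # report only the first rule that hides it
    return shadowed


def _specificity(rule: NatRule) -> int:
    # Longer combined prefix length = more specific match
    return (ipaddress.ip_network(rule.src).prefixlen
            + ipaddress.ip_network(rule.dst).prefixlen)


def reorder_specific_first(rules):
    """Stable sort, most specific first, so a host static precedes a
    subnet-wide dynamic PAT instead of being hidden behind it."""
    return sorted(rules, key=_specificity, reverse=True)


# Constructed rule set: the general PAT was configured before the host static,
# which is exactly the misordering described in Q9.
SAMPLE_RULES = [
    NatRule("inside-pat", "10.0.0.0/8"),          # dynamic PAT for all inside users
    NatRule("web-static", "10.1.1.10/32"),        # static NAT for one server
    NatRule("dmz-pat", "172.16.0.0/12"),          # dynamic PAT for the DMZ
]

if __name__ == "__main__":
    print("shadowed before reorder:", find_shadowed(SAMPLE_RULES))
    fixed = reorder_specific_first(SAMPLE_RULES)
    print("order after reorder:", [r.name for r in fixed])
    print("shadowed after reorder:", find_shadowed(fixed))
```

On the sample set the host static `web-static` is reported as shadowed by `inside-pat`; after the reorder it sits first and nothing is shadowed. On a real ASA/FTD the same conclusion is confirmed from `show nat detail`, where a shadowed rule shows zero translate hits while the general rule above it keeps counting.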
SECTION C – IPSEC VPN (ASA/FTD)
-------------------------------------------------------------
10) Q: IPSec Phase 1 is down—what to verify?
A: Peer reachability, IKE version, ISAKMP/IKE policy match (encryption, hash, DH group, lifetime), authentication (PSK/cert), NAT-T if behind NAT, and correct tunnel-group.
11) Q: Phase 2 not forming after adding a new subnet—root causes?
A: Proxy-ID/crypto ACL mismatch, NAT exemption missing, wrong routing, or ACL order preventing interesting traffic. Ensure both peers include the exact new subnet pair.
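Both Q10 (Phase 1 policy match) and Q11 (Phase 2 proxy-ID mismatch) come down to comparing what the two peers are configured with. The following Python is an added example, not part of the original Q&A and not a Cisco utility: it takes constructed IKE policy lists and crypto ACL entries for two peers, finds which Phase 1 policies agree on encryption/hash/DH group/authentication (reporting a lifetime difference separately), and checks that each peer's interesting-traffic pairs are exact mirrors of the other side's. All policy values and subnets are made up for the demonstration.

```python
import ipaddress
from itertools import product

# Constructed Phase 1 policies for two peers (example values only)
PEER_A_IKE = [
    {"encryption": "aes-256", "hash": "sha256", "group": 14, "auth": "pre-share", "lifetime": 86400},
    {"encryption": "aes-128", "hash": "sha", "group": 5, "auth": "pre-share", "lifetime": 86400},
]
PEER_B_IKE = [
    {"encryption": "aes-256", "hash": "sha256", "group": 19, "auth": "pre-share", "lifetime": 86400},
    {"encryption": "aes-128", "hash": "sha", "group": 5, "auth": "pre-share", "lifetime": 28800},
]

PHASE1_KEYS = ("encryption", "hash", "group", "auth")


def phase1_matches(local, remote):
    """Return (local_idx, remote_idx, note) for every policy pair that agrees on
    encryption, hash, DH group and auth. A lifetime difference is noted, not
    treated as a hard mismatch, so the operator can review it."""
    found = []
    for (i, a), (j, b) in product(enumerate(local), enumerate(remote)):
        if all(a[k] == b[k] for k in PHASE1_KEYS):
            note = "" if a["lifetime"] == b["lifetime"] else \
                f"lifetime differs ({a['lifetime']} vs {b['lifetime']})"
            found.append((i, j, note))
    return found


# Constructed crypto ACL entries as (local_net, remote_net) pairs.
# Site A added 192.168.2.0/24; site B was given a /16 supernet instead of the exact /24.
SITE_A_ACL = [("192.168.1.0/24", "10.10.0.0/16"), ("192.168.2.0/24", "10.10.0.0/16")]
SITE_B_ACL = [("10.10.0.0/16", "192.168.1.0/24"), ("10.10.0.0/16", "192.168.0.0/16")]


def _pairs(acl):
    return {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in acl}


def proxy_id_mismatches(local_acl, remote_acl):
    """Each (local, remote) entry on one peer must appear as the exact
    (remote, local) mirror on the other. Supernets do not count as a match."""
    local_set, remote_set = _pairs(local_acl), _pairs(remote_acl)
    expected_on_remote = {(r, l) for l, r in local_set}
    expected_on_local = {(r, l) for l, r in remote_set}
    fmt = lambda pairs: sorted(f"{l} -> {r}" for l, r in pairs)
    return {
        "missing_on_remote": fmt(expected_on_remote - remote_set),
        "missing_on_local": fmt(expected_on_local - local_set),
    }


if __name__ == "__main__":
    print("Phase 1 usable policies:", phase1_matches(PEER_A_IKE, PEER_B_IKE))
    print("Phase 2 proxy-ID gaps:", proxy_id_mismatches(SITE_A_ACL, SITE_B_ACL))
```

On the sample data only the second policy pair can negotiate Phase 1 (the first differs on DH group 14 vs 19), and the Phase 2 check shows site B lacks the exact `10.10.0.0/16 -> 192.168.2.0/24` entry while carrying a `/16` supernet that site A does not mirror, which is the "exact new subnet pair" point from Q11.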