312-50V11 · Question #800
To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can
The correct answer is A. If (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then. The firewall rule must correctly specify the workstation subnet in CIDR notation as source, the bank IP as destination, and port 443 for HTTPS-only enforcement.
Question
To reach a bank web site, the traffic from workstations must pass through a firewall. You have been asked to review the firewall configuration to ensure that workstations in network 10.10.10.0/24 can only reach the bank web site 10.20.20.1 using https. Which of the following firewall rules meets this requirement?
Options
- AIf (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 443) then
- BIf (source matches 10.10.10.0/24 and destination matches 10.20.20.1 and port matches 80 or
- CIf (source matches 10.20.20.1 and destination matches 10.10.10.0/24 and port matches 443) then
- DIf (source matches 10.10.10.0 and destination matches 10.20.20.1 and port matches 443) then
How the community answered
(27 responses)- A74% (20)
- B15% (4)
- C7% (2)
- D4% (1)
Why each option
The firewall rule must correctly specify the workstation subnet in CIDR notation as source, the bank IP as destination, and port 443 for HTTPS-only enforcement.
This rule correctly uses 10.10.10.0/24 CIDR notation to match all workstations in the subnet as the source, specifies 10.20.20.1 as the destination, and restricts traffic to port 443 which is the standard HTTPS port. Using /24 ensures all 254 usable host addresses in the subnet are covered, and port 443 enforces the HTTPS-only policy requirement.
Port 80 is the standard HTTP port, not HTTPS - permitting port 80 would allow unencrypted traffic and violates the HTTPS-only requirement.
Source and destination are reversed - 10.20.20.1 is the bank (destination), so this rule would match traffic originating from the bank rather than traffic from the workstations.
The source 10.10.10.0 without CIDR notation matches only that single host address (the network address), not the entire workstation subnet, so most workstations would be excluded.
Concept tested: Firewall ACL rule configuration for HTTPS subnet restriction
Source: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Topics
Community Discussion
No community discussion yet for this question.