VPN and ASA Firewall Interview Question

NETWORKER INTERVIEW |

Preface
CCIE stands for Cisco Certified Internetwork Expert. CCIE is an expert-level
certification program that lets experienced network engineers demonstrate and
extend their networking knowledge. It is one of the most respected and reputed
certifications in the networking industry. This eBook is ideal for candidates who
have completed or are pursuing CCIE certification and intend to go for
interviews. It will help you prepare for interviews and revise the concepts you
learned during your CCIE certification.

Copyright
Copyright © 2016. All rights reserved. No part of this book may be reproduced or
transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or by any information storage and retrieval system,
without written permission from the publisher.

NETWORKER INTERVIEW |
Page |3

Warning and Disclaimer

This book is designed to help candidates prepare for VPN and ASA Firewall
interviews. Every effort has been made to make this book as complete and as
accurate as possible, but no warranty or fitness is implied.

The publisher and the author make no representations or warranties with respect to
the accuracy or completeness of the contents of this work and specifically disclaim
all warranties, including without limitation warranties of fitness for a particular
purpose. The advice and strategies contained herein may not be suitable for every
situation. Neither the publisher nor the author shall be liable for damages arising
herefrom.

To Our Readers
Thank you for looking to Networker Interview for your CCIE interview
preparation needs. We at Networker Interview are proud of our reputation for
providing candidates with the knowledge needed to succeed in the highly
competitive interviews.
As always, your feedback is important to us. If you believe you’ve identified an
error in the book or if you have general comments or suggestions, feel free to
contact us through email at creatorstudio.s24@[Link]

Website
For CCNA, CCNP, CCIE and more visit [Link]

NETWORKER INTERVIEW |
Page |4

What is VPN?
Virtual Private Network (VPN) creates a secure network connection over a public
network such as the internet. It allows devices to exchange data through a secure
virtual tunnel. It uses a combination of security features like encryption,
authentication, tunneling protocols, and data integrity to provide secure
communication between participating peers.

What is Authentication, Confidentiality & Integrity?

Authentication – It verifies that the packet received is actually from the claimed
sender; in short, it verifies the authenticity of the sender. Pre-shared keys and
digital certificates are some of the methods that can be used for authentication.
Integrity – It ensures that the contents of the packet have not been altered or
modified in transit by a man-in-the-middle. Hashing algorithms include MD5 and SHA.
Confidentiality – It protects the message content through encryption so that data is
not disclosed to unauthorized parties. Encryption algorithms include DES (Data
Encryption Standard), 3DES (Triple-DES) and AES (Advanced Encryption Standard).

What is Symmetric and Asymmetric Encryption?

In symmetric encryption, a single key is used both to encrypt and decrypt traffic. It
is also referred to as shared-key or shared-secret encryption. Symmetric encryption
algorithms include DES, 3DES and AES.
In asymmetric encryption two keys are used: one key encrypts the traffic and the
other key decrypts it. The most common asymmetric encryption algorithm is RSA.

What is IPSec VPN?

An IPSec VPN is a VPN built on the IP Security (IPSec) protocol suite. It allows two
or more users to communicate securely by authenticating and encrypting each IP
packet of a communication session. IPSec provides data confidentiality, data
integrity and data authentication between participating peers.

At what layer does IPSec work?

IPSec secures traffic at Layer 3 (the Network Layer) of the OSI model.

What are the three main security services that IPSec VPN provides?
IPSec offers the following security services:-
1. Peer Authentication.
2. Data confidentiality.
3. Data integrity.


Name a major drawback of IPSec?


IPSec only supports unicast IP traffic.

Define Digital Signatures?


Digital signature is an attachment to an electronic message used for security
purposes. It is used to verify the authenticity of the sender. Digital signature allows
a computer or organization to safely exchange information over internet.

What is Authorization?
Authorization is a security mechanism used to determine user privileges or access
levels for network resources, including firewalls, routers, switches and
application features. Authorization is normally preceded by authentication; during
authorization, the system checks an authenticated user’s access rules and either
grants or refuses access to the resource.

What is Site to Site and Remote access VPN?


A site-to-site VPN allows offices in multiple locations to establish secure
connections with each other over a public network such as the Internet.
Remote Access VPN allows users to connect to the company’s network from a
remote location through a secure tunnel that is established over the Internet. The
remote user is able to access internal, private web pages and perform various
network tasks.
There are two primary methods of deploying Remote Access VPN:-
1. Remote access IPSec VPN.
2. Remote access Secure Sockets Layer (SSL) VPN.

Who initiates the connection in site-to-site and remote access VPN?

In a remote access VPN only the client can initiate the connection. In a site-to-site
VPN either peer can initiate the connection.

What are the 3 protocols used in IPSec?


1. Authentication Header (AH).
2. Encapsulating Security Payload (ESP).
3. Internet Key Exchange (IKE).

Explain IPSec Protocol Headers?


1. Encapsulating Security Payload (ESP) - It is an IP-based protocol, IP protocol
number 50, used for communication between IPSec peers. ESP is used to protect the
confidentiality, integrity and authenticity of the data and offers anti-replay
protection.


Drawback - ESP does not provide protection to the outer IP header.

2. Authentication Header (AH) - It is also an IP-based protocol, IP protocol number
51, used for communication between IPSec peers. AH is used to protect the integrity
and authenticity of the data and offers anti-replay protection.
Unlike ESP, AH also protects the IP header.
Drawback - AH does not provide confidentiality protection.

How do ESP & AH provide anti-replay protection?

Both ESP and AH provide anti-replay protection based on sequence numbers. The
sender increments the sequence number after each transmission, and the receiver
checks the sequence number and rejects the packet if it is out of sequence.
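The sequence-number check described above is normally implemented as a sliding bitmap window on the receiver so that reordered packets are still accepted while replays and very old packets are dropped. The following is an added example (not code from the original document) of that receiver-side window in the style of RFC 4303 Appendix A, together with the sender-side counter; the window size and the sample sequence numbers are constructed for illustration.

```python
# Added example, not from the original document: a receiver-side anti-replay
# window of the kind ESP and AH keep per Security Association (the sliding
# bitmap scheme of RFC 4303 Appendix A), plus the sender-side counter.
# WINDOW_SIZE and the sample sequences are constructed for illustration.

WINDOW_SIZE = 64  # RFC 4303 requires a minimum window of 32; 64 is typical


class AntiReplayWindow:
    """Tracks which sequence numbers have been accepted on one inbound SA."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it must be dropped."""
        if seq == 0:
            return False  # 0 is never a valid ESP/AH sequence number
        if seq > self.top:
            # Packet is newer than anything seen: slide the window right.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # everything previously seen falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # too old: left of the window, cannot tell if replayed
        if (self.bitmap >> offset) & 1:
            return False  # inside the window but already seen: replay
        self.bitmap |= 1 << offset  # late but legitimate (reordered) packet
        return True


class SenderCounter:
    """Outbound side: strictly increasing counter that must never wrap."""

    MAX_SEQ = (1 << 32) - 1  # 32-bit sequence number field

    def __init__(self):
        self.seq = 0

    def next_seq(self) -> int:
        if self.seq >= self.MAX_SEQ:
            # RFC 4303: the SA must be rekeyed before the counter wraps.
            raise RuntimeError("sequence number exhausted; rekey the SA")
        self.seq += 1
        return self.seq


def replay_decisions(seqs):
    """Feed a list of received sequence numbers through one window."""
    window = AntiReplayWindow()
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: in-order packets, a replay of 2, reordering of 4/5,
    # a big jump, a packet exactly one window behind (dropped) and one just
    # inside the window (accepted).
    sample = [1, 2, 3, 2, 5, 4, 100, 36, 37, 1]
    for s, ok in zip(sample, replay_decisions(sample)):
        print(f"seq {s:>3}: {'accept' if ok else 'DROP'}")
```

Note that the receiver cannot distinguish a replay from a genuinely late packet once it falls left of the window, so both are dropped; this is why the window must be large enough for the reordering the path actually produces.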

What is IKE?
It is a hybrid protocol that implements Oakley and SKEME key exchanges inside
the Internet Security Association and Key Management Protocol (ISAKMP)
framework. It defines the mechanism for creating and exchanging keys. IKE
derives authenticated keying material and negotiates SAs like hashing algorithm,
encryption mechanism, Diffie-Hellman group, authentication method.

Which protocol and port does IKE use?


IKE uses UDP port 500.

What are Security Associations?


The SAs define the protocols and algorithms to be applied to sensitive packets and
specify the keying material to be used by the two peers. SAs are unidirectional and
are established per security protocol (AH or ESP).

Explain how IKE/ISAKMP works?

IKE is a two-phase protocol:-
Phase 1
IKE phase 1 negotiates the following:-
1. It protects the phase 1 communication itself (using crypto and hash algorithms).
2. It generates a session key using Diffie-Hellman groups.
3. Peers authenticate each other using pre-shared keys, public-key encryption, or
digital signatures.
4. It also protects the negotiation of phase 2 communication.
There are two modes in IKE phase 1:-
Main mode - A total of six messages are exchanged in main mode to establish the
phase 1 SA.


Aggressive mode - It is faster than the main mode as only three messages are
exchanged in this mode. It is faster but less secure.
At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established
for IKE communication.

Phase 2
IKE phase 2 protects the user data and establishes security association for IPSec
tunnel.
There is one mode in IKE phase 2:-
Quick mode - In this mode three messages are exchanged to establish the phase 2
IPSec security associations.
At the end of phase 2 negotiations, two unidirectional IPSec SAs (Phase 2 Security
Associations) are established for user data—one for sending and another for
receiving encrypted data.

Explain the Messages exchange between the peers in IKE/ISAKMP?


Phase 1 - Main Mode

MESSAGE 1: Initiator offers a policy proposal which includes encryption,
authentication and hashing algorithms (like AES or 3DES, PSK or PKI, MD5 or
RSA).
MESSAGE 2: Responder presents policy acceptance (or not).
MESSAGE 3: Initiator sends the Diffie-Hellman key and nonce.
MESSAGE 4: Responder sends the Diffie-Hellman key and nonce.
Only the first four messages are exchanged in clear text. After this all messages are
encrypted.
MESSAGE 5: Initiator sends ID and pre-shared key or certificate exchange for
authentication.
MESSAGE 6: Responder sends ID and pre-shared key or certificate exchange for
authentication.

Phase 2 - Quick Mode

MESSAGE 7: Initiator sends Hash, IPSec Proposal, ID, nonce.
MESSAGE 8: Responder sends Hash, IPSec Proposal, ID, nonce.
MESSAGE 9: Initiator sends signature, hash, ID.
All messages in Quick mode are encrypted.


Explain the message exchange in Main mode (in detail)?

A total of six messages are exchanged in main mode. Before the message exchange
takes place, both initiator and responder calculate cookies which are used as
session identifiers.
Basically a cookie is created by hashing the source IP address, destination IP
address, source port, destination port, a locally generated random number, and the
time and date.

Cki (initiator’s cookie) = md5{[Link], [Link], [Link], [Link], random no, time, date}
Ckr (responder’s cookie) = md5{[Link], [Link], [Link], [Link], random no, time, date}

1. The first message is sent from initiator to responder. It contains the initiator’s
cookie (the responder’s cookie is set to zero) and the IKE policy proposal or security
associations: encryption mechanism, hash algorithm, authentication method,
Diffie-Hellman group and lifetime of the IKE SAs.
2. Upon receiving the first message from the initiator, the responder tries to match
the received IKE policies with its own locally configured IKE policies. Assuming
the responder finds a match, it responds with the second message, which contains
the IKE policies accepted, basically the SAs with which the responder agrees. It also
contains both the initiator’s and responder’s cookies. Now the IKE policy has been
negotiated between the peers.

Up to now two messages have been exchanged. Now both peers calculate their DH
public key and nonce value.
The initiator calculates its DH public key as g to the power of the initiator’s
private key, mod p:

Xi = G^pr_i mod p [where g is the generator and p is a large prime number]

Similarly, the responder calculates its Diffie-Hellman public key:

Xr = G^pr_r mod p

Besides this, both peers also generate a nonce value, which is a very large random
number and is used in the calculation of the keying material.

3. The third message is sent from initiator to responder. It contains the
Diffie-Hellman public key of the initiator in the key exchange payload and the nonce
value of the initiator in the nonce payload.
On receiving this, the responder calculates its shared secret as the DH public key of
the initiator to the power of the responder’s private key, mod p:


SSr=Xi^pr_r mod p

4. Similarly, the responder sends its DH public key value and nonce value in the
fourth message.
On receiving this, the initiator also calculates its shared secret as the DH public
key of the responder to the power of the initiator’s private key, mod p:
SSi = Xr^pr_i mod p

Now both peers have a shared secret, which should be the same on both sides.
After this both peers calculate three session keys using the shared secret, the nonce
values and the pre-shared key. These session keys are the same on both sides.

SKEYID = PRF(Preshared key, Ni/Nr)

SKEYID_d = PRF(SKEYID, shared secret, Cki, Ckr, 0)
SKEYID_a = PRF(SKEYID, SKEYID_d, shared secret, Cki, Ckr, 1)
SKEYID_e = PRF(SKEYID, SKEYID_a, shared secret, Cki, Ckr, 2)
Here Cki = initiator’s cookie, Ckr = responder’s cookie, PRF = a pseudo-random
function based on the negotiated hash.

Up to now all the messages exchanged were in clear text. From now on all messages
are encrypted.

5. In the fifth message, the initiator sends hash and identification values. The
identification payload contains information about the identity of the initiator, such
as its IP address or host name. The hash is used for authentication. On receiving
this message, the responder calculates the same hash on its end. If the two hashes
match, authentication has taken place (the initiator has been authenticated).
Message 5 is encrypted using SKEYID_e.
6. The sixth message is sent from responder to initiator and is similar to message 5.
It contains the identity of the responder and the responder’s hash. On receiving
this message, the initiator also calculates the same hash. If the generated hash is
equal to the received hash value, authentication succeeds (the responder has been
authenticated).

Explain three session keys that are generated during negotiation?


Three keys are generated at the end of message 4 and are used to authenticate the
two peers to each other as well as to encrypt the subsequent IKE message exchange.
i. SKEYID_d - used to calculate subsequent IPSec keying material.
ii. SKEYID_a – used to provide data integrity and authentication to subsequent
IKE messages.
iii. SKEYID_e – used to encrypt subsequent IKE messages.
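To make the main mode walkthrough and the three session keys concrete, here is an added example (not code from the original document) that runs both sides of messages 3 to 6 with pre-shared-key authentication, following the SKEYID and HASH_I/HASH_R formulas of RFC 2409 section 5. It also covers the Diffie-Hellman question below, since the DH exchange is the core of messages 3 and 4. The Diffie-Hellman group is a toy group (p = 2^127 - 1, g = 5) chosen so the example stays readable; it is not an IKE DH group. The PRF is assumed to be HMAC-SHA1, and the cookies, nonces, pre-shared key, SA body and identities are constructed values.

```python
# Added example, not from the original document: both sides of IKEv1 main mode
# messages 3-6 with pre-shared-key authentication, following RFC 2409 section 5.
# The DH group is a TOY group chosen so the numbers stay readable (it is NOT an
# IKE DH group); cookies, nonces, the PSK and the identities are constructed.
import hashlib
import hmac
import secrets
import time

P = (1 << 127) - 1   # toy prime (assumption for this example only)
G = 5                # toy generator


def dh_public(private: int) -> int:
    """X = g^private mod p, the value carried in the key exchange payload."""
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> int:
    """Shared secret = (peer's public value)^(own private key) mod p."""
    return pow(peer_public, private, P)


def int_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF; the negotiated hash is assumed to be SHA-1 (HMAC-SHA1)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def make_cookie(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """8-byte ISAKMP cookie built the way the text describes: a hash over the
    addresses, ports, a fresh random value and the current time."""
    material = f"{src_ip}|{dst_ip}|{sport}|{dport}|{time.time_ns()}".encode()
    return hashlib.md5(material + secrets.token_bytes(8)).digest()[:8]


def derive_skeyid(psk, ni, nr, shared, cki, ckr):
    """SKEYID, SKEYID_d, SKEYID_a, SKEYID_e for PSK authentication
    (RFC 2409 section 5.4)."""
    gxy = int_to_bytes(shared)
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cki + ckr + b"\x00")              # IPsec keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cki + ckr + b"\x01")   # IKE integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cki + ckr + b"\x02")   # IKE encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def auth_hash(skeyid, own_pub, peer_pub, own_cookie, peer_cookie, sa_body, own_id):
    """HASH_I / HASH_R sent in messages 5 and 6 (RFC 2409 section 5):
    prf(SKEYID, g^x_own | g^x_peer | CKY_own | CKY_peer | SAi_b | ID_own)."""
    return prf(skeyid, int_to_bytes(own_pub) + int_to_bytes(peer_pub)
               + own_cookie + peer_cookie + sa_body + own_id)


def main_mode(psk_i, psk_r, sa_body, id_i, id_r, priv_i=None, priv_r=None):
    """Run messages 3-6 on both sides. psk_i/psk_r are the PSKs each side has
    configured; they differ only in the mismatch case."""
    priv_i = priv_i or secrets.randbelow(P - 2) + 2
    priv_r = priv_r or secrets.randbelow(P - 2) + 2
    cki = make_cookie("203.0.113.1", "203.0.113.2", 500, 500)   # documentation IPs
    ckr = make_cookie("203.0.113.2", "203.0.113.1", 500, 500)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, xr = dh_public(priv_i), dh_public(priv_r)   # sent in messages 3 and 4
    ss_r = dh_shared(xi, priv_r)   # responder, after receiving message 3
    ss_i = dh_shared(xr, priv_i)   # initiator, after receiving message 4
    keys_i = derive_skeyid(psk_i, ni, nr, ss_i, cki, ckr)
    keys_r = derive_skeyid(psk_r, ni, nr, ss_r, cki, ckr)
    # Message 5: initiator sends HASH_I (under SKEYID_e); responder recomputes it.
    hash_i_sent = auth_hash(keys_i["SKEYID"], xi, xr, cki, ckr, sa_body, id_i)
    hash_i_expected = auth_hash(keys_r["SKEYID"], xi, xr, cki, ckr, sa_body, id_i)
    # Message 6: responder sends HASH_R; initiator recomputes it.
    hash_r_sent = auth_hash(keys_r["SKEYID"], xr, xi, ckr, cki, sa_body, id_r)
    hash_r_expected = auth_hash(keys_i["SKEYID"], xr, xi, ckr, cki, sa_body, id_r)
    return {
        "shared_secret_match": ss_i == ss_r,
        "keys_match": keys_i == keys_r,
        "initiator_authenticated": hmac.compare_digest(hash_i_sent, hash_i_expected),
        "responder_authenticated": hmac.compare_digest(hash_r_sent, hash_r_expected),
        "initiator_keys": keys_i,
    }


if __name__ == "__main__":
    ids = (b"SA-proposal", b"203.0.113.1", b"203.0.113.2")
    ok = main_mode(b"example-psk", b"example-psk", *ids)
    bad = main_mode(b"example-psk", b"wrong-psk", *ids)
    print("matching PSK  :", {k: v for k, v in ok.items() if k != "initiator_keys"})
    print("mismatched PSK:", {k: v for k, v in bad.items() if k != "initiator_keys"})
```

The mismatched-PSK run is worth studying: the Diffie-Hellman secret still agrees on both sides (DH alone is unauthenticated), but SKEYID and therefore HASH_I differ, so the responder's check on message 5 fails. That is exactly the pre-shared-key mismatch symptom the troubleshooting section later describes as negotiation getting stuck after message 5.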

Explain the message exchange in Quick mode (in detail)?

Three messages are exchanged in quick mode. All messages are encrypted and
hashed with the keys generated in phase 1.
1. The first message is sent from initiator to responder. It contains a hash, IPSec
proposals, a nonce and optionally another Diffie-Hellman public value and
identities. The hash is used to authenticate the message to the responder. The IPSec
proposals specify parameters such as protocol (ESP or AH), IPSec mode (tunnel or
transport), encryption mechanism and hashing algorithm. The Diffie-Hellman public
value is exchanged only if PFS (perfect forward secrecy) is set. The nonce protects
against replay attacks and can be used as keying material. The identities (proxy
identities) define which traffic is to be encrypted.
2. The second message is sent by the responder and contains the hash (used by the
initiator to authenticate the responder), the IPSec proposals accepted, nonce value,
DH value and identities. These serve the same purpose as those sent by the initiator.
3. The third and last message is sent by the initiator and contains a hash to verify
that the responder is alive.

Explain Aggressive Mode?

Aggressive mode is faster than main mode but less secure. In aggressive mode,
only three messages are exchanged in phase 1.
1. The first message is sent from initiator to responder. It contains the initiator’s
cookie, IKE policies, the initiator’s nonce value, the initiator’s DH public key and
ID_i (identity of the initiator).

On receiving this, the responder generates the shared secret and then the session
keys. Having generated the session keys, it uses SKEYID to generate hash_r for
authentication.

2. The second message is sent from responder to initiator. It contains both the
initiator’s and responder’s cookies, the accepted IKE policy, the responder’s nonce
value, the responder’s DH public key value, ID_r (identity of the responder), and
hash_r, used by the initiator to authenticate the responder. Message 2 is only
hashed, not encrypted.

Upon receiving message 2, the initiator calculates the shared secret and generates
the session keys. Now the initiator also calculates hash_r and, if the generated hash
is equal to the received hash, the responder is authenticated.

Now the initiator generates hash_i to allow the responder to authenticate it as well.

3. The third message is sent from initiator to responder. It contains the hash_i
which was generated. On receiving this, the responder also generates hash_i and, if
the generated hash_i is equal to the received hash_i, authentication succeeds.

Why is aggressive mode less secure than main mode?


In aggressive mode, both peers exchange their identities in the first two messages,
which are unencrypted.

What is the difference between Transport and Tunnel mode?

Tunnel mode - Protects data in network-to-network or site-to-site scenarios. In
tunnel mode, which is the default mode on Cisco routers, the original source and
destination IP addresses are encrypted; an ESP header is added, followed by a
new IP header.

Transport mode - Protects data in host-to-host or end-to-end scenarios. In transport
mode no new IP header is added, because the tunnel runs between the public IPs
themselves, unlike tunnel mode where the tunnel carries traffic between private
IPs. In transport mode the IP header is not protected (IPSec protects the payload of
the original IP datagram but excludes the IP header).
The IPSec protocols AH and ESP can operate in either tunnel or transport mode.

What is Diffie-Hellman?
DH is a public-key cryptography protocol which allows two parties to establish a
shared secret over an insecure communication channel. Diffie-Hellman is used
within IKE to establish session keys and is a component of Oakley.

How does Diffie-Hellman work?

Each side has a private key, which is never passed, and a Diffie-Hellman key
(public key used for encryption). When both sides want to do a key exchange they
send their public key to each other. For example, Side A gets the public key of Side
B, then using RSA it creates a shared key which can only be opened on Side B
with Side B's private key. So, even if somebody intercepts the shared key, he will
not be able to reverse-engineer it, as only the private key of Side B will be able to
open it.

What is Transform set?


An IKE transform set is a combination of security protocols and algorithms.
During the IPSec SA negotiation, the peers agree to use a particular transform set
for protecting a particular data flow.

What are Crypto access lists?

Crypto access lists specify which IP traffic is protected by crypto and which traffic
is not. To protect IP traffic the "permit" keyword is used in the access list; if the
traffic is not to be protected, the "deny" keyword is used.

What are Crypto maps?

A crypto map pulls together the various parts used to set up IPSec SAs,
including:-
1. Which traffic should be protected by IPSec (crypto access list).
2. Where IPSec-protected traffic should be sent (remote IPSec peer).
3. What IPSec SA should be applied to this traffic (transform sets).
Multiple interfaces can share the same crypto map set if we want to apply the same
policy to multiple interfaces.
If more than one crypto map entry is created for a given interface, the sequence
number of each map entry ranks the entries: the lower the seq-num argument, the
higher the priority.

How do you check the status of the tunnel’s phase 1 & 2?


We use following commands to check the status of tunnel phases:-
Phase 1 - show crypto isakmp sa
Phase 2 - show crypto ipsec sa


What is IPSec Virtual Tunnel Interface?


IPSec VTI is the concept of using a dedicated IPSec interface called IPSec Virtual
Tunnel Interface for highly scalable IPSec-based VPNs. IPSec VTI provides a
routable interface for terminating IPSec tunnels. VTI also allows the encrypting of
multicast traffic with IPSec.

What is the difference between Static Crypto Maps and Dynamic Crypto Maps?
Static Crypto Maps are used when peers are predetermined. It is basically used in
IPSec site to site VPNs.
Dynamic crypto maps are used with networks where the peers are not always
predetermined. It is basically used in IPSEC Remote Access VPNs.

What is Perfect Forward Secrecy (PFS)?

Normally the phase 2 keys are derived from the SKEYID_d of phase 1 (the session
key used for IPSec keying material), but if we enable PFS a fresh Diffie-Hellman
exchange takes place in phase 2 and totally new keying material is generated.
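The following added example (not code from the original document) shows the quick mode KEYMAT derivation of RFC 2409 section 5.5 run once without and once with PFS, so the difference PFS makes is visible in code rather than prose: without PFS the phase 2 key is a function of SKEYID_d and values that travel in the clear (SPI and nonces), whereas with PFS a fresh Diffie-Hellman secret that never crosses the wire is mixed in as well. The PRF is assumed to be HMAC-SHA1, the DH group is a toy group (not an IKE group), and SKEYID_d, the SPI and the nonces are constructed.

```python
# Added example, not from the original document: the quick mode KEYMAT
# derivation of RFC 2409 section 5.5, run once without and once with PFS, to
# show what PFS changes. The PRF is assumed to be HMAC-SHA1; the DH group is
# a toy group (not an IKE group); SKEYID_d, SPIs and nonces are constructed.
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime, assumption for this example only
G = 5
PROTO_IPSEC_ESP = b"\x03"   # protocol identifier from the ISAKMP DOI (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, qm_shared=None) -> bytes:
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    The bracketed DH secret is present only when PFS was negotiated."""
    prefix = b"" if qm_shared is None else qm_shared.to_bytes(16, "big")
    return prf(skeyid_d, prefix + PROTO_IPSEC_ESP + spi + ni + nr)


def quick_mode(skeyid_d: bytes, pfs: bool, priv_i=None, priv_r=None) -> dict:
    """Derive one ESP key on both peers for a single quick mode exchange."""
    spi = secrets.token_bytes(4)                                  # chosen by the receiver
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)     # messages 1 and 2
    if pfs:
        priv_i = priv_i or secrets.randbelow(P - 2) + 2
        priv_r = priv_r or secrets.randbelow(P - 2) + 2
        xi, xr = pow(G, priv_i, P), pow(G, priv_r, P)   # KE payloads on the wire
        key_i = keymat(skeyid_d, spi, ni, nr, pow(xr, priv_i, P))
        key_r = keymat(skeyid_d, spi, ni, nr, pow(xi, priv_r, P))
    else:
        key_i = key_r = keymat(skeyid_d, spi, ni, nr)
    # Defender's check: could this key be reconstructed from a compromised
    # SKEYID_d plus only the values that travel in the clear (SPI, nonces and
    # the DH public values)? Without PFS, yes; with PFS the quick mode DH
    # private keys are also needed, and those never leave either peer.
    from_leak_only = keymat(skeyid_d, spi, ni, nr)
    return {
        "keys_match": hmac.compare_digest(key_i, key_r),
        "keymat": key_i,
        "exposed_by_skeyid_d_leak": hmac.compare_digest(from_leak_only, key_i),
    }


if __name__ == "__main__":
    skeyid_d = secrets.token_bytes(20)   # stands in for the phase 1 SKEYID_d
    for pfs in (False, True):
        r = quick_mode(skeyid_d, pfs)
        print(f"PFS={pfs}: peers agree={r['keys_match']}, "
              f"derivable from SKEYID_d alone={r['exposed_by_skeyid_d_leak']}")
```

A real implementation derives more than one key from KEYMAT (expanding it with further PRF calls when the cipher and hash need more bits) and uses a separate SPI per direction, so the function above is deliberately limited to the single derivation that shows the PFS difference.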

Troubleshooting IPSec VPN

IPSec can fail due to phase 1 failure or phase 2 failure.

First we have to verify IKE phase 1 negotiation between peers. Once this has been
verified, we have to verify phase 2 after which we have to verify that the user
traffic is being transported successfully over IPSec tunnel.

Phase 1 is used to establish IKE SAs and phase 2 is used to establish IPSec SAs. If
phase 1 fails, phase 2 cannot begin.

Phase 1 failure

1. IKE negotiation is not initiated.
i. Routing issue exists on the initiator (initiator has no route to the peer). We can
verify the route using command #show ip route
ii. Crypto map is applied to the wrong interface. We can verify using command
#show crypto map tag name of crypto map
iii. Crypto access-list is misconfigured. We can verify using command
#show crypto map tag name of crypto map


iv. ISAKMP is disabled. We can verify using command #show crypto ISAKMP
(it will show ISAKMP is turned off). We can enable ISAKMP using command
#crypto ISAKMP enable.
v. Peer’s IP address is misconfigured in the pre-shared key. We can verify using
command #show crypto ISAKMP key.

2. Initiator sends ISAKMP messages but they are not received by responder.
i. IP connectivity has failed. We can verify using ping command.
ii. ISAKMP is blocked by ACL or Firewall. We have to permit UDP eq
ISAKMP in access-list.

3. Responder does not have a pre-shared key, certificates or a route to the initiator.
We will get error messages like "no preshared key with peer" or "preshared key
offered but does not match" while debugging using command #debug crypto
isakmp.

4. IKE policy mismatch. While debugging we will get the error message "phase 1
SA not acceptable". We can verify policies using command #sh crypto isakmp
policy

5. Authentication failure
i. Pre-shared key mismatch - In this case we will get the error message "sanity
check failed" and negotiation will get stuck after message 5.
ii. Certificate mismatch – It can be because the certificate has expired, the clock
is incorrectly set on the router, or the certificate validity period is incorrect. We
can verify using command #show crypto ca certificates

Phase 2 failure

1. IPSec transform set mismatch – In this case we will get error messages like
"phase 2 SA policy not acceptable" and negotiation will get stuck after message 1
of quick mode.

2. Crypto ACL is asymmetric. We can verify using command #show crypto ipsec sa

3. User traffic is not successfully crossing the IPSec tunnel.
i. ESP or AH packets are not allowed by a firewall or access-list.
ii. A NAT device is in the path to the remote peer.


IPSec VPN Troubleshooting Commands

# Show crypto isakmp policy


It shows the security associations (policies) configured for phase 1, including
encryption mechanism, hashing algorithm, Diffie-Hellman group, authentication
method and lifetime of IKE SAs. This command also shows the default security
association, which is generally used when none of the configured policies
matched.

# Show crypto isakmp SA


It shows the current IKE SAs. If the state is QM_IDLE, quick mode has completed
successfully and the connection has been fully established between the peers.
"ACTIVE" status means the ISAKMP SA is in the active state. The source IP
address indicates which peer initiated the IKE negotiation.


# Show crypto ipsec sa


It shows the IPSec SAs. It also shows the number of packets that passed through
the IPSec tunnel successfully and lets us verify whether we are receiving traffic
back from the remote end of the VPN tunnel. In the example output, an encrypted
tunnel is built between [Link] and [Link] for traffic that goes between networks
[Link] and [Link]. Two Encapsulating Security Payload (ESP) SAs are built, inbound
and outbound, while the AH SAs are empty, which means we are using the ESP
header. We can also see the number of packets encapsulated, decapsulated,
encrypted, decrypted, digested and verified in this output. If packets are only being
encapsulated but not decapsulated, we are able to send packets but are not
receiving packets, which means there is a problem on the peer side.
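The two checks just described (QM_IDLE plus ACTIVE for phase 1, and "encaps but no decaps" for one-way traffic) are easy to automate when you have many tunnels. The following is an added example (not code from the original document) that parses these outputs and applies those rules. The sample output is constructed to resemble IOS output and uses RFC 5737 documentation addresses; the exact column layout varies between IOS releases, so the regular expressions are assumptions to adjust against your own platform.

```python
# Added example, not from the original document: a triage helper that reads the
# output of "show crypto isakmp sa" and "show crypto ipsec sa" and reports the
# conditions described above (QM_IDLE + ACTIVE means phase 1 completed; packets
# encapsulated but none decapsulated means we send but never receive). The
# sample output is CONSTRUCTED to resemble IOS output and uses RFC 5737
# documentation addresses; the exact layout varies between IOS releases.
import re

SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
198.51.100.9    203.0.113.1     MM_NO_STATE       1002 ACTIVE (deleted)
"""

SAMPLE_IPSEC_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

ISAKMP_ROW = re.compile(
    r"^(?P<dst>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<conn>\d+)\s+(?P<status>ACTIVE|INACTIVE)(?P<rest>.*)$")
PKT_COUNTER = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")


def parse_isakmp_sa(text: str) -> list:
    """One dict per IKE SA row; phase1_complete follows the QM_IDLE rule."""
    rows = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if not m:
            continue   # banner and column headers do not match the row pattern
        complete = (m["state"] == "QM_IDLE" and m["status"] == "ACTIVE"
                    and "deleted" not in m["rest"])
        rows.append({"dst": m["dst"], "src": m["src"], "state": m["state"],
                     "conn_id": int(m["conn"]), "status": m["status"],
                     "phase1_complete": complete})
    return rows


def parse_ipsec_counters(text: str) -> dict:
    """Collect the #pkts counters into a dict such as {'encaps': 120, ...}."""
    return {name: int(value) for name, value in PKT_COUNTER.findall(text)}


def triage_ipsec(counters: dict) -> dict:
    """Apply the one-way-traffic rule from the text to the packet counters."""
    sent, received = counters.get("encaps", 0), counters.get("decaps", 0)
    if sent > 0 and received == 0:
        verdict = ("one-way: we encapsulate but never decapsulate; check the peer "
                   "side, the return route and whether ESP/AH is permitted inbound")
    elif sent == 0 and received == 0:
        verdict = "no traffic: crypto ACL may not match, or nothing is being sent"
    else:
        verdict = "bidirectional traffic is flowing"
    return {"sent": sent, "received": received,
            "one_way": sent > 0 and received == 0, "verdict": verdict}


def sa_for_peer(rows: list, peer_ip: str) -> list:
    """Equivalent of piping the output through '| include <peer ip>'."""
    return [r for r in rows if peer_ip in (r["dst"], r["src"])]


if __name__ == "__main__":
    for row in parse_isakmp_sa(SAMPLE_ISAKMP_SA):
        print(row)
    print(triage_ipsec(parse_ipsec_counters(SAMPLE_IPSEC_SA)))
```

Run against saved command output (for example collected over SSH by a monitoring job), the same functions turn a page of counters into a yes/no answer per peer, which is the form a NOC alert should take.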


# Show crypto isakmp sa | i [Link]
# Show crypto ipsec sa | i [Link]

These commands are handy if we have multiple tunnels with different peers and
want to see information regarding the tunnel with one particular peer.

# Show crypto engine connections active


This command shows the current active IPSec VPN connections and lets you check
whether packets are being encrypted or decrypted.

# Show crypto map tag cryptomap_name

This command shows information including the peer IP address, the access-list
configured, the SA lifetime, the name of the transform-set and the interface on
which the crypto map is applied.


# Show crypto ipsec transform-set


If the transform set does not match between peers, phase 2 of tunnel will fail.
This command allows us to verify the transform set configuration.

# Show crypto isakmp peer


It shows the IP address of the peer.

# Show crypto isakmp Key


It shows the pre-shared key configured for the peer.

# Show crypto session


It shows the current status of the tunnel.

Give the command to tear down SA for Phase 2?


# clear crypto sa

Give the command to tear down SA for Phase 1?


# clear crypto isakmp


What are the commands to verify certificates on router?


# show crypto key pubkey-chain
# show crypto key mypubkey

What is DMVPN?
DMVPN allows IPSec VPN networks to better scale hub-to-spoke and spoke-to-
spoke topologies optimizing the performance and reducing latency for
communications between sites.
It offers following benefits:-
1. It optimizes network performance.
2. It reduces router configuration on the hub.
3. Support for dynamic routing protocols running over the DMVPN tunnels.
4. Support for multicast traffic from hub to spokes.
5. The capability of establishing direct spoke-to-spoke IPSec tunnels for
communication between sites without the traffic having to go through the hub.

Explain Next Hop Resolution Protocol (NHRP)?


It is a Layer 2 protocol which is used to map a tunnel IP address to NBMA
address. It functions similar to ARP. Hub maintains NHRP database of the public
addresses for each spoke. When the spoke boots up, it registers its real address to
the hub and queries the NHRP database for real addresses of other spokes so that
they can build direct tunnels.

What are the three phases of DMVPN?


Phase 1 - In phase 1 we use NHRP so that spokes can register themselves with the
hub. Only Hub uses a multipoint GRE interface, all spokes will be using regular
point-to-point GRE tunnel interfaces which means that there will be no direct
spoke-to-spoke communication, all traffic has to go via hub.
The only advantage of the phase 1 setup is the fact the hub router’s configuration is
much simpler. Summarization is possible in phase 1.
Phase 2 - In phase 2 all spokes routers also use multipoint GRE tunnels so we do
have direct spoke to spoke tunneling. When a spoke router wants to communicate
to another spoke it will send an NHRP resolution request to the hub to find the
NBMA IP address of the other spoke. Summarization is not possible in phase 2.
Full Process
1. Spoke 1 forwards a packet whose next hop is another spoke (spoke 2). There is
no NHRP map entry for this spoke, so an NHRP resolution request is sent to the
hub.
2. The request from spoke 1 contains the tunnel IP address of spoke 2, so the hub
relays the request to spoke 2.
3. Spoke 2 receives the request, adds its own address mapping to it and sends it as
an NHRP reply directly to spoke 1.
4. Spoke 2 then sends its own NHRP resolution request to the hub, which relays it
to spoke 1.
5. Spoke 1 receives the request from spoke 2 via the hub and replies by adding its
own mapping to it and sending it directly to spoke 2.
The spoke-to-spoke tunnel is established.
Phase 3 - In phase 3, NHRP redirect configured on the hub tells the initiating spoke
to look for a better path to the destination spoke. On receiving the NHRP redirect
message the spokes communicate with each other over the hub and receive their
NHRP replies for the NHRP resolution requests they sent out.
NHRP shortcut configured on the spoke updates the CEF table. It basically changes
the next-hop value for a remote spoke from the initial hub tunnel IP address to the
NHRP-resolved tunnel IP address of the remote spoke.
Summarization is possible in phase 3.

What is Cisco Easy VPN?


Remote Access VPN when implemented with IPSec is called Cisco Easy VPN.
The Easy VPN is easy to set up, with minimal configuration required at the remote
client site. Cisco Easy VPN allows us to define centralized security policies at the
head-end VPN device (VPN Server) which are then pushed to the remote site VPN
device upon connecting.

What is GRE?
Generic Routing Encapsulation Protocol is a tunneling protocol developed by
Cisco designed to encapsulate IP unicast, multicast and broadcast packets. It uses
IP protocol number 47.

What are the advantages of GRE over IPSec?


1. In GRE, multicast and broadcast traffic can be passed across the tunnel, unlike
IPSec.
2. Non-IP traffic like IPX can be passed across the tunnel securely.

Name a major drawback of both GRE & L2TP?


No encryption.

What is SSL VPN? How is it different from IPSec VPN?

SSL VPN provides remote access connectivity from any internet-enabled device
through a standard web browser and its native SSL encryption. It does not require
any special client software at the remote site. In IPSec VPN, the connection is
initiated using preinstalled VPN client software, so it requires installation of
special client software. In SSL VPN the connection is initiated through a web
browser, so it does not require any special-purpose VPN client software; only a
web browser is required, which is an advantage.

At which layer does SSL VPN operate?


SSL is an Application layer (Layer 7) cryptographic protocol that provides secure
communications over the Internet for web browsing, e-mail and other traffic. It
uses TCP port 443.

What are different SSL VPN Modes?


SSL VPN can be deployed in one of the following three modes:-
1. Clientless mode - It works at Layer 7. Clientless mode provides secure access to
web resources and web-based content. This mode can be used for accessing most
content that you would expect to access in a web browser, such as the Internet,
databases and online tools. Clientless mode also supports the Common Internet File
System (CIFS). Clientless mode is limited to web-based content only. It does not
provide access to TCP connections such as SSH or Telnet.
2. Thin client mode - It works at Layer 7 and is also known as port forwarding.
Thin client mode provides remote access to TCP-based services such as Telnet,
Secure Shell (SSH), Simple Mail Transfer Protocol (SMTP), Internet Message
Access Protocol (IMAP) and Post Office Protocol (POP3) applications. The thin client
is delivered via a Java applet that is dynamically downloaded from the SSL VPN
appliance upon session establishment.
3. Thick client mode - It works at Layer 3 and is also known as tunnel mode or full
tunneling client. The thick client mode provides extensive application support
through dynamically downloaded SSL VPN Client software or the Cisco AnyConnect
VPN client software from the VPN server appliance. This mode delivers a
lightweight, centrally configured, and easy-to-support SSL VPN tunneling client
that provides full network layer (Layer 3) access to virtually any application.

Explain SSL Handshake?


1. The client initiates by sending a CLIENT HELLO message, which contains the SSL
versions the client supports, the order in which the client prefers those versions, the
cipher suites (cryptographic algorithms) supported by the client, and a random number.
2. The server sends back a SERVER HELLO message, which contains the version
number (the server selects the SSL version that is supported by both the server and the
client), the cipher suite (the server selects the best cipher suite that is supported by
both of them), a session ID, and random data.
3. The server also sends its PKI certificate, signed and verified by a Certificate
Authority, to authenticate itself, along with the public key for encryption.
4. The server then sends SERVER HELLO DONE, indicating that it has finished
sending its hello messages and is waiting for a response from the client.
5. The client sends its certificate if the server requested client authentication in the
SERVER HELLO message.
6. The client sends a CLIENT KEY EXCHANGE message after calculating the
premaster secret with the help of the random values of both the server and the
client. This message is encrypted with the server's public key, which was shared
through the hello message.
The server decrypts the premaster secret with its private key. Now both client and
server perform a series of steps to generate the (symmetric) session keys, which are
used to encrypt and decrypt the data exchanged during the SSL session and also to
verify its integrity.
7. The client sends a CHANGE CIPHER SUITE message informing the server that
future messages will be encrypted using the session key.
8. The client sends a CLIENT FINISH (DONE) message indicating that the client is
done.
9. The server also sends a CHANGE CIPHER SUITE message.
10. The client also sends a CLIENT FINISH (DONE) message.
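The negotiation and key-derivation steps above, as an added Python model that is not part of the original page: the server picks the version and cipher suite both sides support, both sides derive the same session keys from the premaster secret and the two randoms, and the FINISH MAC over the handshake transcript exposes a hello that was altered in transit. The preference lists and the HMAC-based key expansion are constructed for this example; the certificate and the public-key encryption of the premaster secret are not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed preference lists for this example (not from the original page).
CLIENT_VERSIONS = ["TLSv1.2", "TLSv1.1", "TLSv1.0"]            # client's order of preference
CLIENT_CIPHERS = ["AES256-GCM-SHA384", "AES128-GCM-SHA256", "RC4-SHA"]
SERVER_VERSIONS = {"TLSv1.2", "TLSv1.1"}
SERVER_CIPHERS = ["AES256-GCM-SHA384", "AES128-GCM-SHA256"]    # server's order of preference


def client_hello():
    """Step 1: versions in preference order, supported cipher suites and a 32-byte random."""
    return {"versions": CLIENT_VERSIONS, "ciphers": CLIENT_CIPHERS,
            "random": secrets.token_bytes(32)}


def server_hello(hello):
    """Step 2: pick the client's most preferred version the server also supports and the
    server's best cipher suite the client also offered; add a session ID and a random."""
    version = next((v for v in hello["versions"] if v in SERVER_VERSIONS), None)
    cipher = next((c for c in SERVER_CIPHERS if c in hello["ciphers"]), None)
    if version is None or cipher is None:
        raise ValueError("no common SSL/TLS version or cipher suite")
    return {"version": version, "cipher": cipher,
            "session_id": secrets.token_hex(8), "random": secrets.token_bytes(32)}


def derive_session_keys(premaster, client_random, server_random):
    """Step 6: both sides expand the premaster secret plus both randoms into symmetric keys.
    HMAC-SHA256 with labels stands in for the real TLS PRF (a simplification)."""
    master = hmac.new(premaster, b"master secret" + client_random + server_random,
                      hashlib.sha256).digest()
    block = hmac.new(master, b"key expansion" + server_random + client_random,
                     hashlib.sha256).digest()
    return {"master": master, "client_write_key": block[:16], "server_write_key": block[16:]}


def transcript(hello, shello):
    """Every handshake field a side saw, in order, so the FINISH MAC can cover it."""
    return ("|".join(hello["versions"] + hello["ciphers"]).encode() + hello["random"]
            + (shello["version"] + "|" + shello["cipher"]).encode() + shello["random"])


def finished_mac(master, seen):
    """Steps 8 and 10: FINISH carries a MAC over the whole transcript under the master secret."""
    return hmac.new(master, b"finished" + seen, hashlib.sha256).digest()


def run_handshake(tamper_ciphers=False):
    """Drive the exchange. With tamper_ciphers=True the CLIENT HELLO reaching the server has
    lost its strongest suite (an on-path modification); the server then negotiates a weaker
    suite, but the FINISH check shows the two transcripts no longer agree."""
    hello = client_hello()
    seen_by_server = dict(hello, ciphers=hello["ciphers"][1:]) if tamper_ciphers else hello
    shello = server_hello(seen_by_server)
    # Step 6: the client chooses the premaster secret; in real TLS it travels encrypted
    # under the server's certificate public key, which this model does not reproduce.
    premaster = secrets.token_bytes(48)
    client_keys = derive_session_keys(premaster, hello["random"], shello["random"])
    server_keys = derive_session_keys(premaster, hello["random"], shello["random"])
    client_fin = finished_mac(client_keys["master"], transcript(hello, shello))
    expected = finished_mac(server_keys["master"], transcript(seen_by_server, shello))
    return {"version": shello["version"], "cipher": shello["cipher"],
            "keys_match": client_keys == server_keys,
            "finished_ok": hmac.compare_digest(client_fin, expected)}
```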

Firewall Interview Questions and Answers
What is a Firewall?
A firewall is a device that is placed between a trusted and an untrusted network. It
denies or permits traffic that enters or leaves the network based on pre-configured
policies. Firewalls protect inside networks from unauthorized access by users on an
outside network. A firewall can also protect inside networks from each other, for
example by keeping a management network separate from a user network.

What is the difference between Gateway and Firewall?


A Gateway joins two networks together and a network firewall protects a network
against unauthorized incoming or outgoing access. Network firewalls may be
hardware devices or software programs.

Firewall works at which Layers?


Firewalls work at Layers 3, 4 and 7.

What is the difference between Stateful & Stateless Firewall?


Stateful firewall - A stateful firewall is aware of the connections that pass through
it, which means it adds and maintains information about user connections in a state
table, referred to as a connection table. It then uses this connection table to
implement the security policies for user connections. Examples of stateful firewalls
are PIX, ASA, and Checkpoint.
Stateless firewall (packet filtering) - Stateless firewalls, on the other hand, do not
look at the state of connections but just at the packets themselves.
An example of a packet filtering firewall is the extended access control list on Cisco
IOS routers.

What information does a Stateful Firewall maintain?


A stateful firewall maintains the following information in its state table:-
1. Source IP address.
2. Destination IP address.
3. IP protocol like TCP, UDP.
4. IP protocol information such as TCP/UDP Port Numbers, TCP Sequence
Numbers, and TCP Flags.


What are the security-levels in Cisco ASA?


ASA uses security levels to determine the trustworthiness of a network attached to
the respective interface. The security level can be configured between 0 and 100,
where higher numbers are more trusted than lower ones. By default, the ASA allows
traffic from a higher security level to a lower security level only.

How can we allow packets from lower security level to higher security level
(override security levels)?
We can use ACLs to allow packets from lower security level to higher security
level.

By default, is same-security-level traffic allowed or denied in ASA?


By default, traffic between interfaces with the same security level is not allowed in ASA.
To allow it we use command:-
ASA(config)# same-security-traffic permit inter-interface

What is the security level of Inside and Outside interface by default?


Security Level of inside interface by default is 100. Security Level of outside
interface by default is 0.

What protocols are inspected by ASA?


By default, TCP and UDP are inspected by ASA.

Does ASA inspect ICMP?


By default, ASA does not inspect ICMP.

Explain DMZ (Demilitarized Zone) Server?


If we need some network resources such as a Web server or FTP server to be
available to outside users we place these resources on a separate network behind
the firewall called a demilitarized zone (DMZ). The firewall allows limited access
to the DMZ, but because the DMZ only includes the public servers, an attack there
only affects the servers and does not affect the inside network.

What is the command to see timeout timers?


# show run timeout

What is the command to check connection table?


# show conn


How does a firewall process a packet?


1. When a packet is received on the ingress interface, the ASA checks whether it matches an
existing entry in the connection table. If it does, protocol inspection is carried out
on that packet.
2. If it does not match an existing connection and the packet is either a TCP SYN
packet or a UDP packet, the packet is subjected to ACL checks. It needs to be a TCP SYN
packet because a SYN packet is the first packet in the TCP three-way handshake; any
other TCP packet that is not part of an existing connection is likely to be an attack.
3. If the packet is allowed by the ACLs and is also verified by the translation rules, the
packet goes through protocol inspection.
4. Then the IP header is translated if NAT is used, and if the NAT rule specifies an
egress interface, the ASA virtually forwards the packet to this egress interface
and then performs a route lookup.
5. If a route is found that specifies the egress interface, the Layer 2 header of the
packet is rewritten and the packet is forwarded out of the egress interface.
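An added Python model (not Cisco's code) of the packet path just described, combined with the security-level, SYN-only, ICMP-inspection and idle-timeout behaviour stated on this page: a packet of an existing connection is forwarded, a new TCP flow must begin with SYN, lower-to-higher traffic needs an ACL entry, same-level traffic needs the inter-interface permit, and an idle UDP entry ages out after two minutes. Interface names, levels, addresses and the ACL tuple format are constructed for the example; NAT and the route lookup are not modelled, so the egress interface is supplied with the packet.

```python
from dataclasses import dataclass
import time

# Constructed example: interface trust levels and the idle timeouts quoted on this page.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "dmz2": 50, "outside": 0}
IDLE_TIMEOUT = {"tcp": 60 * 60, "udp": 2 * 60, "icmp": 2}      # seconds


@dataclass(frozen=True)
class Packet:
    ingress: str
    egress: str          # interface the route lookup would pick (given, not computed)
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} for a connection attempt


class Asa:
    """Minimal model of the ASA packet path described above (hypothetical, not Cisco code)."""
    def __init__(self, acl=(), same_security=False, inspect_icmp=False):
        self.acl = list(acl)                # permit entries: (ingress, proto, dst, dport)
        self.same_security = same_security  # 'same-security-traffic permit inter-interface'
        self.inspect_icmp = inspect_icmp    # 'inspect icmp' is off by default
        self.conn = {}                      # connection table: 5-tuple -> last-seen time

    @staticmethod
    def _key(p, reverse=False):
        return (p.proto, p.dst, p.dport, p.src, p.sport) if reverse else \
               (p.proto, p.src, p.sport, p.dst, p.dport)

    def _expire(self, now):
        self.conn = {k: t for k, t in self.conn.items() if now - t <= IDLE_TIMEOUT[k[0]]}

    def _acl_permits(self, p):
        return any(i == p.ingress and pr == p.proto and d in (p.dst, "any") and dp in (p.dport, 0)
                   for i, pr, d, dp in self.acl)

    def process(self, p, now=None):
        """Return a verdict string for one packet and update the connection table."""
        now = time.time() if now is None else now
        self._expire(now)
        # 1. Packet belongs to an existing connection (either direction): inspect and forward.
        for key in (self._key(p), self._key(p, reverse=True)):
            if key in self.conn:
                self.conn[key] = now                 # refresh the idle timer
                return "forward (existing connection)"
        # 2. Only a TCP SYN (or a UDP/ICMP packet) may open a new connection.
        if p.proto == "tcp" and "SYN" not in p.flags:
            return "drop (TCP packet without SYN for unknown connection)"
        # 3. Security levels: higher -> lower by default, lower -> higher only via ACL,
        #    same level only when same-security traffic is permitted.
        src_lvl, dst_lvl = SECURITY_LEVEL[p.ingress], SECURITY_LEVEL[p.egress]
        if src_lvl == dst_lvl:
            allowed = self.same_security
        elif src_lvl > dst_lvl:
            allowed = True
        else:
            allowed = self._acl_permits(p)
        if not allowed:
            return "drop (security-level policy / ACL)"
        # 4. Record the flow so return traffic matches step 1 (ICMP only when inspected).
        if p.proto != "icmp" or self.inspect_icmp:
            self.conn[self._key(p)] = now
        return "forward (new connection)"
```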

Explain TCP Flags?


While troubleshooting TCP connections through the ASA, the connection flags
shown for each TCP connection provide information about the state of TCP
connections to the ASA.

The green circles in the image above indicate that two-way traffic is seen for that
connection, which usually means the connection is good and healthy.


What are the values for timeout of TCP session, UDP session, ICMP session?
TCP session - 60 minutes
UDP session - 2 minutes
ICMP session - 2 seconds

How does ASA work in reference to traceroute?


ASA does not decrement the TTL value of traceroute packets, so that it does not
reveal information about itself to others, for security reasons. It forwards the packet
without decrementing the TTL value.

What if we apply ACL as global in ASA?


It is applied on all interfaces in the inbound direction. The global option is available
only in ASA 8.4, not in ASA 8.2.

What is the Difference between ports in ASA 8.4 and ASA 8.2?
In ASA 8.4 all ports are Gig ports and in ASA 8.2 all are Ethernet ports.

What is the difference in ACL on ASA than on Router?


On a router, if we delete one access-control entry, the whole ACL is deleted. On
ASA, deleting one access-control entry does not delete the whole ACL.

Name some concepts that cannot be configured on ASA?


Line VTY cannot be configured on ASA.
Wildcard mask concept is not present in ASA.
Loopback cannot be configured on ASA.

What is the command to capture packets in ASA?


To capture packet from inside interface: -
# capture abc interface inside
To see it: -
# show capture abc

What is the command to enable HTTP on ASA?


# http server enable

How to give static route on ASA?


# route outside <Destination IP><Subnet Mask>< Next Hop>


How to give default route on ASA?


# route outside 0 0 < Next Hop>

What are the different types of ACL in Firewall?


1. Standard ACL
2. Extended ACL
3. Ethertype ACL (Transparent Firewall)
4. Webtype ACL (SSL VPN)

What is Transparent Firewall?


In Transparent Mode, ASA acts as a Layer 2 device like a bridge or switch and
forwards Ethernet frames based on destination MAC-address.

What is the need of Transparent Firewall?


If we want to deploy a new firewall into an existing network it can be a
complicated process due to various issues like IP address reconfiguration, network
topology changes, current firewall etc. We can easily insert a transparent firewall
in an existing segment and control traffic between two sides without having to
readdress or reconfigure the devices.

What are the similarities between switch and ASA (in transparent mode)?
Both learn which MAC addresses are associated with which interface and store
them in a local MAC address table.

What are the differences between switch and ASA (in Transparent mode)?
1. ASA does not flood unknown unicast frames whose destination is not found in the
MAC address table.
2. ASA does not participate in STP.
3. A switch processes traffic at Layers 1 and 2, while ASA can process traffic from
Layer 1 to Layer 7.

What are the features that are not supported in transparent mode?
1. Dynamic Routing.
2. Multicasting.
3. QOS.
4. VPNs like IPSec and WebVPN cannot be terminated.
5. ASA cannot act as DHCP relay agent.


Explain Ether-Type ACL?


In transparent mode, unlike IP traffic, for which security levels are used to
permit or deny traffic, all non-IP traffic is denied by default. We create an Ether-Type
ACL to allow non-IP traffic. Traffic such as BPDUs and IPX can be controlled with an
Ether-Type ACL.

What is the command to convert ASA into Transparent mode?


# firewall transparent

What is the command to see mode (routed or transparent)?


# show firewall

Explain Failover?
Failover is a Cisco proprietary feature. It is used to provide redundancy. It requires
two identical ASAs to be connected to each other through a dedicated failover link.
The health of the active interfaces and units is monitored to determine whether failover
has occurred or not.

What are types of Failover?


1. Active/Standby Failover.
2. Active/Active Failover.

What information is exchanged between ASAs over a Failover link?


1. State - Active or standby.
2. Hello Messages.
3. Network Link Status.
4. Mac Addresses.
5. Configuration Replication and Synchronization.

What is the difference between stateful failover and stateless failover?


Stateless Failover - When failover occurs all active connections are dropped.
Clients need to re-establish connections when the new active unit takes over.
Stateful Failover - The active unit continually passes per-connection state
information to the standby unit. After a failover occurs, the same connection
information is available at the new active unit. Clients are not required to reconnect
to keep the same communication session.

What information does the active unit pass to the standby unit in stateful Failover?
The NAT translation table, TCP connection states, the ARP table, the Layer 2 bridge
table (when running in transparent firewall mode), ICMP connection state, etc.


What are the Failover Requirements between two devices?


Hardware Requirements - The two units in a failover configuration must be the
same model and have the same number and types of interfaces.
Software Requirements - The two units in a failover configuration must be in the
same operating modes (routed or transparent, single or multiple context). They
must have the same software version.

Explain Active/Standby Failover?


In Active/Standby Failover, one unit is the active unit which passes traffic. The
standby unit does not actively pass traffic. When Failover occurs, the active unit
fails over to the standby unit, which then becomes active. We can use
Active/Standby Failover for ASAs in either single or multiple context mode.

Explain Active/Active Failover?


It is only available for ASAs in multiple context mode. In an Active/Active
Failover configuration, both ASAs can pass network traffic. In Active/Active
Failover, we divide the security contexts on the ASA into Failover Groups. A
Failover Group is simply a logical group of one or more security contexts. Each
group is assigned to be active on a specific ASA in the failover pair.
When Failover occurs, it occurs at the Failover group level.

What is the command to enable Failover?


# failover

What is the command to see Failover?


# show failover

Explain Unit Health Monitoring in Failover? How Failover occurs?


The ASA unit determines the health of the other unit by monitoring the failover
link. When a unit does not receive three consecutive hello messages on the failover
link, it sends hello messages on each interface, including the failover interface, to
find whether or not the other unit is responsive.
Based upon the response from the other unit it takes following actions:-
1. If the ASA receives a response on the failover interface, then it does not
failover.
2. If the ASA does not receive a response on the failover link, but it does receive a
response on another interface, then the unit does not failover. The failover link is
marked as failed.


3. If the ASA does not receive a response on any interface, then the standby unit
switches to active mode and classifies the other unit as failed.

How is the active unit determined in Active/Standby Failover?


1. If a unit boots and detects another unit already running as active, it becomes the
standby unit.
2. If a unit boots and does not detect active unit, it becomes the active unit.
3. If both units boot simultaneously, then the primary unit becomes the active unit,
and the secondary unit becomes the standby unit.

Name some commands replicated to standby unit?


# copy running-config startup-config
# write memory
All configuration commands except for mode, firewall, and failover lan unit are
replicated to standby unit.

Name some commands that are not replicated to standby unit?


All forms of the copy command except for # copy running-config startup-config
All forms of the write command except for # write memory

Explain Active/Standby Failover & Active/Active Failover in terms of preemption?
In Active/Standby Failover there is no preemption.
In Active/Active Failover preemption is optional.

Explain Security Context?


We can partition a single ASA into multiple virtual devices, known as security
context. Each context acts as an independent device, with its own security policy,
interfaces, and administrators. Multiple contexts are similar to having multiple
standalone devices.

What features are supported in multiple context mode?


Routing tables, firewall features, IPS, and management.

What features are not supported in multiple context mode?


VPN and Dynamic routing protocols.

Explain system area?


When we boot up in multiple context mode from the CLI, we are taken into the
system area. The system area is used to create and manage the contexts, configure
the physical properties of the interfaces, create VLANs for trunking, and create
resource classes to restrict the system resource usage of the contexts.

What is the admin context?


When the appliance boots up, one context is automatically created, called the admin
context, which defaults to being the administrative context. Any context can be
made the administrative context. One of the contexts on our appliance must be the
administrative context. An asterisk (*) beside a context name indicates that the context is
the administrative context.

How does ASA classify packets?


ASA determines which context should process a packet that enters it as
follows:-
1. Unique Interfaces - If only one context is associated with the ingress interface,
the ASA classifies the packet into that context.
2. Unique MAC Addresses - If multiple contexts share an interface, then the
interface MAC address is used as classifier. ASA lets us assign a different MAC
address in each context to the same shared interface. By default, shared interfaces
do not have unique MAC addresses. We can set the MAC addresses manually or
we can automatically generate MAC addresses by # mac-address auto command.
3. NAT Configuration - If we do not use unique MAC addresses, then the mapped
addresses in our NAT configuration are used to classify packets.

What is the command to switch to multiple context Mode?


# mode multiple
After entering this command the appliance reboots itself, and our current
configuration is automatically backed up to flash in case we want to switch back to
single mode. The file is called old_running.cfg.

What is the command to switch back to single mode?


# mode single

What are different types of NAT in ASA?


Static NAT - A consistent mapping between a real and mapped IP address. It
allows bidirectional traffic initiation.
Dynamic NAT - A group of real IP addresses are mapped to a (usually smaller)
group of mapped IP addresses on a first come first served basis. It allows only
unidirectional traffic initiation.
Dynamic Port Address Translation (PAT) - A group of real IP addresses are
mapped to a single IP address using a unique source port of that IP address.

Identity NAT - A real address is statically translated to itself, essentially bypassing
NAT.

What is Policy NAT?


Policy NAT allows you to NAT by specifying both the source and destination
addresses in an extended access list. We can also optionally specify the source and
destination ports. Regular NAT can only consider the source addresses, not the
destination address.
In static NAT it is called Static Policy NAT.
In dynamic NAT it is called Dynamic Policy NAT.

Give the order of preference between different types of NAT?


1. NAT exemption.
2. Existing translation in xlate.
3. Static NAT
- Static Identity NAT
- Static Policy NAT
- Static NAT
- Static PAT
4. Dynamic NAT
- NAT Zero
- Dynamic Policy NAT
- Dynamic NAT
- Dynamic PAT

What is the difference between Auto NAT & Manual NAT?


Auto NAT (Network Object NAT) - It only considers the source address while
performing NAT. So, Auto NAT is only used for static or dynamic NAT. Auto
NAT is configured within an object.
Manual NAT (Twice NAT) - Manual NAT considers either only the source
address or the source address and destination address while performing NAT. It
can be used for almost all types of NAT like NAT exempt, policy NAT etc.
Unlike Auto NAT that is configured within an object, Manual NAT is configured
directly from the global configuration mode.

Give NAT Order in terms of Auto NAT & Manual NAT?


NAT is ordered in 3 sections.
Section 1 – Manual NAT
Section 2 – Auto NAT
Section 3 – Manual NAT after Auto NAT


What are the commands to see NAT Translations?


# show xlate
# show nat

What is the command to see both NAT Table and Connection Table?

# show local-host

----------------------------------------------------------------------------------------------------
End of Document

If you have any suggestions, demands, feedback or if you have any problem with
the content of this book, please send a mail to creatorstudio.s24@[Link].
Alternatively you can also comment on the website. We will surely work on it.

Copyright © 2016 By [Link]
