You issue the following commands on a Cisco ASA with no other configured interfaces:
```
asa(config)#interface gigabitethernet 0/1
asa(config-if)#speed 1000
asa(config-if)#duplex full
asa(config-if)#nameif inside
asa(config-if)#ip address 10.1.1.1 255.255.255.0
asa(config-if)#no shutdown
asa(config-if)#exit
asa(config)#telnet 10.1.1.0 255.255.255.0 inside
asa(config)#telnet timeout 30
```
Which of the following statements is true regarding the resulting configuration? (Select the best answer.)
- Telnet sessions will time out after 30 seconds of inactivity.
- The ASA will assign the interface a security level of 0.
- The ASA will assign the interface a security level of 100.
- Telnet sessions will be denied until a security level is manually assigned.
In this scenario, the Cisco Adaptive Security Appliance (ASA) will assign the GigabitEthernet 0/1 interface a security level of 100. The block of commands in this scenario configures the GigabitEthernet 0/1 interface to operate in full-duplex mode at a speed of 1,000 megabits per second (Mbps), names the interface “inside”, and assigns an IP address 10.1.1.1 with a network mask of 255.255.255.0. In addition, the no shutdown command enables the interface. The telnet commands define a network range that is permitted to Telnet to the inside interface and configure a Telnet idle-timeout value. Because no security level is manually assigned to the interface, the ASA will automatically assign the interface a security level. The default security level on an ASA is 0; however, the inside interface is an exception to this rule because it is automatically assigned a security level of 100 if a security level is not explicitly configured. An interface can be assigned any integer-valued security level from 0 through 100.
Telnet sessions will not be denied to the GigabitEthernet 0/1 interface until a security level is manually assigned. Normally, Telnet traffic is not permitted to the interface with the lowest security. However, if there is only one configured interface and it has been configured with a security level of 100, Telnet traffic is permitted even though the interface simultaneously has the highest security and the lowest security. Because the ASA automatically assigns a security level of 100 to the inside interface, Telnet sessions will be able to access the interface. If there were other active interfaces on the ASA, a Telnet session would be permitted to the interface with the lowest security only if that session was protected by a virtual private network (VPN) tunnel terminating on the interface. Although there are several methods for working around Telnet access restrictions of the ASA, Cisco recommends disabling Telnet and using more secure methods for management access, such as Secure Shell (SSH) or Secure Hypertext Transfer Protocol (HTTPS) instead; neither HTTPS nor SSH is restricted by the security level of an interface.
Telnet sessions will not time out after 30 seconds of inactivity. The telnet timeout 30 command specifies an inactivity timeout length of 30 minutes, not 30 seconds. The telnet timeout command accepts an integer value from 1 through 1440 to specify the number of minutes a Telnet session can remain idle before the ASA closes the connection.
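The rules explained above can be checked mechanically when reviewing a saved configuration. The following Python sketch is an added example, not Cisco tooling or part of the original question; the function names are hypothetical, and it assumes a running-config style listing in which interface sub-commands are indented by one space.

```python
import re

# Constructed sample: the scenario's commands laid out as a running-config listing.
SAMPLE = """\
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 ip address 10.1.1.1 255.255.255.0
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 30
"""

def effective_security_levels(config):
    """Return {nameif: level}, applying the default (inside=100, otherwise 0)."""
    blocks, current = [], None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            current = {}
            blocks.append(current)
        elif line.startswith(" ") and current is not None and words:
            if words[0] == "nameif" and len(words) == 2:
                current["nameif"] = words[1]
            elif words[0] == "security-level" and len(words) == 2:
                current["level"] = int(words[1])
        else:
            current = None  # back at global configuration level
    return {b["nameif"]: b.get("level", 100 if b["nameif"] == "inside" else 0)
            for b in blocks if "nameif" in b}

def audit_telnet(config):
    """List findings about Telnet management access in the config."""
    levels, findings = effective_security_levels(config), []
    for line in map(str.strip, config.splitlines()):
        timeout = re.fullmatch(r"telnet timeout (\d+)", line)
        permit = re.fullmatch(r"telnet (\S+) (\S+) (\S+)", line)
        if timeout:
            minutes = int(timeout.group(1))  # the value is in minutes, not seconds
            findings.append(f"telnet idle timeout: {minutes} minutes ({minutes * 60} seconds)")
        elif permit:
            net, mask, ifname = permit.groups()
            findings.append(f"telnet allowed from {net} {mask} on {ifname} "
                            f"(security level {levels.get(ifname)}); prefer SSH or HTTPS")
            if len(levels) > 1 and levels.get(ifname) == min(levels.values()):
                findings.append(f"{ifname} has the lowest security level: Telnet only via VPN tunnel")
    return findings

if __name__ == "__main__":
    print(effective_security_levels(SAMPLE))
    print("\n".join(audit_telnet(SAMPLE)))
```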