You issue the following commands on a Cisco ASA. No other interfaces have been configured.
asa(config)#interface gigabitethernet 0/1 asa(configif)#speed 1000 asa(configif)#duplex full asa(configif)#securitylevel 0 asa(configif)#nameif inside asa(configif)#ip address 10.1.1.1 255.255.255.0 asa(configif)#no shutdownasa(configif)#exit asa(config)#telnet 10.1.1.0 255.255.255.0 inside asa(config)#telnet timeout 30
Which of the following statements is true regarding the resulting configuration? (Select the best answer.)
- Telnet sessions will time out after 30 seconds of inactivity.
- The ASA will deny SSH connections to the interface.
- The ASA will reassign the interface a security level of 100.
- Telnet sessions will be denied because a security level is manually assigned.
In this scenario, the Cisco Adaptive Security Appliance (ASA) will deny Telnet sessions to the
GigabitEthernet 0/1 interface because a security level is manually assigned. Normally, Telnet traffic is not permitted to the interface with the lowest security. However, if there is only one configured interface and it has been configured with a security level of 100, Telnet traffic is permitted even though the interface is simultaneously the interface with the lowest security and the highest security. Because the interface in this scenario has been manually assigned the lowest security level of 0, the Telnet session will be denied. If there were other active interfaces on the ASA, a Telnet session would be permitted to the interface with the lowest security only if that session was protected by a virtual private network (VPN) tunnel terminating on the interface.
The ASA will not deny Secure Shell (SSH) connections to the interface. Although there are several methods for working around Telnet access restrictions of the ASA, Cisco recommends disabling Telnet and using more secure methods for management access, such as SSH or Secure Hypertext Transfer Protocol (HTTPS) instead? neither HTTPS nor SSH is restricted by the security level of an interface.
The block of commands in this scenario configures the GigabitEthernet 0/1 interface to operate in full duplex mode at a speed of 1000 megabits per second (Mbps), assigns the interface a security level of 0, names the interface “inside”, and assigns an IP address 10.1.1.1 with a network mask of 255.255.255.0. In addition, the no shutdown command enables the interface. The telnet commands define a network range that is permitted to Telnet to the inside interface and configure a Telnet idletimeout value. The default security level on an ASA is 0? however, the inside interface is an exception to this rule because it is automatically assigned a security level of 100 if a security level is not explicitly configured. An interface can be assigned any integervalued security level from 0 through 100.
Telnet sessions will not time out after 30 seconds of activity. The telnet timeout 30 command specifies an inactivity timeout length of 30 minutes, not 30 seconds. The telnet timeout command accepts an integer value from 1 through 1440 to specify the number of minutes a Telnet session can remain idle before the ASA closes the connection.