Feb 16th, 2009


I am getting ready for the ISCW exam. I studied the Cisco Press study guide and have some doubts. As there is no errata for this book, 3 months ago I sent an e-mail to Cisco Press to verify the answers to some questions, but still no answer. I need your help to clarify whether the study guide's answers are correct or not. Here are the questions:

1- Which protocols/ports must be permitted so that IPsec VPNs can be created (select all that apply)?

a. Protocol AHP

b. Protocol ESP

c. Protocol ISAKMP

d. UDP port ESP

e. UDP port AHP

The correct answers are A, B, but I believe that C is correct as well.

2- When completing the configuration of the site-to-site VPN tunnel in the Summary window, which options are available (select all that apply)?

a. Return to the configuration with the <Back button

b. Advance to the next summary screen with the Next> button

c. Complete the configuration with the Finish button

d. Edit the configuration with the Edit button

e. Abort the configuration with the Cancel button.

The correct answers are C, E, but I believe that A is correct as well.

3- Which routing options are appropriate when using both a primary and a backup GRE tunnel (select all that apply)?

a. RIP



d. BGP

e. Static

The correct answers are A, B, C, but I believe that the correct answers should be B, C, E.

4- What type of firewall is best used when only UDP is used for access?

a. Packet filter

b. Authentication proxy

c. ALG

d. Stateful packet filter

The correct answer is D, but I believe that A should be correct.

Thanks for your help,


Istvan_Rabai Mon, 02/16/2009 - 10:57

Hi Mehdi,

Question 1:

Correct answer is A and B.

C is wrong because of its wording. You cannot permit the isakmp protocol in an access-list.

You can enable the following:

access-list 100 permit udp any eq isakmp any eq isakmp

So actually you permitted protocol UDP, port 500.

Question 2:

I don't know the answer. You should run SDM and check how it works.

Question 3:

A, B and C are the correct answers, when it applies to configuring GRE tunnels with SDM.

If you use static routes your routers will not converge to use the backup GRE tunnel if the primary GRE tunnel fails.

Generally speaking, GRE tunnels were created to allow broadcasts and multicasts through the IPSec tunnel, so the routing protocols can send and receive updates and convergence can take place.

Question 4:

I think answer D is better than A.

A stateful packet filter creates a temporary opening through the router and checks if the incoming traffic (reply) has the proper parameters (like source and destination addresses and ports) and protocol characteristics defined in the RFCs. In addition, when no traffic is sent, it closes the temporary opening after a configurable idle time.

So a stateful filter does a better job than a traditional packet filter (access-list).
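
The ACL keyword point from Question 1 and the stateful-versus-stateless comparison from Question 4, as an added example that is not part of Istvan's post or of any Cisco code: a small Python model of a packet filter. The IOS-style ACE parser covers only the `access-list N permit|deny <proto> any [eq P] any [eq P]` form; the addresses, ports, timestamps and the 30-second idle timeout are constructed for the demo, and the flow table is a simplification of what a real stateful inspection engine keeps.

```python
# Added example (not from the thread or from Cisco): a toy packet filter that
# illustrates two points from the post above.
#  1. In an IOS-style ACL, AH and ESP are IP protocols (51 and 50), while
#     "isakmp" exists only as a port keyword under UDP, i.e. UDP port 500.
#  2. UDP carries no flags, so a stateless filter can only admit replies by
#     leaving a permanent hole; a stateful filter opens a pinhole per outbound
#     flow, admits only the matching reply and closes it after an idle timeout.
# All addresses, ports and timestamps below are constructed for the demo.

from dataclasses import dataclass
from typing import Optional

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
# Protocol keywords an ACE accepts; "isakmp" is deliberately not one of them.
PROTO_KEYWORDS = {"udp": PROTO_UDP, "esp": PROTO_ESP, "ahp": PROTO_AH}
# UDP port keywords; this is where "isakmp" lives (assumed subset of IOS names).
UDP_PORT_KEYWORDS = {"isakmp": 500, "domain": 53, "ntp": 123}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0   # ports only meaningful for UDP here
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: int                   # IP protocol number
    sport: Optional[int] = None  # None = any
    dport: Optional[int] = None  # None = any


def _port(tok: str) -> int:
    if tok in UDP_PORT_KEYWORDS:
        return UDP_PORT_KEYWORDS[tok]
    if tok.isdigit():
        return int(tok)
    raise ValueError(f"{tok!r} is not a UDP port keyword")


def parse_ios_ace(line: str) -> AclEntry:
    """Parse 'access-list N permit|deny <proto> any [eq P] any [eq P]'.
    Raises ValueError for a protocol keyword IOS would not accept."""
    toks = line.strip().rstrip(".").split()
    action, proto_tok = toks[2], toks[3]
    if proto_tok in PROTO_KEYWORDS:
        proto = PROTO_KEYWORDS[proto_tok]
    elif proto_tok.isdigit():
        proto = int(proto_tok)            # numeric form, e.g. 50 or 51
    else:
        raise ValueError(f"{proto_tok!r} is not an IP protocol keyword")
    rest, sport, dport = toks[4:], None, None   # src [eq P] dst [eq P]
    i = 1                                        # skip source address
    if i < len(rest) and rest[i] == "eq":
        sport, i = _port(rest[i + 1]), i + 2
    i += 1                                       # skip destination address
    if i < len(rest) and rest[i] == "eq":
        dport = _port(rest[i + 1])
    return AclEntry(action, proto, sport, dport)


def ace_is_valid(line: str) -> bool:
    try:
        parse_ios_ace(line)
        return True
    except ValueError:
        return False


def stateless_permits(acl, pkt: Packet) -> bool:
    """Traditional packet filter: first match wins, implicit deny at the end."""
    for e in acl:
        if (e.proto == pkt.proto and (e.sport is None or e.sport == pkt.sport)
                and (e.dport is None or e.dport == pkt.dport)):
            return e.action == "permit"
    return False


class StatefulUdpFilter:
    """Flow table for outbound UDP: an inbound datagram is admitted only if it
    reverses the 4-tuple of a live entry; entries expire after idle_timeout."""

    def __init__(self, idle_timeout: float) -> None:
        self.idle_timeout = idle_timeout
        self.flows = {}              # (src, sport, dst, dport) -> last seen

    def _expire(self, now: float) -> None:
        for key, seen in list(self.flows.items()):
            if now - seen > self.idle_timeout:
                del self.flows[key]  # the temporary opening is closed

    def outbound(self, pkt: Packet, now: float) -> None:
        self._expire(now)
        self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now

    def inbound_permits(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed tuple
        if pkt.proto == PROTO_UDP and key in self.flows:
            self.flows[key] = now
            return True
        return False


def demo() -> dict:
    # Inbound ACL for an IPsec peer: AH, ESP and UDP/500, as in Istvan's ACE.
    acl = [parse_ios_ace(l) for l in (
        "access-list 100 permit ahp any any",
        "access-list 100 permit esp any any",
        "access-list 100 permit udp any eq isakmp any eq isakmp")]
    peer, gw, inside, dns = "203.0.113.5", "198.51.100.1", "10.0.0.7", "198.51.100.53"
    res = {"esp": stateless_permits(acl, Packet(PROTO_ESP, peer, gw)),
           "ah": stateless_permits(acl, Packet(PROTO_AH, peer, gw)),
           "ike": stateless_permits(acl, Packet(PROTO_UDP, peer, gw, 500, 500))}
    reply = Packet(PROTO_UDP, dns, inside, 53, 40001)
    unsolicited = Packet(PROTO_UDP, dns, inside, 53, 40002)
    res["dns_reply_stateless"] = stateless_permits(acl, reply)      # no entry
    # The only stateless way to admit DNS answers is a permanent hole, which
    # also admits anything with source port 53 that nobody asked for.
    holed = acl + [parse_ios_ace("access-list 100 permit udp any eq domain any")]
    res["unsolicited_stateless"] = stateless_permits(holed, unsolicited)
    sf = StatefulUdpFilter(idle_timeout=30)
    sf.outbound(Packet(PROTO_UDP, inside, dns, 40001, 53), now=0)
    res["dns_reply_stateful"] = sf.inbound_permits(reply, now=1)
    res["unsolicited_stateful"] = sf.inbound_permits(unsolicited, now=1)
    res["late_reply_stateful"] = sf.inbound_permits(reply, now=100)  # idle > 30 s
    return res


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {'permit' if v else 'deny'}")
```

Running it shows the three IPsec permits matching, the "isakmp" line parsing to UDP port 500 on both sides, and the difference Istvan describes: the stateless filter either rejects the DNS reply or, once holed, accepts the unsolicited datagram too, while the stateful filter admits only the reply to the flow it saw and denies it again after the idle timeout.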



Mehdi Talei Mon, 02/16/2009 - 11:07

Hello Istvan,

Thanks for your reply.

1- Hmm, I understand what you mean; you are right. I hate this kind of question!!! They are not technical; as you mentioned, wording changes everything!

2- I ran SDM and yes, I have the Back option to change the configuration. I only hope that I understand the Cisco exam question as I should ;-)

3- I tried this one on SDM also. When I chose to have the backup tunnel, I no longer have the option for RIP. It becomes gray!!! In this case the only options are OSPF, EIGRP and static! Am I making a mistake?

4- I totally understand your logic, and stateful is better, of course.

Thanks again for your time,



