A real-looking Cisco ASA firewall admin console — 5 tabs of toggles, dropdowns, radios, and multi-select. The hardest PBQ format on the exam.
Tests: End-to-end device configuration, security hardening, the kind of multi-screen lab task you see on Security+, CySA+ and Cisco exams.
Scenario
You are configuring a Cisco ASA 5505 firewall protecting a DMZ. The web server (10.0.1.10) needs to be reachable from the internet on 443 only. Internal staff need SSH access (port 22). All other traffic must be denied. Apply defensible defaults across General, Interfaces, NAT, Access Control, and Logging tabs.
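The scenario's requirements expressed as ASA CLI configuration, added here as an illustration and not part of the lab or its answer key. The VLAN-to-interface mapping, the inside subnet 192.168.10.0/24, the domain name, the syslog host and a license allowing three VLAN interfaces are all assumptions; the web server address and ports come from the scenario.

```cisco
! Constructed example: assumed inside 192.168.10.0/24 on Vlan1, outside on Vlan2 (DHCP),
! DMZ 10.0.1.0/24 on Vlan3, syslog collector 192.168.10.50. ASA 8.3+ NAT syntax.
hostname asa-dmz-01
domain-name lab.example
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.0.1.1 255.255.255.0
!
! Publish the web server on the outside address for TCP 443 only (port-restricted static NAT).
object network WEB-SERVER
 host 10.0.1.10
 nat (dmz,outside) static interface service tcp 443 443
!
! Outside may reach only 443 on the web server; everything else is dropped and logged.
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Inside staff may SSH to the web server. The explicit deny replaces the security-level
! default that would otherwise let inside reach anything at a lower security level.
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 object WEB-SERVER eq ssh
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Management SSH to the ASA itself, inside interface only, protocol version 2.
ssh 192.168.10.0 255.255.255.0 inside
ssh version 2
!
threat-detection basic-threat
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
service-policy global_policy global
!
logging enable
logging trap informational
logging host inside 192.168.10.50
```

Check the result with show access-list OUTSIDE_IN (hit counts on the deny line confirm the default-deny is active) and show nat detail (the static translation should list only tcp/443).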
Cisco ASA 5505 — DMZ Firewall
Adaptive Security Device Manager (ASDM)
Device identity
Hostname
A descriptive name for this firewall (e.g. "asa-dmz-01")
Domain name
Used in TLS cert generation and DNS lookups
Security defaults
Enable stateful packet inspection
Track connection state for each session. Required for most secure deployments.
Enable application inspection
Deep packet inspection for protocols like HTTP, FTP, DNS.
Enable basic threat detection
ASA built-in IDS that detects scanning and DoS attempts.
Default policy
Default action for unmatched traffic
What should happen if no ACL rule matches?