Implementing and Operating Cisco Security Core Technologies (SCOR) — Question 145
What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone-Based Policy Firewall?
Answer options
- A. The Cisco ASA can be configured for high availability, whereas the Cisco IOS router with Zone-Based Policy Firewall cannot.
- B. The Cisco IOS router with Zone-Based Policy Firewall can be configured for high availability, whereas the Cisco ASA cannot.
- C. The Cisco ASA denies all traffic by default, whereas the Cisco IOS router with Zone-Based Policy Firewall starts out by allowing all traffic, even on untrusted interfaces.
- D. The Cisco IOS router with Zone-Based Policy Firewall denies all traffic by default, whereas the Cisco ASA starts out by allowing traffic until rules are added.
Correct answer: C
Explanation
Option C is correct because the Cisco ASA defaults to a deny-all policy, meaning it blocks all traffic unless explicitly allowed, while the Cisco IOS router with Zone-Based Policy Firewall allows all traffic by default. Options A and B incorrectly address high availability capabilities, which are comparable in both devices. Option D reverses the default traffic handling policies of both devices.