Task 9.1


The SG leaves the tcp intercept mode as intercept (the default setting) and sets the watch-timeout to 30 sec (this isn't needed as it is the default). This is confusing to me. You are leaving the mode as intercept by not setting watch, but then you configure the watch-timeout.

Is the SG mistaken or am I not understanding something?


I think the answer should be:



ip tcp intercept list 100
ip tcp intercept max-incomplete low 500
ip tcp intercept max-incomplete high 1000
ip tcp intercept mode watch

access-list 100 permit tcp any host 167.x.4.119


The watch-timeout is 30 sec by default according to the 12.4 configuration guide, so it is not needed.


  • I have got the same question. However, I think we should use connection-timeout here instead of watch-timeout, as we are using intercept mode. Could someone please clarify for us?

  • This one got me too. I re-read the configuration guide under this section, matched up the watch-timeout and ruled out my original intention of using intercept mode. The first part of the question states that the router should proxy the connections; that should dictate intercept mode. Setting connection-timeout produces the same 30 second timeout as the default watch mode.



  • I agree, for this task I'm not sure the SG is correct. In the archives there are 10 comments about this task, but none is sure what is correct. This is an "ask the proctor" task.
