Cisco Secure PIX Firewall Advanced (CSPFA)


9E E0-571 Cisco Secure PIX Firewall Advanced (CSPFA) Version

Important Note
Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check the products page on the TestKing web site for an update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:
1. Go to
2. Click on Login (upper right corner)
3. Enter and password
4. The latest versions of all purchased products are downloadable from here. Just click the links.

For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback
Feedback on specific questions should be sent to
You should state
1. Exam number and version.
2. Question number.
3. Order number and login ID.
Our experts will answer your mail promptly.

Copyright
Each pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws

Note: Section A contains 59 questions and Section B contains 170. The total number of questions is 229.

Section A
Study these questions carefully.

QUESTION NO: 1
Which PIX feature denies a user the ability to perform Telnet?
A. Accounting
B. Authorization
C. Authentication
D. Accounting and authorization

QUESTION NO: 2
Which two AAA protocols and servers does the PIX Firewall support? (Choose two)
A. Access control list.
B. Synchronous Communication Server.
C. Remote Authentication Dial-In User Service.
D. Terminal Access Controller Access Control System Plus.
, D

QUESTION NO: 3
Enter the function of the PIX Firewall that provides a safeguard in case a PIX Firewall fails.
Answer: Failover

QUESTION NO: 4
What does the nat command allow you to do on the PIX Firewall? (Choose two)
A. Enable address translation for internal addresses.
B. Enable address translation for external addresses.
C. Disable address translation for internal addresses.
D. Disable address translation for external addresses.
E. Enable address translation for both external and internal addresses.
F. Disable address translation for both external and internal addresses

, C

QUESTION NO: 5
Exhibit: Match the characteristics of the Adaptive Security Algorithm (ASA) security level with the correct levels

Answer:

QUESTION NO: 6
Which four tasks should you perform to configure an IPSec-based VPN with the PIX Firewall? (Choose four)
A. Configure accounting.
B. Configure authorization.
C. Configure authentication.
D. Configure the PIX Firewall.
E. Configure the IKE parameters.
F. Configure the IPSec parameters.
G. Prepare for configuring VPN support.
H. Test and verify the VPN configuration.
Answer: E, F, G, H

QUESTION NO: 7
Any unprotected inbound traffic on the PIX Firewall that matches a permit entry in the crypto access list for a crypto map entry, flagged as IPSec, will be
A. Dropped
B. Completed
C. Authorized
D. Authenticated

QUESTION NO: 8

What should you do to prepare for configuring VPN support on the PIX Firewall?
A. Plan in advance.
B. Minimize mis-configuration.
C. Configure IPSec encryption correctly the first time.
D. Define the overall security needs and strategy based on the overall company security policy.

QUESTION NO: 9
Match the elements of the command for the PIX firewall to the description for the outbound command. Drag and drop.
Exhibit:
Answer:

QUESTION NO: 10
What are packets inspected for on the PIX firewall?
A. For invalid users.
B. For mis-configuration.
C. For incorrect addresses.
D. For malicious application misuse.

QUESTION NO: 11
With which two Cisco IOS Firewall security features is the authentication proxy compatible? (Choose two)
A. Cisco router
B. Network address translation
C. Protocol address translation
D. Content-Based Access Control
, D

QUESTION NO: 12
Which three thresholds does CBAC on the Cisco IOS Firewall provide against DoS attacks? (Choose Three)
A. The number of half-open sessions based upon time.
B. The total number of half open TCP or UDP sessions.
C. The number of fully-open sessions based upon time.
D. The number of half-open TCP-only sessions per host

E. The total number of fully-open TCP or UDP sessions.
F. The number of fully-open TCP-only sessions per host.
, B, D

QUESTION NO: 13
What does CBAC on the Cisco IOS Firewall do?
A. Creates specific security policies for each user.
B. Protects the network from internal attacks and threats.
C. Provides additional visibility at intranet, extranet and Internet perimeters.
D. Provides secure, per-application access control across network perimeters.

QUESTION NO: 14
What are three methods for configuring basic router security on the Cisco IOS Firewall? (Choose three)
A. Turn off services.
B. Set global timeouts.
C. Set global thresholds.
D. Use password encryption.
E. Define inspection rules.
F. Set console and VTY access.
, C, E

QUESTION NO: 15
Why does the aaa command reference the group tag on the PIX Firewall?
A. To direct the interface name to the AAA server.
B. To direct the IP address to the appropriate AAA server.
C. To direct authentication, authorization or accounting traffic to the appropriate AAA server.
D. To direct authentication, authorization or accounting traffic to the appropriate PIX Firewall

QUESTION NO: 16
Which two databases does the PIX Firewall use to authenticate cut-through proxy? (Choose two)
A. ACS NT
B. RADIUS+
C. ACS UNIX
D. TACACS
, D

QUESTION NO: 17
Enter the command that enables failover between two PIX Firewalls.
Answer: Failover active

QUESTION NO: 18
Enter the command that allows the IP addresses to be updated in the translation table for the PIX Firewall
lear xlate

QUESTION NO: 19
Which portion of the conduit command denies access through the PIX Firewall if the conditions are met?
Answer: deny

QUESTION NO: 20
What does deny mean in regards to crypto access lists on the PIX firewall?
A. It specifies that no packets are encrypted.
B. It specifies that matching packets must be encrypted.
C. It specifies that mismatched packets must be encrypted.
D. It specifies that matching packets need not be encrypted

QUESTION NO: 21
What is the goal of pre-planning before configuring an IPSec based VPN when using the PIX Firewall?
A. To plan in advance.
B. To minimize misconfiguration.
C. To identify IPSec peer router Internet Protocol addresses and host names.
D. To determine key distribution methods based on the numbers and locations of IPSec peers.

QUESTION NO: 22
Which three problems can ActiveX cause for network clients using the PIX Firewall? (Choose three)
A. It can attack servers.
B. It can block HTML commands.
C. It can block HTML comments.
D. It can download Java applets.
E. It can cause workstations to fail.
F. It can introduce network security problems.
,?,?

QUESTION NO: 23
How does passive mode FTP on the PIX firewall support inside clients without exposing them to attack?
A. There is no data connection.
B. Port 20 remains open from outside to inside.
C. Port 21 remains open from inside to outside.
D. The client initiates both the command and data connections

QUESTION NO: 24
Enter the command that enables the AAA access control system in the global configuration.
Answer: aaa new-model

QUESTION NO: 25
Enter the command that encrypts all user passwords within the Cisco IOS Firewall.
Answer: no service password-encryption

QUESTION NO: 26
Each session allows you four attempts to correctly authenticate to the PIX Firewall before it drops the connection?
A. FTP
B. HTTP
C. Telnet
D. Accounting

QUESTION NO: 27
Enter the command that allows the PIX Firewall to enable and configure accounting for all services and to select services.
Answer: aaa accounting

QUESTION NO: 28
Why does failover begin a series of interface tests on the PIX Firewall?
A. To check the failover cable.
B. To clear the received packets.
C. To determine which PIX Firewall has failed.
D. To determine which interface has the failover packet

QUESTION NO: 29
Match the command to the correct interface when configuring the PIX Firewall.
Exhibit:
Answer:

QUESTION NO: 30
What does deny instruct the PIX Firewall to do when configuring IPSec parameters for the PIX firewall?

A. It routes traffic in the clear.
B. It configures the transform set.
C. It encrypts Internet Protocol packets.
D. It causes all Internet protocol traffic to be protected by crypto.

QUESTION NO: 31
Each IPSec peer individually enrolls with the CA server and obtains which two keys, using the PIX Firewall? (Choose two)
A. Public encryption
B. Private encryption
C. Public authorization
D. Public authentication
E. Private authorization
F. Private authentication
, B

QUESTION NO: 32
Which three statements about DNS Guard on the PIX Firewall are true? (Choose three)
A. It is always enabled.
B. It is always disabled.
C. It causes UDP session hijacking and denial-of-service attacks.
D. It prevents UDP session hijacking and denial-of-service attacks.
E. It automatically creates a UDP conduit as soon as the DNS response is received.
F. It automatically tears down a UDP conduit as soon as the DNS response is received.
, D, F

QUESTION NO: 33
Which part of the command specifies the service users are allowed to access, when configuring user authorization profiles?
A. protocol
B. host ip_addr
C. eq auth_service
D. ip_addr wildcard mask

QUESTION NO: 34
What does the authentication proxy feature of the Cisco IOS Firewall allow network administrators to do?
A. Tailor access privileges on an individual basis.
B. Use a general policy applied across multiple users.
C. Use a single security policy that is applied to an entire user group or subnet.
D. Keep user policies active even when there is no active traffic from the authenticated users.

QUESTION NO: 35
What happens when you see the "Authentication Successful" message during the virtual Telnet authentication of the PIX Firewall?
A. The user is automatically logged out.
B. All entries in the uauth cache are cleared.
C. The user must provide a username and password.
D. Authentication credentials are cached in the PIX Firewall for the duration of the uauth timeout.

QUESTION NO: 36
What happens at the end of each test during failover interface testing on the PIX firewall?
A. Network traffic is generated.
B. The PIX Firewall receives traffic for a test.
C. Each PIX Firewall looks to see if it has received any traffic.
D. Each PIX Firewall clears its received packet count for its interface.

QUESTION NO:

Enter the command that assigns a name and a security level to each interface of the PIX
Answer: nameif ethernet0 perimeter1 security100

QUESTION NO: 38
Which four steps are used to configure IKE parameters when configuring PIX Firewall IPSec? (Choose Four)
A. Test VPN.
B. Verify VPN.
C. Apply crypto map.
D. Configure crypto map.
E. Enable or disable IKE.
F. Verify IKE phase 1 details.
G. Configure phase 1 policy.
H. Configure IKE pre-shared key.
Answer: E, F, G, H

QUESTION NO: 39
Match the VPN features that IPSec enables through the PIX Firewall with the correct descriptions.
Exhibit:


Answer:

QUESTION NO: 40
Which four items does the outbound command let you specify on the PIX Firewall? (Choose four)
A. Whether inside users can access outside servers.
B. Whether outside users can access outside servers.
C. Whether inside users can use outbound connections.
D. Whether outside users can use inbound connections.
E. Whether outbound connections can execute Java applets on the inside network.
F. Whether inbound connections can execute Java applets on the outside network.
G. Which services outside users can use for inbound connections and for accessing inside servers.
H. Which services inside users can use for outbound connections and for accessing outside servers.
, C, E, H

QUESTION NO: 41
How does the user trigger the authentication proxy after the idle timer expires?
A. By authenticating the user.
B. By initiating another HTTP session.
C. By entering a new user name and password.
D. By entering a valid user name and password

QUESTION NO: 42
Which three features does Cisco IOS Firewall use? (Choose three)
A. PIX Firewall
B. Flash memory
C. Stateful Failover
D. Authentication proxy
E. Intrusion detection systems
F. Content based access control
, E, F

QUESTION NO: 43
A user is allowed to perform FTP but not HTTP. Which feature performs this function within the PIX Firewall?
A. Accounting only.
B. Authorization only.
C. Authentication only.
D. Accounting and authentication.

QUESTION NO: 44
Which addresses does the primary PIX Firewall use when in active mode?
A. Media access control addresses only.
B. System Internet Protocol addresses and media access control addresses.
C. Failover Internet Protocol addresses and media access control addresses.
D. System Internet Protocol addresses and failover Internet Protocol addresses.

QUESTION NO: 45
What is the purpose of verifying the IKE Phase 1 policy with the PIX Firewall?
A. To specify the hash algorithm.
B. To configure the IPSec parameters.
C. To specify the authentication method

D. To display configured and default IKE policies.

QUESTION NO: 46
What is the purpose of WebSENSE with the PIX Firewall?
A. To control or monitor activity.
B. To control or monitor Internet activity.
C. To control or monitor inside client activity.
D. To control or monitor outside client activity.

QUESTION NO: 47
What happens if the user fails to authenticate with the AAA server on a CSIS router?
A. A password is requested.
B. Authentication is completed.
C. The connection request is dropped.
D. The connection request is completed.

QUESTION NO: 48
What is the default for Interface Configuration during basic configuration of the Cisco Secure ACS Network Access Server on the PIX Firewall?
A. Enabled
B. Disabled
C. Automatically enabled
D. Identical passwords required

QUESTION NO: 49
Why is the ASA important for the PIX Firewall? (Choose three)

A. It monitors return packets to assure validity.
B. It allows two-way connections on all systems.
C. It allows one-way connection with an explicit configuration on each internal system.
D. It allows one-way connection with an explicit configuration on each external system
E. It allows one-way connection without an explicit configuration on each internal system.
F. It randomizes the TCP sequence number, which minimizes the risk of attack.
, C, F

QUESTION NO: 50
How do you choose the specific values for each IKE parameter when using the PIX Firewall?
A. Using host names.
B. Using the remote level you desire and the host peer you will connect to.
C. Using the remote level you desire and the destination peer you will connect to.
D. Using the security level you desire and the type of IPSec peer you will connect to.

QUESTION NO: 51
What is the purpose of UDP resend on the PIX Firewall when using Real Networks' RDT mode?
A. It connects the client to the server.
B. It connects the outside client to the inside client.
C. The client requests that the server try to resend lost data packets.
D. Media delivery uses the standard UDP packet format to go from the server to the client.

QUESTION NO: 52
What happens in the aggressive mode of the CBAC on the Cisco IOS Firewall?
A. CBAC deletes all half-open sessions.
B. CBAC re-initiates half-open sessions.
C. CBAC completes all half-open sessions, making them fully-open sessions.
D. CBAC deletes half-open sessions as required to accommodate new connection requests

QUESTION NO: 53
Enter the command that writes the configuration into Flash memory of the PIX Firewall.
Answer: write memory

QUESTION NO: 54
Enter the command that defines a static or default route for an interface on the PIX Firewall.
Answer: ip route

QUESTION NO: 55
What does permit mean in regards to crypto access lists on the PIX Firewall?
A. It specifies that no packets are encrypted.
B. It specifies that matching packets must be encrypted.
C. It specifies that mismatched packets must be encrypted.
D. It specifies that matching packets need not be encrypted.

QUESTION NO: 56
How does the PIX firewall provide secure connections for Real Audio and CUSeeME?
A. It statically opens UDP ports.
B. It statically closes UDP ports.
C. It statically opens and closes UDP ports.
D. It dynamically opens and closes UDP ports

QUESTION NO: 57
What does a half-open TCP session on the Cisco IOS Firewall mean?
A. The session was denied.
B. The firewall detected return traffic.
C. A three-way handshake has been completed.
D. The session has not reached the established state.

QUESTION NO: 58
Why do the connections remain with stateful failover on the PIX Firewall?
A. Stateful failover passes per-connection stateful information to the active PIX Firewall.
B. Stateful failover passes per-connection stateful information to the standby PIX Firewall.
C. Stateful failover does not pass per-connection stateful information to the active PIX Firewall.
D. Stateful failover does not pass per-connection stateful information to the standby PIX Firewall.

QUESTION NO: 59
Which command limits the hosts that are allowed to Telnet to the Cisco IOS Firewall router?
A. password
B. access-list
C. enable mode
D. disable mode

Section B
Study these questions as well.

QUESTION NO: 1
What is the default TCP timeout for inactivity on CBAC?
A. 360 seconds
B seconds
C. 255,000 seconds
D seconds

QUESTION NO: 2
What is NAT?
A. Access control
B. Default hostname of the Cisco PIX
C. Network access translations
D. IP addressing translating

QUESTION NO: 3
What does PAM stand for?
A. Port address mapping
B. Port allocation mapping
C. Port to application mapping
D. Port address management

QUESTION NO: 4
What are the two types of PIX firewall translations?
A. Dynamic
B. PAM
C. Default

D. Static
, D

QUESTION NO: 5
No packets can traverse the PIX Firewall without a connection and state?
A. True
B. False

QUESTION NO: 6
How do you save the PAM mappings?
A. Copy pam-mappings flash
B. They are automatically saved
C. Save pam-mappings
D. Copy run start

QUESTION NO: 7
What command enables the failover feature on the PIX506?
A. Failover is not supported on the PIX506
B. Failover standby
C. Enable failover
D. Enable standby

QUESTION NO: 8
What needs to be done to the clients in case of a PIX stateful failover situation?
A. A router is required to redirect to the PIX in case of failover
B. The arp table must be cleared on all client computers
C. All clients must have the default gateway changed to the now active PIX

D. Nothing.
Actually, nothing needs to be done if two PIXs are hooked up and failover is active, and the Primary fails. With stateful failover, all the actual connection states that are created in the Primary PIX are replicated to the standby PIX. In the event of a failover, the XLATE table is the same on standby unit so when it becomes the Primary, nothing needs to be done. It is transparent to all the hosts on the network.

QUESTION NO: 9
What three commands are required for stateful failover?
A. failover ip address inside
B. stateful failover
C. failover on
D. failover link intf2
, C, D

QUESTION NO: 10
What is a limitation of PAT?
A. Very processor intensive
B. Supports very few clients
C. Only supported on Cisco IOS routers
D. Does not support multi-media protocols

QUESTION NO: 11
What protocols trigger authentication proxy?
A. FTP
B. SSL
C. Telnet
D. HTTP

QUESTION NO: 12
How are outbound TCP sessions handled?
A. TCP sessions are allowed inbound unless blocked by an access list
B. PIX does not inspect TCP traffic
C. TCP sessions are maintained in a state table
D. TCP sessions are authorized inbound and outbound by default.

QUESTION NO: 13
What are the three access modes in the PIX?
A. Privileged
B. Unprivileged
C. Configuration
D. Enable
E. User
, B, C

QUESTION NO: 14
What would be the purpose of multiple interfaces?
A. For redundant Internet connections
B. To create separate secure networks
C. For redundancy
D. Multiple interfaces is not supported on the PIX

QUESTION NO: 15
Pix firewall only supports TACACS+.
A. False
B. True

QUESTION NO: 16
What are some limitations of authentication proxy?
A. Client browsers must have JavaScript enabled for secure authentication.
B. Does not support AAA
C. HTTP must be running on the standard port
D. HTTP is the only triggering protocol
, B, C, D

QUESTION NO: 17
What are TCP half open sessions?
A. TCP sessions that span several ports
B. One way TCP sessions
C. TCP sessions that have not completed the 3-way handshake
D. TCP sessions initiated from inside the PIX

QUESTION NO: 18
What is the purpose of inspection rules in CBAC configurations?
A. Defines what IP traffic is denied
B. Defines what application layer protocols will be denied
C. Defines what IP traffic will be permitted
D. Defines what application layer protocols will be inspected

QUESTION NO: 19
What features are authentication proxy compatible with?
A. NAT
B. VPN Client
C. IPSEC
D. CBAC

, B, C, D

QUESTION NO: 20
By default, how are outbound connections handled by the PIX?
A. All outbound connections are allowed, except those specifically denied by access control lists.
B. All ports on the PIX are open by default until you lock them down. Therefore all connections are allowed until access control list are implemented.
C. Depends upon the user
D. All outbound connections are denied, except those specifically allowed.

QUESTION NO: 21
How do you save the running configuration to the startup configuration on the PIX firewall?
A. Copy running-configuration flash
B. Write memory
C. Copy running-configuration startup-configuration
D. Save configuration

QUESTION NO: 22
What command enables authentication proxy?
A. router(conf)#ip authentication-proxy <name>
B. router#ip authentication-proxy <name>
C. router(conf-if)#ip authentication-proxy <name>
D. router#enable ip authentication proxy

QUESTION NO:

What command enables activex blocking?
A. activex filter
B. no activex
C. block activex
D. filter activex

QUESTION NO: 24
How do you view all active static translations?
A. show static translations
B. show all static translations
C. show xlate state static
D. show translations state static

QUESTION NO: 25
The IP address assigned to the outside interface cannot be used for PAT.
A. False
B. True

QUESTION NO: 26
What command is used to verify PAM?
A. show port-map
B. show pam
C. show ip pam
D. show ip port-map

QUESTION NO:

What command is used to disable NAT?
A. Disable NAT
B. Disable IP NAT
C. NAT 0
D. No NAT

QUESTION NO: 28
What is the name of the two default interfaces on the PIX?
A. public
B. outside
C. inside
D. private
, C

QUESTION NO: 29
How much RAM/Flash does the PIX506 base model have?
A. 32/8
B. 256/32
C. 16/16
D. 128/16

QUESTION NO: 30
What is the purpose of authorization with AAA?
A. Authorization is not supported on the PIX
B. To determine who has authorized access
C. To determine what services a user is authorized to utilize.
D. To determine which PIX is authorized to allow traffic to pass

QUESTION NO: 31
How do you enable URL filtering on the PIX?
A. enable url-filtering
B. It is enabled by default
C. filter url
D. url-filtering

QUESTION NO: 32
What is data integrity?
A. IPSec receiver can detect & reject replayed packets
B. Packets are authenticated by receiver to ensure no alterations have been made
C. Packets are encrypted before transmitting them across a network
D. Receiver can authenticate source of IPSec packets

QUESTION NO: 33
What is anti-replay?
A. Receiver can authenticate source of IPSec packets
B. Receiver authenticates packets to ensure no alterations have been made
C. IPSec receiver can detect & reject replayed packets
D. IPSec sender can encrypt packets before transmitting them across a network

QUESTION NO: 34
How do you display dynamic ACL entries on an authentication proxy router?
A. Show access-list authentication proxy
B. Show dynamic-entries access-list
C. Show access-list
D. Show authentication-proxy access-list entries

QUESTION NO: 35
What happens if the global timeouts are different on two IPSec peers?
A. Nothing
B. The highest value is used
C. The lowest value is used
D. The PIX default timeout is used

QUESTION NO: 36
What is the purpose of the alias command?
A. To allow internal users to use the FQDN that is registered on an external DNS server
B. To assign a name to an IP host
C. To hide inside addresses from the Internet
D. To assign a name to the PIX firewall

QUESTION NO: 37
What three things does IKE provide?
A. Security payload encapsulation
B. IPSec peer authentication
C. IPSec SA negotiations
D. IPSec key establishment
, C, D

QUESTION NO: 38
What is required to perform a password recovery on the PIX520?
A. Change to the boot sequence
B. Change to the registry

C. Pix Password Lockout Utility
D. Reboot
, D

QUESTION NO: 39
How do you edit a system defined PAM mapping?
A. ip pam <port number>
B. System defined mappings cannot be changed
C. ip port-map <port number>
D. ip port-map port <port number>

QUESTION NO: 40
What is data origin authentication?
A. Receiver authenticates packets to ensure no alterations have been made
B. IPSec receiver can detect & reject replayed packets
C. IPSec sender can encrypt packets before transmitting them across a network
D. Receiver can authenticate source of IPSec packets

QUESTION NO: 41
What does CBAC offer?
A. Application layer examination
B. PAM
C. Routing
D. Routing protocol encryption

QUESTION NO: 42
What would be a reason to change the activation key on the PIX?

A. The activation key cannot be changed
B. Enable DES
C. Upgrade IOS version
D. Install new memory

QUESTION NO: 43
What does the AH security protocol provide?
A. encrypted data routing
B. data authentication
C. peer identification
D. anti-replay services
, D

QUESTION NO: 44
How do you clear all active translations?
A. Delete translations
B. Clear translations
C. Clear xlate
D. Clear translations *

QUESTION NO: 45
What does the following command accomplish?
IP port-map http port 21
A. It allows HTTP traffic to port 21
B. Nothing
C. It allows HTTP & FTP traffic to port 21
D. It allows FTP traffic to port 80 and HTTP traffic to port

QUESTION NO: 46
What is supported on the PIX for stateful failover?
A. Ethernet
B. ATM
C. Token Ring
D. FDDI

QUESTION NO: 47
How does activex blocking affect activex traffic to servers identified by an alias command?
A. Allows activex traffic to the server
B. Inspects the activex applet from the servers
C. Does not block activex traffic from the server
D. Blocks all activex traffic from the server

QUESTION NO: 48
What command clears the IPSec security associations?
A. clear ipsec sa
B. clear security-associations
C. clear ipsec
D. clear sa

QUESTION NO: 49
By default what are the two interface names on the PIX Firewall?
A. Ethernet
B. DMZ
C. Serial
D. 100Mb
E. Inside
F. Outside

Answer: E, F

QUESTION NO: 50
What platforms support CBAC?
A. PIX 515
B
C. PIX 506
D. 2500
, D

QUESTION NO: 51
How do you view the running configuration?
A. write terminal
B. show running-configuration
C. show all-configuration
D. show configuration

QUESTION NO: 52
What is the purpose of the "nameif" command?
A. To shutdown an interface on the PIX
B. To enable an interface on the PIX
C. The nameif is not a valid PIX command.
D. To assign a security level and name to an interface.

QUESTION NO: 53
In the following command, what does the keyword "http" represent?
Ip port-map http port 81
A. It identifies the table for the port-mapping to reference

B. Nothing, the command is invalid
C. it identifies the application name
D. it redirects all http traffic from port 80

QUESTION NO: 54
How does CBAC allow traffic through the router?
A. All traffic is blocked by the router
B. Traffic must be permitted in the pre-configured access-list
C. All traffic is allowed through
D. Using access-list entries

QUESTION NO: 55
How is the configuration maintained between the primary PIX and the standby unit?
A. Standby is configured and configuration is replicated to primary
B. Primary is configured and configuration is replicated to standby
C. Both must be configured separately
D. The standby does not maintain a current configuration until failover occurs

QUESTION NO: 56
What command saves the CA settings & policies?
A. ca save all
B. save ca
C. Write memory
D. They cannot be saved

QUESTION NO:

How do you clear the logging buffer?
A. clear buffer
B. delete log
C. clear logging
D. delete log

QUESTION NO: 58
What is the purpose of the xlate command?
A. To configure translations
B. To configure PIX global timeouts
C. Xlate is not a valid command
D. To view and clear translations

QUESTION NO: 59
Which interfaces does the PIX send "hello" packets out of for failover?
A. Only interfaces directly connected to each other
B. Inside
C. All including the failover cable
D. None, just over the failover cable

QUESTION NO: 60
What is the purpose of PAM?
A. To identify users via port mapping
B. To create address pools for NAT
C. There is no such feature
D. To customize TCP & UDP port numbers

QUESTION NO: 61
How do you determine the amount of memory and flash installed in the PIX?
A. show flash
B. show dram
C. show version
D. show memory

QUESTION NO: 62
What are the two ways security associations can be established?
A. Manual
B. CRYPTO
C. ISAKMP
D. IKE.
, D

QUESTION NO: 63
What does the "conduit" command do?
A. Nothing, the conduit is not a valid command on the PIX
B. Enables the conduit interface on the PIX.
C. Permits/denies traffic if the specified conditions are met.
D. Maps a local address to a global address.

QUESTION NO: 64
What command enables AAA on a Cisco router?
A. aaa radius
B. aaa enable
C. enable aaa
D. aaa new-model

QUESTION NO: 65
How does a user receive a login screen through authentication proxy?
A. Clicking on the authentication proxy icon on the desktop
B. They do not, as authentication proxy uses their NT login
C. By opening an Internet browser
D. From a command prompt

QUESTION NO: 66
How are outbound UDP sessions handled?
A. A connection state is maintained on the PIX.
B. All UDP traffic is permitted inbound unless blocked with an access-list
C. The PIX does not recognize UDP sessions
D. All UDP traffic is blocked outbound unless permitted with an access-list

QUESTION NO: 67
What is the purpose of a Web sense server?
A. To host our website
B. It is a syslog server for the PIX
C. URL filtering
D. To monitor the state of your Internet connection

QUESTION NO: 68
How does the PIX initiate new IPSec security associations using dynamic crypto maps?
A. By sending its public key to the remote peer
B. By sending an IKE key to the remote peer

C. By sending security association request to the remote peer
D. The PIX cannot initiate an IPSec sa using dynamic crypto maps

QUESTION NO: 69
What does CBAC stand for?
A. Control Based on Access list
B. Cisco Based Accounting Control.
C. Context Based Access Control
D. Cisco Based Access Control

QUESTION NO: 70
When do you need an access-list applied inbound to the inside interface?
A. When you want to block all outbound traffic
B. When you want to control the outbound traffic
C. Access-list cannot be applied to the inside interface
D. When you want to control inbound public traffic

QUESTION NO: 71
What command displays all security associations?
A. show ipsec security-associations
B. show ipsec security-associations
C. show ip security-associations
D. show ipsec security-associations all

QUESTION NO: 72
How do you map a port to a specific host?

42 A. You cannot map to a specific host B. IP port-map http port 81 host C. An access-list permitting the host is required D. IP port-map http port QUESTION NO: 73 What traffic is identified in the inbound access-list on a CBAC router? A. Permitting traffic to be inspected by CBAC B. FTP C. Denying traffic to be inspected by CBAC D. HTTP QUESTION NO: 74 What is the default time-out for authentication proxy? A. 60 seconds B. 6 minutes C. 60 minutes D. 360 seconds QUESTION NO: 75 How is URL filtering accomplished? A. With a Web sense server B. With a Cisco IDS C. With a PIX failover unit D. URL filtering is not supported QUESTION NO:

43 How do you reset a security association with an IPSec peer? A. Clear ipsec sa <peer name> B. Disconnect the PIX from the network C. Delete security-association D. You must delete all IPSec configurations and reconfigure QUESTION NO: 77 What is the command to assign an IP address to an interface? A. nameif inside IP address B. ip address inside C. inside address D. inside ip address QUESTION NO: 78 What command is utilized to upgrade the IOS version of the PIX? A. Copy tftp flash B. Copy flash tftp C. Write tftp flash D. Save tftp flash QUESTION NO: 79 What are the two types of global timeouts for IPSec on the PIX? A. bandwidth B. uptime C. number of PPTP connections D. time, D

QUESTION NO: 80
What two commands enable viewing the url filtering information?
A. show url-cache stats
B. show url-filtering
C. show filter-url
D. show perfmon
, D

QUESTION NO: 81
How does CBAC handle ICMP?
A. Only ICMP echo packets are inspected
B. All ICMP traffic is inspected by CBAC
C. ICMP traffic is not inspected by CBAC
D. ICMP traffic is denied by CBAC

QUESTION NO: 82
What two commands are needed for outbound access?
A. PAT
B. Access list
C. NAT
D. Global
, D

QUESTION NO: 83
What does the "clear filter" command accomplish?
A. Clears all filter counters displayed by the show filters command
B. Resets all filters to their original state
C. Invalid PIX command
D. Removes all filters from the PIX configuration

QUESTION NO: 84
How do you apply conduit statements to the outside interface?
A. With the use of the conduit-outside statement
B. With the use of the conduit-group statement
C. No configuration required
D. Conduit statements cannot be applied to the outside interface

QUESTION NO: 85
A crypto map statement can contain multiple access-lists.
A. False
B. True

QUESTION NO: 86
The PIX is a single point of failure and has no solution for redundancy. Cisco is working on a solution for this right now.
A. True
B. False

QUESTION NO: 87
In CBAC, how are dynamic access-list entries saved?
A. They are not saved
B. Write memory
C. Write tftp
D. Save access-list

QUESTION NO: 88
How is outbound access enabled?
A. Global
B. Static
C. NAT
D. Access-list
, C

QUESTION NO: 89
How is inbound access controlled?
A. Global
B. Access-list
C. Static
D. NAT
, C

QUESTION NO: 90
You can configure conduit statements on a PIX Firewall, but not access-list.
A. False
B. True

QUESTION NO: 91
What is data confidentiality?
A. IPSec receiver can detect & reject replayed packets
B. Receiver authenticates packets to ensure no alterations have been made
C. Packets are encrypted before they are transmitted across a network
D. Receiver can authenticate source of IPSec packets

QUESTION NO: 92
What is a false-positive alarm?
A. Alarms that do not reach their intended destination
B. Legitimate alarms that are not triggered
C. Alarms caused by legitimate traffic
D. Alarms that an administrator ignores

QUESTION NO: 93
What command displays the authentication proxy configuration?
A. Show version proxy-authentication
B. Show proxy-authentication
C. Show all proxy-authentication
D. Show ip proxy-authentication

QUESTION NO: 94
What is a dynamic crypto map?
A. There is no such thing as a dynamic crypto map
B. When the PIX gets the entire crypto map configuration from a CA
C. A crypto map created solely by the PIX upon negotiation with an IPSec peer
D. A crypto map without all the parameters configured

QUESTION NO: 95
Authentication proxy only works with TACACS+.
A. False
B. True

QUESTION NO: 96
What command is required to save the configuration to a remote device?
A. radius-server
B. Copy
C. Save
D. write

QUESTION NO: 97
For which three protocols does the PIX provide credential prompts, with the proper configuration of an AAA server?
A. HTTP
B. TFTP
C. FTP
D. HTTPS
E. Telnet
F. SSL
, C, E

QUESTION NO: 98
In CBAC, where does the router get the state table information?
A. By inspecting the packet
B. From a PIX firewall
C. From routing tables
D. Configured by administrator

QUESTION NO:
What command applies CBAC to an interface?
A. router# ip inspect NAME in interface outside
B. router(conf)#ip inspect NAME in
C. router(conf-if)#ip inspect NAME in
D. router(conf)#ip inspect NAME out

QUESTION NO: 100
With the PIX Firewall, you can configure:
A. Separate groups of TACACS+ or RADIUS servers for specifying different types of traffic
B. None of the above. PIX does not support TACACS+ or RADIUS.
C. Only TACACS+ for inbound & outbound connections
D. Only RADIUS for inbound & outbound connections

QUESTION NO: 101
What does ACS stand for?
A. Another Cisco Server
B. Authentication, Control, Secure
C. Access Control Server
D. Access, Control, Security

QUESTION NO: 102
What is required for stateful failover?
A. FDDI interface
B. 1 interface interconnected
C. PIX failover cable.
D. 3 interfaces interconnected
, C

QUESTION NO: 103
What is the goal of a DDOS attack?
A. To use the network to attack another network
B. To steal vital information
C. To take control of the network
D. To stop the network from working

QUESTION NO: 104
When configuring a security association in IPSec, the global lifetime default (the time when the security association is renegotiated) is 28,800 seconds.
A. True
B. False

QUESTION NO: 105
How many hosts will PAT support?
A.
B. unlimited
C.
D. 1

QUESTION NO: 106
How do you configure a Websense server on the PIX?
A. server
B. websense-server
C. url-server
D. websense

QUESTION NO: 107
What is one difference between conduit statements and access-lists?
A. Conduit statements can only contain permit statements
B. Conduit statements list the destination address before the source address and access-lists contain the source address before the destination address
C. Conduit statements do not contain the implicit deny any at the end
D. Access-list cannot be applied to the interfaces of the PIX

QUESTION NO: 108
The inbound access-list or conduit statements must include permit statements for all IPSec traffic.
A. False
B. True

QUESTION NO: 109
What is the purpose of the "logging trap" command?
A. Enables syslog traps
B. This is not a valid PIX command
C. Sends logs to a host named trap
D. Enables SMTP traps

QUESTION NO: 110
How do you configure a pool of public IP addresses?
A. Global command
B. Pool command
C. NAT command.
D. Static command

QUESTION NO: 111
PAT is not supported with the "fixup protocol rtsp" command.
A. True
B. False

QUESTION NO: 112
You are required to have two crypto access-lists for IPSec. One is to identify outbound traffic to be encrypted, and the other is to identify inbound traffic that should be encrypted.
A. False
B. True

QUESTION NO: 113
What is the purpose of authentication proxy?
A. Proxy of user logins
B. To enable AAA
C. Policies on per user basis
D. For user accounting

QUESTION NO: 114
To which PIX interface(s) do you apply the crypto map statements?
A. To the outside interface
B. To the inside interface
C. To any interfaces that IPSec packets will traverse
D. All PIX interfaces

QUESTION NO: 115
What three purposes does the failover cable serve?
A. Power status of the other unit
B. Communication link
C. Unit identification of both units
D. Stateful information
, B, C

QUESTION NO: 116
You have a PIX firewall and you are only given one public IP address from your ISP to use on the PIX. You do not have any type of servers that need to be accessed from the Internet. What is a valid quick solution to your problem?
A. Get a new ISP
B. PAT
C. Request additional IP addresses from your ISP
D. NAT

QUESTION NO: 117
How many default routes can be assigned to the PIX firewall?
A. 1 per network
B. 1.
C. As many as required
D. 1 per interface
E. 1 for the primary PIX and 1 for the standby PIX

QUESTION NO: 118
Without stateful failover, how are active connections handled?
A. Connections are maintained between the PIX and the failover unit
B. Dropped
C. UDP connections are maintained
D. TCP connections are maintained

QUESTION NO: 119
What is the purpose of the "fixup protocol" commands?
A. To identify what protocols are permitted through the PIX
B. Change PIX firewall application protocol feature
C. To identify what protocols are to be blocked by the PIX
D. To map a protocol to a TCP or UDP port

QUESTION NO: 120
In what version of IOS was the "ip port-map" command introduced?
A. 13.(1)
B.
C. 11.0(1)
D. (t)

QUESTION NO: 121
What is the first step in configuring IPSec without CA?
A. Crypto
B. ISAKMP
C. IKE
D. IPSEC

QUESTION NO: 122
How do you delete the following PAM entry?
IP port-map http port 81
A. clear IP port-map http port 81
B. This is a system-defined entry and cannot be deleted
C. no IP port-map http port 81
D. delete IP port-map http port 81

QUESTION NO: 123
What is the purpose of the outbound access-list for a CBAC solution?
A. To block all traffic, CBAC will then inspect the traffic and allow legitimate traffic out
B. Packets you want inspected by CBAC
C. There is no need for an outbound access-list in a CBAC solution
D. To identify legitimate inbound traffic from the Internet

QUESTION NO: 124
What does the "crypto access-list" command accomplish?
A. There is no such access list
B. They block non-encrypted traffic
C. They identify crypto map statements
D. Identifies which traffic is to be encrypted

QUESTION NO: 125
"Logging timestamp" specifies that syslog messages sent to the syslog server should have a time stamp value on each message.
A. True
B. False

QUESTION NO: 126
What is the layer-4 difference between Radius and TACACS+?
A. Radius uses TCP & TACACS+ uses UDP
B. Radius uses UDP & TACACS+ uses TCP
C. TACACS+ uses FTP & Radius uses TFTP
D. There is no layer-4 difference between Radius & TACACS+

QUESTION NO: 127
What two concepts are included in data authentication?
A. Anti replay
B. Data origin authentication
C. Data integrity.
D. Data confidentiality
, C

QUESTION NO: 128
You decide you need more interfaces for your PIX 515 and you already have the unrestricted license installed. The PIX firewall only shipped with 2 Ethernet interfaces. You install a new Ethernet interface that you ordered from Cisco. After you power the PIX on, you assign an IP address to the interface and configure a NAT & global statement for the new network. But users on the new network are unable to browse the Internet. What else do you need to do?
A. Enable the new interface in the configuration
B. Add the "conduit permit any any" statement to your configuration
C. Nothing. The problem is probably with the clients' workstations, not the PIX.
D. Add the Cisco client proxy software to each workstation on the new network

QUESTION NO: 129
What are some advantages of using the PIX firewall over other firewalls such as Microsoft Proxy?
A. No security problems from running on top of other operating systems
B. PIX firewall is plug and play, no configuration required
C. PIX inspects on lower layer protocols
D. PIX does stateful packet inspections
E. One box solution
, C, D, E

QUESTION NO: 130
How many interfaces does the PIX 515R support?
A. 3
B. 4
C. 2
D. 6

QUESTION NO: 131
How do you configure a PAT address?
A. Nat (Outside)
B. IP PAT (Outside)
C. PAT (Outside)
D. Global (Outside)

QUESTION NO: 132
What are the two transport layer protocols?
A. TCP
B. IP
C. ICMP
D. UDP
, D

QUESTION NO: 133
How many hello packets must be missed before the failover unit will become active?
A. 2
B. 3
C. 1
D. 5

QUESTION NO: 134
Only one IPSec tunnel can exist between two peers.
A. False
B. True

QUESTION NO: 135
What are two purposes of NAT?
A. To build routing tables
B. To expedite packet inspection
C. To connect two separate interfaces
D. To conserve non-rfc1918 addresses
E. To hide internal servers and workstations real IP addresses from the Internet
, E

QUESTION NO: 136
What does IKE Extended authentication provide?
A. Authentication of multiple IPSec peers
B. Auto-negotiation of IPSec security associations
C. User authentication using Radius/TACACS

QUESTION NO: 137
How do you view active NAT translations?
A. show nat-translations
B. show ip-nat translations
C. show xlate
D. show translations *

QUESTION NO: 138
Access-lists are supported with Radius authorization.
A. True.
B. False

QUESTION NO: 139
How are transform sets selected in manually established security associations?
A. Transform sets are not used in manually established security associations
B. Manually established security associations only have one transform set
C. The first transform set is always used
D. The first common transform set is used

QUESTION NO: 140
What are the two licenses supported on the PIX515?
A. Unrestricted
B. Limited
C. Restricted
D. Unlimited
, C

QUESTION NO: 141
What is the purpose of the "clear access-list" command?
A. Remove an access-list from an interface
B. To clear all access-list from the PIX
C. To clear all access-list counters
D. Invalid command

QUESTION NO: 142
At what layer of the OSI model does IPSec provide security?
A. 4
B. 7
C. 8
D. 3

QUESTION NO: 143
A transform set is a combination of &.
A. access-list
B. crypto maps
C. security protocols
D. algorithms
, D

QUESTION NO: 144
AAA stands for authentication, authorization, &.
A. application
B. accounting
C. access control
D. authenticity

QUESTION NO: 145
In CBAC, how are half-open sessions measured?
A. Both TCP & UDP half-open sessions are calculated
B. Only UDP half-open sessions are calculated
C. CBAC does not calculate half-open sessions
D. Only TCP half-open sessions are calculated

QUESTION NO: 146
What does DDOS stand for?
A. Distributed denial of service
B. Dedicated Department of Security
C. Dead, Denied, Out of Service
D. Demand denial of service

QUESTION NO: 147
What is the purpose of the "route 0 0" command?
A. To configure a static route
B. To enable routing on the PIX
C. To configure a default route
D. To route between 2 interfaces

QUESTION NO:
You establish an IPSec tunnel with a remote peer. You verify by viewing the security associations. You view the security associations two days later and find they are not there. What is the problem?
A. This would not happen
B. You have used an incorrect command to view the security associations
C. Your PIX is not powered up.
D. No traffic was identified to be encrypted.

QUESTION NO: 149
In CBAC, where are dynamic access entries added?
A. A new access-list is configured for each access entry
B. At the beginning of the access-list
C. A separate access-list is created for access entries
D. At the end of the access-list

QUESTION NO: 150
How do you identify a syslog server on the PIX?
A. logging host
B. TFTP server
C. syslog-server
D. syslog server

QUESTION NO: 151
CBAC inspection can only be configured in one direction.
A. False
B. True

QUESTION NO: 152
What is anti-replay?
A. IPSec peer will not accept old or duplicated packets
B. IPSec peer listens for all traffic from IPSec peer (at other end of tunnel), so as not to require any resends
C. The IPSec peer sends duplicates of each packet so as not to have to resend any packets
D. The IPSec peer will not resend packets.

QUESTION NO: 153
During IPSec security associations negotiation, if there are multiple transform sets, which one is used?
A. It does not matter
B. The first common one
C. The first one
D. The last one

QUESTION NO: 154
What three types of entries does the PAM table provide?
A. User defined
B. Internet specific
C. Host specific
D. System defined.
, C, D

QUESTION NO: 155
In AAA, what does the method keyword "local" mean?
A. That the AAA server is local
B. Deny if login request is local
C. Use the local database for authentication
D. Authenticate if login request is local

QUESTION NO: 156
At what frequency does the PIX send hello packets to the failover unit?
A. 15 seconds
B. 60 seconds
C. 6 seconds
D. 20 seconds

QUESTION NO: 157
What command deletes all authentication proxy entries?
A. Clear ip authentication-proxy cache
B. Clear ip authentication-proxy cache all
C. Clear ip authentication-proxy cache *
D. Clear authentication-proxy all entries

QUESTION NO: 158
What is the purpose of the access-group command?
A. To apply an access-list to an interface
B. This is not a valid command on the PIX firewall
C. To create an ACL
D. To group access-list together

QUESTION NO: 159
Default "fixup protocol" commands cannot be disabled.
A. True
B. False

QUESTION NO: 160
What is the purpose of a syslog server?
A. To host websites
B. To collect system messages
C. To maintain current backup configurations
D. To maintain URL filtering information

QUESTION NO: 161
What is required for stateful failover on the PIX 515?
A. Unrestricted software license
B. Cisco failover cable
C. Cisco IOS failover feature set
D. 2 Ethernet interfaces interconnected
, B, D

QUESTION NO: 162
In CBAC, what is a state table?
A. A table containing access-list information
B. A table containing information about the state of CBAC
C. A table containing information about the state of the packet's connection
D. A table containing routing information

QUESTION NO: 163
What two commands are needed for inbound access?
A. Static


More information

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0 ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0 Module 1: Intrusion Detection and Prevention Technology 1.1 Overview of Intrusion

More information

PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands

PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands Document ID: 63872 Introduction Prerequisites Requirements Components Used Related Products Conventions Network

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST IT Certification Guaranteed, The Easy Way! \ http://www.pass4test.com We offer free update service for one year Exam : 642-504 Title : Securing Networks with Cisco Routers and Switches Vendors

More information

Migrating to the Cisco ASA Services Module from the FWSM

Migrating to the Cisco ASA Services Module from the FWSM Migrating to the Cisco ASA Services Module from the FWSM Contents Information About the Migration, page 1 Migrating the FWSM Configuration to the ASA SM, page 2 Unsupported Runtime Commands, page 4 Configuration

More information

Cisco ASA 5500 LAB Guide

Cisco ASA 5500 LAB Guide INGRAM MICRO Cisco ASA 5500 LAB Guide Ingram Micro 4/1/2009 The following LAB Guide will provide you with the basic steps involved in performing some fundamental configurations on a Cisco ASA 5500 series

More information

ASA Access Control. Section 3

ASA Access Control. Section 3 [ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : 200-125 Title : CCNA Cisco Certified Network Associate CCNA (v3.0) Vendor : Cisco Version : DEMO Get

More information

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Fireware-Essentials.  Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7. Fireware-Essentials Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.0 http://www.gratisexam.com/ Fireware Essentials Fireware Essentials Exam Exam A QUESTION 1 Which

More information

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND) 100-105.exam Number: 100-105 Passing Score: 800 Time Limit: 120 min CISCO 100-105 Interconnecting Cisco Networking Devices Part 1 (ICND) Exam A QUESTION 1 Which route source code represents the routing

More information

CHAPTER 7 ADVANCED ADMINISTRATION PC

CHAPTER 7 ADVANCED ADMINISTRATION PC ii Table of Contents CHAPTER 1 INTRODUCTION... 1 Broadband ADSL Router Features... 1 Package Contents... 3 Physical Details... 4 CHAPTER 2 INSTALLATION... 6 Requirements... 6 Procedure... 6 CHAPTER 3 SETUP...

More information

Viewing Router Information

Viewing Router Information CHAPTER39 The Cisco Router and Security Device Manager (Cisco SDM) Monitor mode lets you view a current snapshot of information about your router, the router interfaces, the firewall, and any active VPN

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

Cisco Passguide Exam Questions & Answers

Cisco Passguide Exam Questions & Answers Cisco Passguide 642-648 Exam Questions & Answers Number: 642-648 Passing Score: 800 Time Limit: 120 min File Version: 61.8 http://www.gratisexam.com/ Cisco 642-648 Exam Questions & Answers Exam Name: Deploying

More information

This document is a tutorial related to the Router Emulator which is available at:

This document is a tutorial related to the Router Emulator which is available at: Introduction This document is a tutorial related to the Router Emulator which is available at: http://www.dcs.napier.ac.uk/~bill/router.html A demo is also available at: http://www.dcs.napier.ac.uk/~bill/router_demo.htm

More information

RX3041. User's Manual

RX3041. User's Manual RX3041 User's Manual Table of Contents 1 Introduction... 2 1.1 Features and Benefits... 3 1.2 Package Contents... 3 1.3 Finding Your Way Around... 4 1.4 System Requirements... 6 1.5 Installation Instruction...

More information

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version Cisco 642-515 CISCO 642-515 Securing Networks with ASA Advanced Practice Test Version 3.1 QUESTION NO: 1 Cisco 642-515: Practice Exam Which two statements correctly describe configuring active/active failover?

More information

Teacher s Reference Manual

Teacher s Reference Manual UNIVERSITY OF MUMBAI Teacher s Reference Manual Subject: Security in Computing Practical with effect from the academic year 2018 2019 Practical 1: Packet Tracer - Configure Cisco Routers for Syslog, NTP,

More information

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee HC-711 Q&As HCNA-CBSN (Constructing Basic Security Network) - CHS Pass Huawei HC-711 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money

More information

Configuring Group Policies

Configuring Group Policies CHAPTER 2 This chapter describes how to configure VPN group policies using ASDM. This chapter includes the following sections. Overview of Group Policies, Tunnel Groups, and Users, page 2-1 Group Policies,

More information

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL Contents: UniNets CCNA Security LAB MANUAL Section 1 Securing Layer 2 Lab 1-1 Configuring Native VLAN on a Trunk Links Lab 1-2 Disabling

More information

Cisco PIX. Interoperability Guide

Cisco PIX. Interoperability Guide Cisco PIX Interoperability Guide Copyright 2004, F/X Communications. All Rights Reserved. The use and copying of this product is subject to a license agreement. Any other use is strictly prohibited. No

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.3 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.3-111215-01-1215

More information

How to Configure the Cisco VPN Client to PIX with AES

How to Configure the Cisco VPN Client to PIX with AES How to Configure the Cisco VPN Client to PIX with AES Document ID: 42761 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configurations Network Diagram

More information

PIX/ASA 7.x and Later : Easy VPN with Split Tunneling ASA 5500 as the Server and Cisco 871 as the Easy VPN Remote Configuration Example

PIX/ASA 7.x and Later : Easy VPN with Split Tunneling ASA 5500 as the Server and Cisco 871 as the Easy VPN Remote Configuration Example PIX/ASA 7.x and Later : Easy VPN with Split Tunneling ASA 5500 as the Server and Cisco 871 as the Easy VPN Remote Configuration Example Document ID: 68815 Contents Introduction Prerequisites Requirements

More information

1.1 Configuring HQ Router as Remote Access Group VPN Server

1.1 Configuring HQ Router as Remote Access Group VPN Server Notes: 1.1 Configuring HQ Router as Remote Access Group VPN Server Step 1 Enable AAA model for local and remote access authentication. AAA will prompt extended authentication for remote access group VPN

More information

Network security session 9-2 Router Security. Network II

Network security session 9-2 Router Security. Network II Network security session 9-2 Router Security Network II Router security First line of defense of the network Compromise of a router can lead to many issues: Denial of network services Degrading of network

More information

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide SonicWALL Security Appliances SonicWALL SSL-VPN 200 Getting Started Guide SonicWALL SSL-VPN 200 Appliance Getting Started Guide This Getting Started Guide contains installation procedures and configuration

More information

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting.

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting. This chapter describes how to log system messages and use them for troubleshooting. About, page 1 Guidelines for, page 7 Configure, page 8 Monitoring the Logs, page 26 History for, page 29 About System

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication CHAPTER 42 This chapter describes how to configure web-based authentication. It consists of these sections: About Web-Based Authentication, page 42-1, page 42-5 Displaying Web-Based Authentication Status,

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any

More information

Indicate whether the statement is true or false.

Indicate whether the statement is true or false. Indicate whether the statement is true or false. 1. Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall s database or violations of those rules. 2.

More information

IPsec NAT Transparency

IPsec NAT Transparency The feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities

More information

AAA Configuration. Terms you ll need to understand:

AAA Configuration. Terms you ll need to understand: 10 AAA Configuration............................................... Terms you ll need to understand: AAA Cisco Secure Access Control Server (CSACS) TACACS+ RADIUS Downloadable access control lists Cut-through

More information

NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example

NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example Document ID: 71573 Contents Introduction Prerequisites Requirements Components Used Network Diagram

More information

Configuring Network Admission Control

Configuring Network Admission Control 45 CHAPTER This chapter describes how to configure Network Admission Control (NAC) on Catalyst 6500 series switches. With a PFC3, Release 12.2(18)SXF2 and later releases support NAC. Note For complete

More information

VRF Aware Cisco IOS Firewall

VRF Aware Cisco IOS Firewall VRF Aware Cisco IOS Firewall VRF Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF (Virtual Routing and Forwarding) interfaces when the firewall is configured on a service provider

More information

L2TP IPsec Support for NAT and PAT Windows Clients

L2TP IPsec Support for NAT and PAT Windows Clients L2TP IPsec Support for NAT and PAT Windows Clients The L2TP IPsec Support for NAT and PAT Windows Clients feature allows mulitple Windows client to connect to an IPsec-enabled Cisco IOS Layer 2 Tunneling

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

BIG-IP Access Policy Manager : Portal Access. Version 12.1

BIG-IP Access Policy Manager : Portal Access. Version 12.1 BIG-IP Access Policy Manager : Portal Access Version 12.1 Table of Contents Table of Contents Overview of Portal Access...7 Overview: What is portal access?...7 About portal access configuration elements...7

More information

Configuring Static and Dynamic NAT Translation

Configuring Static and Dynamic NAT Translation This chapter contains the following sections: Network Address Translation Overview, page 1 Information About Static NAT, page 2 Dynamic NAT Overview, page 4 Timeout Mechanisms, page 4 NAT Inside and Outside

More information

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0 DC-228 ADSL2+ Modem/Router -Annex A- User Manual Version: 1.0 TABLE OF CONTENTS 1 PACKAGE CONTENTS...3 2 PRODUCT LAYOUT...4 3 NETWORK + SYSTEM REQUIREMENTS...6 4 DC-228 PLACEMENT...6 5 SETUP LAN, WAN...7

More information

shun through sysopt radius ignore-secret Commands

shun through sysopt radius ignore-secret Commands CHAPTER 30 shun through sysopt radius ignore-secret Commands 30-1 shun Chapter 30 shun To block connections from an attacking host, use the shun command in privileged EXEC mode. To disable a shun, use

More information

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces.

More information

New Features for ASA Version 9.0(2)

New Features for ASA Version 9.0(2) FIREWALL Features New Features for ASA Version 9.0(2) Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core

More information

Table of Contents 1 IKE 1-1

Table of Contents 1 IKE 1-1 Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration

More information

Configuring IP Services

Configuring IP Services CHAPTER 8 Configuring IP Services This chapter describes how to configure optional IP services supported by the Cisco Optical Networking System (ONS) 15304. For a complete description of the commands in

More information

Access Rules. Controlling Network Access

Access Rules. Controlling Network Access This chapter describes how to control network access through or to the ASA using access rules. You use access rules to control network access in both routed and transparent firewall modes. In transparent

More information

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall

More information

Cisco CCIE Security Written.

Cisco CCIE Security Written. Cisco 400-251 CCIE Security Written http://killexams.com/pass4sure/exam-detail/400-251 QUESTION: 193 Which two of the following ICMP types and code should be allowed in a firewall to enable traceroute?

More information

Configuring PIX 5.1.x: TACACS+ and RADIUS

Configuring PIX 5.1.x: TACACS+ and RADIUS Configuring PIX 5.1.x: TACACS+ and RADIUS Document ID: 4613 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Authentication vs. Authorization What the

More information

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only. Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only. Transparently Routing Web Traffic to the Barracuda Web Security Gateway This article demonstrates

More information

Sample excerpt. Virtual Private Networks. Contents

Sample excerpt. Virtual Private Networks. Contents Contents Overview...................................................... 7-3.................................................... 7-5 Overview of...................................... 7-5 IPsec Headers...........................................

More information

Manual Overview. This manual contains the following sections:

Manual Overview. This manual contains the following sections: Table of Contents Manual Overview This manual contains the following sections: Section 1 - Product Overview describes what is included with the DIR-130 router, and things to consider before installing

More information

High Availability Synchronization PAN-OS 5.0.3

High Availability Synchronization PAN-OS 5.0.3 High Availability Synchronization PAN-OS 5.0.3 Revision B 2013, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Device Configuration... 4 Network Configuration... 9 Objects Configuration...

More information