PrepKing. PrepKing


PrepKing
Number:
Passing Score: 800
Time Limit: 60 min
File Version:

PrepKing

Sections
1. Lab
2. Pre-Production Design
3. Complex Operations
4. Advanced Troubleshooting
5. New Questions
6. LAB

Exam A

QUESTION 1
Using the default modular policy framework global configuration on the Cisco ASA, how does the Cisco ASA process outbound HTTP traffic?
A. HTTP flows are not permitted through the Cisco ASA, because HTTP is not inspected by default.
B. HTTP flows match the inspection_default traffic class and are inspected using HTTP inspection.
C. HTTP outbound traffic is permitted, but all return HTTP traffic is denied.
D. HTTP flows are statefully inspected using TCP stateful inspection.
Correct Answer: D
Section: Pre-Production Design

QUESTION 2
Which Cisco ASA feature enables the ASA to do these two things?
1) Act as a proxy for the server and generate a SYN-ACK response to the client SYN request.
2) When the Cisco ASA receives an ACK back from the client, the Cisco ASA authenticates the client and allows the connection to the server.
A. TCP normalizer
B. TCP state bypass
C. TCP intercept
D. basic threat detection
E. advanced threat detection
F. botnet traffic filter
Correct Answer: C
Section: Pre-Production Design

QUESTION 3
By default, which traffic can pass through a Cisco ASA that is operating in transparent mode without explicitly allowing it using an ACL?
A. ARP
B. BPDU
C. CDP
D. OSPF multicasts
E. DHCP
Correct Answer: A
Section: Pre-Production Design

QUESTION 4
Refer to the exhibit. Which Cisco ASA feature can be configured using this Cisco ASDM screen?
A. Cisco ASA command authorization using TACACS+
B. AAA accounting to track serial, ssh, and telnet connections to the Cisco ASA
C. Exec Shell access authorization using AAA
D. cut-thru proxy
E. AAA authentication policy for Cisco ASDM access
Correct Answer: D
Section: Pre-Production Design

QUESTION 5
Refer to the exhibit. The Cisco ASA is dropping all the traffic that is sourced from the internet and is destined to any security context inside interface. Which configuration should be verified on the Cisco ASA to solve this problem?
A. The Cisco ASA has NAT control disabled on each security context.

B. The Cisco ASA is using inside dynamic NAT on each security context.
C. The Cisco ASA is using a unique MAC address on each security context outside interface.
D. The Cisco ASA is using a unique dynamic routing protocol process on each security context.
E. The Cisco ASA packet classifier is configured to use the outside physical interface to assign the packets to each security context.
Correct Answer: C
Section: Complex Operations

QUESTION 6
Which four types of ACL object group are supported on the Cisco ASA (release 8.2)? (Choose four.)
A. protocol
B. network
C. port
D. service
E. icmp-type
F. host
Correct Answer: ABDE
Section: Pre-Production Design

QUESTION 7
Refer to the exhibit. Which two statements about the class maps are true? (Choose two.)
A. These class maps are referenced within the global policy by default for HTTP inspection.
B. These class maps are all type inspect http class maps.

C. These class maps classify traffic using regular expressions.
D. These class maps are Layer 3/4 class maps.
E. These class maps are used within the inspection_default class map for matching the default inspection traffic.
Correct Answer: BC
Section: Pre-Production Design

QUESTION 8
Refer to the exhibit. A Cisco ASA in transparent firewall mode generates the log messages seen in the exhibit. What should be configured on the Cisco ASA to allow the denied traffic?
A. extended ACL on the outside and inside interface to permit the multicast traffic
B. EtherType ACL on the outside and inside interface to permit the multicast traffic
C. stateful packet inspection
D. static ARP mapping
E. static MAC address mapping
Correct Answer: A
Section: Advanced Troubleshooting

QUESTION 9
The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three Cisco ASA options will not support these requirements? (Choose three.)
A. transparent mode
B. multiple context mode
C. active/standby failover mode
D. active/active failover mode
E. routed mode
F. no NAT-control
Correct Answer: ABD
Section: Complex Operations

QUESTION 10
Refer to the exhibits. Which five options should be entered into the five fields in the Cisco ASDM Add Static Policy NAT Rule screen? (Choose five.)
access-list POLICY_NAT_ACL extended permit ip host
static (dmz,outside) access-list POLICY_NAT_ACL
A. dmz = Original Interface
B. outside = Original Interface
C = Original Source
D = Original Source
E /24 = Original Destination
F = Original Destination
G. dmz = Translated Interface
H. outside = Translated Interface
I = Translated Use IP Address
J = Translated Use IP Address
Correct Answer: ACEHI
Section: Pre-Production Design

QUESTION 11

By default, which access rule is applied inbound to the inside interface?
A. All IP traffic is denied.
B. All IP traffic is permitted.
C. All IP traffic sourced from any source to any less secure network destinations is permitted.
D. All IP traffic sourced from any source to any more secure network destinations is permitted.
Correct Answer: C
Section: Pre-Production Design

QUESTION 12
In which type of environment is the Cisco ASA MPF set connection advanced-options tcp-state-bypass option the most useful?
A. SIP proxy
B. WCCP
C. BGP peering through the Cisco ASA
D. asymmetric traffic flow
E. transparent firewall
Correct Answer: D
Section: Complex Operations

QUESTION 13
Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per second, 600,000 maximum connections, and traffic shaping?
A B C D
Correct Answer: B
Section: Pre-Production Design

QUESTION 14
Refer to the exhibit. What is the resulting CLI command?

A. match request uri regex _default_gotomypc-tunnel drop-connection log
B. match regex _default_gotomypc-tunnel drop-connection log
C. class _default_gotomypc-tunnel drop-connection log
D. match class-map _default_gotomypc-tunnel drop-connection log
Correct Answer: C
Section: Pre-Production Design

QUESTION 15
A customer is ordering a number of Cisco ASAs for their network. For the remote or home office, they are purchasing the Cisco ASA When ordering the licenses for their Cisco ASAs, which two licenses must they order that are "platform specific" to the Cisco ASA 5505? (Choose two.)
A. AnyConnect Essentials license
B. per-user Premium SSL VPN license
C. VPN shared license
D. internal user licenses
E. Security Plus license
Correct Answer: DE
Section: Pre-Production Design

QUESTION 16
With Cisco ASA active/standby failover, what is needed to enable sub-second failover?
A. Use redundant interfaces.
B. Enable the stateful failover interface between the primary and secondary Cisco ASA.
C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec.
D. Decrease the default number of monitored interfaces to 1.
Correct Answer: C
Section: Complex Operations

QUESTION 17
Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name command?
A. uRPF
B. TCP intercept
C. botnet traffic filter
D. scanning threat detection
E. IPS (IP audit)
Correct Answer: A
Section: Pre-Production Design

QUESTION 18
Refer to the exhibit. What can be determined about the connection status?

A. The output is showing normal activity to the inside web server.
B. Many HTTP connections to the web server have successfully completed the three-way TCP handshake.
C. Many embryonic connections are made from random sources to the web server.
D. The host is triggering SYN flood attacks against random hosts on the outside.
E. The web server is terminating all the incoming HTTP connections.
Correct Answer: C
Section: Advanced Troubleshooting

QUESTION 19
When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.)
A. Verify the interface status in the system execution space.
B. Verify the mac-address-table on the Cisco ASA.
C. Verify that unique MAC addresses are configured if the contexts are using non-shared interfaces.
D. Verify the interface status in the user context.
E. Verify the resource classes configuration by accessing the admin context.
Correct Answer: AD
Section: Advanced Troubleshooting

QUESTION 20
Which statement about the default ACL logging behavior of the Cisco ASA is true?
A. The Cisco ASA generates a system message for each denied packet when a deny ACE is configured.
B. The Cisco ASA generates a system message for each packet that matched an ACE.
C. The Cisco ASA generates a system message only for the first packet that matched an ACE.
D. The Cisco ASA generates a system message for each packet that matched an ACE.
E. No ACL logging is enabled by default.
Correct Answer: A
Section: Advanced Troubleshooting

QUESTION 21
When will a Cisco ASA that is operating in transparent firewall mode perform a routing table lookup instead of a MAC address table lookup to determine the outgoing interface of a packet?
A. if multiple context mode is configured
B. if the destination MAC address is unknown
C. if the destination is more than a hop away from the Cisco ASA
D. if NAT is configured
E. if dynamic ARP inspection is configured
Correct Answer: D
Section: Advanced Troubleshooting

QUESTION 22
Which flags should the show conn command normally show after a TCP connection has successfully been established from an inside host to an outside host?
A. ab
B. saa
C. slo
D. AIO
E. UIO
F. F
Correct Answer: E
Section: Advanced Troubleshooting

QUESTION 23
Refer to the exhibit. Which three configuration commands will enable the VPN client to get PATed to the IP address when accessing the DMZ? (Choose three.)

A. access-list client extended permit ip any
B. access-list client extended permit ip any
C. access-list client extended permit ip any
D. nat (outside) 1 access-list client
E. nat (dmz)
F. nat (dmz) 1 access-list client
Correct Answer: ACD
Section: Pre-Production Design

QUESTION 24
Refer to the exhibit. What is a reasonable conclusion?

A. The maximum number of TCP connections that the host can establish will be
B. All the connections from the have completed the TCP three-way handshake.
C. The hosts are generating a vast number of outgoing connections, probably due to a virus.
D. The host on the inside is under a SYN flood attack.
E. The host operations on the inside look normal.
Correct Answer: C
Section: Advanced Troubleshooting

QUESTION 25
In one custom dynamic application, the inside client connects to an outside server using TCP port 4444 and negotiates return client traffic in the port range of 5000 to The server then starts streaming UDP data to the client on the negotiated port in the specified range. Which Cisco ASA feature or command supports this custom dynamic application?
A. TCP normalizer
B. TCP intercept
C. ip verify command
D. established command
E. tcp-map and tcp-options commands
F. set connection advanced-options command
Correct Answer: D
Section: Complex Operations

QUESTION 26
Which two statements about Cisco ASA failover troubleshooting are true? (Choose two.)
A. With active/active failover, failover link troubleshooting should be done in the system execution space.
B. With active/active failover, ASR groups must be enabled.
C. With active/active failover, user data passing interfaces troubleshooting should be done within the context execution space.
D. The failed interface threshold is set to 1. Using the show monitor-interface command, if one of the monitored interfaces on both the primary and secondary Cisco ASA appliances is in the unknown state, a failover should occur.
E. Syslog level 1 messages will be generated on the standby unit only if the logging standby command is used.
Correct Answer: AC
Section: Advanced Troubleshooting

QUESTION 27
A Cisco ASA is operating in transparent firewall mode, but the MAC address table of the Cisco ASA is always empty, which causes connectivity issues. What should you verify to troubleshoot this issue?
A. if ARP inspection has been disabled
B. if MAC learning has been disabled
C. if NAT has been disabled
D. if ARP traffic is explicitly allowed using EtherType ACL
E. if BPDU traffic is explicitly allowed using EtherType ACL
Correct Answer: B
Section: Advanced Troubleshooting

QUESTION 28
When configuring security contexts on the Cisco ASA, which three resource class limits can be set using a rate limit? (Choose three.)
A. address translation rate
B. Cisco ASDM session rate
C. connections rate
D. MAC-address learning rate (when in transparent mode)
E. syslog messages rate
F. stateful packet inspections rate
Correct Answer: CEF
Section: Complex Operations

QUESTION 29
Refer to the exhibit. Which statement about the Telnet session from to is true?
A. The Telnet session should be successful.
B. The Telnet session should fail because the route lookup to the destination fails.
C. The Telnet session should fail because the inside interface inbound access list will block it.
D. The Telnet session should fail because no matching flow was found.
E. The Telnet session should fail because inside NAT has not been configured.
Correct Answer: C
Section: Pre-Production Design

QUESTION 30
Which Cisco ASA show command groups the xlates and connections information together in its output?
A. show conn
B. show conn detail
C. show asp
D. show local-host
Correct Answer: D
Section: Advanced Troubleshooting

QUESTION 31
By default, how does the Cisco ASA authenticate itself to the Cisco ASDM users?
A. The administrator validates the Cisco ASA by examining the factory built-in identity certificate thumbprint of the Cisco ASA.
B. The Cisco ASA automatically creates and uses a persistent self-signed X.509 certificate to authenticate itself to the administrator.
C. The Cisco ASA automatically creates a self-signed X.509 certificate on each reboot to authenticate itself to the administrator.
D. The Cisco ASA and the administrator use a mutual password to authenticate each other.
E. The Cisco ASA authenticates itself to the administrator using a one-time password.
Correct Answer: C
Section: Pre-Production Design

QUESTION 32
Refer to the exhibit. Which command enables the stateful failover option?

A. failover link MYFAILOVER GigabitEthernet0/2
B. failover lan interface MYFAILOVER GigabitEthernet0/2
C failover interface ip MYFAILOVER standby
C. preempt
D. failover group 1 primary
E. failover lan unit primary
Correct Answer: A
Section: Complex Operations

QUESTION 33
On Cisco ASA version 8.2, which four inspections are enabled by default in the global_policy? (Choose four.)
A. HTTP
B. ESMTP
C. SKINNY
D. ICMP
E. TFTP
F. SIP
Correct Answer: BCEF
Section: Pre-Production Design

QUESTION 34
Which flag shown in the output of the show conn command is used to indicate that an initial SYN packet is from the outside (lower security-level interface)?
A. B
B. D
C. b

D. A
E. a
F. I
G. 1
H. O
Correct Answer: A
Section: Advanced Troubleshooting
Reference: Official Guide page 343 onwards
a = awaiting outside ACK to SYN
A = awaiting inside ACK to SYN
B = initial SYN from outside
f = inside FIN
F = outside FIN
I = inbound data
O = outbound data
r = inside acknowledged FIN
R = outside acknowledged FIN
s = awaiting outside SYN
S = awaiting inside SYN
U = connection UP

QUESTION 35

A. allows the configuration of predefined user account privileges
B. allows tacacs
C. allow backup for group fail
D. allows AAA
Correct Answer: A
Section: Pre-Production Design

QUESTION 36
Refer to the exhibit. Which two CLI commands will result? (Choose two.)

A. aaa authorization network LOCAL
B. aaa authorization network default authentication-server LOCAL
C. aaa authorization command LOCAL
D. aaa authorization exec LOCAL
E. aaa authorization exec authentication-server LOCAL
F. aaa authorization exec authentication-server
Correct Answer: CD
Section: Pre-Production Design

QUESTION 37
A. create an access list on the inside and outside interface to permit multicast traffic (the answer may change to "extend ACL...")
B. create a policy map to match the routing protocol ospf
C. map the mac addresses of the two routers in the mac-address table

D.
Correct Answer: A
Section: New Questions

QUESTION 38
What SNMP feature is supported by the new ASA OS version?
A. SNMPv3 with 3 modes
B. SNMP 1 and 2c only
C. read-only and read-write
D. SNMPv2 with AES authentication encryption
Correct Answer: A
Section: New Questions

QUESTION 39
Which ASA model has a 4 port module attached to it, which cannot be removed?
A. ASA 5505
B. ASA 5520
C. ASA 5540
D. ASA 5550
E. ASA 5580
Correct Answer: D
Section: New Questions
Reference: Official Guide - Page 49

QUESTION 40
Which of the following configurations are needed to enable SNMPv3 on a Cisco ASA? (Choose four)
A. SNMPv3 local Engine ID
B. SNMPv3 Remote Engine ID
C. SNMP User
D. SNMP Group
E. SNMP Community Strings
F. SNMP Host
Correct Answer: CDF
Section: New Questions

Reference: Official Guide Page 220+ and

QUESTION 41
How many monitored interfaces should be down to transfer to failover state?
A. 1
B. 2
C. 3
D. 4
E. 5
Correct Answer: A
Section: New Questions

QUESTION 42
Which URI regular expression would match any webpage with the welcome.jpg?
A. ?/welcome*.jpg
B. ?/welcome\.jpg
C. ^*/welcome\.jpg
D. ./welcome.jpg
E. ^*/welcome.jpg
Correct Answer: C
Section: New Questions
Reference: Official guide page = match any single character
^ = matches anything at the beginning of the line: any expression following the ^ will be matched only if it appears at the beginning of the line
* = matches 0, 1 or any number of the character preceding the *, i.e. w* can equal w, ww, www, wwww
\ = ignores the special function of the next letter
- = just as it is printed
Further reading

QUESTION 43
When a Cisco ASA is configured in multiple context mode, within which configuration are the interfaces allocated to the security contexts?
A. each security context

B. system configuration
C. admin context (context within the admin role)
D. context startup configuration file (.cfg file)
Correct Answer: B
Section: New Questions

QUESTION 44
Which statement about NAT/PAT is true?
A. Dynamic PAT is used for any traffic that is sourced from the dmz_ server to the outside
B. Dynamic PAT is used for any traffic that is sourced from any host on the inside network to the outside
C. Static NAT is used for any traffic that is sourced from the dmz_ server to the outside
D. Static PAT is used for any traffic that is sourced from the dmz_ server to the outside
E. Dynamic NAT is used for any traffic that is sourced from the dmz_ server to the outside
F. Dynamic NAT is used for any traffic that is sourced from any host on the guest-network to the outside
Correct Answer: A
Section: New Questions
Reference: Official guide Page 300 onwards

QUESTION 45
Which statement about SNMP support is true for the Cisco ASA running is true?
A. Only support running SNMP version 1 and 2c simultaneously
B. Support both read-only and read/write access
C. Support three SNMP Groups: Authentication and Encryption, Authentication Only and No Authentication.
D. The Cisco ASA can send SNMP traps to the Network Management Station only using SNMPv2
Correct Answer: C
Section: New Questions
Reference:

Official Guide - Chapter 5 - pages 217 onwards
Page 219: Three SNMPv3 group definitions are supported by the ASA:
- No Authentication, No Encryption: Cleartext communication between the ASA and NMS
- Authentication Only: Communication is authenticated but unencrypted
- Authentication and Encryption: Authentication and full encryption for communication between the ASA and NMS

QUESTION 46
What protocols have to be transferred to CSC-SSM
A. FTP, POP3, SMTP, HTTP
B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)

QUESTION 47
Which command enables Advanced threat detection
A. Threat-detection statistics
B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)

QUESTION 48
Configuration in order to allow a /20 network on the inside interface access to ASDM
A. http x.x.x.x inside
B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)

QUESTION 49

What does the sequence do: hw-module module 1 reset
A. Reset command shuts down and resets the SSM hardware
B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)

QUESTION 50
What does the sequence do: hw-module module 1 reload
A. Reload command reloads the intelligent SSM software (for example, AIP SSM)
B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)

QUESTION 51
Strict FTP [Output of a class-map, policy-map and service policy to review... something to do with strict FTP (action) -- answers regarding strict FTP NonRFC, RFC application]
A. The strict option may break FTP sessions from clients that do not comply with the RFC standards; however, it provides more security features.
B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)

QUESTION 52
NAT RULES (MISSED)
A. ...
B. ...
C. ...
D. ...
Correct Answer: AB

Section: (none)

QUESTION 53
ASA Redundant Interfaces (MISSED) (you should check the book)
A. how many member
B. loadbalance
C. ...
D. ...
Correct Answer: D
Section: (none)

QUESTION 54
Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only the debug output to syslog? (Choose three.)
A. logging list test message
B. logging debug-trace
C. logging trap debugging
D. logging message level 7
E. logging trap test
Correct Answer: BCD
Section: Advanced Troubleshooting

QUESTION 55
Refer to the exhibit. Which three CLI configuration commands result from this configuration? (Choose three.) (The choices may change...)

A. global (outside)
B. nat (inside)
C. static(inside.outside) netmask tcp 0 0 udp 0
D. static(inside,outside) tcp
E. access-list outside_access_in line 1 extended permit tcp any host eq http
F. access-list outside_access_in line 1 extended permit tcp any host eq http
G. access-group outside_access_in outside in
H. access-group outside acces in inside in
Correct Answer: CEG
Section: Pre-Production Design

QUESTION 56
LAB Question #1c - Scenario - Topo
This is a Hot Area - select the correct areas to click on
Enable HTTP Inspect globally on the ASA
Hot Area:

Correct Answer:

Section: Lab


Exam B

QUESTION 1
Which feature is not supported on the Cisco ASA 5505 with the Security Plus license?
A. stateless active/standby failover
B. transparent firewall
C. threat detection
D. traffic shaping
E. security contexts
Correct Answer: E
Section: Complex Operations

QUESTION 2
What is the first configuration step when using Cisco ASDM to configure a new Layer 3/4 inspection policy on the Cisco ASA?
A. Create a new class map.
B. Create a new policy map and apply actions to the traffic classes.
C. Create a new service policy rule.
D. Create the ACLs to be referenced by any of the new class maps.
E. Disable the default global inspection policy.
F. Create a new firewall access rule.
Correct Answer: C
Section: Pre-Production Design

QUESTION 3
Which statement about the Cisco ASA 5505 configuration is true?
A. The IP address is configured under the physical interface (ethernet 0/0 to ethernet 0/7).
B. With the default factory configuration, the management interface (management 0/0) is configured with the /24 IP address
C. With the default factory configuration, Cisco ASDM access is not enabled.
D. The switchport access vlan command can be used to assign the VLAN to each physical interface (ethernet 0/0 to ethernet 0/7). (This is right, because ASA 5505 has a built-in switch.)
E. With the default factory configuration, both the inside and outside interface will use DHCP to acquire its IP address.
Correct Answer: D
Section: Pre-Production Design
Reference: ASA 5505 Default Configuration

The default factory configuration for the ASA 5505 adaptive security appliance configures the following:
- An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are and
- An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP.
- The default route is also derived from DHCP.
- All inside IP addresses are translated when accessing the outside using interface PAT.
- By default, inside users can access the outside, and outside users are prevented from accessing the inside.
- The DHCP server is enabled on the ASA, so a PC connecting to the VLAN 1 interface receives an address between and
- The HTTP server is enabled for ASDM and is accessible to users on the network

As per Cisco document ASDM is enabled by default.

ASA 5505 Default Configuration

The default factory configuration for the ASA 5505 adaptive security appliance configures the following:
- An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are and
- An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP.
- The default route is also derived from DHCP.
- All inside IP addresses are translated when accessing the outside using interface PAT.
- By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.
- The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between and
- The HTTP server is enabled for ASDM and is accessible to users on the network.

The configuration consists of the following commands:

interface Ethernet 0/0
 switchport access vlan 2
 no shutdown
interface Ethernet 0/1

 switchport access vlan 1
 no shutdown
interface Ethernet 0/2
 switchport access vlan 1
 no shutdown
interface Ethernet 0/3
 switchport access vlan 1
 no shutdown
interface Ethernet 0/4
 switchport access vlan 1
 no shutdown
interface Ethernet 0/5
 switchport access vlan 1
 no shutdown
interface Ethernet 0/6
 switchport access vlan 1
 no shutdown
interface Ethernet 0/7
 switchport access vlan 1
 no shutdown
interface vlan2
 nameif outside
 no shutdown
 ip address dhcp setroute
interface vlan1
 nameif inside
 ip address
 security-level 100
 no shutdown

global (outside) 1 interface
nat (inside)
http server enable
http inside
dhcpd address inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational

The document url is start.html#wp Please suggest

Official Guide - Page 51 - Chapter 2
In the initial configuration, the management interface is always configured to use IP address and subnet mask The DHCP server is configured to provide addresses from a range of to The HTTP server is configured to allow ASDM sessions from devices on the /24 management network. On ASA 5510 and higher platforms, the initial configuration always uses the Management0/0 physical interface for the management network, as shown in the top portion of Figure 2-7. The ASA 5505, however, doesn't have a dedicated management interface. Instead, it uses VLAN 1 for the secure inside network, which is assigned to physical interfaces Ethernet0/1 through 0/7.

QUESTION 4
Refer to the exhibit. What does the * next to the CTX security context indicate?
A. The CTX context is the active context on the Cisco ASA.
B. The CTX context is the standby context on the Cisco ASA.
C. The CTX context contains the system configurations.
D. The CTX context has the admin role.
Correct Answer: D

Section: Complex Operations

QUESTION 5
Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only the debug output to syslog? (Choose three.)
A. logging list test message
B. logging debug-trace
C. logging trap debugging
D. logging message level 7
E. logging trap test
Correct Answer: BCD
Section: Advanced Troubleshooting

QUESTION 6
Refer to the exhibit. Which two configurations are required on the Cisco ASAs so that the return traffic from the outside server back to the inside client can be rerouted from the Active CtxB context in ASA Two to the Active Ctx A context in ASA One? (Choose two.)
A. stateful active/active failover

B. dynamic routing (EIGRP or OSPF or RIP)
C. ASR-group
D. no NAT-control
E. policy-based routing
F. TCP/UDP connections replication
Correct Answer: AC
Section: Complex Operations

QUESTION 7
Where in the ACS are the individual downloadable ACL statements configured to achieve the most scalable deployment?
A. Group Setup
B. User Setup
C. Shared Profile Components
D. Network Access Profiles
E. Network Configuration
F. Interface Configuration
Correct Answer: C
Section: Pre-Production Design

QUESTION 8
Which two methods can be used to access the Cisco AIP-SSM CLI? (Choose two.)
A. initiating an SSH connection to the Cisco AIP-SSM external management Ethernet port
B. connecting to the console port on the Cisco AIP-SSM
C. using the setup command on the Cisco ASA CLI
D. using the session 1 command on the Cisco ASA CLI
E. using the hw-module command on the Cisco ASA CLI
Correct Answer: AD
Section: Pre-Production Design

QUESTION 9
Refer to the exhibit. Which three CLI configuration commands result from this configuration? (Choose three.) (The choices may change...)

A. global (outside)
B. nat (inside)
C. static(inside.outside) netmask tcp 0 0 udp 0
D. static(inside,outside) tcp
E. access-list outside_access_in line 1 extended permit tcp any host eq http
F. access-list outside_access_in line 1 extended permit tcp any host eq http
G. access-group outside_access_in outside in
H. access-group outside acces in inside in
Correct Answer: CEG
Section: Pre-Production Design

QUESTION 10
Which three configuration options are available when configuring static routes on the Cisco ASA? (Choose three.)
A. Change the default metric (admin distance) from 1 to some other value.
B. Enable route tracking.
C. Specify the static route as the default tunnel gateway for VPN traffic.
D. Specify that the static route will not be removed, even if the interface shuts down.
E. Specify a tag value to the static route that can be used as a "match" value for controlling redistribution via route maps.
Correct Answer: ABC
Section: Pre-Production Design

QUESTION 11
On the Cisco ASA, what is the default access rule if no user-defined access lists are defined on the interfaces?
A. All inbound connections from the lower-security interfaces to the higher-security interfaces are permitted.
B. All outbound connections from the higher-security interfaces to the lower-security interfaces are permitted.
C. All IP traffic between interfaces with the same security level is permitted.
D. All IP traffic in and out of the same interface is permitted.
E. All IP traffic is denied.
Correct Answer: B
Section: Pre-Production Design

QUESTION 12
On the Cisco ASA, tcp-map can be applied to a traffic class using which MPF CLI configuration command?
A. inspect
B. sysopt connection
C. tcp-options
D. parameters
E. set connection advanced-options
Correct Answer: E
Section: Complex Operations

QUESTION 13
On the Cisco ASA, where are the Layer 5-7 policy maps applied?
A. inside the Layer 3-4 policy map
B. inside the Layer 3-4 class map
C. inside the Layer 5-7 class map
D. inside the Layer 3-4 service policy
E. inside the Layer 5-7 service policy
Correct Answer: A
Section: Complex Operations

QUESTION 14

Refer to the exhibit. Which two options will result from the Cisco ASA configuration? (Choose two.)
A. The outside hosts can use the IP address to reach the web server on the inside network.
B. The global IP address of the web server is
C. The inside web client will use the IP address to reach the web server and the Cisco ASA will translate the IP address to the IP address.
D. The Cisco ASA will translate the DNS A-Record reply from the DNS server to any inside client for the web server (web server IP = ).
E. The web server will be reachable only from the inside.
F. The web server will be reachable only from the outside.
Correct Answer: BD
Section: Complex Operations
/Reference:

QUESTION 15
The Cisco ASA is configured in multiple mode and the security contexts share the same outside physical interface. Which two packet classification methods can be used by the Cisco ASA to determine which security context to forward the incoming traffic from the outside interface? (Choose two.)
A. unique interface IP address
B. unique interface MAC address
C. routing table lookup
D. MAC address table lookup
E. unique global mapped IP addresses
Correct Answer: BE
Section: Complex Operations
/Reference:

QUESTION 16
With Cisco ASA active/active or active/standby stateful failover, which state information or table is not passed between the active and standby Cisco ASA by default?
A. NAT translation table
B. TCP connection states
C. UDP connection states
D. ARP table
E. HTTP connection table
Correct Answer: E
Section: Complex Operations
/Reference:

QUESTION 17
Refer to the exhibit. What requirement is mandatory when configuring a Cisco ASA to operate in transparent firewall mode?
A. IP routing must be disabled on the Cisco ASA using the no ip routing global configuration command.
B. The Cisco ASA must be configured to use the same MAC address on its outside and inside interfaces.
C. ARP inspection must be enabled on both the inside and outside interfaces using the arp inspection interface-name enable flood command.
D. Both the inside and outside interfaces must be configured with the same security level.
E. An inbound EtherType ACL is required on the inside and outside interfaces to permit ARP traffic.
F. The management IP address of the Cisco ASA configured with the ip address global configuration command must belong in the /24 subnet.
Correct Answer: F
Section: Pre-Production Design
/Reference:

QUESTION 18
Refer to the exhibit. Which two statements are true? (Choose two.)
A. The connection is awaiting outside ACK to SYN.
B. The connection is initiated from the inside.
C. The connection is active and has received inbound and outbound data.
D. The connection is an incomplete TCP connection.
E. The connection is a DNS connection.
Correct Answer: BC
Section: Advanced Troubleshooting
/Reference:

QUESTION 19
Which five options are valid logging destinations for the Cisco ASA? (Choose five.)
A. AAA server
B. Cisco ASDM
C. buffer
D. SNMP traps
E. LDAP server
F.
G. TCP-based secure syslog server
Correct Answer: BCDFG
Section: Advanced Troubleshooting
/Reference:

QUESTION 20
When troubleshooting redundant interface operations on the Cisco ASA, which configuration should be verified?
A. The nameif configuration on the member physical interfaces are identical.
B. The MAC address configuration on the member physical interfaces are identical.
C. The active interface is sending periodic hellos to the standby interface.
D. The IP address configuration on the logical redundant interface is correct.
E. The duplex and speed configuration on the logical redundant interface are correct.
Correct Answer: D

Section: Advanced Troubleshooting
/Reference:

QUESTION 21
What mechanism is used on the Cisco ASA to map IP addresses to domain names that are contained in the botnet traffic filter dynamic database or local blacklist?
A. HTTP inspection
B. DNS inspection and snooping
C. Web ACL
D. dynamic botnet database fetches (updates)
E. static black list
F. static white list
Correct Answer: B
Section: Complex Operations
/Reference:

QUESTION 22
Which three statements about traffic shaping capability on the Cisco ASA are true? (Choose three.)
A. Traffic shaping can be applied to all outgoing traffic on a physical interface or in the case of the Cisco ASA 5505, on a VLAN
B. Traffic shaping can be applied in the input or output direction.
C. Traffic shaping can cause jitter and delay.
D. You can configure both traffic shaping and priority queueing on the same interface.
E. Traffic shaping is not supported on the Cisco ASA
Correct Answer: ACE
Section: Complex Operations
/Reference:

QUESTION 23
Refer to the exhibit. Which statement about the policy map named test is true?

A. Only HTTP inspection will be applied to the TCP port 21 traffic.
B. Only FTP inspection will be applied to the TCP port 21 traffic.
C. Both HTTP and FTP inspections will be applied to the TCP port 21 traffic.
D. No inspection will be applied to the TCP port 21 traffic, because the http class map configuration conflicts with the ftp class map
E. All FTP traffic will be denied, because the FTP traffic will fail the HTTP inspection.
Correct Answer: A
Section: Complex Operations
/Reference:

QUESTION 24
When troubleshooting a Cisco ASA (running 8.2.2) that is operating in transparent firewall mode, what should you verify to ensure proper operation?
A. The Cisco ASA has not been configured for inside static or dynamic NAT.
B. The Cisco ASA global IP address belongs to the same subnet as the directly connected interfaces.
C. The outside and inside interface are connected to different Layer 3 subnets.
D. The Cisco ASA is using a dedicated management interface for management access.
E. The Cisco ASA is configured for ARP inspection.
Correct Answer: B
Section: Advanced Troubleshooting
/Reference:

QUESTION 25
Which Cisco ASA object group type offers the most flexibility for grouping different services together based on arbitrary protocols?
A. network
B. ICMP
C. protocol
D. TCP-UDP
E. service
Correct Answer: E
Section: Complex Operations
/Reference:

QUESTION 26
Which three parameters are set using the set connection command within a policy map on the Cisco ASA 8.2 release? (Choose three.)
A. per-client TCP and/or UDP idle timeout
B. per-client TCP and/or UDP maximum session time

C. TCP sequence number randomization
D. maximum number of simultaneous embryonic connections
E. maximum number of simultaneous TCP and/or UDP connections
F. fragments reassembly options
Correct Answer: CDE
Section: Complex Operations
/Reference:

QUESTION 27
With Cisco ASA active/standby failover, what is needed to enable sub-second failover?
A. Use redundant interfaces.
B. Enable the stateful failover interface between the primary and secondary Cisco ASA.
C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec
D. Decrease the default number of monitored interfaces to 1.
Correct Answer: C
Section: Complex Operations
/Reference:

QUESTION 28
A Cisco ASA requires an additional feature license to enable which feature?
A. transparent firewall
B. cut-thru proxy
C. threat detection
D. botnet traffic filtering
E. TCP normalizer
Correct Answer: D
Section: Complex Operations
/Reference:

QUESTION 29
Refer to the exhibit. What can be determined about the connection status?

A. The output is showing normal activity to the inside web server.
B. Many HTTP connections to the web server have successfully completed the three-way TCP handshake
C. Many embryonic connections are made from random sources to the web server.
D. The host is triggering SYN flood attacks against random hosts on the outside.
E. The web server is terminating all the incoming HTTP connections.
Correct Answer: C
Section: Advanced Troubleshooting
/Reference:

QUESTION 30
When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.)
A. Verify the interface status in the system execution space.
B. Verify the mac-address-table on the Cisco ASA.
C. Verify that unique MAC addresses are configured if the contexts are using nonshared interfaces.
D. Verify the interface status in the user context.
E. Verify the resource classes configuration by accessing the admin context.
Correct Answer: AD
Section: Complex Operations
/Reference:

QUESTION 31
What features are available by default with the CSC-SSM base license? (Choose three.)
A. Antispam
B. Antivirus
C. Antispyware
D. HTTP & FTP file blocking
E. URL Blocking and Filtering
F. Antiphishing
G. content control
Correct Answer: BCD
Section: Complex Operations
/Reference:

QUESTION 32
If an ASA is configured with overlapping NAT/PAT rules, the ASA will apply the rules in a specific order. What rule will be applied first?
A. Policy NAT
B. Static NAT
C. Static PAT
D. Dynamic PAT
E. Dynamic NAT
F. NAT Exemption
Correct Answer: F
Section: Pre-Production Design
/Reference:

QUESTION 33
In which two directions are the Cisco ASA modular policy framework inspection policies applied? (Choose two.)
A. in the ingress direction only when applied globally
B. in the ingress direction only when applied on an interface
C. in the egress direction only when applied globally
D. in the egress direction only when applied on an interface
E. bi-directionally when applied globally
F. bi-directionally when applied on an interface
Correct Answer: AF
Section: Pre-Production Design
/Reference:

QUESTION 34

A Cisco ASA requires an additional feature license to enable which feature?
A. transparent firewall
B. cut-thru proxy
C. threat detection
D. botnet traffic filtering
E. TCP normalizer
Correct Answer: D
Section: Pre-Production Design
/Reference:

QUESTION 35
When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level will produce the most messages?
A. notifications
B. informational
C. alerts
D. emergencies
E. errors
F. debugging
Correct Answer: F
Section: Advanced Troubleshooting
/Reference:

QUESTION 36
What is the default interval for how often the dynamic database of the Cisco ASA botnet traffic filter is updated from Cisco/IronPort?
A. every 5 minutes
B. every 15 minutes
C. every 30 minutes
D. every 1 hour
E. every 12 hours
F. every 24 hours
Correct Answer: D
Section: Complex Operations
/Reference:

QUESTION 37
What feature can have a major performance impact if enabled?
A. VPN termination

B. Advanced Threat Detection
C. uRPF
D. DNS snooping
E. Anti-spoofing
Correct Answer: B
Section: New Questions
/Reference:

QUESTION 38
With ASA redundant interfaces, what happens when Active turns to Standby?
A. Sends hello packets
B. Does a broadcast ping to find the active interface
C. Checks any of the 8 redundant interface pairs for an active connection
D. Changes the MAC address to that of the new Active interface
E. Does an ARP request to see if the MAC address responds
Correct Answer: D
Section: New Questions
/Reference:

QUESTION 39
What feature is not supported with Security Context + Transparent mode?
A. MAC address learning
B. shared interface
C. multiple context mode
D. HTTP inspection
Correct Answer: B
Section: New Questions
/Reference:
Note: The management interface for transparent mode does not flood a packet out the interface when that packet is not in the MAC address table. You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.

QUESTION 40
What does the hw-module module 1 recover command do?
A. automatically goes into ROMMON mode so you can access the module
B. allows you to reconfigure the management interface from a reset
C. forces the module to reload the software without any configuration
D. allows you to load a new software image from a TFTP server

E. enables the password recovery reset
Correct Answer: D
Section: New Questions
/Reference:
Official Guide - Page 686

QUESTION 41
How many failover groups are supported by Active/Active failover?
A. 1
B. 2
C. 1 on each context
D. 2 on each context
Correct Answer: B
Section: New Questions
/Reference:

QUESTION 42
With active/standby failover, what happens if the standby Cisco ASA does not receive three consecutive hello messages from the active Cisco ASA on the LAN failover interface?
A. The standby ASA immediately becomes the active ASA
B. The standby ASA eventually becomes the active ASA after three times the hold-down times interval expires
C. The standby ASA runs network activity tests, including ARP and ping, to determine if the active ASA has expired. (answer C, (CCNP Security FIREWALL Official Cert Guide Page 612))
D. The standby ASA sends additional hello packets on all monitored interfaces, including the LAN failover interface, to determine if the active ASA has failed. (according to Actual Test it's A, by chips it's C.)
E. Both ASAs go into unknown state until the LAN interface becomes operational again
Correct Answer: C
Section: New Questions
/Reference:
Official Guide - page 610 onwards
Answer C, (CCNP Security FIREWALL Official Cert Guide Page 612)
text - If hello packets are not seen on a monitored interface within half of the hold time, that interface is moved into a testing mode to determine if a failure has occurred. The peer ASA is notified of the test via the LAN failover interface. Interfaces in the testing mode are moved through the following sequence of tests:
1. Interface status: The interface is failed if the link status is down.
2. Network activity: If no packets are received over a 5-second interval, the next testing phase begins; otherwise, the interface can still be used.
3. ARP: The interface stimulates received traffic by sending ARP requests for the ten newest entries in the ASA's ARP table. If no traffic is received in 5 seconds, the next testing phase begins.
4. Broadcast ping: Traffic is stimulated by sending an ICMP echo request to the broadcast address on the interface. If no replies are received over a 5-second interval, the interface is marked in a failed state; however, if the same interface on the peer ASA also fails the test, then the interface is marked in an unknown state because an actual failure cannot be determined.
End text

QUESTION 43
Which feature is not supported on the Cisco ASA 5505 with Security Plus license?
A. security contexts
B. stateless Active/Standby Failover
C. transparent firewall
D. threat detection
E. traffic shaping
Correct Answer: A
Section: New Questions
/Reference:
Official Guide Page 27 - Table 1-14

QUESTION 44
Which two functions will the Set ASDM Defined User Roles perform? (Choose two)
A. enables role based privileges to most Cisco ASA commands
B. enable the Cisco ASDM user to assign user privileges manually to individual commands or group of commands
C. enables command authorization with a remote TACACS+ server

D. enables three pre-defined user account privileges (Admin = Priv 15, Read-only = Priv 5, Monitor only = Priv 3)
Correct Answer: AD
Section: New Questions
/Reference:
Official Guide Page 208 onwards
Configuring Local AAA Command Authorization
To enable AAA authorization using the LOCAL database, you can use a wizard function in ASDM to quickly set up RBAC privilege levels to most commands, while still being able to make manual customizations to each command. To do so, navigate to Configuration > Device Management > Users/AAA > AAA Access and click the Authorization tab, shown in the background in Figure

QUESTION 45
LAB Question #1c - Scenario - Topo
This is a Hot Area - select the correct areas to click on
Enable HTTP Inspect globally on the ASA
Hot Area:

Correct Answer:

Section: Lab
/Reference:

Exam C

QUESTION 1
Drag and Drop #1
Select and Place:
Correct Answer:
Section: Pre-Production Design
/Reference:

QUESTION 2
Drag and Drop #2
Select and Place:
Correct Answer:
Section: Complex Operations
/Reference:

QUESTION 3
Drag and Drop #3
Select and Place:
Correct Answer:
Section: Complex Operations
/Reference:

QUESTION 4
Refer to the exhibit. What can be determined about the connection status?

A. The output is showing normal activity to the inside web server.
B. Many HTTP connections to the web server have successfully completed the three-way TCP handshake
C. Many embryonic connections are made from random sources to the web server.
D. The host is triggering SYN flood attacks against random hosts on the outside.
E. The web server is terminating all the incoming HTTP connections.
Correct Answer: C
Section: Advanced Troubleshooting
/Reference:

QUESTION 5
In which two directions are the Cisco ASA modular policy framework inspection policies applied? (Choose two.)
A. in the ingress direction only when applied globally
B. in the ingress direction only when applied on an interface
C. in the egress direction only when applied globally
D. in the egress direction only when applied on an interface
E. bi-directionally when applied globally
F. bi-directionally when applied on an interface
Correct Answer: AF
Section: Pre-Production Design
/Reference:

Exam D

QUESTION 1
LAB Question Intro - Scenario - Topo
This is a Hot Area - select the correct areas to click on
Hot Area:
Correct Answer:
Section: Lab
/Reference:

QUESTION 2
LAB Question #1a - Scenario - Topo
This is a Hot Area - select the correct areas to click on
Enable HTTP Inspect globally on the ASA
Hot Area:
Correct Answer:
Section: Lab
/Reference:

QUESTION 3
LAB Question #1b - Scenario - Topo
This is a Hot Area - select the correct areas to click on
Enable HTTP Inspect globally on the ASA
Hot Area:
Correct Answer:
Section: Lab
/Reference:

QUESTION 4
LAB Question #1c - Scenario - Topo
This is a Hot Area - select the correct areas to click on
Enable HTTP Inspect globally on the ASA
Hot Area:
Correct Answer:
Section: Lab
/Reference:

QUESTION 5
LAB Question #2 - Scenario - Topo
This is a Hot Area - select the correct areas to click on
Create a new HTTP Inspect map named: http-inspect-map
Hot Area:
Correct Answer:
Section: Lab
/Reference:

QUESTION 6
LAB Question #2a - Parameters
This is a Hot Area - select the correct areas to click on
Create a new HTTP Inspect map named: http-inspect-map > enable dropping and of any HTTP connections that encounter HTTP Violations
Hot Area:
Correct Answer:
Section: Lab
/Reference:
1: Make sure you enter in the name exactly as written - http-inspect-map
2: Leave Logging - disabled

QUESTION 7
LAB Question #2b-a - Inspections
This is a Hot Area - select the correct areas to click on
Enable the dropping and logging of HTTP connections when the content type in the HTTP response does not match one of the MIME types in the accept field of the HTTP request
Hot Area:
Correct Answer:
Section: Lab
/Reference:

QUESTION 8
LAB Question #2b-b - Scenario - Topo
This is a Hot Area - select the correct areas to click on
Enable the dropping and logging of HTTP connections when the content type in the HTTP response does not match one of the MIME types in the accept field of the HTTP request
Hot Area:
Correct Answer:
Section: Lab
/Reference:
Make sure to click OK at the end and it will show you this

QUESTION 9
LAB Question #2b-c - Scenario - Topo
This is a Hot Area - select the correct areas to click on
Enable the dropping and logging of HTTP connections when the content type in the HTTP response does not match one of the MIME types in the accept field of the HTTP request
Hot Area:
Correct Answer:
Section: Lab
/Reference:
Click OK all the way back to main screen and you should see this

QUESTION 10
LAB Question Finishing
This is a Hot Area - select the correct areas to click on

Make sure you save and exit properly
Hot Area:
Correct Answer:
Section: Lab
/Reference:
Two ways to save - preference is to Save before Exit

Exam E

QUESTION 1
Question 1#
Which two statements about the Cisco ASA configuration are true? (Choose two.)
A. NAT Control is enabled
B. The Cisco ASA is set up as the DHCP server for hosts on the inside and outside interfaces
C. All IP traffic is permitted from the inside host to the outside
D. All hosts on the inside and on the outside can access Cisco ASDM
E. Access to the CLI in privileged mode will be authenticated using the LOCAL database on the Cisco ASA
F. The ASA is using a persistent self-signed certificate so users can authenticate the Cisco ASA when accessing it via Cisco ASDM
Correct Answer: AB
Section: Pre-Production Design
/Reference:
Have to check each and every setting -- expect different results for different exams


QUESTION 2
The ASA administrator wants to configure Botnet Traffic Filter using the dynamic database but it is not working properly after the initial configuration has been entered. What other configuration is missing?
A. Enabling DNS Snooping
B. Enabling Botnet Traffic Filtering on at least one of the ASA interface
C. Enabling the ASA to periodically download the dynamic database from Cisco
D. Enabling DNS inspection globally
E. Configuring the manual white and black lists
Correct Answer: AC
Section: Complex Operations
/Reference:
Just check all the following settings - certain they will change from time to time

QUESTION 3
Question #3
When the Cisco ASA detects scanning attacks, how long is the attacker who is performing the scan shunned?
A. 120 seconds
B. 600 seconds
C seconds
D seconds
E seconds
Correct Answer: B
Section: Complex Operations
/Reference:
From ASDM

QUESTION 4
A Cisco ASA requires an additional feature license to enable which feature?
A. transparent firewall
B. cut-thru proxy
C. threat detection
D. botnet traffic filtering
E. TCP normalizer
Correct Answer: D
Section: Pre-Production Design
/Reference:

QUESTION 5
With ASA redundant interfaces, what happens when Active turns to Standby?
A. Sends hello packets


More information

Information About Routing

Information About Routing 19 CHAPTER This chapter describes underlying concepts of how routing behaves within the adaptive security appliance, and the routing protocols that are supported. The chapter includes the following sections:,

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces. 2016 Cisco and/or its affiliates. All

More information

Cisco - ASA Lab Camp v9.0

Cisco - ASA Lab Camp v9.0 Cisco - ASA Lab Camp v9.0 Code: 0007 Lengt h: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment

More information

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example Table of Contents IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example...1 Document ID: 63881...1 Introduction...1 Prerequisites...2 Requirements...2 Components Used...2 Conventions...2

More information

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Fireware-Essentials.  Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7. Fireware-Essentials Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.0 http://www.gratisexam.com/ Fireware Essentials Fireware Essentials Exam Exam A QUESTION 1 Which

More information

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref ) Appendix 1 1st Tier Firewall The Solution shall be rack-mountable into standard 19-inch (482.6-mm) EIA rack. The firewall shall minimally support the following technologies and features: (a) Stateful inspection;

More information

CCNA Security 1.0 Student Packet Tracer Manual

CCNA Security 1.0 Student Packet Tracer Manual 1.0 Student Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

More information

Introduction to the ASA

Introduction to the ASA CHAPTER 1 The ASA combines advanced stateful firewall and VPN concentrator functionality in one device, and for some models, an integrated intrusion prevention module called the AIP SSM/SSC or an integrated

More information

This document is intended to give guidance on how to read log entries from a Cisco PIX / ASA. The specific model in this case was a PIX 501.

This document is intended to give guidance on how to read log entries from a Cisco PIX / ASA. The specific model in this case was a PIX 501. 1.0 Overview This document is intended to give guidance on how to read log entries from a Cisco PIX / ASA. The specific model in this case was a PIX 501. 2.0 PIX Config The following is the PIX config

More information

Platform Settings for Firepower Threat Defense

Platform Settings for Firepower Threat Defense Platform settings for devices configure a range of unrelated features whose values you might want to share among several devices. Even if you want different settings per device, you must create a shared

More information

Firewall Core for CCIE Candidates By Rafael Leiva-Ochoa

Firewall Core for CCIE Candidates By Rafael Leiva-Ochoa Firewall Core for CCIE Candidates By Rafael Leiva-Ochoa BRKCCIE-3203 2013 Cisco Systems, Inc. Introduction Rafael Leiva-Ochoa @Cisco since Oct 2000 Works in the TS Training Group (Part of Learning@Cisco)

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

Migrating to the Cisco ASA Services Module from the FWSM

Migrating to the Cisco ASA Services Module from the FWSM Migrating to the Cisco ASA Services Module from the FWSM Contents Information About the Migration, page 1 Migrating the FWSM Configuration to the ASA SM, page 2 Unsupported Runtime Commands, page 4 Configuration

More information

Configuring Stateful Interchassis Redundancy

Configuring Stateful Interchassis Redundancy The Stateful Interchassis Redundancy feature enables you to configure pairs of devices to act as backups for each other. This module describes conceptual information about and tasks for configuring stateful

More information

Permitting PPTP Connections Through the PIX/ASA

Permitting PPTP Connections Through the PIX/ASA Permitting PPTP Connections Through the PIX/ASA Contents Introduction Prerequisites Requirements Components Used Background Theory Conventions PPTP with the Client Inside and the Server Outside Network

More information

Zone-Based Policy Firewall High Availability

Zone-Based Policy Firewall High Availability The feature enables you to configure pairs of devices to act as backup for each other. High availability can be configured to determine the active device based on a number of failover conditions. When

More information

co Configuring PIX to Router Dynamic to Static IPSec with

co Configuring PIX to Router Dynamic to Static IPSec with co Configuring PIX to Router Dynamic to Static IPSec with Table of Contents Configuring PIX to Router Dynamic to Static IPSec with NAT...1 Introduction...1 Configure...1 Components Used...1 Network Diagram...1

More information

: Saved : : Serial Number: JMX1813Z0GJ : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz : Written by enable_15 at 09:21: UTC Thu Dec !

: Saved : : Serial Number: JMX1813Z0GJ : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz : Written by enable_15 at 09:21: UTC Thu Dec ! : Saved : : Serial Number: JMX1813Z0GJ : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz : Written by enable_15 at 09:21:59.078 UTC Thu Dec 17 2015 ASA Version 9.2(2)4 hostname ciscoasa enable password

More information

Configuring VRRP. Finding Feature Information. The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns

Configuring VRRP. Finding Feature Information. The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a

More information

IPSec tunnel for ER75i routers application guide

IPSec tunnel for ER75i routers application guide IPSec tunnel for ER75i routers application guide 1 Contents 1. Generally...3 2. IPSec limitation...3 3. Example of use IPSec tunnel Client side at ER75i...4 3.1. IPSec tunnel client side at ER75i...4 3.1.1.

More information

Information About NAT

Information About NAT CHAPTER 26 This chapter provides an overview of how Network Address Translation (NAT) works on the ASA and includes the following sections: Introduction to NAT, page 26-1 NAT Types, page 26-2 NAT in Routed

More information

Managing Services Modules

Managing Services Modules CHAPTER 58 This chapter describes how to manage the following module types: Security Services Cards (SSCs) Security Services Modules (SSMs) Security Services Processors (SSPs) Modules run advanced security

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces.

More information

Introducing Cisco Data Center Networking [AT]

Introducing Cisco Data Center Networking [AT] Introducing Cisco Data Center Networking [AT] Number: 640-911 Passing Score: 825 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ Cisco 640-911 Introducing Cisco Data Center Networking

More information

Document ID: Contents. Introduction. Prerequisites. Requirements. Introduction. Prerequisites Requirements

Document ID: Contents. Introduction. Prerequisites. Requirements. Introduction. Prerequisites Requirements Products & Services ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example Document ID: 70559 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Background

More information

Implementing Cisco Network Security (IINS) 3.0

Implementing Cisco Network Security (IINS) 3.0 Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST IT Certification Guaranteed, The Easy Way! \ http://www.pass4test.com We offer free update service for one year Exam : 642-504 Title : Securing Networks with Cisco Routers and Switches Vendors

More information

Bridging Traffic CHAPTER3

Bridging Traffic CHAPTER3 CHAPTER3 This chapter describes how clients and servers communicate through the ACE using either Layer 2 (L2) or Layer 3 (L3) in a VLAN configuration. When the client-side and server-side VLANs are on

More information

H

H H12-223 Number: H12-223 Passing Score: 600 Time Limit: 120 min Exam A QUESTION 1 The network administrator wants to improve the performance of network transmission, what steps can the administrator take?

More information

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT The Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT feature supports the forwarding of packets from a standby

More information

Configuring Management Access

Configuring Management Access 37 CHAPTER This chapter describes how to access the ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, how to create login banners, and how

More information

Multiple Context Mode

Multiple Context Mode This chapter describes how to configure multiple security contexts on the Cisco ASA. About Security Contexts, page 1 Licensing for, page 12 Prerequisites for, page 13 Guidelines for, page 14 Defaults for,

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : 200-125 Title : CCNA Cisco Certified Network Associate CCNA (v3.0) Vendor : Cisco Version : DEMO Get

More information

PIX/ASA Active/Standby Failover Configuration Example

PIX/ASA Active/Standby Failover Configuration Example PIX/ASA Active/Standby Failover Configuration Example Document ID: 77809 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Active/Standby Failover Active/Standby

More information

Table of Contents. Cisco Enhanced Spoke to Client VPN Configuration Example for PIX Security Appliance Version 7.0

Table of Contents. Cisco Enhanced Spoke to Client VPN Configuration Example for PIX Security Appliance Version 7.0 Table of Contents Enhanced Spoke to Client VPN Configuration Example for PIX Security Appliance Version 7.0...1 Document ID: 64693...1 Introduction...1 Prerequisites...1 Requirements...1 Components Used...1

More information

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND) 100-105.exam Number: 100-105 Passing Score: 800 Time Limit: 120 min CISCO 100-105 Interconnecting Cisco Networking Devices Part 1 (ICND) Exam A QUESTION 1 Which route source code represents the routing

More information

ITBraindumps. Latest IT Braindumps study guide

ITBraindumps.  Latest IT Braindumps study guide ITBraindumps http://www.itbraindumps.com Latest IT Braindumps study guide Exam : 300-101 Title : Implementing Cisco IP Routing Vendor : Cisco Version : DEMO Get Latest & Valid 300-101 Exam's Question and

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : 200-125 Title : CCNA Cisco Certified Network Associate CCNA (v3.0) Vendor : Cisco Version : DEMO Get

More information

PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands

PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands Document ID: 63872 Introduction Prerequisites Requirements Components Used Related Products Conventions Network

More information

Sample Configurations

Sample Configurations APPENDIXB This appendix illustrates and describes a number of common ways to implement the security appliance, and includes the following topics: Example 1: Multiple Mode Firewall With Outside Access,

More information

Cisco WAAS Software Command Summary

Cisco WAAS Software Command Summary 2 CHAPTER This chapter summarizes the Cisco WAAS 4.0.7 software commands. lists the WAAS commands (alphabetically) and indicates the command mode for each command. The commands used to access modes are

More information

through ftp-map Commands

through ftp-map Commands CHAPTER 12 12-1 email Chapter 12 email To include the indicated email address in the Subject Alternative Name extension of the certificate during enrollment, use the email command in crypto ca trustpoint

More information

Technology Scenarios. INE s CCIE Security Bootcamp - 1 -

Technology Scenarios. INE s CCIE Security Bootcamp - 1 - INE s CCIE Security Bootcamp For CCIE v3.0-1 - - 2 - Lab Physical Cabling Fa0/0 Fa0/1 Fa0/0 S1/2 S1/3 R3 S1/0 S1/1 Fa0/0 R1 S0/0 S0/1 S0/1 R2 S0/0 Ethernet Fa0/0 Fa0/1 BB3 Serial Frame-Relay S0/0 R4 S0/1

More information

H

H H12-711 Number: H12-711 Passing Score: 600 Time Limit: 120 min File Version: 1.0 Exam A QUESTION 1 The network administrator wants to improve the performance of network transmission, what steps can the

More information

Unit 4: Firewalls (I)

Unit 4: Firewalls (I) Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2 What is

More information

Configuring Static and Dynamic NAT Translation

Configuring Static and Dynamic NAT Translation This chapter contains the following sections: Network Address Translation Overview, page 1 Information About Static NAT, page 2 Dynamic NAT Overview, page 4 Timeout Mechanisms, page 4 NAT Inside and Outside

More information

Configuring VLAN Interfaces

Configuring VLAN Interfaces CHAPTER1 The Cisco Application Control Engine (ACE) module does not have any external physical interfaces to receive traffic from clients and servers. Instead, it uses internal VLAN interfaces. You assign

More information

Configuring Cache Services Using the Web Cache Communication Protocol

Configuring Cache Services Using the Web Cache Communication Protocol Configuring Cache Services Using the Web Cache Communication Protocol Finding Feature Information, page 1 Prerequisites for WCCP, page 1 Restrictions for WCCP, page 2 Information About WCCP, page 3 How

More information

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview This course will teach students about building a simple network, establishing internet connectivity, managing network device security,

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 100-101 EXAM QUESTIONS & ANSWERS Number: 100-101 Passing Score: 800 Time Limit: 120 min File Version: 35.5 http://www.gratisexam.com/ CISCO 100-101 EXAM QUESTIONS & ANSWERS Exam Name: CCNA Interconnecting

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example

VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example Document ID: 66171 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Configure

More information

Implementing Firewall Technologies

Implementing Firewall Technologies Implementing Firewall Technologies Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources. Technologies used: ACLs Standard,

More information

Applying Application Layer Protocol Inspection

Applying Application Layer Protocol Inspection CHAPTER 21 This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that

More information

H Q&As. HCNA-HNTD (Huawei Network Technology and Device) Pass Huawei H Exam with 100% Guarantee

H Q&As. HCNA-HNTD (Huawei Network Technology and Device) Pass Huawei H Exam with 100% Guarantee H12-211 Q&As HCNA-HNTD (Huawei Network Technology and Device) Pass Huawei H12-211 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money

More information

Configuring the Management Interface and Security

Configuring the Management Interface and Security CHAPTER 5 Configuring the Management Interface and Security Revised: February 15, 2011, Introduction This module describes how to configure the physical management interfaces (ports) as well as the various

More information

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Routing (ROUTE v2.0) Version: Demo

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Routing (ROUTE v2.0) Version: Demo Vendor: Cisco Exam Code: 300-101 Exam Name: Implementing Cisco IP Routing (ROUTE v2.0) Version: Demo DEMO QUESTION 1 Refer to the exhibit. The DHCP client is unable to receive a DHCP address from the DHCP

More information

This article explains how to configure NSRP-Lite for a NS50 firewall to a single WAN.

This article explains how to configure NSRP-Lite for a NS50 firewall to a single WAN. This article explains how to configure NSRP-Lite for a NS50 firewall to a single WAN. Requirements: When configuring NSRP-Lite for the NS-50, confirm the following necessary requirements: The NS-25 or

More information

Cisco Virtual Office High-Scalability Design

Cisco Virtual Office High-Scalability Design Solution Overview Cisco Virtual Office High-Scalability Design Contents Scope of Document... 2 Introduction... 2 Platforms and Images... 2 Design A... 3 1. Configure the ACE Module... 3 2. Configure the

More information

DOWNLOAD PDF CISCO ASA 5505 CONFIGURATION GUIDE

DOWNLOAD PDF CISCO ASA 5505 CONFIGURATION GUIDE Chapter 1 : Cisco ASA DMZ Configuration Example â Speak Network Solutions Cisco ASA Quick Start Guide. Step 1 Connect the power supply adaptor to the power cable.. Step 2 Connect the rectangular connector

More information

Configuring Commonly Used IP ACLs

Configuring Commonly Used IP ACLs Configuring Commonly Used IP ACLs Document ID: 26448 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration Examples Allow a Select Host to Access the Network Deny a

More information

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall.

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall. This chapter describes how to configure the ASA for the. About the, page 1 Guidelines for the, page 7 Prerequisites for the, page 9 Configure the, page 10 Collect User Statistics, page 19 Examples for

More information

Physical Topology. Logical Topology

Physical Topology. Logical Topology Physical Topology Logical Topology Please, note that the configurations given below can certainly be clean-up and tuned. Some commands are still embedded for testing purposes. Note also that the text highlighted

More information