Cisco Secure PIX Firewall Advanced (CSPFA)


9E0-571 Cisco Secure PIX Firewall Advanced (CSPFA) Version 3.0


Note: Section A contains 59 questions and Section B contains 170. The total number of questions is 229.

Section A

Study these questions carefully.

QUESTION NO: 1
Which PIX feature denies a user the ability to perform Telnet?
A. Accounting
B. Authorization
C. Authentication
D. Accounting and authorization

QUESTION NO: 2
Which two AAA protocols and servers does the PIX Firewall support? (Choose two)
A. Access control list.
B. Synchronous Communication Server.
C. Remote Authentication Dial-In User Service.
D. Terminal Access Controller Access Control System Plus.
Answer (partly illegible): , D

QUESTION NO: 3
Enter the function of the PIX Firewall that provides a safeguard in case a PIX Firewall fails.
Answer: Failover

QUESTION NO: 4
What does the nat command allow you to do on the PIX Firewall? (Choose two)
A. Enable address translation for internal addresses.
B. Enable address translation for external addresses.
C. Disable address translation for internal addresses.
D. Disable address translation for external addresses.
E. Enable address translation for both external and internal addresses.
F. Disable address translation for both external and internal addresses.
Answer (partly illegible): , C

QUESTION NO: 5
Exhibit: (not reproduced)
Match the characteristics of the Adaptive Security Algorithm (ASA) security level with the correct levels.
Answer: (not reproduced)

QUESTION NO: 6
Which four tasks should you perform to configure an IPSec-based VPN with the PIX Firewall? (Choose four)
A. Configure accounting.
B. Configure authorization.
C. Configure authentication.
D. Configure the PIX Firewall.
E. Configure the IKE parameters.
F. Configure the IPSec parameters.
G. Prepare for configuring VPN support.
H. Test and verify the VPN configuration.
Answer: E, F, G, H

QUESTION NO: 7
Any unprotected inbound traffic on the PIX Firewall that matches a permit entry in the crypto access list for a crypto map entry, flagged as IPSec, will be
A. Dropped
B. Completed
C. Authorized
D. Authenticated

QUESTION NO: 8
What should you do to prepare for configuring VPN support on the PIX Firewall?
A. Plan in advance.
B. Minimize mis-configuration.
C. Configure IPSec encryption correctly the first time.
D. Define the overall security needs and strategy based on the overall company security policy.

QUESTION NO: 9
Match the elements of the command for the PIX Firewall to the description for the outbound command. Drag and drop.
Exhibit: (not reproduced)
Answer: (not reproduced)

QUESTION NO: 10
What are packets inspected for on the PIX Firewall?
A. For invalid users.
B. For mis-configuration.
C. For incorrect addresses.
D. For malicious application misuse.

QUESTION NO: 11
With which two Cisco IOS Firewall security features is the authentication proxy compatible? (Choose two)
A. Cisco router
B. Network address translation
C. Protocol address translation
D. Content-Based Access Control
Answer (partly illegible): , D

QUESTION NO: 12
Which three thresholds does CBAC on the Cisco IOS Firewall provide against DoS attacks? (Choose three)
A. The number of half-open sessions based upon time.
B. The total number of half-open TCP or UDP sessions.
C. The number of fully-open sessions based upon time.
D. The number of half-open TCP-only sessions per host.
E. The total number of fully-open TCP or UDP sessions.
F. The number of fully-open TCP-only sessions per host.
Answer (partly illegible): , B, D

QUESTION NO: 13
What does CBAC on the Cisco IOS Firewall do?
A. Creates specific security policies for each user.
B. Protects the network from internal attacks and threats.
C. Provides additional visibility at intranet, extranet and Internet perimeters.
D. Provides secure, per-application access control across network perimeters.

QUESTION NO: 14
What are three methods for configuring basic router security on the Cisco IOS Firewall? (Choose three)
A. Turn off services.
B. Set global timeouts.
C. Set global thresholds.
D. Use password encryption.
E. Define inspection rules.
F. Set console and VTY access.
Answer (partly illegible): , C, E

QUESTION NO: 15
Why does the aaa command reference the group tag on the PIX Firewall?
A. To direct the interface name to the AAA server.
B. To direct the IP address to the appropriate AAA server.
C. To direct authentication, authorization or accounting traffic to the appropriate AAA server.
D. To direct authentication, authorization or accounting traffic to the appropriate PIX Firewall.

QUESTION NO: 16
Which two databases does the PIX Firewall use to authenticate cut-through proxy? (Choose two)
A. ACS NT
B. RADIUS+
C. ACS UNIX
D. TACACS
Answer (partly illegible): , D

QUESTION NO: 17
Enter the command that enables failover between two PIX Firewalls.
Answer: Failover active

QUESTION NO: 18
Enter the command that allows the IP addresses to be updated in the translation table for the PIX Firewall.
Answer: clear xlate

QUESTION NO: 19
Which portion of the conduit command denies access through the PIX Firewall if the condition is met?
Answer: deny

QUESTION NO: 20
What does deny mean in regards to crypto access lists on the PIX Firewall?
A. It specifies that no packets are encrypted.
B. It specifies that matching packets must be encrypted.
C. It specifies that mismatched packets must be encrypted.
D. It specifies that matching packets need not be encrypted.

QUESTION NO: 21
What is the goal of pre-planning before configuring an IPSec-based VPN when using the PIX Firewall?
A. To plan in advance.
B. To minimize misconfiguration.
C. To identify IPSec peer router Internet Protocol addresses and host names.
D. To determine key distribution methods based on the numbers and locations of IPSec peers.

QUESTION NO: 22
Which three problems can ActiveX cause for network clients using the PIX Firewall? (Choose three)
A. It can attack servers.
B. It can block HTML commands.
C. It can block HTML comments.
D. It can download Java applets.
E. It can cause workstations to fail.
F. It can introduce network security problems.
Answer (partly illegible): ,?,?

QUESTION NO: 23
How does passive mode FTP on the PIX Firewall support inside clients without exposing them to attack?
A. There is no data connection.
B. Port 20 remains open from outside to inside.
C. Port 21 remains open from inside to outside.
D. The client initiates both the command and data connections.

QUESTION NO: 24
Enter the command that enables the AAA access control system in the global configuration.
Answer: aaa new-model

QUESTION NO: 25
Enter the command that encrypts all user passwords within the Cisco IOS Firewall.
Answer: no service password-encryption

QUESTION NO: 26
Which session type allows you four attempts to correctly authenticate to the PIX Firewall before it drops the connection?
A. FTP
B. HTTP
C. Telnet
D. Accounting

QUESTION NO: 27
Enter the command that allows the PIX Firewall to enable and configure accounting for all services and for selected services.
Answer: aaa accounting

QUESTION NO: 28
Why does failover begin a series of interface tests on the PIX Firewall?
A. To check the failover cable.
B. To clear the received packets.
C. To determine which PIX Firewall has failed.
D. To determine which interface has the failover packet.

QUESTION NO: 29
Match the command to the correct interface when configuring the PIX Firewall.
Exhibit: (not reproduced)
Answer: (not reproduced)

QUESTION NO: 30
What does deny instruct the PIX Firewall to do when configuring IPSec parameters for the PIX Firewall?
A. It routes traffic in the clear.
B. It configures the transform set.
C. It encrypts Internet Protocol packets.
D. It causes all Internet Protocol traffic to be protected by crypto.

QUESTION NO: 31
Each IPSec peer individually enrolls with the CA server and obtains which two keys, using the PIX Firewall? (Choose two)
A. Public encryption
B. Private encryption
C. Public authorization
D. Public authentication
E. Private authorization
F. Private authentication
Answer (partly illegible): , B

QUESTION NO: 32
Which three statements about DNS Guard on the PIX Firewall are true? (Choose three)
A. It is always enabled.
B. It is always disabled.
C. It causes UDP session hijacking and denial-of-service attacks.
D. It prevents UDP session hijacking and denial-of-service attacks.
E. It automatically creates a UDP conduit as soon as the DNS response is received.
F. It automatically tears down a UDP conduit as soon as the DNS response is received.
Answer (partly illegible): , D, F

QUESTION NO: 33
Which part of the command specifies the service users are allowed to access, when configuring user authorization profiles?
A. protocol
B. host ip_addr
C. eq auth_service
D. ip_addr wildcard mask

QUESTION NO: 34
What does the authentication proxy feature of the Cisco IOS Firewall allow network administrators to do?
A. Tailor access privileges on an individual basis.
B. Use a general policy applied across multiple users.
C. Use a single security policy that is applied to an entire user group or subnet.
D. Keep user policies active even when there is no active traffic from the authenticated users.

QUESTION NO: 35
What happens when you see the "Authentication Successful" message during the virtual Telnet authentication of the PIX Firewall?
A. The user is automatically logged out.
B. All entries in the uauth cache are cleared.
C. The user must provide a username and password.
D. Authentication credentials are cached in the PIX Firewall for the duration of the uauth timeout.

QUESTION NO: 36
What happens at the end of each test during failover interface testing on the PIX Firewall?
A. Network traffic is generated.
B. The PIX Firewall receives traffic for a test.
C. Each PIX Firewall looks to see if it has received any traffic.
D. Each PIX Firewall clears its received packet count for its interface.

QUESTION NO: 37
Enter the command that assigns a name and a security level to each interface of the PIX.
Answer: nameif ethernet0 perimeter1 security100

QUESTION NO: 38
Which four steps are used to configure IKE parameters when configuring PIX Firewall IPSec? (Choose four)
A. Test VPN.
B. Verify VPN.
C. Apply crypto map.
D. Configure crypto map.
E. Enable or disable IKE.
F. Verify IKE phase 1 details.
G. Configure phase 1 policy.
H. Configure IKE pre-shared key.
Answer: E, F, G, H

QUESTION NO: 39
Match the VPN features that IPSec enables through the PIX Firewall with the correct descriptions.
Exhibit: (not reproduced)
Answer: (not reproduced)

QUESTION NO: 40
Which four items does the outbound command let you specify on the PIX Firewall? (Choose four)
A. Whether inside users can access outside servers.
B. Whether outside users can access outside servers.
C. Whether inside users can use outbound connections.
D. Whether outside users can use inbound connections.
E. Whether outbound connections can execute Java applets on the inside network.
F. Whether inbound connections can execute Java applets on the outside network.
G. Which services outside users can use for inbound connections and for accessing inside servers.
H. Which services inside users can use for outbound connections and for accessing outside servers.
Answer (partly illegible): , C, E, H

QUESTION NO: 41
How does the user trigger the authentication proxy after the idle timer expires?
A. By authenticating the user.
B. By initiating another HTTP session.
C. By entering a new user name and password.
D. By entering a valid user name and password.

QUESTION NO: 42
Which three features does Cisco IOS Firewall use? (Choose three)
A. PIX Firewall
B. Flash memory
C. Stateful Failover
D. Authentication proxy
E. Intrusion detection systems
F. Content based access control
Answer (partly illegible): , E, F

QUESTION NO: 43
A user is allowed to perform FTP but not HTTP. Which feature performs this function within the PIX Firewall?
A. Accounting only.
B. Authorization only.
C. Authentication only.
D. Accounting and authentication.

QUESTION NO: 44
Which addresses does the primary PIX Firewall use when in active mode?
A. Media access control addresses only.
B. System Internet Protocol addresses and media access control addresses.
C. Failover Internet Protocol addresses and media access control addresses.
D. System Internet Protocol addresses and failover Internet Protocol addresses.

QUESTION NO: 45
What is the purpose of verifying the IKE Phase 1 policy with the PIX Firewall?
A. To specify the hash algorithm.
B. To configure the IPSec parameters.
C. To specify the authentication method.
D. To display configured and default IKE policies.

QUESTION NO: 46
What is the purpose of WebSENSE with the PIX Firewall?
A. To control or monitor e-mail activity.
B. To control or monitor Internet activity.
C. To control or monitor inside client activity.
D. To control or monitor outside client activity.

QUESTION NO: 47
What happens if the user fails to authenticate with the AAA server on a CSIS router?
A. A password is requested.
B. Authentication is completed.
C. The connection request is dropped.
D. The connection request is completed.

QUESTION NO: 48
What is the default for Interface Configuration during basic configuration of the Cisco Secure ACS Network Access Server on the PIX Firewall?
A. Enabled
B. Disabled
C. Automatically enabled
D. Identical passwords required

QUESTION NO: 49
Why is the ASA important for the PIX Firewall? (Choose three)
A. It monitors return packets to assure validity.
B. It allows two-way connections on all systems.
C. It allows one-way connection with an explicit configuration on each internal system.
D. It allows one-way connection with an explicit configuration on each external system.
E. It allows one-way connection without an explicit configuration on each internal system.
F. It randomizes the TCP sequence number, which minimizes the risk of attack.
Answer (partly illegible): , C, F

QUESTION NO: 50
How do you choose the specific values for each IKE parameter when using the PIX Firewall?
A. Using host names.
B. Using the remote level you desire and the host peer you will connect to.
C. Using the remote level you desire and the destination peer you will connect to.
D. Using the security level you desire and the type of IPSec peer you will connect to.

QUESTION NO: 51
What is the purpose of UDP resend on the PIX Firewall when using Real Networks' RDT mode?
A. It connects the client to the server.
B. It connects the outside client to the inside client.
C. The client requests that the server try to resend lost data packets.
D. Media delivery uses the standard UDP packet format to go from the server to the client.

QUESTION NO: 52
What happens in the aggressive mode of CBAC on the Cisco IOS Firewall?
A. CBAC deletes all half-open sessions.
B. CBAC re-initiates half-open sessions.
C. CBAC completes all half-open sessions, making them fully-open sessions.
D. CBAC deletes half-open sessions as required to accommodate new connection requests.

QUESTION NO: 53
Enter the command that writes the configuration into Flash memory of the PIX Firewall.
Answer: write memory

QUESTION NO: 54
Enter the command that defines a static or default route for an interface on the PIX Firewall.
Answer: ip route

QUESTION NO: 55
What does permit mean in regards to crypto access lists on the PIX Firewall?
A. It specifies that no packets are encrypted.
B. It specifies that matching packets must be encrypted.
C. It specifies that mismatched packets must be encrypted.
D. It specifies that matching packets need not be encrypted.

QUESTION NO: 56
How does the PIX Firewall provide secure connections for Real Audio and CUSeeME?
A. It statically opens UDP ports.
B. It statically closes UDP ports.
C. It statically opens and closes UDP ports.
D. It dynamically opens and closes UDP ports.

QUESTION NO: 57
What does a half-open TCP session on the Cisco IOS Firewall mean?
A. The session was denied.
B. The firewall detected return traffic.
C. A three-way handshake has been completed.
D. The session has not reached the established state.

QUESTION NO: 58
Why do the connections remain with stateful failover on the PIX Firewall?
A. Stateful failover passes per-connection stateful information to the active PIX Firewall.
B. Stateful failover passes per-connection stateful information to the standby PIX Firewall.
C. Stateful failover does not pass per-connection stateful information to the active PIX Firewall.
D. Stateful failover does not pass per-connection stateful information to the standby PIX Firewall.

QUESTION NO: 59
Which command limits the hosts that are allowed to Telnet to the Cisco IOS Firewall router?
A. password
B. access-list
C. enable mode
D. disable mode

Section B

Study these questions as well.

QUESTION NO: 1
What is the default TCP timeout for inactivity on CBAC?
A. 360 seconds
B. 3600 seconds
C. 255,000 seconds
D. 2400 seconds

QUESTION NO: 2
What is NAT?
A. Access control
B. Default hostname of the Cisco PIX
C. Network access translations
D. IP addressing translating

QUESTION NO: 3
What does PAM stand for?
A. Port address mapping
B. Port allocation mapping
C. Port to application mapping
D. Port address management

QUESTION NO: 4
What are the two types of PIX Firewall translations?
A. Dynamic
B. PAM
C. Default
D. Static
Answer (partly illegible): , D

QUESTION NO: 5
No packets can traverse the PIX Firewall without a connection and state?
A. True
B. False

QUESTION NO: 6
How do you save the PAM mappings?
A. Copy pam-mappings flash
B. They are automatically saved
C. Save pam-mappings
D. Copy run start

QUESTION NO: 7
What command enables the failover feature on the PIX506?
A. Failover is not supported on the PIX506
B. Failover standby
C. Enable failover
D. Enable standby

QUESTION NO: 8
What needs to be done to the clients in case of a PIX stateful failover situation?
A. A router is required to redirect to the PIX in case of failover
B. The arp table must be cleared on all client computers
C. All clients must have the default gateway changed to the now active PIX
D. Nothing.
Explanation: Actually, nothing needs to be done if two PIXs are hooked up and failover is active, and the Primary fails. With stateful failover, all the actual connection states that are created in the Primary PIX are replicated to the standby PIX. In the event of a failover, the XLATE table is the same on the standby unit, so when it becomes the Primary, nothing needs to be done. It is transparent to all the hosts on the network.

QUESTION NO: 9
What three commands are required for stateful failover?
A. failover ip address inside 10.1.1.2
B. stateful failover
C. failover on
D. failover link intf2
Answer (partly illegible): , C, D

QUESTION NO: 10
What is a limitation of PAT?
A. Very processor intensive
B. Supports very few clients
C. Only supported on Cisco IOS routers
D. Does not support multi-media protocols

QUESTION NO: 11
What protocols trigger authentication proxy?
A. FTP
B. SSL
C. Telnet
D. HTTP

QUESTION NO: 12
How are outbound TCP sessions handled?
A. TCP sessions are allowed inbound unless blocked by an access list
B. PIX does not inspect TCP traffic
C. TCP sessions are maintained in a state table
D. TCP sessions are authorized inbound and outbound by default.

QUESTION NO: 13
What are the three access modes in the PIX?
A. Privileged
B. Unprivileged
C. Configuration
D. Enable
E. User
Answer (partly illegible): , B, C

QUESTION NO: 14
What would be the purpose of multiple interfaces?
A. For redundant Internet connections
B. To create separate secure networks
C. For redundancy
D. Multiple interfaces are not supported on the PIX

QUESTION NO: 15
The PIX Firewall only supports TACACS+.
A. False
B. True

QUESTION NO: 16
What are some limitations of authentication proxy?
A. Client browsers must have JavaScript enabled for secure authentication.
B. Does not support AAA
C. HTTP must be running on the standard port
D. HTTP is the only triggering protocol
Answer (partly illegible): , B, C, D

QUESTION NO: 17
What are TCP half-open sessions?
A. TCP sessions that span several ports
B. One-way TCP sessions
C. TCP sessions that have not completed the 3-way handshake
D. TCP sessions initiated from inside the PIX

QUESTION NO: 18
What is the purpose of inspection rules in CBAC configurations?
A. Defines what IP traffic is denied
B. Defines what application layer protocols will be denied
C. Defines what IP traffic will be permitted
D. Defines what application layer protocols will be inspected

QUESTION NO: 19
What features are authentication proxy compatible with?
A. NAT
B. VPN Client
C. IPSEC
D. CBAC
Answer (partly illegible): , B, C, D

QUESTION NO: 20
By default, how are outbound connections handled by the PIX?
A. All outbound connections are allowed, except those specifically denied by access control lists.
B. All ports on the PIX are open by default until you lock them down. Therefore all connections are allowed until access control lists are implemented.
C. Depends upon the user
D. All outbound connections are denied, except those specifically allowed.

QUESTION NO: 21
How do you save the running configuration to the startup configuration on the PIX Firewall?
A. Copy running-configuration flash
B. Write memory
C. Copy running-configuration startup-configuration
D. Save configuration

QUESTION NO: 22
What command enables authentication proxy?
A. router(conf)#ip authentication-proxy <name>
B. router#ip authentication-proxy <name>
C. router(conf-if)#ip authentication-proxy <name>
D. router#enable ip authentication proxy

QUESTION NO: 23
What command enables ActiveX blocking?
A. activex filter
B. no activex
C. block activex
D. filter activex

QUESTION NO: 24
How do you view all active static translations?
A. show static translations
B. show all static translations
C. show xlate state static
D. show translations state static

QUESTION NO: 25
The IP address assigned to the outside interface cannot be used for PAT.
A. False
B. True

QUESTION NO: 26
What command is used to verify PAM?
A. show port-map
B. show pam
C. show ip pam
D. show ip port-map

QUESTION NO: 27
What command is used to disable NAT?
A. Disable NAT
B. Disable IP NAT
C. NAT 0
D. No NAT

QUESTION NO: 28
What are the names of the two default interfaces on the PIX?
A. public
B. outside
C. inside
D. private
Answer (partly illegible): , C

QUESTION NO: 29
How much RAM/Flash does the PIX506 base model have?
A. 32/8
B. 256/32
C. 16/16
D. 128/16

QUESTION NO: 30
What is the purpose of authorization with AAA?
A. Authorization is not supported on the PIX
B. To determine who has authorized access
C. To determine what services a user is authorized to utilize.
D. To determine which PIX is authorized to allow traffic to pass

QUESTION NO: 31
How do you enable URL filtering on the PIX?
A. enable url-filtering
B. It is enabled by default
C. filter url
D. url-filtering

QUESTION NO: 32
What is data integrity?
A. IPSec receiver can detect & reject replayed packets
B. Packets are authenticated by the receiver to ensure no alterations have been made
C. Packets are encrypted before transmitting them across a network
D. Receiver can authenticate the source of IPSec packets

QUESTION NO: 33
What is anti-replay?
A. Receiver can authenticate the source of IPSec packets
B. Receiver authenticates packets to ensure no alterations have been made
C. IPSec receiver can detect & reject replayed packets
D. IPSec sender can encrypt packets before transmitting them across a network

QUESTION NO: 34
How do you display dynamic ACL entries on an authentication proxy router?
A. Show access-list authentication proxy
B. Show dynamic-entries access-list
C. Show access-list
D. Show authentication-proxy access-list entries

QUESTION NO: 35 What happens if the global timeouts are different on two IPSec peers? A. Nothing B. The highest value is used C. The lowest value is used D. The PIX default timeout is used QUESTION NO: 36 What is the purpose of the alias command? A. To allow internal users to use the FQDN that is registered an external DNS server B. To assign a name to an IP host C. To hide inside addresses from the Internet D. To assign a name to the PIX firewall QUESTION NO: 37 What three things does IKE provide? A. Security payload encapsulation B. IPSec peer authentication C. IPSec SA negotiations D. IPSec key establishment, C, D QUESTION NO: 38 What is required to perform a password recovery on the PIX520? A. Change to the boot sequence B. Change to the registry - 32 -

C. Pix Password Lockout Utility D. Reboot, D QUESTION NO: 39 How do you edit a system defined PAM mapping? A. ip pam <port number> B. System defined mappings cannot be changed C. ip port-map <port number> D. ip port-map port <port number> QUESTION NO: 40 What is data origin authentication? A. Receiver authenticates packets to ensure no alterations have been made B. IPSec receiver can detect & reject replayed packets C. IPSec sender can encrypt packets before transmitting them across a network D. Receiver can authenticate source of IPSec packets QUESTION NO: 41 What does CBAC offer? A. Application layer examination B. PAM C. Routing D. Routing protocol encryption QUESTION NO: 42 What would be a reason to change the activation key on the PIX? - 33 -

A. The activation key cannot be changed
B. Enable DES
C. Upgrade IOS version
D. Install new memory

QUESTION NO: 43
What does the AH security protocol provide?
A. encrypted data routing
B. data authentication
C. peer identification
D. anti-replay services
Answer: …, D

QUESTION NO: 44
How do you clear all active translations?
A. Delete translations
B. Clear translations
C. Clear xlate
D. Clear translations *

QUESTION NO: 45
What does the following command accomplish?
IP port-map http port 21
A. It allows HTTP traffic to port 21
B. Nothing
C. It allows HTTP & FTP traffic to port 21
D. It allows FTP traffic to port 80 and HTTP traffic to port 21

QUESTION NO: 46
What is supported on the PIX for stateful failover?
A. Ethernet
B. ATM
C. Token Ring
D. FDDI

QUESTION NO: 47
How does ActiveX blocking affect ActiveX traffic to servers identified by an alias command?
A. Allows ActiveX traffic to the server
B. Inspects the ActiveX applet from the servers
C. Does not block ActiveX traffic from the server
D. Blocks all ActiveX traffic from the server

QUESTION NO: 48
What command clears the IPSec security associations?
A. clear ipsec sa
B. clear security-associations
C. clear ipsec
D. clear sa

QUESTION NO: 49
By default what are the two interface names on the PIX Firewall?
A. Ethernet
B. DMZ
C. Serial
D. 100Mb
E. Inside
F. Outside

Answer: E, F

QUESTION NO: 50
What platforms support CBAC?
A. PIX 515
B. 1600
C. PIX 506
D. 2500
Answer: …, D

QUESTION NO: 51
How do you view the running configuration?
A. write terminal
B. show running-configuration
C. show all-configuration
D. show configuration

QUESTION NO: 52
What is the purpose of the "nameif" command?
A. To shutdown an interface on the PIX
B. To enable an interface on the PIX
C. The nameif is not a valid PIX command.
D. To assign a security level and name to an interface.

QUESTION NO: 53
In the following command, what does the keyword "http" represent?
Ip port-map http port 81
A. It identifies the table for the port-mapping to reference

B. Nothing, the command is invalid
C. it identifies the application name
D. it redirects all http traffic from port 80

QUESTION NO: 54
How does CBAC allow traffic through the router?
A. All traffic is blocked by the router
B. Traffic must be permitted in the pre-configured access-list
C. All traffic is allowed through
D. Using access-list entries

QUESTION NO: 55
How is the configuration maintained between the primary PIX and the standby unit?
A. Standby is configured and configuration is replicated to primary
B. Primary is configured and configuration is replicated to standby
C. Both must be configured separately
D. The standby does not maintain a current configuration until failover occurs

QUESTION NO: 56
What command saves the CA settings & policies?
A. ca save all
B. save ca
C. Write memory
D. They cannot be saved

QUESTION NO: 57

How do you clear the logging buffer?
A. clear buffer
B. delete log
C. clear logging
D. delete log

QUESTION NO: 58
What is the purpose of the xlate command?
A. To configure translations
B. To configure PIX global timeouts
C. Xlate is not a valid command
D. To view and clear translations

QUESTION NO: 59
Which interfaces does the PIX send "hello" packets out of for failover?
A. Only interfaces directly connected to each other
B. Inside
C. All including the failover cable
D. None, just over the failover cable

QUESTION NO: 60
What is the purpose of PAM?
A. To identify users via port mapping
B. To create address pools for NAT
C. There is no such feature
D. To customize TCP & UDP port numbers

QUESTION NO: 61
How do you determine the amount of memory and flash installed in the PIX?
A. show flash
B. show dram
C. show version
D. show memory

QUESTION NO: 62
What are the two ways security associations can be established?
A. Manual
B. CRYPTO
C. ISAKMP
D. IKE.
Answer: …, D

QUESTION NO: 63
What does the "conduit" command do?
A. Nothing, the conduit is not a valid command on the PIX
B. Enables the conduit interface on the PIX.
C. Permits/denies traffic if the specified conditions are met.
D. Maps a local address to a global address.

QUESTION NO: 64
What command enables AAA on a Cisco router?
A. aaa radius
B. aaa enable
C. enable aaa
D. aaa new-model

QUESTION NO: 65
How does a user receive a login screen through authentication proxy?
A. Clicking on the authentication proxy icon on the desktop
B. They do not, as authentication proxy uses their NT login
C. By opening an Internet browser
D. From a command prompt

QUESTION NO: 66
How are outbound UDP sessions handled?
A. A connection state is maintained on the PIX.
B. All UDP traffic is permitted inbound unless blocked with an access-list
C. The PIX does not recognize UDP sessions
D. All UDP traffic is blocked outbound unless permitted with an access-list

QUESTION NO: 67
What is the purpose of a Websense server?
A. To host our website
B. It is a syslog server for the PIX
C. URL filtering
D. To monitor the state of your Internet connection

QUESTION NO: 68
How does the PIX initiate new IPSec security associations using dynamic crypto maps?
A. By sending its public key to the remote peer
B. By sending an IKE key to the remote peer

C. By sending a security association request to the remote peer
D. The PIX cannot initiate an IPSec SA using dynamic crypto maps

QUESTION NO: 69
What does CBAC stand for?
A. Control Based on Access list
B. Cisco Based Accounting Control.
C. Context Based Access Control
D. Cisco Based Access Control

QUESTION NO: 70
When do you need an access-list applied inbound to the inside interface?
A. When you want to block all outbound traffic
B. When you want to control the outbound traffic
C. Access-list cannot be applied to the inside interface
D. When you want to control inbound public traffic

QUESTION NO: 71
What command displays all security associations?
A. show ipsec security-associations
B. show ipsec security-associations
C. show ip security-associations
D. show ipsec security-associations all

QUESTION NO: 72
How do you map a port to a specific host?

A. You cannot map to a specific host
B. IP port-map http port 81 host 10.1.1.1
C. An access-list permitting the host is required
D. IP port-map http port 81 10.1.1.1

QUESTION NO: 73
What traffic is identified in the inbound access-list on a CBAC router?
A. Permitting traffic to be inspected by CBAC
B. FTP
C. Denying traffic to be inspected by CBAC
D. HTTP

QUESTION NO: 74
What is the default time-out for authentication proxy?
A. 60 seconds
B. 6 minutes
C. 60 minutes
D. 360 seconds

QUESTION NO: 75
How is URL filtering accomplished?
A. With a Websense server
B. With a Cisco IDS
C. With a PIX failover unit
D. URL filtering is not supported

QUESTION NO: 76

How do you reset a security association with an IPSec peer?
A. Clear ipsec sa <peer name>
B. Disconnect the PIX from the network
C. Delete security-association
D. You must delete all IPSec configurations and reconfigure

QUESTION NO: 77
What is the command to assign an IP address to an interface?
A. nameif inside IP address 10.1.1.1 255.255.255.0
B. ip address inside 10.1.1.1 255.255.255.0
C. inside address 10.1.1.1 255.255.255.0
D. inside ip address 10.1.1.1 255.255.255.0

QUESTION NO: 78
What command is utilized to upgrade the IOS version of the PIX?
A. Copy tftp flash
B. Copy flash tftp
C. Write tftp flash
D. Save tftp flash

QUESTION NO: 79
What are the two types of global timeouts for IPSec on the PIX?
A. bandwidth
B. uptime
C. number of PPTP connections
D. time
Answer: …, D

QUESTION NO: 80
What two commands enable viewing the URL filtering information?
A. show url-cache stats
B. show url-filtering
C. show filter-url
D. show perfmon
Answer: …, D

QUESTION NO: 81
How does CBAC handle ICMP?
A. Only ICMP echo packets are inspected
B. All ICMP traffic is inspected by CBAC
C. ICMP traffic is not inspected by CBAC
D. ICMP traffic is denied by CBAC

QUESTION NO: 82
What two commands are needed for outbound access?
A. PAT
B. Access list
C. NAT
D. Global
Answer: …, D

QUESTION NO: 83
What does the "clear filter" command accomplish?
A. Clears all filter counters displayed by the show filters command
B. Resets all filters to their original state
C. Invalid PIX command

D. Removes all filters from the PIX configuration

QUESTION NO: 84
How do you apply conduit statements to the outside interface?
A. With the use of the conduit-outside statement
B. With the use of the conduit-group statement
C. No configuration required
D. Conduit statements cannot be applied to the outside interface

QUESTION NO: 85
A crypto map statement can contain multiple access-lists.
A. False
B. True

QUESTION NO: 86
The PIX is a single point of failure and has no solution for redundancy. Cisco is working on a solution for this right now.
A. True
B. False

QUESTION NO: 87
In CBAC, how are dynamic access-list entries saved?
A. They are not saved
B. Write memory
C. Write tftp

D. Save access-list

QUESTION NO: 88
How is outbound access enabled?
A. Global
B. Static
C. NAT
D. Access-list
Answer: …, C

QUESTION NO: 89
How is inbound access controlled?
A. Global
B. Access-list
C. Static
D. NAT
Answer: …, C

QUESTION NO: 90
You can configure conduit statements on a PIX Firewall, but not access-lists.
A. False
B. True

QUESTION NO: 91
What is data confidentiality?
A. IPSec receiver can detect & reject replayed packets
B. Receiver authenticates packets to ensure no alterations have been made
C. Packets are encrypted before they are transmitted across a network

D. Receiver can authenticate source of IPSec packets

QUESTION NO: 92
What is a false-positive alarm?
A. Alarms that do not reach their intended destination
B. Legitimate alarms that are not triggered
C. Alarms caused by legitimate traffic
D. Alarms that an administrator ignores

QUESTION NO: 93
What command displays the authentication proxy configuration?
A. Show version proxy-authentication
B. Show proxy-authentication
C. Show all proxy-authentication
D. Show ip proxy-authentication

QUESTION NO: 94
What is a dynamic crypto map?
A. There is no such thing as a dynamic crypto map
B. When the PIX gets the entire crypto map configuration from a CA
C. A crypto map created solely by the PIX upon negotiation with an IPSec peer
D. A crypto map without all the parameters configured

QUESTION NO: 95
Authentication proxy only works with TACACS+.
A. False

B. True

QUESTION NO: 96
What command is required to save the configuration to a remote device?
A. radius-server
B. Copy
C. Save
D. write

QUESTION NO: 97
For which three protocols does the PIX provide credential prompts, given the proper configuration of an AAA server?
A. HTTP
B. TFTP
C. FTP
D. HTTPS
E. Telnet
F. SSL
Answer: …, C, E

QUESTION NO: 98
In CBAC, where does the router get the state table information?
A. By inspecting the packet
B. From a PIX firewall
C. From routing tables
D. Configured by administrator

QUESTION NO: 99

What command applies CBAC to an interface?
A. router# ip inspect NAME in interface outside
B. router(conf)#ip inspect NAME in
C. router(conf-if)#ip inspect NAME in
D. router(conf)#ip inspect NAME out

QUESTION NO: 100
With the PIX Firewall, you can configure:
A. Separate groups of TACACS+ or RADIUS servers for specifying different types of traffic
B. None of the above. PIX does not support TACACS+ or RADIUS.
C. Only TACACS+ for inbound & outbound connections
D. Only RADIUS for inbound & outbound connections

QUESTION NO: 101
What does ACS stand for?
A. Another Cisco Server
B. Authentication, Control, Secure
C. Access Control Server
D. Access, Control, Security

QUESTION NO: 102
What is required for stateful failover?
A. FDDI interface
B. 1 interface interconnected
C. PIX failover cable.
D. 3 interfaces interconnected
Answer: …, C

QUESTION NO: 103
What is the goal of a DDOS attack?
A. To use the network to attack another network
B. To steal vital information
C. To take control of the network
D. To stop the network from working

QUESTION NO: 104
When configuring a security association in IPSec, the global lifetime default (the time when the security association is renegotiated) is 28,800 seconds.
A. True
B. False

QUESTION NO: 105
How many hosts will PAT support?
A. 1024
B. unlimited
C. 64000
D. 1

QUESTION NO: 106
How do you configure a Websense server on the PIX?
A. server 10.1.1.1
B. websense-server 10.1.1.1
C. url-server 10.1.1.1
D. websense 10.1.1.1

QUESTION NO: 107
What is one difference between conduit statements and access-lists?
A. Conduit statements can only contain permit statements
B. Conduit statements list the destination address before the source address and access-lists contain the source address before the destination address
C. Conduit statements do not contain the implicit deny any at the end
D. Access-lists cannot be applied to the interfaces of the PIX

QUESTION NO: 108
The inbound access-list or conduit statements must include permit statements for all IPSec traffic.
A. False
B. True

QUESTION NO: 109
What is the purpose of the "logging trap" command?
A. Enables syslog traps
B. This is not a valid PIX command
C. Sends logs to a host named trap
D. Enables SMTP traps

QUESTION NO: 110
How do you configure a pool of public IP addresses?
A. Global command
B. Pool command

C. NAT command.
D. Static command

QUESTION NO: 111
PAT is not supported with the "fixup protocol rtsp" command.
A. True
B. False

QUESTION NO: 112
You are required to have two crypto access-lists for IPSec. One is to identify outbound traffic to be encrypted, and the other is to identify inbound traffic that should be encrypted.
A. False
B. True

QUESTION NO: 113
What is the purpose of authentication proxy?
A. Proxy of user logins
B. To enable AAA
C. Policies on a per-user basis
D. For user accounting

QUESTION NO: 114
To which PIX interface(s) do you apply the crypto map statements?
A. To the outside interface
B. To the inside interface

C. To any interfaces that IPSec packets will traverse
D. All PIX interfaces

QUESTION NO: 115
What three purposes does the failover cable serve?
A. Power status of the other unit
B. Communication link
C. Unit identification of both units
D. Stateful information
Answer: …, B, C

QUESTION NO: 116
You have a PIX firewall and you are only given one public IP address from your ISP to use on the PIX. You do not have any type of servers that need to be accessed from the Internet. What is a valid quick solution to your problem?
A. Get a new ISP
B. PAT
C. Request additional IP addresses from your ISP
D. NAT

QUESTION NO: 117
How many default routes can be assigned to the PIX firewall?
A. 1 per network
B. 1.
C. As many as required
D. 1 per interface
E. 1 for the primary PIX and 1 for the standby PIX

QUESTION NO: 118
Without stateful failover, how are active connections handled?
A. Connections are maintained between the PIX and the failover unit
B. Dropped
C. UDP connections are maintained
D. TCP connections are maintained

QUESTION NO: 119
What is the purpose of the "fixup protocol" commands?
A. To identify what protocols are permitted through the PIX
B. Change PIX firewall application protocol feature
C. To identify what protocols are to be blocked by the PIX
D. To map a protocol to a TCP or UDP port

QUESTION NO: 120
In what version of IOS was the "ip port-map" command introduced?
A. 13.(1)
B. 12.1
C. 11.0(1)
D. 12.05(t)

QUESTION NO: 121
What is the first step in configuring IPSec without CA?
A. Crypto
B. ISAKMP
C. IKE
D. IPSEC

QUESTION NO: 122
How do you delete the following PAM entry?
IP port-map http port 81
A. clear IP port-map http port 81
B. This is a system-defined entry and cannot be deleted
C. no IP port-map http port 81
D. delete IP port-map http port 81

QUESTION NO: 123
What is the purpose of the outbound access-list for a CBAC solution?
A. To block all traffic, CBAC will then inspect the traffic and allow legitimate traffic out
B. Packets you want inspected by CBAC
C. There is no need for an outbound access-list in a CBAC solution
D. To identify legitimate inbound traffic from the Internet

QUESTION NO: 124
What does the "crypto access-list" command accomplish?
A. There are no such access lists
B. They block non-encrypted traffic
C. They identify crypto map statements
D. Identifies which traffic is to be encrypted

QUESTION NO: 125
"Logging timestamp" specifies that syslog messages sent to the syslog server should have a time stamp value on each message.
A. True
B. False

QUESTION NO: 126
What is the layer-4 difference between Radius and TACACS+?
A. Radius uses TCP & TACACS+ uses UDP
B. Radius uses UDP & TACACS+ uses TCP
C. TACACS+ uses FTP & Radius uses TFTP
D. There is no layer-4 difference between Radius & TACACS+

QUESTION NO: 127
What two concepts are included in data authentication?
A. Anti replay
B. Data origin authentication
C. Data integrity.
D. Data confidentiality
Answer: …, C

QUESTION NO: 128
You decide you need more interfaces for your PIX 515 and you already have the unrestricted license installed. The PIX firewall only shipped with 2 Ethernet interfaces. You install a new Ethernet interface that you ordered from Cisco. After you power the PIX on, you assign an IP address to the interface and configure a NAT & global statement for the new network. But users on the new network are unable to browse the Internet. What else do you need to do?
A. Enable the new interface in the configuration
B. Add the "conduit permit any any" statement to your configuration
C. Nothing. The problem is probably with the clients' workstations, not the PIX.
D. Add the Cisco client proxy software to each workstation on the new network.

QUESTION NO: 129
What are some advantages of using the PIX firewall over other firewalls such as Microsoft Proxy?
A. No security problems from running on top of other operating systems
B. PIX firewall is plug and play, no configuration required
C. PIX inspects on lower layer protocols
D. PIX does stateful packet inspections
E. One box solution
Answer: …, C, D, E

QUESTION NO: 130
How many interfaces does the PIX 515R support?
A. 3
B. 4
C. 2
D. 6

QUESTION NO: 131
How do you configure a PAT address?
A. Nat (Outside) 1 1.1.1.1 1.1.1.1 255.255.255.255
B. IP PAT (Outside) 1 1.1.1.1 255.255.255.255
C. PAT (Outside) 1 1.1.1.1 255.255.255.255
D. Global (Outside) 1 1.1.1.1 1.1.1.1 255.255.255.255

QUESTION NO: 132
What are the two transport layer protocols?
A. TCP
B. IP
C. ICMP
D. UDP

Answer: …, D

QUESTION NO: 133
How many hello packets must be missed before the failover unit will become active?
A. 2
B. 3
C. 1
D. 5

QUESTION NO: 134
Only one IPSec tunnel can exist between two peers.
A. False
B. True

QUESTION NO: 135
What are two purposes of NAT?
A. To build routing tables
B. To expedite packet inspection
C. To connect two separate interfaces
D. To conserve non-RFC1918 addresses
E. To hide internal servers' and workstations' real IP addresses from the Internet
Answer: …, E

QUESTION NO: 136
What does IKE Extended authentication provide?
A. Authentication of multiple IPSec peers
B. Auto-negotiation of IPSec security associations
C. User authentication using Radius/TACACS+

QUESTION NO: 137
How do you view active NAT translations?
A. show nat-translations
B. show ip-nat translations
C. show xlate
D. show translations *

QUESTION NO: 138
Access-lists are supported with Radius authorization.
A. True.
B. False

QUESTION NO: 139
How are transform sets selected in manually established security associations?
A. Transform sets are not used in manually established security associations
B. Manually established security associations only have one transform set
C. The first transform set is always used
D. The first common transform set is used

QUESTION NO: 140
What are the two licenses supported on the PIX515?
A. Unrestricted
B. Limited
C. Restricted
D. Unlimited

Answer: …, C

QUESTION NO: 141
What is the purpose of the "clear access-list" command?
A. Remove an access-list from an interface
B. To clear all access-lists from the PIX
C. To clear all access-list counters
D. Invalid command

QUESTION NO: 142
At what layer of the OSI model does IPSec provide security?
A. 4
B. 7
C. 8
D. 3

QUESTION NO: 143
A transform set is a combination of ___ & ___.
A. access-list
B. crypto maps
C. security protocols
D. algorithms
Answer: …, D

QUESTION NO: 144
AAA stands for authentication, authorization, & ___.
A. application
B. accounting

C. access control
D. authenticity

QUESTION NO: 145
In CBAC, how are half-open sessions measured?
A. Both TCP & UDP half-open sessions are calculated
B. Only UDP half-open sessions are calculated
C. CBAC does not calculate half-open sessions
D. Only TCP half-open sessions are calculated

QUESTION NO: 146
What does DDOS stand for?
A. Distributed denial of service
B. Dedicated Department of Security
C. Dead, Denied, Out of Service
D. Demand denial of service

QUESTION NO: 147
What is the purpose of the "route 0 0" command?
A. To configure a static route
B. To enable routing on the PIX
C. To configure a default route
D. To route between 2 interfaces

QUESTION NO: 148

You establish an IPSec tunnel with a remote peer. You verify by viewing the security associations. You view the security associations two days later and find they are not there. What is the problem?
A. This would not happen
B. You have used an incorrect command to view the security associations
C. Your PIX is not powered up.
D. No traffic was identified to be encrypted.

QUESTION NO: 149
In CBAC, where are dynamic access entries added?
A. A new access-list is configured for each access entry
B. At the beginning of the access-list
C. A separate access-list is created for access entries
D. At the end of the access-list

QUESTION NO: 150
How do you identify a syslog server on the PIX?
A. logging host 10.1.1.1
B. TFTP server 10.1.1.1
C. syslog-server 10.1.1.1
D. syslog server 10.1.1.1

QUESTION NO: 151
CBAC inspection can only be configured in one direction.
A. False
B. True

QUESTION NO: 152
What is anti-replay?
A. IPSec peer will not accept old or duplicated packets
B. IPSec peer listens for all traffic from IPSec peer (at other end of tunnel), so as not to require any resends
C. The IPSec peer sends duplicates of each packet so as not to have to resend any packets
D. The IPSec peer will not resend packets.

QUESTION NO: 153
During IPSec security association negotiation, if there are multiple transform sets, which one is used?
A. It does not matter
B. The first common one
C. The first one
D. The last one

QUESTION NO: 154
What three types of entries does the PAM table provide?
A. User defined
B. Internet specific
C. Host specific
D. System defined.
Answer: …, C, D

QUESTION NO: 155
In AAA, what does the method keyword "local" mean?
A. That the AAA server is local
B. Deny if login request is local
C. Use the local database for authentication

D. Authenticate if login request is local

QUESTION NO: 156
At what frequency does the PIX send hello packets to the failover unit?
A. 15 seconds
B. 60 seconds
C. 6 seconds
D. 20 seconds

QUESTION NO: 157
What command deletes all authentication proxy entries?
A. Clear ip authentication-proxy cache
B. Clear ip authentication-proxy cache all
C. Clear ip authentication-proxy cache *
D. Clear authentication-proxy all entries

QUESTION NO: 158
What is the purpose of the access-group command?
A. To apply an access-list to an interface
B. This is not a valid command on the PIX firewall
C. To create an ACL
D. To group access-lists together

QUESTION NO: 159
Default "fixup protocol" commands cannot be disabled.
A. True

B. False

QUESTION NO: 160
What is the purpose of a syslog server?
A. To host websites
B. To collect system messages
C. To maintain current backup configurations
D. To maintain URL filtering information

QUESTION NO: 161
What is required for stateful failover on the PIX 515?
A. Unrestricted software license
B. Cisco failover cable
C. Cisco IOS failover feature set
D. 2 Ethernet interfaces interconnected
Answer: …, B, D

QUESTION NO: 162
In CBAC, what is a state table?
A. A table containing access-list information
B. A table containing information about the state of CBAC
C. A table containing information about the state of the packet's connection
D. A table containing routing information

QUESTION NO: 163
What two commands are needed for inbound access?
A. Static