Trang 2 21certify.com
Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.
Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 365 days after the purchase. You should check the products page on the www.21certify.com web site for an update 3-4 days before the scheduled exam date.
Important Note:
Please Read Carefully
This 21certify Exam has been carefully written and compiled by 21certify Exams experts. It is designed to help you learn the concepts behind the questions rather than be a strict memorization tool. Repeated readings will increase your comprehension.
We continually add to and update our 21certify Exams with new questions, so check that you have the latest version of this 21certify Exam right before you take your exam.
For security purposes, each PDF file is encrypted with a unique serial number associated with your 21certify Exams account information. In accordance with International Copyright Law, 21certify Exams reserves the right to take legal action against you should we find copies of this PDF file have been distributed to other parties.
Please tell us what you think of this 21certify Exam. We appreciate both positive and critical comments as your feedback helps us improve future versions.
We thank you for buying our 21certify Exams and look forward to supplying you with all your Certification training needs.
Good studying!
21certify Exams Technical and Support Team
Note:
Section A contains 100 questions. Section B contains 57 questions. Section C contains 170 questions. The total number of questions is 327.
Section A
Q.1 You are the network security administrator for an enterprise network with a complex security policy. Which PIX Firewall feature should you configure to minimize the number of ACLs needed to implement your policy?
Q.3 Speaking of Security Association requirements, which of the following statements is true?
A A set of SAs are needed, one per direction, per protected data pipe
B A set of SAs are needed, one per direction, per protocol, per protected data pipe
C A set of SAs are needed, one per protocol only
D A set of SAs are needed, per protocol, per protected data pipe
Answer: B
Q.4 The graphic shows the output from the show failover command. This unit is active and the other unit is Standby. For an unknown reason, the failover is triggered and this unit has become Standby. We enter the command “show failover” again. What shall we see as the IP address of the [active-interface-inside]?
Q.5 Which of the following statements is not true regarding the DNS Guard?
A If disabled, can be enabled by the command: fixed protocol dns 53
B The default UDP time expires in two minutes
C Immediately tears down the UDP conduit on the PIX Firewall as soon as the DNS response is received
D Prevents against UDP session hijacking and denial of service attacks
Answer: A
Q.6 In helping the user to choose the right IPSec transforms combinations, the following rules apply: (Choose all that apply)
A To provide authentication services for the transform set, include an AH transform
B For authentication services include an ESP authentication transform
C To provide data authentication for the data and the outer IP header, include an AH transform
D For data confidentiality include an ESP encryption transform
E MD5 is stronger than SHA
Answer: A, B, C, D
Q.7 What is the command that enables IPSec traffic to bypass the check of conduit or access-group
command statements?
A conduit permit ip any any all
B access-list acl_out permit tcp any any all access-group acl_out interface outside
C sysopt connection permit-ipsec
D conduit permit tcp any any all
Answer: C
Q.8 All of the following statements are true, except:
A Use the nat command to let users on the respective interfaces start outbound connections. Associate the nat id with the global-id in the global command
B An interface is always outside when compared to another interface that has a higher security level
C Use a single default route statement to the outside interface only. Set the default route with the ip route command
D To permit access to servers on protected networks, use the static conduit commands
E Packets can not flow between interfaces that have the same security level
Answer: C
Q.9 Which of the following statements are not true: (Choose all that apply)
A DMZ interface can be considered an inside, or outside interface
B DMZ interface is always considered inside
C Traffic originating from the inside interface to the outside interface of the PIX Firewall will be allowed to flow unless restricted by access lists
D Traffic originating from the outside interface to the inside interface of the PIX Firewall will be dropped unless specifically allowed
E DMZ interface is always considered outside
Answer: B, E
Q.10 Adaptive Security Algorithm (ASA) is the heart of the PIX Firewall. Choose the strict rules that ASA follows: (Choose all that apply)
A The highest security interface is the inside interface
B The highest security interface is the outside interface
C No outbound packet can exit the PIX Firewall without a connection and state
D No packet, regardless of its direction, can traverse the PIX Firewall without a connection or state
E No inbound packet can enter the PIX Firewall without a connection and state
Answer: A, D
Q.11 Which statements about the PIX Firewall in VoIP environments are true? (Choose two)
A The PIX Firewall does not support the popular call setup protocol SIP because TCP can be used for call setup
B The PIX Firewall allows SCCP signaling and media packets to traverse the PIX Firewall and interoperate with H.323 terminals
C The PIX Firewall supports the Skinny Client Control Protocol, which allows you to place IP phones and Call Manager on separate sides of the PIX Firewall
D Users behind the PIX Firewall can place outbound calls with IP phones because they use HTTP tunneling to route packets through port 80, making them appear as web traffic
Answer: B, C
Q.12 Your organization’s web traffic has come to a halt because your PIX Firewall is dropping all new connection attempts. Why?
A You are running a software version older than 5.2, and the embryonic threshold you set in the static command was reached
B The shun feature of the PIX Firewall has taken effect because the embryonic threshold you set in the nat command was reached
C The TCP Intercept feature of the PIX Firewall has taken effect because the embryonic threshold you set in the static command was reached
D The intrusion detection feature of the PIX Firewall has taken effect because the embryonic threshold you set in the conduit command was reached
Answer: A
Q.13 Which tasks can be performed from the Access Rules tab? (Choose three)
A Configure translation rules
B Configure Cisco Secure ACS
C Configure access rules
D Define Java and ActiveX filtering rules
E Configure command authorization
F Create service groups and apply them to ACLs
Answer: C, D, F
Q.14 Where in PDM do you go to add, delete, or view global pools of addresses to be used by NAT?
A Global Pools tab
B System Properties tab
C Manage Pools button on the Translation Rules tab
D IP Address Pools button on the VPN tab
Answer: C
Q.15 Which step is optional when creating a crypto map on the PIX Firewall?
A Create a crypto map entry identifying the crypto map with a unique crypto map name and sequence number
B Specify which transform sets are allowed for this crypto map entry
C Specify a dynamic crypto map to act as a policy template where the missing parameters are later dynamically configured to match a peer’s requirements
D Assign an ACL to the crypto map entry
E Specify the peer to which IPSec-protected traffic can be forwarded
Q.17 Why is the group tag in the aaa-server command important?
A The aaa command references the group tag to know where to direct authentication, authorization, or accounting traffic
B The group tag identifies which users require authorization to use certain services
C The group tag identifies which user groups must authenticate
D The group tag enables or disables user authentication services
Answer: A
Q.18 You have already created an ACL named ACLIN to permit traffic from certain Internet hosts to the web server on your DMZ. How do you make the ACL work for you? (Choose two)
A Bind the ACL to the DMZ interface
B Bind the ACL to the inside interface
C Bind the ACL to the outside interface
D Create a static mapping for the DMZ server
E Create a static mapping for the web server
F Create a conduit mapping for the web server
Q.20 How does the PIX Firewall know where to get the addresses to use for any NAT configuration?
A From the nat_id in the static command
B You can have only one global pool of addresses, so the PIX Firewall knows that NAT uses the addresses in the global pool established by the global command
C From the nat_id in the nat command
D From the nat_id in the dhcp address command
Answer: C
Q.21 What is the purpose of the access-group command?
A Bind an ACL to an interface
B Create an object group
C Create an access group
D Unbind the acl_ID from the interface interface_name
Answer: A
Q.22 Which statements about security level 100 are true? (Choose two)
A It is the lowest security level
B It is the highest security level
C It is the least-trusted security level
D By default it is designated for the inside interface of the PIX Firewall
E It is not currently a configurable security level; it is reserved for future use
F By default, it is designated for the outside interface of the PIX Firewall
Answer: B, D
Q.23 Which statements about the PIX Firewall’s DHCP capabilities are true? (Choose two)
A It can be a DHCP server
B It cannot be a DHCP client
C You must remove a configured domain name
D It can be a DHCP server and client simultaneously
E It cannot pass configuration parameters it receives from another DHCP server to its own DHCP clients
F The PIX Firewall’s DHCP server can be configured to distribute the IP address of up to four DNS servers to its clients
Answer: A, D
Q.24 The LAN-based failover you configured does not work. Why? (Choose two)
A You used a hub for failover operation
B You used a switch for failover operation
C You used a dedicated VLAN for failover operation
D You did not set a failover IP address
E You did not use a crossover Ethernet cable between the two PIX Firewalls
F You used a crossover Ethernet cable between the two PIX Firewalls
Answer: D, F
Explanation:
LAN-Based Failover: It is recommended that you connect the Primary and Secondary PIXes with a dedicated switch. Do not use crossover cables. In the diagram above, a Cisco Catalyst 3500 switch connects the Primary and Secondary PIXes. The LAN failover and stateful failover links are in different VLANs, VLAN 10 and VLAN 20, respectively. The inside-router and outside-router are used only for the sake of testing connectivity.
Q.25 How are LAN-based failover and serial failover alike?
A Both require that all configuration is performed on the primary PIX Firewall
B Both require the use of a special serial cable
C They are configured with the same command set
D Both require two dedicated interfaces: one for configuration replication and another for stateful failover
E Both provide stateful failover
Answer: E
Q.26 Choose the correct statements regarding ACLs & Conduits:
A A conduit creates a rule on the PIX Firewall Adaptive Security Algorithm by denying connections from one interface to access hosts on another
B An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level
C An ACL applies to a single interface, affecting all traffic entering that interface based on its security level
D A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another
Answer: A
Q.27 What is the command to remove a group of previously defined object-group commands?
A Both answers are correct
B clear object-group
C Both answers are incorrect
D no object-group
Answer: A
Q.28 With the IKE disabled, which of the following statements are true on a router? (Choose all that apply)
A The peer’s IPSec SA will never time out for a given IPSec session
B CA can not be used
C The command to disable IKE is: no crypto isakmp
D The user must manually define all the IPSec security associations in the crypto maps at all peers
Answer: A, B, D
Explanation: Disabling IKE
To disable IKE, you will have to make these concessions at the peers:
You must manually specify all the IPSec security associations in the crypto maps at all peers
IPSec security associations will never time out for a given IPSec session
The encryption keys never change during IPSec sessions between peers
Anti-replay services will not be available between the peers
CA support cannot be used
To disable IKE, use the following command:
no crypto isakmp enable interface-name
Q.29 This security protocol provides data confidentiality and protection with optional authentication and replay-detection services.
Q.31 H.323 is more complicated than other traditional protocols because:
A It requires a high amount of bandwidth
B It uses more than one TCP port
C It is sensitive to delays
D It requires client reconfiguration
Answer: B
Q.32 Speaking of the translation table of a PIX Firewall, by default, if there are no translated packets for a particular IP address, the entry times out and gets removed from the table. This timeout period is:
A User-configurable and by default is 5 minutes
B User-configurable and by default is 60 minutes
C User-configurable and by default is 180 minutes
D Not user-configurable and by default is 5 minutes
E Not user-configurable and by default is 2 minutes
F Not user-configurable and by default is 60 minutes
B Stateful Packet Filtering
C All answers are incorrect
D Proxy server
Answer: B
Q.34 Which statements about intrusion detection in the PIX Firewall are true? (Choose two)
A When a policy for a given signature class is created and applied to an interface, all supported signatures of that class are monitored unless you disable them
B Only the signatures you enable will be monitored
C The PIX Firewall supports only inbound auditing
D IP audit policies must be applied to an interface with the ip audit interface command
E When a policy for a given signature class is created and applied to an interface, all supported signatures of that class are monitored and cannot be disabled until you remove the policy from the interface
F IP audit policies must be applied to an interface with the ip audit signature command
Answer: A, D
Q.35 Why are packets inspected on the PIX Firewall?
A For valid users
B For misconfiguration
C For incorrect address
D For malicious application misuse
Q.37 Which command enables IKE on the outside interface?
A ike enable outside
B ipsec enable outside
C isakmp enable outside
D ike enable (outbound)
Answer: C
Q.38 Why use ESP security protocol rather than the AH security protocol when creating a VPN with IPSec?
A ESP provides anti-replay and AH does not
B ESP provides data integrity and AH does not
C ESP provides data confidentiality and AH does not
D ESP provides data origin authentication and AH does not
Answer: C
Q.39 You have configured the PIX Firewall and an AAA server for authentication. Telnet and FTP authentication work normally, but HTTP authentication does not. Why?
A You have not enabled HTTP, Telnet, and FTP authorization, which is required for HTTP authentication
B You have not enabled HTTP authorization, which is required for HTTP authentication
C HTTP authentication is not supported
D Re-authentication may be taking place with the web browser sending the cached username and password back to the PIX Firewall
Answer: D
Q.40 Which are functions of the object-group command? (Choose two)
A Defines members of an object group
B Names an object group
C Enables sub-command mode
D Inserts an object group in an ACL
E Displays a list of the current configured object groups of the specified type
F Describes the object group
Answer: B, C
Q.41 Why create Turbo ACLs only on high-end PIX Firewall models, such as the PIX Firewall 525 or 535?
A They are not supported in any of the low-end models, such as the 506
B Turbo ACLs require significant amounts of memory
C Turbo ACLs are processor-intensive
D Although turbo ACLs improve ACL search time with any PIX Firewall model, they are complicated and rather difficult to configure. It is unlikely that environments using low-end models have personnel properly trained to configure turbo ACLs
Answer: B
Q.42 When are duplicate objects allowed in object groups?
A When they are due to the inclusion of group objects
B When a group object is included, which causes the group hierarchy to become circular
C Never
D Always, because there are no conditions or restrictions
Answer: A
Q.43 Which statement about the configuration mode for the PIX Firewall is true?
A Privileged mode commands, unprivileged mode commands, and configuration mode commands all work in configuration mode
B Only configuration mode commands work in configuration mode
C Unprivileged mode commands and configuration mode commands work in configuration mode, but you must exit the configuration mode in order to execute privileged mode commands
D Privileged mode commands and configuration mode commands work in configuration mode, but you must exit both these modes in order to execute unprivileged mode commands
Answer: A
Q.44 Which statement about the PIX Firewall Syslog is true?
A Syslog messages can be used to create log files, and can be displayed on the console of a designated Syslog host, but they cannot be used to create e-mail alerts
B If all Syslog servers are offline, the PIX Firewall stores up to 100 messages in its memory and then deletes the messages in its memory to make room for subsequent messages
C The PIX Firewall sends Syslog messages to document such events as denied TCP connections, translation slot depletion, console logins and bytes transferred for each connection
D All Syslog messages are denied unless explicitly permitted
Answer: C
Q.45 In the output of the show failover command, what does cable status waiting mean?
A The active PIX Firewall is working and the standby PIX Firewall is ready
B Monitoring the other PIX Firewall’s network interface has not yet started
C The active PIX Firewall is waiting for configuration replication to be completed
D The primary PIX Firewall has finished testing the standby PIX Firewall’s interfaces and the standby PIX Firewall is waiting to take control
Answer: B
Q.46 Your new network administrator has recently modified your PIX Firewall’s configuration. You are suddenly experiencing security breaches involving Internet mail. What change did the administrator make?
A He disabled the PIX Firewall’s mailpor fixup
B He disabled the PIX Firewall’s smtp fixup
C He enabled the PIX Firewall’s ils fixup on port 25
D He defined the port on which to activate Mail Guard
Q.48 You have configured your router with the following command:
crypto ipsec transform-set goodform ah-sha-hmac esp-des esp-sha-hmac
A The peer does not have to have a matching transform set; parameters will be dynamically negotiated
B The peer must also have the same transform set parameters specified
C The peer must also have the same transform set name specified
D The peer must also have the same transform set name and parameters specified
Answer: B
Q.49 Which of the following statements are true regarding the sanity check of PIX Firewall’s failover feature? (Choose all that apply)
A Both PIX Firewalls exchange failover HELLO packets over failover cable every 15 seconds
B With the Network Activity test, the PIX Firewall counts all received packets for up to 5 seconds. If no traffic is received, the PIX is declared nonoperational and the standby takes over
C Both PIX Firewalls exchange failover HELLO packets over all network interfaces
D PIX Firewall performs a broadcast and checks the responses
Q.51 Which of the following statements is correct?
A Installing an additional interface card on a PIX Firewall is as simple as adding a NIC to a PC, but you must have a license for it from Cisco
B Installing an additional interface card on a PIX Firewall is as simple as adding a NIC to a PC
Answer: A
Q.52 On a PIX Firewall, as a general rule:
A There is no general rule The software configuration decides which one is the outside and which one is the inside interface
B Ethernet 0 is always the outside network connection and Ethernet 1 is always the inside network connection
C Ethernet 0 is always the inside network connection and Ethernet 1 is always the outside network connection
D There is no general rule. The priority command applied to the interface decides which interface is the outside and which interface is the inside
Answer: B
Q.53 How does the PIX Firewall handle multimedia applications? (Choose two)
A It supports multimedia only with NAT
B It supports multimedia only without NAT
C It supports multimedia with or without NAT
D Multimedia applications are not allowed because they pose a security risk
E It dynamically opens and closes UDP ports for secure multimedia connections
F It opens a large range of ports for these applications if you configure the PIX Firewall to support multimedia
Answer: C, E
Q.54 Which command sets the Telnet password to cisco?
A enable telnet password cisco
B telnet password cisco
C password cisco
D passwd cisco
Answer: D
Q.55 Which commands configure the PIX Firewall’s PPPoE client?
A Only vpdn group, vpdn username, and ip address pppoe
B Only vpngroup and vpnusername
C Only vpdn group and interface pppoe
D Only vpngroup and ip address pppoe
Answer: A
Q.56 Which statement about AAA and the PIX Firewall is true?
A Authorization is valid without authentication, but authentication is never valid without authorization
B Authorization is valid without authentication, and authentication is valid without authorization
C Authentication is valid without authorization, but authorization is never valid without authentication
A It can attack servers
B It can block HTML commands
C It can block HTML comments
D It can download Java applets
E It can cause workstations to fail
F It can introduce network security problems
Answer: A, E, F
Q.58 Which statement about the PIX Firewall is true?
A The PIX Firewall passes RIP updates between interfaces
B You cannot configure the PIX Firewall to learn routes dynamically from RIP version 1 or RIP version 2 broadcasts
C The PIX Firewall uses the dynamically learned routes to forward traffic to the appropriate destinations but does not propagate learned routes to other devices
D The PIX Firewall uses dynamically learned routes to forward traffic to the appropriate destinations, passes RIP updates between its interfaces, and propagates learned routes to other devices
Answer: C
Q.59 Your primary PIX Firewall is currently the active unit in your failover topology. What will happen to the current IP addresses on the primary PIX Firewall if it fails?
A They become those of the standby PIX Firewall
B The ones on the primary PIX Firewall remain the same, but the current IP addresses of the secondary become the virtual IP addresses you configured
C They are deleted
D The ones on both the primary and secondary PIX Firewalls are deleted and both assume the failover IP addresses you configured
Data Origin Authentication
The IPSec framework facilitates these features using two types of tunnels:
Key Management Tunnels (also known as IKE tunnels)
Data Management Tunnels (also known as IPSec tunnels)
Both key management and data management tunnels comprise Security Associations
Q.61 Your existing IPSec network comprises 6 peers. Due to company expansion, one more peer is added to your network. As a key administrator, how many 2-part key configurations would you have to create?
Q.62 The hardware requirements of the Stateful Failover are: (Choose all that apply)
A Two identical PIX Firewall units; a PIX 520 or later model is recommended by Cisco
B The LAN ports for Stateful Failover on both PIX Firewall units should be connected with a crossover cable or through a hub or switch
C A failover cable with the correct terminals
D Dedicated 10BaseT Ethernet ports on both PIX Firewall units must be connected and fully functional in full-duplex mode
Answer: A, B, C
Q.63 Preparation to configure VPN support has several steps. The first two steps are: plan for IKE, plan for IPSec.
The goals of this advance planning are:
A To investigate whether the budget allocated for the project will suffice
B To minimize misconfiguration
C To locate and remove bottleneck before the production phase
D To evaluate IPSEC and IKE parameter for optimal security and performance
Answer: A
Q.66 When do you have access to the interactive setup dialog that helps you perform initial configuration required to use PDM?
A Only when an unconfigured PIX Firewall starts up
B Each time your PIX Firewall reloads
C When you enter the startup command at the configuration prompt
D When an unconfigured PIX Firewall boots up or when you enter the setup command at the configuration mode prompt
Answer: D
Q.67 If you configure a VPN between a Cisco VPN Client and the PIX Firewall using pre-shared keys for authentication, which should you do? (Choose two)
A Use pre-shared keys for authentication
B Use digital certificates for authentication instead of pre-shared keys
C Do not use digital certificates for authentication
D Ensure that the password on the VPN client matches the vpngroup password on the PIX Firewall
E Ensure that the group name differs from the VPN group name on the PIX Firewall
F Ensure that the group name on the VPN Client matches the vpngroup name on the PIX Firewall
Answer: D, F
Q.68 Which statement about the PIX Firewall and virtual HTTP is true?
A The PIX Firewall enables web browsers to work correctly with its HTTP authentication. The PIX Firewall redirects the web browser’s initial connection to an IP address, which resides on it, authenticates the user, and then redirects the browser back to the URL the user originally requested
B The PIX Firewall supports virtual Telnet, but not virtual HTTP
C The PIX Firewall enables RADIUS authorization by redirecting the web browser’s initial connection to an IP address which resides on a web server you specify, authorizing the user, and then redirecting the browser back to the URL the user originally requested
D The PIX Firewall enables you to access URLs from its console
Answer: A
Q.69 Which statement about object groups is true?
A Duplicate objects are allowed in object groups unless they are due to the inclusion of group objects
B An object group cannot be a member of another object group
C An object group can be a member of another object group
D Duplicate objects are not allowed in object groups
Q.71 Why is the ASA important for the PIX Firewall? (Choose three)
A It monitors return packets to assure validity
B It allows two-way connections on all systems
C It allows one-way connection with an explicit configuration on each internal system
D It allows one-way connection with an explicit configuration on each external system
E It allows one-way connection without an explicit configuration for each internal system
F It randomizes the TCP sequence number, which minimizes the risk of attack
Answer: A, E, F
Q.72 Which statement about failover is true?
A When configuring the PIX Firewall for failover, you must configure the primary and secondary PIX Firewalls exactly the same
B Configuration can be modified on either the primary or secondary PIX Firewalls with the same result
C Configuration replication is automatic from the active PIX Firewall to the standby PIX Firewall
D The active PIX Firewall replicates only the failover configuration to the standby PIX Firewall
Answer: C
A pix(config)#outbound 1 deny 0 0 eq jave
pix(config)#apply (inside) 1 outgoing_src
B pix(config)#outbound 1 deny 0.0.0.0 0.0.0.0 java
pix(config)#apply (inside) 1 outgoing_src
C pix(config)#outbound 1 deny 0.0.0.0 255.255.255.255 java
pix(config)#apply (inside) 1 outgoing_src
D pix(config)#outbound 1 deny java
pix(config)#apply (inside) 1 outgoing_src
Answer: B
Q.76 Network security should be an on-going process built around the security policy of the organization. This continuous process, known as the Security Wheel, comprises four steps: 1-secure 2-monitor 3-test 4-improve
Choose the correct statements: (Choose all that apply)
A To make sure that your network security system works, you must test and validate it with a product such as Cisco Secure Scanner
B Monitoring of the network should be done with a real-time intrusion detection device such as Cisco Secure Intrusion Detection System
C To make sure that your network security system works, you must test and validate it with a product such as Cisco Secure Intrusion Detection System
D Monitoring of the network should be done with a real-time intrusion detection device such as Cisco Secure Scanner
Answer: A, B
Q.77 What username and password establish an SSH connection to your PIX Firewall?
A username pixfirewall, password aaapass
B username pix, current enable password
C username pixfirewall, password attack
D username pix, current Telnet password
model is true?
A The PIX-VPN-ACCEL card must be installed in the 64-bit/22 MHz bus, and the PIX4FE card must be installed in the 32-bit/33 MHz bus
B They can be installed in either the 64-bit/66 MHz bus or the 32-bit/33 MHz bus; however, installing them in the 64-bit/66 MHz bus achieves the best possible system performance
C They can be installed only in the 32-bit/33 MHz bus and must never be installed in a 64-bit/66 MHz bus. Installation of these cards in a 64-bit/66 MHz bus may cause the system to hang at boot time
D They can be installed only in the 64-bit/66 MHz bus and must never be installed in a 32-bit/33 MHz bus. Installation of these cards in a 32-bit/33 MHz bus may cause the system to hang at boot time
Q.82 Which command produces the output shown in the exhibit?
A show transform set
B show isakmp protection
C show isakmp priority
D show isakmp policy
Answer: D
Q.83 If the FTP protocol fixup is not enabled for a given port, which statements are true? (Choose two)
A Outbound standard FTP will work properly on that port
B Outbound passive FTP will not work properly on that port
C Outbound standard FTP will not work properly on that port
D Outbound standard FTP will work properly on that port if outbound traffic is not explicitly disallowed
E Inbound standard FTP will not work properly on that port even if a conduit to the inside server exists
F Outbound passive FTP will work properly on that port as long as outbound traffic is not explicitly disallowed
Answer: C, F
Q.84 Which statement about the PIX Firewall and PPPoE is true?
A When PPPoE is configured, the user enters his username and password to connect to a PPPoE server and set the MTU size to 1492 bytes
B The PIX Firewall does not detect PPPoE session termination
C When PPPoE is configured, you must set the MTU size to the correct value to allow PPPoE to be transmitted in an Ethernet frame
D To clear and restart a PPPoE session, enter the clear ppp session command
E When configured, the PIX Firewall’s PPPoE client automatically connects to a service provider’s access concentrator without user intervention
Answer: E
Q.85 How can dynamic outside NAT simplify router configuration on your internal or perimeter networks?
A By controlling the addresses that appear on these networks
B Because you can configure your routing within the nat command
C Because you can configure your routing within the global command
D Because statics take precedence over nat and global command pairs
Answer: A
Q.86 Which are likely to cause standard failover via the special serial cable not to work?
(Choose two)
A The two PIX Firewalls are running different versions of software
B The hardware models are the same
C The secondary PIX Firewall has not been properly configured as a secondary PIX Firewall
D The secondary PIX Firewall has a 3DES license
E The hardware models are different
F The standby PIX Firewall has not yet replicated its configuration to the primary PIX Firewall
Answer: A, E
Q.87 Select the correct statement:
A With the Diffie-Hellman exchange, the DES key never crosses the network
B With the Diffie-Hellman exchange, the DES key crosses the network in encrypted form
C With the Diffie-Hellman exchange, the DES key never crosses the network in clear text
D With RSA encrypt and sign technique the key never crosses the network
Answer: A
Q.88 We have already created a permanent mapping between a local IP address and a global IP address using the following command:
Pix(config)#static (inside, outside) 172.29.40.8 10.10.10.6
Now we want to create an exception to the PIX Firewall ASA using the conduit command. The conduit command must permit TCP for the global IP address 172.29.40.8 that was specified in the static command statement and permit HTTP access over port 80. Choose the correct command
A pix(config)#conduit permit tcp host 172.29.40.8 any eq www
B pix(config)#conduit permit tcp host 172.29.40.8 eq www any
C pix(config)#conduit permit ip host 172.29.40.8 eq www any
D pix(config)#conduit permit tcp 172.29.40.8 eq 80 any
tag
Use the aaa-server command to identify the AAA server for a given group tag
Use the aaa authentication command to enable user authentication services
Use the aaa authorization command to enable user authorization services
Q.91 What are two of the problems with UDP? (Choose two)
A Its method of guaranteeing delivery makes it processor-intensive
B Spoofing packets is very easy because there is no handshaking or sequencing
C The congestion management and avoidance it uses makes it rather slow
D The UDP connection slot is never deleted from the connection table
E The initiator of the transaction or the current state usually cannot be determined because there is no state machine
F Spoofing UDP packets is difficult
Answer: B, E
Q.92 The PIX Firewall logs information about packets, such as source and destination IP addresses, in the stateful session flow table When does this happen?
A Each time it is reloaded
B Each time a TCP or UDP outbound connection attempt is made
C Only when a TCP inbound or outbound connection attempt is made
D Each time a TCP or UDP inbound or outbound connection attempt is made
Answer: D
Q.93 The two ends of the PIX Firewall failover cable are:
A Labeled as active & standby
B Labeled as primary and secondary
C Labeled as PIX1 and PIX2
D Labeled as active and failover
Answer: B
Q.94 Which of the following specifications is true about PIX Firewall 515E:
A Supports 120, 000 simultaneous connections
B Supports 196, 000 simultaneous connections
Q.95 The PDM runs on which operating systems? (Choose the best answer)
A Windows, Macintosh, and Linux
B Windows and Sun Solaris
C Windows, Linux, and Sun Solaris
D Windows and Linux
Answer: C
Q.96 To configure the PIX Firewall to forward multicast transmissions from an inside source,
which steps are necessary? (Choose two)
A Use the igmp join-group command to enable the PIX Firewall to forward IGMP reports
B Use the igmp forward command to enable multicast forwarding on each PIX Firewall interface
C Use the multicast interface command to enable multicast forwarding on each PIX Firewall interface
D Use the route command to create a static route from the transmission source to the next-hop router
View restricted settings - Unprivileged mode
Change current settings - Privileged mode
Change system configurations - Configuration mode
Update image over network - Monitor mode
Q.98
Match the firewall technology with its description
Answer:
Request Connections between client & internet host - Proxy server
Based on ACLs - Packet filtering
Compares inbound and outbound packets - Stateful packet filtering
Q.99
As the network security administrator at 21certify you are required to solve the following problem. 21certify has recently acquired a small company called Tess Inc. Now 21certify wants you to add an interface to their PIX Firewall to support a dedicated network for the new employees from Tess Inc. Your task is to enable the ethernet4 interface for 100 Mbps full duplex communication and configure it with the following parameters:
The configuration will be as follows:
• Name: tess
• Security level: 18
• IP address: 172.19.4.1
• Netmask: 255.255.255.0
• You will not be able to ping the inside PIX interface from an interface connected to an inside host
• The firewall is named king
• The enable password is 21certify
Assignment: Click on the picture of the host connected to a PIX Firewall by a serial console cable, shown in the diagram as a dotted line. Select the Cisco Terminal option and perform the appropriate configuration tasks
Lab A
Name: king
Password: 21certify
Answer:
King#config t
King(config)#nameif ethernet4 tess security18
King(config)#interface ethernet4 100full
King(config)#ip address tess 172.19.4.1 255.255.255.0
Q.2 Which two AAA protocols and servers does the PIX Firewall support? (Choose two)
A Access control list
B Synchronous Communication Server
C Remote Authentication Dial-In User Service
D Terminal Access Controller Access Control System Plus
Answer: C, D
Q.3 Enter the function of the PIX Firewall that provides a safeguard in case a PIX Firewall fails
Answer: Failover
Q.4 What does the nat command allow you to do on the PIX Firewall? (Choose two)
A Enable address translation for internal addresses
B Enable address translation for external addresses
C Disable address translation for internal addresses
D Disable address translation for external addresses
E Enable address translation for both external and internal addresses
F Disable address translation for both external and internal addresses
Answer: A, C
Q.5 Exhibit: Match the characteristics of the Adaptive Security Algorithm (ASA) security level with the correct levels
D Configure the PIX Firewall
E Configure the IKE parameters
F Configure the IPSec parameters
G Prepare for configuring VPN support
H Test and verify the VPN configuration
C Configure IPSec encryption correctly the first time
D Define the overall security needs and strategy based on the overall company security policy
A Stateful failover passes per-connection stateful information to the active PIX Firewall
B Stateful failover passes per-connection stateful information to the standby PIX Firewall
C Stateful failover does not pass per-connection stateful information to the active PIX Firewall
D Stateful failover does not pass per-connection stateful information to the standby PIX Firewall
Answer: B
Q.11 With which two Cisco IOS Firewall security features is the authentication proxy compatible? (Choose two)
A Cisco router
B Network address translation
C Protocol address translation
D Content-Based Access Control
Answer: B, D
Q.12 Which three thresholds does CBAC on the Cisco IOS Firewall provide against DoS attacks? (Choose three)
A The number of half-open sessions based upon time
B The total number of half-open TCP or UDP sessions
C The number of fully-open sessions based upon time
D The number of half-open TCP-only sessions per host
E The total number of fully-open TCP or UDP sessions
F The number of fully-open TCP-only sessions per host
Answer: A, B, D
Q.13 What does CBAC on the Cisco IOS Firewall do?
A Creates specific security policies for each user
B Protects the network from internal attacks and threats
C Provides additional visibility at intranet, extranet and Internet perimeters
D Provides secure, per-application access control across network perimeters
Answer: D
Q.14 What are three methods for configuring basic router security on the Cisco IOS Firewall? (Choose three)
A Turn off services
B Set global timeouts
C Set global thresholds
D Use password encryption
E Define inspection rules
F Set console and VTY access
Answer: B, C, E
Q.15 Why does the aaa command reference the group tag on the PIX Firewall?
A To direct the interface name to the AAA server
B To direct the IP address to the appropriate AAA server
C To direct authentication, authorization or accounting traffic to the appropriate AAA server
D To direct authentication, authorization or accounting traffic to the appropriate PIX Firewall
Q.17 Enter the command that enables failover between two PIX Firewalls
Answer: Failover active
Q.18 Enter the command that allows the IP addresses to be updated in the translation table for the PIX Firewall
Answer: Clear xlate
Q.19 Which portion of the conduit command denies access through the PIX Firewall if the conditions are met?
Answer: deny
Q.20 What does deny mean in regards to crypto access lists on the PIX firewall?
A It specifies that no packets are encrypted
B It specifies that matching packets must be encrypted
C It specifies that mismatched packets must be encrypted
D It specifies that matching packets need not be encrypted
Answer: D
Q.21 What is the goal of pre-planning before configuring an IPSec based VPN when using the PIX Firewall?
A To plan in advance
B To minimize misconfiguration
C To identify IPSec peer router Internet Protocol addresses and host names
D To determine key distribution methods based on the numbers and locations of IPSec peers
attack?
A There is no data connection
B Port 20 remains open from outside to inside
C Port 21 remains open from inside to outside
D The client initiates both the command and data connections
Answer: D
Q.24 Enter the command that enables the AAA access control system in the global configuration
Answer: aaa new-model
Q.25 Enter the command that encrypts all user passwords within the Cisco IOS Firewall
Answer: no service password-encryption
Q.26 Each session allows you four attempts to correctly authenticate to the PIX Firewall before it drops the connection?
Answer: aaa accounting
Q.28 Why does failover begin a series of interface tests on the PIX Firewall?
A To check the failover cable
B To clear the received packets
C To determine which PIX Firewall has failed