Securing Networks with PIX and ASA Exam(SNPA)

VUE/Prometric Code:642-522

Exam Name:Securing Networks with PIX and ASA Exam(SNPA)
Questions and Answers:63 Q&As
Price:$ 69
Updated:2008-12-01

killtest 642-522 Exam Features

High quality and Value for the 642-522 Exam.
Killtest Practice Exams for Securing Networks with PIX and ASA Exam(SNPA) 642-522 are written to the highest standards of technical accuracy, using only certified subject matter experts and published authors for development.

100% Guarantee to Pass Your CCSP exam and get your CCSP Certification.
We guarantee your success on the first attempt. If you do not pass the 642-522 (Securing Networks with PIX and ASA Exam(SNPA)) on your first attempt, we will give you a FULL REFUND of your purchase fee AND send you another product of the same value for free.

killtest 642-522 Downloadable.
Printable exams (in PDF format). Our 642-522 exam preparation material provides everything you will need to take your CCSP exam. The CCSP Certification details are researched and produced by Professional Certification Experts who constantly use industry experience to produce precise and logical material. You may get CCSP exam questions from different web sites or books, but logic is the key. Our product will help you not only pass the CCSP exam on the first try, but also save your valuable time.

  • Comprehensive questions with complete details about 642-522 exam.
  • 642-522 exam questions accompanied by exhibits.
  • Verified Answers Researched by Industry Experts and almost 100% correct.
  • Drag and Drop questions as experienced in the Real CCSP exam.
  • 642-522 exam questions updated on regular basis.
  • Like actual CCSP Certification exams, 642-522 exam preparation is in multiple-choice questions (MCQs).
  • Tested by many real CCSP exams before publishing.
  • Try the free CCSP exam demo at http://www.Killtest.com before you decide to buy.

http://www.Killtest.com: the safer, easier way to get CCSP Certification.

We offer a demo version of the Q&A. The questions and answers are as follows (exhibit pictures are not provided):

1.Refer to the show run output in the exhibit. Which access-list configuration using the object-groups shown will only permit HTTP and HTTPS traffic from any host on 10.1.1.0/24 to any host on 192.168.1.0/24?

A.access-list aclin extended permit tcp object-group test2 object-group test1 object-group test3
B.access-list aclin extended permit tcp object-group test1 object-group test2 object-group test3
C.access-list aclin extended permit tcp object-group test1 object-group test3 object-group test2
D.access-list aclin extended permit ip object-group test1 object-group test2
Correct:B
2.What is the effect of the per-user-override option when applied to the access-group command syntax?
A.It increases security by building upon the existing access list applied to the interface. All subsequent users are also subject to the additional access list entries.
B.The log option in the per-user access list overrides existing interface log options.
C.It allows downloadable user access lists to override the access list applied to the interface.
D.It allows for extended authentication on a per-user basis.
Correct:C
3.Drag Drop question

Correct:
4.Which command enables IKE on the outside interface?
A.ike enable outside
B.ipsec enable outside
C.isakmp enable outside
D.ike enable (outbound)
Correct:C
5.Refer to the exhibit. An administrator is configuring the failover link on the secondary unit, pix2 and needs to configure the IP addresses of the failover link. At pix2, which of these additional commands should be entered?

A.pix2(config)# failover lan ip 172.17.2.1 255.255.255.0 standby 172.17.2.7
B.pix2(config)# failover link 172.17.2.7 255.255.255.0 standby 172.17.2.1
C.pix2(config)# failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
D.pix2(config)# interface ethernet3 pix2(config-if)# failover ip address 172.17.2.7 255.255.255.0 standby 172.17.2.1
Correct:C
6.What type of tunneling should be used on the VPN Client to allow IPSec traffic through a stateful firewall that may be performing NAT or PAT?
A.GRE/IPSec
B.IPSec over TCP
C.IPSec over UDP
D.split tunneling
E.L2TP
Correct:B
7.What is the result if the WebVPN url-entry parameter is disabled?
A.The end user is unable to access any CIFS shares or URLs.
B.The end user is able to access CIFS shares but not URLs.
C.The end user is unable to access pre-defined URLs.
D.The end user is able to access pre-defined URLs.
Correct:D
8.What are the two purposes of the same-security-traffic permit intra-interface command? (Choose two.)
A.It allows all of the VPN spokes in a hub-and-spoke configuration to be terminated on a single interface.
B.It allows communication between different interfaces that have the same security level.
C.It permits communication in and out of the same interface when the traffic is IPSec protected.
D.It enables Dynamic Multipoint VPN.
Correct:A C
9.When configuring a crypto map, which command correctly specifies the peer to which IPSec-protected traffic can be forwarded?
A.crypto map set peer 192.168.7.2
B.crypto map 20 set-peer insidehost
C.crypto-map policy 10 set 192.168.7.2
D.crypto map peer7 10 set peer 192.168.7.2
Correct:D
10.By default, the AIP-SSM IPS software is accessible from the management port at IP address 10.1.9.201/24. Which CLI command should an administrator use to change the default AIP-SSM management port IP address?
A.hw module 1 setup
B.interface
C.setup
D.hw module 1 recover
Correct:C
11.The inline IPS software feature set is available in which security appliances?
A.any Cisco PIX and ASA Security Appliance running v.7 software and an AIP-SSM module
B.only Cisco PIX 515, 525, and 535 Security Appliances with an AIP-SSM module
C.only Cisco ASA 5520 and 5540 Security Appliances with an AIP-SSM module
D.any Cisco ASA 5510, 5520, or 5540 Security Appliance with an AIP-SSM module
Correct:D
12.Which is a hybrid protocol that provides utility services for IPSec, including authentication of the IPSec peers, negotiation of IKE and IPSec SAs, and establishment of keys for encryption algorithms?
A.3DES
B.ESP
C.IKE
D.MD5
Correct:C
13.How do you ensure that the main interface does not pass untagged traffic when using subinterfaces?
A.Use the shutdown command on the main interface.
B.Omit the nameif command on the subinterface.
C.Use the vlan command on the main interface.
D.Omit the nameif command on the main interface.
E.Use the shutdown and then use the nameif command on the main interface.
Correct:D
14.Which statement about Telnet and the security appliance is true?
A.You can enable Telnet on all interfaces except the outside interface.
B.You can enable Telnet on all interfaces, but the PIX security appliance requires that all Telnet traffic to all interfaces be IPSec protected.
C.You can enable Telnet on all interfaces, but the PIX security appliance requires that all Telnet traffic to the outside interface be IPSec protected.
D.You can enable Telnet on all interfaces, but it must be protected with SSH.
Correct:C
15.Why does the PIX security appliance record information about a packet in its stateful session flow table?
A.to build the reverse path forwarding (RPF) table to prevent spoofed source IP addresses
B.to establish a proxy session by relaying the application layer requests and responses between two endpoints
C.to compare against return packets for determining whether the packet should be allowed through the firewall
D.to track outbound UDP connections
Correct:C
16.In the Cisco ASA 5500 series, what is the flash keyword aliased to?
A.Disk0
B.Disk1
C.both Disk0 and Disk1
D.Flash0
E.Flash1
Correct:A
17.Refer to the exhibit. This security appliance is configured for what two types of failover? (Choose two.)

A.unit-based failover
B.LAN cable-based failover
C.stateful failover
D.Active/Standby failover
E.Active/Active failover
F.Context/Group failover
Correct:B E
18.Refer to the exhibit. You are an administrator who is inundated with unwanted syslog messages. You want to stay at your current syslog message level but block selected unwanted syslog messages from filling your syslog. What command should you use to block specific unwanted message number 710005?

A.logging message deny 710005
B.no logging debug 710005
C.logging trap deny 710005
D.no logging message 710005
Correct:D
19.Refer to the exhibit. An administrator wants to add a comment about access-list aclin line 2. What command should the administrator enter to accomplish this addition?

A.pix1(config)# access-list aclin line 1 remark partner server http access
B.pix1(config)# access-list aclin line 2 remark partner server http access
C.pix1(config)# access-list aclin line 1 comment partner server http access
D.pix1(config)# access-list aclin line 2 comment partner server http access
Correct:B
20.What is the minimal number of physical interfaces required for all security appliance platforms to support VLANs?
A.one
B.two
C.three
D.four
Correct:B
21.Which of these identifies basic settings for the security appliance, including a list of contexts?
A.primary configuration
B.network configuration
C.system configuration
D.admin configuration
Correct:C
22.An administrator wants to protect a DMZ web server from SYN flood attacks. Which command does not allow the administrator to place limits on the number of embryonic connections?
A.nat
B.static
C.set connection
D.HTTP-map
Correct:D
23.Drag Drop question

Correct:
Green choice1---->Yellow Choice1
Green choice3---->Yellow Choice2
Green choice6---->Yellow Choice3
24.Refer to the exhibit. Users on the DMZ are complaining that they cannot gain access to the insidehost via HTTP. What did the network administrator determine after reviewing the network diagram and partial configuration?

A.The static (inside,dmz) command is not configured correctly.
B.The global (dmz) command is not configured correctly.
C.The nat (dmz) command is missing.
D.The dmzin access list is not configured correctly.
Correct:D
25.Refer to the exhibit. An administrator has configured the first four data ports on a Cisco ASA 5540 Security Appliance. The technician attaches the next data cable to Port A. When configuring this interface, what physical type, slot, and port number should the administrator add to the configuration?

A.GigabitEthernet0/0
B.GigabitEthernet0/5
C.GigabitEthernet0/4
D.Management0/0
Correct:D
26.Which feature prevents ARP spoofing?
A.ARP fixup
B.ARP inspection
C.MAC fixup
D.MAC inspection
Correct:B
27.Simulate question

Correct:
28.What is the purpose of the url-list command in global configuration mode?
A.Allow end users access to URLs.
B.Allow end users access to CIFS shares and URLs.
C.Stop the end user from accessing pre-defined URLs.
D.Configure a set of URLs for WebVPN users to access.
E.List URLs that the end user cannot access.
Correct:D
29.What privilege level is the highest on the security appliance?
A.1
B.5
C.10
D.15
E.20
Correct:D
30.What are two instances when sparse-mode PIM is most useful? (Choose two.)
A.when there are few receivers in a group
B.when there are many receivers in a group
C.when the type of traffic is intermittent
D.when the type of traffic is constant
E.when the traffic is not ethertype
F.when the traffic is ethertype
Correct:A C