Securing Networks with PIX and ASA
VUE/Prometric Code:642-523
Questions and Answers:100 Q&As
Price:$ 69
Updated:2008-12-01
killtest 642-523 Exam Features
High quality and Value for the 642-523 Exam.
Killtest Practice Exams for Securing Networks with PIX and ASA 642-523 are written to the highest standards of technical accuracy, using only certified subject matter experts and published authors for development.
100% Guarantee to Pass Your CCSP exam and get your CCSP Certification.
We guarantee your success in the first attempt. If you do not pass the 642-523 (Securing Networks with PIX and ASA) on your first attempt we will give you a FULL REFUND of your purchasing fee AND send you another same value product for free.
killtest 642-523 Downloadable.
Printable Exams (in PDF format). Our Exam 642-523 Preparation Material provides you everything you will need to take your CCSP exam. The CCSP Certification details are researched and produced by Professional Certification Experts who are constantly using industry experience to produce precise and logical material. You may get CCSP exam questions from different web sites or books, but logic is the key. Our Product will help you not only pass in the first CCSP exam try, but also save your valuable time.
- Comprehensive questions with complete details about 642-523 exam.
- 642-523 exam questions accompanied by exhibits.
- Verified Answers Researched by Industry Experts and almost 100% correct.
- Drag and Drop questions as experienced in the Real CCSP exam.
- 642-523 exam questions updated on regular basis.
- Like actual CCSP Certification exams, 642-523 exam preparation is in multiple-choice questions (MCQs).
- Tested by many real CCSP exams before publishing.
- Try free CCSP exam demo before you decide to buy it in http://www.Killtest.com.
http://www.Killtest.com The safer, easier way to get CCSP Certification.
We offer a demo version of the Q&A; the questions and answers follow (exhibit pictures are not provided):
A.dhcpd address 10.0.1.100-10.0.1.108 DMZ dhcpd dns 192.168.1.2 dhcpd enable DMZ
B.dhcpd address range 10.0.1.100-10.0.1.108 dhcpd dns server 192.168.1.2 dhcpd enable DMZ
C.dhcpd range 10.0.1.100-10.0.1.108 DMZ dhcpd dns server 192.168.1.2 dhcpd DMZ
D.dhcpd address range 10.0.1.100-10.0.1.108 dhcpd dns 192.168.1.2 dhcpd enable
Correct:A
2.Which description is correct about the output provided in the exhibit?
A.The ACLOUT access list has been designed to allow the IP address with the network address of 192.168.6.0 to have unrestricted access to the web server at IP address 192.168.1.11.
B.The ACLOUT access list has been designed to deny the IP address 192.168.1.11 web access to the host with a network address of 192.168.6.0.
C.The ACLIN access list permits web access from host 192.168.6.10 to all hosts behind the Cisco ASA.
D.The ICMPDMZ access list denies all ICMP traffic bound for the bastion host except echo replies
Correct:A
3.What is the effect of the per-user-override option when applied to the access-group command syntax?
A.The log option in the per-user access list overrides existing interface log options.
B.It allows for extended authentication on a per-user basis.
C.It allows downloadable user access lists to override the access list applied to the interface.
D.It increases security by building upon the existing access list applied to the interface. All subsequent users are also subject to the additional access list entries.
Correct:C
4.In order to recover the Cisco ASA password, which operation mode should you enter?
A.configure
B.unprivileged
C.privileged
D.monitor
Correct:D
5.Which of the following commands verifies that NAT is working normally and displays active NAT translations?
A.show ip nat all
B.show running-configuration nat
C.show xlate
D.show nat translation
Correct:C
6.What is the result if the WebVPN url-entry parameter is disabled?
A.The end user is unable to access pre-defined URLs.
B.The end user is unable to access any CIFS shares or URLs.
C.The end user is able to access CIFS shares but not URLs.
D.The end user is able to access pre-defined URLs.
Correct:D
7.Which three tunneling protocols and methods are supported by the Cisco VPN Client? (Choose three.)
A.IPsec over TCP
B.IPsec over UDP
C.ESP
D.AH
Correct:A B C
8.Tom is a network administrator. Study the exhibit carefully. He wants to authenticate remote users who are accessing the P4S-WEB server from the Internet. When a remote user initiates a session to the P4S-WEB server, the ASA1 security appliance will verify the user's credentials with the TX_ACS AAA server via RADIUS. In order to achieve this goal, Tom needs to load and configure Cisco ACS software on the TX_ACS AAA server. During the process, he should appropriately configure the AAA client information in the Cisco ACS network configuration window. What should Tom place in field A (AAA Client Hostname) and field B (AAA Client IP address)?
A.A - P4S-PC B - 192.168.2.10
B.A - TX_ACS B - 10.0.1.10
C.A - P4S-WEB B - 172.16.1.2
D.A - ASA1 B - 10.0.1.1
Correct:D
9.What are the two purposes of the same-security-traffic permit intra-interface command? (Choose two.)
A.It allows all of the VPN spokes in a hub-and-spoke configuration to be terminated on a single interface.
B.It enables Dynamic Multipoint VPN.
C.It permits communication in and out of the same interface when the traffic is IPSec protected.
D.It allows communication between different interfaces that have the same security level
Correct:A C
10.How many unique transforms will be included in a single transform set while configuring a crypto ipsec transform-set command?
A.three
B.two
C.four
D.one
Correct:B
11.John works as a network administrator. According to the following exhibit, descriptions are added to class maps for each part of the modular policy framework. Which text should John add to the description command to describe the TO_SERVER class map?
P4S-asa1(config)#access-list UDP permit udp any any
P4S-asa1(config)#access-list TCP permit tcp any any
P4S-asa1(config)#access-list PUBLIC_WEB permit ip any 10.10.10.100 255.255.255.255
P4S-asa1(config)#class-map ALL_UDP
P4S-asa1(config-cmap)#description "This class-map matches all UDP traffic"
P4S-asa1(config-cmap)#match access-list UDP
P4S-asa1(config-cmap)#class-map ALL_TCP
P4S-asa1(config-cmap)#description "This class-map matches all TCP traffic"
P4S-asa1(config-cmap)#match access-list TCP
P4S-asa1(config-cmap)#class-map ALL_WEB_SERVER
P4S-asa1(config-cmap)#description "This class-map matches all HTTP traffic"
P4S-asa1(config-cmap)#match port tcp eq http
P4S-asa1(config-cmap)#class-map TO_SERVER
P4S-asa1(config-cmap)#match access-list PUBLIC_WEB
A.description "This class-map matches all TCP traffic for the public web server."
B.description "This class-map matches all HTTP traffic for the public web server."
C.description "This class-map matches all HTTPS traffic for the public web server."
D.description "This class-map matches all IP traffic for the public web server."
Correct:D
12.By default, the AIP-SSM IPS software is accessible from the management port at IP address 10.1.9.201/24. Which CLI command should an administrator use to change the default AIP-SSM management port IP address?
A.interface
B.hw module 1 recover
C.setup
D.hw module 1 setup
Correct:C
13.Alex works as a network administrator for P4S Ltd. Study the exhibit carefully. Alex has decided to authenticate HTTP cut-through proxy traffic via a local database on the Cisco ASA. In order to accomplish this objective, which set of command strings will Alex enter?
A.P4S-asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 P4S-asa1(config)# access-list 150 permit tcp any host 172.16.16.6 eq www P4S-asa1(config)# aaa authentication match 150 outside asa1
B.P4S-asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 P4S-asa1(config)# access-list 150 permit tcp any host 172.16.16.6 eq www P4S-asa1(config)# aaa authentication match 150 outside LOCAL
C.P4S-asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 P4S-asa1(config)# access-list 150 permit tcp any host 192.168.16.6 eq www P4S-asa1(config)# aaa authentication match 150 outside asa1
D.P4S-asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 P4S-asa1(config)# access-list 150 permit tcp any host 192.168.16.6 eq www P4S-asa1(config)# aaa authentication match 150 outside LOCAL
Correct:D
14.Which three are potential groups of users for WebVPN? (Choose three.)
A.employees accessing specific internal applications from desktops and laptops not managed by IT
B.administrators who need to manage servers and networking equipment
C.employees that only need occasional corporate access to a few applications
D.users of a customer service kiosk placed in a retail store
Correct:A C D
15.The inline IPS software feature set is available in which security appliances?
A.only Cisco ASA 5520 and 5540 Security Appliances with an AIP-SSM module
B.any Cisco PIX and ASA Security Appliance running v.7 software and an AIP-SSM module
C.only Cisco PIX 515, 525, and 535 Security Appliances with an AIP-SSM module
D.any Cisco ASA 5510, 5520, or 5540 Security Appliance with an AIP-SSM module
Correct:D
16.Which of the following commands would offer detailed information about the crypto map configurations of a Cisco ASA?
A.show crypto map
B.show run ipsec sa
C.show ipsec sa
D.show run crypto map
Correct:D
17.Which one of the following commands will prevent all SIP INVITE packets, such as calling-party and request-method, from specific SIP endpoints?
A.Use the match calling-party command in a class map. Apply the class map to a policy map that contains the match request-methods command.
B.Group the match commands in a SIP inspection class map.
C.Use the match request-methods command in an inspection class map. Apply the inspection class map to an inspection policy map that contains the match calling-party command.
D.Group the match commands in a SIP inspection policy map.
Correct:B
18.How do you ensure that the main interface does not pass untagged traffic when using subinterfaces?
A.Use the vlan command on the main interface.
B.Use the shutdown command on the main interface
C.Omit the nameif command on the subinterface
D.Omit the nameif command on the main interface.
Correct:D
19.Study the exhibit carefully. Which two types of failover is this adaptive security appliance configured for? (Choose two.)
P4S-asa1# show failover
Failover On
Cable status: N/A-LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15:54:49 UTC Sept 17 2006
Group 2 last failover at: 15:55:00 UTC Sept 17 2006
A.stateful failover
B.LAN-based failover
C.cable-based failover
D.Active/Active failover
Correct:B D
20.LAB ABC agency has installed a Cisco Adaptive Security Appliance (ASA) and wants basic outbound access configured on the outside interface for all hosts on the inside network of 10.0.3.0/255.255.255.0. The real IP addresses of the inside hosts should be hidden from the outside network. Company policy requires that packets traversing from a higher security interface to a lower security interface for all other inside networks must match a NAT rule, or else processing for the packet must stop. Use the topology provided and the parameters below to complete this exercise. When you complete the exercise you should be able to open a Web session from the Corporate PC at 10.0.3.11 to the Web server located at 172.26.26.50. You should not be able to open a Web session from the Corporate PC at 10.0.4.11 to the Web server located at 172.26.26.50. Please input the correct answer.
A.(conf t) # nat-control #nat (inside ) 1 10.0.3.0 255.255.255.0 #global (outside ) 1 192.168.1.20-192.168.1.254 #copy run start
Correct:A
21.Which statement about Telnet and the security appliance is true?
A.You can enable Telnet on all interfaces, but the PIX security appliance requires that all Telnet traffic to all interfaces be IPSec protected.
B.You can enable Telnet on all interfaces, but it must be protected with SSH.
C.You can enable Telnet on all interfaces, but the PIX security appliance requires that all Telnet traffic to the outside interface be IPSec protected.
D.You can enable Telnet on all interfaces except the outside interface.
Correct:C
22.Please look at the following picture: Which of the following traffic is permitted based on the current access-list configuration?
A.FTP traffic from any outside host to the 172.16.1.2 host on the DMZ1 network
B.HTTP and HTTPS traffic from the 172.16.10.2 DMZ2 host to any host on the outside
C.Any IP traffic from any outside host to the 172.16.10.2 host on the DMZ2 network
D.Any IP traffic from any outside host to the 172.16.1.2 host on the DMZ1 network
Correct:A
23.How is the address translation feature of the security appliance used in the current configuration? (Choose two)
A.Dynamic NAT is used to translate any host on the inside to a mapped address from the address pool of 192.168.1.20 to 192.168.1.254.
B.Port Address Translation (PAT) is used to translate any host on the inside to the 192.168.1.10 global address.
C.Static NAT is used to translate the 172.16.10.2 DMZ2 host address to a global address of 192.168.1.12
D.Dynamic NAT is used to translate any host on the DMZ1 network and the DMZ2 network to a mapped address from the address pool of 192.168.1.20 to 192.168.1.254.
Correct:A C
24.Why does the PIX security appliance record information about a packet in its stateful session flow table?
A.to establish a proxy session by relaying the application layer requests and responses between two endpoints
B.to track outbound UDP connections
C.to compare against return packets for determining whether the packet should be allowed through the firewall
D.to build the reverse path forwarding (RPF) table to prevent spoofed source IP address
Correct:C
25.What is the currently configured default gateway IP address on the security appliance?
A.172.16.10.1
B.172.16.1.1
C.192.168.1.1
D.10.0.1.1
Correct:C
26.Which hosts are allowed to manage this security appliance using ASDM or HTTPS?
A.The 10.0.1.11 host only
B.The 172.16.1.2 host only
C.The 172.16.10.2 host only
D.Any host on the 10.0.1.0/24 subnet
Correct:A
27.Which of these identifies basic settings for the security appliance, including a list of contexts?
A.network configuration
B.admin configuration
C.system configuration
D.primary configuration
Correct:C
28.Which interface on this security appliance is enabled for DHCP server functionality?
A.None
B.GigabitEthernet0/2
C.GigabitEthernet0/1
D.GigabitEthernet0/0
Correct:C
29.What is the maximum number of VLANs and physical interfaces supported based on the current security appliance software license?
A.25 VLANs and 6 interfaces
B.10 VLANs and 3 interfaces
C.50 VLANs and 8 interfaces
D.100 VLANs and unlimited interfaces
Correct:D
30.An administrator wants to protect a DMZ web server from SYN flood attacks. Which command does not allow the administrator to place limits on the number of embryonic connections?
A.set connection
B.nat
C.static
D.HTTP-map
Correct:D


