ASA - KillTest · 6.What is the result if the WebVPN urlentry parameter is disabled ... D.any Cisco...
Transcript of ASA - KillTest · 6.What is the result if the WebVPN urlentry parameter is disabled ... D.any Cisco...
Exam : Cisco 642523
Title :
Update : Nov122008
Securing Networks with PIX and
ASA
http://www.KillTest.com
| English | Chinese(Traditional) | Chinese(Simplified) | 2 KillTest Information Co., Ltd. All rights reserved.
1.For the following commands, which one enables the DHCP server on the DMZ interface of the Cisco ASA with an address pool of 10.0.1.10010.0.1.108 and a DNS server of 192.168.1.2? A.dhcpd address 10.0.1.10010.0.1.108 DMZ dhcpd dns 192.168.1.2 dhcpd enable DMZ B.dhcpd address range 10.0.1.10010.0.1.108 dhcpd dns server 192.168.1.2 dhcpd enable DMZ C.dhcpd range 10.0.1.10010.0.1.108 DMZ dhcpd dns server 192.168.1.2 dhcpd DMZ D.dhcpd address range 10.0.1.10010.0.1.108 dhcpd dns 192.168.1.2 dhcpd enable Correct:A 2.Which description is correct about the output provided in the exhibit?
A.The ACLOUT access list has been designed to allow the IP address with the network address of 192.168.6.0 to have unrestricted access to the web server at IP address 192.168.1.11. B.The ACLOUT access list has been designed to deny the IP address 192.168.1.11 web access to the host with a network address of 192.168.6.0. C.The ACLIN access list permits web access from host 192.168.6.10 to all hosts behind the Cisco ASA. D.The ICMPDMZ access list denies all ICMP traffic bound for the bastion host except echo replies Correct:A 3.What is the effect of the peruseroverride option when applied to the accessgroup command syntax? A.The log option in the peruser access list overrides existing interface log options. B.It allows for extended authentication on a peruser basis. C.It allows downloadable user access lists to override the access list applied to the interface. D.It increases security by building upon the existing access list applied to the interface. All subsequent users are also subject to the additional access list entries. Correct:C 4.In order to recover the Cisco ASA password, which operation mode should you enter? A.configure B.unprivileged
| English | Chinese(Traditional) | Chinese(Simplified) | 3 KillTest Information Co., Ltd. All rights reserved.
C.privileged D.monitor Correct:D 5.Observe the following commands, which one verifies that NAT is working normally and displays active NAT translations? A.show ip nat all B.show runningconfiguration nat C.show xlate D.show nat translation Correct:C 6.What is the result if the WebVPN urlentry parameter is disabled? A.The end user is unable to access predefined URLs. B.The end user is unable to access any CIFS shares or URLs. C.The end user is able to access CIFS shares but not URLs. D.The end user is able to access predefined URLs. Correct:D 7.Which three tunneling protocols and methods are supported by the Cisco VPN Client? (Choose three.) A.IPsec over TCP B.IPsec over UDP C.ESP D.AH Correct:A B C 8.Tom is a network administrator, study the exhibit carefully. He wants to authenticate remote users who are accessing the P4SWEB server from the Internet. When a remote user initiates a session to the P4SWEB server, the ASA1 security appliance will verify the user's credentials with the TX_ACS AAA server via RADIUS. In order to achieve this goal, Tom needs to load and configure Cisco ACS software on the TX_ACS AAA server. During the process, he should appropriately configure the AAA client information in the Cisco ACS network configuration window. What should Tom place in field A (AAA Client Hostname) and field B (AAA Client IP address)?
| English | Chinese(Traditional) | Chinese(Simplified) | 4 KillTest Information Co., Ltd. All rights reserved.
A.A P4SPC B 192.168.2.10 B.A TX_ACS B 10.0.1.10 C.A P4SWEB B 172.16.1.2 D.A ASA1 B 10.0.1.1 Correct:D 9.What are the two purposes of the samesecuritytraffic permit intrainterface command? (Choose two.) A.It allows all of the VPN spokes in a hubandspoke configuration to be terminated on a single interface. B.It enables Dynamic Multipoint VPN. C.It permits communication in and out of the same interface when the traffic is IPSec protected. D.It allows communication between different interfaces that have the same security level Correct:A C 10.How many unique transforms will included in a single transform set while configuring a crypto ipsec transformset command? A.three
| English | Chinese(Traditional) | Chinese(Simplified) | 5 KillTest Information Co., Ltd. All rights reserved.
B.two C.four D.one Correct:B 11.John works as a network administrator , according to the following exhibit. Descriptions are added to class maps for each part of the modular policy framework. Which text should John add to the description command to describe the TO_SERVER class map? P4Sasa1(config)#accesslist UDP permit udp any any P4Sasa1(config)#accesslist TCP permit tcp any any P4Sasa1(config)#accesslist PUBLIC_WEB permit ip any 10.10.10.100 255.255.255.255 P4Sasa1(config)#classmap ALL_VDP P4Sasa1(configcmap)#description "This classmap matches all UDP traffic" P4Sasa1(configcmap)#match accesslist VDP P4Sasa1(configcmap)#classmap ALL_TCP P4Sasa1(configcmap)#description "This classmap matches all TCP traffic" P4Sasa1(configcmap)#match accesslist TCP P4Sasa1(configcmap)#classmap ALL_WEB_SERVER P4Sasa1(configcmap)#description "This classmap matches all HTTP traffic" P4Sasa1(configcmap)#match port tcp eq http P4Sasa1(configcmap)#classmap TO_SERVER P4Sasa1(configcmap)#match accesslist PUBLIC_WEB A.description "This classmap matches all TCP traffic for the public web server." B.description "This classmap matches all HTTP traffic for the public web server." C.description "This classmap matches all HTTPS traffic for the public web server." D.description "This classmap matches all IP traffic for the public web server." Correct:D 12.By default, the AIPSSM IPS software is accessible from the management port at IP address 10.1.9.201/24. Which CLI command should an administrator use to change the default AIPSSM management port IP address? A.interface B.hw module 1 recover C.setup D.hw module 1 setup Correct:C 13.Alex works as a network administrator for P4S Ltd. Study the exhibit carefully. Alex has decided to authenticate HTTP cutthrough proxy traffic via a local database on the Cisco ASA. In order to accomplish this objective, which set of command strings will Alex enter?
| English | Chinese(Traditional) | Chinese(Simplified) | 6 KillTest Information Co., Ltd. All rights reserved.
A.P4Sasa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 P4Sasa1(config)# accesslist 150 permit tcp any host 172.16.16.6 eq www P4Sasa1(config)# aaa authentication match 150 outside asa1 B.P4Sasa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 P4Sasa1(config)# accesslist 150 permit tcp any host 172.16.16.6 eq www P4Sasa1(config)# aaa authentication match 150 outside LOCAL C.P4Sasa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 P4Sasa1(config)# accesslist 150 permit tcp any host 192.168.16.6 eq www P4Sasa1(config)# aaa authentication match 150 outside asa1 D.P4Sasa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 P4Sasa1(config)# accesslist 150 permit tcp any host 192.168.16.6 eq www P4Sasa1(config)# aaa authentication match 150 outside LOCAL Correct:D 14.Which three potential groups are of users for WebVPN? (Choose three.) A.employees accessing specific internal applications from desktops and laptops not managed by IT B.administrators who need to manage servers and networking equipment C.employees that only need occasional corporate access to a few applications D.users of a customer service kiosk placed in a retail store Correct:A C D 15.The inline IPS software feature set is available in which security appliances? A.only Cisco ASA 5520 and 5540 Security Appliances with an AIPSSM module B.any Cisco PIX and ASA Security Appliance running v.7 software and an AIPSSM module C.only Cisco PIX 515, 525, and 535 Security Appliances with an AIPSSM module D.any Cisco ASA 5510, 5520, or 5540 Security Appliance with an AIPSSM module Correct:D 16.For the following commands, which one would offer detailed information about the crypto map configurations of a Cisco ASA? A.show crypto map
| English | Chinese(Traditional) | Chinese(Simplified) | 7 KillTest Information Co., Ltd. All rights reserved.
B.show run ipsec sa C.show ipsec sa D.show run crypto map Correct:D 17.Which one of the following commands will prevent all SIP INVITE packets, such as callingparty and requestmethod, from specific SIP endpoints? A.Use the match callingparty command in a class map. Apply the class map to a policy map that contains the match requestmethods command. B.Group the match commands in a SIP inspection class map. C.Use the match requestmethods command in an inspection class map. Apply the inspection class map to an inspection policy map that contains the match callingparty command. D.Group the match commands in a SIP inspection policy map. Correct:B 18.How do you ensure that the main interface does not pass untagged traffic when using subinterfaces? A.Use the vlan command on the main interface. B.Use the shutdown command on the main interface C.Omit the nameif command on the subinterface D.Omit the nameif command on the main interface. Correct:D 19.Study the exhibit carefully. Which two types of failover is this adaptive security appliance configured for? (Choose two.) P4Sasa1# show failover Failover On Cable status: N/ALANbased failover enabled Failover unit Primary Failover LAN Interface: Ianfail GigabitEthernet0/2 (up) Unit Poll frequency 15 seconds, holdtime 45 seconds Interface Poll frequency 15 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum Group 1 last failover at: 15:54:49 UTC Sept 17 2006 Group 2 last failover at: 15:55:00 UTC Sept 17 2006 A.stateful failover B.LANbased failover C.cablebased failover D.Active/Active failover Correct:B D 20.LAB ABC agency has installed a Cisco Adaptive Security Appliance (ASA) and wants basic outbound access configured on the outside interface for all hosts on the inside network of 10.0.3.0/255.255.255.0. The real IP addresses of the inside hosts should be hidden from the outside network. Company policy requires that packets traversing from a higher security interface to a lower security interface for all other inside networks must match a NAT rule, or else processing for the packet must stop. Use the topology provided and the parameters below to complete this exercise. When you complete the exercise you should be able to open a Web session from the Corporate PC at 10.0.3.11 to the Web server located at 172.26.26.50. You should not be able to open a Web Session from Corporate PC at 10.0.4.11. to the Web server located at 172.26.26.50. Please Input correct Answer
| English | Chinese(Traditional) | Chinese(Simplified) | 8 KillTest Information Co., Ltd. All rights reserved.
A.(conf t) # natcontrol #nat (inside ) 1 10.0.3.0 255.255.255.0 #global (oustside ) 1 192.168.1.20192.168.1.254 #copy run start Correct:A 21.Which statement about Telnet and the security appliance is true? A.You can enable Telnet on all interfaces, but the PIX security appliance requires that all Telnet traffic to all interfaces be IPSec protected. B.You can enable Telnet on all interfaces, but it must be protected with SSH. C.You can enable Telnet on all interfaces, but the PIX security appliance requires that all Telnet traffic to the outside interface be IPSec protected. D.You can enable Telnet on all interfaces except the outside interface. Correct:C 22.Please look at the follwing picture: Which of the following traffic is permitted based on the current accesslist configuration?
| English | Chinese(Traditional) | Chinese(Simplified) | 9 KillTest Information Co., Ltd. All rights reserved.
A.FTP traffic from any outside host to the 172.16.1.2 host on the DMZ1 network B.HTTP and HTTPS traffic from the 172.16.10.2 DMZ2 host to any host on the outside C.Any IP traffic from any outside host to the 172.16.10.2 host on the DMZ2 network D.Any IP traffic from any outside host to the 172.16.1.2 host on the DMZ1 network Correct:A 23.How is the address translation feature of the security appliance used in the current configuration? (Choose two)
A.Dynamic NAT is used to translate any host on the inside to a mapped address from the address pool of 192.168.1.20 to 192.168.1.254.
| English | Chinese(Traditional) | Chinese(Simplified) | 10 KillTest Information Co., Ltd. All rights reserved.
B.Port Address Translation (PAT) is used to translate any host on the inside to the 192.168.1.10 global address. C.Static NAT is used to translate the 172.16.10.2 DMZ2 host address to a global address of 192.168.1.12 D.Dynamic NAT is used to translate any host on the DMZ1 network and the DMZ2 network to a mapped address from the address pool of 192.168.1.20 to 192.168.1.254. Correct:A C 24.Why does the PIX security appliance record information about a packet in its stateful session flow table? A.to establish a proxy session by relaying the application layer requests and responses between two endpoints B.to track outbound UDP connections C.to compare against return packets for determining whether the packet should be allowed through the firewall D.to build the reverse path forwarding (RFP) table to prevent spoofed source IP address Correct:C 25.What is the currently configured default gateway IP address on the security appliance?
A.172.16.10.1 B.172.16.1.1 C.192.168.1.1 D.10.0.1.1 Correct:C 26.Which hosts are allowed to manage this security appliance using ASDM or HTTPS?
| English | Chinese(Traditional) | Chinese(Simplified) | 11 KillTest Information Co., Ltd. All rights reserved.
A.The 10.0.1.11 host only B.The 172.16.1.2 host only C.The 172.16.10.2 host only D.Any host on the 10.0.1.0/24 subnet Correct:A 27.Which of these identifies basic settings for the security appliance, including a list of contexts? A.network configuration B.admin configuration C.system configuration D.primary configuration Correct:C 28.Which interface on this security appliance is enabled for DHCP server functionality?
A.None
| English | Chinese(Traditional) | Chinese(Simplified) | 12 KillTest Information Co., Ltd. All rights reserved.
B.GigabitEthernet0/2 C.GigabitEthernet0/1 D.GigabitEthernet0/0 Correct:C 29.What is the maximum number of VLANs and physical interfaces supported based on the current security appliance software license?
A.25 VLANs and 6 interfaces B.10 VLANs and 3 interfaces C.50 VLANs and 8 interfaces D.100 VLANs and unlimited interfaces Correct:D 30.An administrator wants to protect a DMZ web server from SYN flood attacks. Which command does not allow the administrator to place limits on the number of embryonic connections? A.set connection B.nat C.static D.HTTPmap Correct:D
KillTest.com was founded in 2006. The safer,easier way to help you pass any IT Certification exams . We provide high quality IT Certification exams practice questions and answers(Q&A). Especially Adobe, Apple, Citrix, Comptia, EMC, HP, HuaWei, LPI, Nortel, Oracle, SUN, Vmware and so on. And help you pass any IT Certification exams at the first try.
You can reach us at any of the email addresses listed below.
English Customer: Chinese Customer:
Sales : [email protected] [email protected] Support: [email protected] [email protected]
English Version http://www.KillTest.com Chinese (Traditional) http://www.KillTest.net Chinese (Simplified) http://www.KillTest.cn