500-258 Cisco ASA Express Security

Page 1   
Question 1

Which two options are identity policy types? (Choose two.)

  • A. known
  • B. unknown
  • C. active
  • D. passive
  • E. white-list
  • F. black-list


Answer : C,D

Question 2

An inside client on the 10.0.0.0/8 network connects to an outside server on the
172.16.0.0/16 network using TCP and the server port of 2001. The inside client negotiates
a client port in the range between UDP ports 5000 to 5500. The outside server then can
start sending UDP data to the inside client on the negotiated port within the specified UDP
port range.
Which two options show the required Cisco ASA command(s) to allow this scenario?
(Choose two.)

  • A. access-list INSIDE line 1 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq 2001 access-group INSIDE in interface inside
  • B. access-list INSIDE line 1 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq 2001 access-list INSIDE line 2 permit udp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq established access-group INSIDE in interface inside
  • C. access-list OUTSIDE line 1 permit tcp 172.16.0.0 255.255.0.0 eq 2001 10.0.0.0 255.0.0.0 access-list OUTSIDE line 2 permit udp 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 5000-5500 access-group OUTSIDE in interface outside
  • D. access-list OUTSIDE line 1 permit tcp 172.16.0.0 255.255.0.0 eq 2001 10.0.0.0 255.0.0.0 access-list OUTSIDE line 2 permit udp 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq established access-group OUTSIDE in interface outside
  • E. established tcp 2001 permit udp 5000-5500
  • F. established tcp 2001 permit from udp 5000-5500
  • G. established tcp 2001 permit to udp 5000-5500


Answer : A,G

Question 3

Refer to the exhibit.


A NOC engineer needs to tune some postlogin parameters on an SSL VPN tunnel.
From the information shown, where should the engineer navigate to, in order to find all the
postlogin session parameters?

  • A. "engineering" Group Policy
  • B. "contractor" Connection Profile
  • C. DefaultWEBVPNGroup Group Policy
  • D. DefaultRAGroup Group Policy
  • E. "engineer1" AAA/Local Users


Answer : A

Question 4




Answer :

Question 5

In one custom dynamic application, the inside client connects to an outside server using
TCP port 4444 and negotiates return client traffic in the port range of 5000 to 5500. The
server then starts streaming UDP data to the client on the negotiated port in the specified
range. Which Cisco ASA feature or command supports this custom dynamic application?

  • A. TCP normalizer
  • B. TCP intercept
  • C. ip verify command
  • D. established command
  • E. tcp-map and tcp-options commands
  • F. set connection advanced-options command


Answer : D

Question 6

In which two form factors is PRSM available? (Choose two.)

  • A. Physical Appliance
  • B. Microsoft Hyper-V Virtual Appliance
  • C. VMware Virtual Appliance
  • D. Citrix XenServer Virtual Appliance
  • E. Web Services Application


Answer : A,C

Question 7

Which component determines the number of required PRSM licenses?

  • A. AVC seats
  • B. WSE seats
  • C. IPS for NGFW modules
  • D. ASAs


Answer : D

Question 8

Which statement best describes application recognition on the Cisco ASA NGFW?

  • A. Application recognition is based only on signatures that are constantly updated, which are usually released at a monthly cadence.
  • B. Application recognition is based on signatures, heuristics, and content scanning, which removes the need to tie applications to ports.
  • C. Application recognition is based on custom signatures based on URL, FQDN, user agent strings in the HTTP stream, and IP addresses and ports.
  • D. Application recognition is based on PRSM that supports quick filtering capabilities to search for a particular application.


Answer : B

Question 9

The Cisco ASA software image has been erased from flash memory. Which two
statements about the process to recover the Cisco ASA software image are true? (Choose
two.)

  • A. Access to the ROM monitor mode is required.
  • B. The Cisco ASA appliance must have connectivity to the TFTP server where the Cisco ASA image is stored through the Management 0/0 interface.
  • C. The copy tftp flash command is necessary to start the TFTP file transfer.
  • D. The server command is necessary to set the TFTP server IP address.
  • E. Cisco ASA password recovery must be enabled.


Answer : A,D

Question 10

Refer to the exhibit.


A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a
question about a line in the log.
The IP address 172.26.26.30 is attached to which interface in the network?

  • A. the Cisco ASA physical interface
  • B. the physical interface of the end user
  • C. the Cisco ASA SSL VPN tunnel interface
  • D. the SSL VPN tunnel interface of the end user


Answer : B

Question 11

Refer to the exhibit.


When the user "contractor" Cisco AnyConnect tunnel is established, what type of Cisco
ASA user restrictions are applied to the tunnel?

  • A. full restrictions (no Cisco ASDM, no CLI, no console access)
  • B. full restrictions (no read, no write, no execute permissions)
  • C. full restrictions (CLI show commands and Cisco ASDM monitoring permissions only)
  • D. full access with no restrictions


Answer : D

Question 12

How is the NGFW AVC subscription licensed?

  • A. term
  • B. seat
  • C. application
  • D. session


Answer : A

Question 13

Refer to the exhibit.


After a remote user established a Cisco AnyConnect session from a wireless card through
the Cisco ASA appliance of a partner to a remote server, the user opened the Cisco
AnyConnect VPN Client Statistics Details screen.
What are the two sources of the IP addresses that are marked A and B? (Choose two.)

  • A. IP address that is assigned to the wireless Ethernet adapter of the remote user
  • B. IP address that is assigned to the remote user from the Cisco ASA address pool
  • C. IP address of the Cisco ASA physical interface of the partner
  • D. IP address of the Cisco ASA virtual HTTP server of the partner
  • E. IP address of the default gateway router of the remote user
  • F. IP address of the default gateway router of the partner


Answer : B,C

Question 14

Your IT department needs to run a custom-built TCP application within the clientless SSL
VPN tunnel. The network administrator suggests running the smart tunnel application.
Which three statements concerning smart tunnel applications are true? (Choose three.)

  • A. They support active FTP and other RTSP-based applications.
  • B. They do not require administrator privileges on the remote system.
  • C. They require the enabling of port forwarding.
  • D. They are supported on Windows and Mac OS X platforms.
  • E. They support native client applications over SSL VPN.
  • F. They require the modification of the hosts file on the end-user PC.


Answer : B,D,E

Question 15

Which option is the typical web reputation range for sites that tend to be well managed,
responsible content syndication networks, and user-generated content sites?

  • A. -10 to -6
  • B. -6 to -3
  • C. -3 to 3
  • D. 0 to 5
  • E. 5 to 10


Answer : C
