642-523 Securing Networks with PIX and ASA

Page 1   
Question 1

How many unique transforms can be included in a single transform set when configuring the
crypto ipsec transform-set command?

  • A. three
  • B. two
  • C. four
  • D. one


Answer : B

Question 2

Which of the following command sets enables the DHCP server on the DMZ interface of
the Cisco ASA with an address pool of 10.0.1.100-10.0.1.108 and a DNS server of
192.168.1.2?

  • A. dhcpd address 10.0.1.100-10.0.1.108 DMZ dhcpd dns 192.168.1.2 dhcpd enable DMZ
  • B. dhcpd address range 10.0.1.100-10.0.1.108 dhcpd dns server 192.168.1.2 dhcpd enable DMZ
  • C. dhcpd range 10.0.1.100-10.0.1.108 DMZ dhcpd dns server 192.168.1.2 dhcpd DMZ
  • D. dhcpd address range 10.0.1.100-10.0.1.108 dhcpd dns 192.168.1.2 dhcpd enable


Answer : A

Question 3

According to the exhibit, choose the appropriate command that will apply this policy map to

  • A. policy-map OUTSIDE_POLICY interface outside
  • B. service-policy OUTSIDE_POLICY interface outside
  • C. policy-map OUTSIDE_POLICY global
  • D. service-policy OUTSIDE_POLICY global


Answer : B,D

Question 4

During failover, which security appliance attribute does not change?

  • A. active and standby interfaces-IP address
  • B. active and standby interfaces-MAC address
  • C. failover unit type-primary and secondary
  • D. failover unit status-active and standby


Answer : C

Question 5

When an outside FTP client accesses a corporation's DMZ FTP server through a security
appliance, the administrator wants the security appliance to restrict the FTP commands that
can be performed by the client. Which security appliance commands enable the administrator
to restrict the FTP client to performing a specific set of FTP commands?

  • A. ftp-map inbound_ftp request-cmd deny appe dele rmd
  • B. policy-map inbound class inbound_ftp_traffic inspect ftp strict appe dele rmd
  • C. ftp-map inbound_ftp request-cmd permit get put cdup
  • D. policy-map inbound class inbound_ftp_traffic inspect ftp strict get put cdup


Answer : A

Question 6

Which one of the following commands configures the adaptive security appliance interface
as a DHCP client and sets the default route to be the default gateway parameter returned
from the DHCP server?

  • A. ip address dhcp setroute
  • B. dhcp setroute
  • C. ip address dhcp
  • D. ip address dhcp default route


Answer : A

Question 7

What happens when the same-security-traffic permit inter-interface command is added to a
Cisco ASA?

  • A. Communication will be allowed between VPN clients terminated on different Cisco ASA interfaces.
  • B. Communication will be allowed between different interfaces with the same security level.
  • C. Communication will be allowed between multiple Cisco ASA security appliances deployed as hubs in enterprise-wide deployments of Cisco Easy VPN servers.
  • D. A Dynamic Multipoint VPN connected to all endpoints will be enabled.


Answer : B

Question 8

The ASDM client is supported on which PC operating systems? Choose the best answer.

  • A. Windows and Sun Solaris
  • B. Windows and Linux
  • C. Windows, Linux, and Sun Solaris
  • D. Windows, Macintosh, and Linux


Answer : C

Question 9

How do you ensure that the main interface does not pass untagged traffic when using
subinterfaces?

  • A. Use the vlan command on the main interface.
  • B. Use the shutdown command on the main interface
  • C. Omit the nameif command on the subinterface
  • D. Omit the nameif command on the main interface.


Answer : D

Question 10

Which three options are Cisco ASA syslog message fields? (Choose three.)

  • A. logging level
  • B. logging device IP
  • C. message text
  • D. triggering packet copy


Answer : A,B,C

Question 11

Which is a method of identifying the traffic requiring authorization on the security
appliance?

  • A. independently interpreting authorization rules before authentication has occurred to decrease overall AAA processing time
  • B. specifying ACLs that authorization rules must match
  • C. checking the authentication rules for a match thus allowing the traffic to be authorized
  • D. implicitly enabling TACACS+ authorization rules in the response packet


Answer : B

Question 12

Cisco's Adaptive Security Appliance (ASA) earns the silver in the network firewall category
of our 2008 Product Leadership Awards. According to the exhibit, the ASA administrator is
tasked to filter a single website on a host with the IP address 10.10.11.4, but allow access
to all other websites. The administrator inputs the commands displayed and then executes
them.
What are two purposes of the following commands? (Choose two.)
P4S-asa1(config)# filter url http 0 0 0 0
P4S-asa1(config)# filter url except 10.10.11.4 255.255.255.255 0 0

  • A. allow access to all websites except those hosted at IP address 10.10.11.4
  • B. filter the URLs found at the host with the IP address 10.10.11.4
  • C. filter all URL requests
  • D. cause URL requests from the address 10.10.11.4 to be exempted from filtering


Answer : C,D

Question 13

Which three commands display the contents of flash memory on the Cisco ASA?
(Choose three.)

  • A. show disk
  • B. flash
  • C. dir
  • D. show flash:


Answer : A,C,D

Question 14

On which device can Dead Peer Detection be configured when it is used for IPSec remote
access?

  • A. the headend device
  • B. Dead Peer Detection should not be used in IPSec remote access applications
  • C. both the headend and remote devices
  • D. the remote device


Answer : C

Question 15

John works as a network administrator. According to the following exhibit, descriptions are
added to class maps for each part of the modular policy framework. Which text should John
add to the description command to describe the TO_SERVER class map?
P4S-asa1(config)#access-list UDP permit udp any any
P4S-asa1(config)#access-list TCP permit tcp any any
P4S-asa1(config)#access-list PUBLIC_WEB permit ip any 10.10.10.100 255.255.255.255
P4S-asa1(config)#class-map ALL_UDP
P4S-asa1(config-cmap)#description "This class-map matches all UDP traffic"
P4S-asa1(config-cmap)#match access-list UDP
P4S-asa1(config-cmap)#class-map ALL_TCP
P4S-asa1(config-cmap)#description "This class-map matches all TCP traffic"
P4S-asa1(config-cmap)#match access-list TCP
P4S-asa1(config-cmap)#class-map ALL_WEB_SERVER
P4S-asa1(config-cmap)#description "This class-map matches all HTTP traffic"
P4S-asa1(config-cmap)#match port tcp eq http
P4S-asa1(config-cmap)#class-map TO_SERVER
P4S-asa1(config-cmap)#match access-list PUBLIC_WEB

  • A. description "This class-map matches all TCP traffic for the public web server."
  • B. description "This class-map matches all HTTP traffic for the public web server."
  • C. description "This class-map matches all HTTPS traffic for the public web server."
  • D. description "This class-map matches all IP traffic for the public web server."


Answer : D
