642-523 Securing Networks with PIX and ASA

Question 1

How many unique transforms will be included in a single transform set when configuring the
crypto ipsec transform-set command?

  • A. three
  • B. two
  • C. four
  • D. one

Answer : B

Question 2

Which one of the following commands enables the DHCP server on the DMZ interface of
the Cisco ASA with an address pool of and a DNS server of

  • A. dhcpd address DMZ dhcpd dns dhcpd enable DMZ
  • B. dhcpd address range dhcpd dns server dhcpd enable DMZ
  • C. dhcpd range DMZ dhcpd dns server dhcpd DMZ
  • D. dhcpd address range dhcpd dns dhcpd enable

Answer : A

Question 3

Refer to the exhibit. Choose the appropriate command that will apply this policy map to

  • A. policy-map OUTSIDE_POLICY interface outside
  • B. service-policy OUTSIDE_POLICY interface outside
  • C. policy-map OUTSIDE_POLICY global
  • D. service-policy OUTSIDE_POLICY global

Answer : B,D

Question 4

During failover, which security appliance attribute does not change?

  • A. active and standby interfaces-IP address
  • B. active and standby interfaces-MAC address
  • C. failover unit type-primary and secondary
  • D. failover unit status-active and standby

Answer : C

Question 5

When an outside FTP client accesses a corporation's DMZ FTP server through a security
appliance, the administrator wants the security appliance to restrict the FTP commands that can
be performed by the client. Which security appliance commands enable the administrator
to restrict the FTP client to performing a specific set of FTP commands?

  • A. ftp-map inbound_ftp request-cmd deny appe dele rmd
  • B. policy-map inbound class inbound_ftp_traffic inspect ftp strict appe dele rmd
  • C. ftp-map inbound_ftp request-cmd permit get put cdup
  • D. policy-map inbound class inbound_ftp_traffic inspect ftp strict get put cdup

Answer : A

Question 6

Which one of the following commands configures the adaptive security appliance interface
as a DHCP client and sets the default route to be the default gateway parameter returned
from the DHCP server?

  • A. ip address dhcp setroute
  • B. dhcp setroute
  • C. ip address dhcp
  • D. ip address dhcp default route

Answer : A

Question 7

What happens when the same-security-traffic permit inter-interface command is added to a
Cisco ASA?

  • A. Communication will be allowed between VPN clients terminated on different Cisco ASA interfaces.
  • B. Communication will be allowed between different interfaces with the same security level.
  • C. Communication will be allowed between multiple Cisco ASA security appliances deployed as hubs in enterprise-wide deployments of Cisco Easy VPN servers.
  • D. A Dynamic Multipoint VPN connected to all endpoints will be enabled.

Answer : B

Question 8

The ASDM client is supported on which PC operating systems? Choose the best answer.

  • A. Windows and Sun Solaris
  • B. Windows and Linux
  • C. Windows, Linux, and Sun Solaris
  • D. Windows, Macintosh, and Linux

Answer : C

Question 9

How do you ensure that the main interface does not pass untagged traffic when using

  • A. Use the vlan command on the main interface.
  • B. Use the shutdown command on the main interface
  • C. Omit the nameif command on the subinterface
  • D. Omit the nameif command on the main interface.

Answer : D

Question 10

Which three options belong to Cisco ASA syslog message fields? (Choose three.)

  • A. logging level
  • B. logging device IP
  • C. message text
  • D. triggering packet copy

Answer : A,B,C

Question 11

Which is a method of identifying the traffic requiring authorization on the security

  • A. independently interpreting authorization rules before authentication has occurred to decrease overall AAA processing time
  • B. specifying ACLs that authorization rules must match
  • C. checking the authentication rules for a match thus allowing the traffic to be authorized
  • D. implicitly enabling TACACS+ authorization rules in the response packet

Answer : B

Question 12

Cisco's Adaptive Security Appliance (ASA) earns the silver in the network firewall category
of our 2008 Product Leadership Awards. Refer to the exhibit. The ASA administrator is
tasked with filtering a single website on a host with the IP address, but allow access
to all other websites. The administrator inputs the commands displayed and then executes
What are two purposes of the following commands? (Choose two.)
P4S-asa1(config)# filter url http 0 0 0 0
P4S-asa1(config)# filter url except 0 0

  • A. allow access to all website except those hosted at IP address
  • B. filter the URLs found at the host with the IP address
  • C. filter all URL requests
  • D. cause URL requests from the address to be exempted from filtering

Answer : C,D

Question 13

Which three commands display the contents of flash memory on the Cisco ASA?
(Choose three.)

  • A. show disk
  • B. flash
  • C. dir
  • D. show flash:

Answer : A,C,D

Question 14

On which device can Dead Peer Detection be configured when it is used for IPSec remote

  • A. the headend device
  • B. Dead Peer Detection should not be used in IPSec remote access applications
  • C. both the headend and remote devices
  • D. the remote device

Answer : C

Question 15

John works as a network administrator. Refer to the following exhibit. Descriptions are
added to class maps for each part of the modular policy framework. Which text should John
add to the description command to describe the TO_SERVER class map?
P4S-asa1(config)#access-list UDP permit udp any any
P4S-asa1(config)#access-list TCP permit tcp any any
P4S-asa1(config)#access-list PUBLIC_WEB permit ip any
P4S-asa1(config)#class-map ALL_UDP
P4S-asa1(config-cmap)#description "This class-map matches all UDP traffic"
P4S-asa1(config-cmap)#match access-list UDP
P4S-asa1(config-cmap)#class-map ALL_TCP
P4S-asa1(config-cmap)#description "This class-map matches all TCP traffic"
P4S-asa1(config-cmap)#match access-list TCP
P4S-asa1(config-cmap)#class-map ALL_WEB_SERVER
P4S-asa1(config-cmap)#description "This class-map matches all HTTP traffic"
P4S-asa1(config-cmap)#match port tcp eq http
P4S-asa1(config-cmap)#class-map TO_SERVER
P4S-asa1(config-cmap)#match access-list PUBLIC_WEB

  • A. description "This class-map matches all TCP traffic for the public web server."
  • B. description "This class-map matches all HTTP traffic for the public web server."
  • C. description "This class-map matches all HTTPS traffic for the public web server."
  • D. description "This class-map matches all IP traffic for the public web server."

Answer : D

