passguide ccsp 642-524 pdf demo
Securing Networks with ASA Foundation
Q&A V3.21
www.PassGuide.com
(C) Copyright 2006-2009 CertBible Tech LTD,All Rights Reserved.
Important Note
Please Read Carefully
Study Tips
This product will provide you questions and answers carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions.
Go through the entire document at least twice so that you make sure that you are not
missing anything.
Latest Version
We are constantly reviewing our products. New material is added and old material is
revised. Free updates are available for 120 days after the purchase. You should check your
member zone at PassGuide an update 3-4 days before the scheduled exam date.
Feedback
If you spot a possible improvement then please let us know. We always interested in
improving product quality.
Feedback should be send to feedback@passguide.com. You should include the following:
Exam number, version, page number, question number, and your login ID.
Our experts will answer your mail promptly.
Be Prepared. Be Confident. Get Certified.
————————————————————————————————————————-
Sales and Support Manager
Sales Team: sales@passguide.com Support Team: support@passguide.com
———————————————————————————————————————
Copyright
Each pdf file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular pdf file is
being distributed by you, CertBible reserves the right to take legal action against you
according to the International Copyright Laws.
1.Tom works as a network administrator for the PG company. The primary adaptive security appliance in an active/standby failover configuration failed, so the secondary adaptive security appliance was automatically activated. Tom then fixed the problem. Now he would like to restore the primary to active status. Which one of the following commands can reactivate the primary adaptive security appliance and restore it to active status while issued on the primary adaptive security appliance?A.failover resetB.failover primary activeC.failover activeD.failover exec standby
Answer:C
2.For the following commands, which one enables the DHCP server on the DMZ interface of the Cisco ASA with an address pool of 10.0.1.100-10.0.1.108 and a DNS server of 192.168.1.2?A.dhcpd address 10.0.1.100-10.0.1.108 DMZ dhcpd dns 192.168.1.2 dhcpd enable DMZB.dhcpd address range 10.0.1.100-10.0.1.108 dhcpd dns server 192.168.1.2 dhcpd enable DMZC.dhcpd range 10.0.1.100-10.0.1.108 DMZ dhcpd dns server 192.168.1.2 dhcpd DMZD.dhcpd address range 10.0.1.100-10.0.1.108 dhcpd dns 192.168.1.2 dhcpd enable
Answer:A
3.Look at the following exhibit carefully, which one of the four diagrams displays a correctly configured network for a transparent firewall?A.1B.2C.3D.4
Answer:D
4.What is the effect of the per-user-override option when applied to the access-group command syntax?A.The log option in the per-user access list overrides existing interface log options.B.It allows for extended authentication on a per-user basis.C.It allows downloadable user access lists to override the access list applied to the interface.D.It increases security by building upon the existing access list applied to the interface. All subsequent users are also subject to the additional access list entries.
Answer:C
5.John works as a network administrator for the PG company. According to the exhibit, the only traffic that John would like to allow through the corporate Cisco ASA adaptive security appliance is inbound HTTP to the DMZ network and all traffic from the inside network to the outside network. John also has configured the Cisco ASA adaptive security appliance, and access through it is now working as expected with one exception: contractors working on the DMZ servers have been surfing the Internet from the DMZ servers, which (unlike other Company XYZ hosts) are using public, routable IP addresses. Neither NAT statements nor access lists have been configured for the DMZ interface. What is the reason that the contractors are able to surf the Internet from the DMZ servers? (Note: The 192.168.X.X IP addresses are used to represent routable public IP addresses even though the 192.168.1.0 network is not actually a public routable network.)A.An access list on the outside interface permits this traffic.B.NAT control is not enabled.C.The DMZ servers are using the same global pool of addresses that is being used by the inside hosts.D.HTTP inspection is not enabled.
Answer:B
6.In order to recover the Cisco ASA password, which operation mode should you enter?A.configureB.unprivilegedC.privilegedD.monitor
Answer:D
7.Which three statements correctly describe protocol inspection on the Cisco ASA adaptive security appliance? (Choose three.)A.For the security appliance to inspect packets for signs of malicious application misuse, you must enable advanced (application layer) protocol inspection.B.If you want to enable inspection globally for a protocol that is not inspected by default or if you want to globally disable inspection for a protocol, you can edit the default global policy.C.The protocol inspection feature of the security appliance securely opens and closes negotiated ports and IP addresses for legitimate client-server connections through the security appliance.D.If inspection for a protocol is not enabled, traffic for that protocol may be blocked.
Answer:B C D
8.Observe the following commands, which one verifies that NAT is working normally and displays active NAT translations?A.show ip nat allB.show running-configuration natC.show xlateD.show nat translation
Answer:C
9.Multimedia applications transmit requests on TCP, get responses on UDP or TCP, use dynamic ports, and use the same port for source and destination, so they can pose challenges to a firewall. Which three items are true about how the Cisco ASA adaptive security appliance handles multimedia applications? (Choose three.)A.It dynamically opens and closes UDP ports for secure multimedia connections, so you do not need to open a large range of ports.B.It supports SIP with NAT but not with PAT.C.It supports multimedia with or without NAT.D.It supports RTSP, H.323, Skinny, and CTIQBE.
Answer:A C D
10.What is the result if the WebVPN url-entry parameter is disabled?A.The end user is unable to access pre-defined URLs.B.The end user is unable to access any CIFS shares or URLs.C.The end user is able to access CIFS shares but not URLs.D.The end user is able to access pre-defined URLs.
Answer:D
11.You work as a network engineer at Pass4sure.com, you are asked to examine the current Modular Policy Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by use of the appropriate Cisco ASDM configuration screens. A host on the partnernet network attempts to use FTP to download a file from InsideHost,which resides on the inside interface of the security appliance.What does the security appliance do with the traffic from the partnernet host?A.Sends it to the Cisco ASA Advanced Inspection and Prevention(AIP)-Security Services Module(SSM)for inspection before forwarding it to its destinationB.Sends it to the Cisco ASA 5500 Series Content Security and Control(CSC)SSM for inspection before forwarding it to its destinationC.Forwards it directly to its destinationD.Forwards it directly to its destination unless the connection limit is already met
Answer:D
12.You work as a network engineer at PassGuide.com, you are asked to examine the current Modular Policy Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by use of the appropriate Cisco ASDM configuration screens. Which traffic does the security appliance inspect globally(regardless of the interface on which the traffic enters the security appliance)?(Choose 3)A.HTTPB.DNSC.GTPD.H.323 H.225
Answer:A B D
13.You work as a network engineer at PassGuidecom, you are asked to examine the current Modular Policy Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by use of the appropriate Cisco ASDM configuration screens. A host on the partnernet network makes a VoIP call to 172.20.1.15,which is statically mapped to an IP phone on the inside network.What does the security appliance do with the VoIP traffic between host 172.20.1.15 and the host on the partnernet network?A.Sends it to the AIP-SSM for inspection before forwarding it to its destinationB.Sends it to the CSC-SSM for inspection before forwarding it to its destinationC.Forwards it directly to its destination unless the connection limit is already metD.Applies low latency queuing as it exits the partnernet interface
Answer:D
14.You work as a network engineer at PaGuide.com, you are asked to examine the current Modular Policy Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by use of the appropriate Cisco ASDM configuration screens. A host on the outside network sends e-mail to the public e-mail server.What does the security appliance do with the traffic from the outside host?A.Sends it to the AIP-SSM for inspection before forwarding it to its destinationB.Sends it to the CSC-SSM for inspection before forwarding it to its destinationC.Forwards it directly to its destinationD.Forwards it directly to its destination unless the connection limit is already met
Answer:A
15.You work as a network engineer at PassGuide.com, you are asked to examine the current Modular Policy Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by use of the appropriate Cisco ASDM configuration screens. A host on the partnernet network attempts to access the public web server via HTTP.What does the security appliance do with traffic from the partnernet?A.Sends it to the AIP-SSM for inspection before forwarding it to its destinationB.Sends it to the CSC-SSM for inspection before forwarding it to its destinationC.Forwards it directly to its destinationD.Forwards it directly to its destination unless the connection limit is already met
Answer:C
16.You work as a network engineer at PassGuide.com, you are asked to examine the current Modular Policy Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by use of the appropriate Cisco ASDM configuration screens. A host on the outside network makes a VoIP call to a host on the inside network.What does the security appliance do with the traffic from the host on the outside network?A.Sends it to the AIP-SSM for inspection before forwarding it to its destinationB.Sends it to the CSC-SSM for inspection before forwarding it to its destinationC.Forwards it directly to its destinationD.Drops it
Answer:D
17.Which three tunneling protocols and methods are supported by the Cisco VPN Client? (Choose three.)A.IPsec over TCPB.IPsec over UDPC.ESPD.AH
Answer:A B C
18.Which two options are correct about the impacts of this configuration? (Choose two.) class-map INBOUND_HTTP_TRAFFIC
match access-list TOINSIDEHOST
class-map OUTBOUND_HTTP_TRAFFIC
match access-list TOOUTSIDEHOST
policy-map MYPOLICY
class INBOUND_HTTP_TRAFFIC
inspect http
set connection conn-max 100
policy-map MYOTHERPOLICY
class OUTBOUND_HTTP_TRAFFIC
inspect http
service-policy MYOTHERPOLICY interface inside
service-policy MYPOLICY interface outsideA.Traffic that matches access control list TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.B.Traffic that enters the security appliance through the inside interface is subject to HTTP inspection.C.Traffic that enters the security appliance through the outside interface and matches access control list TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.D.Traffic that enters the security appliance through the inside interface and matches access control list TOOUTSIDEHOST is subject to HTTP inspection.
Answer:C D
19.Take the following configuration shown in the exhibit carefully, what traffic will be logged to the AAA server?A.Only authenticated and authorized console connection information will be logged in the accounting database.B.All outbound TCP connection information will be logged in the accounting database.C.No information will be logged. This is not a valid configuration because TACACS+ connection information cannot be captured and logged.D.All connection information will be logged in the accounting database.
Answer:B
20.What are the two purposes of the same-security-traffic permit intra-interface command? (Choose two.)A.It allows all of the VPN spokes in a hub-and-spoke configuration to be terminated on a single interface.B.It enables Dynamic Multipoint VPN.C.It permits communication in and out of the same interface when the traffic is IPSec protected.D.It allows communication between different interfaces that have the same security level
Answer:A C
21.How many unique transforms will included in a single transform set while configuring a crypto ipsec transform-set command?A.threeB.twoC.fourD.one
Answer:B
22.Study the following exhibit carefully, the Cisco ASA adaptive security appliance is using software version 8.0 with the default configuration. Configure the interfaces displayed in the exhibit with the security levels that are shown, and enable the interfaces. Management-only mode is disabled on m0/0. Which two statements correctly describe these interfaces? (Choose two.)A.Interface m0/0 can access interface g0/2, but interface g0/2 cannot access interface m0/0 unless it is given permission.B.Interface g0/1 can access interface m0/0, and interface m0/0 can access interface g0/1.C.Interface g0/1 cannot access interface m0/0 unless it is given permission, and interface m0/0 cannot access interface g0/1 unless it is given permission.D.No traffic can flow between the g0/2 and g0/3 interfaces.
Answer:A D
23.John works as a network administrator , according to the following exhibit. Descriptions are added to class maps for each part of the modular policy framework. Which text should John add to the description command to describe the TO_SERVER class map?
PG-asa1(config)#access-list UDP permit udp any any
PG-asa1(config)#access-list TCP permit tcp any any
PG-asa1(config)#access-list PUBLIC_WEB permit ip any 10.10.10.100 255.255.255.255 PG-asa1(config)#class-map ALL_VDP
PG-asa1(config-cmap)#description “This class-map matches all UDP traffic”
PG-asa1(config-cmap)#match access-list VDP
PG-asa1(config-cmap)#class-map ALL_TCP
PG-asa1(config-cmap)#description “This class-map matches all TCP traffic”
PG-asa1(config-cmap)#match access-list TCP
PG-asa1(config-cmap)#class-map ALL_WEB_SERVER
PG-asa1(config-cmap)#description “This class-map matches all HTTP traffic”
PG-asa1(config-cmap)#match port tcp eq http
PG-asa1(config-cmap)#class-map TO_SERVER
PG-asa1(config-cmap)#match access-list PUBLIC_WEBA.description “This class-map matches all TCP traffic for the public web server.”B.description “This class-map matches all HTTP traffic for the public web server.”C.description “This class-map matches all HTTPS traffic for the public web server.”D.description “This class-map matches all IP traffic for the public web server.”
Answer:D
24.What is the reason that you want to configure VLANs on a security appliance interface?A.for use in conjunction with device-level failover to increase the reliability of your security applianceB.for use in transparent firewall mode, where only VLAN interfaces are usedC.to increase the number of interfaces available to the network without adding additional physical interfaces or security appliancesD.for use in multiple context mode, where you can map only VLAN interfaces to contexts
Answer:C
25.By default, the AIP-SSM IPS software is accessible from the management port at IP address 10.1.9.201/24. Which CLI command should an administrator use to change the default AIP-SSM management port IP address?A.interfaceB.hw module 1 recoverC.setupD.hw module 1 setup
Answer:C
26.Which one of the following commands can provide detailed information about the crypto map configurations of a Cisco ASA adaptive security appliance?A.show ipsec saB.show crypto mapC.show run ipsec saD.show run crypto map
Answer:D
27.Which three potential groups are of users for WebVPN? (Choose three.)A.employees accessing specific internal applications from desktops and laptops not managed by ITB.administrators who need to manage servers and networking equipmentC.employees that only need occasional corporate access to a few applicationsD.users of a customer service kiosk placed in a retail store
Answer:A C D
28.Which three features can the Cisco ASA adaptive security appliance support? (Choose three.)A.BGP dynamic routingB.802.1Q VLANsC.OSPF dynamic routingD.static routes
Answer:B C D
29.Which one of the following commands will prevent all SIP INVITE packets, such as calling-party and request-method, from specific SIP endpoints?A.Use the match calling-party command in a class map. Apply the class map to a policy map that contains the match request-methods command.B.Group the match commands in a SIP inspection class map.C.Use the match request-methods command in an inspection class map. Apply the inspection class map to an inspection policy map that contains the match calling-party command.D.Group the match commands in a SIP inspection policy map.
Answer:B
30.Which two statements are true about multiple context mode? (Choose two.)A.Multiple context mode does not support IPS, IPsec, and SSL VPNs, or dynamic routing protocols.B.Multiple context mode enables you to create multiple independent virtual firewalls with their own security policies and interfaces.C.Multiple context mode enables you to add to the security appliance a hardware module that supports up to four independent virtual firewalls.D.When you convert from single mode to multiple mode, the security appliance automatically adds an entry for the admin context to the system configuration with the name “admin.”
Answer:B D
31.How do you ensure that the main interface does not pass untagged traffic when using subinterfaces?A.Use the vlan command on the main interface.B.Use the shutdown command on the main interfaceC.Omit the nameif command on the subinterfaceD.Omit the nameif command on the main interface.
Answer:D
32.For creating and configuring a security context, which three tasks are mandatory? (Choose three.)A.allocating interfaces to the contextB.assigning MAC addresses to context interfacesC.creating a context nameD.specifying the location of the context startup configuration
Answer:A C D
33.Study the exhibit carefully. Which two types of failover is this adaptive security appliance configured for? (Choose two.)
PG-asa1# show failover Failover On Cable status:
N/A-LAN-based failover enabled Failover unit Primary Failover LAN Interface:
Ianfail GigabitEthernet0/2 (up) Unit Poll frequency 15 seconds, holdtime 45 seconds Interface Poll frequency 15 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum Group 1 last failover at:
15:54:49 UTC Sept 17 2006 Group 2 last failover at:
15:55:00 UTC Sept 17 2006A.stateful failoverB.LAN-based failoverC.cable-based failoverD.Active/Active failover
Answer:B D
34.Which two descriptions are correct about configuring passive RIP on the security appliance based on the following exhibit? (Choose two.)A.You must specify a classful network IP address to define a network for the RIP routing process.B.If you enable passive RIP, all interfaces must operate in passive mode.C.There is no limit to the number of networks you can specify for the RIP routing process.D.Enabling passive RIP mode causes the security appliance to receive all RIP routing updates but send only a default route to neighboring routers.
Answer:A C
35.Which of these identifies basic settings for the security appliance, including a list of contexts?A.network configurationB.admin configurationC.system configurationD.primary configuration
Answer:C
36.Study the exhibit carefully. The security policy for PG Corporation allows only the following traffic through the corporate adaptive security appliance: –outbound NTP traffic from the inside network to any outside destination –FTP traffic from the inside network to the FTP server on the DMZ –outbound HTTP traffic from the inside network to any outside destination –FTP traffic from the outside 192.168.6.0/24 network to the FTP server on the DMZ –any HTTP traffic from the outside to the web server on the DMZ The network administrator configured access rules according to the security policy requirements but made two mistakes. Which are two mistakes? (Choose two.)A.missing ACEB.incorrect destination addressC.missing ACLD.incorrect order of ACLs
Answer:B D
37.An administrator wants to protect a DMZ web server from SYN flood attacks. Which command does not allow the administrator to place limits on the number of embryonic connections?A.set connectionB.natC.staticD.HTTP-map
Answer:D
38.Which option correctly describes the order to upgrade the license (activation key) for your security appliance from Cisco ASDM?A.Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the security appliance as it appears on the chassis of the security appliance.
Step 2 Reboot the security appliance to ensure that the image in flash and the running image are the same.
Step 3 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco ASDM and enter the activation key as a four- or five-element hexadecimal string with no spaces.
Step 4 Click Update Activation Key in the Activation Key panel.
Step 5 Reload the security appliance to activate the flash activation key.B.Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the security appliance as it appears in the show version command output. Step 2 Reboot the security appliance to ensure that the image in flash and the running image are the same.
Step 3 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco ASDM and enter the activation key as a four- or five-element hexadecimal string with one space between each element.
Step 4 Click Update Activation Key in the Activation Key panel.
Step 5 Reload the security appliance to activate the flash activation key.C.Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the security appliance as it appears in the show version command output. Step 2 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco ASDM and enter the activation key as a three- or four-element hexadecimal string with one space between each element.
Step 3 Click Update Activation Key in the Activation Key panel.
Step 4 Click Save in the Cisco ASDM toolbar.D.Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the security appliance as it appears on the chassis of the security appliance.
Step 2 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco ASDM and enter the activation key as a four- or five-element hexadecimal string with no spaces.
Step 3 Click Update Activation Key in the Activation Key panel.
Step 4 Click Save in the Cisco ASDM toolbar.
Answer:B
39.You are a network administrator for the PG company. After the primary adaptive security appliance failed, the secondary adaptive security appliance was automatically activated. You fixed the problem. Now you would like to restore the primary to “active” status. When issued on the primary adaptive security appliance, which command would reactivate the primary adaptive security appliance and return it to “active” status?A.failover secondary standby group 1B.failover primary activeC.failover active group 1D.failover secondary group 1
Answer:C
40.Which two scenarios correctly describe the impact of the configuration shown in the exhibit? (Choose two.)A.User addison enters the login command at the > prompt and logs in with the correct username and password when prompted. User addison can then enter the global configuration mode on the security appliance.B.User carter enters the enable command at the > prompt and logs in with the correct username and password when prompted. User carter can then enter the global configuration mode.C.User carter enters the login command at the > prompt and logs in with the correct username and password when prompted. User carter can then enter the global configuration mode on the security appliance.D.User kenny enters the enable command at the > prompt and logs in with the correct username and password when prompted. User kenny can then enter the global configuration mode.
Answer:A D
41.While configuring a crypto map, which command will be used to specify the peer to which IPsec-protected traffic could be forwarded?A.crypto-map policy 10 set 192.168.7.2B.crypto map set peer 192.168.7.2C.crypto map 20 set-peer insidehostD.crypto map peer7 10 set peer 192.168.7.2
Answer:D
Recent Comments