Cisco Secure PIX Firewall Advanced Version 4.0


9E0-111 (CSPFA) Cisco Secure PIX Firewall Advanced Version 4.0

Important Note, Please Read Carefully

Study Tips
This product will provide you with questions and answers along with detailed explanations, carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure you are not missing anything.

Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at http://www.testking.com/index.cfm?pageid=724

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at TestKing for an update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version:
Go to www.testking.com
Click on Member zone/Log in
The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback
Feedback on specific questions should be sent to feedback@testking.com. You should state: exam number and version, question number, and login ID. Our experts will answer your mail promptly.

Explanations
Currently this product does not include explanations. If you are interested in providing TestKing with explanations, contact feedback@testking.com. Include the following information: exam, your background regarding this exam in particular, and what you consider a reasonable compensation for the work.

Copyright
Each pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.

Leading the way in IT testing and certification tools, www.testking.com - 2 - 9E0 - 111

Note: Section A contains 100 questions. Section B contains 57 questions. Section C contains 170 questions. The total number of questions is 327.

Section A

QUESTION NO: 1
You are the network security administrator for an enterprise network with a complex security policy. Which PIX Firewall feature should you configure to minimize the number of ACLs needed to implement your policy?
A. ASA
B. Packet capture
C. Turbo ACLs
D. IP helper
E. Object grouping
Answer: E

QUESTION NO: 2
IPSec works with which switching paths?
A. Process switching
B. Optimum switching
C. Fast switching
D. Flow switching
Answer: A

QUESTION NO: 3
Speaking of Security Association requirements, which of the following statements is true?
A. A set of SAs is needed, one per direction, per protected data pipe.
B. A set of SAs is needed, one per direction, per protocol, per protected data pipe.
C. A set of SAs is needed, one per protocol only.
D. A set of SAs is needed, per protocol, per protected data pipe.
Answer: B

QUESTION NO: 4
The graphic shows the output from the show failover command. This unit is active and the other unit is standby. For an unknown reason, the failover is triggered and this unit has become standby. We enter the command "show failover" again. What shall we see as the IP address of the [active-interface-inside]?
A. 172.29.1.2
B. 192.168.89.1
C. 0.0.0.0
D. 172.29.1.1
Answer: D

QUESTION NO: 5
Which of the following statements is not true regarding the DNS Guard?
A. If disabled, it can be enabled by the command: fixed protocol dns 53
B. The default UDP timer expires in two minutes.
C. It immediately tears down the UDP conduit on the PIX Firewall as soon as the DNS response is received.
D. It protects against UDP session hijacking and denial of service attacks.
Answer: A

QUESTION NO: 6
In helping the user to choose the right IPSec transform combinations, the following rules apply: (Choose all that apply)
A. To provide authentication services for the transform set, include an AH transform.
B. For authentication services, include an ESP authentication transform.
C. To provide data authentication for the data and the outer IP header, include an AH transform.
D. For data confidentiality, include an ESP encryption transform.
E. MD5 is stronger than SHA.
Answer: A, B, C, D

QUESTION NO: 7
What is the command that enables IPSec traffic to bypass the check of conduit or access-group command statements?
A. conduit permit ip any any all
B. access-list acl_out permit tcp any any all
   access-group acl_out interface outside
C. sysopt connection permit-ipsec
D. conduit permit tcp any any all
Answer: C

QUESTION NO: 8
All of the following statements are true, except:
A. Use the nat command to let users on the respective interfaces start outbound connections. Associate the nat id with the global-id in the global command.
B. An interface is always outside when compared to another interface that has a higher security level.
C. Use a single default route statement to the outside interface only. Set the default route with the ip route command.
D. To permit access to servers on protected networks, use the static and conduit commands.
E. Packets cannot flow between interfaces that have the same security level.
Answer: C

QUESTION NO: 9
Which of the following statements are not true? (Choose all that apply)
A. The DMZ interface can be considered an inside or an outside interface.
B. The DMZ interface is always considered inside.
C. Traffic originating from the inside interface to the outside interface of the PIX Firewall will be allowed to flow unless restricted by access lists.
D. Traffic originating from the outside interface to the inside interface of the PIX Firewall will be dropped unless specifically allowed.
E. The DMZ interface is always considered outside.
Answer: B, E

QUESTION NO: 10
The Adaptive Security Algorithm (ASA) is the heart of the PIX Firewall. Choose the strict rules that ASA follows: (Choose all that apply)
A. The highest security interface is the inside interface.
B. The highest security interface is the outside interface.
C. No outbound packet can exit the PIX Firewall without a connection and state.
D. No packet, regardless of its direction, can traverse the PIX Firewall without a connection or state.
E. No inbound packet can enter the PIX Firewall without a connection and state.
Answer: A, D

QUESTION NO: 11
Which statements about the PIX Firewall in VoIP environments are true? (Choose two)
A. The PIX Firewall does not support the popular call setup protocol SIP because TCP can be used for call setup.
B. The PIX Firewall allows SCCP signaling and media packets to traverse the PIX Firewall and interoperate with H.323 terminals.
C. The PIX Firewall supports the Skinny Client Control Protocol, which allows you to place IP phones and Call Manager on separate sides of the PIX Firewall.
D. Users behind the PIX Firewall can place outbound calls with IP phones because they use HTTP tunneling to route packets through port 80, making them appear as web traffic.
Answer: B, C

QUESTION NO: 12
Your organization's web traffic has come to a halt because your PIX Firewall is dropping all new connection attempts. Why?
A. You are running a software version older than 5.2, and the embryonic threshold you set in the static command was reached.
B. The shun feature of the PIX Firewall has taken effect because the embryonic threshold you set in the nat command was reached.
C. The TCP Intercept feature of the PIX Firewall has taken effect because the embryonic threshold you set in the static command was reached.
D. The intrusion detection feature of the PIX Firewall has taken effect because the embryonic threshold you set in the conduit command was reached.
Answer: A

QUESTION NO: 13
Which tasks can be performed from the Access Rules tab? (Choose three)
A. Configure translation rules
B. Configure Cisco Secure ACS
C. Configure access rules
D. Define Java and ActiveX filtering rules
E. Configure command authorization
F. Create service groups and apply them to ACLs
Answer: C, D, F

QUESTION NO: 14
Where in PDM do you go to add, delete, or view global pools of addresses to be used by NAT?
A. Global Pools tab
B. System Properties tab
C. Manage Pools button on the Translation Rules tab
D. IP Address Pools button on the VPN tab
Answer: C

QUESTION NO: 15
Which step is optional when creating a crypto map on the PIX Firewall?
A. Create a crypto map entry identifying the crypto map with a unique crypto map name and sequence number.
B. Specify which transform sets are allowed for this crypto map entry.
C. Specify a dynamic crypto map to act as a policy template where the missing parameters are later dynamically configured to match a peer's requirements.
D. Assign an ACL to the crypto map entry.
E. Specify the peer to which IPSec-protected traffic can be forwarded.
Answer: C

QUESTION NO: 16
Which type of downloadable ACLs is best when there are frequent requests for downloading a large ACL?
A. Named ACLs
B. Unnamed ACLs
C. Dynamic ACLs
D. Static ACLs
Answer: A

QUESTION NO: 17
Why is the group tag in the aaa-server command important?
A. The aaa command references the group tag to know where to direct authentication, authorization, or accounting traffic.
B. The group tag identifies which users require authorization to use certain services.
C. The group tag identifies which user groups must authenticate.
D. The group tag enables or disables user authentication services.
Answer: A

QUESTION NO: 18
You have already created an ACL named ACLIN to permit traffic from certain Internet hosts to the web server on your DMZ. How do you make the ACL work for you?
(Choose two)
A. Bind the ACL to the DMZ interface
B. Bind the ACL to the inside interface
C. Bind the ACL to the outside interface
D. Create a static mapping for the DMZ server
E. Create a static mapping for the web server
F. Create a conduit mapping for the web server
Answer: C, E

QUESTION NO: 19
Cisco PDM consists of five major configuration areas. Choose these areas.
A. Monitoring
B. Hosts or networks
C. Access rules
D. System properties
E. Preferences
F. Translation rules
Answer: A, B, C, D, F

QUESTION NO: 20
How does the PIX Firewall know where to get the addresses to use for any NAT configuration?
A. From the nat_id in the static command
B. You can have only one global pool of addresses, so the PIX Firewall knows that NAT uses the addresses in the global pool established by the global command
C. From the nat_id in the nat command
D. From the nat_id in the dhcp address command
Answer: C

QUESTION NO: 21
What is the purpose of the access-group command?
A. Bind an ACL to an interface
B. Create an object group
C. Create an access group
D. Unbind the acl_ID from the interface interface_name
Answer: A

QUESTION NO: 22
Which statements about security level 100 are true? (Choose two)
A. It is the lowest security level.
B. It is the highest security level.
C. It is the least-trusted security level.
D. By default it is designated for the inside interface of the PIX Firewall.
E. It is not currently a configurable security level. It is reserved for future use.
F. By default, it is designated for the outside interface of the PIX Firewall.
Answer: B, D

QUESTION NO: 23
Which statements about the PIX Firewall's DHCP capabilities are true?
(Choose two)
A. It can be a DHCP server.
B. It cannot be a DHCP client.
C. You must remove a configured domain name.
D. It can be a DHCP server and client simultaneously.
E. It cannot pass configuration parameters it receives from another DHCP server to its own DHCP clients.
F. The PIX Firewall's DHCP server can be configured to distribute the IP addresses of up to four DNS servers to its clients.
Answer: A, D

QUESTION NO: 24
The LAN-based failover you configured does not work. Why? (Choose two)
A. You used a hub for failover operation.
B. You used a switch for failover operation.
C. You used a dedicated VLAN for failover operation.
D. You did not set a failover IP address.
E. You did not use a crossover Ethernet cable between the two PIX Firewalls.
F. You used a crossover Ethernet cable between the two PIX Firewalls.
Answer: D, F
Explanation:
LAN-Based Failover: It is recommended that you connect the Primary and Secondary PIXes with a dedicated switch. Do not use crossover cables. In the diagram above, a Cisco Catalyst 3500 switch connects the Primary and Secondary PIXes. The LAN failover and stateful failover links are in different VLANs, VLAN 10 and VLAN 20, respectively. The inside-router and outside-router are used only for the sake of testing connectivity.

QUESTION NO: 25
How are LAN-based failover and serial failover alike?
A. Both require that all configuration is performed on the primary PIX Firewall.
B. Both require the use of a special serial cable.
C. They are configured with the same command set.

QUESTION NO: 118
Without stateful failover, how are active connections handled?
A. Connections are maintained between the PIX and the failover unit.
B. Dropped
C. UDP connections are maintained.
D. TCP connections are maintained.
Answer: B

QUESTION NO: 119
What is the purpose of the "fixup protocol" commands?
A. To identify what protocols are permitted through the PIX
B. To change the PIX Firewall application protocol feature
C. To identify what protocols are to be blocked by the PIX
D. To map a protocol to a TCP or UDP port
Answer: B

QUESTION NO: 120
In what version of IOS was the "ip port-map" command introduced?
A. 13.(1)
B. 12.1
C. 11.0(1)
D. 12.0(5)T
Answer: D

QUESTION NO: 121
What is the first step in configuring IPSec without a CA?
A. Crypto
B. ISAKMP
C. IKE
D. IPSEC
Answer: C

QUESTION NO: 122
How do you delete the following PAM entry?
ip port-map http port 81
A. clear ip port-map http port 81
B. This is a system-defined entry and cannot be deleted.
C. no ip port-map http port 81
D. delete ip port-map http port 81
Answer: C

QUESTION NO: 123
What is the purpose of the outbound access-list in a CBAC solution?
A. To block all traffic; CBAC will then inspect the traffic and allow legitimate traffic out.
B. It identifies the packets you want inspected by CBAC.
C. There is no need for an outbound access-list in a CBAC solution.
D. To identify legitimate inbound traffic from the Internet.
Answer: B

QUESTION NO: 124
What does the "crypto access-list" command accomplish?
A. There is no such access list.
B. It blocks non-encrypted traffic.
C. It identifies crypto map statements.
D. It identifies which traffic is to be encrypted.
Answer: D

QUESTION NO: 125
"Logging timestamp" specifies that syslog messages sent to the syslog server should have a time stamp value on each message.
A. True
B. False
Answer: A

QUESTION NO: 126
What is the layer-4 difference between RADIUS and TACACS+?
A. RADIUS uses TCP and TACACS+ uses UDP.
B. RADIUS uses UDP and TACACS+ uses TCP.
C. TACACS+ uses FTP and RADIUS uses TFTP.
D. There is no layer-4 difference between RADIUS and TACACS+.
Answer: B

QUESTION NO: 127
What two concepts are included in data authentication?
A. Anti-replay
B. Data origin authentication
C. Data integrity
D. Data confidentiality
Answer: B, C

QUESTION NO: 128
You decide you need more interfaces for your PIX 515 and you already have the unrestricted license installed. The PIX Firewall only shipped with Ethernet interfaces. You install a new Ethernet interface that you ordered from Cisco. After you power the PIX on, you assign an IP address to the interface and configure a nat and global statement for the new network. But users on the new network are unable to browse the Internet. What else do you need to do?
A. Enable the new interface in the configuration.
B. Add the "conduit permit any any" statement to your configuration.
C. Nothing. The problem is probably with the client workstations, not the PIX.
D. Add the Cisco client proxy software to each workstation on the new network.
Answer: A

QUESTION NO: 129
What are some advantages of using the PIX Firewall over other firewalls such as Microsoft Proxy?
A. No security problems from running on top of other operating systems
B. The PIX Firewall is plug and play; no configuration required
C. The PIX inspects lower layer protocols
D. The PIX does stateful packet inspection
E. One box solution
Answer: A, C, D, E

QUESTION NO: 130
How many interfaces does the PIX 515R support?
A B C D
Answer: A

QUESTION NO: 131
How do you configure a PAT address?
A. Nat (Outside) 1.1.1.1 1.1.1.1 255.255.255.255
B. IP PAT (Outside) 1.1.1.1 255.255.255.255
C. PAT (Outside) 1.1.1.1 255.255.255.255
D. Global (Outside) 1.1.1.1 1.1.1.1 255.255.255.255
Answer: D

QUESTION NO: 132
What are the two transport layer protocols?
A. TCP
B. IP
C. ICMP
D. UDP
Answer: A, D

QUESTION NO: 133
How many hello packets must be missed before the failover unit will become active?
A B C D
Answer: A

QUESTION NO: 134
Only one IPSec tunnel can exist between two peers.
A. False
B. True
Answer: A

QUESTION NO: 135
What are two purposes of NAT?
A. To build routing tables
B. To expedite packet inspection
C. To connect two separate interfaces
D. To conserve non-RFC1918 addresses
E. To hide internal servers' and workstations' real IP addresses from the Internet
Answer: D, E

QUESTION NO: 136
What does IKE Extended Authentication provide?
A. Authentication of multiple IPSec peers
B. Auto-negotiation of IPSec security associations
C. User authentication using RADIUS/TACACS+
Answer: C

QUESTION NO: 137
How do you view active NAT translations?
A. show nat-translations
B. show ip-nat translations
C. show xlate
D. show translations *
Answer: C

QUESTION NO: 138
Access-lists are supported with RADIUS authorization.
A. True
B. False
Answer: A

QUESTION NO: 139
How are transform sets selected in manually established security associations?
A. Transform sets are not used in manually established security associations.
B. Manually established security associations only have one transform set.
C. The first transform set is always used.
D. The first common transform set is used.
Answer: B

QUESTION NO: 140
What are the two licenses supported on the PIX 515?
A. Unrestricted
B. Limited
C. Restricted
D. Unlimited
Answer: A, C

QUESTION NO: 141
What is the purpose of the "clear access-list" command?
A. Remove an access-list from an interface
B. To clear all access-lists from the PIX
C. To clear all access-list counters
D. Invalid command
Answer: B

QUESTION NO: 142
At what layer of the OSI model does IPSec provide security?
A B C D
Answer: D

QUESTION NO: 143
A transform set is a combination of ___ and ___.
A. access-lists
B. crypto maps
C. security protocols
D. algorithms
Answer: C, D

QUESTION NO: 144
AAA stands for authentication, authorization, and:
A. application
B. accounting
C. access control
D. authenticity
Answer: B

QUESTION NO: 145
In CBAC, how are half-open sessions measured?
A. Both TCP and UDP half-open sessions are calculated.
B. Only UDP half-open sessions are calculated.
C. CBAC does not calculate half-open sessions.
D. Only TCP half-open sessions are calculated.
Answer: A

QUESTION NO: 146
What does DDOS stand for?
A. Distributed denial of service
B. Dedicated Department of Security
C. Dead, Denied, Out of Service
D. Demand denial of service
Answer: A

QUESTION NO: 147
What is the purpose of the "route 0" command?
A. To configure a static route
B. To enable routing on the PIX
C. To configure a default route
D. To route between interfaces
Answer: C

QUESTION NO: 148
You establish an IPSec tunnel with a remote peer. You verify by viewing the security associations. You view the security associations two days later and find they are not there. What is the problem?
A. This would not happen.
B. You have used an incorrect command to view the security associations.
C. Your PIX is not powered up.
D. No traffic was identified to be encrypted.
Answer: D

QUESTION NO: 149
In CBAC, where are dynamic access entries added?
A. A new access-list is configured for each access entry.
B. At the beginning of the access-list.
C. A separate access-list is created for access entries.
D. At the end of the access-list.
Answer: B

QUESTION NO: 150
How do you identify a syslog server on the PIX?
A. logging host 10.1.1.1
B. TFTP server 10.1.1.1
C. syslog-server 10.1.1.1
D. syslog server 10.1.1.1
Answer: A

QUESTION NO: 151
CBAC inspection can only be configured in one direction.
A. False
B. True
Answer: A

QUESTION NO: 152
What is anti-replay?
A. The IPSec peer will not accept old or duplicated packets.
B. The IPSec peer listens for all traffic from the IPSec peer (at the other end of the tunnel), so as not to require any resends.
C. The IPSec peer sends duplicates of each packet so as not to have to resend any packets.
D. The IPSec peer will not resend packets.
Answer: A

QUESTION NO: 153
During IPSec security association negotiation, if there are multiple transform sets, which one is used?
A. It does not matter.
B. The first common one.
C. The first one.
D. The last one.
Answer: B

QUESTION NO: 154
What three types of entries does the PAM table provide?
A. User defined
B. Internet specific
C. Host specific
D. System defined
Answer: A, C, D

QUESTION NO: 155
In AAA, what does the method keyword "local" mean?
A. That the AAA server is local
B. Deny if the login request is local
C. Use the local database for authentication
D. Authenticate if the login request is local
Answer: C

QUESTION NO: 156
At what frequency does the PIX send hello packets to the failover unit?
A. 15 seconds
B. 60 seconds
C. seconds
D. 20 seconds
Answer: A

QUESTION NO: 157
What command deletes all authentication proxy entries?
A. Clear ip authentication-proxy cache
B. Clear ip authentication-proxy cache all
C. Clear ip authentication-proxy cache *
D. Clear authentication-proxy all entries
Answer: C

QUESTION NO: 158
What is the purpose of the access-group command?
A. To apply an access-list to an interface
B. This is not a valid command on the PIX Firewall
C. To create an ACL
D. To group access-lists together
Answer: A

QUESTION NO: 159
Default "fixup protocol" commands cannot be disabled.
A. True
B. False
Answer: B

QUESTION NO: 160
What is the purpose of a syslog server?
A. To host websites
B. To collect system messages
C. To maintain current backup configurations
D. To maintain URL filtering information
Answer: B

QUESTION NO: 161
What is required for stateful failover on the PIX 515?
A. Unrestricted software license
B. Cisco failover cable
C. Cisco IOS failover feature set
D. Ethernet interfaces interconnected
Answer: A, B, D

QUESTION NO: 162
In CBAC, what is a state table?
A. A table containing access-list information
B. A table containing information about the state of CBAC
C. A table containing information about the state of the packet's connection
D. A table containing routing information
Answer: C

QUESTION NO: 163
What two commands are needed for inbound access?
A. Static
B. Access-list
C. PAT
D. NAT
Answer: A, B

QUESTION NO: 164
What are some application layer protocols that CBAC can inspect?
A. TFTP
B. TCP
C. SMTP
D. UDP
E. HTTP
F. FTP
Answer: A, C, E, F

QUESTION NO: 165
What does PAM do for CBAC?
A. PAM allows CBAC to associate non-standard port numbers with specific protocols.
B. PAM is required by CBAC to inspect traffic.
C. PAM is an alternative to using CBAC for packet inspection.
D. PAM is not compatible with CBAC.
Answer: A

QUESTION NO: 166
What is different about the PIX privileged access mode as opposed to the privileged access mode of a Cisco IOS router?
A. The "?" command does not work on the PIX.
B. No difference.
C. Each configuration command is automatically saved to flash.
D. The ability to view the running configuration from the configuration mode.
Answer: D
Explanation: You can do a show run from anywhere in the PIX and get the running configuration. In an IOS router you can only do it from router# (there is a way in the newer IOS to do it in a router: if you wanted to do it from router(config-if)# you would have to enter "do show run"). But what they are looking for is D.

QUESTION NO: 167
When configuring an ACL to identify traffic that requires encryption, two entries are needed: one for inbound traffic and one for outbound traffic.
A. True
B. False
Answer: B

QUESTION NO: 168
How do you change the activation key on the PIX?
A. Reset the PIX
B. With the checksum command
C. Copy a PIX image to the flash
D. The activation key cannot be changed
Answer: C

QUESTION NO: 169
How many interfaces does the PIX 506 support?
A B C D
Answer: B

QUESTION NO: 170
What is a CA?
A. Configured applications
B. Cisco authentication
C. Certificate authority
D. Command approval
Answer: C

... mean?
A B C D
The active PIX Firewall is working and the standby PIX Firewall is ready.
Monitoring the other PIX Firewall's network interface has not yet started.
The active PIX Firewall is waiting...

... about the PIX Firewall is true?
A. The PIX Firewall passes RIP updates between interfaces.
B. You cannot configure the PIX Firewall to learn routes dynamically from RIP version or RIP version broadcast...

... replication is automatic from the active PIX Firewall to the standby PIX Firewall.
D. The active PIX Firewall replicates only the failover configuration to the standby PIX Firewall.
Answer: C
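The PIX 6.x configuration fragment below is an added example; it is not part of the TestKing document or of any Cisco material. It strings together the commands that questions 1, 8, 12, 17, 18, 20, 21, 119, 125, 128, 131, 147, 150, 158 and 163 ask about on a three-interface PIX: enabling a new interface, pairing nat and global through the nat_id, a PAT fallback address, the default route, static plus access-list plus access-group for inbound access (with object groups collapsing the ACEs), fixup changes, syslog and the aaa-server group tag. Interface names, addresses, group names and the TACACS+ key are made up for illustration; lines beginning with ":" are PIX comments.

```cisco
: --- interfaces: a freshly installed card stays shut down until it gets a speed setting (Q128)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
: --- default route: "route outside 0 0", there is no "ip route" on the PIX (Q8, Q147)
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
: --- outbound translation: nat_id 1 on the nat lines selects the global pool tagged 1 (Q20)
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 10.2.2.0 255.255.255.0 0 0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
: a single-address global with the same nat_id is the PAT address used once the pool is exhausted (Q131)
global (outside) 1 192.0.2.21 netmask 255.255.255.255
: --- inbound access to DMZ web servers needs a static translation AND a permit rule (Q18, Q163)
: trailing "0 0" = max connections and embryonic (half-open) limit, 0 meaning unlimited;
: before 5.2 a reached embryonic limit meant new connections were dropped (Q12)
static (dmz,outside) 192.0.2.50 10.2.2.50 netmask 255.255.255.255 0 0
static (dmz,outside) 192.0.2.51 10.2.2.51 netmask 255.255.255.255 0 0
: object groups: one ACE covers every host/port combination instead of four separate lines (Q1)
object-group network DMZ_WEB
  network-object host 192.0.2.50
  network-object host 192.0.2.51
object-group service WEB_PORTS tcp
  port-object eq www
  port-object eq https
access-list ACLIN permit tcp any object-group DMZ_WEB object-group WEB_PORTS
: the ACL does nothing until bound to the interface the traffic arrives on (Q21, Q158)
access-group ACLIN in interface outside
: --- fixups are the application inspection engines; each default can be turned off or moved (Q119, Q159)
no fixup protocol smtp 25
fixup protocol http 8080
: --- syslog collector with timestamps on every message (Q125, Q150, Q160)
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.100
: --- the group tag (TACSRV) is what the aaa commands reference to find the server (Q17)
: PIX 6.2 syntax; 6.1 and earlier write "outbound" in place of the interface name
aaa-server TACSRV protocol tacacs+
aaa-server TACSRV (inside) host 10.1.1.5 s3cr3tkey timeout 10
aaa authentication include http inside 0 0 0 0 TACSRV
```

Two checks a practitioner would run after pasting this: "show xlate" (Q137) to confirm the static entries and dynamic translations exist, and "show access-list ACLIN" to see the hit counts climb when a test connection to 192.0.2.50 is made from outside; if the counter stays at zero, the access-group binding is the first thing to re-check.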
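The fragment below is an added example (not from the TestKing document or Cisco) of a pre-shared-key site-to-site IPSec tunnel on a PIX 6.x, covering the IKE-first ordering (Q121), the single-entry crypto ACL that the PIX mirrors for the return direction (Q124, Q167), the transform set as protocols plus algorithms (Q6, Q143), the crypto map steps of which only the dynamic map is optional (Q15), sysopt connection permit-ipsec (Q7) and the SA lifecycle (Q3, Q148, Q153). The peer address, networks, key and names are made up; lines beginning with ":" are PIX comments.

```cisco
: --- IKE (phase 1) is configured before the IPSec policy that depends on it (Q121)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: pre-shared key bound to the single peer address (key is a placeholder)
isakmp key Th1sIsAPreSharedKey address 203.0.113.2 netmask 255.255.255.255
: --- crypto ACL: ONE entry names the traffic to encrypt; the PIX derives the inbound match itself (Q124, Q167)
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
: exempt the same traffic from NAT so the real addresses travel inside the tunnel
nat (inside) 0 access-list VPN
: --- transform set = security protocol(s) + algorithm(s): ESP encryption for confidentiality,
: ESP-HMAC for data authentication; add an AH transform only if the outer header must be authenticated (Q6, Q143)
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
: --- crypto map entry: name + sequence, ACL, peer, transform set(s); a dynamic map is only
: needed for peers whose address is unknown in advance, so it is the optional step (Q15)
crypto map SITE2SITE 10 ipsec-isakmp
crypto map SITE2SITE 10 match address VPN
crypto map SITE2SITE 10 set peer 203.0.113.2
crypto map SITE2SITE 10 set transform-set STRONG
crypto map SITE2SITE interface outside
: --- let decrypted traffic skip the interface ACL / conduit checks (Q7)
sysopt connection permit-ipsec
: --- verification (exec mode): "show isakmp sa" then "show crypto ipsec sa".
: IPSec SAs exist only while interesting traffic keeps them alive: expect one inbound and one
: outbound SA per protocol per protected pipe (Q3); when the lifetime expires and no traffic
: matches the crypto ACL, the SAs simply disappear (Q148). With several transform sets listed,
: the first one both peers share is chosen (Q153).
```

If two transform sets are listed on the "set transform-set" line, order them strongest first: negotiation walks the list in order and stops at the first common match, so a weak set placed first will be selected whenever the peer supports it.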
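The following PIX 6.2 failover fragment is an added example (not from the TestKing document or Cisco) for the primary unit of a pair, showing what questions 4, 24, 25, 118, 156 and 161 test: a failover IP address on every interface, the dedicated stateful link, LAN-based failover in place of the serial cable, and the 15-second hello interval. Interface names, addresses and the LAN failover key are invented; lines beginning with ":" are PIX comments.

```cisco
: --- enable failover on the primary; the secondary receives the whole configuration by replication,
: so all configuration is done here (Q25)
failover
: hello interval in seconds, 15 by default; lower values detect a dead peer sooner at the cost
: of false failovers on a congested link (Q156)
failover poll 15
: --- a standby address on EVERY interface: the system address always follows the active unit,
: the failover address the standby unit. After a switchover, "show failover" on the now-active
: unit shows the system address (e.g. 172.29.1.1 in Q4) for the inside interface, not the
: standby address. A missing failover ip address is one reason LAN-based failover stays down (Q24).
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address dmz 10.2.2.2
failover ip address stateful 10.3.3.2
failover ip address lanfail 10.4.4.2
: --- stateful failover: an unrestricted license, a dedicated interconnected Ethernet interface
: and (for serial failover) the failover cable (Q161). Without it TCP connections are dropped
: on switchover; with it the connection table is replicated (Q118).
nameif ethernet3 stateful security60
interface ethernet3 100full
ip address stateful 10.3.3.1 255.255.255.0
failover link stateful
: --- LAN-based failover: replaces the serial cable with an Ethernet link. Connect both units to a
: switch on a dedicated VLAN; a crossover cable between the units is not supported (Q24).
nameif ethernet4 lanfail security70
interface ethernet4 100full
ip address lanfail 10.4.4.1 255.255.255.0
failover lan unit primary
failover lan interface lanfail
failover lan key f41lov3rk3y
failover lan enable
```

On the secondary unit only the LAN failover interface, its address, "failover lan unit secondary", the same key and "failover lan enable" need to be entered by hand; everything else, including the failover ip address lines, arrives through configuration replication once the link is up.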
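The IOS configuration below is an added example (not from the TestKing document or Cisco) for the CBAC and PAM questions 120 to 123, 145, 149, 151, 154, 157, 162, 164 and 165: a user-defined PAM entry that maps port 81 to HTTP, an inspection rule over the application protocols CBAC understands, the half-open session thresholds, and the two ACLs whose roles the questions ask about. Interface names, addresses and the rule name are invented; lines beginning with "!" are IOS comments.

```cisco
! IOS 12.0(5)T or later is required for ip port-map (Q120)
! PAM: user-defined entry so CBAC parses HTTP on port 81; "no ip port-map http port 81" removes it (Q122).
! PAM also holds system-defined entries (e.g. http 80) and host-specific ones keyed to an ACL (Q154).
ip port-map http port 81
! inspection rule: generic tcp/udp plus the application-layer engines that follow dynamic ports (Q164, Q165)
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http
ip inspect name FW ftp
ip inspect name FW smtp
ip inspect name FW tftp
! half-open (embryonic) session thresholds; both TCP and UDP half-open sessions count (Q145)
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! outbound ACL on the inside interface: it selects the packets CBAC inspects (Q123)
ip access-list extended OUTBOUND
 permit ip 10.1.1.0 0.0.0.255 any
! inbound ACL on the outside interface: denies everything by default. CBAC inserts temporary
! permit entries for return traffic at the BEGINNING of this list (Q149), based on its
! state table of live connections (Q162)
ip access-list extended INBOUND
 permit icmp any any unreachable
 deny ip any any log
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip access-group OUTBOUND in
interface FastEthernet0/1
 description outside
 ip address 192.0.2.1 255.255.255.0
 ip access-group INBOUND in
 ip inspect FW out
! a rule can be applied in both directions on an interface if inbound sessions must be
! inspected as well (Q151); authentication-proxy entries, when auth-proxy is configured, are
! flushed from exec mode with: clear ip auth-proxy cache *   (Q157)
```

To confirm the mechanism, start an outbound HTTP session from 10.1.1.0/24 and run "show ip inspect sessions" and "show ip access-lists INBOUND": the session appears in the state table and a temporary permit for the reply five-tuple is listed ahead of the static "deny ip any any log" entry; once the session closes or idles out, both vanish.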

Posted: 18/10/2013, 18:15
