Document information
Pages: 103
Size: 1.13 MB
Contents
9E0-111 (CSPFA)
Cisco Secure PIX Firewall Advanced
Version 4.0
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 2 -
Important Note, Please Read Carefully
Study Tips
This product provides questions and answers along with detailed explanations, carefully
compiled and written by our experts. Try to understand the concepts behind the questions
instead of cramming the questions. Go through the entire document at least twice so that
you make sure you are not missing anything.
Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at
http://www.testking.com/index.cfm?pageid=724
Latest Version
We are constantly reviewing our products. New material is added and old material is revised.
Free updates are available for 90 days after the purchase. You should check your member
zone at TestKing for an update 3-4 days before the scheduled exam date.
Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click
the links.
For most updates, it is enough just to print the new questions at the end of the new version,
not the whole document.
Feedback
Feedback on specific questions should be sent to feedback@testking.com. You should state:
exam number and version, question number, and login ID.
Our experts will answer your mail promptly.
Explanations
Currently this product does not include explanations. If you are interested in providing
TestKing with explanations, contact feedback@testking.com. Include the following
information: exam, your background regarding this exam in particular, and what you consider
a reasonable compensation for the work.
Copyright
Each pdf file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular pdf file is being
distributed by you, TestKing reserves the right to take legal action against you according to
the International Copyright Laws.
Note:
Section A contains 100 questions.
Section B contains 57 questions.
Section C contains 170 questions.
The total number of questions is 327.
Section A
QUESTION NO: 1
You are the network security administrator for an enterprise network with a complex
security policy.
Which PIX Firewall feature should you configure to minimize the number of ACLs
needed to implement your policy?
A. ASA
B. Packet capture
C. Turbo ACLs
D. IP helper
E. Object grouping
Answer: E
QUESTION NO: 2
IPSec works with which switching paths:
A. Process switching
B. Optimum switching
C. Fast switching
D. Flow switching
Answer: A
QUESTION NO: 3
Speaking of Security Association requirements, which of the following statements is
true?
A. A set of SAs are needed, one per direction, per protected data pipe.
B. A set of SAs are needed, one per direction, per protocol, per protected data pipe.
C. A set of SAs are needed, one per protocol only.
D. A set of SAs are needed, per protocol, per protected data pipe.
Answer: B
QUESTION NO: 4
The graphic shows the output from the show failover command. This unit is active and
the other unit is Standby. For an unknown reason, the failover is triggered and this unit
has become Standby.
We enter the command “show failover” again.
What will we see as the IP address of [active-interface-inside]?
A. 172.29.1.2
B. 192.168.89.1
C. 0.0.0.0
D. 172.29.1.1
Answer: D
QUESTION NO: 5
Which of the following statements is not true regarding the DNS Guard?
A. If disabled, can be enabled by the command: fixed protocol dns 53
B. The default UDP time expires in two minutes.
C. Immediately tears down the UDP conduit on the PIX Firewall as soon as the DNS
response is received.
D. Protects against UDP session hijacking and denial of service attacks.
Answer: A
QUESTION NO: 6
When choosing IPSec transform combinations, the following rules apply: (Choose all
that apply)
A. To provide authentication services for the transform set, include an AH transform.
B. For authentication services include an ESP authentication transform.
C. To provide data authentication for the data and the outer IP header, include an AH
transform.
D. For data confidentiality include an ESP encryption transform.
E. MD5 is stronger than SHA.
Answer: A, B, C, D
QUESTION NO: 7
What is the command that enables IPSec traffic to bypass the check of conduit or
access-group command statements?
A. conduit permit ip any any all
B. access-list acl_out permit tcp any any all access-group acl_out interface outside
C. sysopt connection permit-ipsec
D. conduit permit tcp any any all
Answer: C
QUESTION NO: 8
All of the following statements are true, except:
A. Use the nat command to let users on the respective interfaces start outbound
connections. Associate the nat_id with the global_id in the global command.
B. An interface is always outside when compared to another interface that has a higher
security level.
C. Use a single default route statement to the outside interface only.
Set the default route with the ip route command.
D. To permit access to servers on protected networks, use the static and conduit commands.
E. Packets cannot flow between interfaces that have the same security level.
Answer: C
QUESTION NO: 9
Which of the following statements are not true: (Choose all that apply)
A. DMZ interface can be considered an inside, or outside interface.
B. DMZ interface is always considered inside.
C. Traffic originating from the inside interface to the outside interface of the PIX Firewall
will be allowed to flow unless restricted by access lists.
D. Traffic originating from the outside interface to the inside interface of the PIX Firewall
will be dropped unless specifically allowed.
E. DMZ interface is always considered outside.
Answer: B, E
QUESTION NO: 10
Adaptive Security Algorithm (ASA) is the heart of the PIX Firewall. Choose the strict
rules that ASA follows: (Choose all that apply)
A. The highest security interface is the inside interface.
B. The highest security interface is the outside interface.
C. No outbound packet can exit the PIX Firewall without a connection and state.
D. No packet, regardless of its direction, can traverse the PIX Firewall without a
connection or state.
E. No inbound packet can enter the PIX Firewall without a connection and state.
Answer: A, D
QUESTION NO: 11
Which statements about the PIX Firewall in VoIP environments are true? (Choose two)
A. The PIX Firewall does not support the popular call setup protocol SIP because TCP
can be used for call setup.
B. The PIX Firewall allows SCCP signaling and media packets to traverse the PIX
Firewall and interoperate with H.323 terminals.
C. The PIX Firewall supports the Skinny Client Control Protocol, which allows you to
place IP phones and Call Manager on separate sides of the PIX Firewall.
D. Users behind the PIX Firewall can place outbound calls with IP phones because they
use HTTP tunneling to route packets through port 80, making them appear as web
traffic.
Answer: B, C
QUESTION NO: 12
Your organization’s web traffic has come to a halt because your PIX Firewall is
dropping all new connection attempts. Why?
A. You are running a software version older than 5.2, and the embryonic threshold you
set in the static command was reached.
B. The shun feature of the PIX Firewall has taken effect because the embryonic threshold
you set in the nat command was reached.
C. The TCP Intercept feature of the PIX Firewall has taken effect because the embryonic
threshold you set in the static command was reached.
D. The intrusion detection feature of the PIX Firewall has taken effect because the
embryonic threshold you set in the conduit command was reached.
Answer: A
QUESTION NO: 13
Which tasks can be performed from the Access Rules tab? (Choose three)
A. Configure translation rules.
B. Configure CiscoSecure ACS.
C. Configure access rules.
D. Define Java and ActiveX filtering rules.
E. Configure command authorization.
F. Create service groups and apply them to ACLs.
Answer: C, D, F
QUESTION NO: 14
Where in PDM do you go to add, delete, or view global pools of addresses to be used by
NAT?
A. Global Pools tab
B. System Properties tab
C. Manage Pools button on the Translation Rules tab
D. IP Address Pools button on the VPN tab
Answer: C
QUESTION NO: 15
Which step is optional when creating a crypto map on the PIX Firewall?
A. Create a crypto map entry identifying the crypto map with a unique crypto map name
and sequence number.
B. Specify which transform sets are allowed for this crypto map entry.
C. Specify a dynamic crypto map to act as a policy template where the missing
parameters are later dynamically configured to match a peer’s requirements.
D. Assign an ACL to the crypto map entry.
E. Specify the peer to which IPSec-protected traffic can be forwarded.
Answer: C
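The crypto map steps listed in Q15, the transform-set rules of Q6 and the bypass command of Q7 are easiest to see together in one LAN-to-LAN configuration. The fragment below is an added example in PIX 6.x syntax; it is not taken from the TestKing material or from Cisco documentation, and the peer address, network ranges, map and transform-set names and the pre-shared key are assumed values. Lines starting with a colon are PIX comments.

```text
: --- IKE phase 1 (ISAKMP) on the outside interface ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Pre-shared key bound to the single peer (assumed value; use a long random key).
isakmp key Th1s-Is-An-Assumed-PSK address 198.51.100.1 netmask 255.255.255.255

: --- Transform set (Q6): ESP encryption for confidentiality plus an ESP HMAC
: for data authentication. Add an AH transform only when the outer IP header
: must be authenticated as well. ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

: --- Interesting traffic (Q15 step D): real addresses on both sides, and the
: same ACL exempts that traffic from NAT so the peer sees 10.0.0.0/24 ---
access-list VPN_TRAFFIC permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list VPN_TRAFFIC

: --- Crypto map entry: name and sequence number (step A), ACL (D),
: peer (E), allowed transform sets (B) ---
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address VPN_TRAFFIC
crypto map MYMAP 10 set peer 198.51.100.1
crypto map MYMAP 10 set transform-set ESP-3DES-SHA

: --- Optional step (C): a dynamic map entry acts as a template for peers whose
: address is not known in advance (remote-access clients). Static entries keep
: the lower sequence numbers so they are evaluated first. ---
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map MYMAP 20 ipsec-isakmp dynamic DYNMAP

: --- Apply the map and let decrypted traffic bypass the interface ACL (Q7) ---
crypto map MYMAP interface outside
sysopt connection permit-ipsec
```

Without sysopt connection permit-ipsec, traffic arriving through the tunnel is still evaluated against the ACL bound to the outside interface, so a tunnel can come up (show isakmp sa, show crypto ipsec sa) while application traffic is silently dropped. The bypass applies to every IPSec peer at once, so the match-address ACL of each map entry becomes the only filter on decrypted traffic; keep it as narrow as the policy allows.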
QUESTION NO: 16
Which type of downloadable ACLs are best when there are frequent requests for
downloading a large ACL?
A. Named ACLs
B. Unnamed ACLs
C. Dynamic ACLs
D. Static ACLs
Answer: A
QUESTION NO: 17
Why is the group tag in the aaa-server command important?
A. The aaa command references the group tag to know where to direct authentication,
authorization, or accounting traffic.
B. The group tag identifies which users require authorization to use certain services.
C. The group tag identifies which user groups must authenticate.
D. The group tag enables or disables user authentication services.
Answer: A
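The following fragment shows what the group tag in Q17 actually links: the aaa-server lines define the tag, and every aaa command then names that tag to select the servers. It is an added example, not from the TestKing material; the server addresses, the tag MYTACACS and the shared key are assumptions, and the commands use the PIX 6.2 include form. Lines starting with a colon are PIX comments.

```text
: --- Define the server group. MYTACACS is the group tag; two hosts in the
: same group give server failover in the order listed. ---
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.50 Assumed-Shared-Key timeout 10
aaa-server MYTACACS (inside) host 10.0.0.51 Assumed-Shared-Key timeout 10

: --- Cut-through proxy: every aaa command ends with the group tag, which is
: how the PIX knows where to send the authentication, authorization and
: accounting traffic (Q17). Format: service if_name local_ip local_mask
: foreign_ip foreign_mask group_tag; 0 0 0 0 means any host to any host. ---
aaa authentication include http inside 0 0 0 0 MYTACACS
aaa authorization include any inside 0 0 0 0 MYTACACS
aaa accounting include any inside 0 0 0 0 MYTACACS

: --- Management logins to the PIX itself use the same tag ---
aaa authentication telnet console MYTACACS
aaa authentication enable console MYTACACS
```

Authorization (the second include line) is only available with TACACS+, which is why the protocol is fixed on the first aaa-server line for the whole group. Define the tag before any aaa command refers to it, and check the result with show aaa-server and a test login; a typo in the tag on one aaa line silently sends that service to a different server group.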
QUESTION NO: 18
You have already created an ACL named ACLIN to permit traffic from certain Internet
hosts to the web server on your DMZ.
How do you make the ACL work for you? (Choose two)
A. Bind the ACL to the DMZ interface.
B. Bind the ACL to the inside interface.
C. Bind the ACL to the outside interface.
D. Create a static mapping for the DMZ server.
E. Create a static mapping for the web server.
F. Create a conduit mapping for the web server.
Answer: C, E
QUESTION NO: 19
Cisco PDM consists of five major configuration areas. Choose these areas.
A. Monitoring
B. Hosts or networks
C. Access rules
D. System properties
E. Preferences
F. Translation rules
Answer: A, B, C, D, F
QUESTION NO: 20
How does the PIX Firewall know where to get the addresses to use for any NAT
configuration?
A. From the nat_id in the static command.
B. You can have only one global pool of addresses, so the PIX Firewall knows that NAT
uses the addresses in the global pool established by the global command.
C. From the nat_id in the nat command.
D. From the nat_id in the dhcp address command.
Answer: C
QUESTION NO: 21
What is the purpose of the access-group command?
A. Bind an ACL to an interface.
B. Create an object group.
C. Create an access group.
D. Unbind the acl_ID from the interface interface_name
Answer: A
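The pieces asked about in Q1 (object groups), Q8 (default route), Q12 (embryonic limit), Q18 (static plus ACL for a DMZ server), Q20 (nat_id linking nat and global) and Q21 (access-group) fit into one PIX 6.2-style configuration. The fragment below is an added example, not taken from the TestKing material or from Cisco documentation; interface names, addresses (documentation ranges) and object-group names are assumptions. Lines starting with a colon are PIX comments.

```text
: --- Interfaces and security levels (Q22: inside = 100, outside = 0) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0

: --- Outbound: nat_id 1 in the nat command selects global pool 1 (Q20) ---
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
global (outside) 1 192.0.2.10-192.0.2.100 netmask 255.255.255.0
: A single address in the same pool id is used for PAT once the range is exhausted.
global (outside) 1 192.0.2.101 netmask 255.255.255.255

: --- Inbound: static mapping for the DMZ web server (Q18) ---
: max_conns 1000, emb_limit 100. On 5.2 and later the embryonic limit turns on
: TCP Intercept for this server instead of dropping new connections (Q12).
static (dmz,outside) 192.0.2.5 172.16.0.5 netmask 255.255.255.255 1000 100

: --- Object groups (Q1): three sources x two ports would be six ACEs ---
object-group network WEB_CLIENTS
  network-object host 203.0.113.7
  network-object host 203.0.113.8
  network-object 203.0.113.64 255.255.255.192
object-group service WEB_PORTS tcp
  port-object eq www
  port-object eq https

: The ACL on the outside interface names the global (translated) address
: 192.0.2.5, not the real DMZ address 172.16.0.5.
access-list ACLIN permit tcp object-group WEB_CLIENTS host 192.0.2.5 object-group WEB_PORTS
access-list ACLIN deny ip any any

: --- Bind the ACL inbound on the outside interface (Q18, Q21) ---
access-group ACLIN in interface outside

: --- Default route: the PIX command is route, not ip route (Q8) ---
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

show access-list ACLIN displays the object-group line expanded into its individual entries, which is the quickest way to confirm that the grouping produced exactly the combinations intended and nothing broader. The trailing deny is already implicit on the PIX; writing it out makes denied traffic visible in the output. The conduit command is the older mechanism and is not needed once an ACL is bound; mixing conduits and access-group on one firewall makes the effective policy hard to audit.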
QUESTION NO: 22
Which statements about security level 100 are true? (Choose two)
A. It is the lowest security level.
B. It is the highest security level.
C. It is the least-trusted security level.
D. By default it is designated for the inside interface of the PIX Firewall.
E. It is not currently a configurable security level. It is reserved for future use.
F. By default, it is designated for the outside interface of the PIX Firewall.
Answer: B, D
QUESTION NO: 23
Which statements about the PIX Firewall’s DHCP capabilities are true? (Choose two)
A. It can be a DHCP server.
B. It cannot be a DHCP client.
C. You must remove a configured domain name.
D. It can be a DHCP server and client simultaneously.
E. It cannot pass configuration parameters it receives from another DHCP server to its
own DHCP clients.
F. The PIX Firewall’s DHCP server can be configured to distribute the IP address of up
to four DNS servers to its clients.
Answer: A, D
QUESTION NO: 24
The LAN-based failover you configured does not work. Why? (Choose two)
A. You used a hub for failover operation.
B. You used a switch for failover operation.
C. You used a dedicated VLAN for failover operation.
D. You did not set a failover IP address.
E. You did not use a crossover Ethernet cable between the two PIX Firewalls.
F. You used a crossover Ethernet cable between the two PIX Firewalls.
Answer: D, F
Explanation:
LAN-Based Failover
It is recommended that you connect the Primary and Secondary PIXes with a
dedicated switch.
Do not use crossover cables. In the diagram above, a Cisco Catalyst 3500
switch connects the Primary and Secondary PIXes. The LAN failover and
stateful failover links are in different VLANs, VLAN 10 and VLAN 20,
respectively. The inside-router and outside-router are used only for the
sake of testing connectivity.
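A minimal LAN-based failover configuration that avoids both mistakes named in Q24: every interface gets a failover (standby) IP address, and the failover link goes through a switch rather than a crossover cable. This is an added example in PIX 6.2 syntax, not the TestKing material or a Cisco sample; interface names, addresses and the shared key are assumptions. Lines starting with a colon are PIX comments.

```text
: ===== Primary unit. All policy configuration is entered here and is
: replicated to the standby automatically. =====
: Dedicated interface for LAN-based failover, cabled to a switch port in its
: own VLAN (no crossover cable, Q24).
nameif ethernet3 failover security10
interface ethernet3 100full
ip address failover 10.255.255.1 255.255.255.0
: Standby addresses for every interface. Without these the interfaces
: cannot be monitored and failover never becomes operational (Q24).
failover ip address outside 192.0.2.3
failover ip address inside 10.0.0.2
failover ip address dmz 172.16.0.2
failover ip address failover 10.255.255.2
failover lan unit primary
failover lan interface failover
: Shared secret: failover messages and the replicated configuration (which
: carries passwords and pre-shared keys) cross this VLAN; the key protects them.
failover lan key Assumed-Failover-Key
failover lan enable
: Stateful failover may share this link or use a second interface in another VLAN.
failover link failover
: HELLO interval in seconds (15 is the default).
failover poll 15
failover

: ===== Secondary unit. Only the bootstrap needed to reach the primary;
: everything else arrives by replication. Note the same ip address line as
: the primary: the standby takes the failover ip address. =====
nameif ethernet3 failover security10
interface ethernet3 100full
ip address failover 10.255.255.1 255.255.255.0
failover ip address failover 10.255.255.2
failover lan unit secondary
failover lan interface failover
failover lan key Assumed-Failover-Key
failover lan enable
failover
```

show failover on either unit reports the unit's role and the state of each interface pair, together with the address each unit currently holds. The active unit always owns the system addresses (192.0.2.2, 10.0.0.1 and so on) and the standby always holds the failover addresses, so a failover swaps addresses between the two boxes rather than moving the active role onto the standby's addresses; that is the behaviour Q4 and the failover IP address questions rely on.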
QUESTION NO: 25
How are LAN-based failover and serial failover alike?
A. Both require that all configuration is performed on the primary PIX Firewall.
B. Both require the use of a special serial cable.
C. They are configured with the same command set.
[...]

QUESTION NO: 79
What PIX Firewall feature do you need when you have NIC-registered IP addresses on your
inside network that you want to be accessible on the outside network?
A. NAT
B. PAT
C. NAT+
D. PPPoE
Answer: C

QUESTION NO: 80
Which statement about installing the PIX-4FE and PIX-VPN-ACCEL cards in a PIX Firewall
535 model [...]
A. The PIX-VPN-ACCEL card must be installed in the 64-bit/22 MHz bus, and the PIX-4FE
card must be installed in the 32-bit/33 MHz bus.
B. They can be installed in either the 64-bit/66 MHz bus or the 32-bit/33 MHz bus; however,
installing them in the 64-bit/66 MHz bus achieves the best possible system performance.
C. They can be installed only in the 32-bit/33 MHz bus and must never be installed in a
64-bit/66 [...]

[...] PIX Firewall is ready.
Monitoring the other PIX Firewall’s network interface has not yet started.
The active PIX Firewall is waiting for configuration replication to be completed.
The primary PIX Firewall has finished testing the standby PIX Firewall’s interfaces and the
standby PIX Firewall is waiting to take control.
Answer: B

QUESTION NO: 46
Your new network administrator has recently modified your PIX [...]

[...] must configure the primary and secondary PIX Firewalls exactly the same.
B. Configuration can be modified on either the primary or secondary PIX Firewall with the
same result.
C. Configuration replication is automatic from the active PIX Firewall to the standby PIX
Firewall.
D. The active PIX Firewall replicates only the failover configuration to the standby PIX
Firewall.
Answer: C

QUESTION NO: 73
[...]

QUESTION NO: 41
Why create Turbo ACLs only on high-end PIX Firewall models, such as the PIX Firewall 525
or 535?
A. They are not supported in any of the low-end models, such as the 506.
B. Turbo ACLs require significant amounts of memory.
C. Turbo ACLs are processor-intensive.
D. Although Turbo ACLs improve ACL search time with any PIX Firewall model, they are
complicated [...]

[...] Your primary PIX Firewall is currently the active unit in your failover topology.
What will happen to the current IP addresses on the primary PIX Firewall if it fails?
A. They become those of the standby PIX Firewall.
B. The ones on the primary PIX Firewall remain the same, but the current IP addresses of
the secondary [...]

[...] the group name differs from the VPN group name on the PIX Firewall.
F. Ensure that the group name on the VPN Client matches the vpngroup name on the PIX
Firewall.
Answer: D, F

QUESTION NO: 68
Which statement about the PIX Firewall and virtual HTTP is true?
A. The PIX Firewall enables web browsers to work correctly with its HTTP authentication.
The PIX Firewall redirects the web browser’s initial connection [...]

QUESTION NO: 70
Which object group types can be created in the PIX Firewall? (Choose three)
A. Icmp-type
B. Service
C. Server host
D. ACL out
E. DHCP
F. Protocol
Answer: A, B, F

QUESTION NO: 71
Why is the ASA important for the PIX Firewall? (Choose three)
A. It monitors return packets to assure validity.
B. It allows two-way connections on all systems.
C. It allows one-way connection [...]

[...] closes UDP ports for secure multimedia connections.
It opens a large range of ports for these applications if you configure the PIX Firewall to
support multimedia.
Answer: C, E

QUESTION NO: 54
Which command sets the Telnet password to cisco?
A. enable telnet password cisco
B. telnet password cisco
C. password cisco
D. passwd cisco
Answer: D

QUESTION NO: 55
Which commands configure the PIX Firewall’s PPPoE client? [...]

[...] the sanity check of the PIX Firewall’s failover feature? (Choose all that apply)
A. Both PIX Firewalls exchange failover HELLO packets over the failover cable every 15
seconds.
B. With the Network Activity test, the PIX Firewall counts all received packets for up to 5
seconds. If no traffic is received, the PIX is declared nonoperational.