642-523

Securing Networks with PIX and ASA


QUESTION NO: 1
Which of these commands enables IKE on the outside interface?
A. nameif outside isakmp enable
B. int g0/0 ike enable (outbound)
C. isakmp enable outside
D. ike enable outside
Answer: C


QUESTION NO: 2
Refer to the exhibit. Select the command that will apply this policy map to an interface and the command that will apply it globally on the Cisco ASA. (Choose two.)

A. service-policy policy-map OUTSIDE_POLICY interface outside
B. service-policy OUTSIDE_POLICY global
C. policy-map OUTSIDE_POLICY interface outside
D. service-policy policy-map OUTSIDE_POLICY global
E. service-policy OUTSIDE_POLICY interface outside
F. policy-map OUTSIDE_POLICY global
Answer: B,E


QUESTION NO: 3
Refer to the exhibit. What will the adaptive security appliance do if it is configured as shown?

A. drop any HTTP connection request that contains the NewP2P1 and NewP2P2 strings and also uses the POST request method
B. drop any HTTP connection request that contains either the NewP2P1 or the NewP2P2 string, and also uses the POST request method
C. drop any HTTP connection request that contains either the NewP2P1 or the NewP2P2 string, or that uses the POST request method
D. drop any HTTP connection request that either contains the NewP2P1 and the NewP2P2 strings, or uses the POST request method
Answer: B


QUESTION NO: 4
Which command configures the Cisco ASA console for SSH access by a local user?
A. aaa authentication ssh console LOCAL
B. ssh console username sysadmin password cisco123
C. ssh username sysadmin password cisco123
D. aaa authentication ssh LOCAL
Answer: A


QUESTION NO: 5
When configuring a crypto ipsec transform-set command, how many unique transforms can a single transform set contain?
A. two
B. one
C. four
D. three
Answer: A


QUESTION NO: 6
Which of the following statements about the configuration of WebVPN on the Cisco ASA is true for Cisco ASA version 7.2?
A. WebVPN and Cisco ASDM cannot be enabled at the same time on the Cisco ASA.
B. WebVPN and Cisco ASDM cannot run on the same interface.
C. WebVPN and Cisco ASDM can only be enabled at the same time using the command line interface.
D. WebVPN and Cisco ASDM can both be enabled on the same interface, but must run on different TCP ports.
Answer: D

QUESTION NO: 7
Which of the following statements about adaptive security appliance failover is true?
A. The Cisco ASA and PIX security appliances support LAN-based and cable-based failover.
B. The PIX adaptive security appliance only supports LAN-based failover.
C. The Cisco ASA security appliance only supports cable-based failover.
D. The PIX adaptive security appliance supports LAN-based and cable-based failover.
Answer: D


QUESTION NO: 8
LAB

A. (conf t)# nat-control
Answer: A
Explanation:
# nat (inside) 1 10.0.3.0 255.255.255.0
# global (outside) 1 192.168.1.20-192.168.1.254
# copy run start


QUESTION NO: 9
An internet user is sending HTTP traffic to a DMZ server with the external address of 192.168.1.4. Which command will redirect HTTP traffic bound for the DMZ web server to its real IP address of 10.10.11.4?
A. static (dmz,outside) tcp 10.10.11.4 www 192.168.1.4 www
B. static (outside,dmz) tcp 192.168.1.4 www 10.10.11.4 www
C. static (dmz,outside) tcp 192.168.1.4 www 10.10.11.4 www
D. static (dmz,inside) udp 192.168.1.4 www 10.10.11.4 www
Answer: C


QUESTION NO: 10

Refer to the exhibit. The adaptive security appliance administrator needs to filter a single website on a host with the IP address 10.10.11.4, but allow access to all other websites. The administrator enters the commands shown and then executes them.
Which two tasks do these commands accomplish? (Choose two.)

A. cause URL requests to be filtered by the filtering host at the IP address 10.10.11.4
B. filter all URL requests
C. cause URL requests from the address 10.10.11.4 to be exempted from filtering
D. filter the URLs found at the host with the IP address 10.10.11.4
E. allow access to all websites except those hosted at IP address 10.10.11.4
F. only allow access to the websites hosted at the IP address 10.10.11.4
Answer: B,C


QUESTION NO: 11
An administrator is configuring a Cisco ASA for site-to-site VPN using pre-shared keys. Which two configuration modes and commands would the administrator configure when using a pre-shared key of 1234? (Choose two.)
A. asa(config-isakmp-policy)# authentication pre-shared-key 1234
B. asa(config)# tunnel-group name ipsec-attributes pre-shared-key 1234
C. asa(config-tunnel-general)# authentication pre-share
D. asa(config)# tunnel-group name general-attributes authentication pre-share
E. asa(config-isakmp-policy)# authentication pre-share
F. asa(config-tunnel-ipsec)# pre-shared-key 1234
Answer: E,F

QUESTION NO: 12
Which three types of information can be found in the syslog output for an adaptive security appliance? (Choose three.)
A. logging level
B. hostname of the packet sender
C. time stamp and date
D. default router
E. message text
F. interface packet received
Answer: A,C,E

QUESTION NO: 13
Which of these commands enables the DHCP server on the DMZ interface of the Cisco ASA with an address pool of 10.0.1.100-10.0.1.108 and a DNS server of 192.168.1.2?
A. dhcpd address range 10.0.1.100-10.0.1.108 dhcpd dns server 192.168.1.2 dhcpd enable DMZ
B. dhcpd range 10.0.1.100-10.0.1.108 DMZ dhcpd dns server 192.168.1.2 dhcpd DMZ
C. dhcpd address 10.0.1.100-10.0.1.108 DMZ dhcpd dns 192.168.1.2 dhcpd enable DMZ
D. dhcpd address range 10.0.1.100-10.0.1.108 dhcpd dns 192.168.1.2 dhcpd enable
Answer: C


QUESTION NO: 14
Refer to the exhibit. Which three show commands would verify that the boot image is asa721-k8.bin? (Choose three.)

A. show processes
B. show version
C. show cpu profile
D. show startup-config
E. show bootvar
F. show disk0:
Answer: B,D,E


QUESTION NO: 15
Refer to the exhibit. If the show failover command has returned this output, what is the problem with the failover configuration?


A. The poll frequency is set too high to detect the secondary failover security appliance.
B. There is no problem; the timer that detects the secondary failover security appliance has not expired.
C. The failover cable is not connected to the secondary failover security appliance.
D. The LAN-based failover interface has been shut down on the security appliance.
Answer: C


QUESTION NO: 16
Which of these commands displays the status of the CSC SSM on the Cisco ASA?
A. show module 1 CSC details
B. show hw 1 details
C. show interface GigabitEthernet 1/0
D. show module 1 details
Answer: D


QUESTION NO: 17
Which of these commands will configure the adaptive security appliance to use an ACS server for console access authentication?
A. aaa authentication console SRVGRP1
B. aaa authentication console LOCAL
C. aaa authentication serial console SRVGRP1 LOCAL
D. aaa authentication serial console LOCAL
Answer: C


QUESTION NO: 18
Which command will provide interface IP information, the interface operational status, and the interface configuration method for an adaptive security appliance?
A. show interface ip brief
B. show interface stats
C. show ip interface
D. show interface detail
Answer: A


QUESTION NO: 19
Which commands are necessary in order to add a port for DNS inspection?
A. class-map, match, policy-map, class, inspect
B. policy-map type inspect dns
C. class-map, match, fixup, policy-map, inspect
D. fixup
E. class-map, fixup, policy-map
F. class-map type inspect dns, match, policy-map type inspect dns, class, inspect dns
Answer: A


QUESTION NO: 20
Which three of these are Cisco ASA syslog message fields? (Choose three.)
A. default ASA gateway
B. logging level
C. logging device IP
D. syslog community string
E. message text
F. triggering packet copy
Answer: B,C,E

QUESTION NO: 21
Which mode of operation must you enter in order to recover the Cisco ASA password?
A. unprivileged
B. configure
C. privileged
D. monitor
Answer: D


QUESTION NO: 22
LAB

A. (conf)# mode multiple
Answer: A
Explanation:
After giving that command the firewall will reboot; then give the following commands:
# context admin
# config-url flash:/admin.cfg
# allocate interfaces GigabitEthernet 0/0
# allocate interfaces GigabitEthernet 0/1
Again create another context:
(conf)# context ctx2
# config-url flash:/ctx2.cfg
# allocate interfaces GigabitEthernet 0/2
# allocate interfaces GigabitEthernet 0/3
# copy run start


QUESTION NO: 23
The primary adaptive security appliance failed, so the secondary adaptive security appliance was automatically activated. The network administrator then fixed the problem. Now the administrator wants to return the primary to "active" status.
Which of these commands, when issued on the primary adaptive security appliance, will reactivate the primary adaptive security appliance and restore it to "active" status?

A. failover secondary standby group 1
B. failover primary active
C. failover secondary group 1
D. failover active group 1
Answer: D


QUESTION NO: 24
What does the csd enable command enable on the Cisco ASA?
A. It enables the Cisco Secure Desktop on SSL VPN clients without a host-based firewall.
B. It enables the Cisco Secure Desktop for SSL VPN clients when they connect.
C. It enables the Cisco Secure Desktop on the host connecting to the Cisco ASDM.
D. It enables the Cisco Secure Desktop for IPsec VPN clients when they connect to the Cisco ASA.
Answer: B


QUESTION NO: 25
Which command will set the default route for an adaptive security appliance to the IP address 10.10.10.1?
A. route management 10.10.10.0 0.0.0.255 10.10.10.1 1
B. route add default 0 10.10.10.1
C. route outside 0 0 10.10.10.1 1
D. route 0 0 10.10.10.1 1
Answer: C


QUESTION NO: 26
Which three of these are encryption algorithms used by Cisco ASA security appliances? (Choose three.)
A. 3DES
B. DES
C. AES
D. Blowfish
E. RC4
F. Diffie-Hellman Group 5
Answer: A,B,C


QUESTION NO: 27
An administrator wants to protect a DMZ web server from SYN flood attacks. Which three of these commands, used individually, would allow the administrator to place limits on the number of embryonic connections? (Choose three.)
A. http redirect
B. set connection
C. nat
D. http-proxy
E. access-list
F. static
Answer: B,C,F

QUESTION NO: 28
Which of these statements regarding Active/Active failover configurations is correct?
A. Configure failover interface parameters in the "ADMIN" context.
B. Allocate interfaces to a failover group using the failover group sub-command mode.
C. Configure two failover groups: group 1 and group 2.
D. Use the failover active command to enable Active/Active failover on the Cisco ASA Security Appliance.
Answer: C


QUESTION NO: 29
What does the activation-key command in the Cisco ASA do?
A. activates the SSM module in the Cisco ASA, providing intrusion protection and content filtering
B. applies the activation key to the Cisco ASDM so the Cisco ASA can be managed using a web interface
C. automatically activates the Cisco ASA, allowing it to be configured right out of the box
D. applies the activation key to the Cisco ASA operating system, so that the Cisco ASA is licensed and all features are available
Answer: D


QUESTION NO: 30
By default, adaptive security appliances configured for LAN-based failover will fail over after approximately 15 seconds. Which two commands should an administrator configure on the security appliance to detect a failure faster? (Choose two.)
A. failover unit-policy polltime
B. failover lan link polltime
C. failover polltime unit
D. failover interface-policy polltime
E. failover lan unit polltime
F. failover polltime interface
Answer: C,F


QUESTION NO: 31
Only the default modular policy framework is currently configured on your Cisco ASA. You want to block the DELE and PUT FTP commands, but only on the outside interface. Which three of these commands must be entered to accomplish this goal? (Choose three.)
A. regex
B. class-map type inspect ftp
C. policy-map type inspect ftp
D. service-policy
E. access-list
F. policy-map
Answer: C,D,F


QUESTION NO: 32
Which command both verifies that NAT is working properly and displays active NAT translations?
A. show ip nat all
B. show xlate
C. show running-configuration nat
D. show nat translation
Answer: B


QUESTION NO: 33
Which of these commands will provide detailed information about the crypto map configurations of a Cisco ASA?
A. show run crypto map
B. show crypto map
C. show ipsec sa
D. show run ipsec sa
Answer: A


QUESTION NO: 34
You want to block a new instant messaging application. Which three of these are mandatory for accomplishing this goal with your Cisco ASA? (Choose three.)
A. a regex class map
B. an HTTP inspection policy map
C. a Layer 3/4 policy map
D. an IM inspection policy map
E. an HTTP inspection class map
F. a regular expression
Answer: B,C,F


QUESTION NO: 35
Refer to the exhibit. What does the inspect http HTTP_TRAFFIC command do in this policy map?


A. It adds HTTP traffic inspection to the OUTSIDE_POLICY policy map.
B. It adds HTTP traffic inspection on TCP port 8080 to the OUTSIDE_POLICY policy map.
C. It adds HTTP traffic inspection to the inspection-default global class map.
D. It adds HTTP traffic limits to the OUTSIDE_POLICY policy map.
Answer: A


QUESTION NO: 36
Which of these regular expressions would best match the website address "www.cisco.com/go/ccsp"?
A. "www+cisco+com\/go\/ccsp"
B. (w){3,}.cisco.com\/go\/(c){2}sp
C. (w){3}\.cisco\.com\/go\/(c){2}sp
D. "www.cisco.com/go/ccsp \r"
Answer: C

QUESTION NO: 37
Which three of these are potential groups of users for WebVPN? (Choose three.)
A. remote employees that need daily access to the internal corporate network
B. employees that need access to a wide range of corporate applications
C. employees that only need occasional corporate access to a few applications
D. users of a customer service kiosk placed in a retail store
E. employees accessing specific internal applications from desktops and laptops not managed by IT
F. administrators who need to manage servers and networking equipment
Answer: C,D,E


QUESTION NO: 38
Refer to the exhibit. An administrator is adding descriptions to class maps for each part of the modular policy framework. What text would the administrator add to the description command to describe the TO_SERVER class map?

A. description "This class-map matches all HTTP traffic for the public web server."
B. description "This class-map matches all TCP traffic for the public web server."
C. description "This class-map matches all IP traffic for the public web server."
D. description "This class-map matches all HTTPS traffic for the public web server."
Answer: C


QUESTION NO: 39
Which username and password can you use to establish an SSH connection to your adaptive security appliance when no local or remote user database has been configured?

A. the username "ssh" and the password "cisco123"
B. the username "pix" and the password "cisco123"
C. the username "ssh" and the password "pix"
D. the username "pix" and the password "cisco"
Answer: D


QUESTION NO: 40
Refer to the exhibit. Given the configuration commands shown, what traffic will be logged to the AAA server?

A. All connection information will be logged in the accounting database.
B. No information will be logged. This is not a valid configuration because TACACS+ connection information cannot be captured and logged.
C. Only the authenticated console connection information will be logged in the accounting database.
D. All outbound connection information will be logged in the accounting database.
Answer: D


QUESTION NO: 41
An administrator receives a new Cisco ASA. Which command, when entered from the console, directs the Cisco ASA to provide interactive prompts that aid in the building of a first-use, minimal configuration?
A. configure terminal
B. configure factory default
C. configure startup
D. setup
Answer: D


QUESTION NO: 42
Refer to the exhibit. Based on this output, which of the following statements is true?

A. The ACLIN access list permits web access from host 192.168.6.10 to all hosts behind the Cisco ASA.
B. The ICMPDMZ access list denies all ICMP traffic bound for the bastion host except echo replies.
C. The ACLOUT access list has been designed to allow the IP address with the network address of 192.168.6.0 to have unrestricted access to the web server at IP address 192.168.1.11.
D. The ACLOUT access list has been designed to deny the IP address 192.168.1.11 web access to the host with a network address of 192.168.6.0.
Answer: C


QUESTION NO: 43
Refer to the exhibit. The network administrator for this small site has chosen to authenticate HTTP cut-through proxy traffic via a local database on the Cisco ASA. Which set of command strings should the administrator enter to accomplish this?


A. asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 asa1(config)# access-list 150 permit tcp any host 192.168.16.6 eq www asa1(config)# aaa authentication match 150 outside LOCAL
B. asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 asa1(config)# access-list 150 permit tcp any host 192.168.16.6 eq www asa1(config)# aaa authentication match 150 outside asa1
C. asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 asa1(config)# access-list 150 permit tcp any host 172.16.16.6 eq www asa1(config)# aaa authentication match 150 outside LOCAL
D. asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 asa1(config)# access-list 150 permit tcp any host 172.16.16.6 eq www asa1(config)# aaa authentication match 150 outside asa1
Answer: A


QUESTION NO: 44
What does the nat 0 command do?
A. The nat 0 command, followed by a range of IP addresses, specifies the addresses that are to be translated when used for IPsec.
B. The nat 0 command, followed by a range of IP addresses, specifies the addresses that are to be translated using network address translation.
C. The nat 0 command, followed by an access list, specifies the addresses that are not to be translated.
D. The nat 0 command, followed by an access list, specifies the addresses that are to be used in translations only once.
Answer: C


QUESTION NO: 45
Which command configures the adaptive security appliance interface as a DHCP client and sets the default route to be the default gateway parameter returned from the DHCP server?
A. ip address dhcp
B. dhcp setroute
C. ip address dhcp setroute
D. ip address dhcp default route
Answer: C


QUESTION NO: 46
Refer to the exhibit. A network administrator wants to authenticate remote users who are accessing the WEB1 server from the Internet. When a remote user initiates a session to the WEB1 server, the ASA1 security appliance will verify the user's credentials with the TX_ACS AAA server via RADIUS. To accomplish this, the administrator must load and configure Cisco ACS software on the TX_ACS AAA server. During the process, the administrator must correctly configure the AAA client information in the Cisco ACS network configuration window.
What must the administrator place in field A (AAA Client Hostname) and field B (AAA Client IP address)?


A. ASA1 B?0.0.1.1
B. AEB1 B?72.16.1.2
C. Aave B?92.168.2.10
D. AX_ACS B?0.0.1.10
Answer: A


QUESTION NO: 47
With adaptive security appliance code of version 7.0 or later, which three hardware and software requirements must be met before failover can be configured? (Choose three.)
A. The failover pair must meet hardware and software requirements, but can be a PIX and a Cisco ASA.
B. Software versions must have the same major release version, but minor release versions do not need to match.
C. RAM, flash, modules, and interfaces must be identical on each unit.
D. Major and minor software releases must match, but software versions do not need to be identical.
E. Only RAM and interfaces must be identical on each unit.
F. The adaptive security appliances must be the same type of platform.
Answer: C,D,F


QUESTION NO: 48
Which of these commands would block all SIP INVITE packets, such as calling-party and request-method, from specific SIP endpoints?
A. Group the match commands in the global_policy policy map.
B. Group the match commands in a SIP inspection policy map.
C. Use the match calling-party command in a class map. Apply the class map to a policy map that contains the match request-methods command.
D. Use the match request-methods command in an inspection class map. Apply the inspection class map to an inspection policy map that contains the match calling-party command.
E. Group the match commands in a SIP inspection class map.
Answer: E


QUESTION NO: 49
Refer to the exhibit. An administrator wants to permanently map host addresses on the DMZ subnet to the same host addresses, but a different subnet, on the outside interface. Which command or commands should the administrator use to accomplish this?

A. access-list server_map permit tcp any 192.168.10.0 255.255.255.0 nat (outside) 10 access-list server_map global (dmz) 10 172.16.1.9-10 netmask 255.255.255.0
B. nat (dmz) 0 172.16.1.0 netmask 255.255.255.0
C. static (dmz,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0
D. nat (dmz) 1 172.16.1.0 netmask 255.255.255.0 global (outside) 1 192.168.10.9-10 netmask 255.255.255.0
Answer: C


QUESTION NO: 50
Which of these commands must be used when configuring advanced FTP inspection, such as FTP banner masking or the blocking of specific usernames?
A. tcp-map
B. ftp-map
C. class-map type regex
D. class-map type inspect ftp
E. policy-map type inspect ftp
Answer: E


QUESTION NO: 51
The Cisco VPN Client supports which three of these tunneling protocols and methods? (Choose three.)
A. LZS
B. IPsec over TCP
C. ESP
D. AH
E. SCEP
F. IPsec over UDP
Answer: B,C,F


QUESTION NO: 52
Refer to the exhibit. What is the purpose of this command?


A. to filter ActiveX traffic from the default route
B. to filter ActiveX traffic once it has been applied to an interface
C. to filter ActiveX traffic on HTTP from any host and to any host
D. to filter Java traffic on HTTP from any host and to any host
Answer: C


QUESTION NO: 53
A security appliance administrator has defined a regular expression to match an unauthorized website. Which pair of commands would the administrator need to enter to configure a regular expression class map?
A. class-map regex match-any URL match UNAUTHORIZED_SITE
B. class-map type regex match-any match regex UNAUTHORIZED_SITE
C. class-map match-any type regex match UNAUTHORIZED_SITE
D. class-map type regex match-any URL match regex UNAUTHORIZED_SITE
Answer: D


QUESTION NO: 54
On a Cisco ASA adaptive security appliance, the administrator enters the boot config disk0:/startup.txt command. What will this command do when the system is reloaded?
A. It will do nothing until the file extension is changed to .cfg, at which time it will boot the startup.cfg config file.
B. It will copy the current config file to the startup.txt file on disk 0.
C. It will configure the Cisco ASA to boot using the startup.txt config file stored in flash memory.
D. It will configure the ASA to skip the hardware diagnostics and perform a warm boot of the startup.txt config file.
Answer: C


QUESTION NO: 55
You are configuring a crypto map. Which of these commands would you use to specify the peer to which IPsec-protected traffic can be forwarded?

A. crypto map set peer 192.168.7.2
B. crypto-map policy 10 set 192.168.7.2
C. crypto map peer7 10 set peer 192.168.7.2
D. crypto map 20 set-peer insidehost
Answer: C


QUESTION NO: 56
Which of these commands causes the CSC SSM to load a new software image from a remote TFTP server via the CLI?
A. hw module recover config
B. copy tftp:tftphost/image.bin hardware:module1/image.bin
C. hw module 1 recover config
D. module 1 recover config
Answer: C


QUESTION NO: 57
Refer to the exhibit. What do these commands accomplish?

A. they guarantee five Cisco ASDM sessions and a system connection of 20% for resources belonging to the MEDIUM-RESOURCE-SET class
B. they limit the MEDIUM-RESOURCE-SET class to five Cisco ASDM sessions and 20% of the system connection limit
C. they increase the default Cisco ASDM session limit by five for the MEDIUM-RESOURCE-SET class and increase the system connection limit by 20%
D. they limit the MEDIUM-RESOURCE-SET class to five failed Cisco ASDM connection attempts and 20% of system resources
Answer: B


QUESTION NO: 58
Which three of these are required in order to set up a CSC SSM on the Cisco ASA? (Choose three.)
A. DNS names of critical hosts
B. IP addresses of external routers
C. an e-mail address for notifications
D. activation codes
E. the IP address of the CSC interface
F. an SSL certificate to use for HTTPS connections
Answer: C,D,E


QUESTION NO: 59
Which three of these commands will show you the contents of flash memory on the Cisco ASA? (Choose three.)
A. directory
B. info flash
C. flash
D. dir
E. show disk
F. show flash:
Answer: D,E,F

QUESTION NO: 60
When an administrator adds the same-security-traffic permit inter-interface command to a Cisco ASA, what will happen?
A. Communication will be allowed between VPN clients terminated on different Cisco ASA interfaces.
B. A Dynamic Multipoint VPN connected to all endpoints will be enabled.
C. Communication will be allowed between different interfaces with the same security level.
D. Communication will be allowed between multiple Cisco ASA security appliances deployed as hubs in enterprise-wide deployments of Cisco Easy VPN servers.
Answer: C


QUESTION NO: 61
Which three of these protocols can the Content Security and Control module for the Cisco ASA be configured to scan? (Choose three.)
A. FTP
B. SSH
C. Telnet
D. HTTPS
E. SMTP
F. POP3
Answer: A,E,F


QUESTION NO: 62
Refer to the exhibit. This adaptive security appliance is configured for which two types of failover? (Choose two.)

A. Active/Standby failover
B. Active/Active failover
C. stateful failover
D. LAN-based failover
E. Context/Group failover
F. cable-based failover
Answer: B,D

QUESTION NO: 63 HOTSPOT
Answer:
Explanation:


QUESTION NO: 64 HOTSPOT
Answer:
Explanation: