Cisco Sources:Free Cisco Certification
QUESTION 1 John, the security administrator for Cisco Sources Inc., is securing the firewall with a blocking function. Which command applies a blocking function to an interface receiving an attack?

A. The shun command

B. The conduit command

C. The ip deny command

D. The interface command

Answer: A

Explanation: shun src_ip [dst_ip sport dport [protocol]] applies a blocking function to an interface. Reference: Cisco Secure PIX Firewall Advanced 3.1 11-22
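The following is an added example, not Cisco code and not part of the course material, that models the shun syntax quoted above as a small packet filter. It assumes (the question does not say) that a shun entry drops every packet whose source address matches src_ip, that the optional dst_ip/sport/dport/protocol name one existing connection that is torn down as well, and that the protocol defaults to tcp. Packets, addresses and ports are constructed for the demo.

```python
"""Illustrative model of the PIX 'shun' blocking function.

Added example; not Cisco code. Assumed behaviour: every packet from src_ip
is dropped while the shun is in place, the optional 4-tuple names one open
connection to tear down, and protocol defaults to tcp.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Shun:
    src_ip: str
    dst_ip: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    protocol: Optional[str] = None


def parse_shun(cmdline: str) -> Shun:
    """Parse 'shun src_ip [dst_ip sport dport [protocol]]' (assumed grammar)."""
    parts = cmdline.split()
    if len(parts) < 2 or parts[0] != "shun":
        raise ValueError("not a shun command")
    args = parts[1:]
    if len(args) == 1:
        return Shun(args[0])
    if len(args) in (4, 5):
        proto = args[4].lower() if len(args) == 5 else "tcp"
        return Shun(args[0], args[1], int(args[2]), int(args[3]), proto)
    raise ValueError("usage: shun src_ip [dst_ip sport dport [protocol]]")


class Firewall:
    """Minimal filter keeping a shun set and a table of open connections."""

    def __init__(self):
        self.shunned = set()   # source addresses currently blocked
        self.conns = set()     # (proto, src, sport, dst, dport)

    def open_conn(self, proto, src, sport, dst, dport):
        self.conns.add((proto, src, sport, dst, dport))

    def shun(self, cmdline: str) -> Shun:
        s = parse_shun(cmdline)
        self.shunned.add(s.src_ip)
        if s.dst_ip is not None:
            # Tear down the named existing connection too (assumed behaviour).
            self.conns.discard((s.protocol, s.src_ip, s.sport, s.dst_ip, s.dport))
        return s

    def no_shun(self, src_ip: str):
        """Remove the block; connections torn down by the shun stay gone."""
        self.shunned.discard(src_ip)

    def verdict(self, proto, src, sport, dst, dport) -> str:
        """The shun check runs before the connection table is consulted."""
        if src in self.shunned:
            return "drop"
        if (proto, src, sport, dst, dport) in self.conns:
            return "permit"
        return "new"


def demo():
    """Constructed scenario: shun an attacker with two open connections."""
    fw = Firewall()
    fw.open_conn("tcp", "10.1.1.27", 3456, "192.168.1.10", 80)
    fw.open_conn("tcp", "10.1.1.27", 3457, "192.168.1.10", 443)
    before = fw.verdict("tcp", "10.1.1.27", 3456, "192.168.1.10", 80)
    fw.shun("shun 10.1.1.27 192.168.1.10 3456 80 tcp")
    after = fw.verdict("tcp", "10.1.1.27", 3456, "192.168.1.10", 80)
    other = fw.verdict("tcp", "10.1.1.27", 3457, "192.168.1.10", 443)
    fw.no_shun("10.1.1.27")
    released = fw.verdict("tcp", "10.1.1.27", 3456, "192.168.1.10", 80)
    kept = fw.verdict("tcp", "10.1.1.27", 3457, "192.168.1.10", 443)
    return before, after, other, released, kept
```

The point the demo makes is that the shun is keyed on the source address, so it drops the second connection (port 3457) as well, while the optional 4-tuple only decides which existing connection is removed from the table: after the shun is cleared, the named connection has to be re-established while the other one resumes.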

QUESTION 2 Kathy, the security administrator for Cisco Sources Inc., has installed an FWSM in a Catalyst 6500 switch, initialized it in the switch, configured switch VLANs, and configured the module interfaces; however, Kathy is unable to establish outbound connections. Kathy has checked the configuration and finds that she has correctly configured the six basic commands (nameif, interface, ip address, nat, global, and route). What could be the cause of the problem?

A. Kathy needs an ACL for the outside interface.

B. Kathy has not configured a switch VLAN for the inside interface.

C. The MSFC is configured as a connected router only on the outside interface.

D. Kathy needs an ACL for the inside interface.

Answer: B

Explanation: To prevent losing the switch configuration, or the definition of a firewall interface becoming out of synchronization between the module and the route processor, you should first configure a VLAN on the route processor (MSFC) and then configure the VLANs for the module. Reference: Cisco Secure PIX Firewall Advanced 3.1 19-19

QUESTION 3 Cisco Sources Inc. needs a firewall that delivers at least 15 Gbps of throughput. Cost is a factor. Which would best meet your needs?

A. The best choice would be two PIX 525 or 535 Firewalls configured for failover.

B. The best choice would be multiple FWSMs for your Catalyst 6500 switch.

C. The best choice would be a PIX Firewall 535.

D. The best choice would be an FWSM for your Catalyst 6500 switch.

Answer: B

Explanation: The Cisco FWSM is a high-performance firewall solution, providing 5 Gbps of throughput per module and scaling to 20 Gbps with multiple modules in one chassis. Reference: Cisco Secure PIX Firewall Advanced 3.1 19-3

QUESTION 4 You have 100 users on your internal network at Cisco Sources Inc., and you want only six of these users to perform FTP, Telnet, or HTTP outside the network. Which PIX Firewall feature do you enable?

A. You would enable access lists

B. You would enable object grouping

C. You would enable VAC+

D. You would enable AAA

Answer: D

Explanation: Authentication, Authorization, and Accounting (AAA) is used to tell the PIX Firewall who the user is, what the user can do, and what the user did. Authentication is valid without authorization; authorization is never valid without authentication. Reference: Cisco Secure PIX Firewall Advanced 3.1 12-3

QUESTION 5 John, the security administrator at Cisco Sources Inc., is working on PPPoE. Which statement about the PIX Firewall and PPPoE is true?

A. The true statement is that when PPPoE is configured, the user enters his username and password to connect to a PPPoE server and sets the MTU size to 1492 bytes.

B. The true statement is that the PIX Firewall does not detect PPPoE session termination.

C. The true statement is that when configured, the PIX Firewall's PPPoE client automatically connects to a service provider's access concentrator without user intervention.

D. The true statement is that when PPPoE is configured, you must set the MTU size to the correct value to allow PPPoE to be transmitted in an Ethernet frame.

E. The true statement is that to clear and restart a PPPoE session, you enter the clear ppp session command.

Answer: C

Explanation: After it is configured, the PIX Firewall's PPPoE client automatically connects to a service provider's access concentrator (AC) without user intervention. The MTU size is automatically set to 1492 bytes, the correct value to allow PPPoE to be transmitted in an Ethernet frame. Reference: Cisco Secure PIX Firewall Advanced 3.1 5-67

QUESTION 6 The security team at Cisco Sources Inc. is working on the problems with UDP. What are two of the problems with UDP? (Choose two)

A. The problem with UDP is that spoofing packets is very easy because there is no handshaking or sequencing.

B. The problem with UDP is that its method of guaranteeing delivery makes it processor intensive.

C. The problem with UDP is that the congestion management and avoidance it uses makes it rather slow.

D. The problem with UDP is that the UDP connection slot is never deleted from the connection table.

E. The problem with UDP is that spoofing UDP packets is difficult.

F. The problem with UDP is that the initiator of the transaction or the current state usually cannot be determined because there is no state machine.

Answer: A, F

Explanation: UDP characteristics:
- UDP is an unreliable (connectionless) but efficient transport protocol.
- Spoofing UDP packets is very easy (no handshaking or sequencing).
- As there is no state machine, neither the initiator of the transaction nor the current state can be determined.
- UDP has no delivery guarantees.
- There is no connection setup or termination (the application implements its own state machine).
- UDP has no congestion management or avoidance.
Reference: Cisco Secure PIX Firewalls (Cisco Press), page 70
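The following added example, which is not Cisco code and not from the course material, shows why answers A and F are the firewall's real problems and why D is not: a toy UDP connection table creates a slot on the first inside-originated datagram, lets anything matching the reversed 4-tuple back in (a forged reply is indistinguishable from a real one), and reclaims the slot after an idle timeout. The interface names, addresses, ports and the 120-second IDLE_TIMEOUT are assumptions constructed for the demo; the real PIX UDP idle timer is configurable.

```python
"""Toy stateful tracking of UDP, illustrating the problems in Question 6.

Added example; not Cisco code. Assumptions: packets are dicts with iface,
src, sport, dst, dport (and an ignored payload); "inside" is the more secure
interface; a slot is created by an inside-originated datagram and reclaimed
after IDLE_TIMEOUT seconds of inactivity (value made up for the demo).
"""
IDLE_TIMEOUT = 120


class UdpTable:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> last seen time
        self.slots = {}

    @staticmethod
    def key(pkt):
        """Normalise both directions of a flow to one inside/outside tuple."""
        if pkt["iface"] == "inside":
            return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def expire(self, now):
        """Reclaim idle slots; without this the table would grow without bound."""
        for k, last in list(self.slots.items()):
            if now - last > IDLE_TIMEOUT:
                del self.slots[k]

    def handle(self, pkt, now):
        self.expire(now)
        k = self.key(pkt)
        if pkt["iface"] == "inside":
            self.slots[k] = now       # an inside host may always start a flow
            return "permit"
        if k in self.slots:
            # The tuple matches an open slot. With no handshake or sequence
            # numbers there is nothing that proves this is the real reply.
            self.slots[k] = now
            return "permit"
        return "deny"                 # unsolicited datagram from outside


def demo():
    """Constructed DNS exchange followed by a forged reply and an idle period."""
    fw = UdpTable()
    query = {"iface": "inside", "src": "10.0.0.5", "sport": 40000,
             "dst": "198.51.100.53", "dport": 53, "payload": "A? example.test"}
    reply = {"iface": "outside", "src": "198.51.100.53", "sport": 53,
             "dst": "10.0.0.5", "dport": 40000, "payload": "A 192.0.2.10"}
    # Attacker datagram with forged source: same headers as the real reply,
    # only the payload differs, and the firewall never looks at that.
    spoofed = dict(reply, payload="A 203.0.113.66")
    unsolicited = {"iface": "outside", "src": "203.0.113.9", "sport": 53,
                   "dst": "10.0.0.5", "dport": 40000, "payload": "junk"}
    results = [
        fw.handle(query, 0),          # permit: slot created by inside host
        fw.handle(reply, 1),          # permit: matches the slot
        fw.handle(spoofed, 2),        # permit: indistinguishable from reply
        fw.handle(unsolicited, 3),    # deny: no slot for this 4-tuple
        fw.handle(reply, 200),        # deny: slot reclaimed after IDLE_TIMEOUT
    ]
    return results, len(fw.slots)
```

The third verdict is problem A (easy spoofing) and the second is problem F in disguise: the table only knows that some inside host sent to this tuple first, not which side is currently speaking or where the application-level transaction stands. The fifth verdict is the answer to option D: a well-behaved firewall does delete the slot, on a timer, because UDP itself gives it no termination signal to act on.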

QUESTION 7 The team at Cisco Sources Inc. is working on firewall redundancy. Which is likely to prevent serial-cable failover from working? (Choose two)

A. The problem is the hardware models are the same.

B. The problem is the two PIX Firewalls are running different versions of the software.

C. The problem is the secondary PIX Firewall has not been properly configured as a secondary PIX Firewall.

D. The problem is the secondary PIX Firewall has a 3DES license.

E. The problem is the standby PIX Firewall has not yet replicated its configuration to the primary PIX Firewall.

F. The problem is the hardware models are different.

Answer: B, F

Explanation: Failover system requirement: identical PIX Firewall hardware and software versions. The failover feature requires two units that are identical in the following respects:
- Model (a PIX 515E cannot be used with a PIX 515)
- Same number and type of interfaces
- Software version
- Activation key type (DES or 3DES)
- Flash memory
- Amount of RAM
Reference: Cisco PIX Firewall Software - Using PIX Firewall Failover, www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html

QUESTION 8 James, the team leader for the security team at Cisco Sources Inc., is working on dynamic NAT. How can dynamic outside NAT simplify router configuration on your internal or perimeter networks?

A. It can simplify it because you can configure your routing within the nat command.

B. It can simplify it because you can configure your routing within the global command.

C. It can simplify it by controlling the addresses that appear on these networks.

D. It can simplify it because statics take precedence over nat and global command pairs.

Answer: C

Explanation: Dynamic outside NAT translates host addresses on less secure interfaces to a range or pool of IP addresses on a more secure interface. This is most useful for controlling the addresses that appear on the inside of the PIX Firewall and for connecting networks with overlapping addresses. Reference: Cisco Secure PIX Firewall Advanced 3.1 6-11

Inside dynamic NAT translates between host addresses on more secure interfaces and a range or pool of IP addresses on a less secure interface. This provides a one-to-one mapping between internal and external addresses that allows internal users to share registered IP addresses and hides internal addresses from view on the public Internet. Reference: Establishing Connectivity, www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm

QUESTION 9 James, the security administrator for Cisco Sources Inc., is working on Telnet access to the PIX Firewall. Which statement about Telnet and the PIX Firewall is true?

A. The true statement is that you can enable Telnet on all interfaces except the outside interface.

B. The true statement is that you can enable Telnet on all interfaces, but the PIX Firewall requires that all Telnet traffic to the outside interface be IPSec protected.

C. The true statement is that you can enable Telnet on all interfaces, but the PIX Firewall requires that all Telnet traffic to all interfaces be IPSec protected.

D. The true statement is that Telnet connections to the PIX Firewall are not permitted.

Answer: B

Explanation: You can enable Telnet to the PIX Firewall on all interfaces. However, the PIX Firewall requires that all Telnet traffic to the outside interface be IPSec protected. Reference: Cisco Secure PIX Firewall Advanced 3.1 15-3

QUESTION 10 John, the security administrator for Cisco Sources Inc., is working on multicast. How does John get to the multicast subcommand mode, where he can enter the igmp commands for further multicast support?

A. By using the clear igmp group command.

B. By entering the igmp interface command in privileged mode.

C. By entering the multicast interface command in configuration mode.

D. By entering the multicast mode command in configuration mode.

Answer: C

Explanation: Use the multicast interface command to enable multicast forwarding on each interface and place the interfaces in multicast promiscuous mode. When you enter the command, the CLI enters multicast subcommand mode and the prompt changes to (config-multicast)#. Reference: Cisco Secure PIX Firewall Advanced 3.1 9-10


© Copyrights 2007 CCNA by Cisco Sources ® All rights reserved