Chapter 18. Answer Key 2


1. A, E

2. B, C

3. C

4. C

5. C

6. B

7. A, C, D

8. A

9. A, E

10. C

11. A, C, D

12. A

13. A, B

14. D, E

15. C

16. A

17. B

18. D

19. B

20. C

21. A, B, D

22. B

23. D

24. B

25. C

26. A, B, D, E

27. E

28. C

29. A, D

30. A, B, D

31. C

32. B

33. A, B, D, E

34. E

35. A, B

36. B, D

37. B, C, E

38. D

39. B, C, D

40. A, B, C, E

41. A, C, E

42. A

43. D

44. B, C, D

45. D

46. D

47. A, B, E

48. A, B

49. C, E

50. A, D

51. A

52. B

53. A, B, D, E

54. B, D, E

55. A, C, D

56. D

57. B, C, D

58. B, C, D

59. A, B, D, E

60. B

61. A

62. C

63. C

64. C

65. A

66. D

67. B, C

68. C

69. A, B

70. D

71. A, B, C

72. B

73. C

74. A

75. A, C, E

Question 1

Answers A and E are correct. One firewall technology is the proxy server. A proxy server relays connections between a client on the internal network and the external network: the inside client establishes a connection to the proxy server, and the proxy server establishes a separate connection to the outside resource. All data flowing between the client and the outside server is processed at the higher layers by the intermediate proxy server; because of this layer 7 capability, answer B is incorrect. Proxy servers do not deliver high performance compared to other firewall options, so answer C is incorrect. One disadvantage of a single proxy server that processes every packet between inside hosts and outside servers is that it is also a single point of failure for the network, which makes answer D incorrect.

Question 2

Answers B and C are correct. The PIX uses stateful packet filtering and maintains a table for every connection or connectionless transaction. Packets are compared against a connection object, which determines which return packets are allowed from the outside network into the higher security inside network. A stateful packet-filtering device provides better performance than a proxy server because it does not have to analyze each packet at the upper layers of the OSI model, which makes answer A incorrect. Stateful packet-filtering devices approximate sessions for connectionless protocols such as UDP, which makes answer D incorrect. The firewall uses a stateful, not stateless, database, which makes answer E incorrect.

Question 3

Answer C is correct. Each time a TCP connection is established for inbound or outbound connections through the PIX firewall, the information about the connection is logged in a stateful session flow table, which makes answers A, B, and D incorrect.

Question 4

Answer C is correct. This is a tricky question. When failover is configured, configuration changes should be made only on the active firewall. Normally, the primary firewall is the active one. However, in a failed condition, the primary firewall is in standby mode and the secondary PIX is active, so configurations should be applied to the active (secondary) PIX, which makes answer C the best answer and answers A, B, and D incorrect.

Question 5

Answer C is correct. The PIX-4FE and PIX-VPN-ACCEL cards can be installed only in the 32-bit, 33MHz bus, or bus 2, and they must never be installed in the 64-bit, 66MHz bus. Installing either of these cards in the faster bus can cause the system to hang, which makes answers A and B incorrect. Buses 3 and 4 do not exist on the PIX 535; therefore, answers D and E are incorrect.

Question 6

Answer B is correct. License keys are not specific to a particular PIX software version, so answer E is incorrect. The same license key can be applied to the same physical PIX and is not tied to the physical serial number on the chassis or the model type; therefore, answers A and C are incorrect. Answer D is incorrect because there is no show system command on the PIX.

Question 7

Answers A, C, and D are correct. Configuration mode, privileged mode, monitor mode, and unprivileged mode are the four PIX firewall administrative access modes. The familiar IOS user mode is termed unprivileged mode on the PIX firewall. Answer B is incorrect because, on the PIX, the > prompt is referred to as unprivileged mode, not user mode. Answer E is incorrect because object group is considered a sub-command mode.

Question 8

Answer A is correct. Privileged mode allows you to change the current settings on the PIX. Any unprivileged command works in privileged mode. Changing system configurations requires configuration mode. Configuration changes are made from configuration mode, which makes answer B incorrect. The PIX does not support native IPX, which makes answer C incorrect. Password recovery is performed from monitor mode, which makes answer D incorrect. Answer E was a simple attempt at humor, which also means it is incorrect.

Question 9

Answers A and E are correct. The interactive prompts are designed to minimally configure the PIX for use with PDM. Setup is invoked when you type in the command setup or when you boot a PIX that has no configuration. If you erase the configuration stored in flash and reboot the PIX, you are prompted to run the interactive setup script. The init commands are not valid on a PIX, which makes answers B and C incorrect. Rebooting a PIX that has a configuration saved does not invoke the setup, which makes answer D incorrect.

Question 10

Answer C is correct. The serial number is listed with the show version command on PIX versions 5.3 and higher. This is the number that must be used to upgrade the PIX image. The write terminal command doesn't show the serial number; therefore, answer A is incorrect. The serial number on the physical chassis is not part of the critical information required; therefore, answers B, D, and E are incorrect.

Question 11

Answers A, C, and D are correct. The ASA is the heart of the PIX and tracks source and destination IP addresses, ports, and TCP flags. The reason the Adaptive Security Algorithm is adaptive is that it dynamically tracks outbound sessions and adapts the security policy to allow the correct return traffic for the outbound-initiated sessions on an application-by-application basis. The PIX doesn't randomize all sequence numbers, nor does it randomize TCP flags; therefore, answers B and E are incorrect.

Question 12

Answer A is correct. ASA allows one-way outbound connections without explicit configuration for each internal system application, which makes answers B and D incorrect. An outbound connection is a connection originating from a host on a higher security level interface to a lower security level interface. Answers C and E are incorrect because the two-way inbound and two-way outbound options are invalid options.

Question 13

Answers A and B are correct. The nameif command assigns a name to each perimeter interface on the PIX firewall and specifies its security level. The interface command enables an interface and configures its type and speed. By default, the E0 interface is given the name of outside, with a security level of . Also by default, the E1 interface is given the name of inside with a security level of 100. Because the ip address and global commands specify neither security level nor duplex, answers C and E are incorrect. There is no security-level command on the PIX, so answer D is incorrect.

Question 14

Answers D and E are correct. The PIX firewall categorizes syslog events. A PIX reboot and console logouts are classified as system events. Answers A, B, and C are incorrect because dropped UDP packets, translation slot deletion, and bytes transferred are not classified as system events.

Question 15

Answer C is correct. The dhcpd command is used for virtually all the DHCP server functions on the PIX firewall. dhcp address, dhcp pool, dhcpd ip pool, and dhcpd pool are invalid commands on the PIX, so answers A, B, D, and E are incorrect. The dhcpd address command specifies the range of IP addresses for the server to distribute. This pool of addresses should be planned in such a way that it will not conflict with existing configured addresses on the client network.

Question 16

Answer A is correct. The dhcpd auto_config command enables the PIX to automatically pass the DNS, WINS, and domain name parameters received from an outside DHCP server to internal DHCP clients. dhcpd enable inside enables the service but does not in itself forward configuration parameters learned from a DHCP server, which makes answer E incorrect. Answers B, C, and D are invalid options and are therefore incorrect answers.

Question 17

Answer B is correct. The dhcpd dns command specifies the IP address of the DNS server for the DHCP clients. Up to two DNS servers can be specified with this command. Because 2 is the correct answer, answers A, C, and D are incorrect.

Question 18

Answer D is correct. Configuring the IP pools and options for DHCP clients is a large part of the PIX DHCP configuration. It is also critical that the service, once configured, is enabled on the PIX. Enabling the DHCP daemon within the PIX firewall allows the PIX to listen for DHCP client requests on the enabled interface. Enabling DHCP on the PIX is done by executing the dhcpd enable command. The commands shown in answers A, B, and C are incorrect. Answer E is incorrect because the question does have a correct answer.

Question 19

Answer B is correct. The PIX has tools available that make it a viable solution in a wide variety of scenarios. If a customer has an ISP that is delivering IP addresses and connectivity to the Internet via PPPoE, the PIX firewall is compatible with broadband offerings that require PPPoE usage. The PPPoE is not compatible with failover, L2TP, or PPTP, so answers C, D, and E are incorrect. Reliability is not increased exponentially with PPPoE, so answer A is incorrect.

Question 20

Answer C is correct. The vpdn family of commands configures a VPDN group and user information for PPPoE. Crypto maps, transform sets, and digital certificates are associated with IPSec configurations on the PIX firewall, so answers A, B, and D are incorrect.

Question 21

Answers A, B, and D are correct. Applications using UDP are difficult to secure properly because no handshaking or sequencing is involved. Maintaining the state of a session is difficult because it has no clear beginning, flow state, or end. Because of the difficulty of tracking UDP, it is not as trusted as TCP through the PIX firewall. The PIX approximates UDP sessions and, by default, has a shorter timeout for UDP flows through the PIX. UDP has well-known layer 4 attributes, making answer C incorrect.

Question 22

Answer B is correct. One global and two nat statements is the minimum configuration for the listed requirement because one nat command is needed for each higher security interface (the DMZ and inside) and one global statement is needed for the outside interface. Because you need one global and two nat statements, answers A, C, and D, which show different numbers of nat and global statements, are incorrect. If we changed the scenario and added the requirement for the inside to talk to the DMZ interface as well, you would need to add another global statement to specify the addresses to use when translating from the inside to the DMZ network.
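
An added example (not from the original book) showing the minimum nat/global set the answer describes in PIX 6.x syntax, with constructed documentation-range addresses; the last global line is the extra statement needed only if inside hosts must also reach the DMZ. Lines beginning with ! are annotations, not commands.

```cisco
! Constructed topology: inside 10.1.1.0/24 (security 100), DMZ 172.16.1.0/24
! (security 50), outside interface with a public pool 192.0.2.10-192.0.2.100
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! One nat statement per higher-security interface, both tied to NAT ID 1
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0

! One global statement on the outside interface for NAT ID 1:
! this is the minimum of 1 global + 2 nat for inside->outside and DMZ->outside
global (outside) 1 192.0.2.10-192.0.2.100 netmask 255.255.255.0

! Only if inside hosts must also reach the DMZ: a second global, on the DMZ
! interface, supplies the addresses used when translating inside -> DMZ
global (dmz) 1 172.16.1.200-172.16.1.250 netmask 255.255.255.0
```

Without the global (dmz) line, inside-to-DMZ traffic for NAT ID 1 has no translation pool and is dropped; the two nat statements alone are not enough.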

Question 23

Answer D is correct. Careful planning should be used to avoid overlapping IP addresses between static and nat/global pairs. Use static translations when you want an inside host to always appear with a fixed address on the PIX firewall's global network. Answers A, B, and C are incorrect because static translations always take precedence over nat and global command pairs regardless of where they appear in the configuration.

Question 24

Answer B is correct. Dynamic outside NAT is useful for simplifying router configurations on your internal or perimeter networks by controlling the addresses that appear on these networks. Dozens of outside networks could be made to appear as a few or even one network to the inside hosts. Performance would not improve as a result, so answer A is incorrect. Answers C and D are incorrect because dynamic outside NAT is not used to contain hidden codes or secure packets after failover.

Question 25

Answer C is correct. The nat 0 command lets you disable address translation so that inside IP addresses are visible on the outside without address translation. This is also referred to as identity NAT. With nat 0, the IP address you configure on an inside resource is the same IP address that is used by clients on the outside, as a destination address, to reach the inside resource. NAT-T is an industry standard for transparently using IPSec through NAT devices, which makes answer A incorrect. The alias command is used to help internal clients reach DNS-resolved servers, which makes answer B incorrect. Answer D is incorrect because there is a correct answer.

Question 26

Answers A, B, D, and E are correct. PAT is a many-to-one translation. The outside interface can receive its IP address via DHCP, and this address can be the PAT address as well (although it's not required). For translation from an inside network to the DMZ, the DMZ interface could be used as the PAT address. This is a feature that helps conserve IP addresses because no separate IP address (other than the interface IP) is required in this configuration. The PAT address does not need to be the outside address, so answer C is incorrect.

Question 27

Answer E is correct. PIX versions 6.0 and higher support port redirection, which enables outside users to connect to a specific server/application on a higher security level interface. The static command was modified to accommodate port redirection. The benefit is that you can have a single IP address on the outside (the outside interface address) and, through port redirection, depending on the requested service or port (such as HTTP port 80 or FTP port 21), the PIX can forward that request to the specific physical server on the inside. In addition to the port redirection, you would also need to have the appropriate permissions (ACLs or conduits) in place to allow traffic from the lower security interface to a higher security interface. Answers A, B, C, and D are incorrect because the alias, conduit, global, and nat commands are all valid on the PIX but do not provide port redirection.

Question 28

Answer C is correct. The access-group command binds an ACL to an interface. The ACL is compared against traffic inbound (and only inbound) to that interface. Only one ACL at a time can be bound to an interface using the access-group command. Answers A, B, D, and E are incorrect because they do not apply the access list as required. If an access list is already applied to an interface and the access-group command is used to apply a new access list to the same interface, the new access list replaces the existing one on that interface.
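
An added example (not from the original book) that combines the port-redirection static from question 27 with the ACL and access-group binding from question 28, in PIX 6.x syntax with constructed addresses and ACL names. Lines beginning with ! are annotations, not commands.

```cisco
! Constructed: Web server 10.1.1.5 and FTP server 10.1.1.6 on the inside,
! one public address 192.0.2.10 on the outside shared by both services
! Port redirection: outside 192.0.2.10:80 -> inside 10.1.1.5:80
static (inside,outside) tcp 192.0.2.10 80 10.1.1.5 80 netmask 255.255.255.255
! Same outside address, different port, different inside host
static (inside,outside) tcp 192.0.2.10 21 10.1.1.6 21 netmask 255.255.255.255

! The static only creates the translation; traffic from the lower-security
! outside interface still needs an explicit permit to reach the inside
access-list OUTSIDE_IN permit tcp any host 192.0.2.10 eq 80
access-list OUTSIDE_IN permit tcp any host 192.0.2.10 eq 21

! access-group binds exactly one ACL to an interface, inbound direction only
access-group OUTSIDE_IN in interface outside

! Re-issuing access-group with another ACL name would replace the binding
! (the old ACL stays in the configuration but is no longer applied):
! access-group OUTSIDE_IN_V2 in interface outside
```

Because only the listed ports are permitted, any other inbound connection to 192.0.2.10 is dropped by the implicit deny at the end of OUTSIDE_IN.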

Question 29

Answers A and D are correct. By causing the PIX firewall to compile tables for ACLs, Turbo ACLs improve the average search time for ACLs containing a large number of entries; therefore, answers B and C are incorrect. The Turbo ACL feature is most appropriate for high-end PIX firewall models because it requires significant amounts of memory, making answer E incorrect.

Question 30

Answers A, B, and D are correct. ActiveX controls can provide significant functionality in current applications. Unfortunately, ActiveX controls create a potential security problem because they can provide a way for someone to attack servers. Because of this potential security problem, you can use the PIX firewall to block all ActiveX controls. You can specify that ActiveX controls are not allowed globally, as well as use a configuration that specifies which addresses (source and destination) require ActiveX filtering. Java filtering uses similar syntax and provides the same type of filtering for Java. IOS routers do not process ActiveX controls, so answer C is incorrect. ACLs are not used to identify and block ActiveX, which makes answer E incorrect.

Question 31

Answer C is correct. Access lists can have hundreds of individual lines in them. Object groups simplify the creation of access lists. Using object groups does not improve the performance of an access list, but it does simplify the implementation by the engineer. A complex security policy that normally requires 3,300 ACL entries manually entered might require only 40 ACL entries by using object groups. Turbo ACLs could be used to improve the performance when the resulting ACL entries are longer than 19 lines. Answers A, B, D, and E are incorrect because the serious planning, configuration, implementation, and troubleshooting of a complex security policy are still required even when using object groups.

Question 32

Answer B is correct. The pix(config-protocol)# prompt is the prompt the PIX firewall displays after naming and creating a protocol object group. The prompt changes to reflect the type of object group you are creating. In this example, a protocol object group was created. Answers A, C, D, and E are incorrect because each is an invalid prompt on the PIX.

Question 33

Answers A, B, D, and E are correct. The source IP address, port number, access list name, and ICMP type are valid elements of object groups that can be used in an access list. The main benefit of using object groups is the simplification of ACL creation. By creating the object groups first and then replacing the traditional elements of the ACLs with object groups, implementation of the actual ACL entries can be simplified. The configuration sequence number is not an element identified by an object group, so answer C is incorrect.

Question 34

Answer E is correct. The rip inside passive version 2 command allows you to enable RIP version 2 on the inside interface without broadcasting a default route. The syntax shown in answers A, B, C, and D is not the correct syntax for accomplishing this task, so those answers are incorrect.

Question 35

Answers A and B are correct. The multicast interface command on each interface enables multicast forwarding, and the mroute command creates a static route from the transmission source to the next-hop router. Therefore, answer E is incorrect. This would be the case if you had a multicast server on the DMZ network and you had clients on the outside who needed to receive the multicast stream from the server. The igmp forward command could allow clients on the inside to receive a multicast stream from the outside, so answer C is incorrect. multicast routing is not a valid command on the PIX, so answer D is incorrect.

Question 36

Answers B and D are correct. The PIX does not function as a full-multicast router; however, the PIX does support stub multicast routing (SMR). By using the multicast interface and igmp forward commands, you could allow clients on the inside to receive a multicast stream from a server on a lower security interface, such as the outside, without using GRE tunnels to pass multicast traffic through the PIX. The mroute command is not required for this scenario so answer A is incorrect. Answers C and E are IOS commands and are not found on the PIX, making them incorrect.

Question 37

Answers B, C, and E are correct. The ftp fixup protocol causes the PIX firewall to perform NAT or PAT in the packet payload, create conduits for the FTP data connections, and log FTP commands when syslog is enabled. ftp fixup, which is enabled by default, allows standard (active) FTP to function through the PIX, so answers A and D are incorrect.

Question 38

Answer D is correct. Session Initiation Protocol enables call handling sessions, particularly calls or two-party audio conferences. SIP provides the ability to integrate traditional voice services with Web-based data services, including self-based provisioning, instant messaging, presence, and mobility services. The fixup protocol for SIP allows the PIX to securely manage SIP traffic through the PIX. Answers A, B, and C are all valid protocols the PIX can work with, but they do not match the description and are therefore incorrect.

Question 39

Answers B, C, and D are correct. If you're using a nonstandard SMTP port, you use the fixup protocol smtp command to enable the Mail Guard feature on the nonstandard port. The Mail Guard feature is on by default on port 25, so answer E is incorrect. If Mail Guard fixup is disabled, SMTP traffic, with the appropriate ACLs configured, goes through the PIX but is not inspected for malicious or nonstandard SMTP commands, making answer A incorrect.

Question 40

Answers A, B, C, and E are correct. The DNS Guard is always on and recognizes only outbound DNS queries. UDP packets can return due to the ASA allowing the reply from the DNS server back to the inside client. DNS Guard does not wait for the default UDP timer to close the session but instead closes it after the first DNS response is received from a specific DNS server. If two requests were sent from a client, to two different DNS servers, the PIX allows the first request from each server to return to the client and then closes the return path from the DNS server to the client immediately and independently after each response is returned. DNS Guard does not look for port 51, so answer D is incorrect.

Question 41

Answers A, C, and E are correct. Prior to PIX version 5.2, after the embryonic limit was reached for a particular server, the PIX would drop any new SYN packets destined for the same server. The current version, by default, intercepts new TCP connections until the number of half-formed sessions drops below the embryonic limit, meaning answers B and D are incorrect.

Question 42

Answer A is correct. Intrusion detection is enabled with the PIX firewall ip audit commands, which makes answers B, C, D, and E incorrect. After a policy is created, it can be applied to any PIX firewall interface. When a policy for a given signature class is created and applied to an interface, all supported signatures of that class are monitored unless disabled with the ip audit signature disable command.

Question 43

Answer D is correct. ip audit interface outside DETECT is the correct syntax to apply an IDS policy named DETECT to the outside interface on the PIX, which makes answers A, B, C, and E incorrect. All supported signatures, except those disabled or excluded by the ip audit signature command, become part of the policy by default.

Question 44

Answers B, C, and D are correct. The shun command, intended for use by a Cisco IDS appliance, applies a blocking function to an interface receiving an attack. Packets containing the IP source address of the attacking host are dropped and logged until the blocking function is removed manually or by the Cisco IDS master unit, which makes answer A incorrect. No traffic from the IP source address is allowed to traverse the PIX firewall.

Question 45

Answer D is correct. aaa_username@remote_username is the correct format, making answers A, B, C, and E incorrect. The PIX firewall sends the aaa_username and aaa_password to the AAA server; if the authentication is successful, the remote_username and remote_password are passed to the destination FTP server.

Question 46

Answer D is correct. The aaa group tag is used to direct authentication, authorization, or accounting traffic to the appropriate AAA server, so answers B and C are incorrect. The PIX firewall enables you to define separate groups of TACACS+ and RADIUS servers for specifying different types of traffic, making answer A incorrect.

Question 47

Answers A, B, and E are correct. The PIX firewall interacts with only Telnet, FTP, and HTTP to display the prompts for logging in, so answers C and D are incorrect. You can specify that only a single service be authenticated, but the AAA server must be configured to match so that the firewall and the server agree.

Question 48

Answers A and B are correct. When using virtual Telnet to authenticate inbound clients, the IP address must be an unused global address. When using virtual Telnet to authenticate outbound clients, the IP address must be an unused global address routed directly to the PIX firewall. Inbound and outbound are supported, making answer C incorrect. Virtual Telnet does not provide HTTP forwarding, making answer D incorrect.

Question 49

Answers C and E are correct. Telnet access to the PIX firewall console is available from any internal interface as well as from any outside interface with IPSec configured. The maximum number of simultaneous connections via Telnet is five. Telnet is allowed only on the outside interface when IPSec is used to protect the data stream, so answer D is incorrect. Telnet does not encrypt the packets, and without IPSec protection, it could be susceptible to an eavesdropping attack. Answers A and B are incorrect because the default password is not in-default and RSA keys are not required for Telnet.

Question 50

Answers A and D are correct. RADIUS and TACACS+ are both methods a PIX can use to communicate with an AAA server such as ACS. Downloadable ACLs are supported with RADIUS only. The downloadable ACLs are a function of AAA authentication and require RADIUS, so answer C is incorrect. Authorization, a separate function, is available between the PIX and the ACS only if TACACS+ is used; therefore, answer B is incorrect.

Question 51

Answer A is correct. During authentication, the PIX firewall builds a RADIUS request with the user identification and password and sends it to the AAA server. The AAA server then authenticates the user and retrieves from its configuration database the ACL name associated with the user. The AAA server then builds a RADIUS response packet containing the ACL name and sends it to the PIX firewall. The ACL is stored on the ACS server and is available to the PIX only when using the RADIUS protocol; therefore, answers B, C, D, and E are incorrect.

Question 52

Answer B is correct. When actively functioning, the primary PIX uses the system IP addresses and MAC addresses. The secondary PIX uses the failover IP addresses and MAC addresses when on standby. If the primary PIX fails, it then uses the failover IP and MAC addresses, while the secondary PIX goes active and uses the system addresses. Therefore, answers A, C, D, and E are incorrect.

Question 53

Answers A, B, D, and E are correct. Failover is not successful unless the OS versions, flash, model, and RAM are the same on the PIX firewalls. For failover to work, both firewalls must have the same software version, activation key type, flash memory, and RAM. The manufacture date does not have to be identical on both PIX firewalls, so answer C is incorrect.

Question 54

Answers B, D, and E are correct. When the standby PIX firewall completes its initial bootup, the active firewall replicates its entire configuration to the standby firewall. Commands are entered on the active PIX firewall, making answer A incorrect; they are also sent across the failover cable to the standby firewall. Entering the write standby command on the active PIX firewall forces the entire configuration to be sent to the standby firewall. Because the standby learns its configuration from the active PIX, answer C is incorrect.

Question 55

Answers A, C, and D are correct. The link up/down test does test the NIC. The network activity test tests the received network activity, the ARP test reads the firewall's ARP cache for the 10 most recently acquired entries, and the broadcast ping test sends out a broadcast ping request. The purpose of the tests is to generate network traffic to determine which, if either, PIX firewall has failed. Before each test, the PIX firewall clears its received packet count for its interfaces. The PIX does not use a backup interface after 30 seconds, so answer B is incorrect.

Question 56

Answer D is correct. Configuration replication occurs over the serial failover cable from the primary/active PIX firewall to the secondary/standby PIX firewall, meaning answers A, B, C, and E are incorrect. The configuration is done exclusively on the primary, and the replication happens automatically when the secondary PIX (with the serial failover cable attached) is booted.

Question 57

Answers B, C, and D are correct. LAN-based failover provides long-distance failover functionality; uses an Ethernet cable; requires a dedicated LAN interface; requires a dedicated switch, hub, or VLAN; and uses message encryption and authentication to secure failover transmissions. Using a crossover Ethernet cable between the two PIX firewalls with LAN-based failover is not supported. The ACL packets answer is not real, so answer A is incorrect.

Question 58

Answers B, C, and D are correct. IKE is a hybrid protocol that provides utility services for IPSec, including authentication of the IPSec peers, negotiation of IKE and IPSec security associations (SAs), and establishment of keys for encryption algorithms used by IPSec. IKE is synonymous with ISAKMP in PIX firewall configuration. IKE is not a variant of DES, so answer A is incorrect.

Question 59

Answers A, B, D, and E are correct. The IKE policy parameters are the message encryption algorithm, message integrity algorithm, peer authentication method, key exchange parameters, and ISAKMP-established security association's lifetime. Both IPSec peers need to negotiate a compatible IKE phase 1 policy before an SA can be established between the two devices. RSA key pair generation parameters are not part of IKE policies, so answer C is incorrect.

Question 60

Answer B is correct. The command for enabling IKE on the outside interface is isakmp enable outside. The default name for e0 is OUTSIDE. If ISAKMP is not enabled on a given interface, the PIX is not capable of using that interface to successfully negotiate an IKE phase 1 policy with an IPSec peer. Answers A, C, and D are not the correct commands, so those answers are incorrect.

Question 61

Answer A is correct. Crypto ACLs define which traffic is interesting and is therefore protected by IPSec when included in an active crypto map. Answers B, C, D, and E address items included with IPSec but do not answer the question, so they are incorrect. When a crypto access list is configured and applied via a crypto map, the IPSec device expects any traffic arriving on the PIX interface that matches the inverse (mirror image) of the crypto access list to be encrypted traffic. The crypto access lists on two IPSec peers need to be symmetrical.

Question 62

Answer C is correct. Three transforms can belong to a transform set, making answers A, B, and D incorrect. One of the transforms can specify AH, another can specify ESP encryption, and a third can specify ESP authentication using MD5 or SHA1.
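
An added example (not from the original book) that ties together questions 59 through 62 and the nat 0 identity NAT from question 25 as one PIX 6.x site-to-site IPSec configuration; the peer address, networks, pre-shared key and names are constructed placeholders. Lines beginning with ! are annotations, not commands.

```cisco
! Constructed: local LAN 10.1.1.0/24 behind this PIX, remote LAN 10.2.2.0/24
! behind peer 192.0.2.2. The key string is a placeholder, never a real PSK.
! Q60: ISAKMP must be enabled on the interface that negotiates phase 1
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 192.0.2.2 netmask 255.255.255.255

! Q59: the five IKE phase 1 policy parameters, which must match the peer:
! peer authentication, encryption, integrity, key exchange group, SA lifetime
! (3DES/SHA-1/group 2 are the page-era choices; current deployments use stronger)
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Q61: the crypto ACL defines interesting traffic. The peer's crypto ACL must
! be the mirror image (10.2.2.0/24 -> 10.1.1.0/24) or the SAs will not match.
access-list VPN_TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Q25: nat 0 with the same ACL exempts tunnel traffic from address translation
nat (inside) 0 access-list VPN_TRAFFIC

! Q62: a transform set holds up to three transforms. STRONG uses two
! (ESP encryption + ESP authentication); TRIPLE shows all three slots filled
! (AH authentication + ESP encryption + ESP authentication).
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set TRIPLE ah-sha-hmac esp-3des esp-md5-hmac

! The crypto map binds ACL, peer and transform set, then is applied to outside
crypto map PEERMAP 10 ipsec-isakmp
crypto map PEERMAP 10 match address VPN_TRAFFIC
crypto map PEERMAP 10 set peer 192.0.2.2
crypto map PEERMAP 10 set transform-set STRONG
crypto map PEERMAP interface outside

! Let traffic that arrives inside an IPSec tunnel bypass interface ACL checks
sysopt connection permit-ipsec
```

If the crypto map were left unapplied (no crypto map PEERMAP interface line), question 70 notes that PDM would silently discard it when it parses the configuration.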

Question 63

Answer C is correct. The ip local pool command is used to assign a group of addresses that will dynamically be assigned to the VPN clients, which makes answers A, B, and D incorrect. This pool will be used during IKE phase 1 to hand out local (private) IP addresses to VPN clients. The VPN clients will use these addresses as source addresses when they communicate over the VPN tunnel with corporate resources.

Question 64

Answer C is correct. The VPN group name of TRAINING and password match the group name and password in the VPN client. This password is effectively the preshared key used during IKE phase 1 authentication. Answers A and B are incorrect because they are not valid parameters that need to match. Answer D is incorrect because there is a correct answer.

Question 65

Answer A is correct. The PIX firewall needs to have either a DES or 3DES license to support SSH, which makes answer D incorrect. SSH sessions use the configured Telnet password, which makes answer E incorrect. A maximum of five simultaneous sessions is supported on the PIX. Answers B and C are incorrect because the PIX supports only SSH version 1.

Question 66

Answer D is correct. You can create privilege levels and secure them by using the enable password command, as shown in answer D, which makes answers A, B, C, and E incorrect. You can then gain access to a particular privilege level from the > prompt by entering the enable command with a privilege level designation and entering the password for that level when prompted.

Question 67

Answers B and C are correct. The password recovery for the PIX firewall requires a TFTP server, and files are needed for password recovery. The process involves rebooting the PIX, avoiding a normal startup, going into monitor mode, using the monitor commands to connect to a TFTP server, and using Cisco-provided files for the password recovery. Answers A and D are incorrect because monitor mode is used and privilege levels 15 and 1 are not part of that scenario.

Question 68

Answer C is correct. Selecting Options, Preview Commands Before Sending to PIX enables you to preview any commands generated by any panel before they are sent to the PIX firewall; therefore, answers A and D are incorrect. This is a convenient tool to allow the engineer to see the exact CLI commands that will be issued on the PIX before they are applied. Answer B is incorrect because you can't use the View menu and select the CLI commands at any time.

Question 69

Answers A and B are correct. ESP-DES-SHA and ESP-3DES-SHA, along with their MD5 counterparts, are predefined by PDM. By using the predefined transforms, along with the VPN Wizard built in to the PIX Device Manager, the creation of VPN configurations can be done without using the command-line interface. Answers C and D are incorrect because those transforms are not predefined by PDM.

Question 70

Answer D is correct. PDM does not support crypto maps that are not applied to any interface. If such a map exists in the configuration, PDM parses and ignores it. Therefore, answers A, B, and C are incorrect. By understanding this, you will avoid the loss of an unapplied crypto map. A quick solution is to apply the crypto map to the appropriate interface before PDM parses the configuration. Within PDM, the concept of a crypto map is hidden, even though the end result of the VPN Wizard applies a crypto map to the actual configuration.

Question 71

Answers A, B, and C are correct. The PIX Management Center (MC) provides a workflow and audit trail, allows Web-based management of multiple PIX firewalls, and uses SSL to ensure secure remote connectivity between the browser and server. The MC can support 1,000 PIX firewalls, making answer D incorrect. This enterprise tool enables centralized management and change control in the management of PIX firewalls.

Question 72

Answer B is correct. The PIX MC does not support the use of conduits for access in the PIX firewall. To assist customers who need to migrate their conduits to ACLs so they can use the MC, Cisco has provided a tool named conv. The conv conversion tool uses a command-line interface to convert conduits to their equivalent access lists. Answers A, C, and D are incorrect because they are not PIX-related applications.

Question 73

Answer C is correct. 1741 is the correct port used to launch the PIX MC. Any other port will not be the default port, which is why answers A, B, D, and E are incorrect. To access the management center, a user must open a browser window and type in the URL for the MC server, followed by a colon and the port number of 1741.

Question 74

Answer A is correct. The default poll period is 720 minutes. Every 720 minutes (or 12 hours), a PIX firewall checks with the Automatic Update Server (AUS) to see whether there are any updates, which makes answers B, C, and D incorrect. The AUS can contain updated software images, PDM images, and PIX firewall configuration files.

Question 75

Answers A, C, and E are correct. The Auto Update Server is a tool used to upgrade device configuration files and software images. The main advantage of AUS is that it primarily manages devices that obtain their addresses through DHCP, although it can be used to manage any device that uses the auto update feature. The AUS enables you to manage PIX firewall software images, PDM images, and PIX firewall configuration files. Answers B and D are incorrect because AUS doesn't allow you to manage bug tracking information or IOS firewall feature sets.




CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218
