Question 1 | What can an access list on the PIX use to permit or deny traffic? (Select all that apply.) -
A. Protocol number -
B. IP address (source or destination) -
C. Port number (source or destination) -
D. IPX address (source or destination) |
Question 2 | Which command is used to save the configuration on a PIX firewall? -
A. save -
B. write terminal -
C. sync -
D. write memory -
E. None of the above |
Question 3 | The nameif command does which of the following? (Select all that apply.) -
A. Assigns a name to PIX network interface -
B. Specifies the interface's security level -
C. Configures the interface type and speed -
D. Allows the security-level command to be used |
Question 4 | Which is the correct command to reboot the PIX? -
A. cycle -
B. reload -
C. init 1 -
D. init 5 -
E. restart |
Question 5 | How many syslog messages can be stored on the PIX if all the syslog servers are unavailable? |
Question 6 | IP phones might be required to get their configuration files from a TFTP server. Which command enables the PIX to distribute the IP address of a TFTP server? -
A. dhcpd option 66 -
B. dhcpd option ip-phone tftp -
C. tftp <ip address> ip-phone -
D. tftp ip-phone send -
E. dhcpd ip phone <ip address> |
Question 7 | Which of the following statements is true? (Select all that apply.) -
A. Translations are at the Transport layer. -
B. Translations are a subset of connections. -
C. Connections are at the Transport layer. -
D. Connections are at the Network layer. -
E. Translations are at the Network layer. |
Question 8 | What is the purpose of the DNS option used in a nat or static command? -
A. It allows DNS doctoring (by the PIX) of DNS responses to hosts. -
B. It uses the alias command to perform DNS doctoring. -
C. It filters from any internal host. -
D. It restricts internal users establishing outside connections. |
Question 9 | Which of the following commands implements the Turbo ACL feature for all ACLs? |
Question 10 | Which of the following is correct regarding nesting of object groups? (Select all that apply.) -
A. An object group can be a member of another object group. -
B. A group object can be a member of another group object. -
C. You can nest object groups of different types. -
D. You can nest only object groups that are of the same type. -
E. Object groups cannot be nested. |
Question 11 | Why is there a need for advanced protocol handling with some popular protocols and applications to allow them to work with a firewall? (Select all that apply.) -
A. Source ports can be dynamically assigned. -
B. Destination ports can be dynamically assigned. -
C. IP addresses can be dynamically assigned. -
D. Source ports can be embedded in upper layers. -
E. IP addresses can be embedded above the Network layer. |
Question 12 | Which statement is true regarding the PIX's IDS feature? (Select all that apply.) -
A. It uses a subset of the full signature set available on the IDS appliances. -
B. It uses the full signature set available on the IDS appliances. -
C. It uses a DoS class signature type. -
D. It uses an attack class signature type. -
E. It uses an access class signature type. |
Question 13 | Which IP address goes into the Access Server IP Address field during the installation of ACS on a Windows 2000 computer? -
A. The computer from which you will be accessing the ACS server -
B. The PIX firewall that will be the client of the ACS server -
C. The computer that is running the ACS software -
D. None of the above |
Question 14 | Which of the following is a valid PIX firewall model? (Select all that apply.) -
A. 626 -
B. 506E -
C. 535 -
D. 511 -
E. 501 |
Question 15 | Which license type is available for select firewall models? (Select all that apply.) -
A. Restricted -
B. Unlimited -
C. Unrestricted -
D. Failover |
Question 16 | The capabilities of the clock command include which of the following? (Select all that apply.) -
A. It specifies the time. -
B. It specifies the year. -
C. It is retained by the battery. -
D. It sets the PIX firewall clock. |
Question 17 | If two interfaces are set to the same security level, what is the result? -
A. This is not a possible configuration, and it would not be allowed. -
B. Traffic configured on the lowest-numbered interface would be considered more trusted than the other interface, and traffic would flow from the low number to the high number (for example, E2 traffic would flow to E3). -
C. Traffic configured on the highest-numbered interface would be considered more trusted than the other interface, and traffic would flow from the high number to the low number (for example, E3 traffic would flow to E2). -
D. Traffic would not flow between these two interfaces if the security level was the same on each. |
Question 18 | Customers on the outside need to access a Web server on a DMZ interface. A static has been configured, but customers still can't access the Web server. What needs to be added to make the server accessible from the outside? -
A. NAT 0 -
B. Alias -
C. Access list -
D. Global |
Question 19 | Which applies to the ASA security level 100? -
A. It's the lowest level for the outside interface of the PIX. -
B. It is usually used for your Internet connection. -
C. It's a default that can be changed. -
D. It's the most trusted interface security level. -
E. It's assignable to perimeter interfaces. |
Question 20 | When the multicast source is on the inside, what are the required commands that allow the PIX to forward multicast traffic to the outside? (Select all that apply.) |
Question 21 | Which command, when used with the global command, allows IP address translation? -
A. nat command -
B. ip address command -
C. ip_addr command -
D. nameif command -
E. None of the above |
Question 22 | The PIX firewall can send Syslog messages to document events related to which of the following? -
A. Security -
B. Resources -
C. System -
D. Accounting -
E. All of the above |
Question 23 | The PIX operating system version 6.x is based on which of the following? |
Question 24 | Users need to authenticate with the PIX so they can use their email applications through the PIX. Which service should be configured on the PIX? |
Question 25 | Configuration replication between the active PIX and the standby PIX configured for standard failover occurs over which of the following? -
A. Over any active interface -
B. Over the inside interface -
C. Over the outside interface only if the failure occurred on the inside interface -
D. Over the stateful failover cable -
E. Over the failover cable |
Question 26 | Which two commands work together to perform network address translation? -
A. ip address pppoe and nameif commands -
B. dhcpd dns and dhcpd wins commands -
C. ip address and nameif commands -
D. nat and global commands |
Question 27 | Which statement is true about security levels? -
A. Interfaces with lower security levels can access interfaces with higher security levels. -
B. Interfaces with higher security levels can access interfaces with lower security levels. -
C. Both higher and lower security levels have access to each other with an unrestricted license. -
D. None of the above. |
Question 28 | How does the PIX firewall manage the TCP and UDP protocols? (Select all that apply.) -
A. It uses a stateful database for tracking sessions. -
B. It uses a connection table for TCP and UDP sessions. -
C. It uses a translation table for NAT sessions. -
D. It uses a stateless database for TCP and UDP sessions. |
Question 29 | The PIX 535 firewall can be configured with up to how many interfaces? -
A. 4 -
B. 6 -
C. 8 -
D. 10 -
E. 12 |
Question 30 | Which of the following is not true regarding ACLs? -
A. ACLs improve performance for matching packets. -
B. ACLs enable you to determine which systems can establish connections through your PIX. -
C. Cisco recommends migration from conduits to ACLs if you're using the PIX MC. -
D. Turbo ACLs improve search times for large ACLs. |
Question 31 | The PIX, in combination with which of the following, allows only specific user traffic through the firewall? |
Question 32 | What is the correct command to delete a saved RSA key from flash memory? -
A. write erase -
B. ca zeroize rsa -
C. no rsa key -
D. clear key rsa |
Question 33 | Which of the following is true about the MailGuard feature on the PIX? (Select all that apply.) -
A. The MailGuard feature is enabled by default. -
B. The MailGuard feature is available only on PIX firewalls with at least 32MB of memory. -
C. The MailGuard feature protects against spam. -
D. The MailGuard feature allows only the RFC 821 legal SMTP commands through the PIX. |
Question 34 | What is the function of the object-group command? (Select all that apply.) -
A. It names the object group. -
B. It allows grouping of AAA users. -
C. It enables a sub-command mode for the type of object specified. -
D. It removes all defined object groups not being used. |
Question 35 | Which is true concerning RIP version 2? -
A. The PIX firewall advertises learned RIP multicast updates when RIP is in aggressive mode. -
B. The PIX firewall transmits default route updates if configured for RIP version 2 using the default keyword. -
C. The IP destination is 224.0.0.100. -
D. None of the above. |
Question 36 | Which command allows you to change the enable password to secret? |
Question 37 | Which statement regarding PAT on the PIX is true? -
A. It provides for address expansion. -
B. It maps port numbers to a single IP address. -
C. The PAT address can be different from the outside interface address. -
D. All of the above. |
Question 38 | What does DNS Guard do? (Select all that apply.) -
A. It controls which DNS servers clients can access. -
B. It tears down the UDP return path after the first response from a given DNS server is seen. -
C. It helps prevent UDP session hijacking. -
D. Answers A and B are both correct. |
Question 39 | Which command should be used to allow IKE on the outside interface? |
Question 40 | What is the correct command to set the Telnet password? -
A. password -
B. enable password -
C. telnet password -
D. passwd |
Question 41 | What is required to initiate SSH connections from the PIX to another device? -
A. The Telnet password must be set on the PIX. -
B. It must have a 3DES license on the PIX. -
C. It must have either a DES or 3DES license on the PIX. -
D. None of the above. PIX does not support outbound SSH sessions. |
Question 42 | Which command is used to assign a name to an interface? -
A. name -
B. nameif -
C. hostname -
D. ifName |
Question 43 | Which option allows the PIX to reload without user confirmation when using the reload command? |
Question 44 | Which command should be used to set the speed and duplex on a PIX interface? -
A. speed -
B. 100full -
C. nameif -
D. interface -
E. None of the above |
Question 45 | Which of the following is true concerning the PIX firewall and AAA services? (Select all that apply.) -
A. TACACS+ or RADIUS can be used for authorization. -
B. TACACS+ or RADIUS can be used for authentication. -
C. RADIUS authorization is not supported on the PIX. -
D. TACACS+ can be used with downloadable ACLs. |
Question 46 | Which command specifies a variable IP address that will be used during a new NAT? -
A. nat -
B. static -
C. global -
D. local |
Question 47 | What is the correct command for the PIX to use a default route of 172.168.1.1? -
A. route outside 0.0.0.0 0.0.0.0 172.168.1.1 1 -
B. route outside default 172.168.1.1 1 -
C. route 172.168.1.1 default -
D. route default outside 172.168.1.1 1 |
Question 48 | Which is a valid translation type on the PIX? (Select all that apply.) -
A. dynamic inside nat -
B. static inside nat -
C. dynamic outside nat -
D. static outside nat |
Question 49 | Which syntax would allow any host on the 10.2.0.0/16 network to reach a Web server on the 30.0.0.0/8 network? -
A. access-list ACL1 permit tcp 10.2.0.0 0.0.255.255 30.0.0.0 0.255.255.255 eq 80 -
B. access-list ACL1 permit tcp 10.2.0.0 255.255.0.0 30.0.0.0 255.0.0.0 eq 80 -
C. access-list ACL1 permit tcp 30.0.0.0 0.255.255.255 10.2.0.0 0.0.255.255 eq 80 -
D. access-list ACL1 permit tcp 30.0.0.0 255.0.0.0 10.2.0.0 255.255.0.0 eq 80 |
Question 50 | Which command is used to apply an access list to an interface? -
A. interface -
B. access-list -
C. name-if -
D. access-group |
Question 51 | Which traffic should be allowed through the PIX outside interface to support IPSec? (Select all that apply.) -
A. Protocol 50 -
B. TCP port 23 -
C. UDP port 500 -
D. All of the above |
Question 52 | Which is the best definition of AAA Flood Guard? -
A. It prevents synflood attacks against AAA servers. -
B. It reclaims authorization given to users if attacks are sourced from their AAA-derived IP address. -
C. It reclaims overused AAA resources to help prevent DoS attacks on AAA services. -
D. It is disabled by default. |
Question 53 | Which option is available for the PIX in response to a detected attack? (Select all that apply.) -
A. Send an alarm to a syslog server. -
B. Implement a shun statement to stop future attacks. -
C. Drop the offending packet. -
D. Send a TCP reset if the signature match is TCP based. |
Question 54 | In the PIX MC, valid options for importing a device include all except which of the following? -
A. Import the configuration from a device. -
B. Import the configuration file for a device. -
C. Import the configuration files for multiple devices. -
D. Import the configuration from Cisco Secure Policy Manager. |
Question 55 | Which of the statements is true regarding access rules in the PIX MC? (Select all that apply.) -
A. Rules are recognized as either mandatory or default. -
B. Rules can be applied only at a group level or individual device. -
C. Default rules can be overridden. -
D. Rules can be applied at the global level. |