Taking the Test

Relax. When you're sitting in front of the testing computer, there's nothing more you can do to increase your knowledge or preparation. Take a deep breath, stretch, and start reading that first question.

You don't need to rush, either. You have plenty of time to complete each question, and if you're taking a fixed-length test, you'll have time to return to the questions you skipped or marked for return. On a fixed-length test, if you read a question twice and you remain clueless, you can mark it; if you're taking an adaptive test, you'll have to guess and move on. Both easy and difficult questions are intermixed throughout the test in random order. If you're taking a fixed-length test, don't cheat yourself by spending too much time on a hard question early in the test, thereby depriving yourself of the time you need to answer the questions at the end of the test. If you're taking an adaptive test, don't spend more than 5 minutes on any single question; if it takes you that long to get nowhere, it's time to guess and move on.

On a fixed-length test, you can read through the entire test, and, before returning to marked questions for a second visit, you can figure out how much time you have per question. As you answer each question, remove its mark. Continue to review the remaining marked questions until you run out of time or complete the test.

On an adaptive test, set a maximum time limit for questions and watch your time on long or complex questions. If you reach your limit, it's time to guess and move on. Don't deprive yourself of the opportunity to see more questions by taking too long to puzzle over questions, unless you think you can figure out the answer. Otherwise, you're limiting your opportunities to pass.

That's it for pointers. Here are some questions for you to practice on. Good luck!

Question 1

What can an access list on the PIX use to permit or deny traffic? (Select all that apply.)

  • A. Protocol number

  • B. IP address (source or destination)

  • C. Port number (source or destination)

  • D. IPX address (source or destination)

Question 2

Which command is used to save the configuration on a PIX firewall?

  • A. save

  • B. write terminal

  • C. sync

  • D. write memory

  • E. None of the above

Question 3

The nameif command does which of the following? (Select all that apply.)

  • A. Assigns a name to a PIX network interface

  • B. Specifies the interface's security level

  • C. Configures the interface type and speed

  • D. Allows the security-level command to be used

Question 4

Which is the correct command to reboot the PIX?

  • A. cycle

  • B. reload

  • C. init 1

  • D. init 5

  • E. restart

Question 5

How many syslog messages can be stored on the PIX if all the syslog servers are unavailable?

  • A. Zero.

  • B. 100.

  • C. 250.

  • D. 500.

  • E. This is limited only by the physical memory of the PIX platform.

Question 6

IP phones might be required to get their configuration files from a TFTP server. Which command enables the PIX to distribute the IP address of a TFTP server?

  • A. dhcpd option 66

  • B. dhcpd option ip-phone tftp

  • C. tftp <ip address> ip-phone

  • D. tftp ip-phone send

  • E. dhcpd ip phone <ip address>

Question 7

Which of the following statements is true? (Select all that apply.)

  • A. Translations are at the Transport layer.

  • B. Translations are a subset of connections.

  • C. Connections are at the Transport layer.

  • D. Connections are at the Network layer.

  • E. Translations are at the Network layer.

Question 8

What is the purpose of the DNS option used in a nat or static command?

  • A. It allows DNS doctoring (by the PIX) of DNS responses to hosts.

  • B. It uses the alias command to perform DNS doctoring.

  • C. It filters from any internal host.

  • D. It restricts internal users establishing outside connections.

Question 9

Which of the following commands implements the Turbo ACL feature for all ACLs?

  • A. access-list turbo all

  • B. access-list turbo compiled all

  • C. access-list compiled

  • D. No command is needed; the Turbo ACL feature is on by default.

  • E. turbo-acl compile all

Question 10

Which of the following is correct regarding nesting of object groups? (Select all that apply.)

  • A. An object group can be a member of another object group.

  • B. A group object can be a member of another group object.

  • C. You can nest object groups of different types.

  • D. You can nest only object groups that are of the same type.

  • E. Object groups cannot be nested.

Question 11

Why is there a need for advanced protocol handling with some popular protocols and applications to allow them to work with a firewall? (Select all that apply.)

  • A. Source ports can be dynamically assigned.

  • B. Destination ports can be dynamically assigned.

  • C. IP addresses can be dynamically assigned.

  • D. Source ports can be embedded in upper layers.

  • E. IP addresses can be embedded above the Network layer.

Question 12

Which statement is true regarding the PIX's IDS feature? (Select all that apply.)

  • A. It uses a subset of the full signature set available on the IDS appliances.

  • B. It uses the full signature set available on the IDS appliances.

  • C. It uses a DoS class signature type.

  • D. It uses an attack class signature type.

  • E. It uses an access class signature type.

Question 13

Which IP address goes into the Access Server IP Address field during the installation of ACS on a Windows 2000 computer?

  • A. The computer from which you will be accessing the ACS server

  • B. The PIX firewall that will be the client of the ACS server

  • C. The computer that is running the ACS software

  • D. None of the above

Question 14

Which of the following is a valid PIX firewall model? (Select all that apply.)

  • A. 626

  • B. 506E

  • C. 535

  • D. 511

  • E. 501

Question 15

Which license type is available for select firewall models? (Select all that apply.)

  • A. Restricted

  • B. Unlimited

  • C. Unrestricted

  • D. Failover

Question 16

The capabilities of the clock command include which of the following? (Select all that apply.)

  • A. It specifies the time.

  • B. It specifies the year.

  • C. It is retained by the battery.

  • D. It sets the PIX firewall clock.

Question 17

If two interfaces are set to the same security level, what is the result?

  • A. This is not a possible configuration, and it would not be allowed.

  • B. Traffic configured on the lowest-numbered interface would be considered more trusted than the other interface, and traffic would flow from the low number to the high number (for example, E2 traffic would flow to E3).

  • C. Traffic configured on the highest-numbered interface would be considered more trusted than the other interface, and traffic would flow from the high number to the low number (for example, E3 traffic would flow to E2).

  • D. Traffic would not flow between these two interfaces if the security level was the same on each.

Question 18

Customers on the outside need to access a Web server on a DMZ interface. A static has been configured, but customers still can't access the Web server. What needs to be added to make the server accessible from the outside?

  • A. NAT 0

  • B. Alias

  • C. Access list

  • D. Global

Question 19

Which applies to the ASA security level 100?

  • A. It's the lowest level for the outside interface of the PIX.

  • B. It is usually used for your Internet connection.

  • C. It's a default that can be changed.

  • D. It's the most trusted interface security level.

  • E. It's assignable to perimeter interfaces.

Question 20

When the multicast source is on the inside, what are the required commands that allow the PIX to forward multicast traffic to the outside? (Select all that apply.)

  • A. igmp forward

  • B. mroute

  • C. multicast routing

  • D. multicast interface

  • E. No command is required. By default, the PIX forwards traffic from high security interfaces to low security interfaces.

Question 21

Which command, when used with the global command, allows IP address translation?

  • A. nat command

  • B. ip address command

  • C. ip_addr command

  • D. nameif command

  • E. None of the above

Question 22

The PIX firewall can send Syslog messages to document events related to which of the following?

  • A. Security

  • B. Resources

  • C. System

  • D. Accounting

  • E. All of the above

Question 23

The PIX operating system version 6.x is based on which of the following?

  • A. BSD Unix

  • B. ATT Unix

  • C. The Hardened NT kernel

  • D. Cisco IOS

  • E. The Proprietary Finesse operating system

Question 24

Users need to authenticate with the PIX so they can use their email applications through the PIX. Which service should be configured on the PIX?

  • A. Virtual SMTP.

  • B. Virtual HTTP.

  • C. Virtual Telnet.

  • D. SMTP fixup, which is on by default, will allow the traffic.

Question 25

Configuration replication between the active PIX and the standby PIX configured for standard failover occurs over which of the following?

  • A. Over any active interface

  • B. Over the inside interface

  • C. Over the outside interface only if the failure occurred on the inside interface

  • D. Over the stateful failover cable

  • E. Over the failover cable

Question 26

Which two commands work together to perform network address translation?

  • A. ip address pppoe and nameif commands

  • B. dhcpd dns and dhcpd wins commands

  • C. ip address and nameif commands

  • D. nat and global commands

Question 27

Which statement is true about security levels?

  • A. Interfaces with lower security levels can access interfaces with higher security levels.

  • B. Interfaces with higher security levels can access interfaces with lower security levels.

  • C. Both higher and lower security levels have access to each other with an unrestricted license.

  • D. None of the above.

Question 28

How does the PIX firewall manage the TCP and UDP protocols? (Select all that apply.)

  • A. It uses a stateful database for tracking sessions.

  • B. It uses a connection table for TCP and UDP sessions.

  • C. It uses a translation table for NAT sessions.

  • D. It uses a stateless database for TCP and UDP sessions.

Question 29

The PIX 535 firewall can be configured with up to how many interfaces?

  • A. 4

  • B. 6

  • C. 8

  • D. 10

  • E. 12

Question 30

Which of the following is not true regarding ACLs?

  • A. ACLs improve performance for matching packets.

  • B. ACLs enable you to determine which systems can establish connections through your PIX.

  • C. Cisco recommends migration from conduits to ACLs if you're using the PIX MC.

  • D. Turbo ACLs improve search times for large ACLs.

Question 31

The PIX, in combination with which of the following, allows only specific user traffic through the firewall?

  • A. Cisco Secure ACS

  • B. Traffic Director

  • C. Management Center

  • D. Cisco Secure Policy Manager

Question 32

What is the correct command to delete a saved RSA key from flash memory?

  • A. write erase

  • B. ca zeroize rsa

  • C. no rsa key

  • D. clear key rsa

Question 33

Which of the following is true about the MailGuard feature on the PIX? (Select all that apply.)

  • A. The MailGuard feature is enabled by default.

  • B. The MailGuard feature is available only on PIX firewalls with at least 32MB of memory.

  • C. The MailGuard feature protects against spam.

  • D. The MailGuard feature allows only the RFC 821 legal SMTP commands through the PIX.

Question 34

What is the function of the object-group command? (Select all that apply.)

  • A. It names the object group.

  • B. It allows grouping of AAA users.

  • C. It enables a sub-command mode for the type of object specified.

  • D. It removes all defined object groups not being used.

Question 35

Which is true concerning RIP version 2?

  • A. The PIX firewall advertises learned RIP multicast updates when RIP is in aggressive mode.

  • B. The PIX firewall transmits default route updates if configured for RIP version 2 using the default keyword.

  • C. The IP destination is

  • D. None of the above.

Question 36

Which command allows you to change the enable password to secret?

  • A. enable secret secret

  • B. enable password secret

  • C. passwd secret

  • D. set enable secret

Question 37

Which statement regarding PAT on the PIX is true?

  • A. It provides for address expansion.

  • B. It maps port numbers to a single IP address.

  • C. The PAT address can be different from the outside interface address.

  • D. All of the above.

Question 38

What does DNS Guard do? (Select all that apply.)

  • A. It controls which DNS servers clients can access.

  • B. It tears down the UDP return path after the first response from a given DNS server is seen.

  • C. It helps prevent UDP session hijacking.

  • D. Answers A and B are both correct.

Question 39

Which command should be used to allow IKE on the outside interface?

  • A. crypto isakmp enable outside

  • B. crypto isakmp enable e0

  • C. isakmp enable outside

  • D. isakmp enable e0

Question 40

What is the correct command to set the Telnet password?

  • A. password

  • B. enable password

  • C. telnet password

  • D. passwd

Question 41

What is required to initiate SSH connections from the PIX to another device?

  • A. The Telnet password must be set on the PIX.

  • B. It must have a 3DES license on the PIX.

  • C. It must have either a DES or 3DES license on the PIX.

  • D. None of the above. PIX does not support outbound SSH sessions.

Question 42

Which command is used to assign a name to an interface?

  • A. name

  • B. nameif

  • C. hostname

  • D. ifName

Question 43

Which option allows the PIX to reload without user confirmation when using the reload command?

  • A. noconfirm

  • B. justdoit

  • C. confirm

  • D. There is no option for this; user confirmation is required before a reload occurs.

Question 44

Which command should be used to set the speed and duplex on a PIX interface?

  • A. speed

  • B. 100full

  • C. nameif

  • D. interface

  • E. None of the above

Question 45

Which of the following is true concerning the PIX firewall and AAA services? (Select all that apply.)

  • A. TACACS+ or RADIUS can be used for authorization.

  • B. TACACS+ or RADIUS can be used for authentication.

  • C. RADIUS authorization is not supported on the PIX.

  • D. TACACS+ can be used with downloadable ACLs.

Question 46

Which command specifies a variable IP address that will be used during a new NAT?

  • A. nat

  • B. static

  • C. global

  • D. local

Question 47

What is the correct command for the PIX to use a default route of

  • A. route outside 1

  • B. route outside default 1

  • C. route default

  • D. route default outside 1

Question 48

Which is a valid translation type on the PIX? (Select all that apply.)

  • A. dynamic inside nat

  • B. static inside nat

  • C. dynamic outside nat

  • D. static outside nat

Question 49

Which syntax would allow any host on the / 16 network to reach a Web server on the / 8 network?

  • A. access-list ACL1 permit tcp 30.0.0. 0 eq 80

  • B. access-list ACL1 permit tcp eq 80

  • C. access-list ACL1 permit tcp eq 80

  • D. access-list ACL1 permit tcp eq 80

Question 50

Which command is used to apply an access list to an interface?

  • A. interface

  • B. access-list

  • C. name-if

  • D. access-group

Question 51

Which traffic should be allowed through the PIX outside interface to support IPSec? (Select all that apply.)

  • A. Protocol 50

  • B. TCP port 23

  • C. UDP port 500

  • D. All of the above

Question 52

Which is the best definition of AAA Flood Guard?

  • A. It prevents synflood attacks against AAA servers.

  • B. It reclaims authorization given to users if attacks are sourced from their AAA-derived IP address.

  • C. It reclaims overused AAA resources to help prevent DoS attacks on AAA services.

  • D. It is disabled by default.

Question 53

Which option is available for the PIX in response to a detected attack? (Select all that apply.)

  • A. Send an alarm to a syslog server.

  • B. Implement a shun statement to stop future attacks.

  • C. Drop the offending packet.

  • D. Send a TCP reset if the signature match is TCP based.

Question 54

In the PIX MC, valid options for importing a device include all except which of the following?

  • A. Import the configuration from a device.

  • B. Import the configuration file for a device.

  • C. Import the configuration files for multiple devices.

  • D. Import the configuration from Cisco Secure Policy Manager.

Question 55

Which of the statements is true regarding access rules in the PIX MC? (Select all that apply.)

  • A. Rules are recognized as either mandatory or default.

  • B. Rules can be applied only at a group level or individual device.

  • C. Default rules can be overridden.

  • D. Rules can be applied at the global level.

CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
EAN: 2147483647
Year: 2003
Pages: 218
