| Question 1 | Which of the following statements are true regarding proxy servers? (Select all that apply.) -
A. They examine packets at higher layers of the OSI model. -
B. They limit packets going into a network based on static packet header information. -
C. They have high performance under stress. -
D. They provide fault tolerance using a single proxy. -
E. They have a single point of failure. |
| Question 2 | Which of the following statements is true regarding stateful packet filtering? (Select all that apply.) -
A. It has slower performance than a proxy firewall. -
B. It has better performance than a proxy server. -
C. It maintains complete session state. -
D. It records data only for connection-oriented communications. -
E. Packets are compared against the stateless database. |
| Question 3 | Which of the following statements is true about a connection logged in a stateful session flow table? -
A. It's for inbound TCP connections only. -
B. It's for outbound TCP connections only. -
C. It's used each time a TCP connection is established inbound or outbound. -
D. It's used only when a TCP connection is established from a lower security level to higher level. |
| Question 4 | Where should configuration be applied in a fault-tolerant scenario? -
A. On the primary firewall only -
B. On the secondary firewall only -
C. On the active firewall only -
D. On the standby firewall only |
| Question 5 | In which bus should a quad Ethernet card or a VPN Accelerator card be installed on a PIX 535? -
A. Bus 0 -
B. Bus 1 -
C. Bus 2 -
D. Bus 3 -
E. Bus 4 |
| Question 6 | Which of the following is correct regarding PIX license keys? -
A. The key is specific to the hardware platform. -
B. The key is not specific to the software version. -
C. The key is specific to the serial number on the box. -
D. The key is specific to the show system serial number. -
E. The key is specific to the software version. |
| Question 7 | Which administrative access modes does a PIX firewall support? (Select all that apply.) -
A. Configuration -
B. User -
C. Privileged -
D. Monitor -
E. Object- group |
| Question 8 | Which of the following best describes the options in privileged mode? -
A. Change current settings -
B. Change system configurations -
C. Modify IPX network parameters -
D. Recover passwords -
E. View future features |
| Question 9 | What are the two ways in which to configure the PIX firewall through interactive prompts? (Select all that apply.) -
A. Use the setup command. -
B. Use the init 0 command. -
C. Use the init 6 command. -
D. Reboot the PIX. -
E. Erase the saved configuration and reboot the PIX. |
| Question 10 | To obtain a software feature upgrade, what information is needed? -
A. Serial number displayed by the write terminal command -
B. The serial number on the chassis -
C. The serial number displayed by the show version command -
D. Either the serial number on the chassis or the serial number displayed by the show version command -
E. Either the serial number on the chassis or the serial number displayed by the write terminal command |
| Question 11 | Which of the following characterizes the PIX's Adaptive Security Algorithm? (Select all that apply.) -
A. It randomizes initial TCP sequence numbers . -
B. It randomizes all TCP sequence numbers. -
C. It tracks source and destination ports. -
D. It tracks TCP flags. -
E. It randomizes TCP flags. |
| Question 12 | Which of the following is true regarding the ASA? -
A. Allows one-way outbound connections without explicit configuration for each internal system application -
B. Allows one-way outbound connections with explicit configuration for each internal system and application -
C. Allows two-way outbound connections without explicit configuration for each internal system and application -
D. Allows two-way outbound connections with explicit configuration for each internal system and application -
E. Allows two-way inbound connections without explicit configuration for each internal system and application |
| Question 13 | What are the correct commands to specify the security level and duplex for an interface? (Select all that apply.) -
A. interface -
B. nameif -
C. ip address -
D. security-level -
E. global |
| Question 14 | Which PIX syslog events are considered system events? (Select all that apply.) |
| Question 15 | Which command is used to specify the DHCP pool used by the PIX firewall to support DHCP clients ? -
A. dhcp address -
B. dhcp pool -
C. dhcpd address -
D. dhcpd ip pool -
E. dhcpd pool |
| Question 16 | You have configured the PIX to obtain its outside IP address via DHCP. You want the PIX to forward configuration parameters received from the DHCP server on the outside interface to inside DHCP client hosts . What command should you use? |
| Question 17 | How many DNS servers can a DHCP client acquire from a PIX DHCP server? |
| Question 18 | What is the command to start the DHCP server service on a PIX firewall? -
A. dhcp enable -
B. service dhcp -
C. dhcp service -
D. dhcpd enable -
E. None of the above |
| Question 19 | Which of the following statements is true regarding the PIX and PPPoE? -
A. PPPoE increases reliability exponentially. -
B. PPPoE is used with broadband connections. -
C. The PIX's PPPoE client is compatible with failover. -
D. The PIX's PPPoE client is compatible with L2TP. -
E. The PIX's PPPoE client is compatible with PPTP. |
| Question 20 | Which option is used when configuring PPPoE on the PIX? |
| Question 21 | Why is UDP difficult to inspect properly? (Select all that apply.) -
A. It has no sequencing or handshaking. -
B. It has no clear beginning. -
C. It uses unknown layer 4 attributes. -
D. It has no clear flow state. |
| Question 22 | What is the minimum number of nat and global statements to allow dmz hosts and inside hosts to reach servers on the outside? -
A. One global , one nat -
B. One global , two nat -
C. Two global , one nat -
D. Two global , two nat |
| Question 23 | What happens when a global command and static command compete to use the same IP address? -
A. The first one appearing in the configuration uses the IP address. -
B. The first one that actually uses the IP address is given exclusive use of it. -
C. The global command, being systemwide , always takes precedence over a static command. -
D. The static command takes precedence over the nat and global pairs. |
| Question 24 | What would be an ideal reason to use dynamic outside NAT? -
A. To improve the performance of the ASA -
B. To simplify router configuration on internal or perimeter networks -
C. To contain hidden codes that can destroy data on the internal network -
D. To promptly secure packets after failover |
| Question 25 | What technique is used to allow an inside host to have the same local and global inside address? |
| Question 26 | Which of the following statements is correct regarding PAT? (Select all that apply.) -
A. It can use the outside interface address as the PAT address. -
B. It can use the DMZ interface address as the PAT address. -
C. The PAT address must be the outside interface IP address. -
D. PAT and NAT can be used together. -
E. The PAT address can be received via DHCP. |
| Question 27 | You have only one publicly routable IP address available, and this is the PAT address. Which command will enable an outside host to connect to specific servers on the inside interface for a specific service? -
A. alias -
B. conduit -
C. global -
D. nat -
E. static |
| Question 28 | You want to apply an access list named DMZ to the inside interface. What is the correct command? -
A. access-list DMZ apply inside -
B. access-group DMZ out inside -
C. access-group DMZ in interface inside -
D. access-group DMZ interface inside out -
E. access-group DMZ out interface inside |
| Question 29 | Which of the following is true regarding Turbo ACLs? (Select all that apply.) -
A. Turbo ACLs improve the average search time for all ACLs containing a large number of entries. -
B. Turbo ACLs improve the average search time for all ACLs containing any number of entries. -
C. Turbo ACLs improve the average search time only for ACLs containing a small number of entries. -
D. Turbo ACLs require a significant amount of memory. -
E. Turbo ACLs do not require a significant amount of memory. |
| Question 30 | Why can ActiveX controls create security problems on your network? (Select all that apply.) -
A. ActiveX controls can be inserted into Web pages. -
B. ActiveX controls can be used to attack servers. -
C. ActiveX controls can be used to reroute packets on an IOS router. -
D. ActiveX controls can be inserted into applications. -
E. ACLs are used to block ActiveX controls. |
| Question 31 | What is the purpose of object groups? -
A. To easily apply specific security policies to specific groups -
B. To ease the configuration of security policies -
C. To reduce the number of ACL entries required to implement complex security policies -
D. To speed the configuration of complex security policies -
E. To ease troubleshooting issues when implementing security policies |
| Question 32 | After issuing the object-group protocol MYPROTO command, which prompt does the PIX display? -
A. pix(config-if)# -
B. pix(config-protocol)# -
C. pix(object-config)# -
D. pix(network-config)# -
E. pix(config-object)# |
| Question 33 | Which elements of an access list can be replaced using an object group? (Select all that apply.) |
| Question 34 | You want to enable RIP version 2 on the inside interface of the PIX. You do not want the PIX to broadcast a default route. What is the correct command to accomplish this? -
A. rip version 2 default inside -
B. rip version 2 passive inside -
C. rip version 2 inside -
D. rip inside version 2 passive -
E. rip inside passive version 2 |
| Question 35 | What is the required command(s) to allow the PIX to forward multicast traffic if the multicast source is on a higher security level interface? (Select all that apply.) |
| Question 36 | What is the required command(s) to allow hosts on the inside to receive multicast traffic from a server on the outside of the PIX? (Select all that apply.) -
A. mroute -
B. multicast interface -
C. igmp join -
D. igmp forward -
E. multicast routing |
| Question 37 | Which of the following is correct regarding the fixup protocol for FTP? (Select all that apply.) -
A. You must manually enable this command for standard FTP port inspection. -
B. It is enabled by default for standard FTP port inspection. -
C. It causes the PIX to perform NAT or PAT in the payloads of packets. -
D. You must manually configure the fixup protocol ftp command to perform NAT or PAT for packet payloads. -
E. It automatically logs ftp commands. |
| Question 38 | Which advanced protocol enables call handling sessions ”particularly two-party audio conferences? -
A. SCCP -
B. H.323 -
C. RTSP -
D. SIP |
| Question 39 | The Mail Guard feature inspects port 25 by default. Which of the following is correct for the fixup protocol for SMTP? (Select all that apply.) -
A. If it's disabled, no SMTP traffic is allowed through the PIX. -
B. If it's disabled, all SMTP traffic is allowed through the PIX. -
C. It allows only RFC-compliant commands through the PIX. -
D. It's enabled by default. -
E. It must be manually enabled. |
| Question 40 | Which of the following is true when using the DNS Guard feature? (Select all that apply.) -
A. DNS Guard always remains on. -
B. The DNS server response is recognized by the PIX firewall. -
C. After a DNS request, UDP packets are allowed to return from the DNS server. -
D. DNS Guard recognizes an inbound query to port 51. -
E. DNS Guard tears down the UDP conduit after the first DNS response is received. |
| Question 41 | Which statement is true regarding the PIX's TCP Intercept feature for OS versions 5.2 and higher? (Select all that apply.) -
A. It's on by default when you optionally configure an embryonic limit. -
B. It must be explicitly configured. -
C. When the embryonic limit is reached, the PIX intercepts SYN packets. -
D. When the embryonic limit is reached, the PIX drops new SYN packets. -
E. The PIX can respond to a SYN with a SYN/ACK packet after the embryonic limit is reached. |
| Question 42 | Which command is used to enable intrusion detection on the PIX? -
A. ip audit -
B. ip ids -
C. ip info -
D. ip attack -
E. ip access |
| Question 43 | Which command is used to apply an IDS policy named DETECT to the outside interface? -
A. ip audit outside DETECT -
B. ip audit in interface outside DETECT -
C. ip audit outside DETECT -
D. ip audit interface outside DETECT -
E. ip audit DETECT interface outside |
| Question 44 | Which of the following applies when considering the PIX firewall's shunning capabilities? (Select all that apply.) -
A. The shun command's blocking capability is applied only when the specified connection is currently active. -
B. The shun command is designed primarily for use by a Cisco IDS appliance. -
C. The blocking function can be removed manually or automatically by the IDS appliance. -
D. Packets are dropped if they contain the IP source address of the attacking host. |
| Question 45 | When authenticating to the PIX via FTP, with AAA enabled, what is the correct way to enter your username if the authentication database differs from the username configured on the remote FTP server you are trying to access? -
A. aaa_username -
B. remote_username -
C. remote_username@aaa_username -
D. aaa_username@remote_username -
E. Both usernames must be the same to authenticate. |
| Question 46 | What is the purpose of the aaa group tag? -
A. To specify RADIUS-only server groups -
B. To enable identical groups of TACACS+ servers -
C. To access servers one at a time for a close, examined startup -
D. To direct authentication, authorization, or accounting traffic to the appropriate AAA server |
| Question 47 | Which protocol can be used with AAA authentication prompts? (Select all that apply.) -
A. FTP -
B. HTTP -
C. Kerberos -
D. SIP -
E. Telnet |
| Question 48 | Which statement is true regarding Virtual Telnet? (Select all that apply.) -
A. It provides a mechanism for users to authenticate with the PIX. -
B. The IP address must be an unused global address to authenticate inbound and outbound clients. -
C. The IP address must be an unused global address to authenticate outbound clients only. -
D. After authentication, the PIX firewall forwards a Web request to the intended Web server. |
| Question 49 | Which of the following statements is true regarding Telnet? (Select all that apply.) -
A. The default password for Telnet is in-default . -
B. The PIX requires the generation of RSA keys to support Telnet. -
C. The PIX allows a maximum of five simultaneous Telnet sessions. -
D. Telnet is available on the outside interface with or without IPSec. -
E. Telnet is available on the outside interface if it's used with IPSec. |
| Question 50 | Which is true regarding the PIX firewall and AAA services? (Select all that apply.) -
A. TACACS+ or RADIUS can be used for authentication. -
B. TACACS+ or RADIUS can be used for authorization. -
C. TACACS+ can be used with downloadable ACLs. -
D. RADIUS authorization is not supported on the PIX. |
| Question 51 | When using the PIX's downloadable named ACL feature, where can the ACLs that will be downloaded into the PIX reside? -
A. RADIUS server -
B. TACACS+ server -
C. Router -
D. TFTP server -
E. FTP server |
| Question 52 | When the primary PIX fails, which IP addresses and MAC addresses will the primary PIX use? -
A. The system IP addresses and system MAC addresses -
B. The failover IP addresses and MAC addresses -
C. The primary IP addresses and primary MAC addresses -
D. The virtual IP addresses and virtual MAC addresses -
E. The virtual IP addresses and primary MAC addresses |
| Question 53 | For a PIX to successfully fail over, which of the following parameters must be the same on all the PIXs configured for failover? (Select all that apply.) |
| Question 54 | When are commands replicated from the active PIX to the standby PIX? (Select all that apply.) -
A. When changes are made to the standby. -
B. As commands are entered on the active PIX. -
C. The standby PIX must be manually configured. -
D. When the standby PIX firewall completes its initial bootup . -
E. When the write standby command is used. |
| Question 55 | Which of the following is correct regarding the failover interface testing process? (Select all that apply.) -
A. The purpose of the tests is to determine which PIX firewall has failed. -
B. After 30 seconds of no response on an interface, the PIX uses the backup interface. -
C. One test sends out a broadcast ping request. -
D. The Link Up/Down test tests the NIC. |
| Question 56 | How does configuration replication occur between the active PIX firewall and the standby PIX firewall configured for standard failover? -
A. Over any active interface -
B. Over the inside interface -
C. Over the outside interface only if the failure occurred on the inside interface -
D. Over the failover cable -
E. Over the stateful failover cable |
| Question 57 | Which of the following is a characteristic of LAN-based failover? (Select all that apply.) -
A. It incorporates the ACL packets in flow tables. -
B. It can use message encryption and authentication to secure failover transmissions. -
C. It requires a dedicated switch, hub, or VLAN. -
D. It uses an Ethernet cable rather than the serial failover cable. |
| Question 58 | Which of the following describes IKE? (Select all that apply.) -
A. It is a variant of DES. -
B. It provides authentication of the IPSec peers. -
C. It is synonymous with ISAKMP. -
D. It is a hybrid protocol. |
| Question 59 | The IKE policy parameters include which of the following? (Select all that apply.) -
A. The peer authentication method -
B. The message encryption algorithm -
C. RSA key pair generation parameters -
D. The message integrity algorithm -
E. The ISAKMP-established security association's lifetime |
| Question 60 | Which command allows you to enable ISAKMP on e0 ? |
| Question 61 | What is the purpose of crypto ACLs? -
A. To define interesting traffic -
B. To encrypt traffic -
C. To decrypt traffic -
D. To prevent traffic from using the IPSec tunnel -
E. To authenticate IPSec peers |
| Question 62 | What is the maximum number of transforms that can belong to a transform set? |
| Question 63 | What is the command ip local pool used for? -
A. DHCP pools -
B. DHCPD pools -
C. IPSec pools -
D. VPDN pools |
| Question 64 | Which configuration item is vital for a VPN software client successfully connecting to a PIX using IPSec? -
A. The VPN group IP address matches the address in the VPN client. -
B. The VPN group ACL count matches the count in the VPN client. -
C. The VPN group password matches the password in the VPN client. -
D. None of the above. |
| Question 65 | Which of the following statements is true regarding SSH? -
A. The PIX supports only SSH version 1. -
B. The PIX supports only SSH version 2. -
C. The PIX supports either SSH version 1 or 2. -
D. The PIX must have a 3DES activation key to support SSH. -
E. SSH passwords are configured with the ssh passwd command. |
| Question 66 | What is the correct command to associate privilege level 10 with the password of supersecret ? -
A. enable supersecret 10 -
B. privilege 10 password supersecret -
C. privilege 10 supersecret -
D. enable password supersecret level 10 -
E. enable password supersecret 10 |
| Question 67 | What is required for password recovery on a PIX? (Select all that apply.) -
A. Privilege level 15 password -
B. A TFTP server -
C. Files from Cisco designed for password recovery -
D. Privilege level 1 password |
| Question 68 | In PDM, how do you allow the previewing of commands before sending them to the PIX firewall? -
A. The GUI prevents the viewing of the actual CLI commands. -
B. Use the View menu and select the CLI commands at any time. -
C. Select Options, Preview Commands Before Sending to PIX. -
D. Select Tools, Preview Task Dialog Before Sending to PIX. |
| Question 69 | Which of the following transforms is predefined by PDM? (Select all that apply.) -
A. ESP-DES-SHA -
B. ESP-3DES-SHA -
C. ESP-3DES-AH -
D. ESP-DES-AH |
| Question 70 | What does PDM do when it reads a crypto map from a configuration, if the map is not applied to any interfaces? -
A. PDM logs it in a stateful flow table. -
B. PDM applies it to the required interface based on deduction . -
C. PDM prompts you to run setup. -
D. PDM parses and ignores it. |
| Question 71 | Which of the following statements is true regarding the PIX Management Center? (Select all that apply.) -
A. It provides a workflow and audit trail. -
B. It allows Web-based management of multiple PIX firewalls. -
C. It uses SSL to ensure secure remote connectivity between the browser and server. -
D. It supports a maximum of 100 PIX firewalls. |
| Question 72 | What is the name of the conversion tool to convert conduits to access lists? -
A. makeACL -
B. conv -
C. con2acl -
D. mcfixup |
| Question 73 | From a browser, what is the correct port used to launch the PIX MC? -
A. 443 -
B. 1812 -
C. 1741 -
D. 80 -
E. 1742 |
| Question 74 | How often does a PIX firewall check with the AUS for updates? -
A. Every 720 minutes -
B. Every 800 minutes -
C. Every 1440 minutes -
D. Every 1460 minutes |
| Question 75 | What does AUS allow you to manage? (Select all that apply.) -
A. PIX firewall software images -
B. Bug tracking information -
C. PDM images -
D. IOS firewall feature sets -
E. PIX firewall configuration files |
