9E0-111 (CSPFA)
Cisco Secure PIX Firewall Advanced
Version 4.0
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 2 -
Important Note, Please Read Carefully
Study Tips
This product will provide you questions and answers along with detailed explanations
carefully compiled and written by our experts. Try to understand the concepts behind the
questions instead of cramming the questions. Go through the entire document at least twice so
that you make sure that you are not missing anything.
Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at
/>
Latest Version
We are constantly reviewing our products. New material is added and old material is revised.
Free updates are available for 90 days after the purchase. You should check your member
zone at TestKing an update 3-4 days before the scheduled exam date.
Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click
the links.
For most updates, it is enough just to print the new questions at the end of the new version,
not the whole document.
Feedback
Feedback on specific questions should be send to You should state:
Exam number and version, question number, and login ID.
Our experts will answer your mail promptly.
Explanations
Currently this product does not include explanations. If you are interested in providing
TestKing with explanations contact
. Include the following
information: exam, your background regarding this exam in particular, and what you consider
a reasonable compensation for the work.
Copyright
Each pdf file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular pdf file is being
distributed by you, TestKing reserves the right to take legal action against you according to
the International Copyright Laws.
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 3 -
Note:
Section A contains 100 questions.
Section B contains 57 questions.
Section C contains 170 questions.
The total numbers of questions is 327.
Section A
QUESTION NO: 1
You are the network security administrator for an enterprise network with a complex
security policy.
Which PIX Firewall feature should you configure to minimize the number of ACLs
needed to implement your policy?
A. ASA
B. Packet capture
C. Turbo ACLs
D. IP helper
E. Object grouping
Answer: E
QUESTION NO: 2
IPSec works with which switching paths:
A. Process switching
B. Optimum switching
C. Fast switching
D. Flow switching
Answer: A
QUESTION NO: 3
Speaking of Security Association requirements, which of the following statements is
true?
A. A set of SAs are needed, one per direction, per protected data pipe.
B. A set of SAa are needed, one per direction, per protocol, per protected data pipe.
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 4 -
C. A set of SAs are needed, one per protocol only.
D. A set of SAs are needed, per protocol, per protected data pipe.
Answer: B
QUESTION NO: 4
The graphic shows the output from the show failover command. This unit is active and
the other unit is Standby. For an unknown reason, the failover is triggered and this unit
has become Standby.
We enter the command “show failover” again.
What shall we see as the ip address of the [active-interface-inside]?
A. 172.29.1.2
B. 192.168.89.1
C. 0.0.0.0
D. 172.29.1.1
Answer: D
QUESTION NO: 5
Which of the following statements is not true regarding the DNS Guard?
A. If disabled, can be enabled by the command: fixed protocol dns 53
B. The default UDP time expires in two minutes.
C. Immediately tears down the UDP conduit on the PIX Firewall as soon as the DNS
response is received.
D. Prevents against UDP session hijacking and denial of service attacks.
Answer: A
QUESTION NO: 6
In helping the user to choose the right IPSec transforms combinations, the following
rules apply: (Choose all that apply)
A. To provide authentication services for the transform set, include an AH transform.
B. For authentication services include an ESP authentication transform.
C. To provide data authentication for the data and the outer IP header, include an AH
transform.
D. For data confidentiality include an ESP encryption transform.
E. ND5 is stronger than SHA.
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 5 -
Answer: A, B, C, D
QUESTION NO: 7
What is the command that enables IPSec traffic to bypass the check of conduit or access-
group command statements?
A. conduit permit ip any any all
B. access-list acl_out permit tcp any any all access-group acl_out interface outside
C. sysopt connection permit-ipsec
D. conduit permit tcp any any all
Answer: C
QUESTION NO: 8
All of the following statements are true, except:
A. Use nat command to let users on the respective interfaces start outbound connections.
Associate the nat id with the global-id in the global command.
B. An interface is always outside when compared to another interface that has a higher
security level.
C. Use a single default route statement to the outside interface only.
Set the default route with the ip route command.
D. To permit access to servers on protected networks, use the static conduit commands.
E. Packets can not flow between interfaces that have the same security level.
Answer: C
QUESTION NO: 9
Which of the following statements are not true: (Choose all that apply)
A. DMZ interface can be considered an inside, or outside interface.
B. DMZ interface is always considered inside.
C. Traffic originating from the inside interface to the outside interface of the PIX Firewall
will be allowed to flow unless restricted by access lists.
D. Traffic originating from the outside interface to the inside interface of the PIX Firewall
will be dropped unless specifically allowed.
E. DMZ interface is always considered outside.
Answer: B, E
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 6 -
QUESTION NO: 10
Adaptive Security Algorithm (ASA) is the heart of the PIX Firewall. Choose the strict
rules that ASA follows: (Choose all that apply)
A. The highest security interface is the inside interface.
B. The highest security interface is the outside interface.
C. No outbound packet can exit the PIX Firewall without a connection and state.
D. No packet, regardless of its direction, can traverse the PIX Firewall without a
connection or state.
E. No inbound packet can enter the PIX Firewall without a connection and state.
Answer: A, D
QUESTION NO: 11
Which statements about the PIX Firewall in VoIP environments are true? (Choose two)
A. The PIX Firewall does not support the popular call setup protocol SIP because TCP
can be used for call setup.
B. The PIX Firewall allows SCCP signaling and media packets to traverse the PIX
Firewall and interoperate with H.323 terminals.
C. The PIX Firewall supports the Skinny Client Control Protocol, which allows you to
place IP phones and Call Manager on separate sides of the PIX Firewall.
D. Users behind the PIX Firewall can place outbound calls with IP phones because they
use HTTP tunneling to route packets through port 80, making them appear as web
traffic.
Answer: B, C
QUESTION NO: 12
Your organization’s web traffic has come to a halt because your PIX Firewall is
dropping all new connection attempts. Why?
A. You are running a software version older than 5.2, and the embryonic threshold you
set in the static command was reached.
B. The shun feature of the PIX Firewall has taken effect because the embryonic threshold
you set in the nat command was reached.
C. The TCP Intercept feature of the PIX Firewall has taken affect because the embryonic
threshold you set in the static command was reached.
D. The intrusion detection feature of the PIX Firewall has taken effect because the
embryonic threshold you set in the conduit command was reached.
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 7 -
Answer: A
QUESTION NO: 13
Which tasks can be performed from the Access Rules tab? (Choose three)
A. Configure translation rules.
B. Configure Cisco Secure ACS.
C. Configure access rules.
D. Define Java and ActiveX filtering rules.
E. Configure command authorization.
F. Create service groups and apply them to ACLs.
Answer: C, D, F
QUESTION NO: 14
Where in PDM do you go to add, delete, or view global pools of addresses to be used by
NAT?
A. Global Pools tab
B. System Properties tab
C. Manage Pools button on the Translation Rules tab
D. IP Address Pools button on the VPN tab
Answer: C
QUESTION NO: 15
Which step is optional when creating a crypto map on the PIX Firewall?
A. Create a crypto map entry identifying the crypto map with a unique crypto map name
and sequence number.
B. Specify which transform sets are allowed for this crypto map entry.
C. Specify a dynamic crypto map to act as a policy template where the missing
parameters are later dynamically configured to match a peer’s requirements.
D. Assign an ACL to the crypto map entry.
E. Specify the peer to which IPSec-protected traffic can be forwarded.
Answer: C
QUESTION NO: 16
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 8 -
Which type of downloadable ACLs are best when there are frequent requests for
downloading a large ACL?
A. Named ACLs
B. Unnamed ACLs
C. Dynamic ACLs
D. Static ACLs
Answer: A
QUESTION NO: 17
Why is the group tag in the aaa-server command important?
A. The aaa command references the group tag to know where to direct authentication,
authorization, or accounting traffic.
B. The group tag identifies which users require authorization to use certain services.
C. The group tag identifies which user groups must authenticate.
D. The group tag enables or disables user authentication services.
Answer: A
QUESTION NO: 18
You have already created an ACL named ACLIN to permit traffic from certain Internet
hosts to the web server on your DMZ.
How do you make the ACL work for you? (Choose two)
A. Bind the ACL to the DMZ interface.
B. Bind the ACL to the inside interface.
C. Bind the ACL to the outside interface.
D. Create a static mapping for the DMZ server.
E. Create a static mapping for the web server.
F. Create a conduit mapping for the web server.
Answer: C, E
QUESTION NO: 19
Cicso PDM consists of five major configuration areas. Choose these areas.
A. Monitoring
B. Hosts or networks
C. Access rules
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 9 -
D. System properties
E. Preferences
F. Translation rules
Answer: A, B, C, D, F
QUESTION NO: 20
How does the PIX Firewall know where to get the addresses to use for any NAT
configuration?
A. From the nat_id in the static command.
B. You can have only one global pool of addresses, so the PIX Firewall knows that NAT
uses the addresses in the global pool established by the global command.
C. From the nat_id in the nat command.
D. From the nat_id in the dhcp address command.
Answer: C
QUESTION NO: 21
What is the purpose of the access-group command?
A. Bind an ACL to an interface.
B. Create an object group.
C. Create and access group.
D. Unbind the acl_ID from the interface interface_name
Answer: A
QUESTION NO: 22
Which statements about security level 100 are true? (Choose two)
A. It is the lowest security level.
B. It is the highest security level.
C. It is the least-trusted security level.
D. By default it is designated for the inside interface of the PIX Firewall.
E. It is not currently a configurable security level.
It is reserved for future use.
F. By default, it is designated for the outside interface of the PIX Firewall.
Answer: B, D
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 10 -
QUESTION NO: 23
Which statements about the PIX Firewall’s DHCP capabilities are true? (Choose two)
A. It can be a DHCP server.
B. It cannot be a DHCP client.
C. You must remove a configured domain name.
D. It can be a DHCP server and client simultaneously.
E. It cannot pass configuration parameters it receives from another DHCP server to its
own DHCP clients.
F. The PIX Firewall’s DHCP server can be configured to distribute the IP address of up
to four DNS servers to its clients.
Answer: A, D
QUESTION NO: 24
The LAN-based failover your configured does not work. Why? (Choose two)
A. You used a hub for failover operation.
B. You used a switch for failover operation.
C. You used a dedicated VLAN for failover operation.
D. You did not set a failover IP address.
E. You did not use a crossover Ethernet cable between the two PIX Firewalls.
F. You used a crossover Ethernet cable between the two PIX Firewalls.
Answer: D, F
Explanation:
LAN-Based Failover
It is recommended that you connect the Primary and Secondary PIXes with a
dedicated switch.
Do not use crossover cables. In the diagram above, a Cisco Catalyst 3500
switch connects the Primary and Secondary PIXes. The LAN failover and
stateful failover links are in different VLANs, VLAN 10 and VLAN 20,
respectively. The inside-router and outside-router are used only for the
sake of testing connectivity.
QUESTION NO: 25
How are LAN-based failover and serial failover alike?
A. Both require that all configuration is performed on the primary PIX Firewall.
B. Both require the use of a special serial cable.
C. They are configured with the same command set.
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 11 -
D. Both require two dedicated interfaces: one for configuration replication and another
for stateful failover
E. Both provide stateful failover.
Answer: E
QUESTION NO: 26
Choose the correct statements regarding ACLs & Conduits:
A. A conduit creates a rule on the PIX Firewall Adaptive Security Algorithm by denying
connections from one interface to access hosts on another.
B. An ACL applies to a single interface, affecting all traffic entering that interface
regardless of its security level.
C. An ACL applies to a single interface, affecting all traffic entering that interface based
in its security level.
D. A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by
permitting connections from one interface to access hosts on another.
Answer: A
QUESTION NO: 27
What is the command to remove a group of previously defined object-group commands?
A. Both answers are correct.
B. clear object-group
C. Both answers are incorrect.
D. no object-group
Answer: A
QUESTION NO: 28
With the IKE disabled, which of the following statements are true on a router? (Choose
all that apply)
A. The peer’s IPSec SA will never time out for a given IPSec session.
B. CA can not be used.
C. The command to disable IKE is: no crypto isakmp
D. The user must manually define all the IPSec security associations in the crypto maps at
all peers.
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 12 -
Answer: A, B, D
Explanation: Disabling IKE
To disable IKE, you will have to make these concessions at the peers:
You must manually specify all the IPSec security associations in the crypto
maps at all peers.
IPSec security associations will never time out for a given IPSec session.
The encryption keys never change during IPSec sessions between peers.
Anti-replay services will not be available between the peers.
CA support cannot be used.
To disable IKE, use the following command:
no crypto isakmp enable interface-name
QUESTION NO: 29
This security protocol provides data confidentiality and protection with optional
authentication and replay-detection services.
A. What is ESP
B. What is DES
C. What is IKE
D. What is AH
E. What is RSA
Answer: A
QUESTION NO: 30
What is the command to enable a PIX Firewall to inspect port 554 for RTSP traffic?
A. fixup protocol rtsp 554
B. inspect rtsp 554
C. fixup rtsp 554
D. inspect protocol rtsp 554
Answer: A
QUESTION NO: 31
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 13 -
H.323 is more complicated than other traditional protocols because:
A. It requires a high amount of bandwidth.
B. It uses more than one TCP port.
C. It is sensitive to delays.
D. It requires client reconfiguration.
Answer: B
QUESTION NO: 32
Speaking of the translation table of a PIX Firewall, by default, if there is no translated
packets for a particular IP address, the entry times out and gets removes from the table.
This timeout period is:
A. User- Configurable and by default is 5 minutes
B. User- Configurable and by default is 60 minutes.
C. User- Configurable and by default is 180 minutes.
D. not User- Configurable and by default is 5 minutes.
E. not User- Configurable and by default is 2 Minutes.
F. not User- Configurable and by default is 60 Minutes.
Answer: C
QUESTION NO: 33
Firewall operations are based on one of the following technologies:
- Packet filtering
- Proxy Server
- Stateful packet filtering
Which is the method used by PIX Firewall?
A. Packet Filtering
B. Stateful Packet Filtering
C. All answers are incorrect
D. Proxy server
Answer: B
QUESTION NO: 34
Which statements about intrusion detection in the PIX Firewall are true? (Choose two)
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 14 -
A. When a policy for a given signature class is created and applied to an interface, all
supported signatures of that class are monitored unless you disable them.
B. Only the signatures you enable will be monitored.
C. The PIX Firewall supports only inbound auditing.
D. IP audit policies must be applied to an interface with the ip audit interface command.
E. When a policy for a given signature class is created and applied to an interface, all
supported signatures of that class are monitored and cannot be disabled until you
remove the policy from the interface.
F. IP audit policies must be applied to an interface with the ip audit signature command.
Answer: A, D
QUESTION NO: 35
Why are packets inspected on the PIX Firewall?
A. For valid users.
B. For misconfiguration.
C. For incorrect address.
D. For malicious application misuse.
Answer: D
QUESTION NO: 36
What command reassigns a specific command to a different privilege level?
A. privilege
B. command auth
C. level-priv
D. curpriv
Answer: A
QUESTION NO: 37
Which command enables IKE on the outside interface?
A. ike enable outside
B. ipsec enable outside
C. isakmp enable outside
D. ike enable (outbound)
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 15 -
Answer: C
QUESTION NO: 38
Why use ESP security protocol rather than the AH security protocol when creating a
VPN with IPSec?
A. ESP provides ant-replay and AH does not.
B. ESP provides data integrity and AH does not.
C. ESP provides data confidentiality and AH does not.
D. ESP provides data origin authentication and AH does not.
Answer: C
QUESTION NO: 39
You have configured the PIX Firewall and a AAA server for authentication. Telnet and
FTP authentication work normally, but HTTP authentication does not. Why?
A. You have not enabled HTTP, Telnet, and FTP authorization, which is required for
HTTP authentication.
B. You have not enabled HTTP authorization, which is required for HTTP authentication.
C. HTTP authentication is not supported.
D. Re-authentication maybe taking place with the web browser sending the cached
username and password back to the PIX Firewall.
Answer: D
QUESTION NO: 40
Which are functions of the object-group command? (Choose two)
A. Defines members of an object group.
B. Names an object group.
C. Enables sub-command mode.
D. Inserts an object group in an ACL.
E. Displays a list of the current configured object groups of the specified type.
F. Describes the object group.
Answer: B, C
QUESTION NO: 41
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 16 -
Why create Turbo ACL’s only on high-end PIX Firewall models, such as the PIX
Firewall 525 or 535?
A. They are not supported in any of the low-end models, such as the 506.
B. Turbo ACLs require significant amounts of memory.
C. Turbo ACLs are processor-intensive.
D. Although turbo ACLs improve ACL search time with any PIX Firewall model, they
are complicated and rather difficult to configure.
It is unlikely that environments using low-end models have personnel properly trained
to configure turbo ACLs
Answer: B
QUESTION NO: 42
When are duplicate objects allowed in object groups?
A. When they are due to the inclusion of group objects.
B. When a group object is included, which causes the group hierarchy to become circular.
C. Never
D. Always, because there are no conditions or restrictions.
Answer: A
QUESTION NO: 43
Which statement about the configuration mode for the PIX Firewall is true?
A. Privileged mode commands, unprivileged mode commands, and configuration mode
commands all work in configuration mode.
B. Only configuration mode commands work in configuration mode.
C. Unprivileged mode commands and configuration mode commands work in
configuration mode, but you must exit the configuration mode in order to execute
privileged mode commands.
D. Privileged mode commands and configuration mode commands work in configuration
mode, but you must exit both these modes in order to execute unprivileged mode
commands.
Answer: A
QUESTION NO: 44
Which statement about the PIX Firewall Syslog is true?
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 17 -
A. Syslog messages can be used to create log files, and can be displayed on the console of
a designated Syslog host, but they cannot be used to create e-mail alerts.
B. If all Syslog servers are offline, the PIX Firewall stores up to 100 messages in its
memory and then deletes the messages in its memory to make room for subsequent
messages.
C. The PIX Firewall sends Syslog messages to document such events as denied TCP
connections, translation slot depletion, console logins and bytes transferred for each
connection.
D. All Syslog messages are denied unless explicitly permitted.
Answer: C
QUESTION NO: 45
In the output of the show failover command, what does cable status waiting mean?
A. The active PIX Firewall is working and the standby PIX Firewall is ready.
B. Monitoring the other PIX Firewall’s network interface has not yet started.
C. The active PIX Firewall is waiting for configuration replication to be completed.
D. The primary PIX Firewall has finished testing the standby PIX Firewall’s interfaces
and the standby PIX Firewall is waiting to take control.
Answer: B
QUESTION NO: 46
Your new network administrator has recently modified your PIX Firewall’s
configuration. You are suddenly experiencing security breaches involving Internet mail.
What change did the administrator make?
A. He disabled the PIX Firewall’s mailpor fixup.
B. He disabled the PIX Firewall’s smtp fixup.
C. He enabled the Pix Firewall’s ils fixup on port 25.
D. He defined the port on which to activate Mail Guard.
Answer: B
QUESTION NO: 47
What is the command that clears all IPSec security associations at the router?
A. clear crypto sa
B. clear isakmp
C. no crypto sa
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 18 -
D. crypto sa disable
Answer: A
Explanation:
clear [crypto] ipsec sa
or
clear [crypto] ipsec sa peer ip-address | peer-name
or
clear [crypto] ipsec sa map map-name
or
clear [crypto] ipsec sa entry destination-address protocol spi
Clear IPSec security associations.
Note Using the clear [crypto] ipsec sa command without parameters will
clear out the full security association database,
which will clear out active security sessions. You may also specify the
peer, map, or entry keywords to clear out only a subset of the security
association database. For more information, see the clear [crypto] ipsec sa
command within "Command Reference."
QUESTION NO: 48
You have configured your router with the following command:
crypto ipsec transform-set goodform ah-sha-hmac csp-des-csp-
sha-hmac
A. The peer does not have to have a matching transform set.
Parameters will be dynamically negotiated.
B. The peer must also have the same transform set parameters specified.
C. The peer must also have the same transform set name specified.
D. The peer must also have the same transform set name and parameters specified.
Answer: B
QUESTION NO: 49
Which of the following statements are true regarding the sanity check of PIX Firewall’s
failover feature? (Choose all that apply)
A. Both PIX Firewalls exchange failover HELLO packets over failover cable every 15
seconds.
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 19 -
B. With Network Activity test, the PIX Firewall counts all received packets for up to 5
seconds.
If no traffic is received, the PIX is declared nonoperational and the standby takes over.
C. Both PIX Firewalls exchange failover HELLO packets over all network interfaces.
D. PIX Firewall performs a broadcast and checks the responses.
Answer: A, C, D
QUESTION NO: 50
What is the command that causes PIX Firewall to prompt user for username and
password?
A. uauth
B. auth-prompt
C. aaa authentication
D. aaa new-model
Answer: C
QUESTION NO: 51
Which of the following statement is correct?
A. Installing an additional interface card on a PIX Firewall is as simple as adding a NIC
to a PC, but you must have a license for it from Cisco.
B. Installing an additional interface card on a PIX Firewall is as simple as adding a NIC
to a PC.
Answer: A
QUESTION NO: 52
On a PIX Firewall, as a general rule:
A. There is no general rule.
The software configuration decides which one is the outside and which one is the
inside interface.
B. Ethernet 0 is always the outside network connection and Ethernet 1 is always the
inside network connection.
C. Ethernet 0 is always the inside network connection and Ethernet 1 is always the
outside network connection.
D. There is no general rule.
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 20 -
The priority command applied to the interface decides which interface is the outside
and which interface is the inside.
Answer: B
QUESTION NO: 53
How does the PIX Firewall handle multimedia applications? (Choose two)
A. It supports multimedia only with NAT.
B. It supports multimedia only without NAT.
C. It supports multimedia with or without NAT.
D. Multimedia applications are not allowed because they pose a security risk.
E. It dynamically opens and closes UDP ports for secure multimedia connections.
F. It opens a large range of ports for these applications if you configure the PIX Firewall
to support multimedia.
Answer: C, E
QUESTION NO: 54
Which command sets the Telnet password to cisco?
A. enable telnet password cisco
B. telnet password cisco
C. password cisco
D. passwd cisco
Answer: D
QUESTION NO: 55
Which commands configure the PIX Firewall’s PPPoE client?
A. Only vpdn group, vpdn username, and ip address pppoe.
B. Only vpngroup and vpnusername.
C. Only vpdn group and interface pppoe.
D. Only vpngroup and ip address pppoe.
Answer: A
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 21 -
QUESTION NO: 56
Which statement about AAA and the PIX Firewall is true?
A. Authorization is valid without authentication, but authentication is never valid without
authorization.
B. Authorization is valid without authentication, and authentication is valid without
authorization.
C. Authentication is valid without authorization, but authorization is never valid without
authentication.
D. Authentication and authorization are never valid without accounting.
Answer: C
QUESTION NO: 57
Which three problems can ActiveX cause for network clients using the PIX Firewall?
(Choose three)
A. It can attack servers.
B. It can block HTML commands.
C. It can block HTML comments.
D. It can download Java applets.
E. It can cause workstations to fail.
F. It can introduce network security problems.
Answer: A, E, F
QUESTION NO: 58
Which statement about the PIX Firewall is true?
A. The PIX Firewall passes RIP updates between interfaces.
B. You cannot configure the PIX Firewall to learn routes dynamically from RIP version 1
or RIP version 2 broadcast.
C. The PIX Firewall uses the dynamically learned routes to forward traffic to the
appropriate destinations but does not propagate learned routes to other devices.
D. The PIX Firewall uses dynamically learned routes to forward traffic to the appropriate
destinations, passes RIP updates between its interfaces, and propagates learned routes
to other devices.
Answer: C
QUESTION NO: 59
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 22 -
You primary PIX Firewall is currently the active unit in your failover topology.
What will happen to the current IP addresses on the primary PIX Firewall if it fails?
A. They become those of the standby PIX Firewall.
B. The ones on the primary PIX Firewall remain the same, but the current IP addresses of
the secondary become the virtual IP addresses you configured.
C. They are deleted.
D. The ones on both the primary and secondary PIX Firewalls are deleted and both
assume the failover IP addresses you configured.
Answer: A
QUESTION NO: 60
IPSec enables PIX Firewall VPN features. At what OSI layer does IPSec funtion?
A. 3 & 4
B. 7
C. 2
D. 3
E. 5
Answer: A
Explanation:
IPSec Framework
The IPSec framework is a set of open standards developed by the Internet
Engineering Task Force (IETF).
This framework provides security services at Layer 3, the Network layer of
the OSI model.
The IPSec framework provides these features:
Peer Authentication
Data Integrity
Data Origin Authentication
The IPSec framework facilitates these features using two types of tunnels:
Key Management Tunnels (also known as IKE tunnels)
Data Management Tunnels (also known as IPSec tunnels)
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 23 -
Both key management and data management tunnels comprise Security
Associations.
QUESTION NO: 61
You existing IPSec network comprises of 6 peers. Due to company expansion, one more
peer is added to your network. As a key administrator, how many 2-part key
configurations would you have to create?
A. 1
B. 6
C. 5
D. None
E. 2
Answer: B
QUESTION NO: 62
The hardware requirements of the Stateful Failover are: (Choose all that apply)
A. Two identical PIX Firewall units.
FIX 520 or later model is recommended by Cisco.
B. The LAN ports for Stateful Failover on both PIX Firewall units should be connected
with a crossover cable or through a hub or switch.
C. A failover cable with the correct terminals.
D. Dedicated 10BaseT Ethernet ports on both PIX Firewall units must be connected and
fully functional in full Duplex mode.
Answer: A, B, C
QUESTION NO: 63
Preparation to configure VPN support has several steps. The first two steps are:
- plan for IKE
- plan for IPSec
The goal of these advance planning are:
A. To investigate whether the budget allocated for the project will suffice.
B. To minimize misconfiguration.
C. To locate and remove bottleneck before the production phase.
D. To evaluate IPSEC and IKE parameter for optimal security and performance.
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 24 -
Answer: B
QUESTION NO: 64
On a PIX Firewall, you want to see the IP addresses assigned to your inside, outside and
DMZ interfaces.
What is the command you use?
A. show interface *
B. show controllers
C. show ip address
D. show interfaces
Answer: C
QUESTION NO: 65
In a recent survey conducted by the Computer Security Institute, what percent of the
organizations polled stated that their network security defenses had been breached?
A. 70 percent
B. 37 percent
C. 7 percent
D. 27 percent
Answer: A
QUESTION NO: 66
When do you have access to the interactive setup dialog that helps you perform initial
configuration required to use PDM?
A. Only when an unconfigured PIX Firewall starts up.
B. Each time your PIX Firewall reloads.
C. When you enter the startup command at the configuration prompt.
D. When an unconfigured PIX Firewall boots up or when you enter the setup command
at the configuration mode prompt.
Answer: D
QUESTION NO: 67
9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com
- 25 -
If you configure a VPN between a Cisco VPN Client and the PIX Firewall using pre-
shared keys for authentication, which should you do? (Choose two)
A. Use pre-shared keys for authentication.
B. Use digital certificates for authentication instead of pre-shared keys.
C. Do not use digital certificates for authentication.
D. Ensure that the password on the VPN client matches the vpngroup password on the
PIX Firewall.
E. Ensure that the group name differs from the VPN group name on the PIX Firewall.
F. Ensure that the group name on the VPN Client matches the vpngroup name on the
PIX Firewall.
Answer: D, F
QUESTION NO: 68
Which statement about the PIX Firewall and virtual HTTP is true?
A. The PIX Firewall enables web browsers to work correctly with its HTTP
authentication.
The PIX Firewall redirects the web browser’s initial connection to an IP address,
which resides on it, authenticates the user, and the redirects the browser back to the
URL the user originally requested.
B. The PIX Firewall supports virtual Telnet, but not virtual HTTP.
C. The PIX Firewall enables RADIUS authorization by redirecting the web browser’s
initial connection to an IP address which resides on a web server you specify,
authorizing the user, and then redirecting the browser back to the URL the user
originally requested.
D. The PIX Firewall enables you to access URLs from its console.
Answer: A
QUESTION NO: 69
Which statement about object groups is true?
A. Duplicate objects are allowed in object groups unless they are due to the inclusion of
group objects.
B. An object group cannot be a member of another object group.
C. An object group can be a member of another object group.
D. Duplicate objects are not allowed in object groups.
Answer: C