Download the full version (.pdf) (122 pages)

Cisco Secure PIX Firewall Advanced Version 7.0

You are viewing an abridged version of the document. View and download the full version here (1.27 MB, 122 pages)

9E0-111 (CSPFA)
Cisco Secure PIX Firewall Advanced
Version 7.0

9E0 - 111
Leading the way in IT testing and certification tools, www.testking.com


- 2 -
Important Note, Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations
carefully compiled and written by our experts. Try to understand the concepts behind the
questions instead of cramming the questions. Go through the entire document at least twice so
that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at
/>


Latest Version
We are constantly reviewing our products. New material is added and old material is revised.
Free updates are available for 90 days after the purchase. You should check your member
zone at TestKing an update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

1. Go to www.testking.com

2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click
the links.

For most updates, it is enough just to print the new questions at the end of the new version,
not the whole document.

Feedback
Feedback on specific questions should be sent to You should state:
Exam number and version, question number, and login ID.

Our experts will answer your mail promptly.

Explanations
Currently this product does not include explanations. If you are interested in providing
TestKing with explanations contact
. Include the following
information: exam, your background regarding this exam in particular, and what you consider
a reasonable compensation for the work.

Copyright

Each pdf file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular pdf file is being
distributed by you, TestKing reserves the right to take legal action against you according to
the International Copyright Laws.
Note:
Section A contains 106 questions.
Section B contains 57 questions.
Section C contains 170 questions.
The total number of questions is 333.




Section A

QUESTION NO: 1
You are the network security administrator for an enterprise network with a complex
security policy.
Which PIX Firewall feature should you configure to minimize the number of ACLs
needed to implement your policy?


A. ASA
B. Packet capture
C. Turbo ACLs

D. IP helper
E. Object grouping

Answer: E
Explanation:
To simplify your configuration, object grouping is supported in Cisco PIX Device Manager
Version 2.0. Object grouping enables you to define groups of objects such as hosts, IP
addresses, or network services. You can use these groups, for example, when you create and
apply access rules. When you include a Cisco PIX Firewall object group in a PIX Firewall
command, it is the equivalent of applying every element of the object group to the PIX
Firewall command.

Reference: Cisco PIX Device Manager Version 2.0



QUESTION NO: 2
IPSec works with which switching paths: (Select all that apply.)

A. Process switching
B. Optimum switching
C. Fast switching
D. Flow switching

Answer: A, C
Explanation:
Supported Switching Paths
IPSec works with process switching, fast switching, and Cisco Express Forwarding (CEF).
IPSec does not work with optimum or flow switching.

Reference: Configuring IPSec Network Security

/>4/scdipsec.pdf

QUESTION NO: 3
Speaking of Security Association requirements, which of the following statements is
true?

A. A set of SAs are needed, one per direction, per protected data pipe.
B. A set of SAs are needed, one per direction, per protocol, per protected data pipe.
C. A set of SAs are needed, one per protocol only.
D. A set of SAs are needed, per protocol, per protected data pipe.


Answer: B
Explanation:
A set of SAs are needed for a protected data pipe, one per direction per protocol. For
example, if you have a pipe that supports ESP between peers, one ESP SA is required for each
direction. SAs are uniquely identified by destination (IPSec endpoint) address, security
protocol (AH or ESP), and security parameter index (SPI).

Reference: Configuring IKE Shared Secret Using AAA Server

/>kessaaa.pdf


QUESTION NO: 4
The graphic shows the output from the show failover command.

** Graphic output missing ***

This unit is active and the other unit is Standby. For an unknown reason, the failover is
triggered and this unit has become Standby.
We enter the command “show failover” again.
What shall we see as the ip address of the [active-interface-inside]?

A. 172.29.1.2
B. 192.168.89.1
C. 0.0.0.0
D. 172.29.1.1


Answer: D
Explanation:
When the primary PIX Firewall fails and the secondary PIX Firewall becomes active, the
secondary PIX Firewall assumes the system IP addresses and MAC addresses of the primary
PIX Firewall. The primary PIX Firewall, now functioning in standby, assumes the failover IP
addresses and MAC addresses of the secondary PIX Firewall.

Note: The graphic is missing so it's hard to choose the correct answer.


Reference: Cisco Secure PIX Firewalls (Ciscopress) page 176



QUESTION NO: 5
Which of the following statements is not true regarding the DNS Guard?

A. If disabled, can be enabled by the command: fixed protocol dns 53
B. The default UDP time expires in two minutes.
C. Immediately tears down the UDP conduit on the PIX Firewall as soon as the DNS
response is received.
D. Prevents against UDP session hijacking and denial of service attacks.


Answer: A
Explanation:
The DNS Guard performs the following actions:
- Automatically tears down the UDP conduit on the PIX Firewall as soon as the DNS
response is received. It doesn't wait for the default UDP timer to close the session.
The default UDP session timeout is two minutes.
- Prevents against UDP session hijacking and DoS attacks.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 166



QUESTION NO: 6
In helping the user to choose the right IPSec transforms combinations, the following
rules apply: (Choose all that apply)


A. To provide authentication services for the transform set, include an AH transform.
B. For authentication services include an ESP authentication transform.
C. To provide data authentication for the data and the outer IP header, include an AH
transform.
D. For data confidentiality include an ESP encryption transform.
E. MD5 is stronger than SHA.


Answer: A, B, C, D
Explanation:
Choosing an IPSec transforms combination can be complex. The following tips may help you
select transforms that are appropriate for your situation:
- To provide data confidentiality, include an ESP encryption transform.
Also consider including an ESP authentication transform or an AH transform to
provide authentication services for the transform set.
- To ensure data authentication for the outer IP header as well as the data, include an
AH transform.
- To ensure data authentication (using either ESP or AH) you can choose from the
MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA
algorithm is generally considered stronger than MD5, but it is slower.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 212 -213





QUESTION NO: 7
What is the command that enables IPSec traffic to bypass the check of conduit or
access-group command statements?

A. conduit permit ip any any all
B. access-list acl_out permit tcp any any all access-group acl_out interface outside
C. sysopt connection permit-ipsec
D. conduit permit tcp any any all


Answer: C
Explanation:
Use the sysopt connection permit-ipsec command in IPSec configurations to permit IPSec
traffic to pass through the PIX Firewall without a check of conduit or access-list command
statements.

Reference: Cisco PIX Firewall Command Reference, Version 6.3

/>tm

QUESTION NO: 8
All of the following statements are true, except:

A. Use nat command to let users on the respective interfaces start outbound connections.
Associate the nat id with the global-id in the global command.
B. An interface is always outside when compared to another interface that has a higher
security level.
C. Use a single default route statement to the outside interface only. Set the default
route with the ip route command.
D. To permit access to servers on protected networks, use the static conduit commands.
E. Packets can not flow between interfaces that have the same security level.


Answer: C
Explanation:
The route command defines a static route for an interface. The route statement may have a
specific destination, or a default static route may be created.
The ip route command is used in the Cisco IOS. To establish static routes, use the ip route
command in global configuration mode.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 61
Cisco IOS Master Commands List, Release 12.3(1)



QUESTION NO: 9
Which of the following statements are not true: (Choose all that apply)

A. DMZ interface can be considered an inside, or outside interface.
B. DMZ interface is always considered inside.
C. Traffic originating from the inside interface to the outside interface of the PIX Firewall
will be allowed to flow unless restricted by access lists.
D. Traffic originating from the outside interface to the inside interface of the PIX Firewall
will be dropped unless specifically allowed.
E. DMZ interface is always considered outside.


Answer: B, E
Explanation:
DMZ is considered inside or outside depending on the security level of the inside and outside
interface.
A static translation and an access list must be configured to enable sessions originated from
the outside interface to the DMZ (inside) interface.
Global and NAT are typically configured to enable sessions originated from the inside
interface to the DMZ interface. Another option is the static command to ensure the internal
host has the same source address all the time.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 55


QUESTION NO: 10
Adaptive Security Algorithm (ASA) is the heart of the PIX Firewall. Choose the strict
rules that ASA follows: (Choose all that apply)

A. The highest security interface is the inside interface.
B. The highest security interface is the outside interface.
C. No outbound packet can exit the PIX Firewall without a connection and state.
D. No packet, regardless of its direction, can traverse the PIX Firewall without a
connection or state.
E. No inbound packet can enter the PIX Firewall without a connection and state.


Answer: A, D

Explanation:
A. The inside interface security level is 100, the default setting for the PIX Firewall. It
cannot be changed, because 100 is the most trusted interface security level; the organization's
network should be set up behind that interface.
D. ASA allows data packets to flow through the PIX Firewall only if an appropriate
connection exists to validate their passage.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 20, 53


QUESTION NO: 11
Which statements about the PIX Firewall in VoIP environments are true? (Choose two)

A. The PIX Firewall does not support the popular call setup protocol SIP because TCP
can be used for call setup.
B. The PIX Firewall allows SCCP signaling and media packets to traverse the PIX
Firewall and interoperate with H.323 terminals.
C. The PIX Firewall supports the Skinny Client Control Protocol, which allows you to
place IP phones and Call Manager on separate sides of the PIX Firewall.
D. Users behind the PIX Firewall can place outbound calls with IP phones because they
use HTTP tunneling to route packets through port 80, making them appear as web
traffic.


Answer: B, C

Explanation:
Cisco Secure PIX Firewall application handling has been enhanced to support the Skinny
Client Control Protocol (SCCP), used by Cisco IP phones for VoIP call signaling. This
capability dynamically opens pinholes for media sessions and Network Address Translation
(NAT)-embedded IP addresses. SCCP supports IP telephony and can coexist in an H.323
environment. An application layer ensures that all SCCP signaling and media packets can
traverse the PIX Firewall and interoperate with H.323 terminals.
Reference: Cisco PIX Firewall Version 6.0



QUESTION NO: 12
Your organization’s web traffic has come to a halt because your PIX Firewall is
dropping all new connection attempts. Why?

A. You are running a software version older than 5.2, and the embryonic threshold you
set in the static command was reached.
B. The shun feature of the PIX Firewall has taken effect because the embryonic threshold
you set in the nat command was reached.
C. The TCP Intercept feature of the PIX Firewall has taken effect because the embryonic
threshold you set in the static command was reached.
D. The intrusion detection feature of the PIX Firewall has taken effect because the
embryonic threshold you set in the conduit command was reached.


Answer: A
Explanation:
Prior to version 5.2, PIX Firewall offered no mechanism to protect systems reachable via a
static and TCP conduit from TCP SYN segment attacks. With the new TCP intercept feature,
once the optional embryonic connection limit is reached, and until the embryonic connection
count falls below this threshold, every SYN segment bound for the affected server is
intercepted.
This feature requires no change to the PIX Firewall command set, only that the embryonic
connection limit on the static command now has a new behavior.

Reference: Release Notes for the Cisco Secure PIX Firewall Version 5.2(1)
/>df

QUESTION NO: 13
Which tasks can be performed from the Access Rules tab? (Choose three)

A. Configure translation rules.
B. Configure Cisco Secure ACS.
C. Configure access rules.
D. Define Java and ActiveX filtering rules.
E. Configure command authorization.
F. Create service groups and apply them to ACLs.


Answer: B, C, D
Explanation:
Each interface on the PIX Firewall is associated with a list of Access Control Entries (ACEs),
called Access Control Lists (ACLs). An ACL is an ordered list of rules that describe how an
entire subnet or specific network host interacts with another to permit or deny a specific
service, protocol, or both. You can also define authentication, authorization, and accounting
(AAA), and filter rules for ActiveX and Java.
Reference: Configuring Settings, Rules, and Building Blocks

/>ms_2_1/pix/use_man/px_cnfig.pdf

QUESTION NO: 14
Where in PDM do you go to add, delete, or view global pools of addresses to be used by
NAT?

A. Global Pools tab
B. System Properties tab
C. Manage Pools button on the Translation Rules tab
D. IP Address Pools button on the VPN tab


Answer: C
Explanation:
The Translation Rules feature allows you to view all address translation rules applied to your
network. Address translation means that when a host starts an outbound connection, the IP
addresses in the internal network are translated into global addresses. Network Address
Translation (NAT) allows your network to have any IP addressing scheme, and the PIX
Firewalls protect these addresses from visibility on the external network. You access this
feature by selecting Configure > Translation Rules.

Reference: Configuring Settings, Rules, and Building Blocks

/>ms_2_1/pix/use_man/px_cnfig.pdf

QUESTION NO: 15
Which step is optional when creating a crypto map on the PIX Firewall?

A. Create a crypto map entry identifying the crypto map with a unique crypto map name
and sequence number.
B. Specify which transform sets are allowed for this crypto map entry.
C. Specify a dynamic crypto map to act as a policy template where the missing
parameters are later dynamically configured to match a peer’s requirements.
D. Assign an ACL to the crypto map entry.
E. Specify the peer to which IPSec-protected traffic can be forwarded.


Answer: C
Explanation:
If you are not sure how to configure each crypto map parameter to guarantee compatibility
with other peers, you might consider configuring dynamic crypto maps as described in the
section "Dynamic Crypto Maps." Dynamic crypto maps are useful when the establishment of
the IPSec tunnels is initiated by the peer. They are not useful if the establishment of the IPSec
tunnels is locally initiated, because the dynamic crypto maps are policy templates, not
complete statements of policy. (Although the access lists in any referenced dynamic crypto
map entry are used for crypto packet filtering.)
Reference: About IPSec

/>



QUESTION NO: 16
Which type of downloadable ACLs are best when there are frequent requests for
downloading a large ACL?

A. Named ACLs
B. Unnamed ACLs
C. Dynamic ACLs
D. Static ACLs


Answer: A
Explanation:
The following are the two methods for downloading an access list from an AAA server to the
PIX Firewall:
- Downloading a named access list—Configure a user (real) authentication profile to
include a Shared Profile Component (SPC) and then configure the SPC to include
the access list name and the actual access list. This method should be used when
there are frequent requests for downloading a large access list.
- Downloading an access list without a name—Configure a user authentication profile
on an AAA server to include the PIX Firewall access list to be downloaded. This
method should be used when there are no frequent requests for the same access list.

Reference: Controlling Network Access and Use

/>pdf

QUESTION NO: 17
Why is the group tag in the aaa-server command important?

A. The aaa command references the group tag to know where to direct authentication,
authorization, or accounting traffic.
B. The group tag identifies which users require authorization to use certain services.
C. The group tag identifies which user groups must authenticate.
D. The group tag enables or disables user authentication services.


Answer: A
Explanation:
Group_tag specifies the AAA server. Enter LOCAL for the group tag value for local AAA
services such as local command authorization using privilege levels, or use the AAA server
group tag as defined by the aaa-server command.

Reference:

PIX Firewall Software Version 6.3 Commands
/>m


QUESTION NO: 18
You have already created an ACL named ACLIN to permit traffic from certain Internet
hosts to the web server on your DMZ.
How do you make the ACL work for you? (Choose two)

A. Bind the ACL to the DMZ interface.
B. Bind the ACL to the inside interface.
C. Bind the ACL to the outside interface.
D. Create a static mapping for the DMZ server.
E. Create a static mapping for the web server.
F. Create a conduit mapping for the web server.


Answer: C, E
Explanation:
Static address translation creates a permanent, one-to-one mapping between an address on an
internal network (a higher security level interface) and a perimeter or external network (lower
security level interface). For example, to share a web server on a perimeter interface with
users on the public Internet, use static address translation to map the server's actual address to
a registered IP address. Static address translation hides the actual address of the server from
users on the less secure interface, making casual access by unauthorized users less likely.
Unlike NAT or PAT, it requires a dedicated address on the outside network for each host, so it
does not save registered IP addresses.
If you use a static command to allow inbound connections to a fixed IP address, use the
access-list and access-group commands to create an access list and to bind it to the
appropriate interface. For more information, refer to "Allowing Inbound Connections."

Reference: Managing Network Access and Use

/>pdf


QUESTION NO: 19
Cisco PDM consists of five major configuration areas. Choose these areas.

A. Monitoring
B. Hosts or networks
C. Access rules
D. System properties
E. Preferences
F. Translation rules


Answer: A, B, C, D, F
Explanation:
The main tabs for the PIX Device Manager are:
- Access rules
- Translation rules
- VPN
- Hosts/Networks
- System Properties
- Monitoring
Reference: User Guides
(PIX Device Manager 2.1)
/>ml

QUESTION NO: 20
How does the PIX Firewall know where to get the addresses to use for any NAT
configuration?

A. From the nat_id in the static command.
B. You can have only one global pool of addresses, so the PIX Firewall knows that NAT
uses the addresses in the global pool established by the global command.
C. From the nat_id in the nat command.
D. From the nat_id in the dhcp address command.


Answer: C
Explanation:
A nat_id that is a number from 1 to 2147483647 specifies the inside hosts for dynamic
address translation. The dynamic addresses are chosen from a global address pool created
with the global command, so the nat_id number must match the global_id number of the
global address pool you want to use for dynamic address translation.

Reference: PIX Firewall Software Version 6.3 Commands

/>m

QUESTION NO: 21
What is the purpose of the access-group command?

A. Bind an ACL to an interface.
B. Create an object group.
C. Create an access group.
D. Unbind the acl_ID from the interface interface_name

Answer: A

Explanation:
The access-group command binds an access list to an interface. The access list is applied to
traffic inbound to an interface. If you enter the permit option in an access-list command
statement, the PIX Firewall continues to process the packet. If you enter the deny option in an
access-list command statement, PIX Firewall discards the packet and generates the following
syslog message.

Reference: PIX Firewall Software Version 6.3 Commands

/>m
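
As an added example (not taken from the TestKing document or from Cisco's own material), the following PIX Firewall 6.3 configuration fragment ties together the commands discussed in questions 18, 20 and 21: the nat_id/global_id pairing, a static mapping for a DMZ web server, an object group of permitted hosts, and an access list bound to the outside interface with access-group. The addresses, the interface layout and the object group name PARTNER_HOSTS are constructed for illustration; ACLIN is the access list name used in question 18.

```text
: Constructed example, PIX 6.3 syntax. Interfaces: inside (100), dmz (50), outside (0).
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip address outside 192.168.1.1 255.255.255.0
: nat_id 1 on the inside interface must match global_id 1 on the lower-security
: interfaces; this is how the PIX knows which pool to draw translated addresses from.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.1.10-192.168.1.100 netmask 255.255.255.0
: A second global with a single address gives PAT once the pool is exhausted.
global (outside) 1 192.168.1.101 netmask 255.255.255.0
global (dmz) 1 172.16.1.100-172.16.1.200 netmask 255.255.255.0
: Permanent one-to-one mapping: DMZ web server 172.16.1.5 is reachable from the
: outside as 192.168.1.5. The static alone does not admit inbound connections.
static (dmz,outside) 192.168.1.5 172.16.1.5 netmask 255.255.255.255
: Object group of the Internet hosts allowed to reach the web server (constructed).
object-group network PARTNER_HOSTS
  network-object host 198.51.100.10
  network-object 203.0.113.0 255.255.255.0
: In 6.x the ACL references the translated (global) address of the server.
access-list ACLIN permit tcp object-group PARTNER_HOSTS host 192.168.1.5 eq www
access-list ACLIN deny ip any any
: Bind the list to the outside interface; it is evaluated on traffic entering outside.
access-group ACLIN in interface outside
```

Binding ACLIN to the dmz or inside interface instead would filter traffic entering those interfaces and leave the inbound web traffic unchecked, which is why question 18 pairs the static with a binding on the outside interface.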

QUESTION NO: 22
Which statements about security level 100 are true? (Choose two)

A. It is the lowest security level.
B. It is the highest security level.
C. It is the least-trusted security level.
D. By default it is designated for the inside interface of the PIX Firewall.
E. It is not currently a configurable security level. It is reserved for future use.
F. By default, it is designated for the outside interface of the PIX Firewall.


Answer: B, D
Explanation:
The inside interface security level is 100, the default setting for the PIX Firewall. It
cannot be changed, because 100 is the most trusted interface security level; the organization's
network should be set up behind that interface.

Reference: Cisco Secure PIX Firewalls (Ciscopress) page 53



QUESTION NO: 23
Which statements about the PIX Firewall’s DHCP capabilities are true? (Choose two)

A. It can be a DHCP server.
B. It cannot be a DHCP client.
C. You must remove a configured domain name.
D. It can be a DHCP server and client simultaneously.
E. It cannot pass configuration parameters it receives from another DHCP server to its
own DHCP clients.
F. The PIX Firewall's DHCP server can be configured to distribute the IP address of up
to four DNS servers to its clients.


Answer: A, D

Explanation:
PIX Firewall supports Dynamic Host Configuration Protocol (DHCP) servers and DHCP
clients. DHCP is a protocol that supplies automatic configuration parameters to Internet hosts.
This protocol has two components:
- Protocol for delivering host-specific configuration parameters from a DHCP server
to a host (DHCP client)
- Mechanism for allocating network addresses to hosts
A DHCP server is simply a computer that provides configuration parameters to a DHCP
client, and a DHCP client is a computer or network device that uses DHCP to obtain network
configuration parameters.

Reference: Using PIX Firewall in SOHO Networks

/>df

QUESTION NO: 24
The LAN-based failover you configured does not work. Why? (Choose two)

A. You used a hub for failover operation.
B. You used a switch for failover operation.
C. You used a dedicated VLAN for failover operation.
D. You did not set a failover IP address.
E. You did not use a crossover Ethernet cable between the two PIX Firewalls.
F. You used a crossover Ethernet cable between the two PIX Firewalls.


Answer: D, F
Explanation:
You must set a failover IP address for LAN-based failover.
Ethernet connection (“LAN-based failover”)—You can use any unused Ethernet interface on
the device. If the units are further than six feet apart, use this method. We recommend that
you connect this link through a dedicated switch. You cannot use a crossover Ethernet cable
to link the units directly.

Reference: Using PIX Firewall Failover

/>pdf


QUESTION NO: 25
How are LAN-based failover and serial failover alike?

A. Both require that all configuration is performed on the primary PIX Firewall.
B. Both require the use of a special serial cable.
C. They are configured with the same command set.
D. Both require two dedicated interfaces: one for configuration replication and another
for stateful failover.
E. Both provide stateful failover.


Answer: E
Explanation:
For Stateful Failover, you must use an Ethernet link to pass state information. The PIX
Firewall supports the following Ethernet interface settings for the state link:
- Fast Ethernet (100BASE-T) full duplex
- Gigabit Ethernet (GE) (1000BASE-T) full duplex
We recommend that you use a crossover cable to directly connect the units. You can also use
a switch between the units. No hosts or routers should be on this link.
If the two units are more than six feet apart, you can use the same Ethernet state link as the
failover link, but we recommend that you use a separate Ethernet link if available. If they are
closer than 6 feet, we recommend that you use the serial failover cable as the failover link.


Reference: Using PIX Firewall Failover

/>pdf

QUESTION NO: 26
Choose the correct statements regarding ACLs & Conduits:

A. A conduit creates a rule on the PIX Firewall Adaptive Security Algorithm by denying
connections from one interface to access hosts on another.
B. An ACL applies to a single interface, affecting all traffic entering that interface
regardless of its security level.
C. An ACL applies to a single interface, affecting all traffic entering that interface based
in its security level.
D. A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by
permitting connections from one interface to access hosts on another.


Answer: B, D
Explanation:
The conduit statement creates an exception to the PIX Firewall ASA by permitting
connections from one PIX Firewall network interface to access hosts on another.
The access-list command lets you specify if an IP address is permitted or denied access to a
port or protocol. In this document, one or more access-list command statements with the same
access list name are referred to as an "access list." Access lists associated with IPSec are
known as "crypto access lists."

Reference: PIX Firewall Software Version 6.3 Commands



QUESTION NO: 27
What is the command to remove a group of previously defined object-group commands?

A. Both answers are correct.
B. clear object-group
C. Both answers are incorrect.
D. no object-group


Answer: A
Explanation:
Use the no object-group command form to remove a group of previously defined
object-group commands. The clear object-group command form can also be used.
Reference: PIX Firewall Software Version 6.3 Commands

/>m

QUESTION NO: 28
With the IKE disabled, which of the following statements are true on a router? (Choose
all that apply)

A. The peer’s IPSec SA will never time out for a given IPSec session.
B. CA can not be used.
C. The command to disable IKE is: no crypto isakmp
D. The user must manually define all the IPSec security associations in the crypto maps at
all peers.



Answer: A, B, D
Explanation: Disabling IKE
To disable IKE, you will have to make these concessions at the peers:
- You must manually specify all the IPSec security associations in the crypto maps at
all peers.
- IPSec security associations will never time out for a given IPSec session.
- The encryption keys never change during IPSec sessions between peers.
- Anti-replay services will not be available between the peers.
- CA support cannot be used.
To disable IKE, use the following command: no crypto isakmp enable interface-name

Reference: IPSec - Overview




QUESTION NO: 29
This security protocol provides data confidentiality and protection with optional
authentication and replay-detection services.

A. What is ESP
B. What is DES
C. What is IKE
D. What is AH
E. What is RSA


Answer: A
Explanation:
Encapsulating Security Protocol (ESP): a security protocol that provides data confidentiality
and protection with optional authentication and replay-detection services. The PIX Firewall
uses ESP to encrypt the data payload of IP packets. ESP can be used either by itself or in
conjunction with AH. ESP was assigned IP protocol number 50.

Reference: Cisco Secure PIX Firewall (Ciscopress) page 198


QUESTION NO: 30
What is the command to enable a PIX Firewall to inspect port 554 for RTSP traffic?

A. fixup protocol rtsp 554
B. inspect rtsp 554
C. fixup rtsp 554
D. inspect protocol rtsp 554


Answer: A

Explanation:
The fixup protocol rtsp command lets PIX Firewall pass Real Time Streaming Protocol
(RTSP) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4,
RealPlayer, and Cisco IP/TV connections.


Reference: PIX Firewall Software Version 6.3 Commands

/>m

QUESTION NO: 31
H.323 is more complicated than other traditional protocols because:

A. It requires a high amount of bandwidth.
B. It uses more than one TCP port.
C. It is sensitive to delays.
D. It requires client reconfiguration.


Answer: B
Explanation:
H.323 is more complicated than other protocols because it uses two TCP connections and
several UDP sessions for a single "call".

Reference: Cisco Secure PIX Firewall (Ciscopress) page 163


QUESTION NO: 32
Speaking of the translation table of a PIX Firewall: by default, if there are no translated
packets for a particular IP address, the entry times out and gets removed from the table.
This timeout period is:


A. User-configurable and by default is 5 minutes.
B. User-configurable and by default is 60 minutes.
C. User-configurable and by default is 180 minutes.
D. Not user-configurable and by default is 5 minutes.
E. Not user-configurable and by default is 2 minutes.
F. Not user-configurable and by default is 60 minutes.


Answer: C
Explanation:
Translation slot. The default value for this timeout setting is 180 minutes.

Reference: Cisco Secure Policy Manager - Configuring the Global Policy Override Settings
for Policy Enforcement Points


QUESTION NO: 33
Firewall operations are based on one of the following technologies:
- Packet filtering
- Proxy Server
- Stateful packet filtering

Which is the method used by PIX Firewall?

A. Packet Filtering
B. Stateful Packet Filtering
C. All answers are incorrect
D. Proxy server



Answer: B
Explanation:
The third type of firewall combines the best of packet filtering and proxy technologies.
A stateful packet filter keeps complete session state information for each connection built
through the firewall. Each time an IP connection is established, inbound or outbound, the
information is recorded in a stateful session flow table and every subsequent packet is checked
against it. Stateful packet filtering is the method used by the Cisco PIX Firewall.

Reference: Cisco Secure PIX Firewall (Ciscopress) page 18
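
The following PIX 6.x configuration fragment is an added example for Questions 32 and 33; it is
not taken from the study guide or from Cisco documentation. The inside network, the outside
address pool and the shortened timer are assumed values chosen for illustration.

```cisco
! Dynamic NAT for the inside network into an assumed outside pool (addresses are
! illustrative). Each translated host gets an xlate (translation slot); each
! session through it gets a conn entry in the stateful session table.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
! Idle timers. These two lines are the factory defaults: an xlate is removed after
! 3 hours (180 minutes) with no translated traffic, a TCP connection after 1 hour idle.
timeout xlate 3:00:00
timeout conn 1:00:00
! The xlate timer is user-configurable (minimum 0:01:00). A busy pool may need a
! shorter value so idle hosts release their global address sooner; traffic through
! an active connection resets the timer, so live sessions are not affected.
timeout xlate 0:30:00
! Inspect the timers in effect and the two tables they govern.
show timeout
show xlate
show conn
```

The distinction the exam is after is that the xlate timer governs the address translation, while
the conn timer governs the individual session state; both are adjustable, and neither defaults to
5 minutes.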

QUESTION NO: 34
Which statements about intrusion detection in the PIX Firewall are true? (Choose two)

A. When a policy for a given signature class is created and applied to an interface, all
supported signatures of that class are monitored unless you disable them.
B. Only the signatures you enable will be monitored.
C. The PIX Firewall supports only inbound auditing.
D. IP audit policies must be applied to an interface with the ip audit interface command.
E. When a policy for a given signature class is created and applied to an interface, all
supported signatures of that class are monitored and cannot be disabled until you
remove the policy from the interface.
F. IP audit policies must be applied to an interface with the ip audit signature command.



Answer: A, D
Explanation:
Developed with flexibility in mind, PIX IDS allows a signature to be acted upon differently
depending on the interface on which it was detected. PIX also allows signatures to be
individually disabled in the event that recurring false positives are detected.
The ip audit interface if_name audit_name command applies an audit specification or policy
(via the ip audit name command) to an interface. The no ip audit interface [if_name]
command removes a policy from an interface.

Reference: Cisco PIX 500 Series Firewalls - Cisco PIX Firewall Software v5.2
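
As an added example for Question 34 (not part of the original study guide), the commands below
show how an audit policy is named, bound to an interface, and how one noisy signature is switched
off without removing the policy. The policy names are assumed.

```cisco
! Audit policies are named with ip audit name and bound to an interface with
! ip audit interface; one info policy and one attack policy may be bound per interface.
ip audit name OUTSIDE-INFO info action alarm
ip audit name OUTSIDE-ATTACK attack action alarm drop reset
ip audit interface outside OUTSIDE-INFO
ip audit interface outside OUTSIDE-ATTACK
! Once the policy is applied, every supported signature of that class is monitored.
! A signature that keeps producing false positives (here 2004, ICMP Echo Request)
! is disabled individually; the policy stays bound to the interface.
ip audit signature 2004 disable
! Default actions, used when a named policy omits the action keyword.
ip audit info action alarm
ip audit attack action alarm
! Verify the bindings and the disabled signature list.
show ip audit interface
show ip audit signature
! Removing the binding is done on the interface, not on the signature.
no ip audit interface outside OUTSIDE-INFO
```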


QUESTION NO: 35
Why are packets inspected on the PIX Firewall?

A. For valid users.
B. For misconfiguration.
C. For incorrect address.
D. For malicious application misuse.


Answer: D
Explanation:
The PIX Firewall is based on stateful packet filtering technology, and for the protocols covered
by its fixup inspections it also examines data at the application level. This allows the
firewall to detect and block malicious misuse of an application protocol (for example
unauthorised SMTP commands) while keeping packet handling fast.

Reference: DHL Selects Cisco PIX Firewall for Cost-Effective, High-Performance

Network Security



QUESTION NO: 36
What command reassigns a specific command to a different privilege level?

A. privilege
B. command auth
C. level-priv
D. curpriv


Answer: A
Explanation:
The privilege command sets user-defined privilege levels for PIX Firewall commands. This is
especially useful for setting different privilege levels for related configuration, show, and
clear commands. However, be sure to verify privilege level changes in your commands with
your security policies before implementing the new privilege levels.

Reference: PIX Firewall Software Version 6.3 Commands
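
An added example for Question 36, not from the original guide: a least-privilege operator level
that can view and clear translations and view access lists, but cannot change configuration. The
level number and the passwords are assumed.

```cisco
! privilege <show|clear|configure> level <n> command <command>
! Only the named mode of the command moves; configure-mode commands stay at level 15.
privilege show level 5 command xlate
privilege clear level 5 command xlate
privilege show level 5 command access-list
! Every level that is used needs its own enable password (levels 0-15, default 15).
enable password 0perat0rs level 5
enable password Adm1nOnly level 15
! An operator enters level 5 and confirms the current level with show curpriv
! (which is why curpriv appears as a distractor in this question).
enable 5
show curpriv
! Review the complete command-to-level mapping before saving it.
show privilege all
write memory
```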


QUESTION NO: 37

Which command enables IKE on the outside interface?

A. ike enable outside
B. ipsec enable outside
C. isakmp enable outside
D. ike enable (outbound)


Answer: C
Explanation:
The isakmp enable command is used to enable ISAKMP negotiation on the interface on
which the IPSec peer will communicate with the PIX Firewall. ISAKMP is enabled by
default. Use the no isakmp enable command to disable IKE.

Reference: PIX Firewall Software Version 6.3 Commands


QUESTION NO: 38
Why use ESP security protocol rather than the AH security protocol when creating a
VPN with IPSec?

A. ESP provides anti-replay and AH does not.
B. ESP provides data integrity and AH does not.
C. ESP provides data confidentiality and AH does not.
D. ESP provides data origin authentication and AH does not.


Answer: C
Explanation:

ESP and AH both provide authentication and anti-replay services, but ESP can encrypt the
data payload of IP packets which provides data confidentiality.

Reference: Cisco Secure PIX Firewall (Ciscopress) page 198


QUESTION NO: 39
You have configured the PIX Firewall and a AAA server for authentication. Telnet and
FTP authentication work normally, but HTTP authentication does not. Why?

A. You have not enabled HTTP, Telnet, and FTP authorization, which is required for
HTTP authentication.
B. You have not enabled HTTP authorization, which is required for HTTP authentication.
C. HTTP authentication is not supported.
D. Re-authentication maybe taking place with the web browser sending the cached
username and password back to the PIX Firewall.


Answer: D
Explanation:
HTTP - A window is displayed in the browser requesting username and password. If
authentication (and authorization) is successful, the user arrives at the destination web site
beyond. Keep in mind that browsers cache usernames and passwords! If it appears that the
PIX should be timing out an HTTP connection but is not doing so, it is likely that re-
authentication actually is taking place with the browser "shooting" the cached username and
password to the PIX, which then forwards this to the authentication server. PIX syslog and/or
server debug will show this phenomenon. If Telnet and FTP seem to work "normally", but
HTTP connections do not, this is why.
Reference: Cisco PIX 500 Series Firewalls - Performing Authentication, Authorization,
and Accounting of Users Through PIX Versions 5.2 and Later

QUESTION NO: 40
Which are functions of the object-group command? (Choose two)

A. Defines members of an object group.
B. Names an object group.
C. Enables sub-command mode.
D. Inserts an object group in an ACL.
E. Displays a list of the current configured object groups of the specified type.
F. Describes the object group.


Answer: B, C
Explanation:
To simplify your configuration, object grouping is supported in Cisco PIX Device Manager
Version 2.0. Object grouping enables you to define groups of objects such as hosts, IP
addresses, or network services. You can use these groups, for example, when you create and
apply access rules. When you include a Cisco PIX Firewall object group in a PIX Firewall
command, it is the equivalent of applying every element of the object group to the PIX
Firewall command.

Reference: Cisco PIX Device Manager Version 2.0





QUESTION NO: 41
Why create Turbo ACL’s only on high-end PIX Firewall models, such as the PIX
Firewall 525 or 535?

A. They are not supported in any of the low-end models, such as the 506.
B. Turbo ACLs require significant amounts of memory.
C. Turbo ACLs are processor-intensive.
D. Although turbo ACLs improve ACL search time with any PIX Firewall model, they
are complicated and rather difficult to configure.
It is unlikely that environments using low-end models have personnel properly trained
to configure turbo ACLs


Answer: B
Explanation:
The TurboACL feature requires significant amounts of memory and is most appropriate for
high-end PIX Firewall models, such as the PIX 525 or PIX 535. The minimum memory
required for TurboACL is 2.1 MB and approximately 1 MB of memory is required for every
2000 ACL elements.

Reference: Controlling Network Access and Use



QUESTION NO: 42
When are duplicate objects allowed in object groups?

A. When they are due to the inclusion of group objects.
B. When a group object is included, which causes the group hierarchy to become circular.
C. Never
D. Always, because there are no conditions or restrictions.


Answer: A
Explanation:
Object Grouping provides a way to group objects of a similar type into a group so that a single
access rule can apply to all the objects in the group. For example, consider the following three
object groups:
- MyServices - includes the TCP/UDP port numbers of the service requests that are
allowed access to the internal network
- TrustedHosts - includes the host and network addresses allowed access to the
greatest range of services and servers
- PublicServers - includes the host addresses of servers to which the greatest access is
provided
After creating these groups, you could use a single access rule to allow trusted hosts to make
specific service requests to a group of public servers. Object groups can also contain other
object groups or be contained by other object groups. Duplicate objects are permitted only
when they arise from such nested group objects; entering the same object twice directly in one
group is rejected, and a group cannot be nested in a way that makes the hierarchy circular.


Reference: Cisco PIX Firewall Software - Controlling Network Access and Use
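
An added example covering Questions 40, 41 and 42 together (it is not from the study guide):
network and service groups, a nested group that legitimately produces a duplicate member, the
single ACL that uses them, and TurboACL compilation. All names and addresses are assumed.

```cisco
! object-group names the group and enters sub-command mode; network-object,
! port-object and group-object (the sub-commands) define the members.
object-group network TrustedHosts
  network-object 10.1.0.0 255.255.255.0
  network-object host 10.2.0.7
object-group network PublicServers
  network-object host 192.0.2.10
  network-object host 192.0.2.11
object-group network AllServers
  group-object PublicServers
  network-object host 192.0.2.10
! 192.0.2.10 is now in AllServers twice: directly and via PublicServers. That
! duplicate is accepted because it results from a nested group. Adding
! "group-object AllServers" under PublicServers would be refused (circular).
object-group service MyServices tcp
  port-object eq www
  port-object eq https
  port-object range 8080 8081
! One ACE written with groups expands to every host/port combination.
access-list outside_in permit tcp object-group TrustedHosts object-group AllServers object-group MyServices
access-group outside_in in interface outside
! TurboACL: compile one ACL, or every ACL that has 19 or more entries.
! Budget about 2.1 MB plus roughly 1 MB per 2000 ACEs before enabling it on a
! low-memory model; on a 525/535 this is rarely a concern.
access-list outside_in compiled
access-list compiled
! show access-list displays the expanded ACEs and hit counts; show object-group
! lists the groups of each type.
show access-list outside_in
show object-group
```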

QUESTION NO: 43
Which statement about the configuration mode for the PIX Firewall is true?

A. Privileged mode commands, unprivileged mode commands, and configuration mode
commands all work in configuration mode.
B. Only configuration mode commands work in configuration mode.
C. Unprivileged mode commands and configuration mode commands work in
configuration mode, but you must exit the configuration mode in order to execute
privileged mode commands.
D. Privileged mode commands and configuration mode commands work in configuration
mode, but you must exit both these modes in order to execute unprivileged mode
commands.


Answer: A
Explanation:
Configuration Mode – This mode displays the (config)# prompt and enables you to change
system configurations. All privileged, unprivileged, and configuration commands work in this
mode.

Reference: Cisco Secure PIX Firewall (Ciscopress) page 32



QUESTION NO: 44
Which statement about the PIX Firewall Syslog is true?


A. Syslog messages can be used to create log files, and can be displayed on the console of
a designated Syslog host, but they cannot be used to create e-mail alerts.
B. If all Syslog servers are offline, the PIX Firewall stores up to 100 messages in its
memory and then deletes the messages in its memory to make room for subsequent
messages.
C. The PIX Firewall sends Syslog messages to document such events as denied TCP
connections, translation slot depletion, console logins and bytes transferred for each
connection.
D. All Syslog messages are denied unless explicitly permitted.


Answer: C
Explanation:
PIX Firewall sends SYSLOG messages to document the following events:
- Security - dropped UDP packets and denied TCP connections.
- Resources - notification of 80% and 100% connection and translation slot
depletion, and translation and connection counts every 10 minutes.
- System - console and Telnet logins and logouts and PIX Firewall reboots.
- Accounting - bytes transferred per connection.

Reference: Cisco PIX Firewall Software - Configuring by Feature
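
The following syslog configuration is an added example for Question 44 and is not part of the
original guide. The collector address is assumed.

```cisco
! Assumed syslog collector 10.1.1.5 reachable through the inside interface.
logging on
logging timestamp
! Severity 6 (informational) is needed to receive the connection teardown
! records (for example message 302014) that carry the bytes-per-connection
! accounting; the security and resource messages are at more severe levels
! and are included automatically at this setting.
logging trap informational
logging host inside 10.1.1.5
! Keep a local buffer of warnings and above for triage when the collector is down;
! the buffer is a fixed size and the oldest entries are overwritten.
logging buffered warnings
! Console logging competes with packet processing on a busy unit; leave it off.
no logging console
! Suppress one noisy message by ID instead of lowering the level for everything
! (305011 is the "Built ... translation" message).
no logging message 305011
show logging
```

Note that messages are sent to every configured host at or below the trap level; there is no
permit/deny list for syslog messages other than disabling individual IDs as shown.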


QUESTION NO: 45

In the output of the show failover command, what does cable status waiting mean?

A. The active PIX Firewall is working and the standby PIX Firewall is ready.
B. Monitoring the other PIX Firewall’s network interface has not yet started.
C. The active PIX Firewall is waiting for configuration replication to be completed.
D. The primary PIX Firewall has finished testing the standby PIX Firewall’s interfaces
and the standby PIX Firewall is waiting to take control.


Answer: B
Explanation:
The Cable Status that displays with the show failover command has these values:
(a) Normal—Indicates that the Active unit is working and that the Standby unit is ready.
(b) Waiting—Indicates that monitoring of the other unit's network interfaces has not yet
started.
(c) Failed—Indicates that the PIX Firewall has failed.

Reference: Cisco PIX Firewall Software - Advanced Configurations


QUESTION NO: 46
Your new network administrator has recently modified your PIX Firewall’s
configuration. You are suddenly experiencing security breaches involving Internet mail.
What change did the administrator make?

A. He disabled the PIX Firewall’s mailport fixup.
B. He disabled the PIX Firewall’s smtp fixup.
C. He enabled the PIX Firewall’s ils fixup on port 25.
D. He defined the port on which to activate Mail Guard.



Answer: B
Explanation:
The fixup protocol smtp command enables the Mail Guard feature, which only lets mail
servers receive the RFC 821, section 4.5.1, commands of HELO, MAIL, RCPT, DATA,
RSET, NOOP, and QUIT.

Reference: PIX Firewall Software Version 6.3 Commands
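
An added example that ties together the application inspections of Questions 30, 31 and 46 (it
is not from the study guide). It shows the weak state an administrator leaves behind by removing
the SMTP fixup, beside the corrected state. The additional SMTP port 2525 is assumed.

```cisco
! RTSP control channel on TCP 554. The fixup parses the SETUP/Transport exchange
! to open the negotiated UDP media ports for the life of the session.
fixup protocol rtsp 554
! H.323 uses H.225 call signalling on TCP 1720 and RAS on UDP 1718-1719. The
! H.245 control connection and RTP/RTCP media ports are learned from the
! signalling and opened dynamically; this is why H.323 "uses more than one port".
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
! Weak: with the SMTP fixup removed, every SMTP verb (EXPN, VRFY, TURN, ...)
! reaches the mail server, and Mail Guard protection is lost.
no fixup protocol smtp 25
! Corrected: Mail Guard again allows only HELO, MAIL, RCPT, DATA, RSET, NOOP
! and QUIT through. A fixup applies only to the ports listed, so a server
! listening on an alternate port needs its own entry.
fixup protocol smtp 25
fixup protocol smtp 2525
! Confirm the inspections and ports in effect.
show fixup
```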


QUESTION NO: 47
What is the command that clears all IPSec security associations at the router?

A. clear crypto sa
B. clear isakmp
C. no crypto sa
D. crypto sa disable


Answer: A
Explanation:
clear crypto sa - Clears existing IPSec security associations so that any changes to a
transform set take effect on subsequently established security associations (SAs). (Manually
established SAs are reestablished immediately.)

Reference: Configuring the SA-VAM2


QUESTION NO: 48
You have configured your router with the following command:
crypto ipsec transform-set goodform ah-sha-hmac esp-des esp-sha-hmac

A. The peer does not have to have a matching transform set.
Parameters will be dynamically negotiated.
B. The peer must also have the same transform set parameters specified.
C. The peer must also have the same transform set name specified.
D. The peer must also have the same transform set name and parameters specified.


Answer: B
Explanation:
To define a transform set—an acceptable combination of security protocols and algorithms—
use the crypto ipsec transform-set command in global configuration mode. To delete a
transform set, use the no form of this command.

To define a transform set, you specify up to three "transforms" (one AH transform, one ESP
encryption transform and one ESP authentication transform); each transform represents an
IPSec security protocol (AH or ESP) plus the algorithm you want to use. When the particular
transform set is used during negotiations for IPSec SAs, the entire transform set (the
combination of protocols, algorithms, and other settings) must match a transform set at the
remote peer. The transform set name is local to each device and is never negotiated.


Reference: PIX Firewall Software Version 6.3 Commands
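
An added PIX 6.x site-to-site example covering Questions 37, 38, 47 and 48 (not part of the
original guide). The peer address, networks, pre-shared key and map names are assumed; DES and
3DES appear because they are the ciphers the exam material discusses, not as a recommendation.

```cisco
! Assumed: peer 203.0.113.9, local LAN 10.1.0.0/24, remote LAN 10.9.0.0/24.
! Phase 1: IKE/ISAKMP is enabled on the interface the peer reaches.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key S3cretPr3shared address 203.0.113.9 netmask 255.255.255.255
! Phase 2. The set from Question 48: AH authenticates the outer header, ESP
! encrypts and authenticates the payload. The peer must define a set with the
! same three transforms; its name may differ, only the contents are negotiated.
crypto ipsec transform-set goodform ah-sha-hmac esp-des esp-sha-hmac
! ESP alone provides integrity, origin authentication and anti-replay as well as
! confidentiality, so the usual choice is ESP with a stronger cipher and no AH.
crypto ipsec transform-set esp-only esp-3des esp-sha-hmac
access-list vpn-traffic permit ip 10.1.0.0 255.255.255.0 10.9.0.0 255.255.255.0
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn-traffic
crypto map site2site 10 set peer 203.0.113.9
crypto map site2site 10 set transform-set esp-only
crypto map site2site interface outside
sysopt connection permit-ipsec
! After changing a transform set, tear down existing SAs so the next negotiation
! uses the new one. Question 47 gives the IOS form (clear crypto sa); on the PIX:
clear crypto ipsec sa
show crypto ipsec sa
```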


QUESTION NO: 49
Which of the following statements are true regarding the sanity check of PIX Firewall’s
failover feature? (Choose all that apply)
