Managing Cisco Network Security (MCNS) study document (PDF)

(Abridged version of a 32-page PDF, 916.56 KB.)

640-442 1

21certify.com

CISCO:

Managing Cisco Network Security (MCNS)

640-442



Version 6.0

Jun. 17th, 2003


Study Tips
This product provides questions and answers along with detailed explanations, carefully
compiled and written by our experts. Try to understand the concepts behind the questions
instead of cramming them. Go through the entire document at least twice to make sure
you are not missing anything.
Latest Version
We are constantly reviewing our products. New material is added and old material is
revised. Free updates are available for 365 days after the purchase. You should check
the products page on the www.21certify.com web site for an update 3-4 days before the
scheduled exam date.


Important Note:
Please Read Carefully


This 21certify Exam has been carefully written and compiled by 21certify Exams experts. It is
designed to help you learn the concepts behind the questions rather than be a strict memorization
tool. Repeated readings will increase your comprehension.

We continually add to and update our 21certify Exams with new questions, so check that you have
the latest version of this 21certify Exam right before you take your exam.

For security purposes, each PDF file is encrypted with a unique serial number associated with your
21certify Exams account information. In accordance with international copyright law, 21certify
Exams reserves the right to take legal action against you should we find that copies of this PDF file
have been distributed to other parties.

Please tell us what you think of this 21certify Exam. We appreciate both positive and critical
comments as your feedback helps us improve future versions.

We thank you for buying our 21certify Exams and look forward to supplying you with all your
Certification training needs.

Good studying!

21certify Exams Technical and Support Team

Q.1 What are three commands that can be used in enabling NAT? (Choose three)
A. nat
B. static
C. global

D. conduit
E. xlate enable
Answer: A, B, C
Q.2 Which three databases are supported by the Cisco Secure ACS for UNIX? (Choose three)
A. Oracle
B. Sybase
C. NDS (Novell)
D. SQL Anywhere
E. Windows NT user database
Answer: A, B, D
Q.3 Given the following debug output:
1d16h: %LINK-3-UPDOWN: Interface Serial3/0, changed state to up
*Mar 2 16:52:297: Se3/0 PPP: Treating connection as a dedicated line
*Mar 2 16:52:441: Se3/0 PPP: Phase is AUTHENTICATING, by this end
*Mar 2 16:52:445: Se3/0 CHAP: O CHALLENGE id 7 len 29 from "NASx"
Which two statements are true? (Choose two)
A. The user ID is NASx.
B. This is a connection attempt to an async port.
C. The connection is established on serial interface 3/0.
D. The user is authenticating using Challenge Handshake Authentication Protocol (CHAP).
E. The client is attempting to setup a Serial Internet Protocol (SLIP) connection.

Answer: C, D
Q.4 To ensure compatibility with IPSec when using Internet Key Exchange (IKE), what must be allowed
through an access list (ACL)?
A. IP protocol 50 and TCP port 500
B. IP protocol 50 and UDP port 51
C. IP protocol 51, TCP port 500 and UDP port 50
D. IP protocol 50, IP Protocol 51 and UDP port 500
Answer: D

Q.5 Java inspection was properly configured with Context based Access Control (CBAC) to allow only
applets from a trusted Web server. What happens when a user attempts to download an applet from an
untrusted server using FTP (assuming that FTP is allowed between the two by CBAC)?
A. CBAC requests user authentication.
B. The applet is downloaded successfully.
C. The FTP session is terminated by CBAC.
D. The packets containing the applet are dropped by CBAC.
Answer: B
Q.6 Which Cisco IOS feature should be used when hiding multiple hosts behind a single IP address?
A. PAT
B. ACL
C. DHCP
D. CBAC
Answer: A


Q.7 Which encryption algorithms are supported by the Cisco Secure VPN Client?
A. Null, CAST-128 and DES
B. DES, Triple-DES and Null
C. DES, CAST-128 and Blowfish
D. DES, Blowfish and Diffie-Hellman
Answer: B
Q.8 Given the following output:
Crypto Map: "s1first" idb: Serial0 local address: 172.16.254.201
Crypto Map "s1first" 20 ipsec-isakmp
        Peer = 172.16.254.212
        Extended IP access list 101
            access-list 101 permit ip
                source: addr = 172.16.152.0/0.0.0.255
                dest:   addr = 0.0.0.0/255.255.255.255
        Current peer: 172.16.254.212
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ secure1, }
Which command was used to generate this display?
A. show crypto ip map
B. show crypto ipsec sa
C. show crypto map
D. show crypto ipsec transform set
Answer: C

Q.9 The PIX firewall operates with three rules that govern how to use the security level field.
What are these three rules? (Choose three)

A. Security level 0 is the least secure.
B. Security level 100 is the most secure.
C. The lowest security level is for the inside interface.
D. The highest security level is for the outside interface.
E. Conduit and static commands are required to enable traffic that originates from outside and has an inside
destination.

Answer: A, B, E
Q.10 Which statement about the PIX password recovery procedure is true?
A. The password recovery of the PIX 515 requires an FTP server.
B. The PIX firewall needs to be reloaded during password recovery.
C. Password recovery can only be done on PIX firewall with floppy drive.
D. The config-register has to be set to 0x2142 before password recovery.
Answer: B (this copy originally gave C). Password recovery on every PIX model requires interrupting the boot, loading the password lockout utility and reloading; the PIX 515 fetches that utility over TFTP, not FTP, only the older floppy-equipped models boot it from diskette, and 0x2142 is a Cisco IOS config-register value with no meaning on the PIX.

Q.11 Which three statements apply to AAA on a PIX firewall? (Choose three)
A. Only inbound connections can be authenticated by AAA.
B. FTP, HTTP and Telnet can be authenticated using AAA.
C. The PIX can authenticate Enable mode access using AAA.
D. The PIX can authenticate serial console access using AAA.
Answer: B, C, D (this copy originally gave A, B, C). Statement A is false: the PIX can authenticate both inbound and outbound connections (aaa authentication include ... inbound | outbound), and it can also authenticate enable and serial console access (aaa authentication enable console, aaa authentication serial console).
Q.12 Exhibit:

Which PIX command statically translates the IP address of the Mail server to 182.16.1.4?
A. static(dmz, outside) 172.16.2.4 182.16.1.4
B. static(outside,dmz ) 182.16.1.4 172.16.2.4
C. static(dmz, outside) 182.16.1.4 172.16.2.4
D. static(inside, outside) 182.16.1.4 172.16.2.4
Answer: C (this copy originally gave B). The syntax is static (internal_if, external_if) global_ip local_ip: the higher-security DMZ interface is named first, the outside-visible address 182.16.1.4 comes first, and the server's real DMZ address 172.16.2.4 second. Option B names the interfaces in the wrong order.
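The three security-level rules in Q.9 and the argument order of static in Q.12 are the two things most often reversed on the PIX. The model below is an example added to this guide (it is not PIX software and not from the original): it records interface security levels, refuses a static whose interface pair is reversed (as in Q.12 option B), and applies rule 3, that traffic from a lower- to a higher-security interface needs both a static and a conduit while higher-to-lower traffic passes by default. The interface names, levels and addresses are constructed to match Q.12.

```python
"""Model of the three PIX security-level rules (Q.9) and the interface order of the
static command (Q.12). Added example for this guide; it is not PIX software and not
from the original. Interface names, levels and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PixModel:
    levels: Dict[str, int] = field(default_factory=dict)                    # nameif ... securityN
    statics: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (high, low, global, local)
    conduits: List[Tuple[str, int]] = field(default_factory=list)           # (global_ip, tcp port)

    def nameif(self, ifname: str, level: int) -> None:
        # Rules 1 and 2: 0 is the least secure level (outside), 100 the most secure (inside)
        if not 0 <= level <= 100:
            raise ValueError("security level must be 0..100")
        self.levels[ifname] = level

    def static(self, high_if: str, low_if: str, global_ip: str, local_ip: str) -> str:
        """static (high,low) global local: the first interface is where local_ip lives and must
        have the higher security level; global_ip is the address seen from the lower side."""
        if self.levels[high_if] <= self.levels[low_if]:
            raise ValueError(f"static ({high_if},{low_if}) is reversed: "
                             f"{high_if} must be the higher-security interface")
        self.statics.append((high_if, low_if, global_ip, local_ip))
        return f"static ({high_if},{low_if}) {global_ip} {local_ip} netmask 255.255.255.255"

    def conduit(self, global_ip: str, port: int) -> str:
        """Permission for inbound traffic is written against the translated (global) address."""
        self.conduits.append((global_ip, port))
        return f"conduit permit tcp host {global_ip} eq {port} any"

    def local_address(self, src_if: str, dst_if: str, global_ip: str) -> Optional[str]:
        for high, low, glob, local in self.statics:
            if (high, low, glob) == (dst_if, src_if, global_ip):
                return local
        return None

    def permits(self, src_if: str, dst_if: str, dst_ip: str, port: int) -> bool:
        """Rule 3: lower-to-higher traffic needs a static (address mapping) and a conduit
        (permission); higher-to-lower traffic passes by default."""
        if self.levels[src_if] > self.levels[dst_if]:
            return True                      # outbound: nat/global (or nat 0) supplies the address
        if self.local_address(src_if, dst_if, dst_ip) is None:
            return False                     # no static: the inbound packet has no translation
        return (dst_ip, port) in self.conduits


def q12_example() -> PixModel:
    """Topology implied by Q.12: mail server 172.16.2.4 on the DMZ, seen as 182.16.1.4 outside."""
    pix = PixModel()
    pix.nameif("outside", 0)
    pix.nameif("inside", 100)
    pix.nameif("dmz", 50)
    pix.static("dmz", "outside", "182.16.1.4", "172.16.2.4")   # Q.12 option C
    pix.conduit("182.16.1.4", 25)                               # let the Internet reach SMTP
    return pix


def reversed_static_rejected() -> bool:
    """Q.12 option B, static (outside,dmz) ..., names the interfaces in the wrong order."""
    try:
        q12_example().static("outside", "dmz", "182.16.1.4", "172.16.2.4")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pix = q12_example()
    print(pix.permits("outside", "dmz", "182.16.1.4", 25))        # True: static + conduit
    print(pix.permits("outside", "dmz", "182.16.1.4", 80))        # False: no conduit for port 80
    print(pix.permits("inside", "outside", "198.51.100.9", 80))   # True: high -> low
    print(reversed_static_rejected())                             # True
```

The model deliberately checks the conduit against the global address, because on the PIX a conduit for the real DMZ address would never match inbound packets that arrive addressed to 182.16.1.4.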
Q.13 Which statement best describes the Encapsulation Security Payload (ESP) header?
A. It is inserted before an encapsulated IP header in Tunnel mode.
B. It is inserted before an encapsulated IP header in Transparent mode.
C. It is inserted after the IP header and before the upper layer protocol header in Tunnel mode.
D. It is inserted after the IP header and after the upper layer protocol header in Transport mode.
Answer: A
Q.14 Which two protocols are known to pose security threats? (Choose two)
A. SNMP
B. NNTP
C. SMTP
D. CHAP
E. Frame Relay

Answer: A, C
Q.15 If a Security Association (SA) was previously established with Internet Key Exchange (IKE), what
will the following command do on the router?
A. It clears the SA symmetric key.
B. It clears the SA authentication key.
C. It deletes SA from the SA database.
D. It re-initializes every peer’s secret key.
Answer: C


Q.16 After the installation of Cisco Secure VPN Client is complete, you need either __________ for
authentication
A. A user ID or a password.
B. An error-correcting code (ECC) key or a pre-shared key.
C. An ECC key or a digital certificate.
D. A pre-shared key or a digital certificate.
Answer: D (this copy originally gave A). IKE authentication for the Cisco Secure VPN Client is done with either a pre-shared key or a digital certificate; a user ID and password is not an IKE authentication method.
Q.17 Which two statements are true (Choose two)
A. There are few good security products.
B. A lack of a consistent security policy is a security risk.
C. Security should only be implemented on the perimeter devices.
D. Individual products must be integrated into a complete network solution.
Answer: B, D (this copy originally gave B, C). Security has to be applied throughout the network, not only at the perimeter devices.
Q.18 A masquerade attack occurs when an attacker pretends to come from a trusted host by stealing its
_____________
A. User group
B. IP address
C. Account ID
D. Challenge handshake authentication protocol (CHAP) password
Answer: B
Q.19 Which command is most useful to troubleshoot a Challenge Handshake Authentication Protocol
(CHAP) authentication attempt?



Answer: D
Q.20 When the nat (inside) 0 command is configured on a PIX firewall, ________ IP address are
translated
A. DMZ
B. No inside
C. Only private
D. Global outside
Answer: B
Q.21 Which two commands prevent a chargen attack? (Choose two)
A. no ip redirects
B. no service finger
C. no chargen enable
D. no tcp-small-servers
E. no udp-small-servers
Answer: D, E (this copy originally gave only D). chargen is one of the TCP and UDP small servers, so both must be disabled: no service tcp-small-servers and no service udp-small-servers.
Q.22 Which 3 services can be authenticated using AAA on a PIX firewall? (Choose three)
A. FTP
B. POP
C. HTTP
D. SMTP
E. TFTP

F. TELNET
Answer: A, C, F


Q.23 Which three external databases are supported by CSNT (Choose three)
A. NDS
B. Oracle
C. Windows NT
D. Token server
Answer: A, C, D
Q.24 You generate general purpose RSA keys. The router will have one _____________
A. RSA key pair
B. RSA key pair per peer
C. RSA key pair and one certificate per peer
D. RSA key pair per peer and one certificate per peer
Answer: A
Q.25 Which three statements about Encapsulation Security Payload are true? (Choose three)
A. It encapsulates the data.
B. It uses symmetric secret key algorithms.
C. It provides protection to the outer headers.
D. It encrypts the payload for data confidentiality.
Answer: A, B, D
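Q.13 and Q.25 both turn on where the ESP header sits and what the ESP integrity check covers. The example below is added to this guide (it is not from the original and not Cisco code): it builds a tunnel-mode ESP packet with NULL encryption (RFC 2410, one of the algorithms listed in Q.7) and HMAC-SHA1-96 using only the Python standard library, then shows that a change to the outer IP header goes unnoticed while a change to the encapsulated packet fails the ICV. The key, SPI and addresses are constructed test values, and the IPv4 header is a minimal one with the checksum left at zero.

```python
"""Tunnel-mode ESP (RFC 2406/4303) with NULL encryption (RFC 2410) and HMAC-SHA1-96,
standard library only. Added example for Q.13 and Q.25; not from the original guide
and not Cisco code. Key, SPI and addresses are constructed test values."""
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional

ICV_LEN = 12           # HMAC-SHA1-96: the 20-byte SHA-1 tag truncated to 96 bits
PROTO_ESP = 50         # IP protocol number carried in the outer header
NEXT_HEADER_IPIP = 4   # tunnel mode: the protected payload is a whole IPv4 packet


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero for the example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def esp_encapsulate(inner_packet: bytes, spi: int, seq: int, auth_key: bytes,
                    outer_src: str, outer_dst: str) -> bytes:
    """Build: outer IP | ESP header (SPI, seq) | inner packet | pad | pad len | next hdr | ICV.
    In tunnel mode the ESP header is inserted before the encapsulated IP header (Q.13 A)."""
    esp_header = struct.pack("!II", spi, seq)
    # NULL cipher has no block size, but payload + pad + 2 trailer bytes must be 4-byte aligned
    pad_len = (-(len(inner_packet) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default monotonic padding
    trailer = padding + struct.pack("!BB", pad_len, NEXT_HEADER_IPIP)
    authenticated = esp_header + inner_packet + trailer
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    esp_body = authenticated + icv
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(esp_body)) + esp_body


def esp_verify(packet: bytes, auth_key: bytes) -> Optional[bytes]:
    """Check the ICV and return the inner packet, or None if integrity fails.
    The ICV covers the ESP header, payload and trailer only, never the outer IP header."""
    esp_body = packet[20:]
    authenticated, icv = esp_body[:-ICV_LEN], esp_body[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    pad_len, next_header = struct.unpack("!BB", authenticated[-2:])
    if next_header != NEXT_HEADER_IPIP:
        return None
    return authenticated[8:len(authenticated) - 2 - pad_len]


def demo() -> Dict[str, bool]:
    key = b"constructed-test-key-not-for-real-use"
    inner = ipv4_header("10.1.1.5", "10.2.2.7", 6, 5) + b"HELLO"    # a 25-byte "TCP" packet
    pkt = esp_encapsulate(inner, spi=0x1000, seq=1, auth_key=key,
                          outer_src="172.16.254.201", outer_dst="172.16.254.212")
    results = {"intact_verifies": esp_verify(pkt, key) == inner}
    # Decrement the outer TTL (byte 8): ESP does not protect the outer header (Q.25 C is false)
    outer_tampered = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
    results["outer_header_change_undetected"] = esp_verify(outer_tampered, key) == inner
    # Change the encapsulated data (after outer 20 + ESP 8 + inner header 20 bytes): caught
    inner_tampered = pkt[:48] + b"JELLO" + pkt[53:]
    results["inner_change_detected"] = esp_verify(inner_tampered, key) is None
    results["wrong_key_detected"] = esp_verify(pkt, b"other-key") is None
    return results


if __name__ == "__main__":
    print(demo())
```

With a real cipher (DES or 3DES in the VPN Client of Q.7) the inner packet and trailer would be encrypted before the ICV is computed; the header layout and the scope of the integrity check are unchanged, which is the point of Q.13 and Q.25.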
Q.26 Exhibit: Which command do you use to ping the NAS from the PIX firewall?

A. Ping 10.1.1.1

B. Ping –s 10.1.1.1
C. Ping –t 10.1.1.1
D. Ping inside 10.1.1.1
E. Ping outside 10.1.1.1
Answer: D
Q.27 Which PIX firewall command denies any internal hosts from downloading Java Applets?


Answer: A
Q.28 Which command allows you to view PIX firewall software version?
A. Show os
B. Show pix
C. Show version
D. Debug version
E. Show software
Answer: C
Q.29 With TCP inspection, which three parameters are used by Context Based Access Control (CBAC) to
permit a packet received on the external interface? (Choose Three)
A. A Source IP address
B. Source port number
C. TCP sequence number
D. Destination port number
E. Destination MAC address
Answer: A, B, D
Q.30 Which three statements about PIX firewall multimedia support are true? (Choose three)
A. It supports multimedia with or without NAT.

B. It reserves all available UDP and TCP ports.
C. Using PAT with multimedia can create port conflict.
D. It dynamically opens/closes UDP ports for multimedia connections.
Answer: A, C, D (this copy originally gave A, B, C and worded D as "statically"). The PIX opens and closes the UDP ports a multimedia session negotiates as the session runs; it does not reserve all available UDP and TCP ports, so statement B is false.
Q.31 Given the following configuration command:
Router(config)#aaa authorization network abc tacacs local
Assuming all interfaces are configured to use default authentication, which statement is true?
A. The NAS will use the enable password by default.
B. If the TACACS server is unreachable, the local database will be used.
C. If the TACACS server is unreachable, the NAS access will be enabled by default.
D. If the Terminal Access Controller Access Control System (TACACS) server is
unreachable, no access will be permitted.

Answer: B
Q.32 Which authentication method is the most secure?
A. S/KEY
B. username/password
C. one-time passwords
D. token cards/soft tokens
Answer: D
Q.33 Given the following interface configuration:
interface serial 0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 101 in
Which access list (ACL) line allows Internet Security Association Key Management Protocol (ISAKMP)
from router 172.16.1.2?
A. access-list 101 permit ahp host 172.16.1.2 host
172.16.1.1


B. access-list 101 permit isakmp host 172.16.1.2 host
172.16.1.1

C. access-list 101 permit udp host 172.16.1.2 host 172.16.1.1 eq isakmp
D. access-list 101 permit tcp host 172.16.1.2 host
172.16.1.1 eq isakmp

Answer: C
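For Q.4 and Q.33, the quickest sanity check on an ACL in front of a crypto endpoint is to feed it the three flows IPsec with IKE needs: ESP (IP protocol 50), AH (IP protocol 51) and ISAKMP (UDP 500). The evaluator below is an added example, not IOS and not from the original study guide; it parses only the extended-ACL forms that appear on this page (host, any, address/wildcard, eq port) and applies first-match-wins with the implicit deny at the end. The peer addresses are the ones from Q.33; CORRECT_ACL and WRONG_ACL are constructed from the answer and a distractor in Q.4.

```python
"""Evaluator for the Cisco IOS extended access-list forms used in Q.4 and Q.33, to check
whether an ACL passes the three flows IPsec with IKE needs: ESP (IP protocol 50),
AH (IP protocol 51) and ISAKMP (UDP 500). Added example, not IOS and not from the
original guide; CORRECT_ACL and WRONG_ACL are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}  # None = any
PORT_NAMES = {"isakmp": 500, "ftp": 21, "telnet": 23, "www": 80}


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any' | 'host A' | 'A wildcard' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard mask is the inverted netmask: 0.0.0.255 -> 255.255.255.0
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))
    netmask = str(ipaddress.ip_address(mask))
    return ipaddress.ip_network((tokens[0], netmask), strict=False), tokens[2:]


def _parse_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq <port>' qualifier."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


class Ace:
    """One 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' entry."""

    def __init__(self, line: str) -> None:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            raise ValueError("not an extended ACL entry: " + line)
        self.action, proto = t[2], t[3].lower()
        if proto not in PROTOCOLS:
            # IOS rejects unknown protocol keywords, which is why Q.33 option B cannot be entered
            raise ValueError(f"% Invalid input: protocol '{proto}' in: {line}")
        self.proto = PROTOCOLS[proto]
        self.src, rest = _parse_addr(t[4:])
        self.sport, rest = _parse_port(rest)
        self.dst, rest = _parse_addr(rest)
        self.dport, rest = _parse_port(rest)

    def matches(self, proto: int, src: str, dst: str,
                sport: Optional[int], dport: Optional[int]) -> bool:
        return ((self.proto is None or self.proto == proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport))


def is_valid_ace(line: str) -> bool:
    try:
        Ace(line)
        return True
    except (ValueError, IndexError):
        return False


def acl_permits(lines: List[str], proto: int, src: str, dst: str,
                sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in (Ace(line) for line in lines):
        if ace.matches(proto, src, dst, sport, dport):
            return ace.action == "permit"
    return False


# Constructed flows from the peer router to the local router in Q.33
PEER, LOCAL = "172.16.1.2", "172.16.1.1"
IPSEC_FLOWS = {
    "isakmp": (17, PEER, LOCAL, 500, 500),   # IKE: UDP source and destination port 500
    "esp": (50, PEER, LOCAL, None, None),
    "ahp": (51, PEER, LOCAL, None, None),
}


def ipsec_check(lines: List[str]) -> Dict[str, bool]:
    """Which of the three IPsec flows does this ACL (applied inbound) permit?"""
    return {name: acl_permits(lines, *flow) for name, flow in IPSEC_FLOWS.items()}


CORRECT_ACL = [   # Q.4 answer D, written as the inbound ACL on serial 0 from Q.33
    f"access-list 101 permit esp host {PEER} host {LOCAL}",
    f"access-list 101 permit ahp host {PEER} host {LOCAL}",
    f"access-list 101 permit udp host {PEER} host {LOCAL} eq isakmp",
]
WRONG_ACL = [     # Q.4 option A: TCP 500 instead of UDP 500, and no AH
    f"access-list 101 permit esp host {PEER} host {LOCAL}",
    f"access-list 101 permit tcp host {PEER} host {LOCAL} eq 500",
]

if __name__ == "__main__":
    print(ipsec_check(CORRECT_ACL))   # all three flows permitted
    print(ipsec_check(WRONG_ACL))     # only esp permitted
    print(is_valid_ace(f"access-list 101 permit isakmp host {PEER} host {LOCAL}"))  # False
```

Option A of Q.33 (permit ahp) is a valid line but covers only AH, and option D (tcp ... eq isakmp) never matches IKE because ISAKMP runs over UDP; only option C lets the IKE negotiation through, and the ESP and AH entries still have to be added before the tunnel carries data.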
Q.34 Context based Access Control (CBAC) allows replies for sessions originating from the ______ hosts.
A. WAN
B. internal
C. external
D. destination

Answer: B
Q.35 Which IOS feature best prevents eavesdropping?
A. IPSec
B. CBAC
C. Lock and Key
D. TCP intercepts
Answer: A
Q.36 What does the following command do?
Crypto map map-name local-address interface-id
A. It applies a crypto map to an interface.
B. It defines a crypto map set to be used by multiple interfaces.

C. It allows the router to add a dynamic crypto map set to a static crypto map set on multiple interfaces.
D. It allows the router to have a single ID with the crypto map configured on more than one interface.
Answer: D (this copy originally gave A). A crypto map is applied to an interface with the interface-level crypto map command; the local-address keyword names the interface whose address identifies the router, so that one crypto map can be used on more than one interface under a single identity.
Q.37 Which four interfaces are supported by the PIX firewall? (Choose four)
A. ATM
B. FDDI
C. Serial
D. 10BaseT
E. 100BaseT
F. Token Ring
Answer: B, D, E, F (the answer in this copy was incomplete). The PIX accepts Ethernet (10BaseT), Fast Ethernet (100BaseT), Token Ring and FDDI interface cards; it has no ATM or serial interfaces.


Q.38 Which PIX firewall command initiates a failover switch from the standby unit?
A. standby active
B. failover active
C. failover switch
D. no failover passive
Answer: B
Q.39 Which server is typically not in a DMZ?
A. FTP Server
B. DNS Server
C. Web server
D. Mail server
E. Enterprise server
Answer: E
Q.40 Which three tools are used to counter an unauthorized access attempt? (Choose three)
A. Encryption
B. Cisco IOS Lock and Key feature
C. Terminal Access Controller Access Control System (TACACS)
D. Challenge Handshake Authentication Protocol (CHAP) authentication
Answer: B, C, D
Q.41 Exhibit: The crypto map is implemented on the serial interface of the remote router. Which access list (ACL) line configured on the remote router enables encryption of traffic between workstation B and workstation A?

A. Access-list 101 permit ip host 192.168.255.2 host 10.34.2.3
B. Access-list 101 permit ip host 192.168.255.2 host 172.34.2.1
C. Access-list 101 permit ip host 10.34.2.3 172.16.1.0 0.0.0.255
D. Access-list 101 permit ip 172.16.1.0 0.0.0.255 10.34.2.0 0.0.0.255
Answer: A
Q.42 The client’s public/private key pair is generated by ____________
A. The client.
B. The certificate authority (CA).
C. The peer during the security association (SA) establishment.
D. Both peers during the SA establishment.
Answer: A
Q.43 Which two demonstrate a security policy weakness? (Choose two)
A. ping of death
B. denial of service
C. improper change control
D. no disaster recovery plan
E. misconfigured network equipment
Answer: C, D

Q.44 Which command demonstrates a successful login for a specific user?
A. show all
B. show user
C. show interface
D. show aaa accounting
