Cisco Secure PIX Firewall Advanced (CSPFA) - Version 3.0 document (pptx)

9E0 - 571
Leading the way in IT testing and certification tools, www.testking.com


- 1 -
9E0-571
Cisco Secure PIX Firewall
Advanced (CSPFA)




Version 3.0




Important Note
Please Read Carefully


Study Tips
This product will provide you questions and answers along with detailed explanations
carefully compiled and written by our experts. Try to understand the concepts behind the
questions instead of cramming the questions. Go through the entire document at least twice so
that you make sure that you are not missing anything.

Latest Version
We are constantly reviewing our products. New material is added and old material is revised.
Free updates are available for 90 days after the purchase. You should check the products page
on the TestKing web site for an update 3-4 days before the scheduled exam date.


Here is the procedure to get the latest version:

1. Go to www.testking.com

2. Click on Login (upper right corner)
3. Enter e-mail and password
4. The latest versions of all purchased products are downloadable from here. Just click
the links.



For most updates, it is enough just to print the new questions at the end of the new version,
not the whole document.

Feedback
Feedback on specific questions should be sent to [e-mail address not included in this copy]. You should state:


1. Exam number and version.
2. Question number.
3. Order number and login ID.

Our experts will answer your mail promptly.

Copyright
Each pdf file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular pdf file is being
distributed by you, TestKing reserves the right to take legal action against you according to
the International Copyright Laws.





Note: Section A contains 59 questions and Section B contains 170. The total number of
questions is 229.

Section A
Study these questions carefully.

QUESTION NO: 1
Which PIX feature denies a user the ability to perform Telnet?


A. Accounting
B. Authorization
C. Authentication
D. Accounting and authorization


Answer: B



QUESTION NO: 2
Which two AAA protocols and servers does the PIX Firewall support? (Choose two)

A. Access control list.
B. Synchronous Communication Server.
C. Remote Authentication Dial-In User Service.
D. Terminal Access Controller Access Control System Plus.


Answer: C, D



QUESTION NO: 3
Enter the function of the PIX Firewall that provides a safeguard in case a PIX Firewall
fails.


Answer: Failover




QUESTION NO: 4
What does the nat command allow you to do on the PIX Firewall? (Choose two)

A. Enable address translation for internal addresses.
B. Enable address translation for external addresses.
C. Disable address translation for internal addresses.
D. Disable address translation for external addresses.
E. Enable address translation for both external and internal addresses.
F. Disable address translation for both external and internal addresses.


Answer: A, C



QUESTION NO: 5
Exhibit:
Match the characteristics of the Adaptive Security Algorithm (ASA) security level with
the correct levels.



Answer:



QUESTION NO: 6
Which four tasks should you perform to configure an IPSec-based VPN with the PIX
Firewall? (Choose four)

A. Configure accounting.
B. Configure authorization.
C. Configure authentication.
D. Configure the PIX Firewall.
E. Configure the IKE parameters.
F. Configure the IPSec parameters.
G. Prepare for configuring VPN support.
H. Test and verify the VPN configuration.


Answer: E, F, G, H



QUESTION NO: 7
Any unprotected inbound traffic on the PIX Firewall that matches a permit entry in the
crypto access list for a crypto map entry, flagged as IPSec, will be __________________


A. Dropped
B. Completed
C. Authorized
D. Authenticated


Answer: A



QUESTION NO: 8
What should you do to prepare for configuring VPN support on the PIX Firewall?

A. Plan in advance.
B. Minimize mis-configuration.
C. Configure IPSec encryption correctly the first time.
D. Define the overall security needs and strategy based on the overall company security
policy.


Answer: D



QUESTION NO: 9

Match the elements of the command for the PIX firewall to the description for the
outbound command. Drag and drop.

Exhibit:



Answer:




QUESTION NO: 10
What are packets inspected for on the PIX firewall?

A. For invalid users.
B. For mis-configuration.
C. For incorrect addresses.
D. For malicious application misuse.


Answer: C




QUESTION NO: 11
With which two Cisco IOS Firewall security features is the authentication proxy
compatible? (Choose two)

A. Cisco router
B. Network address translation
C. Protocol address translation
D. Content-Based Access Control


Answer: B, D



QUESTION NO: 12
Which three thresholds does CBAC on the Cisco IOS Firewall provide against DoS
attacks? (Choose Three)

A. The number of half-open sessions based upon time.
B. The total number of half open TCP or UDP sessions.
C. The number of fully-open sessions based upon time.
D. The number of half-open TCP-only sessions per host.
E. The total number of fully-open TCP or UDP sessions.
F. The number of fully-open TCP-only sessions per host.



Answer: A, B, D



QUESTION NO: 13
What does CBAC on the Cisco IOS Firewall do?

A. Creates specific security policies for each user.
B. Protects the network from internal attacks and threats.
C. Provides additional visibility at intranet, extranet and Internet perimeters.
D. Provides secure, per-application access control across network perimeters.


Answer: D



QUESTION NO: 14
What are three methods for configuring basic router security on the Cisco IOS
Firewall? (Choose three)

A. Turn off services.
B. Set global timeouts.
C. Set global thresholds.
D. Use password encryption.
E. Define inspection rules.
F. Set console and VTY access.



Answer: B, C, E



QUESTION NO: 15
Why does the aaa command reference the group tag on the PIX Firewall?

A. To direct the interface name to the AAA server.
B. To direct the IP address to the appropriate AAA server.
C. To direct authentication, authorization or accounting traffic to the appropriate AAA
server.
D. To direct authentication, authorization or accounting traffic to the appropriate PIX
Firewall.


Answer: C



QUESTION NO: 16
Which two databases does the PIX Firewall use to authenticate cut-through proxy?
(Choose two)

A. ACS NT
B. RADIUS+
C. ACS UNIX
D. TACACS


Answer: B, D



QUESTION NO: 17
Enter the command that enables failover between two PIX Firewalls.


Answer: Failover active



QUESTION NO: 18
Enter the command that allows the IP addresses to be updated in the translation table
for the PIX Firewall.


Answer: Clear xlate



QUESTION NO: 19
Which portion of the conduit command denies access through the PIX Firewall if the
conditions are met?



Answer: deny



QUESTION NO: 20
What does deny mean in regards to crypto access lists on the PIX firewall?

A. It specifies that no packets are encrypted.
B. It specifies that matching packets must be encrypted.
C. It specifies that mismatched packets must be encrypted.
D. It specifies that matching packets need not be encrypted.


Answer: D



QUESTION NO: 21
What is the goal of pre-planning before configuring an IPSec based VPN when using the
PIX Firewall?

A. To plan in advance.
B. To minimize misconfiguration.
C. To identify IPSec peer router Internet Protocol addresses and host names.
D. To determine key distribution methods based on the numbers and locations of IPSec
peers.


Answer: B



QUESTION NO: 22
Which three problems can ActiveX cause for network clients using the PIX Firewall?
(Choose three)

A. It can attack servers.
B. It can block HTML commands.
C. It can block HTML comments.
D. It can download Java applets.
E. It can cause workstations to fail.
F. It can introduce network security problems.


Answer: A, ?, ?



QUESTION NO: 23
How does passive mode FTP on the PIX firewall support inside clients without exposing
them to attack?

A. There is no data connection.
B. Port 20 remains open from outside to inside.
C. Port 21 remains open from inside to outside.
D. The client initiates both the command and data connections.


Answer: D



QUESTION NO: 24
Enter the command that enables the AAA access control system in the global
configuration.


Answer: aaa new-model



QUESTION NO: 25
Enter the command that encrypts all user passwords within the Cisco IOS Firewall.


Answer:
no service password-encryption




QUESTION NO: 26
Which type of session allows you four attempts to correctly authenticate to the PIX
Firewall before it drops the connection?

A. FTP
B. HTTP
C. Telnet
D. Accounting


Answer: C



QUESTION NO: 27
Enter the command that allows the PIX Firewall to enable and configure accounting for
all services or for selected services.


Answer: aaa accounting



QUESTION NO: 28
Why does failover begin a series of interface tests on the PIX Firewall?

A. To check the failover cable.
B. To clear the received packets.
C. To determine which PIX Firewall has failed.
D. To determine which interface has the failover packet.



Answer: C



QUESTION NO: 29
Match the command to the correct interface when configuring the PIX Firewall.

Exhibit:



Answer:




QUESTION NO: 30
What does deny instruct the PIX Firewall to do when configuring IPSec parameters for
the PIX firewall?

A. It routes traffic in the clear.
B. It configures the transform set.
C. It encrypts Internet Protocol packets.
D. It causes all Internet protocol traffic to be protected by crypto.


Answer: A



QUESTION NO: 31
Each IPSec peer individually enrolls with the CA server and obtains which two keys,
using the PIX Firewall? (Choose two)

A. Public encryption
B. Private encryption
C. Public authorization
D. Public authentication
E. Private authorization
F. Private authentication


Answer: A, B



QUESTION NO: 32
Which three statements about DNS Guard on the PIX Firewall are true? (Choose three)


A. It is always enabled.
B. It is always disabled.
C. It causes UDP session hijacking and denial-of-service attacks.
D. It prevents UDP session hijacking and denial-of-service attacks.
E. It automatically creates a UDP conduit as soon as the DNS response is received.
F. It automatically tears down a UDP conduit as soon as the DNS response is received.


Answer: A, D, F



QUESTION NO: 33
Which part of the command specifies the service users are allowed to access, when
configuring user authorization profiles?

A. protocol
B. host ip_addr
C. eq auth_service
D. ip_addr wildcard mask


Answer: C




QUESTION NO: 34
What does the authentication proxy feature of the Cisco IOS Firewall allow network
administrators to do?

A. Tailor access privileges on an individual basis.
B. Use a general policy applied across multiple users.
C. Use a single security policy that is applied to an entire user group or subnet.
D. Keep user policies active even when there is no active traffic from the authenticated
users.


Answer: A



QUESTION NO: 35
What happens when you see the "Authentication Successful" message during the virtual
Telnet authentication of the PIX Firewall?

A. The user is automatically logged out.
B. All entries in the uauth cache are cleared.
C. The user must provide a username and password.
D. Authentication credentials are cached in the PIX Firewall for the duration of the uauth
timeout.


Answer: D




QUESTION NO: 36
What happens at the end of each test during failover interface testing on the PIX
firewall?

A. Network traffic is generated.
B. The PIX Firewall receives traffic for a test.
C. Each PIX Firewall looks to see if it has received any traffic.
D. Each PIX Firewall clears its received packet count for its interface.


Answer: C



QUESTION NO: 37
Enter the command that assigns a name and a security level to each interface of the PIX


Answer: nameif ethernet0 perimeter1 security100



QUESTION NO: 38

Which four steps are used to configure IKE parameters when configuring PIX Firewall
IPSec? (Choose Four)

A. Test VPN.
B. Verify VPN.
C. Apply crypto map.
D. Configure crypto map.
E. Enable or disable IKE.
F. Verify IKE phase 1 details.
G. Configure phase 1 policy.
H. Configure IKE pre-shared key.


Answer: E, F, G, H



QUESTION NO: 39
Match the VPN features that IPSec enables through the PIX Firewall with the correct
descriptions.

Exhibit:
Answer:




QUESTION NO: 40
Which four items does the outbound command let you specify on the PIX Firewall?
(Choose four)

A. Whether inside users can access outside servers.
B. Whether outside users can access outside servers.
C. Whether inside users can use outbound connections.
D. Whether outside users can use inbound connections.
E. Whether outbound connections can execute Java applets on the inside network.
F. Whether inbound connections can execute Java applets on the outside network.
G. Which services outside users can use for inbound connections and for accessing inside
servers.
H. Which services inside users can use for outbound connections and for accessing
outside servers.


Answer: A, C, E, H



QUESTION NO: 41

How does the user trigger the authentication proxy after the idle timer expires?

A. By authenticating the user.
B. By initiating another HTTP session.
C. By entering a new user name and password.
D. By entering a valid user name and password.


Answer: D



QUESTION NO: 42
Which three features does Cisco IOS Firewall use? (Choose three)

A. PIX Firewall
B. Flash memory
C. Stateful Failover
D. Authentication proxy
E. Intrusion detection systems
F. Content based access control


Answer: D, E, F




QUESTION NO: 43
A user is allowed to perform FTP but not HTTP. Which feature performs this function
within the PIX Firewall?

A. Accounting only.
B. Authorization only.
C. Authentication only.
D. Accounting and authentication.


Answer: B



QUESTION NO: 44
Which addresses does the primary PIX Firewall use when in active mode?

A. Media access control addresses only.
B. System Internet Protocol addresses and media access control addresses.
C. Failover Internet Protocol addresses and media access control addresses.
D. System Internet Protocol addresses and failover Internet Protocol addresses.


Answer: B



QUESTION NO: 45

What is the purpose of verifying the IKE Phase 1 policy with the PIX Firewall?

A. To specify the hash algorithm.
B. To configure the IPSec parameters.
C. To specify the authentication method.
D. To display configured and default IKE policies.


Answer: D



QUESTION NO: 46
What is the purpose of WebSENSE with the PIX Firewall?

A. To control or monitor e-mail activity.
B. To control or monitor Internet activity.
C. To control or monitor inside client activity.
D. To control or monitor outside client activity.


Answer: B




QUESTION NO: 47
What happens if the user fails to authenticate with the AAA server on a CSIS router?

A. A password is requested.
B. Authentication is completed.
C. The connection request is dropped.
D. The connection request is completed.


Answer: C



QUESTION NO: 48
What is the default for Interface Configuration during basic configuration of the Cisco
Secure ACS Network Access Server on the PIX Firewall?

A. Enabled
B. Disabled
C. Automatically enabled
D. Identical passwords required


Answer: B



QUESTION NO: 49
Why is the ASA important for the PIX Firewall? (Choose three)


A. It monitors return packets to assure validity.
B. It allows two-way connections on all systems.
C. It allows one-way connection with an explicit configuration on each internal system.
D. It allows one-way connection with an explicit configuration on each external system
E. It allows one-way connection without an explicit configuration on each internal
system.
F. It randomizes the TCP sequence number, which minimizes the risk of attack.


Answer: A, C, F



QUESTION NO: 50
How do you choose the specific values for each IKE parameter when using the PIX
Firewall?

A. Using host names.
B. Using the remote level you desire and the host peer you will connect to.
C. Using the remote level you desire and the destination peer you will connect to.
D. Using the security level you desire and the type of IPSec peer you will connect to.


Answer: B




QUESTION NO: 51
What is the purpose of UDP resend on the PIX Firewall when using Real Networks'
RDT mode?

A. It connects the client to the server.
B. It connects the outside client to the inside client.
C. The client requests that the server try to resend lost data packets.
D. Media delivery uses the standard UDP packet format to go from the server to the
client.


Answer: C



QUESTION NO: 52
What happens in the aggressive mode of the CBAC on the Cisco IOS Firewall?

A. CBAC deletes all half-open sessions.
B. CBAC re-initiates half-open sessions.
C. CBAC completes all half-open sessions, making them fully-open sessions.
D. CBAC deletes half-open sessions as required to accommodate new connection
requests.



Answer: D



QUESTION NO: 53
Enter the command that writes the configuration into Flash memory of the PIX
Firewall.


Answer: write memory



QUESTION NO: 54
Enter the command that defines a static or default route for an interface on the PIX
Firewall.


Answer: ip route



QUESTION NO: 55
What does permit mean in regards to crypto access lists on the PIX Firewall?

A. It specifies that no packets are encrypted.
B. It specifies that matching packets must be encrypted.
C. It specifies that mismatched packets must be encrypted.
D. It specifies that matching packets need not be encrypted.


Answer: B



QUESTION NO: 56
How does the PIX firewall provide secure connections for Real Audio and CUSeeME?

A. It statically opens UDP ports.
B. It statically closes UDP ports.
C. It statically opens and closes UDP ports.
D. It dynamically opens and closes UDP ports.


Answer: D



QUESTION NO: 57
What does a half-open TCP session on the Cisco IOS Firewall mean?

A. The session was denied.
B. The firewall detected return traffic.
C. A three-way handshake has been completed.
D. The session has not reached the established state.


Answer: D



QUESTION NO: 58
Why do the connections remain with stateful failover on the PIX Firewall?

A. Stateful failover passes per-connection stateful information to the active PIX Firewall.
B. Stateful failover passes per-connection stateful information to the standby PIX
Firewall.
C. Stateful failover does not pass per-connection stateful information to the active PIX
Firewall.
D. Stateful failover does not pass per-connection stateful information to the standby PIX
Firewall.


Answer: B



QUESTION NO: 59
Which command limits the hosts that are allowed to Telnet to the Cisco IOS Firewall
router?

A. password
B. access-list
C. enable mode
D. disable mode


Answer: B


Section B

Study these questions as well.

QUESTION NO: 1
What is the default TCP timeout for inactivity on CBAC?

A. 360 seconds
B. 3600 seconds
C. 255,000 seconds
D. 2400 seconds


Answer: B



QUESTION NO: 2

What is NAT?

A. Access control
B. Default hostname of the Cisco PIX
C. Network access translations
D. IP address translation


Answer: D



QUESTION NO: 3
What does PAM stand for?

A. Port address mapping
B. Port allocation mapping
C. Port to application mapping
D. Port address management


Answer: C



QUESTION NO: 4
What are the two types of PIX firewall translations?

A. Dynamic
B. PAM
C. Default
D. Static


Answer: A, D



QUESTION NO: 5
No packets can traverse the PIX Firewall without a connection and state. (True or False)

A. True
B. False


Answer: A



QUESTION NO: 6
How do you save the PAM mappings?

A. Copy pam-mappings flash
B. They are automatically saved
C. Save pam-mappings
D. Copy run start


Answer: D



QUESTION NO: 7
What command enables the failover feature on the PIX506?

A. Failover is not supported on the PIX506
B. Failover standby
C. Enable failover
D. Enable standby


Answer: A



QUESTION NO: 8
What needs to be done to the clients in case of a PIX stateful failover situation?

A. A router is required to redirect to the PIX in case of failover
B. The arp table must be cleared on all client computers
C. All clients must have the default gateway changed to the now active PIX
D. Nothing.


Answer: D
Actually, nothing needs to be done if two PIXs are hooked up, failover is active, and the
Primary fails. With stateful failover, all the actual connection states that are created in the
Primary PIX are replicated to the standby PIX. In the event of a failover, the XLATE table is
the same on the standby unit, so when it becomes the Primary, nothing needs to be done. It is
transparent to all the hosts on the network.



QUESTION NO: 9
What three commands are required for stateful failover?

A. failover ip address inside 10.1.1.2
B. stateful failover
C. failover on
D. failover link intf2


Answer: A, C, D



QUESTION NO: 10
What is a limitation of PAT?

A. Very processor intensive
B. Supports very few clients
C. Only supported on Cisco IOS routers
D. Does not support multi-media protocols


Answer: D



QUESTION NO: 11
What protocols trigger authentication proxy?

A. FTP
B. SSL
C. Telnet
D. HTTP


Answer: D

