642-521 : Secure PIX Firewall Exam (CSPFA)

QUESTION 11 John, the security administrator at Cisco Highway Inc., is working on ACLs. Which statement about downloadable ACLs is true?

A. The true statement is a downloadable ACL is not downloaded again as long as it exists on the PIX Firewall.

B. The true statement is the PIX Firewall does not support versioning downloadable ACLs.

C. The true statement is downloadable ACLs must have names assigned to them.

D. The true statement is downloadable ACLs are downloaded from the PIX Firewall to the Cisco Secure ACS server during authentication.

Answer: C

Explanation: There are two methods of configuring downloadable ACLs on the AAA server. The first method, downloading named ACL

Reference: Cisco Secure PIX Firewall Advanced 3.1 12-40

QUESTION 12 Jason, the security administrator at Cisco Highway Inc., is working on PIX Firewall configuration commands. Why is the group tag in the aaa-server command important?

A. It is important because the group tag identifies which users require authorization to use certain services.

B. It is important because the group tag identifies which user groups must authenticate.

C. It is important because the aaa command references the group tag to know where to direct authentication, authorization, or accounting traffic.

D. It is important because the group tag enables or disables user authentication services.

Answer: C

Explanation: Use the aaa-server command to specify AAA server groups... The aaa command references the group tag to direct authentication, authorization, and accounting traffic to the appropriate AAA server.

Reference: Cisco Secure PIX Firewall Advanced 3.1 12-12

QUESTION 13 You work as a network administrator at Cisco Highway. Cisco Highway's primary PIX Firewall is currently the active unit in your failover topology. What will happen to the current IP addresses on the primary PIX Firewall if it fails?

A. The current IP addresses on the primary PIX Firewall remain the same, but the current IP addresses of the secondary become the virtual IP addresses you configured.

B. The current IP addresses will be deleted.

C. The ones on both the primary and secondary PIX Firewalls are deleted, and both assume the failover IP addresses you configured.

D. The current IP addresses will become those of the standby PIX Firewall.

Answer: D

Explanation: The failover feature allows you to use a standby PIX Firewall to take over the functionality of a failed PIX Firewall. When the active unit fails, it changes to the standby state, while the standby unit changes to the active state. The unit that becomes active takes over the active unit's IP addresses and MAC addresses and begins passing traffic. The unit that is now in the standby state takes over the standby IP addresses and MAC addresses.

Reference: Cisco PIX Firewall Software - Using PIX Firewall Failover www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html

QUESTION 14 The security team at Cisco Highway Inc. is looking for the truth about the PIX Firewall. Which statement about the PIX Firewall is true?

A. The true statement is the PIX Firewall passes RIP updates between interfaces.

B. The true statement is the PIX Firewall uses the dynamically learned routes to forward traffic to the appropriate destinations but does not propagate learned routes to other devices.

C. The true statement is you cannot configure the PIX Firewall to learn routes dynamically from RIP version 1 or RIP version 2 broadcasts.

D. The true statement is the PIX Firewall uses dynamically learned routes to forward traffic to the appropriate destinations, passes RIP updates between its interfaces, and propagates learned routes to other devices.

Answer: B

Explanation: You can configure the PIX Firewall to learn routes dynamically from RIP version 1 or RIP version 2 broadcasts. Although the PIX Firewall uses the dynamically learned routes itself to forward traffic to the appropriate destinations, it does not propagate learned routes to other devices. The PIX Firewall cannot pass RIP updates between interfaces. It can, however, advertise one of its interfaces as a default route.

Reference: Cisco Secure PIX Firewall Advanced 3.1 9-5

QUESTION 15 John, the security administrator at Cisco Highway Inc., is working on configuring the PIX Firewall. Which two of the following are features of the PIX Firewall? (Choose two)

A. One feature is it uses the Cisco Finesse operating system.

B. One feature is it uses the Cisco IOS operating system.

C. One feature is it is based on Windows NT technology.

D. One feature is it analyzes every packet at the application layer of the OSI model.

E. One feature is it can be configured to provide full routing functionality.

F. One feature is it uses a cut-through proxy to provide user-based authentication of connections.

Answer: A, F

Explanation: The PIX Firewall features the following technologies and benefits:

- Non-UNIX, secure, real-time, embedded system
- ASA
- Cut-through proxy: a user-based authentication method for both inbound and outbound connections, providing improved performance in comparison to that of a proxy server.
- Stateful packet filtering
- Finesse, a Cisco proprietary operating system, is a non-UNIX, non-Windows NT, IOS-like operating system. Use of Finesse eliminates the risks associated with general-purpose operating systems.

Reference: Cisco Secure PIX Firewall Advanced 3.1 chap 3 pages 8-9

QUESTION 16 John, the security administrator at Cisco Highway Inc., wants to know the default port number that the PIX Firewall uses to contact the AUS.

A. The default port number is 444

B. The default port number is 443

C. The default port number is 110

D. The default port number is 25

Answer: B

Explanation: AUS uses port 443 (SSL).

Reference: Page 18-12 of the course manual version 3.1

QUESTION 17 The security team at Cisco Highway Inc. is working on VoIP for the PIX Firewall. Which statements about the PIX Firewall in VoIP environments are true? (Choose two)

A. The true statement is the PIX Firewall allows SCCP signaling and media packets to traverse the PIX Firewall and interoperate with H.323 terminals.

B. The true statement is the PIX Firewall does not support the popular call setup protocol SIP because TCP can be used for call setup.

C. The true statement is the PIX Firewall supports the Skinny Client Control Protocol, which allows you to place IP phones and CallManager on separate sides of the PIX Firewall.

D. The true statement is users behind the PIX Firewall can place outbound calls with IP phones because they use HTTP tunneling to route packets through port 80, making them appear as web traffic.

Answer: A, C

Explanation: fixup protocol skinny port[-port]

- Enables the SCCP (Skinny) protocol
- Dynamically opens pinholes for media sessions and NAT-embedded IP addresses
- Supports IP telephony
- Can coexist in an H.323 environment
- Default port is 2000

Due to SCCP support, an IP phone and Cisco CallManager can now be placed on separate sides of the PIX Firewall.

Reference: Cisco Secure PIX Firewall Advanced 3.1 chap 10 page 14

QUESTION 18 Help John from the security department at Cisco Highway Inc. find out which statement about authorization and the PIX Firewall is true.

A. The true statement is the PIX Firewall does not support per-user authorization.

B. The true statement is the PIX Firewall does not support TACACS+ authorization.

C. The true statement is the PIX Firewall supports downloadable ACLs using TACACS+.

D. The true statement is the PIX Firewall supports downloadable ACLs using RADIUS.

Answer: D

Explanation: Note: Downloadable ACLs are supported with RADIUS only. They are not supported with TACACS+.

Reference: Cisco Secure PIX Firewall Advanced 3.1 chap 12 page 38

QUESTION 19 Kathy, the security administrator at Cisco Highway Inc., is working on creating VPNs. Which two of these statements about creating VPNs in PDM are true? (Choose two)

A. The true statement is when the inactivity timeouts for all IPSec SAs have expired for a given VPN Client, the tunnel is established.

B. The true statement is PDM hides the concept of the crypto map.

C. The true statement is PDM supports tunnel policies that are not bound to an interface.

D. The true statement is to create a crypto map, you select Crypto Maps from the IPSec branch of the categories tree.

E. The true statement is PDM does not support tunnel policies that are not bound to an interface. You must select an interface for a tunnel policy when you create it.

F. The true statement is after you create a tunnel policy in the VPN tab's Tunnel Policy window, you must bind it to an interface from the Access Rules tab.

Answer: B, E

Explanation:

D: PDM hides the concept of the crypto map. It does not support crypto maps that are not applied to any interface.

F: Open PDM, go to the VPN tab, the IPSec category, then Tunnel Policy, and select "Add" tunnel policy. As you can see, the interface is chosen in the Tunnel Policy window, not from the Access Rules tab (not E). The Access Rules tab is all about access lists, and PDM creates the access lists needed for VPN connections on its own. Again

Reference: Cisco Secure PIX Firewall Advanced 3.1 chap 16 pages 17 and 33

QUESTION 20 James, the security administrator at Cisco Highway, is working on PDM. He needs to know which operating systems PDM runs on. (Choose the best answer.)

A. PDM runs on Windows, Linux, and Sun Solaris

B. PDM runs on Windows, Macintosh, and Linux

C. PDM runs on Windows and Sun Solaris

D. PDM runs on Windows and Linux

Answer: A

Explanation: PDM can operate in browsers running on Windows, Sun Solaris, or Linux operating systems.

Reference: Cisco Secure PIX Firewall Advanced 3.1 chap 16 page 9
