Document: Cisco Secure PIX Firewall Advanced (CSPFA) - Version 3.0 pptx


9E0-571
Cisco Secure PIX Firewall Advanced (CSPFA) Version 3.0
Leading the way in IT testing and certification tools, www.testking.com

Important Note - Please Read Carefully

Study Tips
This product provides questions and answers along with detailed explanations, carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you are sure you are not missing anything.

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check the product page on the TestKing web site for an update 3-4 days before the scheduled exam date. The procedure to get the latest version:
1. Go to www.testking.com
2. Click on Login (upper right corner)
3. Enter e-mail and password
4. The latest versions of all purchased products are downloadable from here; just click the links
For most updates it is enough to print the new questions at the end of the new version rather than the whole document.

Feedback
Feedback on specific questions should be sent to feedback@testking.com. State the exam number and version, the question number, and your order number and login ID. Our experts will answer your mail promptly.

Copyright
Each PDF file contains a unique serial number associated with your particular name and contact information for security purposes. If we find that a particular PDF file is being distributed by you, TestKing reserves the right to take legal action against you according to international copyright law.

Note: Section A contains 59 questions and Section B contains 170. The total number of questions is 229.

Section A
Study these questions carefully.

QUESTION NO: 1
Which PIX feature denies a user the ability to perform Telnet?
A. Accounting
B. Authorization
C. Authentication
D. Accounting and authorization
Answer: B

QUESTION NO: 2
Which two AAA protocols and servers does the PIX Firewall support? (Choose two)
A. Access control list
B. Synchronous Communication Server
C. Remote Authentication Dial-In User Service
D. Terminal Access Controller Access Control System Plus
Answer: C, D

QUESTION NO: 3
Enter the function of the PIX Firewall that provides a safeguard in case a PIX Firewall fails.
Answer: Failover

QUESTION NO: 4
What does the nat command allow you to do on the PIX Firewall? (Choose two)
A. Enable address translation for internal addresses
B. Enable address translation for external addresses
C. Disable address translation for internal addresses
D. Disable address translation for external addresses
E. Enable address translation for both external and internal addresses
F. Disable address translation for both external and internal addresses
Answer: A, C

QUESTION NO: 5
Exhibit: Match the characteristics of the Adaptive Security Algorithm (ASA) security level with the correct levels.
Answer: (drag-and-drop exhibit; not reproduced in this extract)

QUESTION NO: 6
Which four tasks should you perform to configure an IPSec-based VPN with the PIX Firewall? (Choose four)
A. Configure accounting
B. Configure authorization
C. Configure authentication
D. Configure the PIX Firewall
E. Configure the IKE parameters
F. Configure the IPSec parameters
G. Prepare for configuring VPN support
H. Test and verify the VPN configuration
Answer: E, F, G, H

QUESTION NO: 7
Any unprotected inbound traffic on the PIX Firewall that matches a permit entry in the crypto access list for a crypto map entry flagged as IPSec will be:
A. Dropped
B. Completed
C. Authorized
D. Authenticated
Answer: A

QUESTION NO: 8
What should you do to prepare for configuring VPN support on the PIX Firewall?
A. Plan in advance
B. Minimize misconfiguration
C. Configure IPSec encryption correctly the first time
D. Define the overall security needs and strategy based on the overall company security policy
Answer: D

QUESTION NO: 9
Match the elements of the outbound command for the PIX Firewall to their descriptions (drag and drop).
Exhibit and answer: not reproduced in this extract

QUESTION NO: 10
What are packets inspected for on the PIX Firewall?
A. For invalid users
B. For mis-configuration
C. For incorrect addresses
D. For malicious application misuse
Answer: C

QUESTION NO: 11
With which two Cisco IOS Firewall security features is the authentication proxy compatible? (Choose two)
A. Cisco router
B. Network address translation
C. Protocol address translation
D. Content-Based Access Control
Answer: B, D

QUESTION NO: 12
Which three thresholds does CBAC on the Cisco IOS Firewall provide against DoS attacks? (Choose three)
A. The number of half-open sessions based upon time
B. The total number of half-open TCP or UDP sessions
C. The number of fully-open sessions based upon time
D. The number of half-open TCP-only sessions per host
E. The total number of fully-open TCP or UDP sessions
F. The number of fully-open TCP-only sessions per host
Answer: A, B, D

QUESTION NO: 13
What does CBAC on the Cisco IOS Firewall do?
A. Creates specific security policies for each user
B. Protects the network from internal attacks and threats
C. Provides additional visibility at intranet, extranet and Internet perimeters
D. Provides secure, per-application access control across network perimeters
Answer: D

QUESTION NO: 14
What are three methods for configuring basic router security on the Cisco IOS Firewall? (Choose three)
A. Turn off services
B. Set global timeouts
C. Set global thresholds
D. Use password encryption
E. Define inspection rules
F. Set console and VTY access
Answer: B, C, E

QUESTION NO: 15
Why does the aaa command reference the group tag on the PIX Firewall?
A. To direct the interface name to the AAA server
B. To direct the IP address to the appropriate AAA server
C. To direct authentication, authorization or accounting traffic to the appropriate AAA server
D. To direct authentication, authorization or accounting traffic to the appropriate PIX Firewall
Answer: C

QUESTION NO: 16
Which two databases does the PIX Firewall use to authenticate cut-through proxy? (Choose two)
A. ACS NT
B. RADIUS
C. ACS UNIX
D. TACACS+
Answer: B, D

QUESTION NO: 17
Enter the command that enables failover between two PIX Firewalls.
Answer: Failover active
Note: on the PIX the "failover" command is what turns failover on; "failover active" forces the local unit to become the active unit.

QUESTION NO: 18
Enter the command that allows the IP addresses to be updated in the translation table of the PIX Firewall.
Answer: clear xlate

QUESTION NO: 19
Which portion of the conduit command denies access through the PIX Firewall if the condition is met?
Answer: deny

QUESTION NO: 20
What does deny mean in regards to crypto access lists on the PIX Firewall?
A. It specifies that no packets are encrypted
B. It specifies that matching packets must be encrypted
C. It specifies that mismatched packets must be encrypted
D. It specifies that matching packets need not be encrypted
Answer: D

QUESTION NO: 21
What is the goal of pre-planning before configuring an IPSec-based VPN when using the PIX Firewall?
A. To plan in advance
B. To minimize misconfiguration
C. To identify IPSec peer router Internet Protocol addresses and host names
D. To determine key distribution methods based on the numbers and locations of IPSec peers
Answer: B

QUESTION NO: 22
Which three problems can ActiveX cause for network clients using the PIX Firewall? (Choose three)
A. It can attack servers
B. It can block HTML commands
C. It can block HTML comments
D. It can download Java applets
E. It can cause workstations to fail
F. It can introduce network security problems
Answer: A, ?, ?

QUESTION NO: 23
How does passive mode FTP on the PIX Firewall support inside clients without exposing them to attack?
A. There is no data connection
B. Port 20 remains open from outside to inside
C. Port 21 remains open from inside to outside
D. The client initiates both the command and data connections
Answer: D

[Questions 24 to 117 are not included in this extract.]

QUESTION NO: 118
Without stateful failover, how are active connections handled?
A. Connections are maintained between the PIX and the failover unit
B. Dropped
C. UDP connections are maintained
D. TCP connections are maintained
Answer: B

QUESTION NO: 119
What is the purpose of the "fixup protocol" commands?
A. To identify what protocols are permitted through the PIX
B. To change the PIX Firewall application protocol feature
C. To identify what protocols are to be blocked by the PIX
D. To map a protocol to a TCP or UDP port
Answer: B

QUESTION NO: 120
In what version of IOS was the "ip port-map" command introduced?
A. 13.(1)
B. 12.1
C. 11.0(1)
D. 12.0(5)T
Answer: D

QUESTION NO: 121
What is the first step in configuring IPSec without a CA?
A. Crypto
B. ISAKMP
C. IKE
D. IPSEC
Answer: C

QUESTION NO: 122
How do you delete the following PAM entry? "ip port-map http port 81"
A. clear ip port-map http port 81
B. This is a system-defined entry and cannot be deleted
C. no ip port-map http port 81
D. delete ip port-map http port 81
Answer: C

QUESTION NO: 123
What is the purpose of the outbound access-list in a CBAC solution?
A. To block all traffic; CBAC will then inspect the traffic and allow legitimate traffic out
B. To identify the packets you want inspected by CBAC
C. There is no need for an outbound access-list in a CBAC solution
D. To identify legitimate inbound traffic from the Internet
Answer: B

QUESTION NO: 124
What does the "crypto access-list" command accomplish?
A. There is no such access list
B. It blocks non-encrypted traffic
C. It identifies crypto map statements
D. It identifies which traffic is to be encrypted
Answer: D

QUESTION NO: 125
"logging timestamp" specifies that syslog messages sent to the syslog server should have a time stamp value on each message.
A. True
B. False
Answer: A

QUESTION NO: 126
What is the layer-4 difference between RADIUS and TACACS+?
A. RADIUS uses TCP and TACACS+ uses UDP
B. RADIUS uses UDP and TACACS+ uses TCP
C. TACACS+ uses FTP and RADIUS uses TFTP
D. There is no layer-4 difference between RADIUS and TACACS+
Answer: B

QUESTION NO: 127
What two concepts are included in data authentication?
A. Anti-replay
B. Data origin authentication
C. Data integrity
D. Data confidentiality
Answer: B, C

QUESTION NO: 128
You decide you need more interfaces for your PIX 515 and you already have the unrestricted license installed. The PIX Firewall only shipped with its built-in Ethernet interfaces. You install a new Ethernet interface that you ordered from Cisco. After you power the PIX on, you assign an IP address to the interface and configure a nat and global statement for the new network, but users on the new network are unable to browse the Internet. What else do you need to do?
A. Enable the new interface in the configuration
B. Add the "conduit permit any any" statement to your configuration
C. Nothing; the problem is probably with the client workstations, not the PIX
D. Add the Cisco client proxy software to each workstation on the new network
Answer: A

QUESTION NO: 129
What are some advantages of using the PIX Firewall over other firewalls such as Microsoft Proxy?
A. No security problems from running on top of other operating systems
B. The PIX Firewall is plug and play, no configuration required
C. The PIX inspects lower-layer protocols
D. The PIX does stateful packet inspection
E. One-box solution
Answer: A, C, D, E

QUESTION NO: 130
How many interfaces does the PIX 515R support?
A. / B. / C. / D. (option values missing from this extract)
Answer: A

QUESTION NO: 131
How do you configure a PAT address?
A. nat (outside) 1.1.1.1 1.1.1.1 255.255.255.255
B. ip pat (outside) 1.1.1.1 255.255.255.255
C. pat (outside) 1.1.1.1 255.255.255.255
D. global (outside) 1.1.1.1 1.1.1.1 255.255.255.255
Answer: D
Note: the PIX syntax is "global (if_name) nat_id global_ip [netmask mask]"; a global statement with a single address and a 255.255.255.255 netmask defines a PAT address.

QUESTION NO: 132
What are the two transport layer protocols?
A. TCP
B. IP
C. ICMP
D. UDP
Answer: A, D

QUESTION NO: 133
How many hello packets must be missed before the failover unit will become active?
A. / B. / C. / D. (option values missing from this extract)
Answer: A

QUESTION NO: 134
Only one IPSec tunnel can exist between two peers.
A. False
B. True
Answer: A

QUESTION NO: 135
What are two purposes of NAT?
A. To build routing tables
B. To expedite packet inspection
C. To connect two separate interfaces
D. To conserve non-RFC1918 addresses
E. To hide the real IP addresses of internal servers and workstations from the Internet
Answer: D, E

QUESTION NO: 136
What does IKE Extended Authentication provide?
A. Authentication of multiple IPSec peers
B. Auto-negotiation of IPSec security associations
C. User authentication using RADIUS/TACACS+
Answer: C

QUESTION NO: 137
How do you view active NAT translations?
A. show nat-translations
B. show ip-nat translations
C. show xlate
D. show translations *
Answer: C

QUESTION NO: 138
Access-lists are supported with RADIUS authorization.
A. True
B. False
Answer: A

QUESTION NO: 139
How are transform sets selected in manually established security associations?
A. Transform sets are not used in manually established security associations
B. Manually established security associations only have one transform set
C. The first transform set is always used
D. The first common transform set is used
Answer: B

QUESTION NO: 140
What are the two licenses supported on the PIX 515?
A. Unrestricted
B. Limited
C. Restricted
D. Unlimited
Answer: A, C

QUESTION NO: 141
What is the purpose of the "clear access-list" command?
A. Remove an access-list from an interface
B. To clear all access-lists from the PIX
C. To clear all access-list counters
D. Invalid command
Answer: B

QUESTION NO: 142
At what layer of the OSI model does IPSec provide security?
A. / B. / C. / D. (option values missing from this extract)
Answer: D

QUESTION NO: 143
A transform set is a combination of ___ and ___.
A. access-list
B. crypto maps
C. security protocols
D. algorithms
Answer: C, D

QUESTION NO: 144
AAA stands for authentication, authorization, and ___.
A. application
B. accounting
C. access control
D. authenticity
Answer: B

QUESTION NO: 145
In CBAC, how are half-open sessions measured?
A. Both TCP and UDP half-open sessions are calculated
B. Only UDP half-open sessions are calculated
C. CBAC does not calculate half-open sessions
D. Only TCP half-open sessions are calculated
Answer: A

QUESTION NO: 146
What does DDOS stand for?
A. Distributed denial of service
B. Dedicated Department of Security
C. Dead, Denied, Out of Service
D. Demand denial of service
Answer: A

QUESTION NO: 147
What is the purpose of the "route 0" command?
A. To configure a static route
B. To enable routing on the PIX
C. To configure a default route
D. To route between interfaces
Answer: C

QUESTION NO: 148
You establish an IPSec tunnel with a remote peer. You verify it by viewing the security associations. You view the security associations two days later and find they are not there. What is the problem?
A. This would not happen
B. You have used an incorrect command to view the security associations
C. Your PIX is not powered up
D. No traffic was identified to be encrypted
Answer: D

QUESTION NO: 149
In CBAC, where are dynamic access entries added?
A. A new access-list is configured for each access entry
B. At the beginning of the access-list
C. A separate access-list is created for access entries
D. At the end of the access-list
Answer: B

QUESTION NO: 150
How do you identify a syslog server on the PIX?
A. logging host 10.1.1.1
B. tftp server 10.1.1.1
C. syslog-server 10.1.1.1
D. syslog server 10.1.1.1
Answer: A

QUESTION NO: 151
CBAC inspection can only be configured in one direction.
A. False
B. True
Answer: A

QUESTION NO: 152
What is anti-replay?
A. The IPSec peer will not accept old or duplicated packets
B. The IPSec peer listens for all traffic from the IPSec peer at the other end of the tunnel so as not to require any resends
C. The IPSec peer sends duplicates of each packet so as not to have to resend any packets
D. The IPSec peer will not resend packets
Answer: A

QUESTION NO: 153
During IPSec security association negotiation, if there are multiple transform sets, which one is used?
A. It does not matter
B. The first common one
C. The first one
D. The last one
Answer: B

QUESTION NO: 154
What three types of entries does the PAM table provide?
A. User-defined
B. Internet-specific
C. Host-specific
D. System-defined
Answer: A, C, D

QUESTION NO: 155
In AAA, what does the method keyword "local" mean?
A. That the AAA server is local
B. Deny if the login request is local
C. Use the local database for authentication
D. Authenticate if the login request is local
Answer: C

QUESTION NO: 156
At what frequency does the PIX send hello packets to the failover unit?
A. 15 seconds
B. 60 seconds
C. (value missing from this extract) seconds
D. 20 seconds
Answer: A

QUESTION NO: 157
What command deletes all authentication proxy entries?
A. clear ip authentication-proxy cache
B. clear ip authentication-proxy cache all
C. clear ip authentication-proxy cache *
D. clear authentication-proxy all entries
Answer: C

QUESTION NO: 158
What is the purpose of the access-group command?
A. To apply an access-list to an interface
B. This is not a valid command on the PIX Firewall
C. To create an ACL
D. To group access-lists together
Answer: A

QUESTION NO: 159
Default "fixup protocol" commands cannot be disabled.
A. True
B. False
Answer: B

QUESTION NO: 160
What is the purpose of a syslog server?
A. To host websites
B. To collect system messages
C. To maintain current backup configurations
D. To maintain URL filtering information
Answer: B

QUESTION NO: 161
What is required for stateful failover on the PIX 515?
A. Unrestricted software license
B. Cisco failover cable
C. Cisco IOS failover feature set
D. Ethernet interfaces interconnected
Answer: A, B, D

QUESTION NO: 162
In CBAC, what is a state table?
A. A table containing access-list information
B. A table containing information about the state of CBAC
C. A table containing information about the state of the packet's connection
D. A table containing routing information
Answer: C

QUESTION NO: 163
What two commands are needed for inbound access?
A. static
B. access-list
C. PAT
D. NAT
Answer: A, B

QUESTION NO: 164
What are some application layer protocols that CBAC can inspect?
A. TFTP
B. TCP
C. SMTP
D. UDP
E. HTTP
F. FTP
Answer: A, C, E, F

QUESTION NO: 165
What does PAM do for CBAC?
A. PAM allows CBAC to associate non-standard port numbers with specific protocols
B. PAM is required by CBAC to inspect traffic
C. PAM is an alternative to using CBAC for packet inspection
D. PAM is not compatible with CBAC
Answer: A

QUESTION NO: 166
What is different about the PIX privileged access mode as opposed to the privileged access mode of a Cisco IOS router?
A. The "?" command does not work on the PIX
B. No difference
C. Each configuration command is automatically saved to flash
D. The ability to view the running configuration from configuration mode
Answer: D
You can do a "show run" from anywhere in the PIX and get the running configuration. In an IOS router you can only do it from router#. (There is a way in newer IOS to do it from within configuration mode: from router(config-if)# you would have to enter "do show run".) But what they are looking for is D.

QUESTION NO: 167
When configuring an ACL to identify traffic that requires encryption, two entries are needed: one for inbound traffic and one for outbound traffic.
A. True
B. False
Answer: B

QUESTION NO: 168
How do you change the activation key on the PIX?
A. Reset the PIX
B. With the checksum command
C. Copy a PIX image to the flash
D. The activation key cannot be changed
Answer: C

QUESTION NO: 169
What is a CA?
A. Configured applications
B. Cisco authentication
C. Certificate authority
D. Command approval
Answer: C

QUESTION NO: 170
How many interfaces does the PIX 506 support?
A. / B. / C. / D. (option values missing from this extract)
Answer: B

Excerpt fragments from the part of Section A not reproduced above:

... (question text not in this extract)
A. CBAC deletes all half-open sessions
B. CBAC re-initiates half-open sessions
C. CBAC completes all half-open sessions, making them fully-open sessions
D. CBAC deletes half-open ...

QUESTION NO: 57
What does a half-open TCP session on the Cisco IOS Firewall mean?
A. The session was denied
B. The firewall detected return traffic
C. A three-way handshake ...
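The PIX commands that questions 4, 17, 18, 118, 125, 128, 131, 137, 147, 150, 158, 159, 161 and 163 ask about fit together in one small configuration. The following PIX 6.x configuration is an added example written for this page; it is not from the exam document or from Cisco. Interface names, addresses (RFC 5737 and RFC 1918 ranges), the access-list name outside_in and the syslog server address are illustrative assumptions.

```text
! PIX 6.x configuration (added example, not from the exam document).
! Assumed layout: ethernet0 outside, ethernet1 inside, ethernet2 dmz,
! ethernet3 dedicated to stateful failover.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 stateful security60
! A newly installed interface stays shut down until it is enabled (question 128).
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
ip address stateful 172.16.0.1 255.255.255.0
! "route 0" is the shorthand for this default route (question 147).
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
! nat enables translation for inside (higher-security) hosts (question 4);
! nat_id 1 ties it to the global pool below.
nat (inside) 1 10.1.1.0 255.255.255.0
! A global with a single address and a host netmask is a PAT address (question 131).
global (outside) 1 192.0.2.10 netmask 255.255.255.255
! Inbound access needs a static translation plus an access-list (question 163);
! the access-list only takes effect once access-group binds it (question 158).
static (dmz,outside) 192.0.2.20 10.2.2.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.20 eq www
access-group outside_in in interface outside
! Syslog: name the collector with logging host (question 150) and
! time-stamp every message (question 125).
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.50
! Default fixups can be disabled (question 159); here SMTP inspection is turned off.
no fixup protocol smtp 25
! "failover" enables failover; "failover active" would only force this unit to be
! the active one (question 17). Without "failover link", a failover drops all
! connections (question 118); with it, the state table is replicated (question 161).
failover
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address dmz 10.2.2.2
failover ip address stateful 172.16.0.2
failover link stateful
```

After changing nat, global or static entries, run "clear xlate" so the translation table is rebuilt (question 18), and "show xlate" to view the active translations (question 137).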
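Questions 6, 7, 20, 121, 124, 143, 148, 153 and 167 describe the pieces of a PIX IPSec configuration. The following PIX 6.x site-to-site VPN is an added example written for this page, not from the exam document or from Cisco. The local network 10.1.1.0/24, the remote network 10.3.3.0/24, the peer address 203.0.113.1, the names vpn_traffic, strong and peer_map, and the placeholder pre-shared key are illustrative assumptions.

```text
! PIX 6.x site-to-site IPSec with a pre-shared key (added example, not from the exam).
! Local LAN 10.1.1.0/24 behind this PIX; remote LAN 10.3.3.0/24 behind peer 203.0.113.1.
!
! Crypto access-list: permit marks traffic to be encrypted; a deny entry would mark
! matching traffic as not needing encryption (questions 20 and 124). One entry per
! flow is enough: the same list is evaluated for outbound and inbound traffic, and the
! peer configures the mirror image (question 167).
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
! Exempt the VPN traffic from NAT so the private addresses reach the peer.
nat (inside) 0 access-list vpn_traffic
! Let IPSec-protected traffic bypass the interface access-lists. Unprotected
! inbound traffic that matches the crypto list is still dropped (question 7).
sysopt connection permit-ipsec
! Transform set = security protocol plus algorithms (question 143).
crypto ipsec transform-set strong esp-3des esp-sha-hmac
! Crypto map; with several transform sets, the first one common to both peers
! is negotiated (question 153).
crypto map peer_map 10 ipsec-isakmp
crypto map peer_map 10 match address vpn_traffic
crypto map peer_map 10 set peer 203.0.113.1
crypto map peer_map 10 set transform-set strong
crypto map peer_map interface outside
! IKE: without a CA, the IKE (ISAKMP) policy with a pre-shared key is configured
! first (question 121). Replace the placeholder key before use.
isakmp enable outside
isakmp key PLACEHOLDER-KEY address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Security associations are only built when traffic matches the crypto access-list and they expire with their lifetime, so "show crypto ipsec sa" on an idle tunnel shows nothing until interesting traffic appears again (question 148).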
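Questions 11, 12, 57, 120, 122, 123, 145, 149, 157, 164 and 165 cover CBAC, PAM and the authentication proxy on the Cisco IOS Firewall. The following IOS configuration is an added example written for this page, not from the exam document or from Cisco. Interface names, addresses, the inspection rule name FW, the auth-proxy name WEB_AUTH, the TACACS+ server address and its placeholder key are illustrative assumptions.

```text
! Cisco IOS Firewall: CBAC with PAM and authentication proxy (added example).
! Ethernet0 faces the Internet; Ethernet1 faces the inside network 10.1.1.0/24.
!
! DoS thresholds (question 12): half-open sessions per minute, total half-open
! TCP or UDP sessions, and half-open TCP sessions per host. A TCP session is
! half-open until its three-way handshake completes, a UDP session until return
! traffic is seen (questions 57 and 145).
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect tcp max-incomplete host 50 block-time 0
! PAM: a user-defined entry so CBAC inspects HTTP on a non-standard port
! (questions 120, 122, 165). "no ip port-map http port 81" removes it again.
ip port-map http port 81
! Inspection rule listing the protocols CBAC understands (question 164).
ip inspect name FW ftp
ip inspect name FW smtp
ip inspect name FW tftp
ip inspect name FW http
ip inspect name FW tcp
ip inspect name FW udp
! Authentication proxy for HTTP, backed by TACACS+ (question 11).
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.60 key PLACEHOLDER-KEY
ip http server
ip http authentication aaa
ip auth-proxy name WEB_AUTH http
! Outside interface: the inbound list blocks everything; CBAC inserts the temporary
! entries for return traffic at the top of this list (question 149).
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 ip inspect FW out
! Inside interface: the outbound list selects what CBAC inspects (question 123),
! and the authentication proxy intercepts HTTP from inside users.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
interface Ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip access-group 102 in
 ip auth-proxy WEB_AUTH
```

"show ip inspect sessions" lists the CBAC state table, and "clear ip auth-proxy cache *" removes every authentication proxy entry (question 157).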

Posted: 24/01/2014, 10:20
