1. Which two statements are true regarding classic Cisco IOS Firewall configurations? (Choose two.)

　　A. You can apply the IP inspection rule in the inbound direction on the trusted interface.

　　B. You can apply the IP inspection rule in the outbound direction on the untrusted interface.

　　C. For temporary openings to be created dynamically by Cisco IOS Firewall, the access list for the returning

　　traffic must be a standard ACL.

　　D. For temporary openings to be created dynamically by Cisco IOS Firewall, you must apply the IP inspection

　　rule to the trusted interface.

　　E. For temporary openings to be created dynamically by Cisco IOS Firewall, the inbound access list on the trusted

　　interface must be an extended ACL.

　　Answer: AB

　　2. Refer to the exhibit. Why is the Cisco IOS Firewall authentication proxy not working?

　　A. The aaa authentication auth-proxy default group tacacs+ command is missing in the configuration.

　　B. The router local username and password database is not configured.

　　C. Cisco IOS authentication proxy only supports RADIUS and not TACACS+.

　　TestInside 642-503

　　D. HTTP server and AAA authentication for the HTTP server is not enabled.

　　E. The AAA method lists used for authentication proxy should be named "pxy" rather than "default" to match the

　　authentication proxy rule name.

　　Answer: D

　　3. Refer to the exhibit. What additional configuration is required for the Cisco IOS Firewall to reset the TCP

　　connection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP?

　　A. class-map configuration for matching peer-to-peer, tunneling, and instant messaging traffic over HTTP, and a

　　policy map specifying the reset action

　　B. the port-misuse default action reset alarm command in the HTTP application firewall policy configuration

　　C. the PAM configuration for mapping the peer-to-peer, tunneling, and instant messaging TCP ports to the HTTP

　　application

　　D. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall tunnel commands

　　E. the service default action reset command in the HTTP application firewall policy configuration

　　Answer: B

　　TestInside 642-503

　　4. Refer to the exhibit. Why is the Total Active Signatures count zero?

　　A. The 128MB.sdf file in flash is corrupted.

　　B. IPS is in fail-open mode.

　　C. IPS is in fail-closed mode.

　　D. IPS has not been enabled on an interface yet.

　　E. The flash:/128MB.sdf needs to be merged with the built-in signatures first.

　　Answer: D

　　5. Which three configurations are required to enable the Cisco IOS Firewall to inspect a user-defined application

　　which uses TCP ports 8000 and 8001? (Choose three.)

　　A. access-list 101 permit tcp any any eq 8000

　　access-list 101 permit tcp any any eq 8001

　　class-map user-10

　　match access-group 101

　　B. policy-map user-10

　　TestInside 642-503

　　class user-10

　　inspect

　　C. ip port-map user-10 port tcp 8000 8001 description "TEST PROTOCOL"

　　D. ip inspect name test appfw user-10

　　E. ip inspect name test user-10

　　F. int {type|number}

　　ip inpsect name test in

　　Answer: CEF

　　6. What are two benefits of using an IPsec GRE tunnel? (Choose two.)

　　A. It allows dynamic routing protocol to run over the tunnel interface.

　　B. It has less overhead than running IPsec in tunnel mode.

　　C. It allows IP multicast traffic.

　　D. It requires a more restrictive crypto ACL to provide finer security control.

　　E. It supports the use of dynamic crypto maps to reduce configuration complexity.

　　Answer: AC

　　7. Refer to the DMVPN topology diagram in the exhibit. Which two statements are correct? (Choose two.)

　　A. The hub router needs to have EIGRP split horizon disabled.

　　TestInside 642-503

　　B. At the Spoke A router, the next hop to reach the 192.168.2.0/24 network is 10.0.0.1.

　　C. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query to the hub to

　　resolve the remote spoke router physical interface IP address.

　　D. At the Spoke B router, the next hop to reach the 192.168.1.0/24 network is 172.17.0.1.

　　E. The spoke routers act as the NHRP servers for resolving the remote spoke physical interface IP address.

　　F. At the Spoke A router, the next hop to reach the 192.168.0.0/24 network is 172.17.0.1.

　　Answer: AC

　　8. Referring to a DMVPN hub router tunnel interface configuration, what can happen if the ip nhrp map multicast

　　dynamic command is missing on the tunnel interface?

　　A. The NHRP request and response between the spoke router and hub router will fail.

　　B. The GRE tunnel between the hub router and the spoke router will be down.

　　C. The IPsec peering between the hub router and the spoke router will fail.

　　D. The dynamic routing protocol between the hub router and the spoke router will fail.

　　E. The NHRP mappings at the spoke routers will be incorrect.

　　F. The NHRP mappings at the hub router will be incorrect.

　　Answer: D

　　9. Which three of these statements are correct regarding DMVPN configuration? (Choose three.)

　　A. If running EIGRP over DMVPN, the hub router tunnel interface must have "next hop self" enabled: ip

　　next-hop-self eigrp AS-Number

　　B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip

　　split-horizon eigrp AS-Number

　　C. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address

　　D. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address

　　hub-physical-ip-address

　　E. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point

　　F. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name

　　Answer: BDF

　　10. When you configure Cisco IOS WebVPN, you can use the port-forward command to enable which function?

　　TestInside 642-503

　　A. web-enabled applications

　　B. Cisco Secure Desktop

　　C. full-tunnel client

　　D. thin client

　　E. CIFS

　　F. OWA

　　Answer: D

　　11. Refer to the exhibit. What additional configuration is required to enable split tunneling?

　　A. the reverse-route command under "crypto dynamic-map mode 1"

　　TestInside 642-503

　　B. the include-local-lan under "crypto dynamic-map mode 1"

　　C. the match address 199 command under "crypto dynamic-map mode 1"

　　D. the acl 199 command under "crypto isakmp client configuration group cisco"

　　E. the include-local-lan command under "crypto isakmp client configuration group cisco"

　　F. the reverse-route command under "crypto isakmp client configuration group cisco"

　　Answer: D

　　12. Refer to the exhibit. Which two statements are true about the configurations shown? (Choose two.)

　　A. The clickable links will have a heading entitled "MYLINKS".

　　B. The home page will have three clickable links on it.

　　C. ACS will be used for remote-user authentication by default.

　　D. This is an example of a clientless configuration.

　　E. Thin client (port forwarding) has been enabled using the url-text command.

　　Answer: BD

　　TestInside 642-503

　　13. Which two commands are used to only allow SSH traffic to the router Eth0 interface and deny other

　　management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)

　　A. interface eth0

　　B. control-plane host

　　C. policy-map type port-filter policy-name

　　D. service-policy type port-filter input policy-name

　　E. management-interface eth0 allow ssh

　　F. line vty 0 5

　　transport input ssh

　　Answer: BE

　　14. Refer to the exhibit. Which optional AAA or RADIUS configuration command is used to support 802.1x guest

　　VLAN functionality?

　　A. aaa authentication dot1x default group radius

　　B. aaa authorization network default group radius

　　TestInside 642-503

　　C. aaa accounting dot1x default start-stop group radius

　　D. aaa accounting system default start-stop group radius

　　E. radius-server host 10.1.1.1 auth-port 1812 acct-port 1813

　　Answer: B

　　15. When configuring FPM, what should be the next step after the PHDFs have been loaded?

　　A. Define a stack of protocol headers.

　　B. Define a traffic policy.

　　C. Define a service policy.

　　D. Define a class map of type "access-control" for classifying packets.

　　E. Reload the router.

　　F. Save the PHDFs to startup-config.

　　Answer: A

　　16. Refer to the exhibit. What traffic will be matched to the "qt-class" traffic class?

　　TestInside 642-503

　　A. all traffic matched by the "host-protocols" named access list

　　B. all traffic matched by the "host-protocols" nested class map

　　C. all TCP and UDP protocol ports open on the router not specifically matched

　　D. all traffic other than SNMP and Telnet to the router

　　E. all other traffic arriving at the interface where the "qt-policy" policy map is applied

　　Answer: C

　　17. When configuring ACS 4.0 Network Access Profiles (NAPs), which three things can be used to determine

　　how an access request is classified and mapped to a profile? (Choose three.)

　　A. Network Access Filters (NAFs)

　　B. RADIUS Authorization Components (RACs)

　　C. the authentication method

　　D. the protocol types

　　E. advance filtering

　　F. RADIUS VSAs

　　Answer: ADE

　　18. Cisco Easy VPN Server pushes parameters such as the client internal IP address, DHCP server IP address, and

　　WINS server IP address to the Cisco Easy VPN Remote client during which of these phases?

　　A. IKE Phase 1 first message exchange

　　B. IKE Phase 2 last message exchange

　　C. IKE mode configuration

　　D. IKE XAUTH

　　E. IKE quick mode

　　Answer: C

　　19. Which of these statements is correct regarding user setup on ACS 4.0?

　　A. In the case of conflicting settings, the settings at the group level override the settings configured at the user

　　level.

　　B. A user can belong to more than one group.

　　C. The username can contain characters such as "#" and "?".

　　TestInside 642-503

　　D. By default, users are assigned to the default group.

　　E. The ACS PAP password cannot be used as the CHAP password also.

　　Answer: D

　　20. Refer to the exhibit. When you configure DHCP snooping, which ports should be configured as trusted ?

　　A. port A only

　　B. port E only

　　C. ports B and C

　　D. ports A, B, and C

　　E. ports B, C, and E

　　F. ports A, B, C, and E

　　Answer: D

　　21. When you implement IBNS (802.1x authentication), what is defined using the Tunnel-Private-Group-ID (81)

　　RADIUS attribute?

　　TestInside 642-503

　　A. the EAP type

　　B. the shared secret key

　　C. the ACL name

　　D. the VLAN name

　　E. the NAP

　　F. the NAF

　　Answer: D

　　22. Refer to the partial classic Cisco IOS Firewall configuration shown in the exhibit. Which three are the correct

　　missing configuration commands? (Choose three.)

　　A. 1=ip inspect myfw in

　　B. 1=ip access-group 51 in

　　C. 2=ip access-group 101 in

　　D. 2=ip inspect myfw out

　　TestInside 642-503

　　E. 3=ip access-group 111 in

　　F. 3=ip inspect myfw in

　　Answer: ACE

　　23. Refer to the exhibit. Given that the fa0/1 interface is the trusted interface, what could be a reason for users on

　　the trusted inside networks not to be able to successfully establish outbound HTTP connections?

　　A. The outgoing ACL on the fa0/1 interface is not set.

　　B. The FWRULE inspection policy is not inspecting HTTP traffic.

　　C. ACL 104 is denying the outbound HTTP traffic.

　　D. The outgoing inspection rule on the fa0/1 interface is not set.

　　E. ACL 104 is denying the return HTTP traffic.

　　F. The FWRULE inspection policy is not configured correctly.

　　Answer: C

　　24. Cisco IOS Zone-Based Firewall uses which of these to identify a service or application from traffic flowing

　　through the firewall?

　　A. NBAR

　　B. extended access list

　　C. PAM table

　　D. deep packet inspection

　　TestInside 642-503

　　E. application layer inspection

　　F. CEF table

　　Answer: C

　　25. Refer to the exhibit. Why is auth-proxy not working?

　　A. The AAA authentication method-list is not configured.

　　B. HTTPS is not enabled on the router.

　　C. The local username and password database is not configured.

　　D. The aaa authorization command is not correct.

　　E. The ip auth-proxy HQU interface configuration command is missing the in direction option.

　　F. AAA accounting is not enabled.

　　Answer: D

　　26. Refer to the exhibit. Which two configuration commands are used to apply an inspect policy map for traffic

　　traversing from the E0 or E1 interface to the S3 interface? (Choose two.)

　　TestInside 642-503

　　A. zone-pair security test source Z1 destination Z2

　　B. interface E0

　　C. policy-map myfwpolicy

　　class class-default

　　inspect

　　D. ip inspect myfwpolicy out

　　E. ip inspect myfwpolicy in

　　F. service-policy type inspect myfwpolicy

　　Answer: AF

　　27. Refer to the exhibit. What will result from this zone-based firewall configuration?

　　A. All traffic from the private zone to the public zone will be dropped.

　　B. All traffic from the private zone to the public zone will be permitted but not inspected.

　　C. All traffic from the private zone to the public zone will be permitted and inspected.

　　TestInside 642-503

　　D. All traffic from the public zone to the private zone will be permitted but not inspected.

　　E. Only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected.

　　F. Only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected.

　　Answer: A

　　28. What does this command do?

　　router(config)# ip port-map user-1 port tcp 4001

　　A. enables application firewall inspection on a user-defined application that is mapped to TCP port 4001

　　B. enables NBAR to recognize a user-defined application on TCP port 4001

　　C. enables the Cisco IOS Firewall to inspect TCP port 4001 as part of the ip inspect name xxx TCP inspection rule

　　D. defines a user application in the PAM table where the user-defined application is called "user-1" and that

　　application is mapped to TCP port 4001

　　Answer: D

　　29. Refer to the exhibit. Which two statements are correct? (Choose two.)

　　A. Cisco IOS IPS will fail-open.

　　B. The basic signatures (previously known as 128MB.sdf) will be used if the built-in signatures fail to load.

　　C. The built-in signatures will be used.

　　D. SDEE alert messages will be enabled.

　　E. syslog alert messages will be enabled.

　　Answer: AC

　　30. When verifying Cisco IOS IPS operations, when should you expect Cisco IOS IPS to start loading the

　　signatures?

　　A. immediately after you configure the ip ips sdf location flash:filename command

　　B. immediately after you configure the ip ips sdf builtin command

　　TestInside 642-503

　　C. after you configure a Cisco IOS IPS rule in the global configuration

　　D. after traffic reaches the interface with Cisco IOS IPS enabled

　　E. when the first Cisco IOS IPS rule is enabled on an interface

　　F. when the SMEs are put into active state using the ip ips name rule-name command

　　Answer: E

　　31. What are the three authentication methods that you can use during IKE Phase 1? (Choose three.)

　　A. AAA or Local Authentication

　　B. Kerberos

　　C. pre-shared key

　　D. RSA signature

　　E. RSA encrypted nonce

　　F. DH

　　Answer: CDE

　　32. Refer to the exhibit. What can you determine about the configuration?

　　A. The authentication method used between the IPsec peers is pre-shared key.

　　B. ESP tunnel mode will be used.

　　C. This is a dynamic crypto map.

　　D. Traffic matched by ACL 101 will not be encrypted.

　　E. 3DES encryption will be used.

　　F. HMAC-MD5 authentication will be used.

　　Answer: B

　　TestInside 642-503

　　33. When you configure a site-to-site IPsec VPN tunnel, which configuration must be the exact reverse (mirror

　　image) of the other IPsec peer?

　　A. IPsec transform set

　　B. ISAKMP policy

　　C. crypto ACL

　　D. pre-shared key

　　E. crypto map

　　F. static route

　　Answer: C

　　34. Which Cisco IOS command will trigger the router to request certificates from the CA for the router RSA key

　　pair?

　　A. crypto pki authenticate CA-Name

　　B. enrollment url http://CA-Name:80

　　C. crypto pki trustpoint CA-Name

　　D. crypto key generate rsa

　　E. crypto key zeroize rsa

　　F. crypto pki enroll CA-Name

　　Answer: F

　　35. When troubleshooting site-to-site IPsec VPN on Cisco routers, you see this console message:

　　%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or

　　changed

　　Which configuration should you verify?

　　A. the crypto ACL

　　B. the crypto map

　　C. the IPsec transform set

　　D. the ISAKMP policies

　　E. the pre-shared key

　　F. the DH group

　　Answer: D

　　TestInside 642-503

　　36. Refer to the exhibits. Why is the IPsec site-to-site VPN between Router A and Router B not working?

　　A. The crypto ACLs of the two routers do not match.

　　B. Neither router has a route in its routing table to reach the other protected subnet.

　　C. The IPsec SA lifetime has not been configured.

　　D. The crypto maps default to transport mode, need to specify tunnel mode in the crypto maps.

　　E. The crypto maps are missing the authentication method configuration.

　　F. The crypto ACLs are not permitting the routing protocol traffic between Router A and Router B.

　　Answer: B

　　37. When you implement Cisco IOS WebVPN on a Cisco router using a self-signed certificate, you notice that the

　　router is not generating a self-signed certificate. What should you check to troubleshoot this issue?

　　A. Verify the ip http secure-server configuration.

　　B. Verify the ip http server configuration.

　　C. Verify that the WebVPN gateway is inservice.

　　D. Verify the AAA authentication configuration.

　　TestInside 642-503

　　E. Verify the WebVPN group policy configuration.

　　F. Verify the WebVPN context configuration.

　　Answer: C

　　38. ACS administrators use which TCP port to access the Cisco ACS web interface?

　　A. 22

　　B. 80

　　C. 127

　　D. 443

　　E. 2002

　　F. 8080

　　Answer: E

　　39. When you implement 802.1x authentication on the ACS, which two configurations are performed under the

　　ACS System Configuration? (Choose two.)

　　A. Users

　　B. Groups

　　C. Global Authentication Setup

　　D. RACs

　　E. Logging

　　F. NAPs

　　Answer: CE

　　40. If you enable all the authentication protocols under the Global Authentication Setup in Cisco ACS, how can

　　you select a specific EAP type to use for 802.1x authentication?

　　A. When you configure the RAC, you can specify the particular EAP type to use.

　　B. When you configure the NAP authentication policy, you can specify the particular EAP type to use.

　　C. When you configure the NAF, you can specify the particular EAP type to use.

　　D. When you configure the NAP authorization policy, you can specify the particular EAP type to use.

　　E. When you configure the user, you can specify the particular EAP type to use.

　　F. When you configure the user group, you can specify the particular EAP type to use.

　　TestInside 642-503

　　Answer: B

　　41. When you add NADs as AAA clients in the ACS, which three parameters are configured for each AAA client?

　　(Choose three.)

　　A. the NAD IP address

　　B. the AAA server IP address

　　C. the EAP type

　　D. the shared secret key

　　E. the AAA protocol to use for communications with the NADs

　　F. the UDP ports to use for communications with the NADs

　　Answer: ADE

　　42. When you implement 802.1x authentication, the RACs configured under the Shared Profile Components in the

　　ACS are referenced by which other ACS component?

　　A. user setup

　　B. group setup

　　C. the authorization policy of the NAP

　　D. the authentication policy of the NAP

　　E. the posture-validation policy of the NAP

　　F. the NDG

　　Answer: C

　　43. When you enter the switch(config)#aaa authentication dot1x default group radius command on a Cisco

　　Catalyst switch, the Cisco IOS parser returns with the "invalid input detected" error message. What can be the

　　cause of this error?

　　A. You must use the dot1x system-auth-control command first to globally enable 802.1x.

　　B. You must define the RADIUS server IP address first, using the switch(config)# radius-server host ip-address

　　command.

　　C. You must enter the aaa new-model command first.

　　D. The method-list name is missing in the command.

　　E. The local option is missing in the command.

　　TestInside 642-503

　　Answer: C

　　44. The PHDF stored in the router flash memory is required for which of these applications to function?

　　A. NBAR

　　B. CPPr

　　C. FPM

　　D. PAM

　　E. CoPP

　　F. Zone-Based Firewall

　　Answer: C

　　45. Match the Cisco IOS IPS component or feature on the left to its proper description on the right.

　　46. Match the correct debug command (on the left) used to troubleshoot the WebVPN function (on the right).

　　47. Match the ACS 4.0 component on the left to the correct function on the right.

　　TestInside 642-503

　　48. Match the IBNS (802.1x authentication) feature on the left to its proper description on the right. Not all

　　features are used (distracters).

　　49. Match the Cisco IOS Firewall feature on the left to its proper function on the right. Not all features are used

　　(distracters).