1. Refer to the exhibit.
The network administrator for this small site has chosen to authenticate HTTP cut-through proxy traffic via a local
database on the Cisco PIX Security Appliance. Which command strings should the administrator enter to
accomplish this?
A. pix1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6
pix1(config)# access-list 150 permit tcp any host 172.16.16.6 eq www
pix1(config)# aaa authentication match 150 outside LOCAL
B. pix1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6
pix1(config)# access-list 150 permit tcp any host 192.168.16.6 eq www
pix1(config)# aaa authentication match 150 outside pix1
C. pix1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6
pix1(config)# access-list 150 permit tcp any host 172.16.16.6 eq www
pix1(config)# aaa authentication match 150 outside pix1
D. pix1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6
pix1(config)# access-list 150 permit tcp any host 192.168.16.6 eq www
pix1(config)# aaa authentication match 150 outside LOCAL
Answer:D
2. Refer to the exhibit.
An administrator wants a user on the inside network to access two sites on the Internet and present two different
source IP addresses. When the user is accessing Company A web servers, the source IP address is translated to
192.168.0.9. When the user is accessing Company B web servers, the source address is translated to 192.168.0.21.
Which of these can the security appliance administrator configure to accomplish this application?
TestInside 642-522
A. inside NAT
B. identity NAT
C. static
D. policy NAT
Answer:D
3. Refer to the exhibit.
An administrator wants to permanently map host addresses on the DMZ subnet to the same host addresses, but a
different subnet, on the outside interface. Which command should the administrator use to accomplish this?
A. NAT (dmz) 0 172.16.1.0 netmask 255.255.255.0
B. access-list server_map permit tcp any 192.168.10.0 255.255.255.0
Nat (outside) 10 access-list server_map
Global (dmz) 10 172.16.1.9-10 netmask 255.255.255.0
C. static (dmz,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0
D. NAT (dmz) 1 172.16.1.0 netmask 255.255.255.0
Global (outside) 1 192.168.10.9-10 netmask 255.255.255.0
Answer:C
4. An administrator is defining a modular policy. As part of the policy, the administrator wants to define a traffic
flow between Internet hosts and a specific web server on the DMZ. Which commands should the administrator
use?
A. class-map http_traffic
match port tcp eq www
B. class-map http_traffic
match flow ip destination address 192.168.1.11
C. class-map http_traffic
match set 192.168.1.11
D. access-list 150 permit tcp any host 192.168.1.11 eq www
class-map http_traffic
match access-list 150
Answer:D
5. When an outside FTP client accesses a corporation's DMZ FTP server through a security appliance, the
administrator wants the security appliance to restrict the FTP commands that can be performed by the client. Which
security appliance commands enable the administrator to restrict the FTP client to performing a specific set of FTP
commands?
A. ftp-map inbound_ftp
request-cmd deny appe dele rmd
B. ftp-map inbound_ftp
request-cmd permit get put cdup
C. policy-map inbound
class inbound_ftp_traffic
inspect ftp strict get put cdup
D. policy-map inbound
class inbound_ftp_traffic
inspect ftp strict appe dele rmd
Answer:A
6. Refer to the exhibit.
Users on the DMZ are complaining that they cannot gain access to the insidehost via HTTP. What did the network
administrator determine after reviewing the network diagram and partial configuration?
A. The static (inside,dmz) command is not configured correctly.
B. The global (dmz) command is not configured correctly.
C. The nat (dmz) command is missing.
D. The dmzin access list is not configured correctly.
Answer:D
7. Which is a method of identifying the traffic requiring authorization on the security appliance?
A. implicitly enabling TACACS+ authorization rules in the response packet
B. specifying ACLs that authorization rules must match
C. independently interpreting authorization rules before authentication has occurred to decrease overall AAA
processing time
D. checking the authentication rules for a match thus allowing the traffic to be authorized
Answer:B
8. What is displayed as a result of entering the command syntax show aaa-server group1 host 192.168.30.60 in the
security appliance?
A. aaa-server configuration for a particular host in server group group1
B. aaa-server statistics for a particular host in server group group1
C. aaa-server configuration for server group group1
D. aaa-server statistics for the host group1 at IP address 192.168.30.60
Answer:B
9. Refer to the exhibit.
Given the configuration, what traffic will be logged to the AAA server?
A. All connection information will be logged in the accounting database.
B. All outbound connection information will be logged in the accounting database.
C. Only the authenticated console connection information will be logged in the accounting database.
D. This is not a valid configuration because TACACS+ connection information cannot be captured and logged.
Answer:B
10. During failover, which security appliance attribute does not change?
A. failover unit status-active and standby
B. active and standby interfaces-IP address
C. failover unit type-primary and secondary
D. active and standby interfaces-MAC address
Answer:C
11. Refer to the exhibit.
This security appliance is configured for what two types of failover? (Choose two.)
A. unit-based failover
B. LAN cable-based failover
C. stateful failover
D. Active/Standby failover
E. Active/Active failover
F. Context/Group failover
Answer:BE
12. The ASDM client is supported on which PC operating systems? Choose the best answer.
A. Windows, Macintosh, and Linux
B. Windows and Sun Solaris
C. Windows, Linux, and Sun Solaris
D. Windows and Linux
Answer:C
13. Refer to the exhibit.
An administrator is configuring the failover link on the secondary unit, pix2, and needs to configure the IP
addresses of the failover link. At pix2, which of these additional commands should be entered?
A. pix2(config)# failover lan ip 172.17.2.1 255.255.255.0 standby 172.17.2.7
B. pix2(config)# failover link 172.17.2.7 255.255.255.0 standby 172.17.2.1
C. pix2(config)# failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
D. pix2(config)# interface ethernet3
pix2(config-if)# failover ip address 172.17.2.7 255.255.255.0 standby 172.17.2.1
Answer:C
14. The inline IPS software feature set is available in which security appliances?
A. any Cisco PIX and ASA Security Appliance running v.7 software and an AIP-SSM module
B. only Cisco PIX 515, 525, and 535 Security Appliances with an AIP-SSM module
C. only Cisco ASA 5520 and 5540 Security Appliances with an AIP-SSM module
D. any Cisco ASA 5510, 5520, or 5540 Security Appliance with an AIP-SSM module
Answer:D
15. Refer to the exhibit.
When accessing the IPS icon in ASDM, the administrator is presented with a "Connecting to IPS" popup window.
In the window, the management IP address A.B.C.D is displayed where A.B.C.D is an actual IP address.
What is IPS management "connecting to" which has an IP address of A.B.C.D?
A. the AIP-SSM IPS control channel IP address
B. the AIP-SSM IPS data channel IP address
C. the AIP-SSM external interface IP address
D. the AIP-SSM HTTP server virtual address
Answer:C
16. In the network diagram, which two methods enable a PC on the partnernet to connect to a server on DMZ1 and
deny the partnernet PC access to DMZ2 and the inside network? (Choose two.)
A. Apply a static command and ACL to the partnernet interface.
B. Apply a static command and ACL to the DMZ1 interface.
C. Apply a static command and a policy NAT.
D. Raise the security level of the partnernet interface to 70.
E. Raise the security level of the partnernet interface to 55.
Answer:AE
17. By default, the AIP-SSM IPS software is accessible from the management port at IP address 10.1.9.201/24.
Which CLI command should an administrator use to change the default AIP-SSM management port IP address?
A. hw module 1 setup
B. interface
C. setup
D. hw module 1 recover
Answer:C
18. Refer to the exhibit.
An administrator wants to add a comment about access-list aclin line 2. What command should the administrator
enter to accomplish this addition?
A. pix1(config)# access-list aclin line 1 remark partner server http access
B. pix1(config)# access-list aclin line 2 remark partner server http access
C. pix1(config)# access-list aclin line 1 comment partner server http access
D. pix1(config)# access-list aclin line 2 comment partner server http access
Answer:B
19. What is the effect of the per-user-override option when applied to the access-group command syntax?
A. It increases security by building upon the existing access list applied to the interface. All subsequent users are
also subject to the additional access list entries.
B. The log option in the per-user access list overrides existing interface log options.
C. It allows downloadable user access lists to override the access list applied to the interface.
D. It allows for extended authentication on a per-user basis.
Answer:C
20. Refer to the exhibit.
In the network diagram there are four servers on the DMZ: two web servers and two FTP servers. According to the
group configuration in the ny_acs server, when a remote user accesses the security appliance and is authenticated,
the user is authorized to perform which two actions? (Choose two.)
A. access any server on the DMZ
B. access any FTP server
C. access FTP1 server only
D. utilize FTP and HTTP protocol to attach to the server
E. utilize HTTP protocol only to attach to the server
F. utilize FTP protocol only to attach to the server
Answer:CF
21. Refer to the show run output in the exhibit.
Which access-list configuration using the object-groups shown will only permit HTTP and HTTPS traffic from
any host on 10.1.1.0/24 to any host on 192.168.1.0/24?
A. access-list aclin extended permit tcp object-group test2 object-group test1 object-group test3
B. access-list aclin extended permit tcp object-group test1 object-group test2 object-group test3
C. access-list aclin extended permit tcp object-group test1 object-group test3 object-group test2
D. access-list aclin extended permit ip object-group test1 object-group test2
Answer:B
22. An administrator wants to protect a DMZ web server from SYN flood attacks. Which command does not
allow the administrator to place limits on the number of embryonic connections?
A. nat
B. static
C. set connection
D. HTTP-map
Answer:D
23. Refer to the exhibit.
An administrator is troubleshooting a security appliance connectivity issue using ASDM. The problem is that a
new partner is trying to access the order entry server on dmz1_host from a PC on the outside network. The
administrator is able to access the host successfully from the outside. After successfully troubleshooting the
problem, the administrator determines that the partner is trying to access the server on the wrong IP address.
From the information present on the ASDM screens, what address should the partner use to connect to
dmz1_host?
A. 172.16.1.17
B. 172.16.1.10
C. 192.168.1.9
D. 192.168.1.4
Answer:D
24. Refer to the exhibit.
An administrator has configured the first four data ports on a Cisco ASA 5540 Security Appliance. The technician
attaches the next data cable to PortA.
When configuring this interface, what physical type, slot, and port number should the administrator add to the
configuration?
A. GigabitEthernet0/0
B. GigabitEthernet0/5
C. GigabitEthernet0/4
D. Management0/0
Answer:D
25. Refer to the exhibit.
You are an administrator who is inundated with unwanted syslog messages. You want to stay at your current
syslog message level but block selected unwanted syslog messages from filling your syslog.
What command should you use to block specific unwanted message number 710005?
A. logging message deny 710005
B. no logging debug 710005
C. logging trap deny 710005
D. no logging message 710005
Answer:D
26. Which of these statements regarding Active/Active failover configurations is correct?
A. Use the failover active command to enable Active/Active failover on the Cisco ASA Security Appliance.
B. Allocate interfaces to a failover group using the failover group sub-command mode.
C. Configure two failover groups: group 1 and group 2.
D. Configure failover interface parameters in the "admin" context.
Answer:C
27. Why does the PIX security appliance record information about a packet in its stateful session flow table?
A. to build the reverse path forwarding (RPF) table to prevent spoofed source IP addresses
B. to establish a proxy session by relaying the application layer requests and responses between two endpoints
C. to compare against return packets for determining whether the packet should be allowed through the firewall
D. to track outbound UDP connections
Answer:C
28. If you want IP addresses of hosts on your DMZ and inside network translated when they make connections to
hosts on the outside interface of the security appliance, what is the minimum NAT configuration you can enter?
A. 1 NAT statement and 1 global statement
B. 1 NAT statement and 2 global statements
C. 2 NAT statements and 1 global statement
D. 2 NAT statements and 2 global statements
Answer:C
29. If the FTP protocol inspection is not enabled for a given port, which two statements are true? (Choose two.)
A. Outbound standard FTP will work properly on that port.
B. Outbound passive FTP will not work properly on that port.
C. Outbound standard FTP will not work properly on that port.
D. Inbound standard FTP will not work properly on that port even if the traffic to the inside server is permitted by
an access element.
E. Outbound passive FTP will work properly on that port as long as outbound traffic is not explicitly disallowed.
Answer:CE
30. You have configured the security appliance and an AAA server for authentication. Why do Telnet and FTP
authentication work normally while HTTP authentication does not?
A. The AAA server is not properly configured to accept HTTP authentication requests.
B. You have not enabled HTTP authorization, which is required for HTTP authentication.
C. You must specify HTTPS authentication in your configuration.
D. HTTP reauthentication may be taking place with the web browser sending the cached username and password
back to the security appliance.
Answer:D
31. What is the result if the WebVPN url-entry parameter is disabled?
A. The end user is unable to access any CIFS shares or URLs.
B. The end user is able to access CIFS shares but not URLs.
C. The end user is unable to access pre-defined URLs.
D. The end user is able to access pre-defined URLs.
Answer:D
32. What is the purpose of the url-list command in global configuration mode?
A. Allow end users access to URLs.
B. Allow end users access to CIFS shares and URLs.
C. Stop the end user from accessing pre-defined URLs.
D. Configure a set of URLs for WebVPN users to access.
E. List URLs that the end user cannot access.
Answer:D
33. Which type of access list supports filtering for WebVPN?
A. extended
B. standard
C. ethertype
D. webtype
Answer:D
34. How is NAT configured in transparent firewall mode?
A. NAT must be configured on all interfaces.
B. NAT must be configured on all outbound traffic flows.
C. NAT must be configured on all inbound traffic flows.
D. NAT is not configured in transparent firewall mode.
Answer:D
35. Which feature prevents ARP spoofing?
A. ARP fixup
B. ARP inspection
C. MAC fixup
D. MAC inspection
Answer:B
36. Which of these identifies basic settings for the security appliance, including a list of contexts?
A. primary configuration
B. network configuration
C. system configuration
D. admin configuration
Answer:C
37. Which two of these are valid types of object groups? (Choose two.)
A. ping
B. service
C. protocol
D. port
E. TCP
Answer:BC
38. What is the minimal number of physical interfaces required for all security appliance platforms to support
VLANs?
A. one
B. two
C. three
D. four
Answer:B
39. How do you ensure that the main interface does not pass untagged traffic when using subinterfaces?
A. Use the shutdown command on the main interface.
B. Omit the nameif command on the subinterface.
C. Use the vlan command on the main interface.
D. Omit the nameif command on the main interface.
E. Use the shutdown and then use the nameif command on the main interface.
Answer:D
40. What are the two purposes of the network area subcommand? (Choose two.)
A. It defines the interfaces on which OSPF runs.
B. It defines the interfaces on which RIP runs.
C. It defines the OSPF area the interface belongs to.
D. It separates the public area from the private area.
E. It defines the OSPF area type.
Answer:AC
41. What are two instances when sparse-mode PIM is most useful? (Choose two.)
A. when there are few receivers in a group
B. when there are many receivers in a group
C. when the type of traffic is intermittent
D. when the type of traffic is constant
E. when the traffic is not ethertype
F. when the traffic is ethertype
Answer:AC
42. What is one purpose of a tunnel group?
A. to group similar IPSec users
B. to group similar IPSec networks
C. to group similar IPSec protocols
D. to identify AAA servers
Answer:D
43. What is the purpose of the nat 0 command when used in conjunction with IPSec?
A. It instructs the security appliance not to use Network Address Translation for any traffic deemed interesting
traffic for IPSec.
B. It instructs the security appliance to use Network Address Translation for any traffic deemed interesting traffic
for IPSec.
C. It disables Network Address Translation control on the security appliance.
D. It enables Network Address Translation Traversal for any traffic deemed interesting for IPSec.
Answer:A
44. How many unique transforms can a single transform set contain?
A. one
B. two
C. three
D. four
Answer:B
45. On which device can Dead Peer Detection be configured when it is used for IPSec remote access?
A. the remote device
B. the headend device
C. both the headend and remote devices
D. Dead Peer Detection should not be used in IPSec remote access applications
Answer:C
46. What are the two purposes of the same-security-traffic permit intra-interface command? (Choose two.)
A. It allows all of the VPN spokes in a hub-and-spoke configuration to be terminated on a single interface.
B. It allows communication between different interfaces that have the same security level.
C. It permits communication in and out of the same interface when the traffic is IPSec protected.
D. It enables Dynamic Multipoint VPN.
Answer:AC
47. What is the purpose of the same-security-traffic permit inter-interface command?
A. It allows all of the VPN spokes in a hub-and-spoke configuration to be terminated on a single interface.
B. It allows communication between different interfaces that have the same security level.
C. It permits communication in and out of the same interface when the traffic is IPSec protected.
D. It enables Dynamic Multipoint VPN.
Answer:B
48. What type of tunneling should be used on the VPN Client to allow IPSec traffic through a stateful firewall that
may be performing NAT or PAT?
A. GRE/IPSec
B. IPSec over TCP
C. IPSec over UDP
D. split tunneling
E. L2TP
Answer:B
49. What privilege level is the highest on the security appliance?
A. 1
B. 5
C. 10
D. 15
E. 20
Answer:D
50. In the Cisco ASA 5500 series, what is the flash keyword aliased to?
A. Disk0
B. Disk1
C. both Disk0 and Disk1
D. Flash0
E. Flash1
Answer:A