1. Which of these commands enables the DHCP server on the DMZ interface of the Cisco ASA with an address
pool of 10.0.1.100-10.0.1.108 and a DNS server of 192.168.1.2?
A. dhcpd address 10.0.1.100-10.0.1.108 DMZ
dhcpd dns 192.168.1.2
dhcpd enable DMZ
B. dhcpd range 10.0.1.100-10.0.1.108 DMZ
dhcpd dns server 192.168.1.2
dhcpd DMZ
C. dhcpd address range 10.0.1.100-10.0.1.108
dhcpd dns 192.168.1.2
dhcpd enable
D. dhcpd address range 10.0.1.100-10.0.1.108
dhcpd dns server 192.168.1.2
dhcpd enable DMZ
Answer: A
2. Refer to the exhibit. Based on this output, which of the following statements is true?
A. The ACLOUT access list has been designed to allow the IP address with the network address of 192.168.6.0 to
have unrestricted access to the web server at IP address 192.168.1.11.
B. The ACLIN access list permits web access from host 192.168.6.10 to all hosts behind the Cisco ASA.
C. The ICMPDMZ access list denies all ICMP traffic bound for the bastion host except echo replies.
D. The ACLOUT access list has been designed to deny the IP address 192.168.1.11 web access to the host with a
network address of 192.168.6.0.
Answer: A
3. Which mode of operation must you enter in order to recover the Cisco ASA password?
TestInside 642-523
A. unprivileged
B. privileged
C. configure
D. monitor
Answer: D
4. Which command both verifies that NAT is working properly and displays active NAT translations?
A. show running-configuration nat
B. show nat translation
C. show xlate
D. show ip nat all
Answer: C
5. The Cisco VPN Client supports which three of these tunneling protocols and methods? (Choose three.)
A. IPsec over TCP
B. IPsec over UDP
C. ESP
D. AH
E. SCEP
F. LZS
Answer: ABC
6. Refer to the exhibit. A network administrator wants to authenticate remote users who are accessing the WEB1
server from the Internet. When a remote user initiates a session to the WEB1 server, the ASA1 security appliance
will verify the user's credentials with the TX_ACS AAA server via RADIUS. To accomplish this, the
administrator must load and configure Cisco ACS software on the TX_ACS AAA server. During the process, the
administrator must correctly configure the AAA client information in the Cisco ACS network configuration
window.
What must the administrator place in field A (AAA Client Hostname) and field B (AAA Client IP address)?
A. AX_ACS
B?0.0.1.10
B. AEB1
B?72.16.1.2
C. Aave
B?92.168.2.10
D. ASA1
B?0.0.1.1
Answer: D
7. When configuring a crypto ipsec transform-set command, how many unique transforms can a single transform
set contain?
A. one
B. two
C. three
D. four
Answer: B
8. Refer to the exhibit. An administrator is adding descriptions to class maps for each part of the modular policy
framework. What text would the administrator add to the description command to describe the TO_SERVER class
map?
A. description "This class-map matches all HTTP traffic for the public web server."
B. description "This class-map matches all HTTPS traffic for the public web server."
C. description "This class-map matches all TCP traffic for the public web server."
D. description "This class-map matches all IP traffic for the public web server."
Answer: D
9. Refer to the exhibit. The network administrator for this small site has chosen to authenticate HTTP cut-through
proxy traffic via a local database on the Cisco ASA. Which set of command strings should the administrator enter
to accomplish this?
A. asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6
asa1(config)# access-list 150 permit tcp any host 172.16.16.6 eq www
asa1(config)# aaa authentication match 150 outside LOCAL
B. asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6
asa1(config)# access-list 150 permit tcp any host 192.168.16.6 eq www
asa1(config)# aaa authentication match 150 outside asa1
C. asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6
asa1(config)# access-list 150 permit tcp any host 172.16.16.6 eq www
asa1(config)# aaa authentication match 150 outside asa1
D. asa1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6
asa1(config)# access-list 150 permit tcp any host 192.168.16.6 eq www
asa1(config)# aaa authentication match 150 outside LOCAL
Answer: D
10. Which three of these are potential groups of users for WebVPN? (Choose three.)
A. employees accessing specific internal applications from desktops and laptops not managed by IT
B. administrators who need to manage servers and networking equipment
C. employees that only need occasional corporate access to a few applications
D. employees that need access to a wide range of corporate applications
E. users of a customer service kiosk placed in a retail store
F. remote employees that need daily access to the internal corporate network
Answer: ACE
11. Which of these commands will provide detailed information about the crypto map configurations of a Cisco
ASA?
A. show run ipsec sa
B. show ipsec sa
C. show crypto map
D. show run crypto map
Answer: D
12. Which of these commands would block all SIP INVITE packets, such as calling-party and request-method,
from specific SIP endpoints?
A. Group the match commands in a SIP inspection policy map.
B. Group the match commands in a SIP inspection class map.
C. Use the match calling-party command in a class map. Apply the class map to a policy map that contains the
match request-methods command.
D. Use the match request-methods command in an inspection class map. Apply the inspection class map to an
inspection policy map that contains the match calling-party command.
E. Group the match commands in the global_policy policy map.
Answer: B
13. Refer to the exhibit. This adaptive security appliance is configured for which two types of failover? (Choose
two.)
A. cable-based failover
B. LAN-based failover
C. stateful failover
D. Active/Standby failover
E. Active/Active failover
F. Context/Group failover
Answer: BE
14. LAB
The answer to this question is not available now; we would appreciate it if you could provide the answer to us!
15. The primary adaptive security appliance failed, so the secondary adaptive security appliance was
automatically activated. The network administrator then fixed the problem. Now the administrator wants to return
the primary to "active" status.
Which of these commands, when issued on the primary adaptive security appliance, will reactivate the primary
adaptive security appliance and restore it to "active" status?
A. failover primary active
B. failover secondary group 1
C. failover active group 1
D. failover secondary standby group 1
Answer: C
16. You are configuring a crypto map. Which of these commands would you use to specify the peer to which
IPsec-protected traffic can be forwarded?
A. crypto map set peer 192.168.7.2
B. crypto map 20 set-peer insidehost
C. crypto-map policy 10 set 192.168.7.2
D. crypto map peer7 10 set peer 192.168.7.2
Answer: D
17. Which three types of information can be found in the syslog output for an adaptive security appliance?
(Choose three.)
A. time stamp and date
B. logging level
C. default router
D. interface packet received
E. hostname of the packet sender
F. message text
Answer: ABF
18. With adaptive security appliance code of version 7.0 or later, which three hardware and software requirements
must be met before failover can be configured? (Choose three.)
A. The adaptive security appliances must be the same type of platform.
B. RAM, flash, modules, and interfaces must be identical on each unit.
C. The failover pair must meet hardware and software requirements, but can be a PIX and a Cisco ASA.
D. Only RAM and interfaces must be identical on each unit.
E. Major and minor software releases must match, but software versions do not need to be identical.
F. Software versions must have the same major release version, but minor release versions do not need to match.
Answer: ABE
19. Refer to the exhibit. What is the purpose of this command?
A. to filter ActiveX traffic from the default route
B. to filter ActiveX traffic on HTTP from any host and to any host
C. to filter Java traffic on HTTP from any host and to any host
D. to filter ActiveX traffic once it has been applied to an interface
Answer: B
20. Which three of these are encryption algorithms used by Cisco ASA security appliances? (Choose three.)
A. DES
B. Blowfish
C. RC4
D. 3DES
E. AES
F. Diffie-Hellman Group 5
Answer: ADE
21. Which command configures the Cisco ASA console for SSH access by a local user?
A. aaa authentication ssh console LOCAL
B. ssh console username sysadmin password cisco123
C. ssh username sysadmin password cisco123
D. aaa authentication ssh LOCAL
Answer: A
22. By default, adaptive security appliances configured for LAN-based failover will fail over after approximately
15 seconds. Which two commands should an administrator configure on the security appliance to detect a failure
faster? (Choose two.)
A. failover polltime unit
B. failover interface-policy polltime
C. failover lan link polltime
D. failover lan unit polltime
E. failover unit-policy polltime
F. failover polltime interface
Answer: AF
23. LAB
The answer to this question is not available now; we would appreciate it if you could provide the answer to us!
24. Which of the following statements about adaptive security appliance failover is true?
A. The Cisco ASA and PIX security appliances support LAN-based and cable-based failover.
B. The Cisco ASA security appliance only supports cable-based failover.
C. The PIX adaptive security appliance only supports LAN-based failover.
D. The PIX adaptive security appliance supports LAN-based and cable-based failover.
Answer: D
25. Which of these commands enables IKE on the outside interface?
A. ike enable outside
B. nameif outside isakmp enable
C. isakmp enable outside
D. int g0/0 ike enable (outbound)
Answer: C
26. Which of the following statements about the configuration of WebVPN on the Cisco ASA is true for Cisco
ASA version 7.2?
A. WebVPN and Cisco ASDM can both be enabled on the same interface, but must run on different TCP ports.
B. WebVPN and Cisco ASDM cannot be enabled at the same time on the Cisco ASA.
C. WebVPN and Cisco ASDM can only be enabled at the same time using the command line interface.
D. WebVPN and Cisco ASDM cannot run on the same interface.
Answer: A
27. Which command will set the default route for an adaptive security appliance to the IP address 10.10.10.1?
A. route add default 0 10.10.10.1
B. route management 10.10.10.0 0.0.0.255 10.10.10.1 1
C. route 0 0 10.10.10.1 1
D. route outside 0 0 10.10.10.1 1
Answer: D
28. An administrator is configuring a Cisco ASA for site-to-site VPN using pre-shared keys. Which two
configuration modes and commands would the administrator configure when using a pre-shared key of 1234?
(Choose two.)
A. asa(config-isakmp-policy)# authentication pre-share
B. asa(config-isakmp-policy)# authentication pre-shared-key 1234
C. asa(config-tunnel-ipsec)# pre-shared-key 1234
D. asa(config-tunnel-general)# authentication pre-share
E. asa(config)# tunnel-group name general-attributes authentication pre-share
F. asa(config)# tunnel-group name ipsec-attributes pre-shared-key 1234
Answer: AC
29. Refer to the exhibit. An administrator wants to permanently map host addresses on the DMZ subnet to the
same host addresses, but a different subnet, on the outside interface. Which command or commands should the
administrator use to accomplish this?
A. NAT (dmz) 0 172.16.1.0 netmask 255.255.255.0
B. access-list server_map permit tcp any 192.168.10.0 255.255.255.0
nat (outside) 10 access-list server_map
global (dmz) 10 172.16.1.9-10 netmask 255.255.255.0
C. static (dmz,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0
D. nat (dmz) 1 172.16.1.0 netmask 255.255.255.0
global (outside) 1 192.168.10.9-10 netmask 255.255.255.0
Answer: C
30. Which three of these commands will show you the contents of flash memory on the Cisco ASA? (Choose
three.)
A. show disk
B. flash
C. dir
D. show flash:
E. directory
F. info flash
Answer: ACD
31. On a Cisco ASA adaptive security appliance, the administrator enters the boot config disk0:/startup.txt
command. What will this command do when the system is reloaded?
A. It will configure the ASA to skip the hardware diagnostics and perform a warm boot of the startup.txt config
file.
B. It will copy the current config file to the startup.txt file on disk 0.
C. It will do nothing until the file extension is changed to .cfg, at which time it will boot the startup.cfg config file.
D. It will configure the Cisco ASA to boot using the startup.txt config file stored in flash memory.
Answer: D
32. What does the activation-key command in the Cisco ASA do?
A. automatically activates the Cisco ASA, allowing it to be configured right out of the box
B. activates the SSM module in the Cisco ASA, providing intrusion protection and content filtering
C. applies the activation key to the Cisco ASDM so the Cisco ASA can be managed using a web interface
D. applies the activation key to the Cisco ASA operating system, so that the Cisco ASA is licensed and all features
are available
Answer: D
33. Refer to the exhibit. Given the configuration commands shown, what traffic will be logged to the AAA server?
A. All connection information will be logged in the accounting database.
B. All outbound connection information will be logged in the accounting database.
C. Only the authenticated console connection information will be logged in the accounting database.
D. No information will be logged. This is not a valid configuration because TACACS+ connection information
cannot be captured and logged.
Answer: B
34. What does the csd enable command enable on the Cisco ASA?
A. It enables the Cisco Secure Desktop on the host connecting to the Cisco ASDM.
B. It enables the Cisco Secure Desktop for IPsec VPN clients when they connect to the Cisco ASA.
C. It enables the Cisco Secure Desktop for SSL VPN clients when they connect.
D. It enables the Cisco Secure Desktop on SSL VPN clients without a host-based firewall.
Answer: C
35. Which command configures the adaptive security appliance interface as a DHCP client and sets the default
route to be the default gateway parameter returned from the DHCP server?
A. ip address dhcp setroute
B. ip address dhcp
C. ip address dhcp default route
D. dhcp setroute
Answer: A
36. Which three of these are Cisco ASA syslog message fields? (Choose three.)
A. logging level
B. logging device IP
C. message text
D. triggering packet copy
E. syslog community string
F. default ASA gateway
Answer: ABC
37. Which username and password can you use to establish an SSH connection to your adaptive security appliance
when no local or remote user database has been configured?
A. the username "pix" and the password "cisco123"
B. the username "pix" and the password "cisco"
C. the username "ssh" and the password "pix"
D. the username "ssh" and the password "cisco123"
Answer: B
38. Which of these commands causes the CSC SSM to load a new software image from a remote TFTP server via
the CLI?
A. module 1 recover config
B. hw module recover config
C. hw module 1 recover config
D. copy tftp:tftphost/image.bin hardware:module1/image.bin
Answer: C
39. Only the default modular policy framework is currently configured on your Cisco ASA. You want to block the
dele and put FTP commands, but only on the outside interface. Which three of these commands must be entered to
accomplish this goal? (Choose three.)
A. policy-map type inspect ftp
B. service-policy
C. regex
D. access-list
E. class-map type inspect ftp
F. policy-map
Answer: ABF
40. When an administrator adds the same-security-traffic permit inter-interface command to a Cisco ASA, what
will happen?
A. A Dynamic Multipoint VPN connected to all endpoints will be enabled.
B. Communication will be allowed between different interfaces with the same security level.
C. Communication will be allowed between VPN clients terminated on different Cisco ASA interfaces.
D. Communication will be allowed between multiple Cisco ASA security appliances deployed as hubs in
enterprise-wide deployments of Cisco Easy VPN servers.
Answer: B
41. Which of these commands will configure the adaptive security appliance to use an ACS server for console
access authentication?
A. aaa authentication serial console LOCAL
B. aaa authentication console LOCAL
C. aaa authentication serial console SRVGRP1 LOCAL
D. aaa authentication console SRVGRP1
Answer: C
42. Refer to the exhibit. If the show failover command has returned this output, what is the problem with the
failover configuration?
A. The LAN-based failover interface has been shut down on the security appliance.
B. The failover cable is not connected to the secondary failover security appliance.
C. The poll frequency is set too high to detect the secondary failover security appliance.
D. There is no problem; the timer that detects the secondary failover security appliance has not expired.
Answer: B
43. An administrator wants to protect a DMZ web server from SYN flood attacks. Which three of these commands,
used individually, would allow the administrator to place limits on the number of embryonic connections?
(Choose three.)
A. nat
B. access-list
C. static
D. set connection
E. http-proxy
F. http redirect
Answer: ACD
44. Which command will provide interface IP information, the interface operational status, and the interface
configuration method for an adaptive security appliance?
A. show ip interface
B. show interface ip brief
C. show interface stats
D. show interface detail
Answer: B
45. Refer to the exhibit. The adaptive security appliance administrator needs to filter a single website on a host
with the IP address 10.10.11.4, but allow access to all other websites. The administrator enters the commands
shown and then executes them.
Which two tasks do these commands accomplish? (Choose two.)
A. filter the URLs found at the host with the IP address 10.10.11.4
B. allow access to all websites except those hosted at IP address 10.10.11.4
C. filter all URL requests
D. only allow access to the websites hosted at the IP address 10.10.11.4
E. cause URL requests from the address 10.10.11.4 to be exempted from filtering
F. cause URL requests to be filtered by the filtering host at the IP address 10.10.11.4
Answer: CE
46. Which of these statements regarding Active/Active failover configurations is correct?
A. Use the failover active command to enable Active/Active failover on the Cisco ASA Security Appliance.
B. Allocate interfaces to a failover group using the failover group sub-command mode.
C. Configure two failover groups: group 1 and group 2.
D. Configure failover interface parameters in the "ADMIN" context.
Answer: C
47. Refer to the exhibit. What do these commands accomplish?
A. they limit the MEDIUM-RESOURCE-SET class to five Cisco ASDM sessions and 20% of the system
connection limit
B. they limit the MEDIUM-RESOURCE-SET class to five failed Cisco ASDM connection attempts and 20% of
system resources
C. they increase the default Cisco ASDM session limit by five for the MEDIUM-RESOURCE-SET class and
increase the system connection limit by 20%
D. they guarantee five Cisco ASDM sessions and a system connection of 20% for resources belonging to the
MEDIUM-RESOURCE-SET class
Answer: A
48. You want to block a new instant messaging application. Which three of these are mandatory for
accomplishing this goal with your Cisco ASA? (Choose three.)
A. a regex class map
B. a Layer 3/4 policy map
C. an HTTP inspection policy map
D. an HTTP inspection class map
E. a regular expression
F. an IM inspection policy map
Answer: BCE
49. Which of these commands must be used when configuring advanced FTP inspection, such as FTP banner
masking or the blocking of specific usernames?
A. ftp-map
B. class-map type regex
C. tcp-map
D. policy-map type inspect ftp
E. class-map type inspect ftp
Answer: D
50. Which of these commands displays the status of the CSC SSM on the Cisco ASA?
A. show module 1 details
B. show module 1 CSC details
C. show hw 1 details
D. show interface GigabitEthernet 1/0
Answer: A