Actual Tests v3.0-2.12.2011.105q.

Chips
Number: 642-617 Passing Score: 800 Time Limit: 60 min File Version: 1.1

For the Lab - Download the ASDM Demo from here http://www.4shared.com/file/dbE_vbdo/asdm-demo-634.htm Improvements over other files Fixed Drag and Drops Fixed incomplete questions Fixed checked all questions Removed duplicates - just really dont like duplicated questions Added Hotspot Area style for LABs Added screenshots for simlet question NB:none of the answers are guaranteed -- please check the answers yourself - and check back in the comments for other people's ideas. Its an open and collobrative effort - if you feel that a question is wrong -- please publish forward so people can decide for themselves. If you make any changes - please publish under a new name -- not this name. Thanks Steak & Chips

Sections 1. Lab 2. Pre-Production Design 3. Complex Operations 4. Advanced Troubleshooting 5. New Questions 6. LAB

Exam A QUESTION 1 Using the default modular policy framework global configuration on the Cisco ASA, how does the Cisco ASA process outbound HTTP traffic? A. B. C. D. HTTP flows are not permitted through the Cisco ASA, because HTTP is not inspected bydefault. HTTP flows match the inspection_default traffic class and are inspected using HTTP inspection. HTTP outbound traffic is permitted, but all return HTTP traffic is denied. HTTP flows statefully inspected using TCP stateful inspection.

Answer: D Section: Pre-Production Design Explanation/Reference:

QUESTION 2 Which Cisco ASA feature enables the ASA to do these two things? 1) Act as a proxy for the server and generate a SYN-ACK response to the client SYN request. 2) When the Cisco ASA receives an ACK back from the client, the Cisco ASA authenticates the client and allows the connection to the server. A. B. C. D. E. F. TCPnormalizer TCP state bypass TCP intercept basic threat detection advanced threat detection botnet traffic filter

Answer: C Section: Pre-Production Design Explanation/Reference:

QUESTION 3 By default, which traffic can pass through a Cisco ASA that is operating in transparent mode without explicitly allowing it using an ACL? A. B. C. D. E. ARP BPDU CDP OSPF multicasts DHCP

Answer: A Section: Pre-Production Design Explanation/Reference:

QUESTION 4 Refertothe exhibit. Which Cisco ASA feature can be configured using this Cisco ASDM screen?

A. B. C. D. E.

Cisco ASA command authorization using TACACS+ AAA accounting to track serial,ssh, and telnet connections to the Cisco ASA Exec Shell access authorization using AAA cut-thru proxy AAA authentication policy for Cisco ASDM access

Answer: D Section: Pre-Production Design Explanation/Reference:

QUESTION 5 Refer to the exhibit. The Cisco ASA is dropping all the traffic that is sourced from the internet and is destined to any security context inside interface. Which configuration should be verified on the Cisco ASA to solve this problem?

A. B. C. D. E.

The Cisco ASA has NAT control disabled on each security context. The Cisco ASA is using inside dynamic NAT on each security context. The Cisco ASA is using a unique MAC address on each security context outside interface. The Cisco ASA is using a unique dynamic routing protocol process on each security context. The Cisco ASA packet classifier is configured to use the outside physical interface to assign the packets to each security context.

Answer: C Section: Complex Operations Explanation/Reference:

QUESTION 6 Which four types of ACL object group are supported on the Cisco ASA (release 8.2)? (Choose four.) A. B. C. D. E. F. protocol network port service icmp-type host

Answer: ABDE Section: Pre-Production Design Explanation/Reference:

QUESTION 7 Refer to the exhibit. Which two statements about the class maps are true? (Choose two.)

A. B. C. D. E.

These class maps are referenced within the global policy by default for HTTP inspection. These class maps are all type inspect http class maps. These class maps classify traffic using regular expressions. These class maps are Layer 3/4 class maps. These class maps are used within the inspection_default class map for matching the default inspection traffic.

Answer: BE Section: Pre-Production Design Explanation/Reference:

QUESTION 8 Refer to the exhibit. A Cisco ASA in transparent firewall mode generates the log messages seen in the exhibit. What should be configured on the Cisco ASA to allow the denied traffic?

A. B. C. D. E.

extended ACL on the outside and inside interface to permit the multicast traffic EtherType ACL on the outside and inside interface to permit the multicast traffic stateful packet inspection static ARP mapping static MAC address mapping

Answer: A Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 9 The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three Cisco ASA options will not support these requirements? (Choose three.) A. B. C. D. E. F. transparent mode multiple context mode active/standby failover mode active/active failover mode routed mode no NAT-control

Answer: ABD Section: Complex Operations Explanation/Reference:

QUESTION 10 Refer to the exhibits. Which five options should be entered into the five fields in the Cisco ASDM Add Static Policy NAT Rule screen? (Choose five.) access-list POLICY_NAT_ACL extended permit ip host 172.16.0.10 10.0.1.0 255.255.255.0 static (dmz,outside) 192.168.2.10 access-list POLICY_NAT_ACL

A. B. C. D. E. F. G. H. I. J.

dmz = Original Interface outside = Original Interface 172.16.0.10 = Original Source 192.168.2.10 = Original Source 10.0.1.0/24 = Original Destination 192.168.2.10 = Original Destination dmz = Translated Interface outside = Translated Interface 192.168.2.10 = Translated Use IP Address 172.16.0.10 = Translated Use IP Address

Answer: ACEHI Section: Pre-Production Design Explanation/Reference:

QUESTION 11 By default, which access rule is applied inbound to the inside interface? A. B. C. D. All IP traffic is denied. All IP traffic is permitted. All IP traffic sourced from any source to any less secure network destinations is permitted. All IP traffic sourced from any source to any more secure network destinations is permitted

Answer: C Section: Pre-Production Design Explanation/Reference:

QUESTION 12 In which type of environment is the Cisco ASA MPF set connection advanced-options tcp-statebypass option the most useful? A. B. C. D. E. SIP proxy WCCP BGP peering through the Cisco ASA asymmetric traffic flow transparent firewall

Answer: D Section: Complex Operations Explanation/Reference:

QUESTION 13 Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per second, 600,000 maximum connections, and traffic shaping? A. B. C. D. 5540 5550 5580-20 5580-40

Answer: B Section: Pre-Production Design Explanation/Reference:

QUESTION 14 Refer to the exhibit. What is the resulting CLI command?

A. match requesturi regex _default_GoToMyPC-tunnel drop-connection log B. match regex _default_GoToMyPC-tunnel drop-connection log C. class_default_GoToMyPC-tunnel drop-connection log D. match class-map _default_GoToMyPC-tunnel drop-connection log Answer: C Section: Pre-Production Design Explanation/Reference:

QUESTION 15 A customer is ordering a number of Cisco ASAs for their network. For the remote or home office, they are purchasing the Cisco ASA 5505. When ordering the licenses for their Cisco ASAs, which two licenses must they order that are "platform specific" to the Cisco ASA 5505? (Choose two.) A. B. C. D. E. AnyConnect Essentials license per-user Premium SSL VPN license VPN shared license internal user licenses Security Plus license

Answer: DE Section: Pre-Production Design Explanation/Reference:

QUESTION 16 With Cisco ASA active/standby failover, what is needed to enable sub-second failover? A. B. C. D. Use redundant interfaces. Enable the stateful failover interface between the primary and secondary Cisco ASA. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec Decrease the default number of monitored interfaces to 1.

Answer: C Section: Complex Operations Explanation/Reference:

QUESTION 17 Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name command? A. B. C. D. E. uRPF TCP intercept botnet traffic filter scanning threat detection IPS (IP audit)

Answer: A Section: Pre-Production Design Explanation/Reference:

QUESTION 18 Refer to the exhibit. What can be determined about the connection status?

A. The output is showing normal activity to the inside 10.1.1.50 web server. B. Many HTTP connections to the 10.1.1.50 web server have successfully completed the threeway TCP handshake C. Many embryonic connections are made from random sources to the 10.1.1.50 web server. D. The 10.1.1.50 host is triggering SYN flood attacks against random hosts on the outside. E. The 10.1.1.50 web server is terminating all the incoming HTTP connections. Answer: C Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 19 When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.) A. B. C. D. E. Verify the interface status in the system execution space. Verify the mac-address-table on the Cisco ASA. Verify that unique MAC addresses are configured if the contexts are using non-shared interfaces. Verify the interface status in the user context. Verify the resource classes configuration by accessing the admin context.

Answer: AD Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 20 Which statement about the default ACL logging behavior of the Cisco ASA is true? A. The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured B. The Cisco ASA generates system message 106023 for each packet that matched an ACE. C. The Cisco ASA generates system message 106100 only for the first packet that matched an ACE. D. The Cisco ASA generates system message 106100 for each packet that matched an ACE. E. No ACL logging is enabled by default. Answer: A Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 21 When will a Cisco ASA that is operating in transparent firewall mode perform a routing table lookup instead of a MAC address table lookup to determine the outgoing interface of a packet? A. B. C. D. E. if multiple context mode is configured if the destination MAC address is unknown if the destination is more than a hop away from the Cisco ASA if NAT is configured if dynamic ARP inspection is configured

Answer: D Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 22 Which flags should the show conn command normally show after a TCP connection has successfully been established from an inside host to an outside host? A. B. C. D. E. F. aB saA slO AIO UIO F

Answer: E Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 23 Refer to the exhibit. Which three configuration commands will enable the VPN client to get PATed to the 10.3.3.3 IP address when accessing the DMZ? (Choose three.)

A. B. C. D. E. F.

access-list client extended permit ip 209.165.202.128 255.255.255.224 any access-list client extended permit ip 10.3.3.3 255.255.255.255 any access-list client extended permit ip any 10.3.3.3 255.255.255.255 nat (outside) 1 access-list client nat (dmz) 1 209.165.202.128 255.255.255.224 nat (dmz) 1 access-list client

Answer: ACD Section: Pre-Production Design Explanation/Reference:

QUESTION 24 Refer to the exhibit. What is a reasonable conclusion?

A. B. C. D. E.

The maximum number of TCP connections that the 10.1.1.99 host can establish will be 146608. All the connections from the 10.1.1.99 have completed the TCP three-way handshake. The 10.1.1.99 hosts are generating a vast number of outgoing connections, probably due to a virus The 10.1.1.99 host on the inside is under a SYN flood attack. The 10.1.1.99 host operations on the inside look normal.

Answer: C Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 25 In one custom dynamic application, the inside client connects to an outside server using TCP port 4444 and negotiates return client traffic in the port range of 5000 to 5500. The server then starts streaming UDP data to the client on the negotiated port in the specified range. Which Cisco ASA feature or command supports this custom dynamic application? A. B. C. D. E. TCPnormalizer TCP intercept ip verify command established command tcp-map and tcp-options commands

F. set connection advanced-options command Answer: D Section: Complex Operations Explanation/Reference:

QUESTION 26 Which two statements about Cisco ASA failover troubleshooting are true? (Choose two.) A. With active/active failover, failover link troubleshooting should be done in the system execution space. B. With active/active failover, ASR groups must be enabled. C. With active/active failover, user data passing interfaces troubleshooting should be done within the context execution space. D. The failed interface threshold is set to 1. Using the show monitor-interface command, if one of the monitored interfaces on both the primary and secondary Cisco ASA appliances is in the unknown state, a failover should occur. E. Syslog level 1 messages will be generated on the standby unit only if the logging standby command is used. Answer: AC Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 27 A Cisco ASA is operating in transparent firewall mode, but the MAC address table of the Cisco ASA is always empty, which causes connectivity issues. What should you verify to troubleshoot this issue? A. B. C. D. E. if ARP inspection has been disabled if MAC learning has been disabled if NAT has been disabled if ARP traffic is explicitly allowed using EtherType ACL if BPDU traffic is explicitly allowed using EtherType ACL

Answer: B Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 28 When configuring security contexts on the Cisco ASA, which three resource class limits can be set using a rate limit? (Choose three.) A. B. C. D. E. F. address translation rate Cisco ASDM session rate connections rate MAC-address learning rate (when in transparent mode) syslog messages rate stateful packet inspections rate

Answer: CEF Section: Complex Operations Explanation/Reference:

QUESTION 29 Refer to the exhibit. Which statement about the Telnet session from 10.0.0.1 to 172.26.1.200 is true?

A. B. C. D. E.

The Telnet session should be successful. The Telnet session should fail because the route lookup to the destination fails. The Telnet session should fail because the inside interface inbound access list will block it The Telnet session should fail because no matching flow was found. The Telnet session should fail because inside NAT has not been configured.

Answer: C

Section: Pre-Production Design Explanation/Reference:

QUESTION 30 Which Cisco ASA show command groups the xiates and connections information together in its output? A. B. C. D. show conn show conn detail show asp show local-host

Answer: D Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 31 By default, how does the Cisco ASA authenticate itself to the Cisco ASDM users? A. The administrator validates the Cisco ASA by examining the factory built-in identity certificate thumbprint of the Cisco ASA. B. The Cisco ASA automatically creates and uses a persistent self-signed X.509 certificate to authenticate itself to the administrator C. The Cisco ASA automatically creates a self-signed X.509 certificate on each reboot to authenticate itself to the administrator. D. The Cisco ASA and the administrator use a mutual password to authenticate each other. E. The Cisco ASA authenticates itself to the administrator using a one-time password. Answer: C Section: Pre-Production Design Explanation/Reference:

QUESTION 32 Refer to the exhibit. Which command enables the stateful failover option?

A. failover link MYFAILOVER GigabitEthernetO/2 B. failover Ian interface MYFAILOVER GigabitEthernetO/2 C failover interface ip MYFAILOVER 172.16.5.1 255.255.255.0 standby 172.16.5.10 C. preempt D. failover group 1 primary E. failover Ian unit primary Answer: A Section: Complex Operations Explanation/Reference:

QUESTION 33 On Cisco ASA version 8.2, which four inspections are enabled by default in the global_policy? (Choose four.) A. B. C. D. E. F. HTTP ESMTP SKINNY ICMP TFTP SIP

Answer: BCEF Section: Pre-Production Design Explanation/Reference:

QUESTION 34 Which flag shown in the output of the show conn command is used to indicate that an initial SYN packet is from the outside (lower security-level interface)? A. B. C. D. E. F. G. H. B D b A a I 1 O

Answer: A Section: Advanced Troubleshooting Explanation/Reference: Official Guide page 343 onwards a = awaiting outside ACK to SYN A = awaiting inside ACK to SYN B = initial SYN from outside

f = inside FIN F = outside FIN I = inbound data O = outbound data r = inside acknowleged FIN R = outside acknowlegded FIN s = awating outside SYN S = awaiting inside SYN U = connection UP

QUESTION 35

A. B. C. D.

allows the configuration of predifined user account privileges allows tacacs allow backup for group fail allows AAA

Answer: A Section: Pre-Production Design Explanation/Reference:

QUESTION 36

Refer to the exhibit. Which two CLI commands will result? (Choose two. )

A. B. C. D. E. F.

aaa authorization network LOCAL aaa authorization network default authentication-server LOCAL aaa authorization command LOCAL aaa authorization exec LOCAL aaa authorization exec authentication-server LOCAL aaa authorization exec authentication-server

Answer: CD Section: Pre-Production Design Explanation/Reference:

QUESTION 37

A. create an access list on the inside and outside interface to permit multicast traffic B. create a policy map to match the routing protocol ospf C. map the mac addresses of the two routers in the mac-address table D. Answer: A

Section: New Questions Explanation/Reference:

QUESTION 38 What SNMP feature supported by new ASA OS version? A. B. C. D. SNMPv3 with 3 modes SNMP 1 and 2c only read-only and read-write SNMPv2 with aes authentication encryption

Answer: A Section: New Questions Explanation/Reference: http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html

QUESTION 39 Which ASA model has a 4 port module attached to it, which can not be removed? A. B. C. D. E. ASA 5505 ASA 5520 ASA 5540 ASA 5550 ASA 5580

Answer: D Section: New Questions Explanation/Reference: Official Guide - Page 49

QUESTION 40 Which of the following configurations are needed to enable SNMPv3 on a Cisco ASA? (Choose four) A. B. C. D. E. F. SNMPv3 local Engin ID SNMPv3 Remote Engin ID SNMP User SNMP Group SNMP Community Strings SNMP Host

Answer: ACDF Section: New Questions Explanation/Reference: Official Guide Page 220+ and http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html#wp18853

QUESTION 41 How many monitored interfaces should be down to transfer to failover state? A. B. C. D. E. 1 2 3 4 5

Answer: A Section: New Questions Explanation/Reference:

QUESTION 42 Which URI regular expression would match any webpage with the welcome.jpg? A. B. C. D. E. ?/welcome*.jpg ?/welcome\.jpg ^*/welcome\.jpg ./welcome.jpg ^*/welcome.jpg

Answer: C Section: New Questions Explanation/Reference: Official guide page 457-458 . = match any single character ^ = matches anything at the beginning of the line : any expression following the ^ will be matched only if it appears at the begining of the line * = matches 0,1 or any number of the character preceeding the * -- ie w* can equal w, ww, www, wwww \ = ignores the special function of the next letter - = just as it is printed Further reading http://en.wikipedia.org/wiki/Regular_expression_examples

QUESTION 43 When a Cisco ASA is configured in multiple context mode, within which configuration are the interfaces allocated to the security contexts? A. B. C. D. each security context system configuration admin context (context within the admin role) context startup configuration file (.cfg file)

Answer: B Section: New Questions Explanation/Reference:

QUESTION 44 Which statement about NAT/PAT is true?

A. B. C. D. E. F.

Dynamic PAT is used for any traffic that is sourced from the dmz_emailserver to the outside Dynamic PAT is used for any traffic that is sourced from any host on the inside network to the outside Static NAT is used for any traffic that is sourced from the dmz_emailserver to the outside Static PAT is used for any traffic that is sourced from the dmz_emailserver to the outside Dynamic NAT is used for any traffic that is sourced from the dmz_emailserver to the outside Dynamic NAT is used for any traffic that is sourced from and host on the guest-network to the outside

Answer: B Section: New Questions Explanation/Reference: Official guide Page 300 onwards

QUESTION 45 Which statement about SNMP support is true for the Cisco ASA running 8.2.2 is true? A. Only support running SNMP version 1 and 2c simultaenously B. Support both read-only and read/write access C. Support three SNMP Groups: Authentication and Encryption, Authentication Only and No Authentication. D. The Cisco ASA can send SNMP traps the the Network Management Station only using SNMPv2 Answer: C Section: New Questions Explanation/Reference: Official Guide - Chapter 5 - pages 217 onwards Page219 Three SNMPv3 group definitions are supported by the ASA: No Authentication, No Encryption: Cleartext communication between the ASA and NMS Authentication Only: Communication is authenticated but unencrypted Authentication and Encryption: Authentication and full encryption for communication between the ASA and NMS

Exam B QUESTION 1 Which feature is not supported on the Cisco ASA 5505 with the Security Plus license? O A. security contexts A. B. C. D. stateless active/standby failover transparent firewall threat detection traffic shaping

Answer: A Section: Complex Operations Explanation/Reference:

QUESTION 2 What is the first configuration step when using Cisco ASDM to configure a new Layer 3/4 inspection policy on the Cisco ASA? A. B. C. D. E. F. Create a new class map. Create a new policy map and apply actions to the traffic classes. Create a new service policy rule. Create the ACLs to be referenced by any of the new class maps. Disable the default global inspection policy. Create a new firewall access rule.

Answer: C Section: Pre-Production Design Explanation/Reference:

QUESTION 3 Which statement about the Cisco ASA 5505 configuration is true? A. The IP address is configured under the physical interface (ethemet 0/0 to ethemet 0/7). B. With the default factory configuration, the management interface (management 0/0) is configured with the 192.168.1.1/24 IP address C. With the default factory configuration, Cisco ASDM access is not enabled. D. The switchport access vlan command can be used to assign the VLAN to each physical interface (ethemet 0/0 to ethemet 0/7). E. With the default factory configuration, both the inside and outside interface will use DHCP to acquire its IP address. Answer: B Section: Pre-Production Design Explanation/Reference: Official Guide - Page 51 - Chapter 2

In the initial configuration, the management interface is always configured to use IP address 192.168.1.1 and subnet mask 255.255.255.0. The DHCP server is configured to provide addresses from a range of 192.168.1.2 to 192.168.1.254. The HTTP server is con-

figured to allow ASDM sessions from devices on the 192.168.1.0/24 management network. On ASA 5510 and higher platforms, the initial configuration always uses the Management0/0 physical interface for the management network, as shown in the top portion of Figure 2-7. The ASA 5505, however, doesnt have a dedicated management interface. Instead, it uses VLAN 1 for the secure inside network, which is assigned to physical interfaces Ethernet0/1 through 0/7.

QUESTION 4 Refer to the exhibit. What does the * next to the CTX security context indicate?

A. B. C. D.

The CTX context is the active context on the Cisco ASA. The CTX context is the standby context on the Cisco ASA. The CTX context contains the system configurations. The CTX context has the admin role.

Answer: D Section: Complex Operations Explanation/Reference:

QUESTION 5 Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only the debug output to syslog? (Choose three.) A. B. C. D. E. logging Hst test message 711001 logging debug-trace logging trap debugging logging message 711001 level 7 logging trap test

Answer: BCD Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 6 Refer to the exhibit. Which two configurations are required on the Cisco ASAs so that the return traffic from the 10.10.10.100 outside server back to the 10.20.10.100 inside client can be rerouted from the Active CtxB context in ASA Two to the Active Ctx A context in ASA One? (Choose two.)

A. B. C. D. E. F.

stateful active/active failover dynamic routing (EIGRP or OSPF or RIP) ASR-group no NAT-control policy-based routing TCP/UDP connections replication

Answer: AC Section: Complex Operations Explanation/Reference:

QUESTION 7 Where in the ACS are the individual downloadable ACL statements configured to achieve the most scalable deployment? A. B. C. D. E. F. Group Setup User Setup Shared Profile Components Network Access Profiles Network Configuration Interface Configuration

Answer: C Section: Pre-Production Design Explanation/Reference:

QUESTION 8 Which two methods can be used to access the Cisco AIP-SSM CLI? (Choose two.) A. B. C. D. E. initiating an SSH connection to the Cisco AIP-SSM external management Ethernet port connecting to the console port on the Cisco AIP-SSM using the setup command on the Cisco ASA CLI using the session 1 command on the Cisco ASA CLI using the hw-module command on the Cisco ASA CLI

Answer: AD Section: Pre-Production Design Explanation/Reference:

QUESTION 9 Refer to the exhibit. Which three CLI configuration commands result from this configuration? (Choose three.)

A. B. C. D. E. F. G. H.

global (outside) 1 192.168.11 nat (inside) 110.16.1.1 static(inside.outside) 192.168.1.1 10.16.1.1 netmask 255.255.255.255 tcp 0 0 udp 0 static(inside,outside) tcp 192.168.1.1 80 10.16.1.1 80 access-list outside_access_in line 1 extended permit tcp any host 192.168.1.1 eq http access-list outside_access_in line 1 extended permit tcp any host 10.16.1.1 eq http access-group outside_access_in outside in access-group outside acces in inside in

Answer: CEG Section: Pre-Production Design Explanation/Reference:

QUESTION 10 Which three configuration options are available when configuring static routes on the Cisco ASA? (Choose three.) A. B. C. D. E. Change the default metric (admin distance) from 1 to some other value. Enable route tracking. Specify the static route as the default tunnel gateway for VPN traffic. Specify that the static route will not be removed, even if the interface shuts down. Specify a tag value to the static route that can be used as a "match" value for controlling redistribution via route maps

Answer: ABC Section: Pre-Production Design Explanation/Reference:

QUESTION 11 On the Cisco ASA, what is the default access rule if no user-defined access lists are defined on the interfaces?

A. All inbound connections from the lower-security interfaces to the higher-security interfaces are permitted. B. All outbound connections from the higher-security interfaces to the lower-security interfaces are permitted C. All IP traffic between interfaces with the same security levelare permitted. D. All IP traffic in and out of the same interface is permitted. E. All IP traffic is denied. Answer: B Section: Pre-Production Design Explanation/Reference:

QUESTION 12 On the Cisco ASA, tcp-map can be applied to a traffic class using which MPF CLI configuration command?

A. B. C. D. E.

inspect sysopt connection tcp-options parameters set connection advanced-options

Answer: E Section: Complex Operations Explanation/Reference:

QUESTION 13 On the Cisco ASA, where are the Layer 5-7 policy maps applied? A. B. C. D. E. inside the Layer 3-4 policy map inside the Layer 3-4 class map inside the Layer 5-7 class map inside the Layer 3-4 service policy inside the Layer 5-7 service policy

Answer: A Section: Complex Operations Explanation/Reference:

QUESTION 14 Refer to the exhibit. Which two options will result from the Cisco ASA configuration? (Choose two.)

A. The outside hosts can use the 192.168.100.1 IP address to reach the web server on the inside network. B. The global IP address of the web server is 209.165.200.230.

C. The inside web client will use the 209.165.200.230 IP address to reach the web server and the Cisco ASA will translate the 209.165.200.230 IP address to the 192.168.100.1 IP address. D. The Cisco ASA will translate the DNS A-Record reply from the DNS server to any inside client for the web server (web server IP = 192.168.100.1). E. The web server will be reachable only from the inside. F. The web server will be reachable only from the outside. Answer: BD Section: Complex Operations Explanation/Reference:

QUESTION 15 The Cisco ASA is configured in multiple mode and the security contexts share the same outside physical interface. Which two packet classification methods can be used by the Cisco ASA to determine which security context to forward the incoming traffic from the outside interface? (Choose two.) A. B. C. D. E. unique interface IP address unique interface MAC address routing table lookup MAC address table lookup unique global mapped IP addresses

Answer: BE Section: Complex Operations Explanation/Reference:

QUESTION 16 With Cisco ASA active/active or active/standby stateful failover, which state information or table is not passed between the active and standby Cisco ASA by default? A. B. C. D. E. NAT translation table TCP connection states UDP connection states ARP table HTTP connection table

Answer: E Section: Complex Operations Explanation/Reference:

QUESTION 17 Refer to the exhibit. What requirement is mandatory when configuring a Cisco ASA to operate in transparent firewall mode?

A. IP routing must be disabled on the Cisco ASA using the no ip routing global configuration command. B. The Cisco ASA must be configured to use the same MAC address on its outside and inside interfaces. C. ARP inspection must be enabled on both the inside and outside interfaces using the arp inspection interface-name enable flood command. D. Both the inside and outside interfaces must be configured with the same security level. E. An inbound EtherType ACL is required on the inside and outside interfaces to permit ARP traffic. F. The management IP address of the Cisco ASA configured with the ip address global configuration command must belong in the 10.0.1.0/24 subnet. Answer: F Section: Pre-Production Design Explanation/Reference:

QUESTION 18 Refer to the exhibit. Which two statements are true? (Choose two.)

A. B. C. D. E.

The connection is awaiting outside ACK to SYN. The connection is initiated from the inside. The connection is active and has received inbound and outbound data. The connection is an incomplete TCP connection. The connection is a DNS connection.

Answer: BC Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 19 Which five options are valid logging destinations for the Cisco ASA? (Choose five.) A. B. C. D. E. F. G. AAA server Cisco ASDM buffer SNMP traps LDAP server email TCP-based secure syslog server

Answer: BCDFG Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 20 When troubleshooting redundant interface operations on the Cisco ASA, which configuration should be verified? A. B. C. D. E. The nameif configuration on the member physical interfaces are identical. The MAC address configuration on the member physical interfaces are identical. The active interface is sending periodic hellos to the standby interface. The IP address configuration on the logical redundant interface is correct. The duplex and speed configuration on the logical redundant interface are correct.

Answer: D Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 21 What mechanism is used on the Cisco ASA to map IP addresses to domain names that are contained in the botnet traffic filter dynamic database or local blacklist? A. B. C. D. E. F. HTTP inspection DNS inspection and snooping Web ACL dynamic botnet database fetches (updates) static black list static white list

Answer: B Section: Complex Operations Explanation/Reference:

QUESTION 22 Which three statements about traffic shaping capability on the Cisco ASA are true? (Choose three.)

A. Traffic shaping can be applied to all outgoing traffic on a physical interface or in the case of the Cisco ASA 5505, on a VLAN B. Traffic shaping can be applied in the input or output direction. C. Traffic shaping can cause jitter and delay. D. You can configure both traffic shaping and priority queueing on the same interface. E. Traffic shaping is not supported on the Cisco ASA 5580. Answer: ACE Section: Complex Operations Explanation/Reference:

QUESTION 23 Refer to the exhibit. Which statement about the policy map named test is true?

A. B. C. D.

Only HTTP inspection will be applied to the TCP port 21 traffic. Only FTP inspection will be applied to the TCP port 21 traffic. Both HTTP and FTP inspections will be applied to the TCP port 21 traffic. No inspection will be applied to the TCP port 21 traffic, because the http class map configuration conflicts with the ftp class map E. All FTP traffic will be denied, because the FTP traffic will fail the HTTP inspection. Answer: C Section: Complex Operations Explanation/Reference:

QUESTION 24 When troubleshooting a Cisco ASA (running 8.2.2) that is operating in transparent firewall mode, what should you verify to ensure proper operation? A. B. C. D. E. The Cisco ASA has not been configured for inside static or dynamic NAT. The Cisco ASA global IP address belongs to the same subnet as the directly connected interfaces. The outside and inside interface are connected to different Layer 3 subnets. The Cisco ASA is using a dedicated management interface for management access. The Cisco ASA is configured for ARP inspection.

Answer: B Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 25 Which Cisco ASA object group type offers the most flexibility for grouping different services together based on arbitrary protocols? A. B. C. D. E. network ICMP protocol TCP-UDP service

Answer: E Section: Complex Operations Explanation/Reference:

QUESTION 26 Which three parameters are set using the set connection command within a policy map on the Cisco ASA 8.2 release? (Choose three.) A. B. C. D. E. F. per-client TCP and/or UDP idle timeout per-client TCP and/or UDP maximum session time TCP sequence number randomization maximum number of simultaneous embryonic connections maximum number of simultaneous TCP and/or UDP connections fragments reassembly options

Answer: CDE Section: Complex Operations Explanation/Reference:

QUESTION 27 With Cisco ASA active/standby failover, what is needed to enable sub-second failover? A. B. C. D. Use redundant interfaces. Enable thestateful failover interface between the primary and secondary Cisco ASA. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec Decrease the default number of monitored interfaces to 1.

Answer: C Section: Complex Operations Explanation/Reference:

QUESTION 28 A Cisco ASA requires an additional feature license to enable which feature? A. transparent firewall

B. C. D. E.

cut-thru proxy threat detection botnet traffic filtering TCPnormalizer

Answer: D Section: Complex Operations Explanation/Reference:

QUESTION 29 Refer to the exhibit. What can be determined about the connection status?

A. The output is showing normal activity to the inside 10.1.1.50 web server. B. Many HTTP connections to the 10.1.1.50 web server have successfully completed the threeway TCP handshake C. Many embryonic connections are made from random sources to the 10.1.1.50 web server. D. The 10.1.1.50 host is triggering SYN flood attacks against random hosts on the outside. E. The 10.1.1.50 web server is terminating all the incoming HTTP connections. Answer: C Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 30 When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.) A. Verify the interface status in the system execution space.

B. C. D. E.

Verify the mac-address-table on the Cisco ASA. Verify that unique MAC addresses are configured if the contexts are using nonshared interfaces. Verify the interface status in the user context. Verify the resource classes configuration by accessing the admin context.

Answer: AD Section: Complex Operations Explanation/Reference:

QUESTION 31 What features are available by default with CSC-SSM base license (choose Three) A. B. C. D. E. F. G. Antispam Antivirus Antispyware HTTP & FTP file blocking URL Blocking and Filtering Antiphishing email content control

Answer: BCD Section: Complex Operations Explanation/Reference:

QUESTION 32 If an ASA is configured with overlapping NAT/PAT rules, The ASA will apply the rules in a specific order. What rule will be applied first ? A. B. C. D. E. F. Policy NAT Static NAT Static PAT Dynamic PAT Dynamic NAT NAT Exemption

Answer: F Section: Pre-Production Design Explanation/Reference:

QUESTION 33 In which two directions are the Cisco ASA modular policy framework inspection policies applied? (Choose two.) A. B. C. D. in the ingress direction only when applied globally in the ingress direction only when applied on an interface in the egress direction only when applied globally in the egress direction only when applied on an interface

E. bi-directionally when applied globally F. bi-directionally when applied on an interface Answer: AF Section: Pre-Production Design Explanation/Reference:

QUESTION 34 A Cisco ASA requires an additional feature license to enable which feature? A. B. C. D. E. transparent firewall cut-thru proxy threat detection botnet traffic filtering TCPnormalizer

Answer: D Section: Pre-Production Design Explanation/Reference:

QUESTION 35 When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level will produce the most messages? A. B. C. D. E. F. notifications informational alerts emergencies errors debugging

Answer: F Section: Advanced Troubleshooting Explanation/Reference:

QUESTION 36 What is the default interval for how often the dynamic database of the Cisco ASA botnet traffic filter is updated from Cisco/lronPort? A. B. C. D. E. F. every 5 minutes every 15 minutes every 30 minutes every 1 hour every 12 hours every 24 hours

Answer: D Section: Complex Operations

Explanation/Reference:

QUESTION 37 What feature can have a major performance impact if enabled? A. B. C. D. E. VPN termination Advanced Threat Detection uRPF DNS snooping Anti-spoofing

Answer: B Section: New Questions Explanation/Reference: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1096812

QUESTION 38 With ASA Redundant Interfaces - what happens When Active turns to Standby? A. B. C. D. E. Send Hellos Packet Does a broadcast ping to find active interface Checks any of the 8 redundanct interface pairs for active connection Changes the mac-address to that of the new Active interface does ARP request to see if the mac address responds

Answer: D Section: New Questions Explanation/Reference:

QUESTION 39 What feature is not supported with Security Context + Transparent mode? A. B. C. D. mac address learning shared interface multiple context mode http inspection

Answer: B Section: New Questions Explanation/Reference: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146747 Note The management interface for transparent mode does not flood a packet out the interface when that packet is not in the MAC address table. You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.

QUESTION 40

What does the hw-module module 1 recover command do? A. B. C. D. E. automatically goes into ROMMON mode so you can access the module allows you to reconfigure the management interface froma reset forces the module to reload the software without any configuration allows you to load a new software image from a TFTP server enables the password recovery reset

Answer: D Section: New Questions Explanation/Reference: Official Guide - Page 686

QUESTION 41 How many failover group are supported by Active/Active failover? A. B. C. D. 1 2 1 on each contect 2 on each context

Answer: B Section: New Questions Explanation/Reference:

QUESTION 42 With active/standby failover, what happens if the standby Cisco ASA does not recieve three consective hello messages from the active Cisco ASA on the LAN failover interface? A. The standby ASA immeditaley becomes the active ASA B. The standby ASA eventually becomes the active ASA after three times the the hold-down times interval expires C. The standby ASA runs network activity tests, including ARP and ping, to determine if the active ASA has expired D. The standby ASA sends additional hello packets on all monitored interfaces, including the LAN failover interface, to determine of the active ASA has failed E. Both ASA's go into unknown state until the LAN interface becomes operational again Answer: C Section: New Questions Explanation/Reference: Official Guide - page 610 onwards

QUESTION 43 Which feature is not supported on the Cisco ASA 5505 with Security Plus license? A. security contexts

B. C. D. E.

stateless Active/Standby Failover transparent firewall threat detection traffic shaping

Answer: A Section: New Questions Explanation/Reference: Official Guide Page 27 - Table 1-14

QUESTION 44 Which two functions will the Set ASDM Defined User Roles perform? (Choose two)

A. enables role based privileges to most Cisco ASA commands B. enable the Cisco ASDM user to assign user privileges manually to individual commands or group of commands C. enables command authorization with a remote TACACS+ server D. enables three pre-define user account privileges (Admin = Priv 15, Read-only = Priv 5, Monitor only = Priv 3) Answer: AD Section: New Questions Explanation/Reference: Official Guide Page 208 onwards Configuring Local AAA Command Authorization To enable AAA authorization using the LOCAL database, you can use a wizard function in ASDM to quickly set up RBAC privilege levels to most commands, while still being able to make manual customizations to each command. To do so, navigate to Configuration > Device Management > Users/AAA > AAA Access and click the Authorization tab, shown in the background in Figure 5-29.

Exam C QUESTION 1 Drag and Drop #1

Answer:

Section: Pre-Production Design Explanation/Reference:

QUESTION 2 Drag and Drop #2

Answer:

Section: Complex Operations Explanation/Reference:

QUESTION 3 Drag and Drop #3

Answer:

Section: Complex Operations

Explanation/Reference:

Exam D QUESTION 1 LAB Question Intro - Scenario - Topo This is a Hot Area - select the correct areas to click on -------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------------------------------------

Answer:

Section: Lab Explanation/Reference:

QUESTION 2 LAB Question #1a - Scenario - Topo This is a Hot Area - select the correct areas to click on ------------------------------------------------------------------------------Enable HTTP Inspect gloabally on the ASA

Answer:

Section: Lab Explanation/Reference:

QUESTION 3 LAB Question #1b - Scenario - Topo This is a Hot Area - select the correct areas to click on ------------------------------------------------------------------------------Enable HTTP Inspect gloabally on the ASA

Answer:

Section: Lab Explanation/Reference:

QUESTION 4 LAB Question #1c - Scenario - Topo This is a Hot Area - select the correct areas to click on ------------------------------------------------------------------------------Enable HTTP Inspect gloabally on the ASA

Answer:

Section: Lab Explanation/Reference:

QUESTION 5 LAB Question #2 - Scenario - Topo This is a Hot Area - select the correct areas to click on ------------------------------------------------------------------------------Create a new HTTP Inspect map named: http-inspect-map

Answer:

Section: Lab Explanation/Reference:

QUESTION 6 LAB Question #2a - Parameters This is a Hot Area - select the correct areas to click on ------------------------------------------------------------------------------Create a new HTTP Inspect map named: http-inspect-map > enable dropping and of any HTTP connections that encounter HTTP Violations

Answer:

Section: Lab Explanation/Reference: 1: Make sure you enter in the name exactly as written - http-inspect-map 2: Leave Logging - disabled

QUESTION 7 LAB Question #2b-a - Inspections This is a Hot Area - select the correct areas to click on ------------------------------------------------------------------------------Enable the dropping and logging of HTTP connections when the content type in the HTTP response does not match one of the MIME types in the accept field HTTP request

Answer:

Section: Lab Explanation/Reference:

QUESTION 8 LAB Question #2b-b - Scenario - Topo This is a Hot Area - select the correct areas to click on ------------------------------------------------------------------------------Enable the dropping and logging of HTTP connections when the content type in the HTTP response does not match one of the MIME types in the accept field HTTP request

Answer:

Section: Lab Explanation/Reference:

Make sure to click OK at the end and it will show you this

QUESTION 9 LAB Question #2b-c - Scenario - Topo This is a Hot Area - select the correct areas to click on ------------------------------------------------------------------------------Enable the dropping and logging of HTTP connections when the content type in the HTTP response does not match one of the MIME types in the accept field HTTP request

Answer:

Section: Lab Explanation/Reference:

Click OK all the way back to main screen and you should see this

QUESTION 10 LAB Question Finishing This is a Hot Area - select the correct areas to click on ------------------------------------------------------------------------------Make sure you save and exit properly

Answer:

Section: Lab Explanation/Reference: Two ways to save - preference is to Save before Exit

Exam E QUESTION 1 Question 1# Which two statements about the Cisco ASA configuration is true? (Choose two.)

A. B. C. D. E.

NAT Control is enabled The Cisco ASA is setup as the DHCP server for hosts on the inside and outside interfaces All IP traffic is permitted from the inside host to the outside All hosts on the inside and on the outside can access Cisco ASDM Access to the CLI in privileged mode will be authenticated using the LOCAL database on the Cisco ASA F. The ASA is using a persistent self-signed certificated so users can authenticate the Cisco ASA when accessing it via Cisco ASDM Answer: AB Section: Pre-Production Design Explanation/Reference: Have to check each and every setting -- expect different results for different exams

QUESTION 2 The ASA administrator wants to configure Botnet Traffic Filter using the dynamic database but it is not working properly after the initiate configuration has been entered. What other configuration is missing?

A. B. C. D. E.

Enabling DNS Snooping Enabling Botnet Traffic Filtering on at least one of the ASA interface Enabling the ASA to periodically download the dynamic database from Cisco Enabling DNS inspection globally Configuring the manual white and black lists

Answer: AC Section: Complex Operations Explanation/Reference: Just check all the following settings - certain they will change from time to time

####################################################

##############################################

QUESTION 3 Question #3 When the Cisco ASA detects scanning attacks, how long is the attacker who is performing the scan shunned?

A. B. C. D. E.

120 seconds 600 seconds 1200 seconds 3600 seconds 6000 seconds

Answer: B Section: Complex Operations Explanation/Reference: From ASDM