Vous êtes sur la page 1sur 320

Base

Base
Base
Base
Base
Base

28 QUESTION 28
28 What is the purpose of the Integrity component of the CIA triad?
28 A. to ensure that only authorized parties can modify data
28 B. to determine whether data is relevant
28 C. to create a process for accessing data
28 D. to ensure that only authorized parties can view data

Base
Base
Base
Base
Base
Base

45 QUESTION 45
45 What type of attack was the Stuxnet virus?
45 A. cyber warfare
45 B. hactivism
45 C. botnet
45 D. social engineering

Base
Base
Base
Base
Base
Base

58 QUESTION 58
58 Which tool can an attacker use to attempt a DDos attack?
58 A. botnet
58 B. Trojan horse
58 C. virus
58 D. adware

Base
Base
Base
Base
Base
Base

63 QUESTION 63
63 When is the best time to perform an anti-virus signature update?
63 A. When the local scanner has detected a new virus
63 B. When a new virus is discovered in the wild
63 C. Every time a new update is available
63 D. When the system detects a browser hook

Base
Base
Base
Base
Base
Base

104 QUESTION 104


104 In a security context, which action can you take to address compliance?
104 A. Implement rules to prevent a vulnerability
104 B. Correct or counteract a vulnerability
104 C. Reduce the severity of a vulnerability
104 D. Follow directions from the security appliance manufacturer to remediate a

Base
Base
Base
Base
Base
Base
Base

119 QUESTION 119


119 By which kind of threat is the victim tricked into entering username and pass
119 disguised website?
119 A. Spoofing
119 B. Malware
119 C. Spam
119 D. Phishing

Base
Base
Base
Base
Base
Base

128 QUESTION 128


128 In which stage of an attack does the attacker discover devices on a target ne
128 A. Reconnaissance
128 B. Covering tracks
128 C. Gaining access
128 D. Maintaining access

Base
Base
Base

129 QUESTION 129


129 Which type of security control is defense in depth?
129 A. Threat mitigation

Base
Base
Base

129 B. Risk analysis


129 C. Botnet mitigation
129 D. Overt and covert channels

Base
Base
Base
Base
Base
Base
Base

166 QUESTION 166


166 In which type of attack does an attacker send email message that ask the re
166 such as https://www.cisco.net.cc/securelogs?
166 A. pharming
166 B. phishing
166 C. solicitation
166 D. secure transaction

Base
Base
Base
Base
Base
Base
Base
Base
Base
Base
Base
Base
Base
Base
Base
Base
Base

168 QUESTION 168


168 Your security team has discovered a malicious program that has been harves
168 email messages and the company's user database for the last 6 months. Wh
168 your team discover?
168 A. social activism
168 B. drive-by spyware
168 C. targeted malware
168 D. advance persistent threat
168 E. Polymorphic virus
175 QUESTION 175
175 What are the three layers of a hierarchical network design? (Choose three.)
175 A. core
175 B. access
175 C. server
175 D. user
175 E. internet
175 F. distribution

Base
Base
Base
Base
Base
Base
Base

181 QUESTION 181


181 A data breach has occurred and your company database has been copied. W
181 principle has been violated?
181 A. Confidentiality
181 B. Access
181 C. Control
181 D. Availability

ss compliance?

turer to remediate a vulnerability


username and password information at a

evices on a target network?

sage that ask the recipient to click a link

hat has been harvesting the CEO's


e last 6 months. What type of attack did

n? (Choose three.)

has been copied. Which security

AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA

22 QUESTION 22
22 In which three ways does the TACACS protocol differ from RADIUS? (Choose t
22 A. TACACS uses TCP to communicate with the NAS
22 B. TACACS can encrypt the entire packet that is sent to the NAS
22 C. TACACS authenticates and authorizes simultaneously, causing fewer pack
22 D. TACACS uses UDP to communicate with the NAS
22 E. TACACS encrypts only the password field in an authentication packet
22 F. TACACS support per-command authorization

AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA

35 QUESTION 35
35 What is a possible reason for the error message?
35 Router(config)#aaa server?
35 % Unrecognized command
35 A. The command syntax requires a space after the word "server"
35 B. The command is invalid on the target device
35 C. The router is already running the latest operating system
35 D. The router is a new device on which the aaa new-model command
35 continuing

AAA
AAA
AAA
AAA
AAA
AAA

52 QUESTION 52
52 Which statement about Cisco ACS authentication and authorization is true?
52 A. ACS servers can be clustered to provide scalability
52 B. ACS can query multiple Active Directory domains
52 C. ACS uses TACACS to proxy other authentication servers
52 D. ACS can use only one authorization profile to allo or deny requests

AAA
AAA
AAA
AAA
AAA
AAA
AAA

89 QUESTION 89
89 If a router configuration includes the line aaa authentication login default gro
89 which events will occur when the TACACS+ server returns an error? (Choose
89 A. The user will be prompted to authenticate using the enable passw
89 B. Authentication attempts to the router will be denied
89 C. Authentication will use the router`s local database
89 D. Authentication attempts will be sent to the TACACS+ server

AAA
AAA
AAA
AAA
AAA
AAA
AAA

93 QUESTION 93
93 What is the default timeout interval during which a router waits for response
93 server before declaring a timeout failure?
93 A. 5 seconds
93 B. 10 seconds
93 C. 15 seconds
93 D. 20 seconds

AAA
AAA
AAA
AAA
AAA
AAA
AAA

116 QUESTION 116


116 Which accounting notices are used to send a failed authentication attempt re
116 server? (Choose two.)
116 A. start-stop
116 B. stop-record
116 C. stop-only
116 D. stop

AAA
AAA
AAA

130 QUESTION 130


130 On which Cisco Configuration Professional screen do you enable AAA?
130 A. AAA Summary

AAA
AAA
AAA

130 B. AAA Servers and Groups


130 C. Authentication Policies
130 D. Authorization Policies

AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA

151 QUESTION 151


151 Refer to the exhibit. Which statement about the given configuration is true?
151 Tacacs server tacacsl
151 Address ipv4 1.1.1.1
151 Timeout 20
151 Single- connection
151 Tacacs server tacacs2
151 Address ipv4 2.2.2.2
151 Timeout 20
151 Single- connection
151 Tacacs server tacacs3
151 Address ipv4 3.3.3.3
151 Timeout 20
151 Single- connection
151 A. The timeout command causes the device to move to the next server after
151 inactivity.
151 B. The single-connection command causes the device to process one TACACS
151 move to the next server.
151 C. The single-connection command causes the device to establish on
151 transactions.
151 D. The router communicates with the NAS on the default port, TCP 1645

AAA
AAA
AAA
AAA
AAA
AAA

169 QUESTION 169


169 What is the best way to confirm that AAA authentication is working properly?
169 A. use the test aaa command
169 B. use the Cisco-recommended configuration for AAA authentication
169 C. Log into and out of the router, and then check the NAS authentication log
169 D. Ping the NAS to confirm connectivity

AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA

180 QUESTION 180


180 Which three ways does the RADIUS protocol differ from TACACS?? (Choose th
180 A. RADIUS authenticates and authorizes simultaneously. Causing few
180 B. RADIUS encrypts only the password field in an authentication pac
180 C. RADIUS can encrypt the entire packet that is sent to the NAS
180 D. RADIUS uses UDP to communicate with the NAS
180 E. RADIUS uses TCP to communicate with the NAS
180 F. RADIUS support per-command authentication

m RADIUS? (Choose three)

nt to the NAS
causing fewer packets to be transmitted

tication packet

w-model command must be applied before

thorization is true?

eny requests

ion login default group tacacs+ enable,


s an error? (Choose two.)
g the enable password

ACS+ server

r waits for responses from a TACACS

entication attempt record to a AAA

enable AAA?

nfiguration is true?

he next server after 20 seconds of TACACS

process one TACACS request and then

ice to establish one connection for all TACACS


port, TCP 1645

is working properly?

hentication
S authentication log

ACACS?? (Choose three)


ously. Causing fewer packets to be transmitted
authentication packets

ISE
ISE
ISE
ISE
ISE
ISE

54 QUESTION 54
54 What is one requirement for locking a wired or wireless device from ISE?
54 A. The ISE agent must be installed on the device
54 B. The device must be connnected to the network when the lock command is
54 C. The user must approve the locking action
54 D. The organization must implement an acceptable use policy allowing devic

ISE
ISE
ISE
ISE
ISE
ISE
ISE
ISE
ISE

142 QUESTION 142


142 When an administrator initiates a device wipe command from the ISE, what i
142 effect?
142 A. It requests the administrator to choose between erasing all device data or
142 corporate data.
142 B. It requests the administrator to enter the device PIN or password before p
142 operation
142 C. It immediately erases all data on the device.
142 D. It notifies the device user and proceeds with the erase operation

ISE
ISE
ISE
ISE
ISE
ISE
ISE

143 QUESTION 143


143 How does a device on a network using ISE receive its digital certificate durin
143 registration process?
143 A. ISE acts as a SCEP proxy to enable the device to receive a certificate from
143 B. The device request a new certificate directly from a central CA
143 C. ISE issues a pre-defined certificate from a local database
143 D. ISE issues a certificate from its internal CA server.

evice from ISE?

the lock command is executed

policy allowing device locking

from the ISE, what is the immediate

ng all device data or only managed

r password before proceeding with the

e operation

ital certificate during the new-device

ve a certificate from a central CA server

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

6 QUESTION 6
6 What type of algorithm uses the same key to encryp and decrypt data?
6 A. a symmetric algorithm
6 B. an asymetric algorithm
6 C. a Public Key infrastructure algorithm
6 D. an IP Security algorithm

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

9 QUESTION 9
9 Which EAP method uses protected Access Credentials?
9 A. EAP-TLS
9 B. EAP-PEAP
9 C. EAP-FAST
9 D. EAP-GTC

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

74 QUESTION 74, 141


74 Which two next generation encrytption algorithms does Cisco recommend? (
74 A. AES
74 B. 3DES
74 C. DES
74 D. MD5
74 E. DH-1024
74 F. SHA-384

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

87 QUESTION 87
87 What hash type does Cisco use to validate the integrity of downloaded image
87 A. Sha1
87 B. Sha2
87 C. Md5
87 D. Md1

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

92 QUESTION 92
92 Which components does HMAC use to determine the authenticity and integri
92 A. The password
92 B. The hash
92 C. The key
92 D. The transform set

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

98 QUESTION 98
98 Which protocols use encryption to protect the confidentiality of data transmi
98 parties? (Choose two.)
98 A. FTP
98 B. SSH
98 C. Telnet
98 D. AAA
98 E. HTTPS

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

138 QUESTION 138


138 Which of encryption technology has the broadcast platform support to protec
138 A. Middleware
138 B. Hardware
138 C. software
138 D. file-level

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

171 QUESTION 171


171 What improvement does EAP-FASTv2 provide over EAP-FAST?
171 A. It support more secure encryption protocols.
171 B. It allows multiple credentials to be passed in a single EAP exchange
171 C. It addresses security vulnerabilities found in the original protocol.
171 D. It allows faster authentication by using fewer packets.

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

173 QUESTION 173


173 What mechanism does asymmetric cryptography use to secure data?
173 A. an RSA nonce
173 B. a public/private key pair.
173 C. an MD5 hash.
173 D. shared secret keys.

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

184 QUESTION 184


184 How does PEAP protect EAP exchange?
184 A. it encrypts the exchange using the client certificate.
184 B. it validates the server-supplied certificate and then encrypts the exchange
184 certificate
184 C. it encrypts the exchange using the server certificate
184 D. it validates the client-supplied certificate and then encrypts the exchange
184 certificate.

decrypt data?

Cisco recommend? (Choose two)

of downloaded images?

henticity and integrity of a message?

ality of data transmitted between two

rm support to protect operating systems?

EAP exchange
al protocol.

secure data?

crypts the exchange using the client

crypts the exchange using the server

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

2 QUESTION 2, 146
2 Which three ESP fields can be encrypted during transmission? (Choose three
2 A. Security Parameter Index
2 B. Sequence Number
2 C. MAC Address
2 D. Padding
2 E. Pad Length
2 F. Next Header

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

21 QUESTION 21
21 Which command is needed to enable SSH support on a Cisco Router?
21 A. crypto key lock rsa
21 B. crypto key generate rsa
21 C. crypto key zeroize rsa
21 D. crypto key unlock rsa

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

33 QUESTION 33
33 What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose tw
33 A. The Internet Key Exchange protocol establishes security associat
33 B. The Internet Key Exchange protocol provides data confidentiality
33 C. The Internet Key Exchange protocol provides replay detection
33 D. The Internet Key Exchange protocol is responsible for mutual aut

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

38 QUESTION 38
38 Which source port does IKE use when NAT has been detected between two V
38 A. TCP 4500
38 B. TCP 500
38 C. UDP 4500
38 D. UDP 500

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

39 QUESTION 39
39 Which of the following are features of IPsec transport mode? (Choose three.)
39 A. IPsec transport mode is used between end stations
39 B. IPsec transport mode is used between gateways
39 C. IPsec transport mode supports multicast
39 D. IPsec transport mode supports unicast
39 E. IPsec transport mode encrypts only the payload
39 F. IPsec transport mode encrypts the entire packet

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

41 QUESTION 41
41 Which command verifies phase 1 of an IPsec VPN on a Cisco router?
41 A. show crypto map
41 B. show crypto ipsec sa
41 C. show crypto isakmp sa
41 D. show crypto engine connection active

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

57 QUESTION 57
57 What is the effect of the given command sequence?
57
57
57
57
57

IPSec
IPSec
IPSec
IPSec
IPSec

57 A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with


57 10.100.100.0/24
57 B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a dest
57 C. it defines IKE policy for traffic sourced from 10.10.10.0/24 with a destinati
57 D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destin

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

64 QUESTION 64
64 What is the effect of thesend-lifetime local 23:59:00 31 December 31
64 A. It configures the device to begin transmitting the authentication key to oth
64 local time on January 1, 2014 and continue using the key indefinitely.
64 B. It configures the device to begin transmitting the authentication
64 local time on December 31, 2013 and continue using the key indefin
64 C. It configures the device to begin accepting the authentication key from oth
64 and stop accepting the key at 23:59:00 local time on December 31, 2013.
64 D. It configures the device to generate a new authentication key and transm
64 23:59 00 local time on December 31, 2013.
64 E. It configures the device to begin accepting the authentication key from oth
64 local time on December 31, 2013 and continue accepting the key indefinitely
64 F. It configures the device to begin accepting the authentication key from oth
64 local time on January 1, 2014 and continue accepting the key indefinitely.

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

78 QUESTION 78
78 Refer to the exhibit. What is the effect of the given command sequence?
78
78
78
78
78
78
78
78 A. It configures IKE Phase 1
78 B. It configures a site-to-site VPN Tunnel
78 C. It configures a crypto policy with a key size of 14400
78 D. It configures IPSec Phase 2

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

108 QUESTION 108, 164


108 Which two authentication types does OSPF support? (Choose two)
108 A. plaintext
108 B. MD5
108 C. HMAC
108 D. AES 256
108 E. SHA-1
108 F. DES

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

152 QUESTION 152


152 Refer to the exhibit. What is the effect of the given command?
152 Crypto ipsec transform-set myset esp-md5-hmac esp-esp-aes-256
152 A. It configure the network to use a different transform set between peers.
152 B. It merges authentication and encryption methods to protect traffic that ma
152 C. It configures encryption for MD5 HMAC.
152 D. It configures authentications as AES 256.

sion? (Choose three)

isco Router?

sec VPN? (Choose two.)


security associations
fidentiality

ble for mutual authentication

cted between two VPN gateways?

de? (Choose three.)

sco router?

0.10.10.0/24 with a desstination of

100.0/24 with a destination of 10.10.10.0/24


0/24 with a destination of 10.100.100.0/24
0.0/24 with a destination of 10.10.10.0/24

0 31 December 31 2013infinite command?


entication key to other devices at 00:00:00
indefinitely.
he authentication key to other devices at 23:59:00
ng the key indefinitely.
tication key from other devices immediately
cember 31, 2013.
tion key and transmit it to other devices at

tication key from other devices at 23:59:00


g the key indefinitely.
tication key from other devices at 00:00:00
e key indefinitely.

mand sequence?

sp-esp-aes-256
et between peers.
rotect traffic that matches an ACL.

VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN

4 QUESTION 4
4 Refer to the exhibit. If a supplicant supplies incorrect credentials for all authe
4 configured on the switch, how will the switch respond?
4
4
4
4
4
4
4
4 A. The switch will cycle through the configured authentication methods indefi
4 B. The supplicant will fail to advance beyond the webauth method.
4 C. The authentication attempt will time out and the switch will place the port
4 state
4 D. The authentication attempt will time out and the switch will place the port

VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN

44 QUESTION 44, 149


44 Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the sh
44 command. What does the given output show?
44
44
44
44
44 A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5
44 B. IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5
44 C. IPSec Phase 1 is down due to a QM_IDLE state
44 D. IPSEc Phase 2 is down due to a QM_IDLE state

VPN
VPN
VPN
VPN
VPN
VPN

46 QUESTION 46, 153


46 Which type of secure connectivity does an extranet provide?
46 A. remote branch offices to your company network
46 B. your company network to the Internet
46 C. new networks to your company network
46 D. other company networks to your company network

VPN
VPN
VPN
VPN
VPN
VPN
VPN

50 QUESTION 50
50 What VPN feature allows traffic to exit the security appliance through the sam
50 entered?
50 A. Hairpinning
50 B. NAT
50 C. NAT traversal
50 D. split tunneling

VPN
VPN
VPN
VPN
VPN
VPN
VPN

62 QUESTION 62
62 What VPN feature allows Internet traffic and local LAN/WAN traffic to use the
62 connection.
62 A. split tunneling
62 B. hairpinning
62 C. tunnel mode
62 D. transparent mode

VPN

66 QUESTION 66

VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN

66 Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the sh
66 command. What does the given output show?
66
66
66
66
66
66
66
66
66 A. ISAKMP security associations are established between 10.1.1.5 and 10.1.1
66 B. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5
66 C. IKE version 2 security associations are established between 10.1.1.1 and 1
66 D. IPSec Phase 2 is down due to a mismatch between encrypted and decrypt

VPN
VPN
VPN
VPN
VPN
VPN

67 QUESTION 67
67 Which statement about a PVLAN isolated port configured on a switch is true?
67 A. The isolated port can communicate only with the promiscous port
67 B. The isolated port can communicate with other isolated ports and the prom
67 C. The isolated port can communicate only with community ports
67 D. The isolated port can communicate only with other isolated ports

VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN

100 QUESTION 100


100 How can the administrator enable permanent client installation in a Cisco An
100 firewall configuration?
100 A. Issue the command anyconnect keep-installer under the group po
100 B. Issue the command anyconnect keep-installer installed in the global config
100 C. Issue the command anyconnect keep-installer installed under the group p
100 webvpn mode
100 D. Issue the command anyconnect keep-installer installer under the group po
100 webvpn mode

VPN
VPN
VPN
VPN
VPN
VPN

147 QUESTION 147


147 Which type of PVLAN port allows host in the same VLAN to communicate dire
147 A. promiscuous for hosts in the PVLAN
147 B. span for hosts in the PVLAN
147 C. Community for hosts in the PVLAN
147 D. isolated for hosts in the PVLAN

VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN

148 QUESTION 148


148 Refer to the exhibit while troubleshooting site-to-site VPN, you issued the sho
148 sa command. What does the given output shows?
148 Dst src state conn-id slot
148 10.10.10.2 10.1.1.5 MM_NO_STATE 1 0
148 A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to n
148 B. IKE Phase 1 main mode has successfully negotiate between 10.1.1.5 and1
148 C. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to neg
148 D. IKE Phase 1 aggressive mode was create on 10.1.1.5, but it failed to nego

VPN
VPN
VPN

150 QUESTION 150


150 Refer to the exhibit. You have configured R1 and R2 as shown, but the router
150 establish a site-to-site VPN tunnel. What action can you take to correct the p

VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN

150 R1
150 Interface GigabitEthernet 0/0
150 IP address 10.20.20.4 255.255.255.255.0
150 Crypto isakmp policy 1
150 Authentication pre-share
150 Lifetime 84600
150 Crypto isakmp key test67890 address 10.20.20.4
150 R2
150 Interface GigabitEthernet 0/0
150 IP address 10.20.20.4 255.255.255.255.0
150 Crypto isakmp policy 10
150 Authentication pre-share
150 Lifetime 84600
150 Crypto isakmp key test12345 address 10.30.30.5
150 A. Edit the crypto keys on R1 and R2 to match.
150 B. Edit the crypto isakmp key command on each router with the address valu
150 C. Edit the ISAKMP policy sequence numbers on R1 and R2 to match.
150 D. set a valid value for the crypto key lifetime on each router.

VPN
VPN
VPN
VPN
VPN
VPN
VPN

161 QUESTION 161


161 What configuration allows AnyConnect to authenticate automatically establis
161 when a user logs in to the computer?
161 A. proxy
161 B. Trusted Network Detection
161 C. transparent mode
161 D. always-on

dentials for all authentication methods

ation methods indefinitely


h method.
h will place the port into the unathorized

ch will place the port into VLAN 101

N, you issued the show crypto isakmp as

2 and 10.1.1.5

ance through the same interface it

AN traffic to use the same network

N, you issued the show crypto ipsec sa

10.1.1.5 and 10.1.1.1


and 10.1.1.5
ween 10.1.1.1 and 10.1.1.5
crypted and decrypted packets

on a switch is true?
e promiscous port
d ports and the promiscuous port

olated ports

allation in a Cisco AnyConnect VPN

nder the group policy or username webvpn mode


d in the global configuration
d under the group policy or username

r under the group policy or username

to communicate directly with the other?

N, you issued the show crypto isakamp

, but it failed to negotiate with 10.10.10.2


ween 10.1.1.5 and10.10.10.2
, but it failed to negotiate with 10.10.10.2
but it failed to negotiate with 10.10.10.2

hown, but the routers are unable to


ake to correct the problem?

with the address value of its own interface


R2 to match.

utomatically establish a VPN session

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

13 QUESTION 13
13 What is the transition order of STP states on a Layer 2 switch interface?
13 A. listening, learning, blocking, forwarding, disabled
13 B. listening, blocking, learning, forwarding, disabled
13 C. blocking, listening, learning, forwarding, disabled
13 D. forwarding, listening, learning, blocking, disabled

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

40 QUESTION 40
40 Which command causes a Layer 2 switch interface to operate as a Layer 3 in
40 A. no switchport nonnegotiate
40 B. switchport
40 C. no switchport mode dynamic auto
40 D. no switchport

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

71 QUESTION 71
71 In what type of attack does an attacker virtually change a devices burned in
71 to circumvent access lists and mask the device's true identity?
71 A. gratuitous ARP
71 B. ARP poisoning
71 C. IP Spoofing
71 D. MAC Spoofing

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

73 QUESTION 73
73 An attacker installs a rogue switch that sends superior BPDUs on your netwo
73 What is a possible result of this activity?
73 A. The switch could offer fake DHCP addresses.
73 B. The switch could become the root bridge.
73 C. The switch could be allowed to join the VTP domain
73 D. The switch could become a transparent bridge.

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

80 QUESTION 80
80 If you change the native VLAN on the port to an unused VLAN, what happens
80 attempts a double tagging attack?
80 A. The trunk port would go into an error-disable state.
80 B. A VLAN hopping attack would be successful
80 C. A VLAN hopping attack would be prevented
80 D. the attacked VLAN will be pruned

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

99 QUESTION 99
99 What are the primary attack methods of VLAN hopping? (Choose two.)
99 A. VoIP hopping
99 B. Switch spoofing
99 C. CAM-table overflow
99 D. Double tagging

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

110 QUESTION 110


110 What command can you use to verify the binding table status?
110 A. Show ip dhcp snooping binding
110 B. Show ip dhcp snooping database
110 C. show ip dhcp snooping statistics
110 D. show ip dhcp pool
110 E. show ip dhcp source binding
110 F. show ip dhcp snooping

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

111 QUESTION 111


111 If a switch receives a superior BPDU and goes directly into a blocked state, w
111 be in use?
111 A. Etherchannel guard
111 B. root guard
111 C. loop guard
111 D. BPDU guard

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

117 QUESTION 117


117 If the native VLAN on a trunk is different on each end of the link, what is a po
117 consequence?
117 A. The interface on both switches may shut down
117 B. STP loops may occur
117 C. The switch with the higher native VLAN may shut down
117 D. The interface with the lower native VLAN may shut down

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

121 QUESTION 121


121 Which statement correctly describes the function of a private VLAN?
121 A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN
121 B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into sub
121 C. A private VLAN enables the creation of multiple VLANs using one broadcas
121 D. A private VLAN combines the Layer 2 broadcast domains of many VLANs i
121 broadcast domain

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

123 QUESTION 123


123 What is the most common Cisco Discovery Protocol version 1 attack?
123 A. Denial of Service
123 B. MAC-address spoofing
123 C. CAM-table overflow
123 D. VLAN hopping

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

124 QUESTION 124


124 What is the Cisco preferred countermeasure to mitigate CAM overflows?
124 A. Port security
124 B. Dynamic port security
124 C. IP source guard
124 D. Root guard

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

125 QUESTION 125


125 When a switch has multiple links connected to a downstream switch, what is
125 STP takes to prevent loops?
125 A. STP elects the root bridge
125 B. STP selects the root port
125 C. STP selects the designated port
125 D. STP blocks one of the ports

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

126 QUESTION 126


126 Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)
126 A. Port security
126 B. DHCP snooping
126 C. IP source guard
126 D. Dynamic ARP inspection

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

156 QUESTION 156


156 What is the potential drawback to leaving VLAN 1 as the native VLAN?
156 A. Gratuitous ARPs might be able to conduct a man-in-the-middle attack.
156 B. The CAM might be overloaded, effectively turning the switch into hub.
156 C. VLAN 1 might be vulnerable to IP address spoofing
156 D. It may be susceptible to a VLAN hopping attack

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

176 QUESTION 176


176 In which type of attack does the attacker attempt to overload the CAM table
176 the switch acts as a hub?
176 A. gratuitous ARP
176 B. MAC flooding
176 C. MAC spoofing
176 D. DoS

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

182 QUESTION 182


182 If a switch receives a superior BPDU and goes directly into a blocked state, w
182 must be in use?
182 A. BPDU guard
182 B. portfast
182 C. EherCahannel guard
182 D. loop guard
182 E. STP Root guard

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

192 QUESTION 192


192 Which three statements are characteristics of DHCP Spoofing? (choose three
192 A. Arp Poisoning
192 B. Modify Traffic in transit
192 C. Used to perform man-in-the-middle attack
192 D. Physically modify the network gateway
192 E. Protect the identity of the attacker by masking the DHCP address
192 F. can access most network devices

witch interface?

erate as a Layer 3 interface?

a devices burned in address in an attempt

PDUs on your network.

VLAN, what happens if an attacker

(Choose two.)

o a blocked state, what mecanism must

the link, what is a potential

vate VLAN?
domain of a VLAN into subdomains
n of a VLAN into subdomains
s using one broadcast domain
ins of many VLANs into one major

on 1 attack?

CAM overflows?

eam switch, what is the first step that

ks? (Choose two.)

native VLAN?
e-middle attack.
switch into hub.

rload the CAM table on a switch so that

o a blocked state, what mechanism

ofing? (choose three)

CP address

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

10 QUESTION 10
10 In which two situations should you use out-of-band management? (Choose tw
10 A. when a network device fails to forward packets
10 B. when management applications need concurrent access to the device
10 C. when you require ROMMON access
10 D. when you require adminstrator access from multiple locations
10 E. when the control plane fails to respond

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

20 QUESTION 20
20 Which Cisco Security Manager application collects information about device s
20 generate notifications and alerts?
20 A. FlexConfig
20 B. Device Manager
20 C. Report Manager
20 D. Health and Performance Monitor

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

30 QUESTION 30
30 Which protocol provides security to Secure Copy?
30 A. IPsec
30 B. SSH
30 C. HTTPS
30 D. ESP

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

47 QUESTION 47
47 After reloading a router, you issue the dir command to verify the installation
47 image file appears to be missing. For what reason could the image file fail to
47 output?
47 A. The secure boot-image command is configured
47 B. The secure boot-comfit command is configured
47 C. The confreg 0x24 command is configured.
47 D. The reload command was issued from ROMMON.

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

56 QUESTION 56
56 What are two default Cisco IOS privilege levels? (Choose two)
56 A. 0
56 B. 5
56 C. 1
56 D. 7
56 E. 10
56 F. 15

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

83 QUESTION 83
83 Which syslog severity level is level number 7?
83 A. Warning
83 B. Informational
83 C. Notification
83 D. Debugging

SecMP
SecMP
SecMP
SecMP
SecMP

95 QUESTION 95
95 Which command initializes a lawful intercept view?
95 A. username cisco1 view lawful-intercept password cisco
95 B. parser view cisco li-view
95 C. li-view cisco user cisco1 password cisco

SecMP

95 D. parser view li-view inclusive

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

105 QUESTION 105


105 How many times was a read-only string used to attempt a write operation?
105
105
105
105
105
105
105
105
105
105
105
105
105
105
105
105
105
105
105
105
105
105 A. 6
105 B. 9
105 C. 4
105 D. 3
105 E. 2

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

109 QUESTION 109, 159


109 Refer to the exhibit. The Admin user is unable to enter configuration mode on
109 given configuration. What change can you make to the configuration to corre
109
109
109
109
109
109
109 A. Remove the Autocommand keyword and arguments from the Use
109 B. Change the Privilege exec level value to 15
109 C. Remove the two Username Admin lines
109 D. Remove the Privilege exec line.

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

157 QUESTION 157


157 Refer to the exhibit. Which line in this configuration prevents the HelpDesk u
157 the interface configuration?
157 Username Engineer privilege 9 password 0 configure
157 Username Monitor privilege 8 password 0 vatcher
157 Username HelpDesk privilege 6 password help

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

157 Privilege exec level 6 show running


157 Privilege exec level 7show start-up
157 Privilege exec level 9 show configure terminal
157 Privilege exec level 10 interface
157 A. Privilege exec level 9 show configure terminal
157 B. Privilege exec level 7show start-up
157 C. Privilege exec level 10 interface
157 D. Username HelpDesk privilege 6 password help

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

172 QUESTION 172


172 Which statement about IOS privilege levels is true?
172 A. Each privilege level is independent of all other privilege levels.
172 B. Each privilege level supports the commands at its own level and all levels
172 C. Each privilege level supports the commands at its own level and a
172 D. Privilege-level commands are set explicitly for each user.

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

178 QUESTION 178


178 What are two ways to protect eavesdropping when you perform device-mana
178 (Choose two)
178 A. use SNMPv2
178 B. use SSH connection
178 C. use SNMPv3
178 D. use in-band management
178 E. use out-band management

gement? (Choose two)

ss to the device

mation about device status and uses it to

erify the installation and observe that the


the image file fail to appear in the dir

a write operation?

onfiguration mode on a device with the


onfiguration to correct the problem?

ents from the Username Admin privilege line

ents the HelpDesk user from modifying

n level and all levels above it.


ts own level and all levels below it.

erform device-management task?

SecDP
SecDP
SecDP
SecDP
SecDP
SecDP
SecDP
SecDP
SecDP
SecDP
SecDP
SecDP
SecDP
SecDP

11 QUESTION 11
11 What features can protect the data plane? (Choose three.)
11 A. policing
11 B. ACLs
11 C. IPS
11 D. antispoofing
11 E. QoS
11 F. DHCP-snooping
34 QUESTION 34
34 Which address block is reserved for locally assigned unique local addresses?
34 A. 2002::/16
34 B. FD00::/8
34 C. 2001::/32
34 D. FB00::/8

SecDP
SecDP
SecDP
SecDP
SecDP
SecDP

122 QUESTION 122


122 Which Cisco feature can help mitigate spoofing attacks by verifying symmetr
122 A. Unidirectional Link Detection
122 B. Unicast Reverse Path Forwarding
122 C. TrustSec
122 D. IP Source Guard

ue local addresses?

y verifying symmetry of the traffic path?

SecCP
SecCP
SecCP
SecCP
SecCP
SecCP
SecCP
SecCP

76 QUESTION 76
76 Which two feature do CoPP and CPPr use to protect the control plane? (Choos
76 A. QoS
76 B. traffic classification
76 C. access lists
76 D. policy maps
76 E. class maps
76 F. Cisco Express Forwarding

SecCP
SecCP
SecCP
SecCP
SecCP
SecCP

77 QUESTION 77
77 What is an advantage of implementing a Trusted Platform Module for disk en
77 A. It provides hardware authentication
77 B. It allows the hard disk to be transferred to another device without requirin
77 C. it supports a more complex encryption algorithm than other disk-encryptio
77 D. it can protect against single poins of failure.

SecCP
SecCP
SecCP
SecCP
SecCP
SecCP
SecCP

96 QUESTION 96
96 Which security measures can protect the control plane of a Cisco router? (Ch
96 A. CCPr
96 B. Parser views
96 C. Access control lists
96 D. Port security
96 E. CoPP

SecCP
SecCP
SecCP
SecCP
SecCP
SecCP

112 QUESTION 112


112 What type of packet creates and performs network operations on a network
112 A. data plane packets
112 B. management plane packets
112 C. services plane packets
112 D. control plane packets

SecCP
SecCP
SecCP
SecCP
SecCP
SecCP

165 QUESTION 165


165 Which feature filters CoPP packets?
165 A. Policy maps
165 B. route maps
165 C. access control lists
165 D. class maps

ontrol plane? (Choose two)

m Module for disk encryption?

vice without requiring re-encryption.dis


other disk-encryption technologies.

f a Cisco router? (Choose two.)

ations on a network device?

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

16 QUESTION 16
16 When a company puts a security policy in place, what is the effect on the com
16 A. Minimizing risk
16 B. Minimizing total cost of ownership
16 C. Minimizing liability
16 D. Maximizing compliance

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

43 QUESTION 43
43 Which type of firewall can act on the behalf of the end device?
43 A. Stateful packet
43 B. Application
43 C. Packet
43 D. Proxy

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

48 QUESTION 48
48 What is a reason for an organization to deploy a personal firewall?
48 A. To protect endpoints such as desktops from malicious activity
48 B. To protect one virtual network segment from another
48 C. To determine whether a host meets minimum security posture requiremen
48 D. To create a separate, non-persistent virtual environment that can be destr
48 E. To protect the network from DoS and syn-flood attacks

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

55 QUESTION 55
55 Refer to the exhibit. What type of firewall would use the given cofiguration lin
55
55
55
55 A. a stateful firewall
55 B. a personal firewall
55 C. a proxy firewall
55 D. an application firewall
55 E. a stateless firewall

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

65 QUESTION 65
65 Which Statement about personal firewalls is true?
65 A. They are resilient against kernal attacks
65 B. They can protect email messages and private documents in a similar way
65 C. They can protect the network against attacks
65 D. They can protect a system by denying probing requests

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

84 QUESTION 84
84 Which type of mirroring does SPAN technology perform?
84 A. Remote mirroring over Layer 2
84 B. Remote mirroring over Layer 3
84 C. Local mirroring over Layer 2
84 D. Local mirroring over Layer 3

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

107 QUESTION 107


107 You want to allow all of your companies users to access the Internet without
107 servers to collect the IP addresses of individual users.
107 What two solutions can you use? (Choose two).
107 A. Configure a proxy server to hide users local IP addresses
107 B. Assign unique IP addresses to all users.

Firewall
Firewall
Firewall

107 C. Assign the same IP addresses to all users


107 D. Install a Web content filter to hide users local IP addresses
107 E. Configure a firewall to use Port Address Translation.

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

113 QUESTION 113, 145


113 Which two statements about stateless firewalls are true? (Choose two.)
113 A. They compare the 5-tuple of each incoming packet against config
113 B. They cannot track connections.
113 C. They are designed to work most efficiently with stateless protocols such a
113 D. Cisco IOS cannot implement them because the platform is stateful by natu
113 E. The Cisco ASA is implicitly stateless because it blocks all traffic by default.

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

162 QUESTION 162


162 Which statement about the communication between interfaces on the same
162 A. All Traffic is allowed by default between interfaces on the same security le
162 B. Interface on the same security level require additional configurat
162 communication.
162 C. Configuring interface on the same security level can cause asymmetric ro
162 D. You can configure only one interface on an individual security level.

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

187 QUESTION 187


187 A proxy firewall protects against which type of attacks?
187 A. DDoS
187 B. port scanning
187 C. worm traffic
187 D. cross-site scripting attacks

the effect on the company's business?

l firewall?
licious activity

posture requirements
nt that can be destroyed after a session

given cofiguration line?

nts in a similar way to a VPN

he Internet without allowing other Web

addresses

(Choose two.)
ket against configurable rules.

ess protocols such as HTTP or HTTPS.


m is stateful by nature.
all traffic by default.

rfaces on the same security level is true?


the same security level.
ditional configuration to permit inter-interface

ause asymmetric routing.


security level.

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

12 QUESTION 12
12 How many crypto map sets can you apply to a router interface?
12 A. 3
12 B. 2
12 C. 4
12 D. 1

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

32 QUESTION 32
32 Which security zone is automatically defined by the system?
32 A. The source zone
32 B. The self zone
32 C. The destination zone
32 D. The inside zone

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

36 QUESTION 36
36 Which statements about smart tunnels on a Cisco firewall are true? (Choose
36 A. Smart tunnels can be used by clients that do not have administrator privil
36 B. Smart tunnels support all operating systems
36 C. Smart tunnels offer better performance than port forwarding
36 D. Smart tunnels require the client to have the application installed locally

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

53 QUESTION 53, 137


53 What is the only permitted operation for processing multicast traffic on zone
53 A. Stateful inspection of multicast traffic is supported only for the self zone
53 B. Stateful inspection for multicast traffic is supported only between the self53 zone
53 C. Only control plane policing can protect the control plane against
53 D. Stateful inspection of multicast traffic is supported only for the internal zo

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

72 QUESTION 72
72 How does a zone-based firewall implementation handle traffic between Inter
72 Zone?
72 A. traffic between interfaces in the same zone is blocked unless yoc configur
72 permit command
72 B. Traffic between interfaces in the same zone is always blocked
72 C. Traffic between two interfaces in the same zone is allowed by def
72 D. Traffic between interfaces in the same zone is blocked unless you apply a
72 zone pair

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

179 QUESTION 179


179 Which firewall configuration must you perform to allow traffic to flow in both
179 two zones?
179 A. You can configure a single zone pair that allows bidirectional traffic flows f
179 except the self-zone
179 B. You must configure two zone pair, one for each direction
179 C. You can configure a single zone pair that allows bidirectional traffic flows f
179 D. You can configure a single zone pair that allows bidirectional traffic flows o
179 is the less secure zone.

l are true? (Choose two.)


administrator privileges

n installed locally

icast traffic on zone-based firewalls?


y for the self zone
ly between the self-zone and the internal

rol plane against multicast traffic.


y for the internal zone.

raffic between Interfaces in the same


unless yoc configure the same-security

is allowed by default
unless you apply a service policy to the

affic to flow in both directions between

ctional traffic flows from for any zone

direction
ctional traffic flows for any zone
ctional traffic flows only if the source zone

ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA

1 QUESTION 1
1 Which statement about communication over failover interfaces is true?
1 A. All information that is sent over the failover interface is sent as clear text,
1 link is encrypted by default.
1 B. All information that is sent over the failover and stateful failover interfaces
1 C. All information that is sent over the failover and stateful failover interface
1 D. Usernames, password and preshared keys are encrypted by default when
1 failover and stateful failover interfaces, but other information is sent as clear
1 Ref: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/g

ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA

7 QUESTION 7, 133
7 If a packet matches more than one class map in an individual feature type's
7 does the ASA handle the packet?
7 A. The ASA will apply the actions from only the most specific matching class
7 feature type
7 B. The ASA will apply the actions from all matching class maps it finds for the
7 C. The ASA will apply the actions from only the last matching class map it fin
7 D. The ASA will apply the actions from only the first matching class map it fin

ASA
ASA
ASA
ASA
ASA
ASA
ASA

29 QUESTION 29
29 Which two statements about Telnet access to the ASA are true? (Choose two
29 A. You may VPN to the lowest security interface to telnet to an inside interfac
29 B. You must configure an AAA server to enable Telnet.
29 C. You can access all interfaces on an ASA using Telnet.
29 D. You must use the command virtual telnet to enable Telnet.
29 E. Best practice is to disable Telnet and use SSH.

ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA

31 QUESTION 31
31 A clientless SSL VPN user who is connecting on a Windows Vista computer is
31 option for Remote Desktop Protocol on the portal web page.
31 Which action should you take to begin troubleshooting?
31 A. Ensure that the RDP2 plug-in is installed on the VPN gateway
31 B. Reboot the VPN gateway
31 C. Instruct the user to reconnect to the VPN gateway
31 D. Ensure that the RDP plug-in is installed on the VPN gateway

ASA
ASA
ASA
ASA
ASA
ASA
ASA

59 QUESTION 59
59 how does the Cisco ASA use Active Directory to authorize VPN users?
59 A. It queries the Active Directory server for a Specfic attribute for the specific
59 B. It sends the username and password to retire an ACCEPT or Reject messag
59 Directory server
59 C. It downloads and stores the Active Directory databas to query for future au
59 D. It redirects requests to the Active Directory server defined for the VPN gro

ASA
ASA
ASA
ASA
ASA
ASA

61 QUESTION 61
61 For what reason would you configure multiple security contexts on the ASA fi
61 A. To enable the use of VFRs on routers that are adjacently connected
61 B. To provide redundancy and high availability within the organization
61 C. To enable the use of multicast routing and QoS through the firewall
61 D. To seperate different departments and business units

ASA
ASA

85 QUESTION 85
85 Which tasks is the session management path responsible for? (Choose three

ASA
ASA
ASA
ASA
ASA
ASA

85 A. Verifying IP checksums
85 B. Performing route lookup
85 C. Performing session lookup
85 D. Allocating NAT translations
85 E. Checking TCP sequence numbers
85 F. Checking packets against the access list

ASA
ASA
ASA
ASA
ASA
ASA

91 QUESTION 91
91 Which type of address translation should be used when a Cisco ASA is in tran
91 A. Static NAT
91 B. Dynamic NAT
91 C. Overload
91 D. Dynamic PAT

ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA

94 QUESTION 94
94 Which RADIUS server authentication protocols are supported on Cisco ASA fir
94 three.)
94 A. EAP
94 B. ASCII
94 C. PAP
94 D. PEAP
94 E. MS-CHAPv1
94 F. MS-CHAPv2

ASA
ASA
ASA
ASA
ASA
ASA
ASA

115 QUESTION 115


115 Which command will configure a Cisco ASA firewall to authenticate users whe
115 enable syntax using the local database with no fallback method?
115 A. aaa authentication enable console LOCAL SERVER_GROUP
115 B. aaa authentication enable console SERVER_GROUP LOCAL
115 C. aaa authentication enable console local
115 D. aaa authentication enable console LOCAL

ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA

154 QUESTION 154


154 What is a valid implicit permit rule for traffic that is traversing the ASA firewa
154 A. Unicast IPv6 traffic from a higher security interface to a lower security inte
154 transparent mode only
154 B. Only BPDUs from a higher security interface to a lower security interface a
154 mode.
154 C. ARPs in both directions are permitted in transparent mode only
154 D. Unicast IPv4 traffic from a higher security interface to a lower security inte
154 routed mode only
154 E. Only BPDUs from a higher security interface to a lower security interface a
154 transparent mode.

ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA

185 QUESTION 185


185 In which three cases does the ASA firewall permit inbound HTTP GET request
185 operations? (Choose three)
185 A. When matching ACL entries are configured
185 B. when matching NAT entries are configured
185 C. When the firewall requires strict HTTP inspection
185 D. When the firewall requires HTTP inspection
185 E. When the firewall receives a SYN-ACK packet

ASA

185 When the firewall receives a SYN packet

ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA

188 QUESTION 188


188 Which two statements regarding the ASA VPN configurations are correct? (Ch
188 A. The ASA has a certificate issued by an external Certificate Authority assoc
188 ASDM_TrustPoint1.
188 B. The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS
188 C. The Inside-SRV bookmark references thehttps://192.168.1.2URL
188 D. Only Clientless SSL VPN access is allowed with the Sales group policy
188 E. AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the o
188 F. The Inside-SRV bookmark has not been applied to the Sales group policy

rfaces is true?
s sent as clear text, but the stateful failover

ul failover interfaces is encrypted by default


ul failover interfaces is sent as clear text by default
ed by default when they are sent over the
ation is sent as clear text
sa72/configuration/guide/conf_gd/failover.html

dual feature type's policy map, how

cific matching class map it finds for the

maps it finds for the feature type


hing class map it finds for the feature type.
hing class map it finds for the feature type.

e true? (Choose two).


to an inside interface.

ws Vista computer is missing the menu

e VPN users?
ibute for the specific user
PT or Reject message from the Active

o query for future authorization


fined for the VPN group

ontexts on the ASA firewall?


ly connected
organization
h the firewall

e for? (Choose three.)

a Cisco ASA is in transparent mode?

rted on Cisco ASA firewalls? (Choose

thenticate users when they enter the

rsing the ASA firewall?


a lower security interface is permitted in

r security interface are permitted in routed

a lower security interface is permitted in

r security interface are permitted in

d HTTP GET requests during normal

ions are correct? (Choose two)


cate Authority associated to the

the AAA with RADIUS server method.


68.1.2URL
es group policy
is enabled on the outside interface
Sales group policy

IPS
IPS
IPS
IPS
IPS
IPS

14 QUESTION 14
14 Which sensor mode can deny attackers inline?
14 A. IPS
14 B. fail-close
14 C. IDS
14 D. fail-open

IPS
IPS
IPS
IPS
IPS
IPS

15 QUESTION 15
15 Which options are filtering options used to display SDEE message types?
15 A. stop
15 B. none
15 C. error
15 D. all

IPS
IPS
IPS
IPS
IPS
IPS
IPS
IPS

19 QUESTION 19
19 Which actions can a promiscuous IPS take to mitigate an attack?
19 A. modifying packets
19 B. requesting connection blocking
19 C. denying packets
19 D. resetting the TCP connection
19 E. requesting host blocking
19 F. denying frames

IPS
IPS
IPS
IPS
IPS
IPS

42 QUESTION 42
42 What is the purpose of a honeypot IPS?
42 A. To create customized policies
42 B. To detect unknown attacks
42 C. To normalize streams
42 D. To collect information about attacks

IPS
IPS
IPS
IPS
IPS
IPS
IPS

51 QUESTION 51
51 When an IPS detects an attack, which action can the IPS take to prevent the
51 spreading?
51 A. Perform a Layer 6 reset
51 B. Deploy an antimalware system
51 C. Enable bypass mode
51 D. Deny the connection inline

IPS
IPS
IPS
IPS
IPS
IPS
IPS
IPS

68 QUESTION 68, 82, 131


68 Which three statements about host-based IPS are true? (Choose three)
68 A. It can view encrypted files
68 B. It can be deployed at the perimeter
68 C. It uses signature-based policies
68 D. It can have more restrictive policies than network-based IPS
68 E. It works with deployed firewalls
68 F. It can generate alerts based on behavior at the desktop level.

IPS
IPS
IPS
IPS
IPS
IPS

75 QUESTION 75, 114


75 What three actions are limitations when running IPS in promiscous mode? (C
75 A. deny attacker
75 B. request block connection
75 C. deny packet
75 D. modify packet

IPS
IPS

75 E. request block host


75 F. reset TCP connection

IPS
IPS
IPS
IPS
IPS
IPS

81 QUESTION 81
81 What is an advantage of placing an IPS on the inside of a network?
81 A. It can provide higher throughput.
81 B. It receives traffic that has already been filtered.
81 C. It receives every inbound packet.
81 D. It can provide greater security.

IPS
IPS
IPS
IPS
IPS
IPS

88 QUESTION 88
88 Which option is the most effective placement of an IPS device within the infr
88 A. Inline, behind the internet router and firewall
88 B. Inline, before the internet router and firewall
88 C. Promiscuously, after the Internet router and before the firewall
88 D. Promiscuously, before the Internet router and the firewall

IPS
IPS
IPS
IPS
IPS
IPS

90 QUESTION 90
90 Which alert protocol is used with Cisco IPS Manager Express to support up to
90 A. SDEE
90 B. Syslog
90 C. SNMP
90 D. CSM

IPS
IPS
IPS
IPS
IPS
IPS

118 QUESTION 118


118 Which type of IPS can identify worms that are propagating in a network?
118 A. Policy-based IPS
118 B. Anomaly-based IPS
118 C. Reputation-based IPS
118 D. Signature-based IPS

IPS
IPS
IPS
IPS
IPS
IPS
IPS

132 QUESTION 132


132 What are two users of SIEM software? (Choose two)
132 A. performing automatic network audits
132 B. configuring firewall and IDS devices
132 C. alerting administrators to security events in real time
132 D. scanning emails for suspicious attachments
132 E. collecting and archiving syslog data

IPS
IPS
IPS
IPS
IPS
IPS
IPS

144 QUESTION 144


144 How can you detect a false negative on an IPS?
144 A. View the alert on the IPS
144 B. Use a third-party to audit the next-generation firewall rules
144 C. Review the IPS console
144 D. Review the IPS log
144 E. Use a third-party system to perform penetration testing

IPS
IPS
IPS
IPS
IPS
IPS
IPS

158 QUESTION 158


158 Which IPS mode provides the maximum number of actions?
158 A. Inline
158 B. bypass
158 C. span
158 D. failover
158 E. promiscuous

IPS
IPS
IPS
IPS
IPS
IPS

160 QUESTION 160


160 Which technology can be used to rate data fidelity and to provide an authent
160 A. Network blocking
160 B. signature updates
160 C. file analysis
160 D. file reputation

IPS
IPS
IPS
IPS
IPS
IPS

183 QUESTION 183


183 What is the primary purposed of a defined rule in an IPS?
183 A. to detect internal attacks
183 B. to define a set of actions that occur when a specific user logs in to the sys
183 C. to configure an event action that is pre-defined by the system ad
183 D. to configure an event action that takes place when a signature is triggered

message types?

take to prevent the attack from

Choose three)

desktop level.

omiscous mode? (Choose three)

network?

evice within the infrastructure?

ess to support up to 10 sensors?

g in a network?

n testing

o provide an authenticated hash for data?

er logs in to the system


by the system administrator
signature is triggered.

IOS
IOS
IOS
IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

5 QUESTION 5
5 Which SOURCEFIRE logging action should you choose to record the most det
5 connection.
5 A. Enable logging at the beginning of the session
5 B. Enable logging at the end of the session
5 C. Enable alerts via SNMP to log events off-box
5 D. Enable eStreamer to log events off-box

IOS
IOS
IOS
IOS
IOS
IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

8 QUESTION 8, 163
8 You have implemented a Sourcefire IPS and configured it to block certain add
8 Security Intelligence IP address Reputation. A user calls and is not able to ac
8 address. What action can you take to allow the user access to the IP address
8 A. Create a custom blacklist to allow traffic
8 B. Create a whitelist and add the appropriate IP address to allow traffic.
8 C. Create a user based access control rule to allo the traffic.
8 D. Create a network based access control rule to allow the traffic.
8 E. Create a rule to bypass inspection to allow the traffic

IOS
IOS
IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

IOS
IOS
IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

102 QUESTION 102


102 What is the FirePOWER impact flag used for?
102 A. A value that indicates the potential severity of an attack.
102 B. A value that the administrator assigns to each signature.
102 C. A value that sets the priority of a signature.
102 D. A value that measures the application awareness.

IOS
IOS
IOS
IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

106 QUESTION 106


106 What can the SMTP preprocessor in a FirePOWER normalize?
106 A. It can extract and decode email attachments in client to server tr
106 B. It can look up the email sender
106 C. it compares known threats to the email sender
106 D. It can forward the SMTP traffic to an email filter server
106 E. It uses the Traffic Anomaly Detector

IOS
IOS
IOS
IOS
IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

140 QUESTION 140


140 Which Sourfire secure action should you choose if you want to block only ma
140 particular end-user?
140 A. Trust
140 B. Block
140 C. Allow without inspection
140 D. Monitor
140 E. Allow with inspection

IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF

186 QUESTION 186


186 How can firepower block malicious email attachments?
186 A) It forwards email requests to an external signature engine
186 B) It sends the traffic through a file policy

49 QUESTION 49, 136


49 Which FirePOWER preprocessor engine is used to prevent SYN attacks?
49 A. Rate-Based Prevention
49 B. Portscan Detection
49 C. IP Defragmentation
49 D. Inline Normalization

IOS ZBF
IOS ZBF

186 C) It scans inbound email messages for known bad URLs


186 D) It sends an alert to the administrator to verify suspicious email messages

record the most detail about a

to block certain addresses utilizing


and is not able to access a certain IP
ss to the IP address?

to allow traffic.

t SYN attacks?

an attack.

client to server traffic

ant to block only malicious traffic from a

ous email messages

ACL
ACL
ACL
ACL
ACL
ACL
ACL
ACL
ACL
ACL

3 QUESTION 3
3 According to Cisco best practices, which three protocols should the default A
3 port to enable wired BYOD devices to supply valid credentials and connect to
3 (Choose three)
3 A. BOOTP
3 B. TFTP
3 C. DNS
3 D. MAB
3 E. HTTP
3 F. 802.1x

ACL
ACL
ACL
ACL
ACL
ACL
ACL
ACL

18 QUESTION 18
18 Which statements about reflexive access lists are true?
18 A. Reflexive access lists create a permanent ACE
18 B. Reflexive access lists approximate session filtering using the established k
18 C. Reflexive access lists can be attached to standard named IP ACLs
18 D. Reflexive access lists support UDP sessions
18 E. Reflexive access lists can be attached to extended named IP ACLs
18 F. Reflexive access lists support TCP sessions

ACL
ACL
ACL
ACL
ACL
ACL
ACL

37 QUESTION 37
37 Which option describes information that must be considered when you apply
37 physical interface?
37 A. Protocol used for filtering
37 B. Direction of the access class
37 C. Direction of the access group
37 D. Direction of the access list

ACL
ACL
ACL
ACL
ACL
ACL
ACL
ACL
ACL
ACL

97 QUESTION 97
97 Which statement about extended access lists is true?
97 A. Extended access lists perform filtering that is based on source and destina
97 effective when applied to the destination
97 B. Extended access lists perform filtering that is based on source an
97 effective when applied to the source
97 C. Extended access lists perform filtering that is based on destination and ar
97 applied to the source
97 D. Extended access lists perform filtering that is based on source and are mo
97 applied to the destination

ACL
ACL
ACL
ACL
ACL
ACL

17 QUESTION 17
17 Which wildcard mask is associated with a subnet mask of /27?
17 A. 0.0.0.31
17 B. 0.0.0.27
17 C. 0.0.0.224
17 D. 0.0.0.255

ACL
ACL
ACL
ACL
ACL
ACL

127 QUESTION 127


127 Which of the following statements about access lists are true? (Choose three
127 A. Extended access lists should be placed as near as possible to the destinat
127 B. Extended access lists should be placed as near as possible to the
127 C. Standard access lists should be placed as near as possible to the
127 D. Standard access lists should be placed as near as possible to the source

ACL
ACL

127 E. Standard access lists filter on the source address


127 F. Standard access lists filter on the destination address

should the default ACL allow an access


ntials and connect to the network?

ng the established keyword


med IP ACLs

med IP ACLs

red when you apply an access list to a

n source and destination and are most

ased on source and destination and are most

n destination and are most effective when

n source and are most effective when

true? (Choose three.)


sible to the destination
as possible to the source
as possible to the destination
sible to the source

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

60 QUESTION 60, 174


60 Which statement about application blocking is true?
60 A. It blocks access to files with specific extensions
60 B. It blocks access to specific network addresses
60 C. It blocks access to specific programs
60 D. It blocks access to specific network services.

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

69 QUESTION 69, 101


69 What type of security support is provided by the Open Web Application Secu
69 A. Education about common Web site vulnerabilities
69 B. A wb site security framework
69 C. A security discussion forum for Web site developers
69 D. Scoring of common vulnerabilities and exposures

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

79 QUESTION 79
79 A specific URL has been identified as containing malware. What action can yo
79 users from accidentaly visiting the URL and becoming infected with malware
79 A. Enable URL filtering on the perimeter firewall and add the URLs you want
79 local URL list
79 B. Enable URL filtering on the perimeter router and add the URLs you want to
79 local URL list
79 C. Create a blacklist that contains the URL you want to block and activate the
79 perimeter router.
79 D. Enable URL filtering on the perimeter router and add the URLs you want to
79 local URL list
79 E. Create a whitelist that contains the URls you want to allow and ac
79 perimeter router.

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

103 QUESTION 103


103 Which two services define cloud networks? (Choose two.)
103 A. Infrastructure as a Service
103 B. Platform as a Service
103 C. Compute as a Service
103 D. Security as a Service
103 E. Tenancy as a Service

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

120 QUESTION 120


120 Which Cisco product can help mitigate web-based attacks within a network?
120 A. Adaptive Security Appliance
120 B. Web Security Appliance
120 C. Email Security Appliance
120 D. Identity Services Engine

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

139 QUESTION 139


139 Which feature of the Cisco Email Security Appliance can mitigate the impact
139 and sophisticated phishing attack?
139 A. holistic understanding of threats
139 B. graymail management and filtering
139 C. signature-based IPS
139 D. contextual analysis

WebMail
WebMail

155 QUESTION 155


155 You have been tasked with blocking user access to website that violate comp

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

155 site use dynamic IP Addresses. What is the best practice URL filtering to solv
155 A. Enable URL filtering and create a blacklist to block the websites that violat
155 B. Enable URL filtering and create a whitelist to allow only the websites the c
155 users to access.
155 C. Enable URL filtering and use URL categorization to allow only the websites
155 allow users to access
155 D. Enable URL filtering and create a whitelist to block the websites that viola
155 E. Enable URL filtering and use URL categorization to block the websites that
155 policy.

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

170 QUESTION 170


170 What is the benefit of web application firewall?
170 A. It accelerate web traffic
170 B. It blocks know vulnerabilities without patching applications
170 C. It supports all networking protocols.
170 D. It simplifies troubleshooting

eb Application Security Project?

. What action can you take to block


ected with malware?
the URLs you want to allow to the routers

he URLs you want to allow to the firewalls

ock and activate the blacklist on the

he URLs you want to block to the routers

ant to allow and activate the whitelist on the

s within a network?

mitigate the impact of snowshoe spam

te that violate company policy, but the

URL filtering to solve the problem?


websites that violate company policy.
y the websites the company policy allow

ow only the websites the company policy

e websites that violate company policy.


ck the websites that violate company

NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP

70 QUESTION 70
70 Refer to the exhibit. Which statement about the device time is true?
70
70
70
70
70
70 A. The time is authoritative because the clock is in sync
70 B. The time is authoritative, but the NTP process has lost contact with its ser
70 C. The clock is out of sync
70 D. NTP is configured incorrectly
70 E. The time is not authoritative

NTP
NTP
NTP
NTP
NTP
NTP

86 QUESTION 86
86 Which network device does NTP authenticate?
86 A. Only the time source
86 B. Only the client device
86 C. The firewall and the client device
86 D. The client device and the time source

NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP
NTP

177 QUESTION 177


177 Refer to the exhibit. With which NTP server has the router synchronized?
177 209.114.111.1 Configure, ipv4, same, valid, stratum 2 ref ID 132.163.4.103,
177 D7AD124D.9D6FC576 (03:17:33.614 UTC Sun Aug 31 2014) our mode client
177 our poll intvl 64, peer poll intvl 64 root delay 46.34 msec, root disp 23.52, rea
177 268.59 delay 63.27 msec, offset 7.9817 msec, dispersion 187.56, jitter 2.07
177 2**23, version 4
177 204.2.134.164 Configure, ipv4, same, valid, stratum 2 ref ID 241.199.164.10
177 D7AD1D149.9EB5272B (03:25:13.619 UTC Sun Aug 31 2014) our mode clien
177 server, our poll intvl 64, peer poll intvl 256 root delay 30.83 msec, root disp 4
177 dist 223.80 delay 28.69 msec, offset 6.4331 msec, dispersion 187.56, jitter 1
177 2**23, version 4
177 192.168.10.7 Configure, ipv4, our_master, sane, valid, stratum 3 ref ID 108.6
177 D7AD0D8F.AE79A23A (02:57:19.681 UTC Sun Aug 31 2014) our mode client,
177 our poll intvl 64, peer poll intvl 64 root delay 86.45 msec, root disp 87.82, rea
177 134.25 delay 0.89 msec, offset 19.5087 msec, dispersion 1.69, jitter 0.84 ms
177 version 4
177 A. 192.168.10.7
177 B. 108.61.73.243
177 C. 209.114.111.1
177 D. 204.2.134.164
177 E. 132.163.4.103
177 F. 241.199.164.101

me is true?

contact with its servers

r synchronized?
f ID 132.163.4.103, time
14) our mode client, peer mode server,
, root disp 23.52, reach 1, sync dist
n 187.56, jitter 2.07 msec precision

f ID 241.199.164.101, time
014) our mode client, peer mode
.83 msec, root disp 4.88, reach 1, sync
rsion 187.56, jitter 1.39 msec precision

ratum 3 ref ID 108.61.73.243, time


14) our mode client, peer mode server,
, root disp 87.82, reach 377, sync dist
n 1.69, jitter 0.84 msec precision 2**23,

Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab

23 QUESTION 23
23 Scenario
23 In this simulation, you have access to ASDM only. Review the various ASA co
23 ASDM then answer the five multiple choice questions about the ASA SSLVPN
23 To access ASDM, click the ASA icon in the topology diagram.
23 Note: Not all ASDM functionalities are enabled in this simulation.
23 To see all the menu options available on the left navigation pane, you may a
23 the expanded menu first.
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23 Which user authentication method is used when users login to the Clientless
23 using https://209.165.201.2/test?
23 A. Both Certificate and AAA with LOCAL database
23 B. AAA with RADIUS server
23 C. Both Certificate and AAA with RADIUS server
23 D. AAA with LOCAL database
23 E. Certificate

Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab

24 QUESTION 24
24 Scenario
24 In this simulation, you have access to ASDM only. Review the various ASA co
24 ASDM then answer the five multiple choice questions about the ASA SSLVPN
24 To access ASDM, click the ASA icon in the topology diagram.
24 Note: Not all ASDM functionalities are enabled in this simulation.
24 To see all the menu options available on the left navigation pane, you may a
24 the expanded menu first.

Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab

24 When users login to the Clientless SSL VPN using https://209.165.201.2/test,


24 will be applied?
24 A. test
24 B. Sales
24 C. DefaultRAGroup
24 D. DefaultWEBVPNGroup
24 E. clientless
24 F. DFTGrpPolicy

Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab

25 QUESTION 25
25 Scenario
25 In this simulation, you have access to ASDM only. Review the various ASA co
25 ASDM then answer the five multiple choice questions about the ASA SSLVPN
25 To access ASDM, click the ASA icon in the topology diagram.
25 Note: Not all ASDM functionalities are enabled in this simulation.
25 To see all the menu options available on the left navigation pane, you may a
25 the expanded menu first.
25 Which two statements regarding the ASA VPN configurations are correct? (Ch
25 A. The Inside-SRV bookmark has not been applied to the Sales group policy
25 B. The ASA has a certificate issued by an external Certificate Authority assoc
25 ASDM_Trustpoint1
25 C. The Inside-SRV bookmark references the https://192.168.1.2 URL
25 D. Any Connect, IPSec IKEv1 and IPSec IKEv2 VPN access is enabled on the o
25 E. Only Clientless SSL VPN VPN access is allowed with the Sales group Policy
25 F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius

Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab

26 QUESTION 26
26 Scenario
26 In this simulation, you have access to ASDM only. Review the various ASA co
26 ASDM then answer the five multiple choice questions about the ASA SSLVPN
26 To access ASDM, click the ASA icon in the topology diagram.
26 Note: Not all ASDM functionalities are enabled in this simulation.
26 To see all the menu options available on the left navigation pane, you may a
26 the expanded menu first.
26 Which four tunneling protocols are enabled in the DfltGrpPolicy group policy?
26 A. IPsec IKEv1
26 B. IPsec IKEv2
26 C. L2TP/IPsec
26 D. Clientless SSL VPN
26 E. SSL VPN Client
26 F. PPTP

Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab

27 QUESTION 27
27 Scenario
27 Given the new additional connectivity requirements and the topology diagram
27 accomplish the required ASA configurations to meet the requirements.
27 New additional connectivity requirements:
27 - Currently, the ASA configurations only allow on the Inside and DMZ
27 networks to access any hosts on the Outside. Your task is to use ASDM
27 to configure the ASA to also allow any host only on the Outside to HTTP
27 to the DMZ server. The hosts on the Outside will need to use the

Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab

27 209.165.201.30 public IP address when HTTPing to the DMZ server.


27 - Currently, hosts on the ASA higher security level interfaces are not
27 able to ping any hosts on the lower security level interfaces. Your
27 task in this simulation is to use ASDM to enable the ASA to dynamically
27 allow the echo-reply responses back through the ASA.
27 Once the correct ASA configurations have been configured:
27 - You can test the connectivity tohttp://209.165.201,30from the Outside
27 PC browser.
27 - You can test the pings to the Outside (www.cisco.com) by opening the
27 inside PC command prompt window. In this simulation, only testing
27 pings to www.cisco.com will work.
27 To access ASDM, click the ASA icon in the topology diagram.
27 To access the Firefox Browser on the Outside PC, click the Outside PC icon in
27 diagram.
27 To access the Command prompt on the Inside PC, click the Inside PC icon in t
27 diagram.
27 Note:
27 After you make the configuration changes in ASDM, remember to click Apply
27 configuration changes.
27 Not all ASDM screens are enabled in this simulation, if some screen is not en
27 different methods to configure the ASA to meet the requirements.
27 In this simulation, some of the ASDM screens may not look and function exac
27 ASDM.
27 Answer:
27 Step1: Firewall, Configuration, NAT Rules, Name=http, IP version=IPv4, IP
27 address=209.165.201.30, Static NAT=172.16.1.2
27 Step2: Firewall, Config, NAT Rules, Interface=Outside, Action=Permit, Source
27 Destination=209.165.201.30, Service= tcp/http
27 Step3: Firewall, Config, Service policy Rules, Click Global Policy and edit, Rule
27 ICMP and apply
27 Step4: Ping www.cisco.com from Inside PC

the various ASA configurations using


out the ASA SSLVPN configurations.

on pane, you may also need to unexpand

gin to the Clientless SSL VPN portal

the various ASA configurations using


out the ASA SSLVPN configurations.

on pane, you may also need to unexpand

209.165.201.2/test, which group policy

the various ASA configurations using


out the ASA SSLVPN configurations.

on pane, you may also need to unexpand

ions are correct? (Choose two)


Sales group policy
cate Authority associated to the

68.1.2 URL
is enabled on the outside interface
e Sales group Policy
he AAA with Radius server method

the various ASA configurations using


out the ASA SSLVPN configurations.

on pane, you may also need to unexpand

pPolicy group policy? (choose four)

the topology diagram, use ASDM to


requirements.

de and DMZ
s to use ASDM
utside to HTTP

MZ server.
ces are not

to dynamically

om the Outside

by opening the
nly testing

e Outside PC icon in the topology

he Inside PC icon in the topology

ember to click Apply to apply the

me screen is not enabled, try to use

ok and function exactly like the real

version=IPv4, IP

tion=Permit, Source=any,

Policy and edit, Rule Action tab, Click

OSPF
OSPF
OSPF
OSPF
OSPF
OSPF

167 QUESTION 167


167 If the router ospf 200 command, what does the value 200 stands for?
167 A. Administrative distance value
167 B. process ID
167 C. area ID.
167 D. ABR ID

0 stands for?

25
94
142
143
152
160
168
169
177
182
185

25-E/F
94-C/E/F
142-A
143-A
152-(I do not have clear)
160-D
168-C
169-A
177-A
182-Root Guard (missing in responses)
185-A/B/D

25-E/F yes
94-C/E/F yes
142-A yes
143-A yes
152- they provide 5 a
160-D yes
168-C and D (on the t
169-A yes
177-A yes
182-STP Root Guard
185-A/B in the exam d

4-C/E/F yes

52- they provide 5 answers you have chosse two answers HMAC authentication AES encryption not encry

68-C and D (on the test, its two choices and E.polymorphic Virus is an option on the test)

82-STP Root Guard in the exam this updated


85-A/B in the exam different choices

ncryption not encrypto

1-OK
2-ok same as q. 146
3-OK
4-ok c on FLASH CARDS?
5-OK
6-OK
7-ok same as q. 133
8-ok same as q. 163
9-ok
10-ok
11-ok
12-ok
13-ok
14-ok
15-ok
16-ok
17-ok
18-ok
19-ok
20-ok
21-ok
22-ok

23-ok Via Configuration > Remote Access VPN > Clientless SSL VPN Access
Via Configuration > Remote Access VPN > AAA/Local Users > AAA Server G
24-ok Via Configuration > Remote Access VPN > Clientless SSL VPN Access
25- EF secondo 9tut Via Via Configuration > Remote Access VPN > Clientl
25-ok Via Configuration > Remote Access VPN > Certificate Management >
26-ok Via Configuration > Remote Access VPN > Clientless SSL VPN Access
27 SIM

28-ok
29-ok
30-ok
31-9Tut ans D RDP 1 o 2?
32-ok
33-ok
34-ok
35-ok
36-9tut ans AC\AD Smart Tunnels
37-ok
38-ok
39-ok
40-ok
41-ok
42-ok
43-ok
44-ok

45-ok
46-ok same as q. 153
47-ok
48-ok
49-ok same as q. 136
50-ok
51-ok
52-ok
53-ok same as q. 137
54-ok
55-ok
56-ok
57-ok
58-ok
59-ok
60-ok same as q. 174
61-ok
62-ok
63-ok
64-ok
65-ok
66-ok
67-ok
68-ok same as q. 82
69-ok
70-ok
71-ok
72-ok
73-ok
74-ok
75-ok
76-ok
77-ok
78-ok
79-ok maybe E????? confirmed in Quizlet
80-ok
81-ok
82-ok same as q. 68
83-ok
84-ok
85-ok
86-ok
87-ok
88-ok
89-AB or AC or AD
90-ok
91-ok
92-ok

93-ok
94-ACF, CEF
95-ok
96-ok
97-ok
98-ok
99-ok
100-ok
101-ok
102-ok
103-ok
104-ok
105-ok
106-ok or C on 9 tut
107-ok
108-ok same as q. 164
109-ok same as q. 159
110 C o B same as q. 135 qualcuno dice ok (mOLTE CONFERME SU B)
111-root guard BPDU Guard same as q. 182
112-ok
113-ok same as q. 145
114-ok
115-ok
116-ok
117-ok
118-ok
119-ok
120-ok
121-ok
122-ok
123-ok
124-ok Dynamic Port Security, CAM
125-ok
126-ok
127-ok
128-ok
129-ok
130-ok
131-ok
132-ok
133-ok same as q. 7
134-ok
135-C o B same as q. 110 (lots telling B)
136-ok same as q. 49
137-ok same as q. 53
138-ok
139-ok
140-ok

141-ok
142-A more likely
143-D (5x) ore A (3x)
144-ok
145-ok same as q. 113
146-ok same as q. 2
147-ok 3x
148-ok
149-ok
150-ok
151-ok
152-B secondo 9tut (molti) 152- they provide 5 answers you have chosse two
153-ok same as q. 46
154-ok
155-ok
156-ok
157-ok
158-ok
159-ok same as q. 109
160-ok maybe D (2x)
161-ok
162-ok
163-ok same as q. 8
164-ok same as q. 108
165-ok
166-ok
167-ok
168-ok CD on the exam (test gives more options)
169-A test AAA (lot of people)
170-B on 9tut
171-ok
172-ok
173-ok
174-ok same as q. 60
175-ok
176-ok
177-A
178-ok
179-ok
180-ok
181-ok
182-ok STP Root Guard
183-ok
184-ok
185-ABD

less SSL VPN Access > Connection Profiles


sers > AAA Server Groups
less SSL VPN Access > Connection Profiles > Edit
Access VPN > Clientless SSL VPN Access > Portal > Bookmarks
cate Management > Identity Certificates
less SSL VPN Access > Group Policies

FERME SU B)

you have chosse two answers HMAC authentication AES encryption not encrypto

Type
ASA
ASA
ASA
ASA
ASA
ASA

Number
1
1
1
1
1
1

iii

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

2
2
2
2
2
2
2
2

iii

iii

ACL

ACL
ACL
ACL
ACL
ACL
ACL
ACL

3
3
3
3
3
3
3

iii

iii

VPN

VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN

IOS
IOS
IOS
IOS

4
4
4
4
4
4
4
4
4
4
4
4

ZBF
ZBF
ZBF
ZBF

5
5
5
5

IOS ZBF
IOS ZBF

5
5

iii
iii
iii

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

6
6
6
6
6
6

iii
iii

ASA

ASA
ASA
ASA
ASA
ASA
ASA

7
7
7
7
7
7

iii

IOS ZBF

IOS
IOS
IOS
IOS
IOS
IOS

8
8
8
8
8
8

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

iii
iii

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

9
9
9
9
9
9

SecMP

10

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

10
10
10
10
10
10

iii

iii

SecDP
SecDP
SecDP
SecDP
SecDP
SecDP
SecDP
SecDP

11
11
11
11
11
11
11
11

iii
iii

ZBF

12

ZBF
ZBF
ZBF
ZBF
ZBF

12
12
12
12
12

iii

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

13
13
13
13
13
13

IPS
IPS

14
14

IPS
IPS
IPS
IPS

14
14
14
14

iii

IPS
IPS
IPS
IPS
IPS
IPS

15
15
15
15
15
15

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

16
16
16
16
16
16

ACL
ACL
ACL
ACL
ACL
ACL

17
17
17
17
17
17

ACL
ACL
ACL
ACL
ACL
ACL
ACL
ACL

18
18
18
18
18
18
18
18

IPS
IPS
IPS
IPS
IPS
IPS
IPS
IPS

19
19
19
19
19
19
19
19

IOS ZBF
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

20
20
20
20
20
20

IPSec
IPSec

21
21

IPSec
IPSec
IPSec
IPSec

21
21
21
21

AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA

22
22
22
22
22
22
22
22

Lab
Lab

23
23

Lab
Lab
Lab

23
23
23

Lab
Lab
Lab
Lab
Lab
Lab

23
23
23
23
23
23

Lab
Lab
Lab
Lab
Lab
Lab

23
23
23
23
23
23

Lab

23

Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab
Lab

23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23
23

Lab

24

Lab

24

Lab
Lab
Lab
Lab
Lab

24
24
24
24
24

Lab
Lab

24
24

Lab
Lab

25
25

Lab

25

Lab
Lab
Lab
Lab
Lab

25
25
25
25
25

Lab

25

Lab

25

Lab
Lab

26
26

Lab

26

Lab
Lab
Lab
Lab
Lab
Lab

26
26
26
26
26
26

Lab

27

Lab
Lab

27
27

Lab
Lab
Lab
Lab

27
27
27
27

Base
Base
Base
Base
Base
Base

28
28
28
28
28
28

ASA
ASA
ASA

29
29
29

ASA
ASA
ASA
ASA

29
29
29
29

SecMP
SecMP

30
30

SecMP
SecMP
SecMP
SecMP

30
30
30
30

ASA

31

ASA
ASA
ASA
ASA
ASA

31
31
31
31
31

ZBF

32

ZBF
ZBF
ZBF
ZBF
ZBF

32
32
32
32
32

IOS ZBF
IPSec
IPSec
IPSec

33
33
33

IPSec
IPSec
IPSec

33
33
33

SecDP
SecDP
SecDP
SecDP
SecDP
SecDP

34
34
34
34
34
34

AAA
AAA
AAA

35
35
35

AAA
AAA
AAA
AAA
AAA

35
35
35
35
35

ZBF
ZBF
ZBF

36
36
36

ZBF
ZBF
ZBF

36
36
36

ACL
ACL
ACL
ACL
ACL
ACL

37
37
37
37
37
37

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

38
38
38
38
38
38

IPSec
IPSec

39
39

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

39
39
39
39
39
39

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

40
40
40
40
40
40

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

41
41
41
41
41
41

IPS
IPS
IPS
IPS

42
42
42
42

IPS
IPS

42
42

Firewall
Firewall
Firewall
Firewall

43
43
43
43

Firewall
Firewall

43
43

VPN
VPN
VPN

44
44
44

VPN
VPN
VPN
VPN
VPN
VPN
VPN

44
44
44
44
44
44
44

Base
Base
Base
Base
Base
Base

45
45
45
45
45
45

VPN
VPN
VPN
VPN
VPN
VPN

46
46
46
46
46
46

SecMP

47

SecMP
SecMP
SecMP
SecMP
SecMP

47
47
47
47
47

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

48
48
48
48
48
48

Firewall

48

IOS
IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF
ZBF

49
49
49
49
49

IOS ZBF

49

VPN
VPN
VPN
VPN
VPN
VPN

50
50
50
50
50
50

IPS
IPS
IPS
IPS
IPS
IPS

51
51
51
51
51
51

AAA

52

AAA
AAA
AAA
AAA
AAA

52
52
52
52
52

IOS ZBF

ZBF
ZBF

53
53

ZBF
ZBF
ZBF
ZBF

53
53
53
53

ISE
ISE
ISE

54
54
54

ISE
ISE
ISE

54
54
54

Firewall
Firewall
Firewall
Firewall

55
55
55
55

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

55
55
55
55
55
55

SecMP
SecMP
SecMP
SecMP
SecMP

56
56
56
56
56

SecMP
SecMP
SecMP

56
56
56

IOS ZBF

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

57
57
57
57
57
57

IPSec
IPSec
IPSec
IPSec
IPSec

57
57
57
57
57

IOS ZBF

Base
Base
Base

58
58
58

Base
Base
Base
iii

58
58
58

iii
ASA
ASA
ASA
ASA
ASA
ASA

59
59
59
59
59
59

iii

WebMail

60

WebMail
WebMail
WebMail
WebMail
WebMail

60
60
60
60
60

iii

iii

ASA
ASA
ASA
ASA
ASA
ASA

61
61
61
61
61
61

iii

VPN
VPN
VPN
VPN

62
62
62
62

VPN
VPN
iii

62
62

Base
Base
Base
Base
Base
Base

63
63
63
63
63
63

IPSec

64

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

64
64
64
64
64
64
64

Firewall
Firewall
Firewall
Firewall
Firewall

65
65
65
65
65

Firewall

65

VPN
VPN
VPN
VPN
VPN

66
66
66
66
66

VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN

66
66
66
66
66
66
66
66
66

VPN

67

VPN
VPN
VPN
VPN
VPN

67
67
67
67
67

IPS
IPS
IPS

68
68
68

IPS
IPS
IPS
IPS
IPS

68
68
68
68
68

WebMail

69

WebMail
WebMail
WebMail
WebMail
WebMail

69
69
69
69
69

NTP

70

NTP
NTP
NTP
NTP
NTP
NTP

70
70
70
70
70
70

NTP

70

NTP
NTP
NTP
NTP

70
70
70
70

SecL2
SecL2
SecL2
SecL2
SecL2

71
71
71
71
71

SecL2

71

ZBF
ZBF
ZBF

72
72
72

ZBF
ZBF
ZBF

72
72
72

iii

SecL2
SecL2
SecL2
SecL2

73
73
73
73

SecL2
SecL2

73
73

Encryption
Encryption
Encryption
Encryption

74
74
74
74

Encryption
Encryption
Encryption
Encryption

74
74
74
74

iii

IPS
IPS
IPS

75
75
75

IPS
IPS
IPS
IPS
IPS

75
75
75
75
75

SecCP
SecCP

76
76

SecCP
SecCP
SecCP
SecCP
SecCP

76
76
76
76
76

SecCP

76

SecCP
SecCP
SecCP
SecCP
SecCP
SecCP

77
77
77
77
77
77

IPSec
IPSec

78
78

IPSec
IPSec
IPSec
IPSec
IPSec
IPSec

78
78
78
78
78
78

IPSec
IPSec
IPSec
IPSec
IPSec

78
78
78
78
78

WebMail
WebMail

79
79

WebMail
WebMail
WebMail
WebMail
WebMail

79
79
79
79
79

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

80
80
80
80
80
80

IPS
IPS
IPS
IPS
IPS
IPS
iii

81
81
81
81
81
81

SecMP
SecMP

83
83

SecMP
SecMP
SecMP
SecMP

83
83
83
83

iii

Firewall
Firewall

84
84

Firewall

84

Firewall
Firewall
Firewall

84
84
84

ASA
ASA
ASA

85
85
85

ASA
ASA
ASA
ASA
ASA

85
85
85
85
85

NTP
NTP

86
86

NTP
NTP
NTP
NTP

86
86
86
86

Encryption
Encryption

87
87

Encryption
Encryption
Encryption
Encryption

87
87
87
87

IPS
IPS
IPS
IPS

88
88
88
88

IPS
IPS

88
88

AAA

89

AAA
AAA
AAA
AAA

89
89
89
89

AAA

89

IPS
IPS
IPS
IPS
IPS

90
90
90
90
90

IPS

90

ASA
ASA
ASA
ASA
ASA

91
91
91
91
91

ASA

91

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

92
92
92
92
92
92

AAA
AAA
AAA
AAA
AAA
AAA

93
93
93
93
93
93

ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA

94
94
94
94
94
94
94
94

SecMP
SecMP
SecMP
SecMP
SecMP

95
95
95
95
95

SecMP

95

SecCP
SecCP
SecCP
SecCP
SecCP
SecCP
SecCP

96
96
96
96
96
96
96

ACL
ACL
ACL
ACL
ACL

97
97
97
97
97

ACL

97

Encryption
Encryption
Encryption

98
98
98

Encryption
Encryption
Encryption
Encryption

98
98
98
98

SecL2

99

SecL2
SecL2
SecL2
SecL2
SecL2

99
99
99
99
99

VPN

100

VPN
VPN
VPN
VPN
VPN

100
100
100
100
100

IOS
IOS
IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

102
102
102
102
102
102

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

103
103
103
103
103
103

WebMail

103

Base
Base
Base
Base
Base
Base

104
104
104
104
104
104

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

105
105
105
105
105
105
105

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

105
105
105
105
105
105
105

SecMP
SecMP

105
105

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

105
105
105
105
105
105
105

IOS
IOS
IOS
IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

106
106
106
106
106
106
106

Firewall

107

Firewall
Firewall
Firewall
Firewall

107
107
107
107

Firewall
Firewall

107
107

IPSec
IPSec
IPSec

108
108
108

IPSec
IPSec

108
108

IPSec
IPSec
IPSec

108
108
108

SecMP

109

SecMP

109

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

109
109
109
109
109
109

SecMP
SecMP
SecMP
SecMP

109
109
109
109

SecL2
SecL2
SecL2

110
110
110

SecL2
SecL2
SecL2
SecL2
SecL2

110
110
110
110
110

SecL2

111

SecL2
SecL2
SecL2
SecL2
SecL2

111
111
111
111
111

SecCP
SecCP
SecCP
SecCP
SecCP
SecCP

112
112
112
112
112
112

Firewall

113

Firewall
Firewall
Firewall
Firewall
Firewall
Firewall

113
113
113
113
113
113

ASA
ASA
ASA

115
115
115

ASA
ASA
ASA

115
115
115

AAA
AAA
AAA
AAA
AAA
AAA

116
116
116
116
116
116

SecL2
SecL2

117
117

SecL2
SecL2
SecL2
SecL2

117
117
117
117

IPS
IPS
IPS
IPS
IPS
IPS

118
118
118
118
118
118

Base

119

Base
Base
Base
Base
Base

119
119
119
119
119

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

120
120
120
120
120
120

SecL2

121

SecL2
SecL2
SecL2
SecL2
SecL2

121
121
121
121
121

SecL2
SecDP

121
122

SecDP

122

SecDP
SecDP
SecDP
SecDP

122
122
122
122

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

123
123
123
123
123
123

SecL2
SecL2
SecL2
SecL2

124
124
124
124

SecL2
SecL2

124
124

SecL2
SecL2
SecL2

125
125
125

SecL2
SecL2
SecL2

125
125
125

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

126
126
126
126
126
126

ACL
ACL
ACL
ACL
ACL
ACL
ACL
ACL

127
127
127
127
127
127
127
127

Base
Base
Base
Base
Base
Base

128
128
128
128
128
128

Base

129

Base
Base
Base
Base
Base

129
129
129
129
129

AAA
AAA
AAA
AAA
AAA
AAA

130
130
130
130
130
130

IPS
IPS
IPS
IPS
IPS
IPS
IPS

132
132
132
132
132
132
132

Base
Base
Base
Base
Base
Base

134
134
134
134
134
134

Encryption
Encryption
Encryption
Encryption

138
138
138
138

Encryption
Encryption

138
138

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

139
139
139
139
139
139

WebMail

139

IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF

140
140
140
140

IOS ZBF
IOS ZBF
IOS ZBF
AAA

140
140
140

ISE
ISE
ISE

142
142
142

ISE
ISE
ISE

142
142
142

ISE
ISE
ISE
ISE
ISE

143
143
143
143
143

ISE

143

IPS
IPS
IPS

144
144
144

IPS
IPS
IPS
IPS

144
144
144
144

VPN
VPN
VPN
VPN
VPN
VPN

147
147
147
147
147
147

VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN

148
148
148
148
148
148
148
148

iii

VPN

150

VPN
VPN
VPN
VPN
VPN

150
150
150
150
150

VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN
VPN

150
150
150
150
150
150
150
150
150
150
150
150
150

VPN

150

AAA
AAA
AAA
AAA
AAA
AAA
AAA

151
151
151
151
151
151
151

AAA
AAA
AAA
AAA
AAA
AAA
AAA

151
151
151
151
151
151
151

AAA
AAA
AAA
AAA

151
151
151
151

IPSec
IPSec
IPSec
IPSec
IPSec

152
152
152
152
152

IPSec
IPSec

152
152

ASA
ASA
ASA
ASA

154
154
154
154

ASA
ASA
ASA

154
154
154

WebMail

155

WebMail
WebMail
WebMail
WebMail
WebMail
WebMail

155
155
155
155
155
155

SecL2
SecL2
SecL2
SecL2

156
156
156
156

SecL2
SecL2

156
156

SecMP
SecMP
SecMP

157
157
157

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

157
157
157
157
157
157

SecMP
SecMP
SecMP
SecMP

157
157
157
157

IPS
IPS

158
158

IPS
IPS

158
158

IPS
IPS
IPS

158
158
158

IPS
IPS
IPS

160
160
160

IPS
IPS
IPS

160
160
160

VPN
VPN

161
161

VPN
VPN
VPN
VPN

161
161
161
161

Firewall
Firewall
Firewall
Firewall

162
162
162
162

Firewall
Firewall

162
162

SecCP
SecCP
SecCP
SecCP
SecCP
SecCP

165
165
165
165
165
165

Base
Base

166
166

Base
Base
Base
Base

166
166
166
166

iii

OSPF
OSPF
OSPF
OSPF

167
167
167
167

OSPF
OSPF

167
167

Base

168

Base
Base
Base
Base

168
168
168
168

Base
Base

168
168

AAA
AAA
AAA
AAA

169
169
169
169

AAA
AAA

169
169

WebMail
WebMail
WebMail
WebMail
WebMail

170
170
170
170
170

WebMail

170

iii
Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

171
171
171
171
171
171

SecMP
SecMP
SecMP
SecMP
SecMP
SecMP

172
172
172
172
172
172

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

173
173
173
173
173
173

Base

175

Base
Base
Base
Base
Base
Base
Base

175
175
175
175
175
175
175

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

176
176
176
176
176
176

NTP
NTP
NTP
NTP
NTP
NTP
NTP

177
177
177
177
177
177
177

NTP
NTP
NTP
NTP
NTP
NTP

177
177
177
177
177
177

NTP

177

NTP
NTP
NTP
NTP
NTP
NTP
NTP

177
177
177
177
177
177
177

NTP
NTP

177
177

SecMP
SecMP
SecMP

178
178
178

SecMP
SecMP
SecMP
SecMP

178
178
178
178

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

179
179
179
179
179
179

AAA
AAA
AAA
AAA
AAA

180
180
180
180
180

AAA
AAA
AAA

180
180
180

Base
Base

181
181

Base
Base
Base
Base

181
181
181
181

SecL2
SecL2

182
182

SecL2
SecL2
SecL2
SecL2
SecL2

182
182
182
182
182

IPS

183

IPS
IPS
IPS
IPS
IPS

183
183
183
183
183

Encryption

184

Encryption
Encryption
Encryption
Encryption
Encryption
Encryption

184
184
184
184
184
184

ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA

185
185
185
185
185
185
185
185

iii

IOS
IOS
IOS
IOS
IOS
IOS

ZBF
ZBF
ZBF
ZBF
ZBF
ZBF

186
186
186
186
186
186

Firewall
Firewall

187
187

Firewall
Firewall
Firewall
Firewall

187
187
187
187

ASA
ASA
ASA
ASA
ASA
ASA
ASA
ASA

188
188
188
188
188
188
188
188

NAT
NAT
NAT
NAT
NAT
NAT

189
189
189
189
189
189

NAT
NAT
NAT
NAT
NAT
NAT

190
190
190
190
190
190

NAT
NAT
NAT
NAT
NAT
NAT

191
191
191
191
191
191

SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2
SecL2

192
192
192
192
192
192
192
192

Question
QUESTION 1
Which statement about communication over failover interfaces is true?
A. All information that is sent over the failover interface is sent as clear text, but the stateful failov
B. All information that is sent over the failover and stateful failover interfaces is encrypted by defau
C. All information that is sent over the failover and stateful failover interfaces is sent as clear text b

D. Usernames, password and preshared keys are encrypted by default when they are sent over the

C
QUESTION 2, 146
Which three ESP fields can be encrypted during transmission? (Choose three)
A. Security Parameter Index
B. Sequence Number
C. MAC Address
D. Padding
E. Pad Length
F. Next Header

DEF
QUESTION 3

According to Cisco best practices, which three protocols should the default ACL allow an access po
(Choose three)
A. BOOTP
B. TFTP
C. DNS
D. MAB
E. HTTP
F. 802.1x

ABC
QUESTION 4

Refer to the exhibit. If a supplicant supplies incorrect credentials for all authentication methods con

A. The switch will cycle through the configured authentication methods indefinitely
B. The supplicant will fail to advance beyond the webauth method.
C. The authentication attempt will time out and the switch will place the port into the unathorized s
D. The authentication attempt will time out and the switch will place the port into VLAN 101

B
QUESTION 5
Which SOURCEFIRE logging action should you choose to record the most detail about a connection
A. Enable logging at the beginning of the session
B. Enable logging at the end of the session
C. Enable alerts via SNMP to log events off-box
D. Enable eStreamer to log events off-box

B
QUESTION 6
What type of algorithm uses the same key to encryp and decrypt data?
A. a symmetric algorithm
B. an asymetric algorithm
C. a Public Key infrastructure algorithm
D. an IP Security algorithm

A
QUESTION 7, 133

If a packet matches more than one class map in an individual feature type's policy map, how does
A. The ASA will apply the actions from only the most specific matching class map it finds for the
feature type
B. The ASA will apply the actions from all matching class maps it finds for the feature type
C. The ASA will apply the actions from only the last matching class map it finds for the feature type
D. The ASA will apply the actions from only the first matching class map it finds for the feature type

D
QUESTION 8, 163

You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Secur
address. What action can you take to allow the user access to the IP address?
A. Create a custom blacklist to allow traffic
B. Create a whitelist and add the appropriate IP address to allow traffic.
C. Create a user based access control rule to allow the traffic.
D. Create a network based access control rule to allow the traffic.
E. Create a rule to bypass inspection to allow the traffic

B
QUESTION 9
Which EAP method uses protected Access Credentials?
A. EAP-TLS
B. EAP-PEAP
C. EAP-FAST
D. EAP-GTC

C
QUESTION 10
In which two situations should you use out-of-band management? (Choose two)
A. when a network device fails to forward packets
B. when management applications need concurrent access to the device
C. when you require ROMMON access
D. when you require adminstrator access from multiple locations
E. when the control plane fails to respond

AC
QUESTION 11
What features can protect the data plane? (Choose three.)
A. policing
B. ACLs
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping

BDF
QUESTION 12
How many crypto map sets can you apply to a router interface?
A. 3
B. 2
C. 4
D. 1

D
QUESTION 13
What is the transition order of STP states on a Layer 2 switch interface?
A. listening, learning, blocking, forwarding, disabled
B. listening, blocking, learning, forwarding, disabled
C. blocking, listening, learning, forwarding, disabled
D. forwarding, listening, learning, blocking, disabled

C
QUESTION 14
Which sensor mode can deny attackers inline?

A. IPS
B. fail-close
C. IDS
D. fail-open

A
QUESTION 15
Which options are filtering options used to display SDEE message types?
A. stop
B. none
C. error
D. all

CD
QUESTION 16
When a company puts a security policy in place, what is the effect on the company's business?
A. Minimizing risk
B. Minimizing total cost of ownership
C. Minimizing liability
D. Maximizing compliance

A
QUESTION 17
Which wildcard mask is associated with a subnet mask of /27?
A. 0.0.0.31
B. 0.0.0.27
C. 0.0.0.224
D. 0.0.0.255

A
QUESTION 18
Which statements about reflexive access lists are true?
A. Reflexive access lists create a permanent ACE
B. Reflexive access lists approximate session filtering using the established keyword
C. Reflexive access lists can be attached to standard named IP ACLs
D. Reflexive access lists support UDP sessions
E. Reflexive access lists can be attached to extended named IP ACLs
F. Reflexive access lists support TCP sessions

DEF
QUESTION 19
Which actions can a promiscuous IPS take to mitigate an attack?
A. modifying packets
B. requesting connection blocking
C. denying packets
D. resetting the TCP connection
E. requesting host blocking
F. denying frames

BDE
QUESTION 20
Which Cisco Security Manager application collects information about device status and uses it to g
A. FlexConfig
B. Device Manager
C. Report Manager
D. Health and Performance Monitor

D
QUESTION 21
Which command is needed to enable SSH support on a Cisco Router?

A. crypto key lock rsa


B. crypto key generate rsa
C. crypto key zeroize rsa
D. crypto key unlock rsa

B
QUESTION 22
In which three ways does the TACACS protocol differ from RADIUS? (Choose three)
A. TACACS uses TCP to communicate with the NAS
B. TACACS can encrypt the entire packet that is sent to the NAS
C. TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted
D. TACACS uses UDP to communicate with the NAS
E. TACACS encrypts only the password field in an authentication packet
F. TACACS support per-command authorization

ABF
QUESTION 23
Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASD
access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are en
you may also need to unexpand the expanded menu first.

Which user authentication method is used when users login to the Clientless SSL VPN portal using
A. Both Certificate and AAA with LOCAL database
B. AAA with RADIUS server
C. Both Certificate and AAA with RADIUS server
D. AAA with LOCAL database
E. Certificate

D
QUESTION 24
Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASD
access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are en
you may also need to unexpand the expanded menu first. When users login to the Clientless SSL V
A. test
B. Sales
C. DefaultRAGroup
D. DefaultWEBVPNGroup
E. clientless
F. DFTGrpPolicy

B
QUESTION 25
Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASD
access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are en
you may also need to unexpand the expanded menu first. Which two statements regarding the AS
A. The Inside-SRV bookmark has not been applied to the Sales group policy
B. The ASA has a certificate issued by an external Certificate Authority associated to the
ASDM_Trustpoint1
C. The Inside-SRV bookmark references the https://192.168.1.2 URL
D. Any Connect, IPSec IKEv1 and IPSec IKEv2 VPN access is enabled on the outside interface

E. Only Clientless SSL VPN VPN access is allowed with the Sales group Policy
F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method

CF
QUESTION 26
Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASD
access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are en
you may also need to unexpand the expanded menu first. Which four tunneling protocols are enab
A. IPsec IKEv1
B. IPsec IKEv2
C. L2TP/IPsec
D. Clientless SSL VPN
E. SSL VPN Client
F. PPTP

ABCD
QUESTION 27

Given the new additional connectivity requirements and the topology diagram, use ASDM to accom
connectivity requirements:
- Currently, the ASA configurations only allow on the Inside and DMZ networks to access any hosts
the Outside to HTTP to the DMZ server. The hosts on the Outside will need to use the 209.165.201.
- Currently, hosts on the ASA higher security level interfaces are not able to ping any hosts on the l
to dynamically allow the echo-reply responses back through the ASA.
Once the correct ASA configurations have been configured:
- You can test the connectivity tohttp://209.165.201,30from the Outside PC browser.
- You can test the pings to the Outside (www.cisco.com) by opening the inside PC command promp
To access ASDM, click the ASA icon in the topology diagram.
To access the Firefox Browser on the Outside PC, click the Outside PC icon in the topology diagram
To access the Command prompt on the Inside PC, click the Inside PC icon in the topology diagram.
Note:
After you make the configuration changes in ASDM, remember to click Apply to apply the configura
Not all ASDM screens are enabled in this simulation, if some screen is not enabled, try to use differ
ASDM screens may not look and function exactly like the real ASDM.
Answer:
Step1:
Step2:
Step3:
Step4:

Firewall, Configuration, NAT Rules, Name=http, IP version=IPv4, IP address=209.165.201.30


Firewall, Config, NAT Rules, Interface=Outside, Action=Permit, Source=any, Destination=20
Firewall, Config, Service policy Rules, Click Global Policy and edit, Rule Action tab, Click ICMP
Ping www.cisco.com from Inside PC

QUESTION 28
What is the purpose of the Integrity component of the CIA triad?
A. to ensure that only authorized parties can modify data
B. to determine whether data is relevant
C. to create a process for accessing data
D. to ensure that only authorized parties can view data

A
QUESTION 29
Which two statements about Telnet access to the ASA are true? (Choose two).
A. You may VPN to the lowest security interface to telnet to an inside interface.
B. You must configure an AAA server to enable Telnet.
C. You can access all interfaces on an ASA using Telnet.
D. You must use the command virtual telnet to enable Telnet.
E. Best practice is to disable Telnet and use SSH.

AE
QUESTION 30
Which protocol provides security to Secure Copy?
A. IPsec
B. SSH
C. HTTPS
D. ESP

B
QUESTION 31

A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu opt
begin troubleshooting?
A. Ensure that the RDP2 plug-in is installed on the VPN gateway
B. Reboot the VPN gateway
C. Instruct the user to reconnect to the VPN gateway
D. Ensure that the RDP plug-in is installed on the VPN gateway

D
QUESTION 32
Which security zone is automatically defined by the system?
A. The source zone
B. The self zone
C. The destination zone
D. The inside zone

B
QUESTION 33
What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)
A. The Internet Key Exchange protocol establishes security associations
B. The Internet Key Exchange protocol provides data confidentiality
C. The Internet Key Exchange protocol provides replay detection
D. The Internet Key Exchange protocol is responsible for mutual authentication

AD
QUESTION 34
Which address block is reserved for locally assigned unique local addresses?
A. 2002::/16
B. FD00::/8
C. 2001::/32
D. FB00::/8

B
QUESTION 35
What is a possible reason for the error message?
Router(config)#aaa server?

% Unrecognized command
A. The command syntax requires a space after the word "server"
B. The command is invalid on the target device
C. The router is already running the latest operating system
D. The router is a new device on which the aaa new-model command must be applied before conti

D
QUESTION 36
Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A. Smart tunnels can be used by clients that do not have administrator privileges

B. Smart tunnels support all operating systems


C. Smart tunnels offer better performance than port forwarding
D. Smart tunnels require the client to have the application installed locally

AD
QUESTION 37
Which option describes information that must be considered when you apply an access list to a phy
A. Protocol used for filtering
B. Direction of the access class
C. Direction of the access group
D. Direction of the access list

C
QUESTION 38
Which source port does IKE use when NAT has been detected between two VPN gateways?
A. TCP 4500
B. TCP 500
C. UDP 4500
D. UDP 500

QUESTION 39
Which of the following are features of IPsec transport mode? (Choose three.)
A. IPsec transport mode is used between end stations
B. IPsec transport mode is used between gateways
C. IPsec transport mode supports multicast
D. IPsec transport mode supports unicast
E. IPsec transport mode encrypts only the payload
F. IPsec transport mode encrypts the entire packet

ADE
QUESTION 40
Which command causes a Layer 2 switch interface to operate as a Layer 3 interface?
A. no switchport nonnegotiate
B. switchport
C. no switchport mode dynamic auto
D. no switchport

D
QUESTION 41
Which command verifies phase 1 of an IPsec VPN on a Cisco router?
A. show crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto engine connection active

C
QUESTION 42
What is the purpose of a honeypot IPS?
A. To create customized policies
B. To detect unknown attacks
C. To normalize streams
D. To collect information about attacks

D
QUESTION 43
Which type of firewall can act on the behalf of the end device?
A. Stateful packet
B. Application
C. Packet
D. Proxy

D
QUESTION 44, 149
Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the show crypto isakmp as c

A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5


B. IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5
C. IPSec Phase 1 is down due to a QM_IDLE state
D. IPSEc Phase 2 is down due to a QM_IDLE state

A
QUESTION 45
What type of attack was the Stuxnet virus?
A. cyber warfare
B. hactivism
C. botnet
D. social engineering

A
QUESTION 46, 153
Which type of secure connectivity does an extranet provide?
A. remote branch offices to your company network
B. your company network to the Internet
C. new networks to your company network
D. other company networks to your company network

D
QUESTION 47

After reloading a router, you issue the dir command to verify the installation and observe that the i
dir output?
A. The secure boot-image command is configured
B. The secure boot-comfit command is configured
C. The confreg 0x24 command is configured.
D. The reload command was issued from ROMMON.

A
QUESTION 48
What is a reason for an organization to deploy a personal firewall?
A. To protect endpoints such as desktops from malicious activity
B. To protect one virtual network segment from another
C. To determine whether a host meets minimum security posture requirements
D. To create a separate, non-persistent virtual environment that can be destroyed after a session
E. To protect the network from DoS and syn-flood attacks

A
QUESTION 49, 136
Which FirePOWER preprocessor engine is used to prevent SYN attacks?
A. Rate-Based Prevention
B. Portscan Detection
C. IP Defragmentation
D. Inline Normalization

A
QUESTION 50
What VPN feature allows traffic to exit the security appliance through the same interface it entered
A. Hairpinning
B. NAT
C. NAT traversal
D. split tunneling

A
QUESTION 51
When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading
A. Perform a Layer 6 reset
B. Deploy an antimalware system
C. Enable bypass mode
D. Deny the connection inline

D
QUESTION 52
Which statement about Cisco ACS authentication and authorization is true?
A. ACS servers can be clustered to provide scalability
B. ACS can query multiple Active Directory domains
C. ACS uses TACACS to proxy other authentication servers
D. ACS can use only one authorization profile to allo or deny requests

A
QUESTION 53, 137
What is the only permitted operation for processing multicast traffic on zone-based firewalls?
A. Stateful inspection of multicast traffic is supported only for the self zone
B. Stateful inspection for multicast traffic is supported only between the self-zone and the internal
C. Only control plane policing can protect the control plane against multicast traffic.
D. Stateful inspection of multicast traffic is supported only for the internal zone.

C
QUESTION 54
What is one requirement for locking a wired or wireless device from ISE?
A. The ISE agent must be installed on the device
B. The device must be connnected to the network when the lock command is executed
C. The user must approve the locking action
D. The organization must implement an acceptable use policy allowing device locking

A
QUESTION 55
Refer to the exhibit. What type of firewall would use the given cofiguration line?

A. a stateful firewall
B. a personal firewall
C. a proxy firewall
D. an application firewall
E. a stateless firewall

A
QUESTION 56
What are two default Cisco IOS privilege levels? (Choose two)
A. 0
B. 5
C. 1

D. 7
E. 10
F. 15

CF
QUESTION 57
What is the effect of the given command sequence?

A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/2
B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/2
C. it defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24
D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24

A
QUESTION 58
Which tool can an attacker use to attempt a DDos attack?
A. botnet
B. Trojan horse
C. virus
D. adware

A
QUESTION 59
how does the Cisco ASA use Active Directory to authorize VPN users?
A. It queries the Active Directory server for a Specfic attribute for the specific user
B. It sends the username and password to retire an ACCEPT or Reject message from the Active Dire
C. It downloads and stores the Active Directory databas to query for future authorization
D. It redirects requests to the Active Directory server defined for the VPN group

A
QUESTION 60, 174

Which statement about application blocking is true?


A. It blocks access to files with specific extensions
B. It blocks access to specific network addresses
C. It blocks access to specific programs
D. It blocks access to specific network services.

C
QUESTION 61
For what reason would you configure multiple security contexts on the ASA firewall?
A. To enable the use of VFRs on routers that are adjacently connected
B. To provide redundancy and high availability within the organization
C. To enable the use of multicast routing and QoS through the firewall
D. To seperate different departments and business units

D
QUESTION 62
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connec
A. split tunneling
B. hairpinning
C. tunnel mode
D. transparent mode

A
QUESTION 63
When is the best time to perform an anti-virus signature update?
A. When the local scanner has detected a new virus
B. When a new virus is discovered in the wild
C. Every time a new update is available
D. When the system detects a browser hook

QUESTION 64

What is the effect of thesend-lifetime local 23:59:00 31 December 31 2013infinite command


A. It configures the device to begin transmitting the authentication key to other devices at 00:00:0
B. It configures the device to begin transmitting the authentication key to other devices at 23:59:0
C. It configures the device to begin accepting the authentication key from other devices immediate
D. It configures the device to generate a new authentication key and transmit it to other devices at
E. It configures the device to begin accepting the authentication key from other devices at 23:59:0
F. It configures the device to begin accepting the authentication key from other devices at 00:00:00

B
QUESTION 65
Which Statement about personal firewalls is true?
A. They are resilient against kernal attacks
B. They can protect email messages and private documents in a similar way to a VPN
C. They can protect the network against attacks
D. They can protect a system by denying probing requests

D
QUESTION 66
Refer to the exhibit. While troubleshooting site-to-site VPN, you issued theshow crypto ipsec sac

A. ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1


B. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5
C. IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5
D. IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets

B
QUESTION 67

Which statement about a PVLAN isolated port configured on a switch is true?


A. The isolated port can communicate only with the promiscous port
B. The isolated port can communicate with other isolated ports and the promiscuous port
C. The isolated port can communicate only with community ports
D. The isolated port can communicate only with other isolated ports

A
QUESTION 68, 82, 131
Which three statements about host-based IPS are true? (Choose three)
A. It can view encrypted files
B. It can be deployed at the perimeter
C. It uses signature-based policies
D. It can have more restrictive policies than network-based IPS
E. It works with deployed firewalls
F. It can generate alerts based on behavior at the desktop level.

ADF
QUESTION 69, 101
What type of security support is provided by the Open Web Application Security Project?
A. Education about common Web site vulnerabilities
B. A wb site security framework
C. A security discussion forum for Web site developers
D. Scoring of common vulnerabilities and exposures

A
QUESTION 70
Refer to the exhibit. Which statement about the device time is true?

A. The time is authoritative because the clock is in sync


B. The time is authoritative, but the NTP process has lost contact with its servers
C. The clock is out of sync
D. NTP is configured incorrectly
E. The time is not authoritative

B
QUESTION 71
In what type of attack does an attacker virtually change a devices burned in address in an attempt
A. gratuitous ARP
B. ARP poisoning
C. IP Spoofing
D. MAC Spoofing

D
QUESTION 72
How does a zone-based firewall implementation handle traffic between Interfaces in the same Zon
A. traffic between interfaces in the same zone is blocked unless yoc configure the same-security pe

B. Traffic between interfaces in the same zone is always blocked


C. Traffic between two interfaces in the same zone is allowed by default
D. Traffic between interfaces in the same zone is blocked unless you apply a service policy to the z

C
QUESTION 73
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible r
A. The switch could offer fake DHCP addresses.
B. The switch could become the root bridge.

C. The switch could be allowed to join the VTP domain


D. The switch could become a transparent bridge.

B
QUESTION 74, 141
Which two next generation encrytption algorithms does Cisco recommend? (Choose two)
A. AES
B. 3DES
C. DES
D. MD5
E. DH-1024
F. SHA-384

AF
QUESTION 75, 114
What three actions are limitations when running IPS in promiscous mode? (Choose three)
A. deny attacker
B. request block connection
C. deny packet
D. modify packet
E. request block host
F. reset TCP connection

ACD
QUESTION 76
Which two feature do CoPP and CPPr use to protect the control plane? (Choose two)
A. QoS
B. traffic classification
C. access lists
D. policy maps
E. class maps

F. Cisco Express Forwarding

AB
QUESTION 77
What is an advantage of implementing a Trusted Platform Module for disk encryption?
A. It provides hardware authentication
B. It allows the hard disk to be transferred to another device without requiring re-encryption.dis
C. it supports a more complex encryption algorithm than other disk-encryption technologies.
D. it can protect against single poins of failure.

A
QUESTION 78
Refer to the exhibit. What is the effect of the given command sequence?

A. It configures IKE Phase 1


B. It configures a site-to-site VPN Tunnel
C. It configures a crypto policy with a key size of 14400
D. It configures IPSec Phase 2

A
QUESTION 79
A specific URL has been identified as containing malware. What action can you take to block users

A. Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the routers
B. Enable URL filtering on the perimeter router and add the URLs you want to allow to the firewalls
C. Create a blacklist that contains the URL you want to block and activate the blacklist on the perim
D. Enable URL filtering on the perimeter router and add the URLs you want to block to the routers l
E. Create a whitelist that contains the URls you want to allow and activate the whitelist on the perim

E
QUESTION 80
If you change the native VLAN on the port to an unused VLAN, what happens if an attacker attemp
A. The trunk port would go into an error-disable state.
B. A VLAN hopping attack would be successful
C. A VLAN hopping attack would be prevented
D. the attacked VLAN will be pruned

C
QUESTION 81
What is an advantage of placing an IPS on the inside of a network?
A. It can provide higher throughput.
B. It receives traffic that has already been filtered.
C. It receives every inbound packet.
D. It can provide greater security.

B
QUESTION 83
Which syslog severity level is level number 7?
A. Warning
B. Informational
C. Notification
D. Debugging

D
QUESTION 84
Which type of mirroring does SPAN technology perform?
A. Remote mirroring over Layer 2

B. Remote mirroring over Layer 3


C. Local mirroring over Layer 2
D. Local mirroring over Layer 3

C
QUESTION 85
Which tasks is the session management path responsible for? (Choose three.)
A. Verifying IP checksums
B. Performing route lookup
C. Performing session lookup
D. Allocating NAT translations
E. Checking TCP sequence numbers
F. Checking packets against the access list

BDF
QUESTION 86
Which network device does NTP authenticate?
A. Only the time source
B. Only the client device
C. The firewall and the client device
D. The client device and the time source

A
QUESTION 87
What hash type does Cisco use to validate the integrity of downloaded images?
A. Sha1
B. Sha2
C. Md5
D. Md1

C
QUESTION 88
Which option is the most effective placement of an IPS device within the infrastructure?
A. Inline, behind the internet router and firewall
B. Inline, before the internet router and firewall
C. Promiscuously, after the Internet router and before the firewall
D. Promiscuously, before the Internet router and the firewall

A
QUESTION 89

If a router configuration includes the lineaaa authentication login default group tacacs+ en
A. The user will be prompted to authenticate using the enable password
B. Authentication attempts to the router will be denied
C. Authentication will use the router`s local database
D. Authentication attempts will be sent to the TACACS+ server

AD
QUESTION 90
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
A. SDEE
B. Syslog
C. SNMP
D. CSM

A
QUESTION 91
Which type of address translation should be used when a Cisco ASA is in transparent mode?
A. Static NAT
B. Dynamic NAT
C. Overload
D. Dynamic PAT

A
QUESTION 92
Which components does HMAC use to determine the authenticity and integrity of a message?
A. The password
B. The hash
C. The key
D. The transform set

BC
QUESTION 93
What is the default timeout interval during which a router waits for responses from a TACACS serve
A. 5 seconds
B. 10 seconds
C. 15 seconds
D. 20 seconds

A
QUESTION 94
Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2

CEF
QUESTION 95
Which command initializes a lawful intercept view?
A. username cisco1 view lawful-intercept password cisco
B. parser view cisco li-view
C. li-view cisco user cisco1 password cisco
D. parser view li-view inclusive

C
QUESTION 96
Which security measures can protect the control plane of a Cisco router? (Choose two.)
A. CCPr
B. Parser views
C. Access control lists
D. Port security
E. CoPP

AE
QUESTION 97
Which statement about extended access lists is true?
A. Extended access lists perform filtering that is based on source and destination and are most effe
B. Extended access lists perform filtering that is based on source and destination and are most effe
C. Extended access lists perform filtering that is based on destination and are most effective when

D. Extended access lists perform filtering that is based on source and are most effective when app

B
QUESTION 98
Which protocols use encryption to protect the confidentiality of data transmitted between two part
A. FTP

B. SSH
C. Telnet
D. AAA
E. HTTPS

BE
QUESTION 99
What are the primary attack methods of VLAN hopping? (Choose two.)
A. VoIP hopping
B. Switch spoofing
C. CAM-table overflow
D. Double tagging

BD
QUESTION 100

How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall
A. Issue the command anyconnect keep-installer under the group policy or username webvpn mod
B. Issue the command anyconnect keep-installer installed in the global configuration
C. Issue the command anyconnect keep-installerinstalledunder the group policy or username webv
D. Issue the command anyconnect keep-installer installer under the group policy or username web

C
QUESTION 102
What is the FirePOWER impact flag used for?
A. A value that indicates the potential severity of an attack.
B. A value that the administrator assigns to each signature.
C. A value that sets the priority of a signature.
D. A value that measures the application awareness.

A
QUESTION 103
Which two services define cloud networks? (Choose two.)
A. Infrastructure as a Service
B. Platform as a Service
C. Compute as a Service
D. Security as a Service
E. Tenancy as a Service

AB
QUESTION 104
In a security context, which action can you take to address compliance?
A. Implement rules to prevent a vulnerability
B. Correct or counteract a vulnerability
C. Reduce the severity of a vulnerability
D. Follow directions from the security appliance manufacturer to remediate a vulnerability

A
QUESTION 105
How many times was a read-only string used to attempt a write operation?

A. 6
B. 9
C. 4
D. 3
E. 2

B
QUESTION 106
What can the SMTP preprocessor in a FirePOWER normalize?
A. It can extract and decode email attachments in client to server traffic
B. It can look up the email sender
C. it compares known threats to the email sender
D. It can forward the SMTP traffic to an email filter server
E. It uses the Traffic Anomaly Detector

A
QUESTION 107

You want to allow all of your companies users to access the Internet without allowing other Web se
(Choose two).
A. Configure a proxy server to hide users local IP addresses
B. Assign unique IP addresses to all users.
C. Assign the same IP addresses to all users
D. Install a Web content filter to hide users local IP addresses
E. Configure a firewall to use Port Address Translation.

AE
QUESTION 108, 164
Which two authentication types does OSPF support? (Choose two)
A. plaintext

B. MD5
C. HMAC
D. AES 256
E. SHA-1
F. DES

AB
QUESTION 109, 159

Refer to the exhibit. The Admin user is unable to enter configuration mode on a device with the giv

A. Remove the Autocommand keyword and arguments from the Username Admin privilege line
B. Change the Privilege exec level value to 15
C. Remove the two Username Admin lines
D. Remove the Privilege exec line.

A
QUESTION 110, 135
What command can you use to verify the binding table status?
A. Show ip dhcp snooping binding
B. Show ip dhcp snooping database
C. show ip dhcp snooping statistics
D. show ip dhcp pool
E. show ip dhcp source binding
F. show ip dhcp snooping

B
QUESTION 111

If a switch receives asuperiorBPDU and goes directly into a blocked state, what mecanism must be
A. Etherchannel guard
B. root guard
C. loop guard
D. BPDU guard

B
QUESTION 112
What type of packet creates and performs network operations on a network device?
A. data plane packets
B. management plane packets
C. services plane packets
D. control plane packets

D
QUESTION 113, 145
Which two statements about stateless firewalls are true? (Choose two.)
A. They compare the 5-tuple of each incoming packet against configurable rules.
B. They cannot track connections.
C. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.
D. Cisco IOS cannot implement them because the platform is stateful by nature.
E. The Cisco ASA is implicitly stateless because it blocks all traffic by default.

AB
QUESTION 115
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enab
A. aaa authentication enable console LOCAL SERVER_GROUP

B. aaa authentication enable console SERVER_GROUP LOCAL


C. aaa authentication enable console local
D. aaa authentication enable console LOCAL

D
QUESTION 116
Which accounting notices are used to send a failed authentication attempt record to a AAA server?
A. start-stop
B. stop-record
C. stop-only
D. stop

AC
QUESTION 117
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A. The interface on both switches may shut down
B. STP loops may occur
C. The switch with the higher native VLAN may shut down
D. The interface with the lower native VLAN may shut down

B
QUESTION 118
Which type of IPS can identify worms that are propagating in a network?
A. Policy-based IPS
B. Anomaly-based IPS
C. Reputation-based IPS
D. Signature-based IPS

B
QUESTION 119

By which kind of threat is the victim tricked into entering username and password information at a
A. Spoofing
B. Malware
C. Spam
D. Phishing

D
QUESTION 120
Which Cisco product can help mitigate web-based attacks within a network?
A. Adaptive Security Appliance
B. Web Security Appliance
C. Email Security Appliance
D. Identity Services Engine

B
QUESTION 121

Which statement correctly describes the function of a private VLAN?


A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadca

A
QUESTION 122
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?

A. Unidirectional Link Detection


B. Unicast Reverse Path Forwarding
C. TrustSec
D. IP Source Guard

B
QUESTION 123
What is the most common Cisco Discovery Protocol version 1 attack?
A. Denial of Service
B. MAC-address spoofing
C. CAM-table overflow
D. VLAN hopping

A
QUESTION 124
What is the Cisco preferred countermeasure to mitigate CAM overflows?
A. Port security
B. Dynamic port security
C. IP source guard
D. Root guard

B
QUESTION 125
When a switch has multiple links connected to a downstream switch, what is the first step that STP
A. STP elects the root bridge
B. STP selects the root port
C. STP selects the designated port
D. STP blocks one of the ports

A
QUESTION 126
Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)
A. Port security
B. DHCP snooping
C. IP source guard
D. Dynamic ARP inspection

BD
QUESTION 127
Which of the following statements about access lists are true? (Choose three.)
A. Extended access lists should be placed as near as possible to the destination
B. Extended access lists should be placed as near as possible to the source
C. Standard access lists should be placed as near as possible to the destination
D. Standard access lists should be placed as near as possible to the source
E. Standard access lists filter on the source address
F. Standard access lists filter on the destination address

BCE
QUESTION 128
In which stage of an attack does the attacker discover devices on a target network?
A. Reconnaissance
B. Covering tracks
C. Gaining access
D. Maintaining access

A
QUESTION 129
Which type of security control is defense in depth?
A. Threat mitigation
B. Risk analysis
C. Botnet mitigation
D. Overt and covert channels

A
QUESTION 130
On which Cisco Configuration Professional screen do you enable AAA?
A. AAA Summary
B. AAA Servers and Groups
C. Authentication Policies
D. Authorization Policies

A
QUESTION 132
What are two users of SIEM software? (Choose two)
A. performing automatic network audits
B. configuring firewall and IDS devices
C. alerting administrators to security events in real time
D. scanning emails for suspicious attachments
E. collecting and archiving syslog data

CE
QUESTION 134
What statement provides the best definition of malware?
A. Malware is tools and applications that remove unwanted programs.
B. Malware is a software used by nation states to commit cyber-crimes.
C. Malware is unwanted software that is harmful or destructive
D. Malware is a collection of worms, viruses and Trojan horses that is distributed as a single.

C
QUESTION 138
Which of encryption technology has the broadcast platform support to protect operating systems?
A. Middleware
B. Hardware
C. software
D. file-level

D
QUESTION 139
Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam
and sophisticated phishing attack?
A. holistic understanding of threats
B. graymail management and filtering
C. signature-based IPS
D. contextual analysis

D
QUESTION 140
Which Sourfire secure action should you choose if you want to block only malicious traffic from a p
A. Trust
B. Block
C. Allow without inspection
D. Monitor
E. Allow with inspection

E
QUESTION 142
When an administrator initiates a device wipe command from the ISE, what is the immediate effec
A. It requests the administrator to choose between erasing all device data or only managed corpor

B. It requests the administrator to enter the device PIN or password before proceeding with the ope
C. It immediately erases all data on the device.
D. It notifies the device user and proceeds with the erase operation

A
QUESTION 143
How does a device on a network using ISE receive its digital certificate during the new-device regis
A. ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server
B. The device request a new certificate directly from a central CA
C. ISE issues a pre-defined certificate from a local database
D. ISE issues a certificate from its internal CA server.

A
QUESTION 144
How can you detect a false negative on an IPS?
A. View the alert on the IPS
B. Use a third-party to audit the next-generation firewall rules
C. Review the IPS console
D. Review the IPS log
E. Use a third-party system to perform penetration testing

E
QUESTION 147
Which type of PVLAN port allows host in the same VLAN to communicate directly with the other?
A. promiscuous for hosts in the PVLAN
B. span for hosts in the PVLAN
C. Community for hosts in the PVLAN
D. isolated for hosts in the PVLAN

C
QUESTION 148
Refer to the exhibit while troubleshooting site-to-site VPN, you issued the show crypto isakamp sa
Dst src state conn-id slot
10.10.10.2 10.1.1.5 MM_NO_STATE 1 0
A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
B. IKE Phase 1 main mode has successfully negotiate between 10.1.1.5 and10.10.10.2
C. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
D. IKE Phase 1 aggressive mode was create on 10.1.1.5, but it failed to negotiate with 10.10.10.2

A
QUESTION 150

Refer to the exhibit. You have configured R1 and R2 as shown, but the routers are unable to establ
R1
Interface GigabitEthernet 0/0
IP address 10.20.20.4 255.255.255.255.0
Crypto isakmp policy 1
Authentication pre-share
Lifetime 84600
Crypto isakmp key test67890 address 10.20.20.4
R2
Interface GigabitEthernet 0/0
IP address 10.20.20.4 255.255.255.255.0
Crypto isakmp policy 10
Authentication pre-share
Lifetime 84600
Crypto isakmp key test12345 address 10.30.30.5
A. Edit the crypto keys on R1 and R2 to match.
B. Edit the crypto isakmp key command on each router with the address value of its own interface
C. Edit the ISAKMP policy sequence numbers on R1 and R2 to match.
D. set a valid value for the crypto key lifetime on each router.

A
QUESTION 151
Refer to the exhibit. Which statement about the given configuration is true?
Tacacs server tacacsl
Address ipv4 1.1.1.1
Timeout 20
Single- connection
Tacacs server tacacs2
Address ipv4 2.2.2.2
Timeout 20
Single- connection
Tacacs server tacacs3
Address ipv4 3.3.3.3
Timeout 20
Single- connection

A. The timeout command causes the device to move to the next server after 20 seconds of TACACS
B. The single-connection command causes the device to process one TACACS request and then mo
C. The single-connection command causes the device to establish one connection for all TACACS tr
D. The router communicates with the NAS on the default port, TCP 1645

C
QUESTION 152
Refer to the exhibit. What is the effect of the given command?
Crypto ipsec transform-set myset esp-md5-hmac esp-aes-256
A. It configures authentication to use AES 256.
B. It configures authentication to use MD5 HMAC.
C. It configures authorization use AES 256.
D. It configures encryption to use MD5 HMAC.
E. It configures encryption to use AES 256.

BE
QUESTION 154
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
A. Unicast IPv6 traffic from a higher security interface to a lower security interface is permitted in t
B. Only BPDUs from a higher security interface to a lower security interface are permitted in routed

C. ARPs in both directions are permitted in transparent mode only


D. Unicast IPv4 traffic from a higher security interface to a lower security interface is permitted in r
E. Only BPDUs from a higher security interface to a lower security interface are permitted in transp

C
QUESTION 155

You have been tasked with blocking user access to website that violate company policy, but the sit
A. Enable URL filtering and create a blacklist to block the websites that violate company policy.
B. Enable URL filtering and create a whitelist to allow only the websites the company policy allow u
C. Enable URL filtering and use URL categorization to allow only the websites the company policy a
D. Enable URL filtering and create a whitelist to block the websites that violate company policy.
E. Enable URL filtering and use URL categorization to block the websites that violate company polic

E
QUESTION 156
What is the potential drawback to leaving VLAN 1 as the native VLAN?
A. Gratuitous ARPs might be able to conduct a man-in-the-middle attack.
B. The CAM might be overloaded, effectively turning the switch into hub.
C. VLAN 1 might be vulnerable to IP address spoofing
D. It may be susceptible to a VLAN hopping attack

D
QUESTION 157
Refer to the exhibit. Which line in this configuration prevents the HelpDesk user from modifying th
Username Engineer privilege 9 password 0 configure
Username Monitor privilege 8 password 0 vatcher
Username HelpDesk privilege 6 password help
Privilege exec level 6 show running
Privilege exec level 7show start-up
Privilege exec level 9 show configure terminal
Privilege exec level 10 interface
A. Privilege exec level 9 show configure terminal
B. Privilege exec level 7show start-up
C. Privilege exec level 10 interface
D. Username HelpDesk privilege 6 password help

D
QUESTION 158
Which IPS mode provides the maximum number of actions?
A. Inline
B. bypass

C. span
D. failover
E. promiscuous

A
QUESTION 160
Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
A. Network blocking
B. signature updates
C. file analysis
D. file reputation

D
QUESTION 161
What configuration allows AnyConnect to authenticate automatically establish a VPN session when
A. proxy
B. Trusted Network Detection
C. transparent mode
D. always-on

D
QUESTION 162
Which statement about the communication between interfaces on the same security level is true?
A. All Traffic is allowed by default between interfaces on the same security level.
B. Interface on the same security level require additional configuration to permit inter-interface com

C. Configuring interface on the same security level can cause asymmetric routing.
D. You can configure only one interface on an individual security level.

B
QUESTION 165
Which feature filters CoPP packets?
A. Policy maps
B. route maps
C. access control lists
D. class maps

C
QUESTION 166
In which type of attack does an attacker send email message that ask the recipient to click a link s
A. pharming
B. phishing
C. solicitation
D. secure transaction

B
QUESTION 167
If the router ospf 200 command, what does the value 200 stands for?
A. Administrative distance value
B. process ID
C. area ID.
D. ABR ID

B
QUESTION 168

Your security team has discovered a malicious program that has been harvesting the CEO's email m
your team discover?
A. social activism
B. drive-by spyware
C. targeted malware
D. advance persistent threat
E. Polymorphic virus

CD
QUESTION 169
What is the best way to confirm that AAA authentication is working properly?
A. use the test aaa command
B. use the Cisco-recommended configuration for AAA authentication
C. Log into and out of the router, and then check the NAS authentication log
D. Ping the NAS to confirm connectivity

A
QUESTION 170
What is the benefit of web application firewall?
A. It accelerate web traffic
B. It blocks know vulnerabilities without patching applications
C. It supports all networking protocols.

D. It simplifies troubleshooting

B
QUESTION 171
What improvement does EAP-FASTv2 provide over EAP-FAST?
A. It support more secure encryption protocols.
B. It allows multiple credentials to be passed in a single EAP exchange
C. It addresses security vulnerabilities found in the original protocol.
D. It allows faster authentication by using fewer packets.

B
QUESTION 172
Which statement about IOS privilege levels is true?
A. Each privilege level is independent of all other privilege levels.
B. Each privilege level supports the commands at its own level and all levels above it.
C. Each privilege level supports the commands at its own level and all levels below it.
D. Privilege-level commands are set explicitly for each user.

C.
QUESTION 173
What mechanism does asymmetric cryptography use to secure data?
A. an RSA nonce
B. a public/private key pair.
C. an MD5 hash.
D. shared secret keys.

B
QUESTION 175
What are the three layers of a hierarchical network design? (Choose three.)
A. core
B. access
C. server
D. user
E. internet
F. distribution

ABF
QUESTION 176
In which type of attack does the attacker attempt to overload the CAM table on a switch so that the
A. gratuitous ARP
B. MAC flooding
C. MAC spoofing
D. DoS

B
QUESTION 177
Refer to the exhibit. With which NTP server has the router synchronized?
209.114.111.1 Configure, ipv4, same, valid, stratum 2 ref ID 132.163.4.103, time
D7AD124D.9D6FC576 (03:17:33.614 UTC Sun Aug 31 2014) our mode client, peer mode server,
our poll intvl 64, peer poll intvl 64 root delay 46.34 msec, root disp 23.52, reach 1, sync dist
268.59 delay 63.27 msec, offset 7.9817 msec, dispersion 187.56, jitter 2.07 msec precision
2**23, version 4
204.2.134.164 Configure, ipv4, same, valid, stratum 2 ref ID 241.199.164.101, time
D7AD1D149.9EB5272B (03:25:13.619 UTC Sun Aug 31 2014) our mode client, peer mode
server, our poll intvl 64, peer poll intvl 256 root delay 30.83 msec, root disp 4.88, reach 1, sync
dist 223.80 delay 28.69 msec, offset 6.4331 msec, dispersion 187.56, jitter 1.39 msec precision
2**23, version 4
192.168.10.7 Configure, ipv4, our_master, sane, valid, stratum 3 ref ID 108.61.73.243, time
D7AD0D8F.AE79A23A (02:57:19.681 UTC Sun Aug 31 2014) our mode client, peer mode server,

our poll intvl 64, peer poll intvl 64 root delay 86.45 msec, root disp 87.82, reach 377, sync dist
134.25 delay 0.89 msec, offset 19.5087 msec, dispersion 1.69, jitter 0.84 msec precision 2**23,
version 4
A. 192.168.10.7
B. 108.61.73.243
C. 209.114.111.1
D. 204.2.134.164
E. 132.163.4.103
F. 241.199.164.101

A
QUESTION 178
What are two ways to protect eavesdropping when you perform device-management task? (Choose
A. use SNMPv2
B. use SSH connection
C. use SNMPv3
D. use in-band management
E. use out-band management

BC
QUESTION 179
Which firewall configuration must you perform to allow traffic to flow in both directions between tw
A. You can configure a single zone pair that allows bidirectional traffic flows from for any zone exce
B. You must configure two zone pair, one for each direction
C. You can configure a single zone pair that allows bidirectional traffic flows for any zone
D. You can configure a single zone pair that allows bidirectional traffic flows only if the source zone

B
QUESTION 180
Which three ways does the RADIUS protocol differ from TACACS?? (Choose three)
A. RADIUS authenticates and authorizes simultaneously. Causing fewer packets to be transmitted
B. RADIUS encrypts only the password field in an authentication packets
C. RADIUS can encrypt the entire packet that is sent to the NAS
D. RADIUS uses UDP to communicate with the NAS
E. RADIUS uses TCP to communicate with the NAS
F. RADIUS support per-command authentication

ABD
QUESTION 181
A data breach has occurred and your company database has been copied. Which security principle
A. Confidentiality
B. Access
C. Control
D. Availability

A
QUESTION 182
If a switch receives aonlysuperior BPDU and goes directly into a blocked state, what mechanism m
A.STP BPDU guard
B. portfast
C. EherCahannel guard
D. loop guard
E. STP Root guard

E
QUESTION 183
What is the primary purposed of a defined rule in an IPS?
A. to detect internal attacks
B. to define a set of actions that occur when a specific user logs in to the system
C. to configure an event action that is pre-defined by the system administrator
D. to configure an event action that takes place when a signature is triggered.

D.
QUESTION 184

How does PEAP protect EAP exchange?


A. it encrypts the exchange using the client certificate.
B. it validates the server-supplied certificate and then encrypts the exchange using the client certifi
C. it encrypts the exchange using the server certificate
D. it validates the client-supplied certificate and then encrypts the exchange using the server
certificate.

C.

QUESTION 185
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal opera
A. When matching ACL entries are configured
B. when matching NAT entries are configured
C. When the firewall requires strict HTTP inspection
D. When the firewall requires HTTP inspection
E. When Firewall Recieves a FIN packet
F. When the firewall already has a TCP connection

ABD
QUESTION 186
How can firepower block malicious email attachments?
A) It forwards email requests to an external signature engine
B) It sends the traffic through a file policy
C) It scans inbound email messages for known bad URLs
D) It sends an alert to the administrator to verify suspicious email messages

B
QUESTION 187
A proxy firewall protects against which type of attacks?
A. DDoS
B. port scanning
C. worm traffic
D. cross-site scripting attacks

D.
QUESTION 188
Which two statements regarding the ASA VPN configurations are correct? (Choose two)
A. The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_Tru
B. The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS server method.
C. The Inside-SRV bookmark references thehttps://10.1.1.xURL
D. Only Clientless SSL VPN access is allowed with the Sales group policy
E. AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outside interface
F. The Inside-SRV bookmark has not been applied to the Sales group policy

BC
QUESTION 189
which feature allow to forward network host to the internet with public IP addres
A. NAT
B.Trusted network detection
C.
D.

A
QUESTION 190
which NAT option is executed first during in case of multiple nat translations
A. dynamic nat with shortest prefix
B. dynamic nat with longest prefix
C. static nat with shortest prefix
D. static nat with longest prefix

D.
QUESTION 191
which feature allow from dynamic NAT pool to choose next IP address and not a port on a used IP a
A. next IP
B. round robin
C. Dynamic rotation
D. Dynamic PAT rotation

B
QUESTION 192
Which three statements are characteristics of DHCP Spoofing? (choose three)
A. Arp Poisoning
B. Modify Traffic in transit
C. Used to perform man-in-the-middle attack
D. Physically modify the network gateway
E. Protect the identity of the attacker by masking the DHCP address
F. can access most network devices

ABC
Which NAT type allows only objects or groups to reference an IP address?
A. dynamic NAT
B. dynamic PAT
C. static NAT
D. identity NAT

A
QUESTION 10
In which two situations should you useout-of-bandmanagement? (Choose two)
A. when a network device fails to forward packets
B. when management applications need concurrent access to the device
C. when you require ROMMON access
D. when you require adminstrator access from multiple locations
E. when the control plane fails to respond

AC
In which two situations should you usein-bandmanagement? (Choose two.)
A. when management applications need concurrent access to the device
B. when you require administrator access from multiple locations
C. when a network device fails to forward packets
D. when you require ROMMON access
E. when the control plane fails to respond

Answer: A,B

p.:Look at this doc:


http://www.cisco.com/c/
en/us/support/docs/sec
urity/firesightmanagementcenter/118012-

p.:Look at this doc:


http://www.cisco.com/c/
en/us/support/docs/sec
urity/firesightmanagementcenter/118012troubleshoot-firesight00.html#anc6
Step 2: Determine the
Logging Option
--> it clearly says:
For a single connection,
the end-of-connection
event contains all of
the information in the
beginning-ofconnection event as
well as information that
was gathered over the
duration of the session.
For Trust and Allow
rules, it is
recommended that
End-of-Connection is
used.
So the answer B is
correct

A:http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1300series/prod_qas09186a00802030dc.html

p.:not so sure. To
verify??

p.:to verify!!
NO Correct Answer is D
as I checked in Sim and
only LOCAL(AAA) is the
authentication methos in
it.

p.:According to this post:


https://supportforums.cisco.com/discussion/10987516/howenable-telnet-asa
Answer A is correct

p.:Very stupid question... I can't be 100%sure to get it right...


According to this article:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nextgeneration-firewalls/113600-technote-product-00.html
"RDP2 plug-in: Due to changes within the RDP protocol, the Proper Java RDP
Client was updated in order to support Microsoft Windows 2003 Terminal
Servers and Windows Vista Terminal Servers. "
So RDP2 tend to be the right answer. However, it says right after:
"Tip: The latest RDP plug-in combines both RDP and RDP2 protocols. As a
result the RDP2 plug-in is obsolete. It is recommended to utilize the mostrecent version of the RDP plug-in."
The question doesn't specify what version it is, neither "Ensure that the
LATEST RDP plug-in in installed on the VPN gateway"
So in my opinion, I would keep the same two answers, as rebooting or
reconnecting actions are not really the type of action Cisco would
recommend.

p.:By elimination I would answer the same.


According to prereq here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/152mt/sec-conn-sslvpn-smart-tunnels-support.html
Not all OS are supported, so B to be removed.
Smart tunnels doesn't open better performance than port forwarding. It offers an
easier user experience, or implementation, but not performance. So C to be
removed.

p.:Correct answer, according to this post:


https://supportforums.cisco.com/discussion/12043016/pls-explain-sviacl-source-and-destination-direction
The direction applies to the access-group

p.:A is the correct answer. Hairpinning consist of traffic


being forwarded through the same interface it came in.
NAT is definitly out of the topic and split tunneling is
splitting traffic between VPN and non VPN traffic.

p.:B to be removed: Only one AD can be queried.


D to be removed: Mulitple authroization profile is definitly possible.
According to:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_contro
l_system/5-1/user/guide/acsuserguide/policy_mod.html
"ACS 5.1 can function both as a RADIUS and RADIUS proxy server."
--> No mention of TACACS, so I would also remove answer C
Moreover, Cisco ACS can definitly be clustered to offer redundancy, so A
seems to be the only valid answer.

p.:C makes no sense. If the user could simply refuse the lock
command of a stolen device, it would render the feature totally
useless.
B makes no sense to me neither, same as above, it would render the
feature useless. The lock command should apply once the device
connect for the first time, since it was initiated.
A is my only answer, as the ISE agent indeed needs to be installed on
devices, to allow ISE to control them.

p.:Seems right.
B makes no sense.
C apply to a network firewall, not a personal firewalls.
A seems wrong as well. A personal firewall is resilient against attacked to an
overall system, not only its kernel. So D seems right.

p.:A is correct as the data is unencrypted at the host end, its HIPS can see
encrypted data content.
Then all D, E and F seems as valid answer. Some HIPS even make use of
firewalls for active response, so E seems as an acceptable answer, unless
we're talking about Cisco HIPS only and some limitation I'm unaware of.

p.:Correct answer, see


CBT Nuggets, Video 28
for this.
A leading . Means time is
authoritative, but not
synchronized.

p.:CoPP uses QoS together with other rate limit to


secure the control pane.
CPPr uses traffic classification with more control
over rate limitation and filtering.
So A and B are correct answers.

p.:Wiki page:
https://en.wikipedia.org/wiki/Trusted_Platform_Module
"Software can use a Trusted Platform Module to authenticate hardware
devices. Since each TPM chip has a unique and secret RSA key burned in as
it is produced, it is capable of performing platform authentication."
So A is the only choice.
Moreover, transferring disks without re-encryption or de-cryption would
render the feature useless, so we can forget about B.
Same for C and D, the answers make no sense.

p.:An IPS device Max throughput remain binded to the same


physical limit, wherever we place it, so A is wrong.
B is the right answer. Inbound devices such as Firewall would
already filter and block a certain amount of traffic, thus less to
process for the IPS once it's in the inside network.
C is also senseless as it would receive every inbound packets
anyway, wherever it is placed.
Same for D: placing it inside or outside doesn't necessarily
influence on its security performance

p.:C is the correct answer, see details here:


p.:Cisco Content Switching Module (CSM) is another thing, so D is
p.:See:
http://www.cisco.com/c/en/us/about/security-center/ios-imagewrong.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configurati
verification.html
SNMP is not an alert or event log protocol, so C is also wrong.
on/guide/conf_gd/cfgnat.html#wp1102744
Syslog and SDEE could be the correct answer, but syslog is less
secure. I therefore assume Cisco IME allows to use the recommended
NAT in Transparent Mode
SDEE protocol for up to 10 sensors.
NAT in transparent mode has the following requirements and
limitations:
you cannot use interface PAT.

A.:http://www.cisco.com/c/e
n/us/td/docs/ios/12_2/securit
y/command/reference/fsecur
_r/srfacct.html

p.:not so sure. To
verify??

A.:Ref:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/
A.:Ref:
http://www.cisco.com/c/en/us/td/docs/security/ise/1Unified_Access/BYOD_Design_Guide/Managing_Lost_or_Stolen_Device.pdf
3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html
A.:http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/
guide/fsecur_c/scftplus.html

A.:Ref:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/
A.:Ref:
http://www.cisco.com/c/en/us/td/docs/security/ise/1Unified_Access/BYOD_Design_Guide/Managing_Lost_or_Stolen_Device.pdf
3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html
A.:http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/
guide/fsecur_c/scftplus.html

A.:http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-userguide/asa-firepower-module-user-guide-v541/AMP-Config.html

A.:http://www.netcraftsmen.com/nat-configuration-on-asa-8-4-part-1/
A.:http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/asdm75/firewall/as
A static NAT rule is always preferred over a dynamic NAT rule. Thus, all the static NAT rules are enc
dm-75-firewall-config/nat-basics.html
dynamic NAT rules. As an example, a static NAT rule that translates the 192.168.13.0/26 will appea
NAT rule that translates the 192.168.13.0/24 block to an IP.

_01000.html

_01000.html

odule-user-

/firewall/as
static NAT rules are encountered before all
2.168.13.0/26 will appear before a static