Here are some questions that I recall and formulated in my own words:

1) Hacker is intercepting CDP packets in the network. Which info can he get from captured CDP
packets? I choose “VTP Domain”, “Hardware Platform”, “Device ID or something like this”. You can
find that info in “show cdp neighbors detail” output or get more info on CDP protocol from Cisco
docs to be confident with that.

2) The question was about mixed ACLs and object groups – I choose “You can mix IPv4 and
IPv6 addresses in the same ACE” and “You can mix IPv4 and IPv6 entries in network object
group”. So, get confident with that topic as well.

3) Prime Infrastructure admin discovers the network and wants to use Web Services
Management Agent for configuring devices. Which protocol allows use of WSMA?

– Telnet
– SSHv2
– SNMPv2
– SNMPv3

I choose “SSHv2” as it is a valid protocol supporting WSMA on PI. (You can find some info on
that at the following link:
https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-3/user/guide/bk_CiscoPrimeInfrastructure_3_3_0_UserGuide/bk_CiscoPrimeInfrastructure_3_3_0_UserGuide_chapter_0100010.html#task_1114937)

4) How many servers does Prime Infrastructure High Availability support?

– 2
– 4
– 6
– 8

I choose “2” as I have experience with PI in HA deployment mode and there are just Primary and
Secondary PI. (BTW, check it out for more confidence)

5) D&D question with ASA capture parameters. You must map correct options (from left
column) to “asp-drop”, “data_path”, and “ethertype” (on right column). I can’t recall all options
from left column, so get more info on ASA capture options to be confident with that question.

6) You are going to add ASA to CSM (Cisco Security Manager). Which port on ASA must be
reachable for CSM to succeed?

– 21
– 22
– 80
– 443

I choose “443”. Again, get more info on that topic.

7) You are a network engineer at some company. There are issues with Internet access. Which
capture ACL must be used in order to capture only return web traffic?
I choose “permit tcp any eq 80 10.10.1.0 255.255.255.0” (the network IP I chose just for example)

8) In which cases will DHCP Snooping drop DHCP packets?

There were two options that exactly match word by word what is in the Cisco doc
(https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html)

– The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or
DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.

– The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host
with an entry in the DHCP snooping binding table, and the interface information in the binding
table does not match the interface on which the message was received.

Again, read carefully about the DHCP Snooping topic in order to feel confident on that.

9) There is a web server that runs on TCP port 1521. Assuming ASA uses the default inspection
policy, which protocol inspection will be used?

– MGCP
– HTTP
– HTTPS
– SQL*Net

I choose “HTTP” and now I know that I made a mistake. The correct one must be “SQL*Net” as
TCP/1521 is its port.
(https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/inspect_overview.html#wp1536127)

10) There was a question about Storm Control best practices. I can’t recall my second answer, but
the first was “Enable it on PortChannel interface instead of physical”. The question was simple and
if you read and understand the Storm Control topic carefully – you will win.

11) There is some custom application that on the first communication channel negotiates a second
data channel for data transfer. What allows traffic from the second negotiated data channel?
I choose “inspection”. The question was quite simple.

12) SSHv2 is not explicitly allowed on the router by the command “ip ssh version 2”. Which
statement is true? I choose “both SSHv1 and SSHv2 are allowed”.

13) D&D on CSM (or Prime Infra) dashboards:

– top attackers –> attack dashboard
– top users –> users dashboard
– top operating systems –> endpoints dashboard
– etc.

Extremely simple and intuitive D&D – don’t even worry about it.

14) There was some question about Nexus 1000V (I can’t exactly recall it, something about
where to apply security policies for a group of VMs instead of applying them directly on the interface):

– port group
– port profile
– security group
– security profile

I choose “port profile” as this was the only thing familiar to me about Nexus 1000V. Again, get
more info on that topic as well.

15) Which command enables uRPF on a router’s interface? I choose “ip verify unicast source
reachable-via interface_name”.

16) D&D about Syslog levels, but there were just 4-to-4 options:

– 1 –> Alert
– 2 –> Critical
– 5 –> Notification
– 6 –> Informational (or 7 –> Debugging)
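
Questions 7 and 12 above both hinge on how an ASA capture ACL selects packets, and the two
posters on this page give different ACEs for “return web traffic”. The following is an added
example, not code from the original posts: a small evaluator for the single-ACE subset
“permit|deny PROTO SRC [eq PORT] DST [eq PORT]”, using ASA subnet-mask notation
(255.255.255.0) rather than IOS wildcard masks. The flows and the 10.10.1.0/24 inside subnet
are constructed sample data; the real ASA matcher is more general than this.

```python
"""Evaluate ASA-style capture ACEs against sample flows.

Added example (not from the original posts): models how an ACE such as
"permit tcp any eq 80 10.10.1.0 255.255.255.0" matches packets. ASA ACLs
use subnet masks (255.255.255.0), not IOS wildcard masks (0.0.0.255).
All flows below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_endpoint(tokens, i):
    """Parse one ACE endpoint: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK',
    optionally followed by 'eq PORT'. Returns (network, port_or_None, next_index)."""
    tok = tokens[i]
    if tok == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
        i += 1
    elif tok == "host":
        net = ipaddress.ip_network(tokens[i + 1] + "/32")
        i += 2
    else:
        # ASA syntax: network followed by a subnet mask, e.g. 10.10.1.0 255.255.255.0
        net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
        i += 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1])
        i += 2
    return net, port, i


def parse_ace(ace: str) -> dict:
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P]' into a dict of match fields."""
    tokens = ace.split()
    action, proto = tokens[0], tokens[1]
    src_net, sport, i = _parse_endpoint(tokens, 2)
    dst_net, dport, i = _parse_endpoint(tokens, i)
    if i != len(tokens):
        raise ValueError(f"unparsed tokens in ACE: {tokens[i:]}")
    return {"action": action, "proto": proto, "src": src_net, "sport": sport,
            "dst": dst_net, "dport": dport}


def ace_matches(ace: dict, flow: Flow) -> bool:
    """True if the flow's 5-tuple satisfies every field the ACE constrains."""
    if ace["proto"] not in ("ip", flow.proto):
        return False
    if ipaddress.ip_address(flow.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and flow.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and flow.dport != ace["dport"]:
        return False
    return True


def captured_flows(ace_text: str, flows):
    """Return the flows a capture ACL made of this single ACE would keep."""
    ace = parse_ace(ace_text)
    return [f for f in flows if ace["action"] == "permit" and ace_matches(ace, f)]


# Constructed sample flows; 10.10.1.0/24 plays the inside subnet from question 7.
SAMPLE_FLOWS = [
    Flow("tcp", "10.10.1.25", 51000, "203.0.113.10", 80),   # outbound web request
    Flow("tcp", "203.0.113.10", 80, "10.10.1.25", 51000),   # return web traffic
    Flow("tcp", "203.0.113.10", 443, "10.10.1.25", 51001),  # return HTTPS, not port 80
    Flow("tcp", "203.0.113.10", 80, "10.10.2.7", 51002),    # return to another subnet
    Flow("udp", "203.0.113.53", 53, "10.10.1.25", 51003),   # DNS reply, wrong protocol
]

# First poster's ACE: source port 80, destination inside subnet -> return traffic only.
RETURN_WEB_ACE = "permit tcp any eq 80 10.10.1.0 255.255.255.0"
# Second poster's ACE (x.x.x.x filled with a constructed host): destination port 80
# -> this keeps the outbound requests, not the return traffic.
OUTBOUND_WEB_ACE = "permit tcp host 10.10.1.25 any eq 80"

if __name__ == "__main__":
    print("return traffic:", captured_flows(RETURN_WEB_ACE, SAMPLE_FLOWS))
    print("outbound traffic:", captured_flows(OUTBOUND_WEB_ACE, SAMPLE_FLOWS))
```

Running it shows that the two ACEs select opposite halves of the same web session: the first
keeps only the packet whose source port is 80 and whose destination lies in the inside subnet,
while the `host x.x.x.x any eq 80` form keeps the client’s request instead.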

NEW QUESTION 301

When will a Cisco ASA that is operating in transparent firewall mode perform a routing table
lookup instead of a MAC address table lookup to determine the outgoing interface of a packet?

A. If multiple context mode is configured.
B. If the destination MAC address is unknown.
C. If the destination is more than a hop away from the Cisco ASA.
D. If NAT is configured.
E. If dynamic ARP inspection is configured.

Answer: D

NEW QUESTION 302

Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name
command?

A. uRPF
B. TCP intercept
C. botnet traffic filter
D. scanning threat detection
E. IPS (IP audit)

Answer: A

NEW QUESTION 303

In one custom dynamic application, the inside client connects to an outside server using TCP
port 4444 and negotiates return client traffic in the port range of 5000 to 5500. The server then
starts streaming UDP data to the client on the negotiated port in the specified range. Which Cisco
ASA feature or command supports this custom dynamic application?

A. TCP normalizer
B. TCP intercept
C. ip verify command
D. established command
E. tcp-map and tcp-options commands

Answer: D

NEW QUESTION 304

On Cisco ASA Software Version 8.3 and later, which two statements correctly describe the NAT
table or NAT operations? (Choose two.)

A. The NAT table has four sections.
B. Manual NAT configurations are found in the first (top) and/or the last (bottom) section(s) of
the NAT table.
C. Auto NAT also is referred to as Object NAT.
D. Auto NAT configurations are found only in the first (top) section of the NAT table.
E. The order of the NAT entries in the NAT table is not relevant to how the packets are matched
against the NAT table.
F. Twice NAT is required for hosts on the inside to be accessible from the outside.

Answer: BC

NEW QUESTION 305

The Cisco ASA software image has been erased from flash memory. Which two statements
about the process to recover the Cisco ASA software image are true? (Choose two.)

A. Access to the ROM monitor mode is required.
B. The Cisco ASA appliance must have connectivity to the TFTP server where the Cisco ASA
image is stored through the Management 0/0 interface.
C. The copy tftp flash command is necessary to start the TFTP file transfer.
D. The server command is necessary to set the TFTP server IP address.
E. Cisco ASA password recovery must be enabled.

Answer: AD

NEW QUESTION 306

Which option is one requirement before a Cisco ASA appliance can be upgraded from Cisco
ASA Software Version 8.2 to 8.3?

A. Remove all the pre 8.3 NAT configurations in the startup configuration.
B. Upgrade the memory on the Cisco ASA appliance to meet the memory requirement of Cisco
ASA Software Version 8.3.
C. Request new Cisco ASA licenses to meet the 8.3 licensing requirement.
D. Upgrade Cisco ASDM to version 6.2.
E. Migrate interface ACL configurations to include interface and global ACLs.

Answer: B

NEW QUESTION 307

Which Cisco ASA (8.4.1 and later) CLI command is the best command to use for
troubleshooting SSH connectivity from the Cisco ASA appliance to the outside 192.168.1.1
server?

A. telnet 192.168.1.1 22
B. ssh -l username 192.168.1.1
C. traceroute 192.168.1.1 22
D. ping tcp 192.168.1.1 22
E. packet-tracer input inside tcp 10.0.1.1 2043 192.168.4.1 ssh

Answer: D

NEW QUESTION 308

By default, which traffic can pass through a Cisco ASA that is operating in transparent mode
without explicitly allowing it using an ACL?

A. ARP
B. BPDU
C. CDP
D. OSPF multicasts
E. DHCP

Answer: A

NEW QUESTION 309

Which Cisco ASA CLI command is used to enable HTTPS (Cisco ASDM) access from any
inside host on the 10.1.16.0/20 subnet?

A. http 10.1.16.0 0.0.0.0 inside
B. http 10.1.16.0 0.0.15.255 inside
C. http 10.1.16.0 255.255.240.0 inside
D. http 10.1.16.0 255.255.255.255 inside

Answer: C

NEW QUESTION 310

Which configuration step is the first to enable PIM-SM on the Cisco ASA appliance?

A. Configure the static RP IP address.
B. Enable IGMP forwarding on the required interface(s).
C. Add the required static mroute(s).
D. Enable multicast routing globally on the Cisco ASA appliance.
E. Configure the Cisco ASA appliance to join the required multicast groups.

Answer: D

Hacker is intercepting CDP packets in the network. Which info can he get from captured CDP packets?

You want to enable SSHv2 but you did not configure it correctly; what will the response be....

The question was about mixed ACLs and object groups

Prime Infrastructure admin discovers the network and wants to use Web Services Management Agent
for configuring devices. Which protocol allows use of WSMA?

– Telnet
– SSHv2
– SNMPv2
– SNMPv3

How many servers does Prime Infrastructure High Availability support?

– 2
– 4
– 6
– 8

D&D question with ASA capture parameters. You must map correct options (from left column) to
“asp-drop”, “data_path”, and “ethertype” (on right column). I can’t recall all options from left column,
so get more info on ASA capture options to be confident with that question.

6) You are going to add ASA to CSM (Cisco Security Manager). Which port on ASA must be reachable for
CSM to succeed?

– 21
– 22
– 80
– 443

7) You are a network engineer at some company. There are issues with Internet access. Which capture
ACL must be used in order to capture only return web traffic?
I choose “access-list capture permit tcp host x.x.x.x any eq 80” (x.x.x.x is the host IP address)

In which cases will DHCP Snooping drop DHCP packets?

Someone suggested this but I didn’t check before my exam. There were two options that exactly match
word by word what is in the Cisco doc
(https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html)

Verify these two options:

– The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY
packet) from a DHCP server outside the network or firewall.

– The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in
the DHCP snooping binding table, and the interface information in the binding table does not match the
interface on which the message was received.

Then there are 4 drag and drops.

The syslog one – just know your ACEWNID, it will help.

The one for mandatory parent child.....

Then two new ones.

Yes, two new ones:

one from the output of Prime Infrastructure,

and another from the output of data capture.

That is all I remember; I was saturated with the lab a bit. Looking for where the access is: just click on the
Admin PC.

The lab is the same: the object NAT, botnet.

I think that is all.
I will advise a more detailed preparation; the breakdown of my score is scary.
