Q1. What is an advantage of placing an IPS on the inside of a network? 

A. It can provide higher throughput. 

B. It receives traffic that has already been filtered. 

C. It receives every inbound packet. 

D. It can provide greater security. 

View Answer

Q2. What is the effect of the send-lifetime local 23:59:00 31 December 31 2013 infinite command? 

A. It configures the device to begin transmitting the authentication key to other devices at 00:00:00 local time on January 1, 2014 and continue using the key indefinitely. 

B. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely. 

C. It configures the device to begin accepting the authentication key from other devices immediately and stop accepting the key at 23:59:00 local time on December 31, 2013. 

D. It configures the device to generate a new authentication key and transmit it to other devices at 23:59:00 local time on December 31, 2013. 

E. It configures the device to begin accepting the authentication key from other devices at 23:59:00 local time on December 31, 2013 and continue accepting the key indefinitely. 

F. It configures the device to begin accepting the authentication key from other devices at 00:00:00 local time on January 1, 2014 and continue accepting the key indefinitely. 

View Answer

Q3. Which type of secure connectivity does an extranet provide? 

A. other company networks to your company network 

B. remote branch offices to your company network 

C. your company network to the Internet 

D. new networks to your company network 

View Answer

Q4. What is the only permitted operation for processing multicast traffic on zone-based firewalls? 

A. Only control plane policing can protect the control plane against multicast traffic. 

B. Stateful inspection of multicast traffic is supported only for the self-zone. 

C. Stateful inspection for multicast traffic is supported only between the self-zone and the internal zone. 

D. Stateful inspection of multicast traffic is supported only for the internal zone. 

View Answer

Q5. Which two statements about stateless firewalls are true? (Choose two.) 

A. They compare the 5-tuple of each incoming packet against configurable rules. 

B. They cannot track connections. 

C. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS. 

D. Cisco IOS cannot implement them because the platform is stateful by nature. 

E. The Cisco ASA is implicitly stateless because it blocks all traffic by default. 

View Answer

Q6. When is the best time to perform an anti-virus signature update? 

A. Every time a new update is available. 

B. When the local scanner has detected a new virus. 

C. When a new virus is discovered in the wild. 

D. When the system detects a browser hook. 

View Answer

Q7. Which three ESP fields can be encrypted during transmission? (Choose three.) 

A. Security Parameter Index 

B. Sequence Number 

C. MAC Address 

D. Padding 

E. Pad Length 

F. Next Header 

View Answer

Q8. If a packet matches more than one class map in an individual feature type's policy map, how does the ASA handle the packet? 

A. The ASA will apply the actions from only the first matching class map it finds for the feature type. 

B. The ASA will apply the actions from only the most specific matching class map it finds for the feature type. 

C. The ASA will apply the actions from all matching class maps it finds for the feature type. 

D. The ASA will apply the actions from only the last matching class map it finds for the feature type. 

View Answer

Q9. How does the Cisco ASA use Active Directory to authorize VPN users? 

A. It queries the Active Directory server for a specific attribute for the specified user. 

B. It sends the username and password to retrieve an ACCEPT or REJECT message from the Active Directory server. 

C. It downloads and stores the Active Directory database to query for future authorization requests. 

D. It redirects requests to the Active Directory server defined for the VPN group. 

View Answer

Q10. CORRECT TEXT 

Scenario 

Given the new additional connectivity requirements and the topology diagram, use ASDM to accomplish the required ASA configurations to meet the requirements. 

New additional connectivity requirements: 

. Currently, the ASA configurations only allow on the Inside and DMZ networks to access any hosts on the Outside. Your task is to use ASDM to configure the ASA to also allow any host only on the Outside to HTTP to the DMZ server. The hosts on the Outside will need to use the 209.165.201.30 public IP address when HTTPing to the DMZ server. 

. Currently, hosts on the ASA higher security level interfaces are not able to ping any hosts on the lower security level interfaces. Your task in this simulation is to use ASDM to enable the ASA to dynamically allow the echo-reply responses back through the ASA. 

Once the correct ASA configurations have been configured: 

. You can test the connectivity to http://209.165.201.30 from the Outside PC browser. 

. You can test the pings to the Outside (www.cisco.com) by opening the inside PC command prompt window. In this simulation, only testing pings to www.cisco.com will work. 

To access ASDM, click the ASA icon in the topology diagram. 

To access the Firefox Browser on the Outside PC, click the Outside PC icon in the topology diagram. 

To access the Command prompt on the Inside PC, click the Inside PC icon in the topology diagram. 

Note: 

After you make the configuration changes in ASDM, remember to click Apply to apply the configuration changes. 

Not all ASDM screens are enabled in this simulation, if some screen is not enabled, try to use different methods to configure the ASA to meet the requirements. 

In this simulation, some of the ASDM screens may not look and function exactly like the real ASDM. 

View Answer