Flydumps provides the guaranteed preparation material to boost your confidence in the Cisco 642-521 exam. Successful candidates have provided their reviews of our guaranteed Cisco 642-521 preparation material; you can come to realize the real worth of our featured products by reading the reviews and testimonials.

QUESTION 60
A client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface. How can the PIX Firewall be configured to translate the DNS A-record correctly? (Choose three)
A. By making use of the alias command.
B. By making use of the dns arecord command.
C. By specifying the dns option in the alias command.
D. By specifying the dns option in the nat command.
E. By specifying the dns option in the static command.
F. By specifying the dnsarec option in the nat command.

Correct Answer: ADE Section: (none) Explanation
QUESTION 61
Jason is the security administrator at Certkiller Inc., and he is working on the PAT feature. Which statements about the PIX Firewall's PAT feature are true? (Choose three)
A. The true statement is it maps TCP port numbers to a single IP address.
B. The true statement is it cannot be used with NAT.
C. The true statement is it provides security by hiding the outside source address, using a global IP address from the PIX Firewall.
D. The true statement is the IP address of a PIX Firewall interface cannot be used as the PAT address.
E. The true statement is the PAT address can be a virtual address, different from the outside address.
F. The true statement is it provides security by hiding the inside source address, using a single IP address from the PIX Firewall.

Correct Answer: AEF Section: (none) Explanation
Explanation/Reference:
Explanation:
PAT maps TCP port numbers to a single IP address. PAT provides security by hiding the inside source
address by using a single IP address from the PIX. PAT can be used with NAT. A PAT address can be a virtual
address, different from the outside address. Do not use PAT when running multimedia applications through
the PIX Firewall. Multimedia applications need access to specific ports and can conflict with port mappings
provided by PAT.

Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 6 page 39

QUESTION 62
How many IP addresses can be translated to a single IP address with PAT?
A. 160
B. 2450
C. 12600
D. 64000

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
From just a single IP address using PAT, there are approximately 64,000 available ports to which IP
addresses can be translated.

QUESTION 63
Jason the security administrator for Certkiller Inc. wants to know which command enables the PIX Firewall to permit hosts on different interfaces to ping each other.
A. The icmp command
B. The conduit command
C. The ping command
D. The ip audit command

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: By default, the PIX Firewall denies all inbound traffic through the outside interface. Based on your network security policy, you should consider configuring the PIX Firewall to deny all ICMP traffic at the outside interface, or any other interface you deem necessary, by using the icmp command. The icmp deny command disables pinging to an interface, and the icmp permit command enables pinging to an interface. With pinging disabled, the PIX Firewall cannot be detected on the network. This is also referred to as configurable proxy pinging. For traffic that is routed through the PIX Firewall only, you can use the access-list or access-group commands to control the ICMP traffic routed through the PIX Firewall.
Reference: http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/ products_command_reference_chapter09186 a008017
QUESTION 64
You are a network administrator at Certkiller.com. You already created an ACL named ACLIN to permit
traffic from certain Internet hosts to the web server on Certkiller's DMZ.
How do you make the ACL work? (Choose two)

A. Bind the ACL to the DMZ interface.
B. Bind the ACL to the outside interface.
C. Bind the ACL to the inside interface.
D. Create a static mapping for the DMZ interface.
E. Create a conduit mapping for the web server.
F. Create a static mapping for the web server.

Correct Answer: BF Section: (none) Explanation
Explanation/Reference:
Explanation: Static address translation creates a permanent, one-to-one mapping between an address on an internal network (a higher security level interface) and a perimeter or external network (lower security level interface). For example, to share a web server on a perimeter interface with users on the public Internet, use static address translation to map the server’s actual address to a registered IP address. Static address translation hides the actual address of the server from users on the less secure interface, making casual access by unauthorized users less likely. Unlike NAT or PAT, it requires a dedicated address on the outside network for each host, so it does not save registered IP addresses. If you use a static command to allow inbound connections to a fixed IP address, use the access-list and access-group commands to create an access list and to bind it to the appropriate interface. For more information, refer to “Allowing Inbound Connections.”
Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/config/mngacl.pdf
QUESTION 65
You are the network security administrator at Certkiller for an enterprise network with a complex security
policy.
Which PIX Firewall feature should you configure to minimize the average search time for access lists
containing a large number of entries?

A. object grouping
B. turbo ACLs
C. nested object groups
D. ASA
E. IP helper
F. comments in ACLs

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Turbo ACLs improve the average search time for ACLs containing a large number of entries by causing the
PIX firewall to compile tables for ACLs.

Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 7 page 10

QUESTION 66
end of the ACL will block traffic as needed?
A. You can view the hit counters with the show access-list command.
B. You can enable the turbo ACL feature for individual ACLs.
C. As a back-up, in case the implicit deny does not work.
D. There is no reason to include the deny statement.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
When you use the show access-list command you will get a counter for how many hits that specific line got.
If you want to see the denied statements you will need to specify them in an access-list.

QUESTION 67
Which of the following statements regarding ACLs are valid? Choose two.
A. By default, all access in an ACL is permitted.
B. Using the access-group command creates ACL entries.
C. For traffic moving from a lower security level interface to a higher security level interface, the destination address argument of the ACL command is the global IP address assigned in the static command.
D. For traffic moving from a lower security level interface to a higher security level interface, the destination host must have a statically mapped address.
E. For traffic moving from a higher security level interface to a lower security level interface, the source address argument of the ACL command is the translated address of the host or network.
F. For traffic moving from a lower security level interface to a higher security level interface, the source address argument of the ACL command is the translated address of the host or network.

Correct Answer: CF Section: (none) Explanation
Explanation/Reference:
Explanation:
The access-list command is used to permit or deny traffic. The following are guidelines to use when
designing and implementing ACLs:
1) Higher to lower security:
- The ACL is used to restrict outbound traffic.
- The source address argument of the ACL command is the actual address of the host or network.
2) Lower to higher:
- The ACL is used to restrict inbound traffic.
- The destination address argument of the ACL command is the translated global IP address.
Reference:
CSPFA Student Guide v3.2 – Cisco Secure PIX Advanced p.8-6

QUESTION 68
Why are turbo ACLs the most suitable to make use of for high-end PIX Firewall models such as the PIX Firewall 525 and 535?
A. Turbo ACLs are not supported in any of the low-end models, such as the 506.
B. Turbo ACLs are processor-intensive.
C. Turbo ACLs require significant amounts of memory.
D. Although turbo ACLs can improve ACL search time with any PIX Firewall model, they are complicated and rather difficult to configure. It is unlikely that environments using low-end models have personnel properly trained to configure turbo ACLs.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The Turbo ACL feature requires significant amounts of memory and is most appropriate for high-end PIX
Firewall models, such as the PIX Firewall 525 or 535. The minimum memory required for Turbo ACL
support is 2.1 MB, and approximately 1 MB of memory is required for every 2,000 ACL elements. The
actual amount of memory required depends not only on the number of ACL elements but also on the
complexity of the entries.

Reference:
CSPFA Student Guide v3.2 – Cisco Secure PIX Advanced p.7-22

QUESTION 69
The newly appointed Certkiller trainee technician wants to know which type of downloadable ACLs are best when there are frequent requests for downloading a large ACL. What will your reply be?
A. Unnamed ACLs
B. Dynamic ACLs
C. Named ACLs
D. Static ACLs

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: The actual ACL entries can be named or unnamed, depending on whether the ACL will be used by multiple users. A named ACL should be used when frequent requests occur for downloading a large list. With a named ACL, after authentication the ACS server sends the ACL name to the firewall to see if the ACL already exists. If not, the firewall requests the ACL to be downloaded. A named ACL isn't downloaded again as long as it exists on the firewall.
QUESTION 70
Which of the following PIX 535 slot ranges support Gigabit Ethernet interface cards?
A. 0-1
B. 0-2
C. 0-3
D. 5-6
E. 5-7

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Gigabit line cards on the PIX 535 can only be installed in slots 0-3. Slots 4-8 cannot support Gigabit cards
because they run at a slower bus speed.

QUESTION 71
How many lines are needed in an access list before TurboACL will compile them?
A. 2
B. 13
C. 16
D. 19

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
When you enable TurboACL on your PIX Firewall, only access lists with 19 or more entries can be compiled
by TurboACL.

QUESTION 72
Exhibit:

In the network above, which two methods will enable a PC on the partnernet to connect to a server on DMZ1 and deny the partnernet PC access to DMZ2 and the inside network? (Choose two.)
A. Apply a static command and ACL to the partnernet interface.
B. Raise the security level of the partnernet interface to 70.
C. Raise the security level of the partnernet interface to 55.
D. Apply a static command and ACL to the DMZ1 interface.
E. Apply a static command and ACL to the DMZ2 interface.

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation:
Security levels: partnernet = 40, DMZ1 = 50, and DMZ2 = 60.

QUESTION 73
While entering a list of host addresses into an ACL, the administrator left out an ACE for host 192.168.0.9.
Which of the following commands can you use to add an access control entry for 192.168.0.9 between line 3 and line 4 of the existing access list?
A. Certkiller 1 (config)#access-list aclin line 4 permit tcp any host 192.168.0.9 eq www
B. pix (config)#access-list aclin line 3 permit tcp any host 192.168.0.9 eq www
C. Certkiller 1 (config)# access-list aclin add-line 4 permit tcp any host 192.168.0.9 eq www
D. Certkiller 1 (config)# access-list aclin add-line 3 permit tcp any host 192.168.0.9 eq www

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 74

A user on the DMZ is complaining that they are unable to gain access to the inside host via HTTP. After reviewing the network diagram and partial configuration, the network administrator determined the following:
A. The global (dmz) command is not configured correctly.
B. The static (inside, dmz) command is not configured correctly.
C. The nat (dmz) command is missing.
D. The dmzin access list is not configured correctly.
E. The PIX is configured correctly, the issue is with the user’s PC.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The DMZ host cannot reach the inside host on port 80 (www). The configuration should be:
static (inside,DMZ) 172.16.1.11 10.0.1.11 netmask 255.255.255.255 (global DMZ-side address first, then the inside host's real address)
access-list DMZ-IN permit tcp 172.16.1.0 255.255.255.0 host 172.16.1.11 eq www (or any as the source)
NB: an entry such as access-list DMZ-IN permit tcp any host 10.0.1.11 eq www is wrong, because 10.0.1.11 is the internal address; it must be, and can only be, translated, and it cannot be used as the address that DMZ hosts contact.
QUESTION 75
Which of the following commands enables TurboACL on a PIX?
A. turboacl enable
B. turboacl global
C. turboacl setup
D. turboacl compiled

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The turboacl compiled command on a PIX Firewall globally enables the TurboACL process and causes all
access lists to be checked for TurboACL eligibility. If any access lists have 19 or more entries, they are
eligible and will be compiled into a table for more efficient access list checking.

QUESTION 76
You have 100 users on your internal network at Certkiller Inc., and you want only six of these users to perform
FTP, Telnet, or HTTP outside the network.
Which PIX Firewall feature do you enable?

A. You would enable access lists
B. You would enable object grouping
C. You would enable VAC+
D. You would enable AAA

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Tricky question. Of course an ACS can provide these services, and if you choose to implement an ACS, D would be the right answer. But given that there are only 100 users, implementing an ACS to provide additional services for only 6 of them seems like overkill, since this requirement can also be met with an ACL. If we were the administrator we would use an ACL for the six users:
access-list 101 permit tcp host x.x.x.x any eq www
access-list 101 permit tcp host x.x.x.x any eq telnet
access-list 101 permit tcp host x.x.x.x any eq ftp
QUESTION 77
Kathy is the security administrator at Certkiller Inc. and is working on ACLs. She needs to know which ACL parameters can be replaced by object-groups. (Choose three)
A. acl_ID
B. if_name
C. port
D. ICMP-type
E. source_addr
F. remote mask

Correct Answer: CDE Section: (none) Explanation
Explanation/Reference:
Explanation: Object grouping provides a way to group objects of a similar type so that a single ACL can apply to all the objects in the group. You can create the following types of object groups:
1) Network – Used to group client hosts, server hosts, or subnets.
2) Protocol – ip, tcp, or udp.
3) Service – Used to group TCP or UDP port numbers assigned to a different service.
4) Icmp – Used to group ICMP message types to which you permit or deny access.
Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 8 page 4

QUESTION 78
You are the network security administrator at Certkiller Inc., Certkiller has an enterprise network with a
complex security policy.
Which PIX Firewall feature should you configure to minimize the number of ACLs needed to implement
your policy?

A. You should configure the ASA
B. You should configure the packet capture
C. You should configure the object grouping
D. You should configure the turbo ACLs
E. You should configure the IP helper

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
To simplify the task of creating and applying ACLs, you can group network objects such as hosts and
services such as FTP and HTTP. This reduces the number of ACLs required to implement complex
security policies.

Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 8 page 3

QUESTION 79
Which of the following object group types can be created in the PIX Firewall? Choose three.
A. icmp-type
B. service
C. server host
D. ACL out
E. DHCP
F. protocol

Correct Answer: ABF Section: (none) Explanation
Explanation/Reference:
Explanation:
Object grouping provides a way to group objects of a similar type so that a single ACL can apply to all the
objects in the group. You can create the following types of object groups:
1) Network – Used to group client hosts, server hosts, or subnets.
2) Protocol – Used to group protocols. It can contain one of the keywords icmp, ip, tcp, or udp, or an integer
in the range 1 to 254 representing an IP protocol number. Use the keyword to match any Internet protocol,
including Internet Control Message Protocol (ICMP), TCP, and UDP.
3) Service – Used to group TCP or UDP port numbers assigned to a different service.
4) ICMP-type – Used to group ICMP message types to which you permit or deny access.

Reference:
CSPFA Student Guide v3.2 – Cisco Secure PIX Advanced p.8-6

QUESTION 80
What role does the object-group command fulfill? Choose two.
A. defines members of an object group
B. inserts an object group in an ACL
C. displays a list of the currently configured object groups of the specified type
D. names an object group
E. enables sub-command mode
F. describes the object group

Correct Answer: DE Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the object-group command to enter the appropriate subcommand mode for the type of group you want
to configure. When you enter the object-group command, the system enters the appropriate subcommand
mode for the type of object you specify in the object-group command. All subcommands entered from the
subcommand prompt apply to the object group identified by the object-group command.

Reference:
CSPFA Student Guide v3.2 – Cisco Secure PIX Advanced p.8-7

QUESTION 81
What PIX command enables object grouping for the network object-group type?
A. object-group network servers
B. object-grouping network servers
C. group-object network servers
D. group-object type network servers

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Create PIX object groups with the object-group (type) (name) command.

QUESTION 82
Jason the security administrator at Certkiller Inc. is working on the object-group command on the PIX
Firewall.
Which are functions of the object-group command? (Choose two)

A. A function of the object-group command defines members of an object group.
B. A function of the object-group command inserts an object group in an ACL.
C. A function of the object-group command displays a list of the currently configured object groups of the specified type.
D. A function of the object-group command names an object group.
E. A function of the object-group command enables sub-command mode.
F. A function of the object-group command describes the object group.

Correct Answer: DE Section: (none) Explanation
Explanation/Reference:
Explanation:
object-group network grp_id assigns a name to the group and enables the network subcommand mode.
Reference: Cisco Secure PIX Firewall Advanced 3.1 chap 8 page 10
To simplify your configuration, object grouping is supported in Cisco PIX Device Manager Version 2.0. Object grouping enables you to define groups of objects such as hosts, IP addresses, or network services. You can use these groups, for example, when you create and apply access rules. When you include a Cisco PIX Firewall object group in a PIX Firewall command, it is the equivalent of applying every element of the object group to the PIX Firewall command.
Reference: http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pixge_ds.pdf
QUESTION 83
How do you view all object-groups configured on a PIX?
A. show object-group
B. show group-object
C. show object-types
D. show object-group types

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
All of the object-groups configured on a PIX can be viewed with the show object-group command.

QUESTION 84
When are duplicate objects allowed in object groups?
A. When they are due to the inclusion of group objects.
B. When a group object is included, which causes the group hierarchy to become circular.
C. Never
D. Always, because there are no conditions or restrictions.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Duplicated objects are allowed in an object group if it is due to the inclusion of group objects.

Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 8 page 15

QUESTION 85
If the FTP protocol fixup is not enabled for a given port, which statements are true? (Choose two)
A. The true statement is outbound standard FTP will not work properly on that port.
B. The true statement is outbound standard FTP will work properly on that port.
C. The true statement is outbound passive FTP will not work properly on that port.
D. The true statement is outbound passive FTP will work properly on that port as long as outbound traffic is not explicitly disallowed.
E. The true statement is outbound standard FTP will work properly on that port if outbound traffic is not explicitly disallowed.
F. The true statement is inbound standard FTP will not work properly on that port even if a conduit to the inside server exists.

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
If the fixup protocol ftp command is not enabled for a given port, then:
- Outbound standard FTP will NOT work properly on that port.
- Outbound PFTP will work properly on that port as long as outbound traffic is not explicitly disallowed.
- Inbound standard FTP will work properly on that port if a conduit to the inside server exists.
- Inbound PFTP will NOT work properly on that port.

Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 10 page 7

QUESTION 86
Jason, the security administrator at Certkiller Inc., is working on the SMTP fixup command on the PIX Firewall. If the SMTP fixup is disabled, what happens?
A. What happens is all SMTP commands are allowed to mail servers, and they are no longer protected from known security problems with some mail server implementations.
B. What happens is a safe conduit exists for SMTP connections from the outside to an inside e-mail server.
C. What happens is only the SMTP commands specified in RFC 821 section 4.5.1 are allowed to a mail server: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
D. What happens is all SMTP commands are allowed to a mail server, but mail servers are still protected from known security problems with some mail server implementations.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
If disabled, all SMTP commands are allowed through the firewall; potential mail server vulnerabilities are
exposed.
Reference: Cisco Secure PIX Firewall Advanced 3.1 chap 11 page 3
Mailguard allows only the seven SMTP minimum-required commands as described in Section 4.5.1 of RFC 821. These seven minimum-required commands are: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
Other commands, such as KILL, WIZ, and so forth, are intercepted by the PIX and they are never sent to
the mail server on the inside of your network. The PIX responds with an "OK" to even denied commands,
so attackers would not know that their attempts are being thwarted.

Reference:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml

QUESTION 87
What port does the PIX Firewall inspect for FTP traffic by default?
A. Port 20
B. Port 21
C. Port 23
D. It does not inspect any port for FTP traffic

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Active mode FTP uses two channels for communications. When a client starts an FTP connection, it opens a TCP channel from one of its high-order ports to port 21 on the server. This is referred to as the command channel. When the client requests data from the server, it tells the server to send the data to a given high-
order port. The server acknowledges the request and initiates a connection from its own port 20 to the
high-order port that the client requested. This is referred to as the data channel.

Reference:
CSPFA Student Guide v3.2 – Cisco Secure PIX Advanced p.9-10

QUESTION 88

The graphic shows a partial configuration. An account manager (AM) at a small site wants to access the boston_sales.Certkiller.com server. The account manager knows the name, but not the IP address, of the server. The AM's PC requests DNS resolution of the inside web server address from a DNS server on an outside network. To enable the PIX Firewall to perform a DNS A record translation correctly for the above-mentioned application, the dns keyword should be added to which of the above-mentioned commands?
A. NAT command
B. Global command
C. Access-list command
D. Static command

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Both the nat and the static statements have a dns option; the difference is that static rewrites the
local address in DNS replies to the global address, so since the DNS server is a server on the outside
interface this is the right answer.

QUESTION 89
John, the security administrator for Certkiller Inc., is working on multicast.
How does John get to the multicast subcommand mode where he can enter the igmp commands for
further multicast support?

A. By using the clear IGMP group command.
B. By entering the igmp interface command in privileged mode.
C. By entering the multicast interface command in configuration mode.
D. By entering the multicast mode command in configuration mode.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the multicast interface command to enable multicast forwarding on each interface and place the
interfaces in multicast promiscuous mode. When you enter the command, the CLI enters multicast
subcommand mode and the prompt changes to (config-multicast)#.

Reference:
Cisco Secure PIX Firewall Advanced 3.1 9-10

QUESTION 90
The security team at Certkiller Inc. is working on VoIP for the PIX Firewall.
Which statements about the PIX Firewall in VoIP environments are true? (Choose two)

A. The true statement is the PIX Firewall allows SCCP signaling and media packets to traverse the PIX Firewall and interoperate with H.323 terminals.
B. The true statement is the PIX Firewall does not support the popular call setup protocol SIP because TCP can be used for call setup.
C. The true statement is the PIX Firewall supports the Skinny Client Control Protocol, which allows you to place IP phones and Call Manager on separate sides of the PIX Firewall.
D. The true statement is users behind the PIX Firewall can place outbound calls with IP phones because they use HTTP tunneling to route packets through port 80, making them appear as web traffic.

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation:
fixup protocol skinny port [-port]:
- Enables the SCCP (Skinny) protocol.
- Dynamically opens pinholes for media sessions and NATs embedded IP addresses.
- Supports IP telephony.
- Can coexist in an H.323 environment.
- Default port is 2000.
Due to SCCP support, an IP phone and Cisco CallManager can now be placed on separate sides of the PIX Firewall.

Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 10 page 14
We provide Cisco 642-521 help and information on a wide range of issues. Cisco 642-521 support is professional and confidential, and your issues will be replied to within 12 hours. Feel free to send us any Cisco 642-521 questions; we always try our best to keep our customers satisfied.