I passed the Cisco 642-522 exam this week with nearly 920 pts. I prepared myself with 140 Q&As, all questions from this dump. Cisco 642-522 questions, 2hrs time limit. New questions in Exampass like “AD FS components in the environment”, “Windows PowerShell cmdlet”, “Office 365”. Just know all new Cisco 642-522 questions and you will be fine.

QUESTION 49
Certkiller remote access users connect to the network via a web based VPN. Which type of access list supports filtering for WebVPN?
A. Extended
B. Standard
C. Ethertype
D. Webtype
E. One way
F. None of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: WebVPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTP(S) Internet sites. WebVPN uses Secure Socket Layer Protocol and its successor, Transport Layer Security (SSL/TLS1) to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. The following table describes the different types of access lists and some common uses for them, including the webtype shown at the bottom.
Access List Types and Common Uses

Access List Use | Access List Type | Description
Control network access for IP traffic (routed and transparent mode) | Extended | The security appliance does not allow any traffic unless it is explicitly permitted by an extended access list.
Identify traffic for AAA rules | Extended | AAA rules use access lists to identify traffic.
Control network access for IP traffic for a given user | Extended, downloaded from a AAA server per user | You can configure the RADIUS server to download a dynamic access list to be applied to the user, or the server can send the name of an access list that you already configured on the security appliance.
Identify addresses for NAT (policy NAT and NAT exemption) | Extended | Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended access list.
Establish VPN access | Extended | You can use an extended access list in VPN commands.
Identify traffic in a traffic class map for Modular Policy Framework | Extended, EtherType | Access lists can be used to identify traffic in a class map, which is used for features that support Modular Policy Framework. Features that support Modular Policy Framework include TCP and general connection settings, and inspection.
For transparent firewall mode, control network access for non-IP traffic | EtherType | You can configure an access list that controls traffic based on its EtherType.
Filtering for WebVPN | Webtype | You can configure a Webtype access list to filter URLs.

Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00804
QUESTION 50
While in global configuration mode, the Certkiller administrator issued the “url-list” command on a Cisco security appliance. What is the purpose of the url-list command in global configuration mode?
A. Allow end users access to URLs.
B. Allow end users access to CIFS shares and URLs.
C. Stop the end user from accessing pre-defined URLs.
D. Configure a set of URLs for Web VPN users to access.
E. List URLs that the end user cannot access.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Use the port-forward, url-list, and access-list commands in global configuration mode to configure lists of ports to forward and URLs to present to WebVPN users, and their level of access. Before you can enter the url-list command in webvpn mode to identify a URL list that you want to display on the WebVPN home page for a group policy, you must create the list. Enter the url-list command in global configuration mode to create one or more lists.
Reference: Cisco Security Appliance Command Line Configuration Guide 7.0, Page 508
QUESTION 51
A new Certkiller security appliance is being configured for Web VPN. What is the result if the WebVPN url-entry parameter is disabled?
A. The end user is unable to access any CIFS shares or URLs.
B. The end user is able to access CIFS shares but not URLs.
C. The end user is unable to access pre-defined URLs.
D. The end user is able to access pre-defined URLs.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The “url-entry” command enables or disables user entry of URLs. When enabled, the security appliance
still restricts URLs with any configured URL or network ACLs. When URL entry is disabled, the security
appliance restricts WebVPN users to the URLs on the home page.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00804

QUESTION 52
The Certkiller network is shown in the following diagram: Refer to the exhibit. In the network diagram there are four servers on the DMZ; two web servers and two FTP servers. According to the group configuration in the ny_acs server, when a remote user accesses the security appliance and is authenticated, the user is authorized to perform which two actions? (Choose two)

A. Access any server on the DMZ.
B. Access any FTP server.
C. Access FTP1 server only.
D. Utilize FTP and HTTP protocol to attach to the server.
E. Utilize HTTP protocol only to attach to the server.
F. Utilize FTP protocol only to attach to the server.

Correct Answer: CF Section: (none) Explanation
Explanation/Reference:
Explanation:
According to the authorization set shown in this example, everything is being denied by default, except for
the single rule allowing access to the server with IP address 172.26.26.50 (which is shown as server
FTP1), and only the FTP protocol is allowed as shown by the protocol value within the checked box.

QUESTION 53
The Certkiller administrator needs to verify the IPSec parameters on a security appliance. Which of the following commands displays the default isakmp policy suite parameters?
A. show crypto isakmp
B. show crypto policy
C. show ipsec isakmp
D. show isakmp policy
E. None of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Issuing a “show isakmp policy” command on a Cisco security appliance will display all configured policies,
as well as the default policy the appliance will use if none of the ISAKMP values are adjusted when a new
policy is created.

QUESTION 54
A new Certkiller firewall is being configured for transparent mode. How is NAT configured in transparent firewall mode?
A. NAT must be configured on all interfaces.
B. NAT must be configured on all outbound traffic flows.
C. NAT must be configured on all inbound traffic flows.
D. NAT is not configured in transparent firewall mode.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The security appliance can run in two firewall modes: routed mode and transparent mode.
In routed mode, the security appliance is considered to be a router hop in the network. It can perform NAT between connected networks, and can use OSPF or passive RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet. You can share interfaces between contexts.
In transparent mode, the security appliance acts like a “bump in the wire,” or a “stealth firewall,” and is not a router hop. The security appliance connects the same network on its inside and outside interfaces. No dynamic routing protocols or NAT are used. However, like routed mode, transparent mode also requires access lists to allow any traffic through the security appliance, except for ARP packets, which are allowed automatically. Transparent mode can allow certain types of traffic in an access list that are blocked by routed mode, including unsupported routing protocols. Transparent mode can also optionally use EtherType access lists to allow non-IP traffic. Transparent mode only supports two interfaces, an inside interface and an outside interface, in addition to a dedicated management interface, if available for your platform.
Reference: http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b68.html
QUESTION 55
What can the Certkiller security administrator do to ensure users require authentication for connections through the PIX Firewall using services or protocols that do not support authentication?
A. Make use of Virtual HTTP.
B. Create a virtual Telnet address, and have users authenticate to this address before accessing other services.
C. There is currently no way to require authentication for services other than those that support it; FTP, HTTP, and Telnet.
D. Create a virtual FTP address, and have users authenticate to this address before accessing other services.
Correct Answer: B Section: (none) Explanation

Explanation/Reference:
Explanation: The virtual telnet command allows the Virtual Telnet server to provide a way to pre-authenticate users who require connections through the PIX Firewall using services or protocols that do not support authentication. The virtual telnet command can be used both to log in and log out of the PIX Firewall.
When an unauthenticated user Telnets to the virtual IP address, they are challenged for their username and password, and then authenticated with the TACACS+ or RADIUS server. Once authenticated, they see the message “Authentication Successful” and their authentication credentials are cached in the PIX Firewall for the duration of the uauth timeout.
If a user wishes to log out and clear their entry in the PIX Firewall uauth cache, the user can again Telnet to the virtual address. The user is prompted for their username and password, the PIX Firewall removes the associated credentials from the uauth cache, and the user will receive a “Logout Successful” message.
If inbound users on either the perimeter or outside interfaces need access to the Virtual Telnet server, a static and access-list command pair must accompany use of the virtual telnet command. Users first connect to the Virtual Telnet server IP address, where the user is prompted for a username and password.
QUESTION 56
Two Certkiller firewalls have been configured for failover to provide network redundancy. During failover, which security appliance attribute does NOT change?
A. Failover unit status-active and standby.
B. Active and standby interfaces-IP address.
C. Failover unit type-primary and secondary.
D. Active and standby interfaces-MAC address.
E. None of the above

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network. With failover, the active/standby status of each firewall is unrelated to the primary/secondary unit type status, meaning that it is possible for a secondary unit to become the active firewall.
Primary/Secondary Status and Active/Standby Status
The main differences between the two units in a failover pair are related to which unit is active and which unit is standby, namely which IP addresses to use and which unit actively passes traffic. However, a few differences exist between the units based on which unit is primary (as specified in the configuration) and which unit is secondary: The primary unit always becomes the active unit if both units start up at the same time (and are of equal operational health). The primary unit MAC address is always coupled with the active IP addresses. The exception to this rule occurs when the secondary unit is active, and cannot obtain the primary MAC address over the failover link. In this case, the secondary MAC address is used.
Reference: Cisco Security Appliance Command Line Configuration Guide For the Cisco ASA 5500 Series and Cisco PIX 500 Series, page 11-6.
QUESTION 57
The Certkiller network perimeter is shown below: Refer to the exhibit. The Certkiller administrator is configuring the failover link on the secondary unit, pix2, and needs to configure the IP addresses of the failover link. At pix2, which of these additional commands should be entered?

A. pix2(config)# failover lan nip 172.17.2.1 255.255.255.0 standby 172.17.2.7
B. pix2(config)# failover link 172.17.2.7 255.255.255.0 standby 172.17.2.1
C. pix2(config)# failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
D. pix2(config)# interface ethernet3 pix2(config-if)# failover ip address 172.17.2.7 255.255.255.0 standby 172.17.2.1

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: To configure the active and failover IP addresses of the PIX for LAN failover, assign the active and standby IP address to the failover link:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask. The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.
The following is a complete configuration example using LAN failover:
failover
failover lan unit primary
failover lan interface failover Ethernet2
failover lan enable
failover key ******
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00804
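The point of this question is that the secondary unit is given the same failover interface ip line as the primary: the active address stays with the primary and the standby address with the secondary, so swapping them on pix2 (as in choice D) is the classic mistake. The following script is an added example, not part of the dump or of Cisco's documentation; it parses the failover interface ip command from two constructed unit configurations and checks the subnet rule and the no-swap rule. The interface name LANFAIL, the ethernet3 port and the 172.17.2.x addresses are taken from the question's answer choices; the rest of the sample configurations is assumed for the example.

```python
import ipaddress
import re

# Constructed configurations modelled on Question 57 (pix2 is the secondary unit). The interface
# name LANFAIL, the ethernet3 port and the 172.17.2.x addresses come from the question's answer
# choices; everything else here is an assumption for the example.
PIX1_PRIMARY = """\
failover lan unit primary
failover lan interface LANFAIL ethernet3
failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover lan enable
failover key ******
failover
"""

# Correct secondary: the same failover interface ip line as the primary (answer choice C).
PIX2_SECONDARY_OK = """\
failover lan unit secondary
failover lan interface LANFAIL ethernet3
failover interface ip LANFAIL 172.17.2.1 255.255.255.0 standby 172.17.2.7
failover lan enable
failover key ******
failover
"""

# Wrong secondary: active and standby addresses swapped, as in answer choice D.
PIX2_SECONDARY_SWAPPED = """\
failover lan unit secondary
failover lan interface LANFAIL ethernet3
failover interface ip LANFAIL 172.17.2.7 255.255.255.0 standby 172.17.2.1
"""

FAILOVER_IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


def parse_failover_interface_ip(config_text):
    """Return (if_name, active_ip, mask, standby_ip) from the failover interface ip line, or None."""
    for line in config_text.splitlines():
        m = FAILOVER_IP_RE.match(line.strip())
        if m:
            return m.groups()
    return None


def check_failover_link(primary_config, secondary_config):
    """Return a list of problems found in the failover link addressing of a pair (empty = OK)."""
    problems = []
    primary = parse_failover_interface_ip(primary_config)
    secondary = parse_failover_interface_ip(secondary_config)
    if primary is None or secondary is None:
        return ["failover interface ip command missing on at least one unit"]
    if_name, active_ip, mask, standby_ip = primary
    link_net = ipaddress.ip_network(f"{active_ip}/{mask}", strict=False)
    # The standby address must share the active address's subnet; the single mask applies to both.
    if ipaddress.ip_address(standby_ip) not in link_net:
        problems.append(f"standby address {standby_ip} is outside the failover link subnet {link_net}")
    if active_ip == standby_ip:
        problems.append("active and standby addresses must differ")
    # The active link address always belongs to the primary and the standby address to the
    # secondary, so the secondary unit is configured with the identical command, never swapped.
    if secondary != primary:
        problems.append(
            f"secondary unit line differs from primary ({' '.join(secondary)} vs {' '.join(primary)}); "
            "enter the same active/standby addresses on both units"
        )
    return problems


if __name__ == "__main__":
    print("pix2 correct:", check_failover_link(PIX1_PRIMARY, PIX2_SECONDARY_OK))
    print("pix2 swapped:", check_failover_link(PIX1_PRIMARY, PIX2_SECONDARY_SWAPPED))
```

Run against the two constructed pix2 configurations, the first returns an empty list and the second reports the swapped line, which is exactly the difference between choices C and D.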
QUESTION 58
You have configured two Certkiller PIX Firewalls for failover but it is not working. What could you have done that would cause failover to not work correctly? (Choose two)
A. You did not set a failover IP address.
B. You used a crossover Ethernet cable between the two PIX Firewalls.
C. You used a hub for failover operation.
D. You used a switch for failover operation.
E. You used a dedicated VLAN for failover operation.
F. You did not use a crossover Ethernet cable between the two PIX Firewalls.

Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
Explanation: You must set a failover IP address for LAN-based failover.
Ethernet connection (“LAN-based failover”): You can use any unused Ethernet interface on the device. If the units are further than six feet apart, use this method. We recommend that you connect this link through a dedicated switch. You cannot use a crossover Ethernet cable to link the units directly.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.pdf
QUESTION 59
The team at Certkiller Inc. is troubleshooting a non-working failover configuration between two firewalls. Which of the following are the most likely reasons to prevent a serial-cable failover from working? (Choose two)
A. The problem is the hardware models are the same.
B. The problem is the two PIX Firewalls are running different version of the software.
C. The problem is the secondary PIX Firewall has not been properly configured as a secondary PIX Firewall.
D. The problem is the secondary PIX Firewall has a 3DES license.
E. The problem is the standby PIX Firewall has not yet replicated its configuration to the primary PIX Firewall.
F. The problem is the hardware models are different.

Correct Answer: BF Section: (none) Explanation
Explanation/Reference:
Explanation:
Failover System Requirements: The failover feature requires two units that are identical in the following respects (for example, a PIX 515E cannot be used with a PIX 515):
1. Identical PIX Firewall hardware and software versions
2. Same number and type of interfaces
3. Identical software version
4. Same activation key type (DES or 3DES)
5. Same amount of flash memory
6. Same amount of RAM
Reference: Cisco PIX Firewall Software – Using PIX Firewall Failover www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.h
QUESTION 60
Certkiller's primary PIX Firewall is currently the active unit in your failover topology. What will happen to the current IP addresses on the primary PIX Firewall if it fails?
A. The current IP addresses on the primary PIX Firewall remain the same, but the current IP addresses of the secondary become the virtual IP addresses you configured.
B. The current IP addresses will be deleted.
C. The ones on both the primary and secondary PIX Firewalls are deleted and both assume the failover IP addresses you configured.
D. The current IP addresses will become those of the standby PIX Firewall.
E. None of the above.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The failover feature allows you to use a standby PIX Firewall to take over the functionality of a failed PIX
Firewall. When the active unit fails, it changes to the standby state, while the standby unit changes to the
active state. The unit that becomes active takes over the active unit’s IP addresses and MAC addresses,
and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and
MAC addresses.
Reference: Cisco PIX Firewall Software – Using PIX Firewall Failover www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.h

QUESTION 61
Two Certkiller firewalls are configured in an Active/Active fashion. Which of these statements regarding Active/Active failover configurations is correct?
A. Use the failover active command to enable Active/Active failover on the Cisco ASA Security Appliance.
B. Allocate interfaces to a failover group using the failover group sub-command mode.
C. Configure two failover groups: group 1 and group 2.
D. Configure failover interface parameters in the “admin” context.

Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation: Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic.
In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1, and any unassigned security contexts are also members of failover group 1 by default. The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring, failover, and active/standby status are all attributes of a failover group, rather than the unit. When an active failover group fails, it changes to the standby state while the standby failover group becomes active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby state take over the standby MAC and IP addresses.
As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit, and the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate which unit becomes active when both units start simultaneously. Instead, the primary/secondary designation determines which unit provides the running configuration to the pair and on which unit each failover group appears in the active state when both start simultaneously. Each failover group in the configuration is given a primary or secondary unit preference. This preference determines on which unit in the failover pair the contexts in the failover group appear in the active state when both units start simultaneously.
You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.
Incorrect Answers:
A: This command is used to failover the active PIX, forcing the secondary PIX to take over as the active one.
B: A sub-command configuration is not used.
QUESTION 62
The following was issued on a Certkiller security appliance:

CKSA-2# show failover
Failover On
Cable status: N/A – LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail Ethernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15.54.49 UTC Jun 14 2005
Group 2 last failover at: 15.55.00 UTC Jun 14 2005

Refer to the “show failover” output shown above. This security appliance is configured for what two types of failover? (Choose two)
A. Unit-based failover
B. LAN based failover
C. Stateful failover
D. Active/Standby failover
E. Active/Active failover
F. Context/Group failover

Correct Answer: BE Section: (none) Explanation
Explanation/Reference:
Explanation:
Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active
failover configuration, both security appliances can pass network traffic.
In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A
failover group is simply a logical group of one or more security contexts. You can create a maximum of two
failover groups on the security appliance. The admin context is always a member of failover group1, and
any unassigned security contexts are also members of failover group 1 by default. The failover group forms
the base unit for failover in Active/Active failover. Interface failure monitoring, failover, and active/standby
status are all attributes of a failover group, rather than the unit.
In this example, it can be seen that LAN based failover is being used as opposed to using a failover cable.
This can be seen by the “Cable status: N/A – LAN-based failover enabled” output, making choice B correct.
E is also correct due to the fact that there are two failover groups shown here, meaning that an active/
active configuration is used.

QUESTION 63
The Certkiller security admin has issued the “show failover” command and the status shows a “waiting” state. What does this state mean?
A. The active PIX Firewall is operational and the standby PIX Firewall is ready.
B. The active PIX Firewall is waiting for configuration replication to be completed.
C. Monitoring the other Pix Firewall’s network interfaces has not yet started.
D. The primary PIX Firewall has completed testing the standby PIX Firewall’s interfaces and the standby PIX Firewall is waiting to take control.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The Cable Status that displays with the “show failover” command has these values:
(a) Normal - Indicates that the Active unit is working and that the Standby unit is ready.
(b) Waiting - Indicates that monitoring of the other unit’s network interfaces has not yet started.
(c) Failed - Indicates that the PIX Firewall has failed.
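Questions 62 and 63 both come down to reading “show failover” output correctly: the Cable status line tells you whether the pair uses a serial cable or LAN-based failover (and, for a cable, whether the state is Normal, Waiting or Failed), and the presence of two “Group N last failover” lines tells you the unit runs Active/Active failover. The script below is an added example, not part of the dump or of any Cisco tool; it parses the output quoted in Question 62 (embedded here as a constructed sample with a plain hyphen) plus a constructed serial-cable sample, and classifies the pair the way the two explanations do.

```python
import re

# Constructed sample: the "show failover" output quoted in Question 62 (not live device output).
SHOW_FAILOVER_LAN_AA = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail Ethernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15.54.49 UTC Jun 14 2005
Group 2 last failover at: 15.55.00 UTC Jun 14 2005
"""

# Constructed sample of a serial-cable pair whose cable status reads "Waiting" (Question 63).
SHOW_FAILOVER_CABLE_WAITING = """\
Failover On
Cable status: Waiting
Failover unit Secondary
Unit Poll frequency 15 seconds, holdtime 45 seconds
Monitored Interfaces 2 of 250 maximum
"""

# Cable status values and their meanings, as listed in Question 63's explanation.
CABLE_STATUS_MEANING = {
    "Normal": "the Active unit is working and the Standby unit is ready",
    "Waiting": "monitoring of the other unit's network interfaces has not yet started",
    "Failed": "the PIX Firewall has failed",
}

UNIT_RE = re.compile(r"^Failover unit (Primary|Secondary)$")
POLL_RE = re.compile(r"^Unit Poll frequency (\d+) seconds, holdtime (\d+) seconds$")
MONITORED_RE = re.compile(r"^Monitored Interfaces (\d+) of (\d+) maximum$")
GROUP_RE = re.compile(r"^Group (\d+) last failover at:")


def parse_show_failover(text):
    """Pull the fields that decide the failover type out of 'show failover' output."""
    info = {
        "failover_on": False,
        "lan_based": False,
        "cable_status": None,
        "unit": None,
        "unit_poll_seconds": None,
        "holdtime_seconds": None,
        "monitored_interfaces": None,
        "failover_groups": [],
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["failover_on"] = True
        elif line.startswith("Cable status:"):
            status = line.split(":", 1)[1].strip()
            # LAN-based failover reports N/A for the serial cable and says so explicitly.
            if "LAN-based failover enabled" in status:
                info["lan_based"] = True
            else:
                info["cable_status"] = status
        elif (m := UNIT_RE.match(line)):
            info["unit"] = m.group(1)
        elif (m := POLL_RE.match(line)):
            info["unit_poll_seconds"] = int(m.group(1))
            info["holdtime_seconds"] = int(m.group(2))
        elif (m := MONITORED_RE.match(line)):
            info["monitored_interfaces"] = (int(m.group(1)), int(m.group(2)))
        elif (m := GROUP_RE.match(line)):
            info["failover_groups"].append(int(m.group(1)))
    return info


def failover_types(info):
    """Classify the pair as Question 62 does: link type plus Active/Active vs Active/Standby."""
    if not info["failover_on"]:
        return ["Failover Off"]
    types = ["LAN-based failover" if info["lan_based"] else "Serial cable failover"]
    # Failover groups only exist in Active/Active mode; two groups listed means Active/Active.
    types.append("Active/Active failover" if len(info["failover_groups"]) >= 2 else "Active/Standby failover")
    return types


def describe_cable_status(info):
    """Explain the cable status word using the meanings from Question 63."""
    if info["lan_based"]:
        return "not applicable (LAN-based failover)"
    status = info["cable_status"]
    return CABLE_STATUS_MEANING.get(status, f"unknown cable status {status!r}")


if __name__ == "__main__":
    for sample in (SHOW_FAILOVER_LAN_AA, SHOW_FAILOVER_CABLE_WAITING):
        parsed = parse_show_failover(sample)
        print(failover_types(parsed), "-", describe_cable_status(parsed))
```

On the Question 62 sample the classifier returns LAN-based plus Active/Active (choices B and E); on the constructed cable sample it returns serial cable plus Active/Standby and explains the Waiting state as Question 63 does.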
QUESTION 64
A Certkiller security appliance is being configured to support the use of external AAA servers. What external AAA servers can the pix firewall use to authenticate users? (Choose all that apply)
A. TACACS
B. TACACS+
C. RADIUS
D. RADIUS+
E. KERBEROS
F. KERBOROS+

Correct Answer: BC Section: (none) Explanation
Explanation/Reference:
Explanation:
RADIUS and TACACS+ AAA servers are supported by the pix to authenticate remote users with. The pix
can also authenticate with an internal database, but that is only recommended for small networks due to
scalability issues.

QUESTION 65
AAA is being implemented within the Certkiller network. What are the three parts of AAA? (Choose all that apply)
A. Administration
B. Authorization
C. Accounting
D. Authentication
E. Auditing

Correct Answer: BCD Section: (none) Explanation
Explanation/Reference:
Explanation:
An AAA server provides three different functions: Authorization, Authentication, and Accounting.

QUESTION 66
Part of the configuration file of a Certkiller firewall is shown below:

Refer to the exhibit shown above. Given this configuration, what traffic will be logged to the AAA server?
A. All connection information will be logged in the accounting database.
B. All outbound connection information will be logged in the accounting database.
C. Only the authenticated console connection information will be logged in the accounting database.
D. This is not a valid configuration because TACACS+ connection information cannot be captured and logged.
E. No traffic will be logged

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The “include” option is used to enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command. In the configuration shown above, accounting is applied to all traffic sourced from the inside network to anywhere, that is, all outbound traffic. An example outbound AAA configuration using RADIUS instead of TACACS+ is found in the link shown below.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd

QUESTION 67
The security administrator at Certkiller is working on configuring a PIX Firewall for AAA. Why is the group tag in the “aaa-server” command important?
A. It is important because the group tag identifies which users require authorization to use certain services.
B. It is important because the group tag identifies which user groups must authenticate.
C. It is important because the aaa command references the group tag to know where to direct authentication, authorization, or accounting traffic.
D. It is important because the group tag enables or disables user authentication services.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the “aaa-server” command to specify AAA server groups…The AAA command references the group
tag to direct authentication, authorization, and accounting traffic to the appropriate AAA server.
Reference: Cisco Secure PIX Firewall Advanced 3.1, page 12-12

QUESTION 68
You are having problems with HTTP authentication on a new Certkiller security appliance. You have configured the security appliance and an AAA server for authentication. Why do Telnet and FTP authentication work normally while HTTP authentication does not?
A. The AAA server is not properly configured to accept HTTP authentication requests.
B. You have not enabled HTTP authorization, which is required for HTTP authentication.
C. You must specify HTTPS authentication in your configuration.
D. HTTP re-authentication may be taking place with the web browser sending the cached username and password back to the security appliance.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
HTTP Authentication
When using HTTP authentication to a site running Microsoft IIS that has “Basic text authentication” or “NT Challenge” enabled, users might be denied access from the Microsoft IIS server. This occurs because the browser appends the string “Authorization: Basic=Uuhjksdkfhk==” to the HTTP GET commands. This string contains the security appliance authentication credentials. Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the security appliance username-password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.
To solve this problem, the security appliance provides the virtual http command, which redirects the browser’s initial connection to another IP address, authenticates the user, then redirects the browser back to the URL that the user originally requested.
Once authenticated, a user never has to reauthenticate, no matter how low the security appliance uauth timeout is set, because the browser caches the “Authorization: Basic=Uuhjksdkfhk==” string in every subsequent connection to that particular site. This can be cleared only when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use. As long as the user repeatedly browses the Internet, the browser resends the “Authorization: Basic=Uuhjksdkfhk==” string to transparently reauthenticate the user.
Multimedia applications such as CU-SeeMe, Intel Internet Phone, MeetingPoint, and MS NetMeeting silently start the HTTP service before an H.323 session is established from the inside to the outside.
Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.
Reference: Cisco Security Appliance Command Reference for the Cisco ASA 5500 Series and Cisco PIX 500 Series, page 2-20.

QUESTION 69
The Certkiller network is shown in the display below:

The Certkiller network administrator for this small site shown above has chosen to authenticate HTTP cut-through proxy traffic via a local database on the Cisco PIX Security Appliance. Which command strings should the administrator enter to accomplish this?
A. pix1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 pix1(config)# access-list 150 permit tcp any host 172.16.16.6 eq www pix1(config)# aaa authentication match 150 outside LOCAL
B. pix1(config)# static (dmz,outside) 192.168.16.6 172.16.16.16 pix1(config)# access-list 150 permit tcp any host 192.168.16.6 eq www pix1(config)# aaa authentication match 150 outside pix 1
C. pix1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 pix1(config)# access-list 150 permit tcp any host 172.16.16.6 eq www pix1(config)# aaa authentication match 150 outside pix1
D. pix1(config)# static (dmz,outside) 192.168.16.6 172.16.16.6 pix1(config)# access-list 150 permit tcp any host 192.168.16.6 eq www pix1(config)# aaa authentication match 150 outside LOCAL

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Choice D is correct as the source traffic that needs to be authenticated is 192.168.16.6, and the PIX needs
to be configured to authenticate traffic as shown in the access list in choice D. In this access list, only web
traffic sourced from 192.168.16.6 should be authenticated using the local user database configured on the
PIX.
Incorrect Answers:

A: Since the initial traffic is coming from 192.168.16.6 (before NAT) the access list should use this IP address, and not 172.16.16.6
B: To configure authentication using the local user database configured on the PIX, use the “local” keyword, not the “pix 1” keyword. Using the “pix 1” phrase is invalid.
C: In this choice, the IP address used in the access list is incorrect, and the invalid “pix 1” keyword is used instead of the local keyword.
QUESTION 70
Authorization services have been applied on a new Certkiller appliance. Which is a method of identifying the traffic requiring authorization on the security appliance?
A. Implicitly enabling TACACS+ authorization rules in the response packet.
B. Specifying ACLs that authorization rules must match.
C. Independently interpreting authorized rules before authentication has occurred to decrease overall AAA processing time.
D. Checking the authentication rules for a match thus allowing the traffic to be authorized.
E. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Access lists are made up of one or more Access Control Entries (ACEs). An ACE is a single entry in an access list that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address or network, and optionally the source and destination ports. Access lists are used in a variety of features, as shown by the table below:

Access List Types and Common Uses

Access List Use | Access List Type | Description
Control network access for IP traffic (routed and transparent mode) | Extended | The security appliance does not allow any traffic unless it is explicitly permitted by an extended access list.
Identify traffic for AAA rules | Extended | AAA rules use access lists to identify traffic.
Control network access for IP traffic for a given user | Extended, downloaded from a AAA server per user | You can configure the RADIUS server to download a dynamic access list to be applied to the user, or the server can send the name of an access list that you already configured on the security appliance.
Identify addresses for NAT (policy NAT and NAT exemption) | Extended | Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended access list.
Establish VPN access | Extended | You can use an extended access list in VPN commands.
Identify traffic in a traffic class map for Modular Policy Framework | Extended, EtherType | Access lists can be used to identify traffic in a class map, which is used for features that support Modular Policy Framework. Features that support Modular Policy Framework include TCP and general connection settings, and inspection.
For transparent firewall mode, control network access for non-IP traffic | EtherType | You can configure an access list that controls traffic based on its EtherType.
Filtering for WebVPN | Webtype | You can configure a Webtype access list to filter URLs.

Reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450bf0.html

QUESTION 71
On a new Certkiller PIX, an access group was created using the “per-user-override” keyword. What is the effect of the per-user override option when applied to the access-group command syntax?
A. It increases security by building upon the existing access list applied to the interface. All subsequent users are also subject to the additional access list entries.
B. The log option in the per-user access list overrides existing interface log options.
C. It allows downloadable user access lists to override the access list applied to the interface.
D. It allows for extended authentication on a per-user basis.
E. None of the above.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:
hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]
You can apply one access list of each type (extended and EtherType) to both directions of the interface. The per-user-override keyword allows dynamic access lists that are downloaded for user authorization to override the access list assigned to the interface. For example, if the interface access list denies all traffic from 10.0.0.0, but the dynamic access list permits all traffic from 10.0.0.0, then the dynamic access list overrides the interface access list for that user. The per-user-override keyword is only available for inbound access lists.
Reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b93.html

QUESTION 72
A Certkiller security appliance needs to have a large number of ACL configuration lines applied to it. In what way can downloading ACLs increase your efficiency when you find yourself creating massive amounts of ACLs on several different PIX Firewalls?
A. They enable you to configure your PIX Firewall to download pre-written ACLs from Cisco Connection Online.
B. You can create all ACLs on one PIX Firewall and distribute them to other PIX Firewalls by using the download command on the receiving PIX Firewall or the upload command on the sending Pix Firewall.
C. You can enter an ACL once, in Cisco Secure ACS, and then have it downloaded to any number of PIX Firewalls during user authentication.
D. You can enter an ACL once in Cisco Secure ACS, and then have it downloaded to no more than 10 PIX Firewalls during authentication.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Downloadable ACLs enable you to enter an ACL once, in Cisco Secure ACS, and then load that ACL to any number of PIX Firewalls. Downloadable ACLs work in conjunction with ACLs that are configured directly on the PIX Firewall and applied to its interfaces. Neither type of ACL takes precedence over the other. In order to pass through the PIX Firewall, traffic must be permitted by both the interface ACL and the dynamic ACL if both are applicable. If either ACL denies the traffic, the traffic is prohibited.
Reference: CSPFA Student Guide v3.2 – Cisco Secure PIX Advanced p.11-48

QUESTION 73
A Certkiller security appliance is being configured to use multiple AAA servers for redundancy. By default, how many times will a pix attempt to contact an AAA server before trying to contact a new AAA server?
A. 0
B. 1
C. 2
D. 3
E. 4
F. 5

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation:
By default, a PIX Firewall will try to contact an AAA server for user authentication 4 times before considering that server unresponsive and attempting to contact a different AAA server.
