Base 28 QUESTION 28

Base 28 What is the purpose of the Integrity component of the CIA triad?
Base 28 A. to ensure that only authorized parties can modify data
Base 28 B. to determine whether data is relevant
Base 28 C. to create a process for accessing data
Base 28 D. to ensure that only authorized parties can view data
Base 45 QUESTION 45
Base 45 What type of attack was the Stuxnet virus?
Base 45 A. cyber warfare
Base 45 B. hactivism
Base 45 C. botnet
Base 45 D. social engineering
Base 58 QUESTION 58
Base 58 Which tool can an attacker use to attempt a DDos attack?
Base 58 A. botnet
Base 58 B. Trojan horse
Base 58 C. virus
Base 58 D. adware
Base 63 QUESTION 63
Base 63 When is the best time to perform an anti-virus signature update?
Base 63 A. When the local scanner has detected a new virus
Base 63 B. When a new virus is discovered in the wild
Base 63 C. Every time a new update is available
Base 63 D. When the system detects a browser hook
Base 104 QUESTION 104
Base 104 In a security context, which action can you take to address compliance?
Base 104 A. Implement rules to prevent a vulnerability
Base 104 B. Correct or counteract a vulnerability
Base 104 C. Reduce the severity of a vulnerability
Base 104 D. Follow directions from the security appliance manufacturer to remediate a vu
Base 119 QUESTION 119
Base 119 By which kind of threat is the victim tricked into entering username and passwo
Base 119 disguised website?
Base 119 A. Spoofing
Base 119 B. Malware
Base 119 C. Spam
Base 119 D. Phishing
Base 128 QUESTION 128
Base 128 In which stage of an attack does the attacker discover devices on a target netwo
Base 128 A. Reconnaissance
Base 128 B. Covering tracks
Base 128 C. Gaining access
Base 128 D. Maintaining access
Base 129 QUESTION 129
Base 129 Which type of security control is defense in depth?
Base 129 A. Threat mitigation
Base 129 B. Risk analysis
Base 129 C. Botnet mitigation
Base 129 D. Overt and covert channels
Base 166 QUESTION 166
Base 166 In which type of attack does an attacker send email message that ask the recipi
Base 166 such as https://www.cisco.net.cc/securelogs?
Base 166 A. pharming
Base 166 B. phishing
Base 166 C. solicitation
Base 166 D. secure transaction
Base 168 QUESTION 168
Base 168 Your security team has discovered a malicious program that has been harvestin
Base 168 email messages and the company's user database for the last 6 months. What t
Base 168 your team discover?
Base 168 A. social activism
Base 168 B. drive-by spyware
Base 168 C. targeted malware
Base 168 D. advance persistent threat
Base 168 E. Polymorphic virus
Base 175 QUESTION 175
Base 175 What are the three layers of a hierarchical network design? (Choose three.)
Base 175 A. core
Base 175 B. access
Base 175 C. server
Base 175 D. user
Base 175 E. internet
Base 175 F. distribution
Base 181 QUESTION 181
Base 181 A data breach has occurred and your company database has been copied. Whic
Base 181 principle has been violated?
Base 181 A. Confidentiality
Base 181 B. Access
Base 181 C. Control
Base 181 D. Availability
ss compliance?

turer to remediate a vulnerability

username and password information at a

evices on a target network?

sage that ask the recipient to click a link

hat has been harvesting the CEO's

e last 6 months. What type of attack did

n? (Choose three.)

has been copied. Which security

AAA 22 QUESTION 22
AAA 22 In which three ways does the TACACS protocol differ from RADIUS? (Choose thre
AAA 22 A. TACACS uses TCP to communicate with the NAS
AAA 22 B. TACACS can encrypt the entire packet that is sent to the NAS
AAA 22 C. TACACS authenticates and authorizes simultaneously, causing fewer packets
AAA 22 D. TACACS uses UDP to communicate with the NAS
AAA 22 E. TACACS encrypts only the password field in an authentication packet
AAA 22 F. TACACS support per-command authorization
AAA 35 QUESTION 35
AAA 35 What is a possible reason for the error message?
AAA 35 Router(config)#aaa server?
AAA 35 % Unrecognized command
AAA 35 A. The command syntax requires a space after the word "server"
AAA 35 B. The command is invalid on the target device
AAA 35 C. The router is already running the latest operating system
AAA 35 D. The router is a new device on which the aaa new-model command m
AAA 35 continuing
AAA 52 QUESTION 52
AAA 52 Which statement about Cisco ACS authentication and authorization is true?
AAA 52 A. ACS servers can be clustered to provide scalability
AAA 52 B. ACS can query multiple Active Directory domains
AAA 52 C. ACS uses TACACS to proxy other authentication servers
AAA 52 D. ACS can use only one authorization profile to allo or deny requests
AAA 89 QUESTION 89
AAA 89 If a router configuration includes the line aaa authentication login default group
AAA 89 which events will occur when the TACACS+ server returns an error? (Choose two
AAA 89 A. The user will be prompted to authenticate using the enable passwor
AAA 89 B. Authentication attempts to the router will be denied
AAA 89 C. Authentication will use the router`s local database
AAA 89 D. Authentication attempts will be sent to the TACACS+ server
AAA 93 QUESTION 93
AAA 93 What is the default timeout interval during which a router waits for responses fr
AAA 93 server before declaring a timeout failure?
AAA 93 A. 5 seconds
AAA 93 B. 10 seconds
AAA 93 C. 15 seconds
AAA 93 D. 20 seconds
AAA 116 QUESTION 116
AAA 116 Which accounting notices are used to send a failed authentication attempt reco
AAA 116 server? (Choose two.)
AAA 116 A. start-stop
AAA 116 B. stop-record
AAA 116 C. stop-only
AAA 116 D. stop
AAA 130 QUESTION 130
AAA 130 On which Cisco Configuration Professional screen do you enable AAA?
AAA 130 A. AAA Summary
AAA 130 B. AAA Servers and Groups
AAA 130 C. Authentication Policies
AAA 130 D. Authorization Policies
AAA 151 QUESTION 151
AAA 151 Refer to the exhibit. Which statement about the given configuration is true?
AAA 151 Tacacs server tacacsl
AAA 151 Address ipv4 1.1.1.1
AAA 151 Timeout 20
AAA 151 Single- connection
AAA 151 Tacacs server tacacs2
AAA 151 Address ipv4 2.2.2.2
AAA 151 Timeout 20
AAA 151 Single- connection
AAA 151 Tacacs server tacacs3
AAA 151 Address ipv4 3.3.3.3
AAA 151 Timeout 20
AAA 151 Single- connection
AAA 151 A. The timeout command causes the device to move to the next server after 20
AAA 151 inactivity.
AAA 151 B. The single-connection command causes the device to process one TACACS re
AAA 151 move to the next server.
AAA 151 C. The single-connection command causes the device to establish one c
AAA 151 transactions.
AAA 151 D. The router communicates with the NAS on the default port, TCP 1645
AAA 169 QUESTION 169
AAA 169 What is the best way to confirm that AAA authentication is working properly?
AAA 169 A. use the test aaa command
AAA 169 B. use the Cisco-recommended configuration for AAA authentication
AAA 169 C. Log into and out of the router, and then check the NAS authentication log
AAA 169 D. Ping the NAS to confirm connectivity
AAA 180 QUESTION 180
AAA 180 Which three ways does the RADIUS protocol differ from TACACS?? (Choose three
AAA 180 A. RADIUS authenticates and authorizes simultaneously. Causing fewer
AAA 180 B. RADIUS encrypts only the password field in an authentication packe
AAA 180 C. RADIUS can encrypt the entire packet that is sent to the NAS
AAA 180 D. RADIUS uses UDP to communicate with the NAS
AAA 180 E. RADIUS uses TCP to communicate with the NAS
AAA 180 F. RADIUS support per-command authentication
m RADIUS? (Choose three)

nt to the NAS
causing fewer packets to be transmitted

tication packet

w-model command must be applied before

thorization is true?

eny requests

tion login default group tacacs+ enable,

s an error? (Choose two.)
g the enable password

ACS+ server

r waits for responses from a TACACS

entication attempt record to a AAA

 enable AAA?

nfiguration is true?

he next server after 20 seconds of TACACS

process one TACACS request and then

ice to establish one connection for all TACACS

port, TCP 1645

is working properly?

thentication
S authentication log

ACACS?? (Choose three)

eously. Causing fewer packets to be transmitted
authentication packets
ISE 54 QUESTION 54
ISE 54 What is one requirement for locking a wired or wireless device from ISE?
ISE 54 A. The ISE agent must be installed on the device
ISE 54 B. The device must be connnected to the network when the lock command is ex
ISE 54 C. The user must approve the locking action
ISE 54 D. The organization must implement an acceptable use policy allowing device lo
ISE 142 QUESTION 142
ISE 142 When an administrator initiates a device wipe command from the ISE, what is th
ISE 142 effect?
ISE 142 A. It requests the administrator to choose between erasing all device data or on
ISE 142 corporate data.
ISE 142 B. It requests the administrator to enter the device PIN or password before proce
ISE 142 operation
ISE 142 C. It immediately erases all data on the device.
ISE 142 D. It notifies the device user and proceeds with the erase operation
ISE 143 QUESTION 143
ISE 143 How does a device on a network using ISE receive its digital certificate during th
ISE 143 registration process?
ISE 143 A. ISE acts as a SCEP proxy to enable the device to receive a certificate from a c
ISE 143 B. The device request a new certificate directly from a central CA
ISE 143 C. ISE issues a pre-defined certificate from a local database
ISE 143 D. ISE issues a certificate from its internal CA server.
device from ISE?

the lock command is executed

policy allowing device locking

from the ISE, what is the immediate

ng all device data or only managed

r password before proceeding with the

e operation

ital certificate during the new-device

ve a certificate from a central CA server

Encryption 6 QUESTION 6
Encryption 6 What type of algorithm uses the same key to encryp and decrypt data?
Encryption 6 A. a symmetric algorithm
Encryption 6 B. an asymetric algorithm
Encryption 6 C. a Public Key infrastructure algorithm
Encryption 6 D. an IP Security algorithm
Encryption 9 QUESTION 9
Encryption 9 Which EAP method uses protected Access Credentials?
Encryption 9 A. EAP-TLS
Encryption 9 B. EAP-PEAP
Encryption 9 C. EAP-FAST
Encryption 9 D. EAP-GTC
Encryption 74 QUESTION 74, 141
Encryption 74 Which two next generation encrytption algorithms does Cisco recommend? (Cho
Encryption 74 A. AES
Encryption 74 B. 3DES
Encryption 74 C. DES
Encryption 74 D. MD5
Encryption 74 E. DH-1024
Encryption 74 F. SHA-384
Encryption 87 QUESTION 87
Encryption 87 What hash type does Cisco use to validate the integrity of downloaded images?
Encryption 87 A. Sha1
Encryption 87 B. Sha2
Encryption 87 C. Md5
Encryption 87 D. Md1
Encryption 92 QUESTION 92
Encryption 92 Which components does HMAC use to determine the authenticity and integrity o
Encryption 92 A. The password
Encryption 92 B. The hash
Encryption 92 C. The key
Encryption 92 D. The transform set
Encryption 98 QUESTION 98
Encryption 98 Which protocols use encryption to protect the confidentiality of data transmitted
Encryption 98 parties? (Choose two.)
Encryption 98 A. FTP
Encryption 98 B. SSH
Encryption 98 C. Telnet
Encryption 98 D. AAA
Encryption 98 E. HTTPS
Encryption 138 QUESTION 138
Encryption 138 Which of encryption technology has the broadcast platform support to protect o
Encryption 138 A. Middleware
Encryption 138 B. Hardware
Encryption 138 C. software
Encryption 138 D. file-level
Encryption 171 QUESTION 171
Encryption 171 What improvement does EAP-FASTv2 provide over EAP-FAST?
Encryption 171 A. It support more secure encryption protocols.
Encryption 171 B. It allows multiple credentials to be passed in a single EAP exchange
Encryption 171 C. It addresses security vulnerabilities found in the original protocol.
Encryption 171 D. It allows faster authentication by using fewer packets.
Encryption 173 QUESTION 173
Encryption 173 What mechanism does asymmetric cryptography use to secure data?
Encryption 173 A. an RSA nonce
Encryption 173 B. a public/private key pair.
Encryption 173 C. an MD5 hash.
Encryption 173 D. shared secret keys.
Encryption 184 QUESTION 184
Encryption 184 How does PEAP protect EAP exchange?
Encryption 184 A. it encrypts the exchange using the client certificate.
Encryption 184 B. it validates the server-supplied certificate and then encrypts the exchange us
Encryption 184 certificate
Encryption 184 C. it encrypts the exchange using the server certificate
Encryption 184 D. it validates the client-supplied certificate and then encrypts the exchange us
Encryption 184 certificate.
 decrypt data?

Cisco recommend? (Choose two)

of downloaded images?

henticity and integrity of a message?

ality of data transmitted between two

rm support to protect operating systems?

EAP exchange
nal protocol.

secure data?

crypts the exchange using the client

crypts the exchange using the server

IPSec 2 QUESTION 2, 146
IPSec 2 Which three ESP fields can be encrypted during transmission? (Choose three)
IPSec 2 A. Security Parameter Index
IPSec 2 B. Sequence Number
IPSec 2 C. MAC Address
IPSec 2 D. Padding
IPSec 2 E. Pad Length
IPSec 2 F. Next Header
IPSec 21 QUESTION 21
IPSec 21 Which command is needed to enable SSH support on a Cisco Router?
IPSec 21 A. crypto key lock rsa
IPSec 21 B. crypto key generate rsa
IPSec 21 C. crypto key zeroize rsa
IPSec 21 D. crypto key unlock rsa
IPSec 33 QUESTION 33
IPSec 33 What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)
IPSec 33 A. The Internet Key Exchange protocol establishes security association
IPSec 33 B. The Internet Key Exchange protocol provides data confidentiality
IPSec 33 C. The Internet Key Exchange protocol provides replay detection
IPSec 33 D. The Internet Key Exchange protocol is responsible for mutual authen
IPSec 38 QUESTION 38
IPSec 38 Which source port does IKE use when NAT has been detected between two VPN
IPSec 38 A. TCP 4500
IPSec 38 B. TCP 500
IPSec 38 C. UDP 4500
IPSec 38 D. UDP 500
IPSec 39 QUESTION 39
IPSec 39 Which of the following are features of IPsec transport mode? (Choose three.)
IPSec 39 A. IPsec transport mode is used between end stations
IPSec 39 B. IPsec transport mode is used between gateways
IPSec 39 C. IPsec transport mode supports multicast
IPSec 39 D. IPsec transport mode supports unicast
IPSec 39 E. IPsec transport mode encrypts only the payload
IPSec 39 F. IPsec transport mode encrypts the entire packet
IPSec 41 QUESTION 41
IPSec 41 Which command verifies phase 1 of an IPsec VPN on a Cisco router?
IPSec 41 A. show crypto map
IPSec 41 B. show crypto ipsec sa
IPSec 41 C. show crypto isakmp sa
IPSec 41 D. show crypto engine connection active
IPSec 57 QUESTION 57
IPSec 57 What is the effect of the given command sequence?
IPSec 57
IPSec 57
IPSec 57
IPSec 57
IPSec 57
IPSec 57 A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a d
IPSec 57 10.100.100.0/24
IPSec 57 B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destina
IPSec 57 C. it defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination o
IPSec 57 D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destinatio
IPSec 64 QUESTION 64
IPSec 64 What is the effect of thesend-lifetime local 23:59:00 31 December 31 201
IPSec 64 A. It configures the device to begin transmitting the authentication key to other
IPSec 64 local time on January 1, 2014 and continue using the key indefinitely.
IPSec 64 B. It configures the device to begin transmitting the authentication key
IPSec 64 local time on December 31, 2013 and continue using the key indefinite
IPSec 64 C. It configures the device to begin accepting the authentication key from other
IPSec 64 and stop accepting the key at 23:59:00 local time on December 31, 2013.
IPSec 64 D. It configures the device to generate a new authentication key and transmit it
IPSec 64 23:59 00 local time on December 31, 2013.
IPSec 64 E. It configures the device to begin accepting the authentication key from other
IPSec 64 local time on December 31, 2013 and continue accepting the key indefinitely.
IPSec 64 F. It configures the device to begin accepting the authentication key from other
IPSec 64 local time on January 1, 2014 and continue accepting the key indefinitely.
IPSec 78 QUESTION 78
IPSec 78 Refer to the exhibit. What is the effect of the given command sequence?
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78 A. It configures IKE Phase 1
IPSec 78 B. It configures a site-to-site VPN Tunnel
IPSec 78 C. It configures a crypto policy with a key size of 14400
IPSec 78 D. It configures IPSec Phase 2
IPSec 108 QUESTION 108, 164
IPSec 108 Which two authentication types does OSPF support? (Choose two)
IPSec 108 A. plaintext
IPSec 108 B. MD5
IPSec 108 C. HMAC
IPSec 108 D. AES 256
IPSec 108 E. SHA-1
IPSec 108 F. DES
IPSec 152 QUESTION 152
IPSec 152 Refer to the exhibit. What is the effect of the given command?
IPSec 152 Crypto ipsec transform-set myset esp-md5-hmac esp-esp-aes-256
IPSec 152 A. It configure the network to use a different transform set between peers.
IPSec 152 B. It merges authentication and encryption methods to protect traffic that match
IPSec 152 C. It configures encryption for MD5 HMAC.
IPSec 152 D. It configures authentications as AES 256.
 sion? (Choose three)

Cisco Router?

sec VPN? (Choose two.)

security associations
fidentiality

ble for mutual authentication

cted between two VPN gateways?

de? (Choose three.)

sco router?
0.10.10.0/24 with a desstination of

100.0/24 with a destination of 10.10.10.0/24

0/24 with a destination of 10.100.100.0/24
0.0/24 with a destination of 10.10.10.0/24

0 31 December 31 2013infinite command?

entication key to other devices at 00:00:00
y indefinitely.
he authentication key to other devices at 23:59:00
ng the key indefinitely.
tication key from other devices immediately
cember 31, 2013.
tion key and transmit it to other devices at

tication key from other devices at 23:59:00

g the key indefinitely.
tication key from other devices at 00:00:00
e key indefinitely.

mand sequence?

oose two)
sp-esp-aes-256
et between peers.
rotect traffic that matches an ACL.
VPN 4 QUESTION 4
VPN 4 Refer to the exhibit. If a supplicant supplies incorrect credentials for all authenti
VPN 4 configured on the switch, how will the switch respond?
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4 A. The switch will cycle through the configured authentication methods indefinit
VPN 4 B. The supplicant will fail to advance beyond the webauth method.
VPN 4 C. The authentication attempt will time out and the switch will place the port int
VPN 4 state
VPN 4 D. The authentication attempt will time out and the switch will place the port int
VPN 44 QUESTION 44, 149
VPN 44 Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the show
VPN 44 command. What does the given output show?
VPN 44
VPN 44
VPN 44
VPN 44
VPN 44 A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5
VPN 44 B. IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5
VPN 44 C. IPSec Phase 1 is down due to a QM_IDLE state
VPN 44 D. IPSEc Phase 2 is down due to a QM_IDLE state
VPN 46 QUESTION 46, 153
VPN 46 Which type of secure connectivity does an extranet provide?
VPN 46 A. remote branch offices to your company network
VPN 46 B. your company network to the Internet
VPN 46 C. new networks to your company network
VPN 46 D. other company networks to your company network
VPN 50 QUESTION 50
VPN 50 What VPN feature allows traffic to exit the security appliance through the same
VPN 50 entered?
VPN 50 A. Hairpinning
VPN 50 B. NAT
VPN 50 C. NAT traversal
VPN 50 D. split tunneling
VPN 62 QUESTION 62
VPN 62 What VPN feature allows Internet traffic and local LAN/WAN traffic to use the sam
VPN 62 connection.
VPN 62 A. split tunneling
VPN 62 B. hairpinning
VPN 62 C. tunnel mode
VPN 62 D. transparent mode
VPN 66 QUESTION 66
VPN 66 Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the show
VPN 66 command. What does the given output show?
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66 A. ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1
VPN 66 B. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5
VPN 66 C. IKE version 2 security associations are established between 10.1.1.1 and 10.1
VPN 66 D. IPSec Phase 2 is down due to a mismatch between encrypted and decrypted
VPN 67 QUESTION 67
VPN 67 Which statement about a PVLAN isolated port configured on a switch is true?
VPN 67 A. The isolated port can communicate only with the promiscous port
VPN 67 B. The isolated port can communicate with other isolated ports and the promisc
VPN 67 C. The isolated port can communicate only with community ports
VPN 67 D. The isolated port can communicate only with other isolated ports
VPN 100 QUESTION 100
VPN 100 How can the administrator enable permanent client installation in a Cisco AnyCo
VPN 100 firewall configuration?
VPN 100 A. Issue the command anyconnect keep-installer under the group polic
VPN 100 B. Issue the command anyconnect keep-installer installed in the global configur
VPN 100 C. Issue the command anyconnect keep-installer installed under the group polic
VPN 100 webvpn mode
VPN 100 D. Issue the command anyconnect keep-installer installer under the group polic
VPN 100 webvpn mode
VPN 147 QUESTION 147
VPN 147 Which type of PVLAN port allows host in the same VLAN to communicate directl
VPN 147 A. promiscuous for hosts in the PVLAN
VPN 147 B. span for hosts in the PVLAN
VPN 147 C. Community for hosts in the PVLAN
VPN 147 D. isolated for hosts in the PVLAN
VPN 148 QUESTION 148
VPN 148 Refer to the exhibit while troubleshooting site-to-site VPN, you issued the show
VPN 148 sa command. What does the given output shows?
VPN 148 Dst src state conn-id slot
VPN 148 10.10.10.2 10.1.1.5 MM_NO_STATE 1 0
VPN 148 A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to neg
VPN 148 B. IKE Phase 1 main mode has successfully negotiate between 10.1.1.5 and10.1
VPN 148 C. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotia
VPN 148 D. IKE Phase 1 aggressive mode was create on 10.1.1.5, but it failed to negotiat
VPN 150 QUESTION 150
VPN 150 Refer to the exhibit. You have configured R1 and R2 as shown, but the routers a
VPN 150 establish a site-to-site VPN tunnel. What action can you take to correct the prob
VPN 150 R1
VPN 150 Interface GigabitEthernet 0/0
VPN 150 IP address 10.20.20.4 255.255.255.255.0
VPN 150 Crypto isakmp policy 1
VPN 150 Authentication pre-share
VPN 150 Lifetime 84600
VPN 150 Crypto isakmp key test67890 address 10.20.20.4
VPN 150 R2
VPN 150 Interface GigabitEthernet 0/0
VPN 150 IP address 10.20.20.4 255.255.255.255.0
VPN 150 Crypto isakmp policy 10
VPN 150 Authentication pre-share
VPN 150 Lifetime 84600
VPN 150 Crypto isakmp key test12345 address 10.30.30.5
VPN 150 A. Edit the crypto keys on R1 and R2 to match.
VPN 150 B. Edit the crypto isakmp key command on each router with the address value o
VPN 150 C. Edit the ISAKMP policy sequence numbers on R1 and R2 to match.
VPN 150 D. set a valid value for the crypto key lifetime on each router.
VPN 161 QUESTION 161
VPN 161 What configuration allows AnyConnect to authenticate automatically establish a
VPN 161 when a user logs in to the computer?
VPN 161 A. proxy
VPN 161 B. Trusted Network Detection
VPN 161 C. transparent mode
VPN 161 D. always-on
dentials for all authentication methods

ation methods indefinitely

h method.
ch will place the port into the unathorized

ch will place the port into VLAN 101

N, you issued the show crypto isakmp as

2 and 10.1.1.5

ance through the same interface it

AN traffic to use the same network

 N, you issued the show crypto ipsec sa

10.1.1.5 and 10.1.1.1

and 10.1.1.5
ween 10.1.1.1 and 10.1.1.5
crypted and decrypted packets

on a switch is true?
e promiscous port
d ports and the promiscuous port

olated ports

allation in a Cisco AnyConnect VPN

nder the group policy or username webvpn mode

d in the global configuration
d under the group policy or username

r under the group policy or username

to communicate directly with the other?

N, you issued the show crypto isakamp

5, but it failed to negotiate with 10.10.10.2

tween 10.1.1.5 and10.10.10.2
, but it failed to negotiate with 10.10.10.2
but it failed to negotiate with 10.10.10.2

hown, but the routers are unable to

ake to correct the problem?

with the address value of its own interface

R2 to match.

utomatically establish a VPN session

SecL2 13 QUESTION 13
SecL2 13 What is the transition order of STP states on a Layer 2 switch interface?
SecL2 13 A. listening, learning, blocking, forwarding, disabled
SecL2 13 B. listening, blocking, learning, forwarding, disabled
SecL2 13 C. blocking, listening, learning, forwarding, disabled
SecL2 13 D. forwarding, listening, learning, blocking, disabled
SecL2 40 QUESTION 40
SecL2 40 Which command causes a Layer 2 switch interface to operate as a Layer 3 inter
SecL2 40 A. no switchport nonnegotiate
SecL2 40 B. switchport
SecL2 40 C. no switchport mode dynamic auto
SecL2 40 D. no switchport
SecL2 71 QUESTION 71
SecL2 71 In what type of attack does an attacker virtually change a devices burned in add
SecL2 71 to circumvent access lists and mask the device's true identity?
SecL2 71 A. gratuitous ARP
SecL2 71 B. ARP poisoning
SecL2 71 C. IP Spoofing
SecL2 71 D. MAC Spoofing
SecL2 73 QUESTION 73
SecL2 73 An attacker installs a rogue switch that sends superior BPDUs on your network.
SecL2 73 What is a possible result of this activity?
SecL2 73 A. The switch could offer fake DHCP addresses.
SecL2 73 B. The switch could become the root bridge.
SecL2 73 C. The switch could be allowed to join the VTP domain
SecL2 73 D. The switch could become a transparent bridge.
SecL2 80 QUESTION 80
SecL2 80 If you change the native VLAN on the port to an unused VLAN, what happens if
SecL2 80 attempts a double tagging attack?
SecL2 80 A. The trunk port would go into an error-disable state.
SecL2 80 B. A VLAN hopping attack would be successful
SecL2 80 C. A VLAN hopping attack would be prevented
SecL2 80 D. the attacked VLAN will be pruned
SecL2 99 QUESTION 99
SecL2 99 What are the primary attack methods of VLAN hopping? (Choose two.)
SecL2 99 A. VoIP hopping
SecL2 99 B. Switch spoofing
SecL2 99 C. CAM-table overflow
SecL2 99 D. Double tagging
SecL2 110 QUESTION 110
SecL2 110 What command can you use to verify the binding table status?
SecL2 110 A. Show ip dhcp snooping binding
SecL2 110 B. Show ip dhcp snooping database
SecL2 110 C. show ip dhcp snooping statistics
SecL2 110 D. show ip dhcp pool
SecL2 110 E. show ip dhcp source binding
SecL2 110 F. show ip dhcp snooping
SecL2 111 QUESTION 111
SecL2 111 If a switch receives a superior BPDU and goes directly into a blocked state, what
SecL2 111 be in use?
SecL2 111 A. Etherchannel guard
SecL2 111 B. root guard
SecL2 111 C. loop guard
SecL2 111 D. BPDU guard
SecL2 117 QUESTION 117
SecL2 117 If the native VLAN on a trunk is different on each end of the link, what is a poten
SecL2 117 consequence?
SecL2 117 A. The interface on both switches may shut down
SecL2 117 B. STP loops may occur
SecL2 117 C. The switch with the higher native VLAN may shut down
SecL2 117 D. The interface with the lower native VLAN may shut down
SecL2 121 QUESTION 121
SecL2 121 Which statement correctly describes the function of a private VLAN?
SecL2 121 A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN in
SecL2 121 B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdo
SecL2 121 C. A private VLAN enables the creation of multiple VLANs using one broadcast d
SecL2 121 D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into
SecL2 121 broadcast domain
SecL2 123 QUESTION 123
SecL2 123 What is the most common Cisco Discovery Protocol version 1 attack?
SecL2 123 A. Denial of Service
SecL2 123 B. MAC-address spoofing
SecL2 123 C. CAM-table overflow
SecL2 123 D. VLAN hopping
SecL2 124 QUESTION 124
SecL2 124 What is the Cisco preferred countermeasure to mitigate CAM overflows?
SecL2 124 A. Port security
SecL2 124 B. Dynamic port security
SecL2 124 C. IP source guard
SecL2 124 D. Root guard
SecL2 125 QUESTION 125
SecL2 125 When a switch has multiple links connected to a downstream switch, what is the
SecL2 125 STP takes to prevent loops?
SecL2 125 A. STP elects the root bridge
SecL2 125 B. STP selects the root port
SecL2 125 C. STP selects the designated port
SecL2 125 D. STP blocks one of the ports
SecL2 126 QUESTION 126
SecL2 126 Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)
SecL2 126 A. Port security
SecL2 126 B. DHCP snooping
SecL2 126 C. IP source guard
SecL2 126 D. Dynamic ARP inspection
SecL2 156 QUESTION 156
SecL2 156 What is the potential drawback to leaving VLAN 1 as the native VLAN?
SecL2 156 A. Gratuitous ARPs might be able to conduct a man-in-the-middle attack.
SecL2 156 B. The CAM might be overloaded, effectively turning the switch into hub.
SecL2 156 C. VLAN 1 might be vulnerable to IP address spoofing
SecL2 156 D. It may be susceptible to a VLAN hopping attack
SecL2 176 QUESTION 176
SecL2 176 In which type of attack does the attacker attempt to overload the CAM table on
SecL2 176 the switch acts as a hub?
SecL2 176 A. gratuitous ARP
SecL2 176 B. MAC flooding
SecL2 176 C. MAC spoofing
SecL2 176 D. DoS
SecL2 182 QUESTION 182
SecL2 182 If a switch receives a superior BPDU and goes directly into a blocked state, what
SecL2 182 must be in use?
SecL2 182 A. BPDU guard
SecL2 182 B. portfast
SecL2 182 C. EherCahannel guard
SecL2 182 D. loop guard
SecL2 182 E. STP Root guard
SecL2 192 QUESTION 192
SecL2 192 Which three statements are characteristics of DHCP Spoofing? (choose three)
SecL2 192 A. Arp Poisoning
SecL2 192 B. Modify Traffic in transit
SecL2 192 C. Used to perform man-in-the-middle attack
SecL2 192 D. Physically modify the network gateway
SecL2 192 E. Protect the identity of the attacker by masking the DHCP address
SecL2 192 F. can access most network devices
witch interface?

erate as a Layer 3 interface?

a devices burned in address in an attempt

PDUs on your network.

VLAN, what happens if an attacker

(Choose two.)
o a blocked state, what mecanism must

the link, what is a potential

vate VLAN?
domain of a VLAN into subdomains
in of a VLAN into subdomains
s using one broadcast domain
ins of many VLANs into one major

on 1 attack?

CAM overflows?

eam switch, what is the first step that

ks? (Choose two.)

native VLAN?
e-middle attack.
switch into hub.

rload the CAM table on a switch so that

o a blocked state, what mechanism

ofing? (choose three)

CP address
SecMP 10 QUESTION 10
SecMP 10 In which two situations should you use out-of-band management? (Choose two)
SecMP 10 A. when a network device fails to forward packets
SecMP 10 B. when management applications need concurrent access to the device
SecMP 10 C. when you require ROMMON access
SecMP 10 D. when you require adminstrator access from multiple locations
SecMP 10 E. when the control plane fails to respond
SecMP 20 QUESTION 20
SecMP 20 Which Cisco Security Manager application collects information about device stat
SecMP 20 generate notifications and alerts?
SecMP 20 A. FlexConfig
SecMP 20 B. Device Manager
SecMP 20 C. Report Manager
SecMP 20 D. Health and Performance Monitor
SecMP 30 QUESTION 30
SecMP 30 Which protocol provides security to Secure Copy?
SecMP 30 A. IPsec
SecMP 30 B. SSH
SecMP 30 C. HTTPS
SecMP 30 D. ESP
SecMP 47 QUESTION 47
SecMP 47 After reloading a router, you issue the dir command to verify the installation and
SecMP 47 image file appears to be missing. For what reason could the image file fail to ap
SecMP 47 output?
SecMP 47 A. The secure boot-image command is configured
SecMP 47 B. The secure boot-comfit command is configured
SecMP 47 C. The confreg 0x24 command is configured.
SecMP 47 D. The reload command was issued from ROMMON.
SecMP 56 QUESTION 56
SecMP 56 What are two default Cisco IOS privilege levels? (Choose two)
SecMP 56 A. 0
SecMP 56 B. 5
SecMP 56 C. 1
SecMP 56 D. 7
SecMP 56 E. 10
SecMP 56 F. 15
SecMP 83 QUESTION 83
SecMP 83 Which syslog severity level is level number 7?
SecMP 83 A. Warning
SecMP 83 B. Informational
SecMP 83 C. Notification
SecMP 83 D. Debugging
SecMP 95 QUESTION 95
SecMP 95 Which command initializes a lawful intercept view?
SecMP 95 A. username cisco1 view lawful-intercept password cisco
SecMP 95 B. parser view cisco li-view
SecMP 95 C. li-view cisco user cisco1 password cisco
SecMP 95 D. parser view li-view inclusive
SecMP 105 QUESTION 105
SecMP 105 How many times was a read-only string used to attempt a write operation?
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105 A. 6
SecMP 105 B. 9
SecMP 105 C. 4
SecMP 105 D. 3
SecMP 105 E. 2
SecMP 109 QUESTION 109, 159
SecMP 109 Refer to the exhibit. The Admin user is unable to enter configuration mode on a
SecMP 109 given configuration. What change can you make to the configuration to correct
SecMP 109
SecMP 109
SecMP 109
SecMP 109
SecMP 109
SecMP 109
SecMP 109 A. Remove the Autocommand keyword and arguments from the Userna
SecMP 109 B. Change the Privilege exec level value to 15
SecMP 109 C. Remove the two Username Admin lines
SecMP 109 D. Remove the Privilege exec line.
SecMP 157 QUESTION 157
SecMP 157 Refer to the exhibit. Which line in this configuration prevents the HelpDesk user
SecMP 157 the interface configuration?
SecMP 157 Username Engineer privilege 9 password 0 configure
SecMP 157 Username Monitor privilege 8 password 0 vatcher
SecMP 157 Username HelpDesk privilege 6 password help
SecMP 157 Privilege exec level 6 show running
SecMP 157 Privilege exec level 7show start-up
SecMP 157 Privilege exec level 9 show configure terminal
SecMP 157 Privilege exec level 10 interface
SecMP 157 A. Privilege exec level 9 show configure terminal
SecMP 157 B. Privilege exec level 7show start-up
SecMP 157 C. Privilege exec level 10 interface
SecMP 157 D. Username HelpDesk privilege 6 password help
SecMP 172 QUESTION 172
SecMP 172 Which statement about IOS privilege levels is true?
SecMP 172 A. Each privilege level is independent of all other privilege levels.
SecMP 172 B. Each privilege level supports the commands at its own level and all levels ab
SecMP 172 C. Each privilege level supports the commands at its own level and all
SecMP 172 D. Privilege-level commands are set explicitly for each user.
SecMP 178 QUESTION 178
SecMP 178 What are two ways to protect eavesdropping when you perform device-manage
SecMP 178 (Choose two)
SecMP 178 A. use SNMPv2
SecMP 178 B. use SSH connection
SecMP 178 C. use SNMPv3
SecMP 178 D. use in-band management
SecMP 178 E. use out-band management
agement? (Choose two)

ss to the device

mation about device status and uses it to

erify the installation and observe that the

the image file fail to appear in the dir
a write operation?

onfiguration mode on a device with the

onfiguration to correct the problem?

ents from the Username Admin privilege line

ents the HelpDesk user from modifying

n level and all levels above it.

its own level and all levels below it.

erform device-management task?

SecDP 11 QUESTION 11
SecDP 11 What features can protect the data plane? (Choose three.)
SecDP 11 A. policing
SecDP 11 B. ACLs
SecDP 11 C. IPS
SecDP 11 D. antispoofing
SecDP 11 E. QoS
SecDP 11 F. DHCP-snooping
SecDP 34 QUESTION 34
SecDP 34 Which address block is reserved for locally assigned unique local addresses?
SecDP 34 A. 2002::/16
SecDP 34 B. FD00::/8
SecDP 34 C. 2001::/32
SecDP 34 D. FB00::/8
SecDP 122 QUESTION 122
SecDP 122 Which Cisco feature can help mitigate spoofing attacks by verifying symmetry o
SecDP 122 A. Unidirectional Link Detection
SecDP 122 B. Unicast Reverse Path Forwarding
SecDP 122 C. TrustSec
SecDP 122 D. IP Source Guard
ue local addresses?

y verifying symmetry of the traffic path?

SecCP 76 QUESTION 76
SecCP 76 Which two feature do CoPP and CPPr use to protect the control plane? (Choose t
SecCP 76 A. QoS
SecCP 76 B. traffic classification
SecCP 76 C. access lists
SecCP 76 D. policy maps
SecCP 76 E. class maps
SecCP 76 F. Cisco Express Forwarding
SecCP 77 QUESTION 77
SecCP 77 What is an advantage of implementing a Trusted Platform Module for disk encry
SecCP 77 A. It provides hardware authentication
SecCP 77 B. It allows the hard disk to be transferred to another device without requiring re
SecCP 77 C. it supports a more complex encryption algorithm than other disk-encryption t
SecCP 77 D. it can protect against single poins of failure.
SecCP 96 QUESTION 96
SecCP 96 Which security measures can protect the control plane of a Cisco router? (Choos
SecCP 96 A. CCPr
SecCP 96 B. Parser views
SecCP 96 C. Access control lists
SecCP 96 D. Port security
SecCP 96 E. CoPP
SecCP 112 QUESTION 112
SecCP 112 What type of packet creates and performs network operations on a network dev
SecCP 112 A. data plane packets
SecCP 112 B. management plane packets
SecCP 112 C. services plane packets
SecCP 112 D. control plane packets
SecCP 165 QUESTION 165
SecCP 165 Which feature filters CoPP packets?
SecCP 165 A. Policy maps
SecCP 165 B. route maps
SecCP 165 C. access control lists
SecCP 165 D. class maps
ontrol plane? (Choose two)

m Module for disk encryption?

vice without requiring re-encryption.dis

other disk-encryption technologies.

f a Cisco router? (Choose two.)

ations on a network device?

Firewall 16 QUESTION 16
Firewall 16 When a company puts a security policy in place, what is the effect on the compa
Firewall 16 A. Minimizing risk
Firewall 16 B. Minimizing total cost of ownership
Firewall 16 C. Minimizing liability
Firewall 16 D. Maximizing compliance
Firewall 43 QUESTION 43
Firewall 43 Which type of firewall can act on the behalf of the end device?
Firewall 43 A. Stateful packet
Firewall 43 B. Application
Firewall 43 C. Packet
Firewall 43 D. Proxy
Firewall 48 QUESTION 48
Firewall 48 What is a reason for an organization to deploy a personal firewall?
Firewall 48 A. To protect endpoints such as desktops from malicious activity
Firewall 48 B. To protect one virtual network segment from another
Firewall 48 C. To determine whether a host meets minimum security posture requirements
Firewall 48 D. To create a separate, non-persistent virtual environment that can be destroye
Firewall 48 E. To protect the network from DoS and syn-flood attacks
Firewall 55 QUESTION 55
Firewall 55 Refer to the exhibit. What type of firewall would use the given cofiguration line?
Firewall 55
Firewall 55
Firewall 55
Firewall 55 A. a stateful firewall
Firewall 55 B. a personal firewall
Firewall 55 C. a proxy firewall
Firewall 55 D. an application firewall
Firewall 55 E. a stateless firewall
Firewall 65 QUESTION 65
Firewall 65 Which Statement about personal firewalls is true?
Firewall 65 A. They are resilient against kernal attacks
Firewall 65 B. They can protect email messages and private documents in a similar way to a
Firewall 65 C. They can protect the network against attacks
Firewall 65 D. They can protect a system by denying probing requests
Firewall 84 QUESTION 84
Firewall 84 Which type of mirroring does SPAN technology perform?
Firewall 84 A. Remote mirroring over Layer 2
Firewall 84 B. Remote mirroring over Layer 3
Firewall 84 C. Local mirroring over Layer 2
Firewall 84 D. Local mirroring over Layer 3
Firewall 107 QUESTION 107
Firewall 107 You want to allow all of your companies users to access the Internet without allo
Firewall 107 servers to collect the IP addresses of individual users.
Firewall 107 What two solutions can you use? (Choose two).
Firewall 107 A. Configure a proxy server to hide users local IP addresses
Firewall 107 B. Assign unique IP addresses to all users.
Firewall 107 C. Assign the same IP addresses to all users
Firewall 107 D. Install a Web content filter to hide users local IP addresses
Firewall 107 E. Configure a firewall to use Port Address Translation.
Firewall 113 QUESTION 113, 145
Firewall 113 Which two statements about stateless firewalls are true? (Choose two.)
Firewall 113 A. They compare the 5-tuple of each incoming packet against configura
Firewall 113 B. They cannot track connections.
Firewall 113 C. They are designed to work most efficiently with stateless protocols such as H
Firewall 113 D. Cisco IOS cannot implement them because the platform is stateful by nature.
Firewall 113 E. The Cisco ASA is implicitly stateless because it blocks all traffic by default.
Firewall 162 QUESTION 162
Firewall 162 Which statement about the communication between interfaces on the same sec
Firewall 162 A. All Traffic is allowed by default between interfaces on the same security level
Firewall 162 B. Interface on the same security level require additional configuration
Firewall 162 communication.
Firewall 162 C. Configuring interface on the same security level can cause asymmetric routin
Firewall 162 D. You can configure only one interface on an individual security level.
Firewall 187 QUESTION 187
Firewall 187 A proxy firewall protects against which type of attacks?
Firewall 187 A. DDoS
Firewall 187 B. port scanning
Firewall 187 C. worm traffic
Firewall 187 D. cross-site scripting attacks
the effect on the company's business?

l firewall?
licious activity

posture requirements
ent that can be destroyed after a session

given cofiguration line?

nts in a similar way to a VPN

he Internet without allowing other Web

addresses

(Choose two.)
ket against configurable rules.

ess protocols such as HTTP or HTTPS.

m is stateful by nature.
all traffic by default.

erfaces on the same security level is true?

the same security level.
ditional configuration to permit inter-interface

ause asymmetric routing.

security level.
ZBF 12 QUESTION 12
ZBF 12 How many crypto map sets can you apply to a router interface?
ZBF 12 A. 3
ZBF 12 B. 2
ZBF 12 C. 4
ZBF 12 D. 1
ZBF 32 QUESTION 32
ZBF 32 Which security zone is automatically defined by the system?
ZBF 32 A. The source zone
ZBF 32 B. The self zone
ZBF 32 C. The destination zone
ZBF 32 D. The inside zone
ZBF 36 QUESTION 36
ZBF 36 Which statements about smart tunnels on a Cisco firewall are true? (Choose two
ZBF 36 A. Smart tunnels can be used by clients that do not have administrator privilege
ZBF 36 B. Smart tunnels support all operating systems
ZBF 36 C. Smart tunnels offer better performance than port forwarding
ZBF 36 D. Smart tunnels require the client to have the application installed locally
ZBF 53 QUESTION 53, 137
ZBF 53 What is the only permitted operation for processing multicast traffic on zone-ba
ZBF 53 A. Stateful inspection of multicast traffic is supported only for the self zone
ZBF 53 B. Stateful inspection for multicast traffic is supported only between the self-zon
ZBF 53 zone
ZBF 53 C. Only control plane policing can protect the control plane against mu
ZBF 53 D. Stateful inspection of multicast traffic is supported only for the internal zone.
ZBF 72 QUESTION 72
ZBF 72 How does a zone-based firewall implementation handle traffic between Interface
ZBF 72 Zone?
ZBF 72 A. traffic between interfaces in the same zone is blocked unless yoc configure th
ZBF 72 permit command
ZBF 72 B. Traffic between interfaces in the same zone is always blocked
ZBF 72 C. Traffic between two interfaces in the same zone is allowed by defaul
ZBF 72 D. Traffic between interfaces in the same zone is blocked unless you apply a ser
ZBF 72 zone pair
ZBF 179 QUESTION 179
ZBF 179 Which firewall configuration must you perform to allow traffic to flow in both dire
ZBF 179 two zones?
ZBF 179 A. You can configure a single zone pair that allows bidirectional traffic flows from
ZBF 179 except the self-zone
ZBF 179 B. You must configure two zone pair, one for each direction
ZBF 179 C. You can configure a single zone pair that allows bidirectional traffic flows for a
ZBF 179 D. You can configure a single zone pair that allows bidirectional traffic flows only
ZBF 179 is the less secure zone.
ll are true? (Choose two.)
administrator privileges

on installed locally

icast traffic on zone-based firewalls?

y for the self zone
nly between the self-zone and the internal

rol plane against multicast traffic.

ly for the internal zone.

raffic between Interfaces in the same

unless yoc configure the same-security

is allowed by default
unless you apply a service policy to the

raffic to flow in both directions between

ctional traffic flows from for any zone

direction
ctional traffic flows for any zone
ctional traffic flows only if the source zone
ASA 1 QUESTION 1
ASA 1 Which statement about communication over failover interfaces is true?
ASA 1 A. All information that is sent over the failover interface is sent as clear text, bu
ASA 1 link is encrypted by default.
ASA 1 B. All information that is sent over the failover and stateful failover interfaces is
ASA 1 C. All information that is sent over the failover and stateful failover interfaces is
ASA 1 D. Usernames, password and preshared keys are encrypted by default when the
ASA 1 failover and stateful failover interfaces, but other information is sent as clear te
ASA 1 Ref: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guid
ASA 7 QUESTION 7, 133
ASA 7 If a packet matches more than one class map in an individual feature type's pol
ASA 7 does the ASA handle the packet?
ASA 7 A. The ASA will apply the actions from only the most specific matching class ma
ASA 7 feature type
ASA 7 B. The ASA will apply the actions from all matching class maps it finds for the fe
ASA 7 C. The ASA will apply the actions from only the last matching class map it finds
ASA 7 D. The ASA will apply the actions from only the first matching class map it finds
ASA 29 QUESTION 29
ASA 29 Which two statements about Telnet access to the ASA are true? (Choose two).
ASA 29 A. You may VPN to the lowest security interface to telnet to an inside interface.
ASA 29 B. You must configure an AAA server to enable Telnet.
ASA 29 C. You can access all interfaces on an ASA using Telnet.
ASA 29 D. You must use the command virtual telnet to enable Telnet.
ASA 29 E. Best practice is to disable Telnet and use SSH.
ASA 31 QUESTION 31
ASA 31 A clientless SSL VPN user who is connecting on a Windows Vista computer is mis
ASA 31 option for Remote Desktop Protocol on the portal web page.
ASA 31 Which action should you take to begin troubleshooting?
ASA 31 A. Ensure that the RDP2 plug-in is installed on the VPN gateway
ASA 31 B. Reboot the VPN gateway
ASA 31 C. Instruct the user to reconnect to the VPN gateway
ASA 31 D. Ensure that the RDP plug-in is installed on the VPN gateway
ASA 59 QUESTION 59
ASA 59 how does the Cisco ASA use Active Directory to authorize VPN users?
ASA 59 A. It queries the Active Directory server for a Specfic attribute for the specific us
ASA 59 B. It sends the username and password to retire an ACCEPT or Reject message f
ASA 59 Directory server
ASA 59 C. It downloads and stores the Active Directory databas to query for future auth
ASA 59 D. It redirects requests to the Active Directory server defined for the VPN group
ASA 61 QUESTION 61
ASA 61 For what reason would you configure multiple security contexts on the ASA firew
ASA 61 A. To enable the use of VFRs on routers that are adjacently connected
ASA 61 B. To provide redundancy and high availability within the organization
ASA 61 C. To enable the use of multicast routing and QoS through the firewall
ASA 61 D. To seperate different departments and business units
ASA 85 QUESTION 85
ASA 85 Which tasks is the session management path responsible for? (Choose three.)
ASA 85 A. Verifying IP checksums
ASA 85 B. Performing route lookup
ASA 85 C. Performing session lookup
ASA 85 D. Allocating NAT translations
ASA 85 E. Checking TCP sequence numbers
ASA 85 F. Checking packets against the access list
ASA 91 QUESTION 91
ASA 91 Which type of address translation should be used when a Cisco ASA is in transpa
ASA 91 A. Static NAT
ASA 91 B. Dynamic NAT
ASA 91 C. Overload
ASA 91 D. Dynamic PAT
ASA 94 QUESTION 94
ASA 94 Which RADIUS server authentication protocols are supported on Cisco ASA firew
ASA 94 three.)
ASA 94 A. EAP
ASA 94 B. ASCII
ASA 94 C. PAP
ASA 94 D. PEAP
ASA 94 E. MS-CHAPv1
ASA 94 F. MS-CHAPv2
ASA 115 QUESTION 115
ASA 115 Which command will configure a Cisco ASA firewall to authenticate users when t
ASA 115 enable syntax using the local database with no fallback method?
ASA 115 A. aaa authentication enable console LOCAL SERVER_GROUP
ASA 115 B. aaa authentication enable console SERVER_GROUP LOCAL
ASA 115 C. aaa authentication enable console local
ASA 115 D. aaa authentication enable console LOCAL
ASA 154 QUESTION 154
ASA 154 What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
ASA 154 A. Unicast IPv6 traffic from a higher security interface to a lower security interfa
ASA 154 transparent mode only
ASA 154 B. Only BPDUs from a higher security interface to a lower security interface are
ASA 154 mode.
ASA 154 C. ARPs in both directions are permitted in transparent mode only
ASA 154 D. Unicast IPv4 traffic from a higher security interface to a lower security interfa
ASA 154 routed mode only
ASA 154 E. Only BPDUs from a higher security interface to a lower security interface are
ASA 154 transparent mode.
ASA 185 QUESTION 185
ASA 185 In which three cases does the ASA firewall permit inbound HTTP GET requests d
ASA 185 operations? (Choose three)
ASA 185 A. When matching ACL entries are configured
ASA 185 B. when matching NAT entries are configured
ASA 185 C. When the firewall requires strict HTTP inspection
ASA 185 D. When the firewall requires HTTP inspection
ASA 185 E. When the firewall receives a SYN-ACK packet
ASA 185 When the firewall receives a SYN packet
ASA 188 QUESTION 188
ASA 188 Which two statements regarding the ASA VPN configurations are correct? (Choo
ASA 188 A. The ASA has a certificate issued by an external Certificate Authority associate
ASA 188 ASDM_TrustPoint1.
ASA 188 B. The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS se
ASA 188 C. The Inside-SRV bookmark references thehttps://192.168.1.2URL
ASA 188 D. Only Clientless SSL VPN access is allowed with the Sales group policy
ASA 188 E. AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outsi
ASA 188 F. The Inside-SRV bookmark has not been applied to the Sales group policy
erfaces is true?
s sent as clear text, but the stateful failover

ul failover interfaces is encrypted by default

ul failover interfaces is sent as clear text by default
ted by default when they are sent over the
ation is sent as clear text
sa72/configuration/guide/conf_gd/failover.html

idual feature type's policy map, how

cific matching class map it finds for the

maps it finds for the feature type

hing class map it finds for the feature type.
ching class map it finds for the feature type.

e true? (Choose two).

to an inside interface.

ws Vista computer is missing the menu

e VPN users?
ibute for the specific user
EPT or Reject message from the Active

o query for future authorization

fined for the VPN group

ontexts on the ASA firewall?

ly connected
organization
h the firewall
e for? (Choose three.)

a Cisco ASA is in transparent mode?

rted on Cisco ASA firewalls? (Choose

thenticate users when they enter the

rsing the ASA firewall?

a lower security interface is permitted in

r security interface are permitted in routed

a lower security interface is permitted in

r security interface are permitted in

d HTTP GET requests during normal

ions are correct? (Choose two)
cate Authority associated to the

the AAA with RADIUS server method.

68.1.2URL
es group policy
is enabled on the outside interface
Sales group policy
IPS 14 QUESTION 14
IPS 14 Which sensor mode can deny attackers inline?
IPS 14 A. IPS
IPS 14 B. fail-close
IPS 14 C. IDS
IPS 14 D. fail-open
IPS 15 QUESTION 15
IPS 15 Which options are filtering options used to display SDEE message types?
IPS 15 A. stop
IPS 15 B. none
IPS 15 C. error
IPS 15 D. all
IPS 19 QUESTION 19
IPS 19 Which actions can a promiscuous IPS take to mitigate an attack?
IPS 19 A. modifying packets
IPS 19 B. requesting connection blocking
IPS 19 C. denying packets
IPS 19 D. resetting the TCP connection
IPS 19 E. requesting host blocking
IPS 19 F. denying frames
IPS 42 QUESTION 42
IPS 42 What is the purpose of a honeypot IPS?
IPS 42 A. To create customized policies
IPS 42 B. To detect unknown attacks
IPS 42 C. To normalize streams
IPS 42 D. To collect information about attacks
IPS 51 QUESTION 51
IPS 51 When an IPS detects an attack, which action can the IPS take to prevent the atta
IPS 51 spreading?
IPS 51 A. Perform a Layer 6 reset
IPS 51 B. Deploy an antimalware system
IPS 51 C. Enable bypass mode
IPS 51 D. Deny the connection inline
IPS 68 QUESTION 68, 82, 131
IPS 68 Which three statements about host-based IPS are true? (Choose three)
IPS 68 A. It can view encrypted files
IPS 68 B. It can be deployed at the perimeter
IPS 68 C. It uses signature-based policies
IPS 68 D. It can have more restrictive policies than network-based IPS
IPS 68 E. It works with deployed firewalls
IPS 68 F. It can generate alerts based on behavior at the desktop level.
IPS 75 QUESTION 75, 114
IPS 75 What three actions are limitations when running IPS in promiscous mode? (Choo
IPS 75 A. deny attacker
IPS 75 B. request block connection
IPS 75 C. deny packet
IPS 75 D. modify packet
IPS 75 E. request block host
IPS 75 F. reset TCP connection
IPS 81 QUESTION 81
IPS 81 What is an advantage of placing an IPS on the inside of a network?
IPS 81 A. It can provide higher throughput.
IPS 81 B. It receives traffic that has already been filtered.
IPS 81 C. It receives every inbound packet.
IPS 81 D. It can provide greater security.
IPS 88 QUESTION 88
IPS 88 Which option is the most effective placement of an IPS device within the infrastr
IPS 88 A. Inline, behind the internet router and firewall
IPS 88 B. Inline, before the internet router and firewall
IPS 88 C. Promiscuously, after the Internet router and before the firewall
IPS 88 D. Promiscuously, before the Internet router and the firewall
IPS 90 QUESTION 90
IPS 90 Which alert protocol is used with Cisco IPS Manager Express to support up to 10
IPS 90 A. SDEE
IPS 90 B. Syslog
IPS 90 C. SNMP
IPS 90 D. CSM
IPS 118 QUESTION 118
IPS 118 Which type of IPS can identify worms that are propagating in a network?
IPS 118 A. Policy-based IPS
IPS 118 B. Anomaly-based IPS
IPS 118 C. Reputation-based IPS
IPS 118 D. Signature-based IPS
IPS 132 QUESTION 132
IPS 132 What are two users of SIEM software? (Choose two)
IPS 132 A. performing automatic network audits
IPS 132 B. configuring firewall and IDS devices
IPS 132 C. alerting administrators to security events in real time
IPS 132 D. scanning emails for suspicious attachments
IPS 132 E. collecting and archiving syslog data
IPS 144 QUESTION 144
IPS 144 How can you detect a false negative on an IPS?
IPS 144 A. View the alert on the IPS
IPS 144 B. Use a third-party to audit the next-generation firewall rules
IPS 144 C. Review the IPS console
IPS 144 D. Review the IPS log
IPS 144 E. Use a third-party system to perform penetration testing
IPS 158 QUESTION 158
IPS 158 Which IPS mode provides the maximum number of actions?
IPS 158 A. Inline
IPS 158 B. bypass
IPS 158 C. span
IPS 158 D. failover
IPS 158 E. promiscuous
IPS 160 QUESTION 160
IPS 160 Which technology can be used to rate data fidelity and to provide an authentica
IPS 160 A. Network blocking
IPS 160 B. signature updates
IPS 160 C. file analysis
IPS 160 D. file reputation
IPS 183 QUESTION 183
IPS 183 What is the primary purposed of a defined rule in an IPS?
IPS 183 A. to detect internal attacks
IPS 183 B. to define a set of actions that occur when a specific user logs in to the system
IPS 183 C. to configure an event action that is pre-defined by the system admin
IPS 183 D. to configure an event action that takes place when a signature is triggered.
message types?

take to prevent the attack from

Choose three)

desktop level.

romiscous mode? (Choose three)

a network?

evice within the infrastructure?

ess to support up to 10 sensors?

g in a network?

n testing
o provide an authenticated hash for data?

ser logs in to the system

by the system administrator
signature is triggered.
IOS ZBF 5 QUESTION 5
IOS ZBF 5 Which SOURCEFIRE logging action should you choose to record the most detail a
IOS ZBF 5 connection.
IOS ZBF 5 A. Enable logging at the beginning of the session
IOS ZBF 5 B. Enable logging at the end of the session
IOS ZBF 5 C. Enable alerts via SNMP to log events off-box
IOS ZBF 5 D. Enable eStreamer to log events off-box
IOS ZBF 8 QUESTION 8, 163
IOS ZBF 8 You have implemented a Sourcefire IPS and configured it to block certain addres
IOS ZBF 8 Security Intelligence IP address Reputation. A user calls and is not able to acces
IOS ZBF 8 address. What action can you take to allow the user access to the IP address?
IOS ZBF 8 A. Create a custom blacklist to allow traffic
IOS ZBF 8 B. Create a whitelist and add the appropriate IP address to allow traffic.
IOS ZBF 8 C. Create a user based access control rule to allo the traffic.
IOS ZBF 8 D. Create a network based access control rule to allow the traffic.
IOS ZBF 8 E. Create a rule to bypass inspection to allow the traffic
IOS ZBF 49 QUESTION 49, 136
IOS ZBF 49 Which FirePOWER preprocessor engine is used to prevent SYN attacks?
IOS ZBF 49 A. Rate-Based Prevention
IOS ZBF 49 B. Portscan Detection
IOS ZBF 49 C. IP Defragmentation
IOS ZBF 49 D. Inline Normalization
IOS ZBF 102 QUESTION 102
IOS ZBF 102 What is the FirePOWER impact flag used for?
IOS ZBF 102 A. A value that indicates the potential severity of an attack.
IOS ZBF 102 B. A value that the administrator assigns to each signature.
IOS ZBF 102 C. A value that sets the priority of a signature.
IOS ZBF 102 D. A value that measures the application awareness.
IOS ZBF 106 QUESTION 106
IOS ZBF 106 What can the SMTP preprocessor in a FirePOWER normalize?
IOS ZBF 106 A. It can extract and decode email attachments in client to server traffi
IOS ZBF 106 B. It can look up the email sender
IOS ZBF 106 C. it compares known threats to the email sender
IOS ZBF 106 D. It can forward the SMTP traffic to an email filter server
IOS ZBF 106 E. It uses the Traffic Anomaly Detector
IOS ZBF 140 QUESTION 140
IOS ZBF 140 Which Sourfire secure action should you choose if you want to block only malicio
IOS ZBF 140 particular end-user?
IOS ZBF 140 A. Trust
IOS ZBF 140 B. Block
IOS ZBF 140 C. Allow without inspection
IOS ZBF 140 D. Monitor
IOS ZBF 140 E. Allow with inspection
IOS ZBF 186 QUESTION 186
IOS ZBF 186 How can firepower block malicious email attachments?
IOS ZBF 186 A) It forwards email requests to an external signature engine
IOS ZBF 186 B) It sends the traffic through a file policy
IOS ZBF 186 C) It scans inbound email messages for known bad URLs
IOS ZBF 186 D) It sends an alert to the administrator to verify suspicious email messages
record the most detail about a

to block certain addresses utilizing

and is not able to access a certain IP
ess to the IP address?

to allow traffic.

t SYN attacks?

an attack.

client to server traffic

ant to block only malicious traffic from a

ous email messages
ACL 3 QUESTION 3
ACL 3 According to Cisco best practices, which three protocols should the default ACL
ACL 3 port to enable wired BYOD devices to supply valid credentials and connect to th
ACL 3 (Choose three)
ACL 3 A. BOOTP
ACL 3 B. TFTP
ACL 3 C. DNS
ACL 3 D. MAB
ACL 3 E. HTTP
ACL 3 F. 802.1x
ACL 18 QUESTION 18
ACL 18 Which statements about reflexive access lists are true?
ACL 18 A. Reflexive access lists create a permanent ACE
ACL 18 B. Reflexive access lists approximate session filtering using the established keyw
ACL 18 C. Reflexive access lists can be attached to standard named IP ACLs
ACL 18 D. Reflexive access lists support UDP sessions
ACL 18 E. Reflexive access lists can be attached to extended named IP ACLs
ACL 18 F. Reflexive access lists support TCP sessions
ACL 37 QUESTION 37
ACL 37 Which option describes information that must be considered when you apply an
ACL 37 physical interface?
ACL 37 A. Protocol used for filtering
ACL 37 B. Direction of the access class
ACL 37 C. Direction of the access group
ACL 37 D. Direction of the access list
ACL 97 QUESTION 97
ACL 97 Which statement about extended access lists is true?
ACL 97 A. Extended access lists perform filtering that is based on source and destinatio
ACL 97 effective when applied to the destination
ACL 97 B. Extended access lists perform filtering that is based on source and d
ACL 97 effective when applied to the source
ACL 97 C. Extended access lists perform filtering that is based on destination and are m
ACL 97 applied to the source
ACL 97 D. Extended access lists perform filtering that is based on source and are most e
ACL 97 applied to the destination
ACL 17 QUESTION 17
ACL 17 Which wildcard mask is associated with a subnet mask of /27?
ACL 17 A. 0.0.0.31
ACL 17 B. 0.0.0.27
ACL 17 C. 0.0.0.224
ACL 17 D. 0.0.0.255
ACL 127 QUESTION 127
ACL 127 Which of the following statements about access lists are true? (Choose three.)
ACL 127 A. Extended access lists should be placed as near as possible to the destination
ACL 127 B. Extended access lists should be placed as near as possible to the so
ACL 127 C. Standard access lists should be placed as near as possible to the de
ACL 127 D. Standard access lists should be placed as near as possible to the source
ACL 127 E. Standard access lists filter on the source address
ACL 127 F. Standard access lists filter on the destination address
should the default ACL allow an access
ntials and connect to the network?

ng the established keyword

med IP ACLs

med IP ACLs

ered when you apply an access list to a

n source and destination and are most

ased on source and destination and are most

n destination and are most effective when

n source and are most effective when

true? (Choose three.)

sible to the destination
as possible to the source
as possible to the destination
sible to the source
WebMail 60 QUESTION 60, 174
WebMail 60 Which statement about application blocking is true?
WebMail 60 A. It blocks access to files with specific extensions
WebMail 60 B. It blocks access to specific network addresses
WebMail 60 C. It blocks access to specific programs
WebMail 60 D. It blocks access to specific network services.
WebMail 69 QUESTION 69, 101
WebMail 69 What type of security support is provided by the Open Web Application Security
WebMail 69 A. Education about common Web site vulnerabilities
WebMail 69 B. A wb site security framework
WebMail 69 C. A security discussion forum for Web site developers
WebMail 69 D. Scoring of common vulnerabilities and exposures
WebMail 79 QUESTION 79
WebMail 79 A specific URL has been identified as containing malware. What action can you t
WebMail 79 users from accidentaly visiting the URL and becoming infected with malware?
WebMail 79 A. Enable URL filtering on the perimeter firewall and add the URLs you want to a
WebMail 79 local URL list
WebMail 79 B. Enable URL filtering on the perimeter router and add the URLs you want to al
WebMail 79 local URL list
WebMail 79 C. Create a blacklist that contains the URL you want to block and activate the bl
WebMail 79 perimeter router.
WebMail 79 D. Enable URL filtering on the perimeter router and add the URLs you want to bl
WebMail 79 local URL list
WebMail 79 E. Create a whitelist that contains the URls you want to allow and activ
WebMail 79 perimeter router.
WebMail 103 QUESTION 103
WebMail 103 Which two services define cloud networks? (Choose two.)
WebMail 103 A. Infrastructure as a Service
WebMail 103 B. Platform as a Service
WebMail 103 C. Compute as a Service
WebMail 103 D. Security as a Service
WebMail 103 E. Tenancy as a Service
WebMail 120 QUESTION 120
WebMail 120 Which Cisco product can help mitigate web-based attacks within a network?
WebMail 120 A. Adaptive Security Appliance
WebMail 120 B. Web Security Appliance
WebMail 120 C. Email Security Appliance
WebMail 120 D. Identity Services Engine
WebMail 139 QUESTION 139
WebMail 139 Which feature of the Cisco Email Security Appliance can mitigate the impact of s
WebMail 139 and sophisticated phishing attack?
WebMail 139 A. holistic understanding of threats
WebMail 139 B. graymail management and filtering
WebMail 139 C. signature-based IPS
WebMail 139 D. contextual analysis
WebMail 155 QUESTION 155
WebMail 155 You have been tasked with blocking user access to website that violate compan
WebMail 155 site use dynamic IP Addresses. What is the best practice URL filtering to solve th
WebMail 155 A. Enable URL filtering and create a blacklist to block the websites that violate c
WebMail 155 B. Enable URL filtering and create a whitelist to allow only the websites the com
WebMail 155 users to access.
WebMail 155 C. Enable URL filtering and use URL categorization to allow only the websites th
WebMail 155 allow users to access
WebMail 155 D. Enable URL filtering and create a whitelist to block the websites that violate c
WebMail 155 E. Enable URL filtering and use URL categorization to block the websites that vio
WebMail 155 policy.
WebMail 170 QUESTION 170
WebMail 170 What is the benefit of web application firewall?
WebMail 170 A. It accelerate web traffic
WebMail 170 B. It blocks know vulnerabilities without patching applications
WebMail 170 C. It supports all networking protocols.
WebMail 170 D. It simplifies troubleshooting
eb Application Security Project?

e. What action can you take to block

fected with malware?
the URLs you want to allow to the routers

he URLs you want to allow to the firewalls

lock and activate the blacklist on the

he URLs you want to block to the routers

ant to allow and activate the whitelist on the

s within a network?

mitigate the impact of snowshoe spam

te that violate company policy, but the
URL filtering to solve the problem?
websites that violate company policy.
y the websites the company policy allow

ow only the websites the company policy

e websites that violate company policy.

ck the websites that violate company
NTP 70 QUESTION 70
NTP 70 Refer to the exhibit. Which statement about the device time is true?
NTP 70
NTP 70
NTP 70
NTP 70
NTP 70
NTP 70 A. The time is authoritative because the clock is in sync
NTP 70 B. The time is authoritative, but the NTP process has lost contact with its server
NTP 70 C. The clock is out of sync
NTP 70 D. NTP is configured incorrectly
NTP 70 E. The time is not authoritative
NTP 86 QUESTION 86
NTP 86 Which network device does NTP authenticate?
NTP 86 A. Only the time source
NTP 86 B. Only the client device
NTP 86 C. The firewall and the client device
NTP 86 D. The client device and the time source
NTP 177 QUESTION 177
NTP 177 Refer to the exhibit. With which NTP server has the router synchronized?
NTP 177 209.114.111.1 Configure, ipv4, same, valid, stratum 2 ref ID 132.163.4.103, tim
NTP 177 D7AD124D.9D6FC576 (03:17:33.614 UTC Sun Aug 31 2014) our mode client, pe
NTP 177 our poll intvl 64, peer poll intvl 64 root delay 46.34 msec, root disp 23.52, reach
NTP 177 268.59 delay 63.27 msec, offset 7.9817 msec, dispersion 187.56, jitter 2.07 mse
NTP 177 2**23, version 4
NTP 177 204.2.134.164 Configure, ipv4, same, valid, stratum 2 ref ID 241.199.164.101, t
NTP 177 D7AD1D149.9EB5272B (03:25:13.619 UTC Sun Aug 31 2014) our mode client, p
NTP 177 server, our poll intvl 64, peer poll intvl 256 root delay 30.83 msec, root disp 4.88
NTP 177 dist 223.80 delay 28.69 msec, offset 6.4331 msec, dispersion 187.56, jitter 1.39
NTP 177 2**23, version 4
NTP 177 192.168.10.7 Configure, ipv4, our_master, sane, valid, stratum 3 ref ID 108.61.7
NTP 177 D7AD0D8F.AE79A23A (02:57:19.681 UTC Sun Aug 31 2014) our mode client, pe
NTP 177 our poll intvl 64, peer poll intvl 64 root delay 86.45 msec, root disp 87.82, reach
NTP 177 134.25 delay 0.89 msec, offset 19.5087 msec, dispersion 1.69, jitter 0.84 msec
NTP 177 version 4
NTP 177 A. 192.168.10.7
NTP 177 B. 108.61.73.243
NTP 177 C. 209.114.111.1
NTP 177 D. 204.2.134.164
NTP 177 E. 132.163.4.103
NTP 177 F. 241.199.164.101
 me is true?

contact with its servers

r synchronized?
f ID 132.163.4.103, time
14) our mode client, peer mode server,
, root disp 23.52, reach 1, sync dist
n 187.56, jitter 2.07 msec precision

f ID 241.199.164.101, time
014) our mode client, peer mode
.83 msec, root disp 4.88, reach 1, sync
rsion 187.56, jitter 1.39 msec precision

ratum 3 ref ID 108.61.73.243, time

14) our mode client, peer mode server,
, root disp 87.82, reach 377, sync dist
n 1.69, jitter 0.84 msec precision 2**23,
Lab 23 QUESTION 23
Lab 23 Scenario
Lab 23 In this simulation, you have access to ASDM only. Review the various ASA config
Lab 23 ASDM then answer the five multiple choice questions about the ASA SSLVPN con
Lab 23 To access ASDM, click the ASA icon in the topology diagram.
Lab 23 Note: Not all ASDM functionalities are enabled in this simulation.
Lab 23 To see all the menu options available on the left navigation pane, you may also
Lab 23 the expanded menu first.
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23 Which user authentication method is used when users login to the Clientless SS
Lab 23 using https://209.165.201.2/test?
Lab 23 A. Both Certificate and AAA with LOCAL database
Lab 23 B. AAA with RADIUS server
Lab 23 C. Both Certificate and AAA with RADIUS server
Lab 23 D. AAA with LOCAL database
Lab 23 E. Certificate
Lab 24 QUESTION 24
Lab 24 Scenario
Lab 24 In this simulation, you have access to ASDM only. Review the various ASA config
Lab 24 ASDM then answer the five multiple choice questions about the ASA SSLVPN con
Lab 24 To access ASDM, click the ASA icon in the topology diagram.
Lab 24 Note: Not all ASDM functionalities are enabled in this simulation.
Lab 24 To see all the menu options available on the left navigation pane, you may also
Lab 24 the expanded menu first.
Lab 24 When users login to the Clientless SSL VPN using https://209.165.201.2/test, wh
Lab 24 will be applied?
Lab 24 A. test
Lab 24 B. Sales
Lab 24 C. DefaultRAGroup
Lab 24 D. DefaultWEBVPNGroup
Lab 24 E. clientless
Lab 24 F. DFTGrpPolicy
Lab 25 QUESTION 25
Lab 25 Scenario
Lab 25 In this simulation, you have access to ASDM only. Review the various ASA config
Lab 25 ASDM then answer the five multiple choice questions about the ASA SSLVPN con
Lab 25 To access ASDM, click the ASA icon in the topology diagram.
Lab 25 Note: Not all ASDM functionalities are enabled in this simulation.
Lab 25 To see all the menu options available on the left navigation pane, you may also
Lab 25 the expanded menu first.
Lab 25 Which two statements regarding the ASA VPN configurations are correct? (Choo
Lab 25 A. The Inside-SRV bookmark has not been applied to the Sales group policy
Lab 25 B. The ASA has a certificate issued by an external Certificate Authority associate
Lab 25 ASDM_Trustpoint1
Lab 25 C. The Inside-SRV bookmark references the https://192.168.1.2 URL
Lab 25 D. Any Connect, IPSec IKEv1 and IPSec IKEv2 VPN access is enabled on the outs
Lab 25 E. Only Clientless SSL VPN VPN access is allowed with the Sales group Policy
Lab 25 F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius ser
Lab 26 QUESTION 26
Lab 26 Scenario
Lab 26 In this simulation, you have access to ASDM only. Review the various ASA config
Lab 26 ASDM then answer the five multiple choice questions about the ASA SSLVPN con
Lab 26 To access ASDM, click the ASA icon in the topology diagram.
Lab 26 Note: Not all ASDM functionalities are enabled in this simulation.
Lab 26 To see all the menu options available on the left navigation pane, you may also
Lab 26 the expanded menu first.
Lab 26 Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (ch
Lab 26 A. IPsec IKEv1
Lab 26 B. IPsec IKEv2
Lab 26 C. L2TP/IPsec
Lab 26 D. Clientless SSL VPN
Lab 26 E. SSL VPN Client
Lab 26 F. PPTP
Lab 27 QUESTION 27
Lab 27 Scenario
Lab 27 Given the new additional connectivity requirements and the topology diagram,
Lab 27 accomplish the required ASA configurations to meet the requirements.
Lab 27 New additional connectivity requirements:
Lab 27 - Currently, the ASA configurations only allow on the Inside and DMZ
Lab 27 networks to access any hosts on the Outside. Your task is to use ASDM
Lab 27 to configure the ASA to also allow any host only on the Outside to HTTP
Lab 27 to the DMZ server. The hosts on the Outside will need to use the
Lab 27 209.165.201.30 public IP address when HTTPing to the DMZ server.
Lab 27 - Currently, hosts on the ASA higher security level interfaces are not
Lab 27 able to ping any hosts on the lower security level interfaces. Your
Lab 27 task in this simulation is to use ASDM to enable the ASA to dynamically
Lab 27 allow the echo-reply responses back through the ASA.
Lab 27 Once the correct ASA configurations have been configured:
Lab 27 - You can test the connectivity tohttp://209.165.201,30from the Outside
Lab 27 PC browser.
Lab 27 - You can test the pings to the Outside (www.cisco.com) by opening the
Lab 27 inside PC command prompt window. In this simulation, only testing
Lab 27 pings to www.cisco.com will work.
Lab 27 To access ASDM, click the ASA icon in the topology diagram.
Lab 27 To access the Firefox Browser on the Outside PC, click the Outside PC icon in the
Lab 27 diagram.
Lab 27 To access the Command prompt on the Inside PC, click the Inside PC icon in the
Lab 27 diagram.
Lab 27 Note:
Lab 27 After you make the configuration changes in ASDM, remember to click Apply to
Lab 27 configuration changes.
Lab 27 Not all ASDM screens are enabled in this simulation, if some screen is not enabl
Lab 27 different methods to configure the ASA to meet the requirements.
Lab 27 In this simulation, some of the ASDM screens may not look and function exactly
Lab 27 ASDM.
Lab 27 Answer:
Lab 27 Step1: Firewall, Configuration, NAT Rules, Name=http, IP version=IPv4, IP
Lab 27 address=209.165.201.30, Static NAT=172.16.1.2
Lab 27 Step2: Firewall, Config, NAT Rules, Interface=Outside, Action=Permit, Source=a
Lab 27 Destination=209.165.201.30, Service= tcp/http
Lab 27 Step3: Firewall, Config, Service policy Rules, Click Global Policy and edit, Rule Ac
Lab 27 ICMP and apply
Lab 27 Step4: Ping www.cisco.com from Inside PC
 the various ASA configurations using
out the ASA SSLVPN configurations.

on pane, you may also need to unexpand

gin to the Clientless SSL VPN portal

the various ASA configurations using

out the ASA SSLVPN configurations.
on pane, you may also need to unexpand

209.165.201.2/test, which group policy

the various ASA configurations using

out the ASA SSLVPN configurations.

on pane, you may also need to unexpand

ions are correct? (Choose two)

Sales group policy
cate Authority associated to the

68.1.2 URL
is enabled on the outside interface
e Sales group Policy
he AAA with Radius server method

the various ASA configurations using

out the ASA SSLVPN configurations.

on pane, you may also need to unexpand

pPolicy group policy? (choose four)

the topology diagram, use ASDM to
requirements.

de and DMZ
s to use ASDM
utside to HTTP

MZ server.
aces are not

to dynamically

om the Outside

by opening the
nly testing

e Outside PC icon in the topology

he Inside PC icon in the topology

ember to click Apply to apply the

me screen is not enabled, try to use

irements.
ok and function exactly like the real

version=IPv4, IP

tion=Permit, Source=any,

Policy and edit, Rule Action tab, Click

OSPF 167 QUESTION 167
OSPF 167 If the router ospf 200 command, what does the value 200 stands for?
OSPF 167 A. Administrative distance value
OSPF 167 B. process ID
OSPF 167 C. area ID.
OSPF 167 D. ABR ID
0 stands for?
 25 25-E/F 25-E/F yes
94 94-C/E/F 94-C/E/F yes
142 142-A 142-A yes
143 143-A 143-A yes
152 152-(I do not have clear) 152- they provide 5 answ
160 160-D 160-D yes
168 168-C 168-C and D (on the test
169 169-A 169-A yes
177 177-A 177-A yes
182 182-Root Guard (missing in responses) 182-STP Root Guard in
185 185-A/B/D 185-A/B in the exam diffe
4-C/E/F yes

52- they provide 5 answers you have chosse two answers HMAC authentication AES encryption not encrypto

68-C and D (on the test, its two choices and E.polymorphic Virus is an option on the test)

82-STP Root Guard in the exam this updated

85-A/B in the exam different choices
 1-OK
2-ok same as q. 146
3-OK
4-ok c on FLASH CARDS?
encryption not encrypto 5-OK
6-OK
7-ok same as q. 133
8-ok same as q. 163
9-ok
10-ok
11-ok
12-ok
13-ok
14-ok
15-ok
16-ok
17-ok
18-ok
19-ok
20-ok
21-ok
22-ok

23-ok Via Configuration > Remote Access VPN > Clientless SSL VPN Access >
Via Configuration > Remote Access VPN > AAA/Local Users > AAA Server Grou
24-ok Via Configuration > Remote Access VPN > Clientless SSL VPN Access >
25- EF secondo 9tut Via Via Configuration > Remote Access VPN > Clientless
25-ok Via Configuration > Remote Access VPN > Certificate Management > Id
26-ok Via Configuration > Remote Access VPN > Clientless SSL VPN Access >
27 SIM

28-ok
29-ok
30-ok
31-9Tut ans D RDP 1 o 2?
32-ok
33-ok
34-ok
35-ok
36-9tut ans AC\AD Smart Tunnels
37-ok
38-ok
39-ok
40-ok
41-ok
42-ok
43-ok
44-ok
45-ok
46-ok same as q. 153
47-ok
48-ok
49-ok same as q. 136
50-ok
51-ok
52-ok
53-ok same as q. 137
54-ok
55-ok
56-ok
57-ok
58-ok
59-ok
60-ok same as q. 174
61-ok
62-ok
63-ok
64-ok
65-ok
66-ok
67-ok
68-ok same as q. 82
69-ok
70-ok
71-ok
72-ok
73-ok
74-ok
75-ok
76-ok
77-ok
78-ok
79-ok maybe E????? confirmed in Quizlet
80-ok
81-ok
82-ok same as q. 68
83-ok
84-ok
85-ok
86-ok
87-ok
88-ok
89-AB or AC or AD
90-ok
91-ok
92-ok
93-ok
94-ACF, CEF
95-ok
96-ok
97-ok
98-ok
99-ok
100-ok
101-ok
102-ok
103-ok
104-ok
105-ok
106-ok or C on 9 tut
107-ok
108-ok same as q. 164
109-ok same as q. 159
110 C o B same as q. 135 qualcuno dice ok (mOLTE CONFERME SU B)
111-root guard BPDU Guard same as q. 182
112-ok
113-ok same as q. 145
114-ok
115-ok
116-ok
117-ok
118-ok
119-ok
120-ok
121-ok
122-ok
123-ok
124-ok Dynamic Port Security, CAM
125-ok
126-ok
127-ok
128-ok
129-ok
130-ok
131-ok
132-ok
133-ok same as q. 7
134-ok
135-C o B same as q. 110 (lots telling B)
136-ok same as q. 49
137-ok same as q. 53
138-ok
139-ok
140-ok
141-ok
142-A more likely
143-D (5x) ore A (3x)
144-ok
145-ok same as q. 113
146-ok same as q. 2
147-ok 3x
148-ok
149-ok
150-ok
151-ok
152-B secondo 9tut (molti) 152- they provide 5 answers you have chosse two an
153-ok same as q. 46
154-ok
155-ok
156-ok
157-ok
158-ok
159-ok same as q. 109
160-ok maybe D (2x)
161-ok
162-ok
163-ok same as q. 8
164-ok same as q. 108
165-ok
166-ok
167-ok
168-ok CD on the exam (test gives more options)
169-A test AAA (lot of people)
170-B on 9tut
171-ok
172-ok
173-ok
174-ok same as q. 60
175-ok
176-ok
177-A
178-ok
179-ok
180-ok
181-ok
182-ok STP Root Guard
183-ok
184-ok
185-ABD
less SSL VPN Access > Connection Profiles
sers > AAA Server Groups
less SSL VPN Access > Connection Profiles > Edit
Access VPN > Clientless SSL VPN Access > Portal > Bookmarks
cate Management > Identity Certificates
less SSL VPN Access > Group Policies
FERME SU B)
you have chosse two answers HMAC authentication AES encryption not encrypto
Type Number
ASA 1
ASA 1
ASA 1
ASA 1
ASA 1

ASA 1

iii

IPSec 2
IPSec 2
IPSec 2
IPSec 2
IPSec 2
IPSec 2
IPSec 2
IPSec 2

iii

iii

ACL 3

ACL 3
ACL 3
ACL 3
ACL 3
ACL 3
ACL 3
ACL 3

iii
iii

VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4
VPN 4

IOS ZBF 5
IOS ZBF 5
IOS ZBF 5
IOS ZBF 5
IOS ZBF 5
IOS ZBF 5

iii

iii

iii

Encryption 6
Encryption 6
Encryption 6
Encryption 6
Encryption 6
Encryption 6

iii

iii

ASA 7
ASA 7
ASA 7
ASA 7
ASA 7
ASA 7
ASA 7

iii

IOS ZBF 8

IOS ZBF 8
IOS ZBF 8
IOS ZBF 8
IOS ZBF 8
IOS ZBF 8
IOS ZBF 8

iii

iii

Encryption 9
Encryption 9
Encryption 9
Encryption 9
Encryption 9
Encryption 9

SecMP 10
SecMP 10
SecMP 10
SecMP 10
SecMP 10
SecMP 10
SecMP 10

iii

iii

SecDP 11
SecDP 11
SecDP 11
SecDP 11
SecDP 11
SecDP 11
SecDP 11
SecDP 11

iii

iii

ZBF 12
ZBF 12
ZBF 12
ZBF 12
ZBF 12
ZBF 12

iii

SecL2 13
SecL2 13
SecL2 13
SecL2 13
SecL2 13
SecL2 13

IPS 14
IPS 14
IPS 14
IPS 14
IPS 14
IPS 14

iii

IPS 15
IPS 15
IPS 15
IPS 15
IPS 15
IPS 15

Firewall 16
Firewall 16
Firewall 16
Firewall 16
Firewall 16
Firewall 16

ACL 17
ACL 17
ACL 17
ACL 17
ACL 17
ACL 17

ACL 18
ACL 18
ACL 18
ACL 18
ACL 18
ACL 18
ACL 18
ACL 18

IPS 19
IPS 19
IPS 19
IPS 19
IPS 19
IPS 19
IPS 19
IPS 19

IOS ZBF
SecMP 20
SecMP 20
SecMP 20
SecMP 20
SecMP 20
SecMP 20

IPSec 21
IPSec 21
IPSec 21
IPSec 21
IPSec 21
IPSec 21

AAA 22
AAA 22
AAA 22
AAA 22
AAA 22
AAA 22
AAA 22
AAA 22

Lab 23
Lab 23

Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23
Lab 23

Lab 24
Lab 24

Lab 24
Lab 24
Lab 24
Lab 24
Lab 24
Lab 24
Lab 24
Lab 25
Lab 25

Lab 25
Lab 25
Lab 25
Lab 25
Lab 25
Lab 25
Lab 25
Lab 25

Lab 26
Lab 26

Lab 26
Lab 26
Lab 26
Lab 26
Lab 26
Lab 26
Lab 26

Lab 27
Lab 27
Lab 27
Lab 27
Lab 27
Lab 27
Lab 27

Base 28
Base 28
Base 28
Base 28
Base 28
Base 28

ASA 29
ASA 29
ASA 29
ASA 29
ASA 29
ASA 29
ASA 29

SecMP 30
SecMP 30
SecMP 30
SecMP 30
SecMP 30
SecMP 30

ASA 31

ASA 31
ASA 31
ASA 31
ASA 31
ASA 31

ZBF 32
ZBF 32
ZBF 32
ZBF 32
ZBF 32
ZBF 32

IOS ZBF
IPSec 33
IPSec 33
IPSec 33
IPSec 33
IPSec 33
IPSec 33

SecDP 34
SecDP 34
SecDP 34
SecDP 34
SecDP 34
SecDP 34

AAA 35
AAA 35
AAA 35
AAA 35
AAA 35
AAA 35
AAA 35
AAA 35

ZBF 36
ZBF 36
ZBF 36
ZBF 36
ZBF 36
ZBF 36
ACL 37
ACL 37
ACL 37
ACL 37
ACL 37
ACL 37

IPSec 38
IPSec 38
IPSec 38
IPSec 38
IPSec 38
IPSec 38

IPSec 39
IPSec 39
IPSec 39
IPSec 39
IPSec 39
IPSec 39
IPSec 39
IPSec 39

SecL2 40
SecL2 40
SecL2 40
SecL2 40
SecL2 40
SecL2 40
IPSec 41
IPSec 41
IPSec 41
IPSec 41
IPSec 41
IPSec 41

IPS 42
IPS 42
IPS 42
IPS 42
IPS 42
IPS 42

Firewall 43
Firewall 43
Firewall 43
Firewall 43
Firewall 43
Firewall 43

VPN 44
VPN 44
VPN 44
VPN 44
VPN 44
VPN 44
VPN 44
VPN 44
VPN 44
VPN 44

Base 45
Base 45
Base 45
Base 45
Base 45
Base 45

VPN 46
VPN 46
VPN 46
VPN 46
VPN 46
VPN 46

SecMP 47

SecMP 47
SecMP 47
SecMP 47
SecMP 47
SecMP 47
Firewall 48
Firewall 48
Firewall 48
Firewall 48
Firewall 48
Firewall 48
Firewall 48

IOS ZBF 49
IOS ZBF 49
IOS ZBF 49
IOS ZBF 49
IOS ZBF 49
IOS ZBF 49

VPN 50
VPN 50
VPN 50
VPN 50
VPN 50
VPN 50
IPS 51
IPS 51
IPS 51
IPS 51
IPS 51
IPS 51

AAA 52
AAA 52
AAA 52
AAA 52
AAA 52
AAA 52

IOS ZBF

ZBF 53
ZBF 53
ZBF 53
ZBF 53
ZBF 53
ZBF 53

ISE 54
ISE 54
ISE 54
ISE 54
ISE 54
ISE 54
Firewall 55
Firewall 55
Firewall 55
Firewall 55
Firewall 55
Firewall 55
Firewall 55
Firewall 55
Firewall 55
Firewall 55

SecMP 56
SecMP 56
SecMP 56
SecMP 56
SecMP 56
SecMP 56
SecMP 56
SecMP 56

IOS ZBF

IPSec 57
IPSec 57
IPSec 57
IPSec 57
IPSec 57
IPSec 57
IPSec 57
IPSec 57
IPSec 57
IPSec 57
IPSec 57

IOS ZBF

Base 58
Base 58
Base 58
Base 58
Base 58
Base 58
iii

iii

ASA 59
ASA 59
ASA 59
ASA 59
ASA 59
ASA 59

iii

WebMail 60
WebMail 60
WebMail 60
WebMail 60
WebMail 60
WebMail 60

iii
iii

ASA 61
ASA 61
ASA 61
ASA 61
ASA 61
ASA 61

iii

VPN 62
VPN 62
VPN 62
VPN 62
VPN 62
VPN 62
iii

Base 63
Base 63
Base 63
Base 63
Base 63
Base 63

IPSec 64
IPSec 64
IPSec 64
IPSec 64
IPSec 64
IPSec 64
IPSec 64
IPSec 64

Firewall 65
Firewall 65
Firewall 65
Firewall 65
Firewall 65
Firewall 65

VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 66
VPN 67
VPN 67
VPN 67
VPN 67
VPN 67
VPN 67

IPS 68
IPS 68
IPS 68
IPS 68
IPS 68
IPS 68
IPS 68
IPS 68

WebMail 69
WebMail 69
WebMail 69
WebMail 69
WebMail 69
WebMail 69
NTP 70
NTP 70
NTP 70
NTP 70
NTP 70
NTP 70
NTP 70
NTP 70
NTP 70
NTP 70
NTP 70
NTP 70

SecL2 71
SecL2 71
SecL2 71
SecL2 71
SecL2 71
SecL2 71

ZBF 72
ZBF 72
ZBF 72
ZBF 72
ZBF 72
ZBF 72

iii

SecL2 73
SecL2 73
SecL2 73
SecL2 73
SecL2 73
SecL2 73

Encryption 74
Encryption 74
Encryption 74
Encryption 74
Encryption 74
Encryption 74
Encryption 74
Encryption 74

iii

IPS 75
IPS 75
IPS 75
IPS 75
IPS 75
IPS 75
IPS 75
IPS 75

SecCP 76
SecCP 76
SecCP 76
SecCP 76
SecCP 76
SecCP 76
SecCP 76
SecCP 76

SecCP 77
SecCP 77
SecCP 77
SecCP 77
SecCP 77
SecCP 77
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78
IPSec 78

WebMail 79

WebMail 79
WebMail 79
WebMail 79
WebMail 79
WebMail 79
WebMail 79

SecL2 80
SecL2 80
SecL2 80
SecL2 80
SecL2 80
SecL2 80

IPS 81
IPS 81
IPS 81
IPS 81
IPS 81
IPS 81
iii

SecMP 83
SecMP 83
SecMP 83
SecMP 83
SecMP 83
SecMP 83

iii

Firewall 84
Firewall 84
Firewall 84
Firewall 84
Firewall 84
Firewall 84
ASA 85
ASA 85
ASA 85
ASA 85
ASA 85
ASA 85
ASA 85
ASA 85

NTP 86
NTP 86
NTP 86
NTP 86
NTP 86
NTP 86

Encryption 87
Encryption 87
Encryption 87
Encryption 87
Encryption 87
Encryption 87
IPS 88
IPS 88
IPS 88
IPS 88
IPS 88
IPS 88

AAA 89

AAA 89
AAA 89
AAA 89
AAA 89
AAA 89

IPS 90
IPS 90
IPS 90
IPS 90
IPS 90
IPS 90
ASA 91
ASA 91
ASA 91
ASA 91
ASA 91
ASA 91

Encryption 92
Encryption 92
Encryption 92
Encryption 92
Encryption 92
Encryption 92

AAA 93
AAA 93
AAA 93
AAA 93
AAA 93
AAA 93
ASA 94
ASA 94
ASA 94
ASA 94
ASA 94
ASA 94
ASA 94
ASA 94

SecMP 95
SecMP 95
SecMP 95
SecMP 95
SecMP 95
SecMP 95

SecCP 96
SecCP 96
SecCP 96
SecCP 96
SecCP 96
SecCP 96
SecCP 96
ACL 97
ACL 97
ACL 97
ACL 97
ACL 97
ACL 97

Encryption 98
Encryption 98
Encryption 98
Encryption 98
Encryption 98
Encryption 98
Encryption 98

SecL2 99
SecL2 99
SecL2 99
SecL2 99
SecL2 99
SecL2 99
VPN 100
VPN 100
VPN 100
VPN 100
VPN 100
VPN 100

IOS ZBF 102

IOS ZBF 102
IOS ZBF 102
IOS ZBF 102
IOS ZBF 102
IOS ZBF 102

WebMail 103
WebMail 103
WebMail 103
WebMail 103
WebMail 103
WebMail 103
WebMail 103
Base 104
Base 104
Base 104
Base 104
Base 104
Base 104

SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
SecMP 105
IOS ZBF 106
IOS ZBF 106
IOS ZBF 106
IOS ZBF 106
IOS ZBF 106
IOS ZBF 106
IOS ZBF 106

Firewall 107

Firewall 107
Firewall 107
Firewall 107
Firewall 107
Firewall 107
Firewall 107

IPSec 108
IPSec 108
IPSec 108
IPSec 108
IPSec 108
IPSec 108
IPSec 108
IPSec 108

SecMP 109

SecMP 109
SecMP 109
SecMP 109
SecMP 109
SecMP 109
SecMP 109
SecMP 109
SecMP 109
SecMP 109
SecMP 109
SecMP 109

SecL2 110
SecL2 110
SecL2 110
SecL2 110
SecL2 110
SecL2 110
SecL2 110
SecL2 110
SecL2 111
SecL2 111
SecL2 111
SecL2 111
SecL2 111
SecL2 111

SecCP 112
SecCP 112
SecCP 112
SecCP 112
SecCP 112
SecCP 112

Firewall 113
Firewall 113
Firewall 113
Firewall 113
Firewall 113
Firewall 113
Firewall 113

ASA 115
ASA 115
ASA 115
ASA 115
ASA 115
ASA 115

AAA 116
AAA 116
AAA 116
AAA 116
AAA 116
AAA 116

SecL2 117
SecL2 117
SecL2 117
SecL2 117
SecL2 117
SecL2 117

IPS 118
IPS 118
IPS 118
IPS 118
IPS 118
IPS 118

Base 119
Base 119
Base 119
Base 119
Base 119
Base 119

WebMail 120
WebMail 120
WebMail 120
WebMail 120
WebMail 120
WebMail 120
SecL2 121
SecL2 121
SecL2 121
SecL2 121
SecL2 121
SecL2 121

SecL2 121
SecDP 122
SecDP 122
SecDP 122
SecDP 122
SecDP 122
SecDP 122

SecL2 123
SecL2 123
SecL2 123
SecL2 123
SecL2 123
SecL2 123

SecL2 124
SecL2 124
SecL2 124
SecL2 124
SecL2 124
SecL2 124

SecL2 125
SecL2 125
SecL2 125
SecL2 125
SecL2 125
SecL2 125

SecL2 126
SecL2 126
SecL2 126
SecL2 126
SecL2 126
SecL2 126

ACL 127
ACL 127
ACL 127
ACL 127
ACL 127
ACL 127
ACL 127
ACL 127

Base 128
Base 128
Base 128
Base 128
Base 128
Base 128
Base 129
Base 129
Base 129
Base 129
Base 129
Base 129

AAA 130
AAA 130
AAA 130
AAA 130
AAA 130
AAA 130

IPS 132
IPS 132
IPS 132
IPS 132
IPS 132
IPS 132
IPS 132
Base 134
Base 134
Base 134
Base 134
Base 134
Base 134

Encryption 138
Encryption 138
Encryption 138
Encryption 138
Encryption 138
Encryption 138

WebMail 139
WebMail 139
WebMail 139
WebMail 139
WebMail 139
WebMail 139
WebMail 139
IOS ZBF 140
IOS ZBF 140
IOS ZBF 140
IOS ZBF 140
IOS ZBF 140
IOS ZBF 140
IOS ZBF 140
AAA

ISE 142
ISE 142
ISE 142
ISE 142
ISE 142
ISE 142

ISE 143
ISE 143
ISE 143
ISE 143
ISE 143
ISE 143

IPS 144
IPS 144
IPS 144
IPS 144
IPS 144
IPS 144
IPS 144

VPN 147
VPN 147
VPN 147
VPN 147
VPN 147
VPN 147
VPN 148
VPN 148
VPN 148
VPN 148
VPN 148
VPN 148
VPN 148
VPN 148

iii

VPN 150

VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
VPN 150
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151
AAA 151

IPSec 152
IPSec 152
IPSec 152
IPSec 152
IPSec 152
IPSec 152
IPSec 152
ASA 154
ASA 154
ASA 154
ASA 154
ASA 154
ASA 154
ASA 154

WebMail 155

WebMail 155
WebMail 155
WebMail 155
WebMail 155
WebMail 155
WebMail 155

SecL2 156
SecL2 156
SecL2 156
SecL2 156
SecL2 156
SecL2 156

SecMP 157
SecMP 157
SecMP 157
SecMP 157
SecMP 157
SecMP 157
SecMP 157
SecMP 157
SecMP 157
SecMP 157
SecMP 157
SecMP 157
SecMP 157

IPS 158
IPS 158
IPS 158
IPS 158
IPS 158
IPS 158
IPS 158
IPS 160
IPS 160
IPS 160
IPS 160
IPS 160
IPS 160

VPN 161
VPN 161
VPN 161
VPN 161
VPN 161
VPN 161

Firewall 162
Firewall 162
Firewall 162
Firewall 162
Firewall 162
Firewall 162

SecCP 165
SecCP 165
SecCP 165
SecCP 165
SecCP 165
SecCP 165

Base 166
Base 166
Base 166
Base 166
Base 166
Base 166

iii
OSPF 167
OSPF 167
OSPF 167
OSPF 167
OSPF 167
OSPF 167

Base 168

Base 168
Base 168
Base 168
Base 168
Base 168
Base 168

AAA 169
AAA 169
AAA 169
AAA 169
AAA 169
AAA 169

WebMail 170
WebMail 170
WebMail 170
WebMail 170
WebMail 170
WebMail 170

iii
Encryption 171
Encryption 171
Encryption 171
Encryption 171
Encryption 171
Encryption 171

SecMP 172
SecMP 172
SecMP 172
SecMP 172
SecMP 172
SecMP 172

Encryption 173
Encryption 173
Encryption 173
Encryption 173
Encryption 173
Encryption 173

Base 175
Base 175
Base 175
Base 175
Base 175
Base 175
Base 175
Base 175
SecL2 176
SecL2 176
SecL2 176
SecL2 176
SecL2 176
SecL2 176

NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
NTP 177
SecMP 178
SecMP 178
SecMP 178
SecMP 178
SecMP 178
SecMP 178
SecMP 178

ZBF 179
ZBF 179
ZBF 179
ZBF 179
ZBF 179
ZBF 179

AAA 180
AAA 180
AAA 180
AAA 180
AAA 180
AAA 180
AAA 180
AAA 180

Base 181
Base 181
Base 181
Base 181
Base 181
Base 181

SecL2 182
SecL2 182
SecL2 182
SecL2 182
SecL2 182
SecL2 182
SecL2 182
IPS 183
IPS 183
IPS 183
IPS 183
IPS 183
IPS 183

Encryption 184
Encryption 184
Encryption 184
Encryption 184
Encryption 184
Encryption 184
Encryption 184

ASA 185
ASA 185
ASA 185
ASA 185
ASA 185
ASA 185
ASA 185
ASA 185

iii

IOS ZBF 186

IOS ZBF 186
IOS ZBF 186
IOS ZBF 186
IOS ZBF 186
IOS ZBF 186

Firewall 187
Firewall 187
Firewall 187
Firewall 187
Firewall 187
Firewall 187
ASA 188
ASA 188
ASA 188
ASA 188
ASA 188
ASA 188
ASA 188
ASA 188

NAT 189
NAT 189
NAT 189
NAT 189
NAT 189
NAT 189

NAT 190
NAT 190
NAT 190
NAT 190
NAT 190
NAT 190

NAT 191
NAT 191
NAT 191
NAT 191
NAT 191
NAT 191

SecL2 192
SecL2 192
SecL2 192
SecL2 192
SecL2 192
SecL2 192
SecL2 192
SecL2 192
Question
QUESTION 1
Which statement about communication over failover interfaces is true?
A. All information that is sent over the failover interface is sent as clear text, but the stateful failover l
B. All information that is sent over the failover and stateful failover interfaces is encrypted by default
C. All information that is sent over the failover and stateful failover interfaces is sent as clear text by d

D. Usernames, password and preshared keys are encrypted by default when they are sent over the fa

C
QUESTION 2, 146
Which three ESP fields can be encrypted during transmission? (Choose three)
A. Security Parameter Index
B. Sequence Number
C. MAC Address
D. Padding
E. Pad Length
F. Next Header

DEF
QUESTION 3
According to Cisco best practices, which three protocols should the default ACL allow an access port to
(Choose three)
A. BOOTP
B. TFTP
C. DNS
D. MAB
E. HTTP
F. 802.1x
ABC
QUESTION 4
Refer to the exhibit. If a supplicant supplies incorrect credentials for all authentication methods config

A. The switch will cycle through the configured authentication methods indefinitely
B. The supplicant will fail to advance beyond the webauth method.
C. The authentication attempt will time out and the switch will place the port into the unathorized stat
D. The authentication attempt will time out and the switch will place the port into VLAN 101

B
QUESTION 5
Which SOURCEFIRE logging action should you choose to record the most detail about a connection.
A. Enable logging at the beginning of the session
B. Enable logging at the end of the session
C. Enable alerts via SNMP to log events off-box
D. Enable eStreamer to log events off-box

B
QUESTION 6
What type of algorithm uses the same key to encryp and decrypt data?
A. a symmetric algorithm
B. an asymetric algorithm
C. a Public Key infrastructure algorithm
D. an IP Security algorithm

A
QUESTION 7, 133
If a packet matches more than one class map in an individual feature type's policy map, how does the
A. The ASA will apply the actions from only the most specific matching class map it finds for the
feature type
B. The ASA will apply the actions from all matching class maps it finds for the feature type
C. The ASA will apply the actions from only the last matching class map it finds for the feature type.
D. The ASA will apply the actions from only the first matching class map it finds for the feature type.

D
QUESTION 8, 163
You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security
address. What action can you take to allow the user access to the IP address?
A. Create a custom blacklist to allow traffic
B. Create a whitelist and add the appropriate IP address to allow traffic.
C. Create a user based access control rule to allow the traffic.
D. Create a network based access control rule to allow the traffic.
E. Create a rule to bypass inspection to allow the traffic

B
QUESTION 9
Which EAP method uses protected Access Credentials?
A. EAP-TLS
B. EAP-PEAP
C. EAP-FAST
D. EAP-GTC

C
QUESTION 10
In which two situations should you use out-of-band management? (Choose two)
A. when a network device fails to forward packets
B. when management applications need concurrent access to the device
C. when you require ROMMON access
D. when you require adminstrator access from multiple locations
E. when the control plane fails to respond

AC
QUESTION 11
What features can protect the data plane? (Choose three.)
A. policing
B. ACLs
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping

BDF
QUESTION 12
How many crypto map sets can you apply to a router interface?
A. 3
B. 2
C. 4
D. 1

D
QUESTION 13
What is the transition order of STP states on a Layer 2 switch interface?
A. listening, learning, blocking, forwarding, disabled
B. listening, blocking, learning, forwarding, disabled
C. blocking, listening, learning, forwarding, disabled
D. forwarding, listening, learning, blocking, disabled

C
QUESTION 14
Which sensor mode can deny attackers inline?
A. IPS
B. fail-close
C. IDS
D. fail-open

A
QUESTION 15
Which options are filtering options used to display SDEE message types?
A. stop
B. none
C. error
D. all

CD
QUESTION 16
When a company puts a security policy in place, what is the effect on the company's business?
A. Minimizing risk
B. Minimizing total cost of ownership
C. Minimizing liability
D. Maximizing compliance

A
QUESTION 17
Which wildcard mask is associated with a subnet mask of /27?
A. 0.0.0.31
B. 0.0.0.27
C. 0.0.0.224
D. 0.0.0.255

A
QUESTION 18
Which statements about reflexive access lists are true?
A. Reflexive access lists create a permanent ACE
B. Reflexive access lists approximate session filtering using the established keyword
C. Reflexive access lists can be attached to standard named IP ACLs
D. Reflexive access lists support UDP sessions
E. Reflexive access lists can be attached to extended named IP ACLs
F. Reflexive access lists support TCP sessions

DEF
QUESTION 19
Which actions can a promiscuous IPS take to mitigate an attack?
A. modifying packets
B. requesting connection blocking
C. denying packets
D. resetting the TCP connection
E. requesting host blocking
F. denying frames

BDE
QUESTION 20
Which Cisco Security Manager application collects information about device status and uses it to gene
A. FlexConfig
B. Device Manager
C. Report Manager
D. Health and Performance Monitor

D
QUESTION 21
Which command is needed to enable SSH support on a Cisco Router?
A. crypto key lock rsa
B. crypto key generate rsa
C. crypto key zeroize rsa
D. crypto key unlock rsa

B
QUESTION 22
In which three ways does the TACACS protocol differ from RADIUS? (Choose three)
A. TACACS uses TCP to communicate with the NAS
B. TACACS can encrypt the entire packet that is sent to the NAS
C. TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted
D. TACACS uses UDP to communicate with the NAS
E. TACACS encrypts only the password field in an authentication packet
F. TACACS support per-command authorization

ABF
QUESTION 23
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM
access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabl
you may also need to unexpand the expanded menu first.
Which user authentication method is used when users login to the Clientless SSL VPN portal using http
A. Both Certificate and AAA with LOCAL database
B. AAA with RADIUS server
C. Both Certificate and AAA with RADIUS server
D. AAA with LOCAL database
E. Certificate

p 148

D
QUESTION 24
Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM
access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabl
you may also need to unexpand the expanded menu first. When users login to the Clientless SSL VPN
A. test
B. Sales
C. DefaultRAGroup
D. DefaultWEBVPNGroup
E. clientless
F. DFTGrpPolicy

p 270

B
QUESTION 25
Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM
access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabl
you may also need to unexpand the expanded menu first. Which two statements regarding the ASA V
A. The Inside-SRV bookmark has not been applied to the Sales group policy
B. The ASA has a certificate issued by an external Certificate Authority associated to the
ASDM_Trustpoint1
C. The Inside-SRV bookmark references the https://192.168.1.2 URL
D. Any Connect, IPSec IKEv1 and IPSec IKEv2 VPN access is enabled on the outside interface
E. Only Clientless SSL VPN VPN access is allowed with the Sales group Policy
F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method

P 206

CF
QUESTION 26
Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM
access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabl
you may also need to unexpand the expanded menu first. Which four tunneling protocols are enabled
A. IPsec IKEv1
B. IPsec IKEv2
C. L2TP/IPsec
D. Clientless SSL VPN
E. SSL VPN Client
F. PPTP

P 88

ABCD
QUESTION 27
Given the new additional connectivity requirements and the topology diagram, use ASDM to accompli
connectivity requirements:
- Currently, the ASA configurations only allow on the Inside and DMZ networks to access any hosts on
the Outside to HTTP to the DMZ server. The hosts on the Outside will need to use the 209.165.201.30
- Currently, hosts on the ASA higher security level interfaces are not able to ping any hosts on the low
to dynamically allow the echo-reply responses back through the ASA.
Once the correct ASA configurations have been configured:
- You can test the connectivity tohttp://209.165.201,30from the Outside PC browser.
- You can test the pings to the Outside (www.cisco.com) by opening the inside PC command prompt w
To access ASDM, click the ASA icon in the topology diagram.
To access the Firefox Browser on the Outside PC, click the Outside PC icon in the topology diagram.
To access the Command prompt on the Inside PC, click the Inside PC icon in the topology diagram.
Note:
After you make the configuration changes in ASDM, remember to click Apply to apply the configuratio
Not all ASDM screens are enabled in this simulation, if some screen is not enabled, try to use different
ASDM screens may not look and function exactly like the real ASDM.
Answer:
Step1: Firewall, Configuration, NAT Rules, Name=http, IP version=IPv4, IP address=209.165.201.30, S
Step2: Firewall, Config, NAT Rules, Interface=Outside, Action=Permit, Source=any, Destination=209.1
Step3: Firewall, Config, Service policy Rules, Click Global Policy and edit, Rule Action tab, Click ICMP an
Step4: Ping www.cisco.com from Inside PC

P 340

QUESTION 28
What is the purpose of the Integrity component of the CIA triad?
A. to ensure that only authorized parties can modify data
B. to determine whether data is relevant
C. to create a process for accessing data
D. to ensure that only authorized parties can view data

A
QUESTION 29
Which two statements about Telnet access to the ASA are true? (Choose two).
A. You may VPN to the lowest security interface to telnet to an inside interface.
B. You must configure an AAA server to enable Telnet.
C. You can access all interfaces on an ASA using Telnet.
D. You must use the command virtual telnet to enable Telnet.
E. Best practice is to disable Telnet and use SSH.

AE
QUESTION 30
Which protocol provides security to Secure Copy?
A. IPsec
B. SSH
C. HTTPS
D. ESP

B
QUESTION 31
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option
begin troubleshooting?
A. Ensure that the RDP2 plug-in is installed on the VPN gateway
B. Reboot the VPN gateway
C. Instruct the user to reconnect to the VPN gateway
D. Ensure that the RDP plug-in is installed on the VPN gateway

D
QUESTION 32
Which security zone is automatically defined by the system?
A. The source zone
B. The self zone
C. The destination zone
D. The inside zone

B
QUESTION 33
What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)
A. The Internet Key Exchange protocol establishes security associations
B. The Internet Key Exchange protocol provides data confidentiality
C. The Internet Key Exchange protocol provides replay detection
D. The Internet Key Exchange protocol is responsible for mutual authentication

AD
QUESTION 34
Which address block is reserved for locally assigned unique local addresses?
A. 2002::/16
B. FD00::/8
C. 2001::/32
D. FB00::/8

B
QUESTION 35
What is a possible reason for the error message?
Router(config)#aaa server?
% Unrecognized command
A. The command syntax requires a space after the word "server"
B. The command is invalid on the target device
C. The router is already running the latest operating system
D. The router is a new device on which the aaa new-model command must be applied before continui

D
QUESTION 36
Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A. Smart tunnels can be used by clients that do not have administrator privileges
B. Smart tunnels support all operating systems
C. Smart tunnels offer better performance than port forwarding
D. Smart tunnels require the client to have the application installed locally
AD
QUESTION 37
Which option describes information that must be considered when you apply an access list to a physic
A. Protocol used for filtering
B. Direction of the access class
C. Direction of the access group
D. Direction of the access list

C
QUESTION 38
Which source port does IKE use when NAT has been detected between two VPN gateways?
A. TCP 4500
B. TCP 500
C. UDP 4500
D. UDP 500

QUESTION 39
Which of the following are features of IPsec transport mode? (Choose three.)
A. IPsec transport mode is used between end stations
B. IPsec transport mode is used between gateways
C. IPsec transport mode supports multicast
D. IPsec transport mode supports unicast
E. IPsec transport mode encrypts only the payload
F. IPsec transport mode encrypts the entire packet

ADE
QUESTION 40
Which command causes a Layer 2 switch interface to operate as a Layer 3 interface?
A. no switchport nonnegotiate
B. switchport
C. no switchport mode dynamic auto
D. no switchport
D
QUESTION 41
Which command verifies phase 1 of an IPsec VPN on a Cisco router?
A. show crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto engine connection active

C
QUESTION 42
What is the purpose of a honeypot IPS?
A. To create customized policies
B. To detect unknown attacks
C. To normalize streams
D. To collect information about attacks

D
QUESTION 43
Which type of firewall can act on the behalf of the end device?
A. Stateful packet
B. Application
C. Packet
D. Proxy

D
QUESTION 44, 149
Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the show crypto isakmp as com
A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5
B. IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5
C. IPSec Phase 1 is down due to a QM_IDLE state
D. IPSEc Phase 2 is down due to a QM_IDLE state

A
QUESTION 45
What type of attack was the Stuxnet virus?
A. cyber warfare
B. hactivism
C. botnet
D. social engineering

A
QUESTION 46, 153
Which type of secure connectivity does an extranet provide?
A. remote branch offices to your company network
B. your company network to the Internet
C. new networks to your company network
D. other company networks to your company network

D
QUESTION 47
After reloading a router, you issue the dir command to verify the installation and observe that the ima
dir output?
A. The secure boot-image command is configured
B. The secure boot-comfit command is configured
C. The confreg 0x24 command is configured.
D. The reload command was issued from ROMMON.
A
QUESTION 48
What is a reason for an organization to deploy a personal firewall?
A. To protect endpoints such as desktops from malicious activity
B. To protect one virtual network segment from another
C. To determine whether a host meets minimum security posture requirements
D. To create a separate, non-persistent virtual environment that can be destroyed after a session
E. To protect the network from DoS and syn-flood attacks

A
QUESTION 49, 136
Which FirePOWER preprocessor engine is used to prevent SYN attacks?
A. Rate-Based Prevention
B. Portscan Detection
C. IP Defragmentation
D. Inline Normalization

A
QUESTION 50
What VPN feature allows traffic to exit the security appliance through the same interface it entered?
A. Hairpinning
B. NAT
C. NAT traversal
D. split tunneling

A
QUESTION 51
When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?
A. Perform a Layer 6 reset
B. Deploy an antimalware system
C. Enable bypass mode
D. Deny the connection inline

D
QUESTION 52
Which statement about Cisco ACS authentication and authorization is true?
A. ACS servers can be clustered to provide scalability
B. ACS can query multiple Active Directory domains
C. ACS uses TACACS to proxy other authentication servers
D. ACS can use only one authorization profile to allo or deny requests

A
QUESTION 53, 137
What is the only permitted operation for processing multicast traffic on zone-based firewalls?
A. Stateful inspection of multicast traffic is supported only for the self zone
B. Stateful inspection for multicast traffic is supported only between the self-zone and the internal zon
C. Only control plane policing can protect the control plane against multicast traffic.
D. Stateful inspection of multicast traffic is supported only for the internal zone.

C
QUESTION 54
What is one requirement for locking a wired or wireless device from ISE?
A. The ISE agent must be installed on the device
B. The device must be connnected to the network when the lock command is executed
C. The user must approve the locking action
D. The organization must implement an acceptable use policy allowing device locking
A
QUESTION 55
Refer to the exhibit. What type of firewall would use the given cofiguration line?

A. a stateful firewall
B. a personal firewall
C. a proxy firewall
D. an application firewall
E. a stateless firewall

A
QUESTION 56
What are two default Cisco IOS privilege levels? (Choose two)
A. 0
B. 5
C. 1
D. 7
E. 10
F. 15

CF
QUESTION 57
What is the effect of the given command sequence?
A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24
B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24
C. it defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24
D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24

A
QUESTION 58
Which tool can an attacker use to attempt a DDos attack?
A. botnet
B. Trojan horse
C. virus
D. adware

A
QUESTION 59
how does the Cisco ASA use Active Directory to authorize VPN users?
A. It queries the Active Directory server for a Specfic attribute for the specific user
B. It sends the username and password to retire an ACCEPT or Reject message from the Active Directo
C. It downloads and stores the Active Directory databas to query for future authorization
D. It redirects requests to the Active Directory server defined for the VPN group

A
QUESTION 60, 174
Which statement about application blocking is true?
A. It blocks access to files with specific extensions
B. It blocks access to specific network addresses
C. It blocks access to specific programs
D. It blocks access to specific network services.
C
QUESTION 61
For what reason would you configure multiple security contexts on the ASA firewall?
A. To enable the use of VFRs on routers that are adjacently connected
B. To provide redundancy and high availability within the organization
C. To enable the use of multicast routing and QoS through the firewall
D. To seperate different departments and business units

D
QUESTION 62
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connectio
A. split tunneling
B. hairpinning
C. tunnel mode
D. transparent mode

A
QUESTION 63
When is the best time to perform an anti-virus signature update?
A. When the local scanner has detected a new virus
B. When a new virus is discovered in the wild
C. Every time a new update is available
D. When the system detects a browser hook

C
QUESTION 64
What is the effect of thesend-lifetime local 23:59:00 31 December 31 2013infinite command?
A. It configures the device to begin transmitting the authentication key to other devices at 00:00:00 lo
B. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 lo
C. It configures the device to begin accepting the authentication key from other devices immediately
D. It configures the device to generate a new authentication key and transmit it to other devices at 23
E. It configures the device to begin accepting the authentication key from other devices at 23:59:00 lo
F. It configures the device to begin accepting the authentication key from other devices at 00:00:00 lo

B
QUESTION 65
Which Statement about personal firewalls is true?
A. They are resilient against kernal attacks
B. They can protect email messages and private documents in a similar way to a VPN
C. They can protect the network against attacks
D. They can protect a system by denying probing requests

D
QUESTION 66
Refer to the exhibit. While troubleshooting site-to-site VPN, you issued theshow crypto ipsec sacom

A. ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1

B. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5
C. IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5
D. IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets
B
QUESTION 67
Which statement about a PVLAN isolated port configured on a switch is true?
A. The isolated port can communicate only with the promiscous port
B. The isolated port can communicate with other isolated ports and the promiscuous port
C. The isolated port can communicate only with community ports
D. The isolated port can communicate only with other isolated ports

A
QUESTION 68, 82, 131
Which three statements about host-based IPS are true? (Choose three)
A. It can view encrypted files
B. It can be deployed at the perimeter
C. It uses signature-based policies
D. It can have more restrictive policies than network-based IPS
E. It works with deployed firewalls
F. It can generate alerts based on behavior at the desktop level.

ADF
QUESTION 69, 101
What type of security support is provided by the Open Web Application Security Project?
A. Education about common Web site vulnerabilities
B. A wb site security framework
C. A security discussion forum for Web site developers
D. Scoring of common vulnerabilities and exposures
A
QUESTION 70
Refer to the exhibit. Which statement about the device time is true?

A. The time is authoritative because the clock is in sync

B. The time is authoritative, but the NTP process has lost contact with its servers
C. The clock is out of sync
D. NTP is configured incorrectly
E. The time is not authoritative

B
QUESTION 71
In what type of attack does an attacker virtually change a devices burned in address in an attempt to
A. gratuitous ARP
B. ARP poisoning
C. IP Spoofing
D. MAC Spoofing

D
QUESTION 72
How does a zone-based firewall implementation handle traffic between Interfaces in the same Zone?
A. traffic between interfaces in the same zone is blocked unless yoc configure the same-security perm
B. Traffic between interfaces in the same zone is always blocked
C. Traffic between two interfaces in the same zone is allowed by default
D. Traffic between interfaces in the same zone is blocked unless you apply a service policy to the zone

C
QUESTION 73
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible resu
A. The switch could offer fake DHCP addresses.
B. The switch could become the root bridge.
C. The switch could be allowed to join the VTP domain
D. The switch could become a transparent bridge.

B
QUESTION 74, 141
Which two next generation encrytption algorithms does Cisco recommend? (Choose two)
A. AES
B. 3DES
C. DES
D. MD5
E. DH-1024
F. SHA-384

AF
QUESTION 75, 114
What three actions are limitations when running IPS in promiscous mode? (Choose three)
A. deny attacker
B. request block connection
C. deny packet
D. modify packet
E. request block host
F. reset TCP connection

ACD
QUESTION 76
Which two feature do CoPP and CPPr use to protect the control plane? (Choose two)
A. QoS
B. traffic classification
C. access lists
D. policy maps
E. class maps
F. Cisco Express Forwarding

AB
QUESTION 77
What is an advantage of implementing a Trusted Platform Module for disk encryption?
A. It provides hardware authentication
B. It allows the hard disk to be transferred to another device without requiring re-encryption.dis
C. it supports a more complex encryption algorithm than other disk-encryption technologies.
D. it can protect against single poins of failure.
A
QUESTION 78
Refer to the exhibit. What is the effect of the given command sequence?

A. It configures IKE Phase 1

B. It configures a site-to-site VPN Tunnel
C. It configures a crypto policy with a key size of 14400
D. It configures IPSec Phase 2

A
QUESTION 79

A specific URL has been identified as containing malware. What action can you take to block users fro
A. Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the routers loc
B. Enable URL filtering on the perimeter router and add the URLs you want to allow to the firewalls loc
C. Create a blacklist that contains the URL you want to block and activate the blacklist on the perimet
D. Enable URL filtering on the perimeter router and add the URLs you want to block to the routers loca
E. Create a whitelist that contains the URls you want to allow and activate the whitelist on the perime

E
QUESTION 80
If you change the native VLAN on the port to an unused VLAN, what happens if an attacker attempts a
A. The trunk port would go into an error-disable state.
B. A VLAN hopping attack would be successful
C. A VLAN hopping attack would be prevented
D. the attacked VLAN will be pruned

C
QUESTION 81
What is an advantage of placing an IPS on the inside of a network?
A. It can provide higher throughput.
B. It receives traffic that has already been filtered.
C. It receives every inbound packet.
D. It can provide greater security.

B
QUESTION 83
Which syslog severity level is level number 7?
A. Warning
B. Informational
C. Notification
D. Debugging

D
QUESTION 84
Which type of mirroring does SPAN technology perform?
A. Remote mirroring over Layer 2
B. Remote mirroring over Layer 3
C. Local mirroring over Layer 2
D. Local mirroring over Layer 3
C
QUESTION 85
Which tasks is the session management path responsible for? (Choose three.)
A. Verifying IP checksums
B. Performing route lookup
C. Performing session lookup
D. Allocating NAT translations
E. Checking TCP sequence numbers
F. Checking packets against the access list

BDF
QUESTION 86
Which network device does NTP authenticate?
A. Only the time source
B. Only the client device
C. The firewall and the client device
D. The client device and the time source

A
QUESTION 87
What hash type does Cisco use to validate the integrity of downloaded images?
A. Sha1
B. Sha2
C. Md5
D. Md1
C
QUESTION 88
Which option is the most effective placement of an IPS device within the infrastructure?
A. Inline, behind the internet router and firewall
B. Inline, before the internet router and firewall
C. Promiscuously, after the Internet router and before the firewall
D. Promiscuously, before the Internet router and the firewall

A
QUESTION 89

If a router configuration includes the lineaaa authentication login default group tacacs+ enab
A. The user will be prompted to authenticate using the enable password
B. Authentication attempts to the router will be denied
C. Authentication will use the router`s local database
D. Authentication attempts will be sent to the TACACS+ server

AD
QUESTION 90
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
A. SDEE
B. Syslog
C. SNMP
D. CSM
A
QUESTION 91
Which type of address translation should be used when a Cisco ASA is in transparent mode?
A. Static NAT
B. Dynamic NAT
C. Overload
D. Dynamic PAT

A
QUESTION 92
Which components does HMAC use to determine the authenticity and integrity of a message?
A. The password
B. The hash
C. The key
D. The transform set

BC
QUESTION 93
What is the default timeout interval during which a router waits for responses from a TACACS server b
A. 5 seconds
B. 10 seconds
C. 15 seconds
D. 20 seconds
A
QUESTION 94
Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2

CEF
QUESTION 95
Which command initializes a lawful intercept view?
A. username cisco1 view lawful-intercept password cisco
B. parser view cisco li-view
C. li-view cisco user cisco1 password cisco
D. parser view li-view inclusive

C
QUESTION 96
Which security measures can protect the control plane of a Cisco router? (Choose two.)
A. CCPr
B. Parser views
C. Access control lists
D. Port security
E. CoPP
AE
QUESTION 97
Which statement about extended access lists is true?
A. Extended access lists perform filtering that is based on source and destination and are most effecti
B. Extended access lists perform filtering that is based on source and destination and are most effecti
C. Extended access lists perform filtering that is based on destination and are most effective when ap
D. Extended access lists perform filtering that is based on source and are most effective when applied

B
QUESTION 98
Which protocols use encryption to protect the confidentiality of data transmitted between two parties
A. FTP
B. SSH
C. Telnet
D. AAA
E. HTTPS

BE
QUESTION 99
What are the primary attack methods of VLAN hopping? (Choose two.)
A. VoIP hopping
B. Switch spoofing
C. CAM-table overflow
D. Double tagging

BD
QUESTION 100
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall co
A. Issue the command anyconnect keep-installer under the group policy or username webvpn mode
B. Issue the command anyconnect keep-installer installed in the global configuration
C. Issue the command anyconnect keep-installer installed under the group policy or username webvpn
D. Issue the command anyconnect keep-installer installer under the group policy or username webvpn

C
QUESTION 102
What is the FirePOWER impact flag used for?
A. A value that indicates the potential severity of an attack.
B. A value that the administrator assigns to each signature.
C. A value that sets the priority of a signature.
D. A value that measures the application awareness.

A
QUESTION 103
Which two services define cloud networks? (Choose two.)
A. Infrastructure as a Service
B. Platform as a Service
C. Compute as a Service
D. Security as a Service
E. Tenancy as a Service
AB
QUESTION 104
In a security context, which action can you take to address compliance?
A. Implement rules to prevent a vulnerability
B. Correct or counteract a vulnerability
C. Reduce the severity of a vulnerability
D. Follow directions from the security appliance manufacturer to remediate a vulnerability

A
QUESTION 105
How many times was a read-only string used to attempt a write operation?

A. 6
B. 9
C. 4
D. 3
E. 2
B
QUESTION 106
What can the SMTP preprocessor in a FirePOWER normalize?
A. It can extract and decode email attachments in client to server traffic
B. It can look up the email sender
C. it compares known threats to the email sender
D. It can forward the SMTP traffic to an email filter server
E. It uses the Traffic Anomaly Detector

A
QUESTION 107
You want to allow all of your companies users to access the Internet without allowing other Web serve
(Choose two).
A. Configure a proxy server to hide users local IP addresses
B. Assign unique IP addresses to all users.
C. Assign the same IP addresses to all users
D. Install a Web content filter to hide users local IP addresses
E. Configure a firewall to use Port Address Translation.

AE
QUESTION 108, 164
Which two authentication types does OSPF support? (Choose two)
A. plaintext
B. MD5
C. HMAC
D. AES 256
E. SHA-1
F. DES

AB
QUESTION 109, 159

Refer to the exhibit. The Admin user is unable to enter configuration mode on a device with the given

A. Remove the Autocommand keyword and arguments from the Username Admin privilege line
B. Change the Privilege exec level value to 15
C. Remove the two Username Admin lines
D. Remove the Privilege exec line.

A
QUESTION 110, 135
What command can you use to verify the binding table status?
A. Show ip dhcp snooping binding
B. Show ip dhcp snooping database
C. show ip dhcp snooping statistics
D. show ip dhcp pool
E. show ip dhcp source binding
F. show ip dhcp snooping
B
QUESTION 111
If a switch receives asuperiorBPDU and goes directly into a blocked state, what mecanism must be in
A. Etherchannel guard
B. root guard
C. loop guard
D. BPDU guard

B
QUESTION 112
What type of packet creates and performs network operations on a network device?
A. data plane packets
B. management plane packets
C. services plane packets
D. control plane packets

D
QUESTION 113, 145
Which two statements about stateless firewalls are true? (Choose two.)
A. They compare the 5-tuple of each incoming packet against configurable rules.
B. They cannot track connections.
C. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.
D. Cisco IOS cannot implement them because the platform is stateful by nature.
E. The Cisco ASA is implicitly stateless because it blocks all traffic by default.

AB
QUESTION 115
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable
A. aaa authentication enable console LOCAL SERVER_GROUP
B. aaa authentication enable console SERVER_GROUP LOCAL
C. aaa authentication enable console local
D. aaa authentication enable console LOCAL

D
QUESTION 116
Which accounting notices are used to send a failed authentication attempt record to a AAA server? (C
A. start-stop
B. stop-record
C. stop-only
D. stop

AC
QUESTION 117
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A. The interface on both switches may shut down
B. STP loops may occur
C. The switch with the higher native VLAN may shut down
D. The interface with the lower native VLAN may shut down

B
QUESTION 118
Which type of IPS can identify worms that are propagating in a network?
A. Policy-based IPS
B. Anomaly-based IPS
C. Reputation-based IPS
D. Signature-based IPS

B
QUESTION 119
By which kind of threat is the victim tricked into entering username and password information at a dis
A. Spoofing
B. Malware
C. Spam
D. Phishing

D
QUESTION 120
Which Cisco product can help mitigate web-based attacks within a network?
A. Adaptive Security Appliance
B. Web Security Appliance
C. Email Security Appliance
D. Identity Services Engine
B
QUESTION 121
Which statement correctly describes the function of a private VLAN?
A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast

A
QUESTION 122
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?
A. Unidirectional Link Detection
B. Unicast Reverse Path Forwarding
C. TrustSec
D. IP Source Guard

B
QUESTION 123
What is the most common Cisco Discovery Protocol version 1 attack?
A. Denial of Service
B. MAC-address spoofing
C. CAM-table overflow
D. VLAN hopping

A
QUESTION 124
What is the Cisco preferred countermeasure to mitigate CAM overflows?
A. Port security
B. Dynamic port security
C. IP source guard
D. Root guard

B
QUESTION 125
When a switch has multiple links connected to a downstream switch, what is the first step that STP ta
A. STP elects the root bridge
B. STP selects the root port
C. STP selects the designated port
D. STP blocks one of the ports

A
QUESTION 126
Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)
A. Port security
B. DHCP snooping
C. IP source guard
D. Dynamic ARP inspection

BD
QUESTION 127
Which of the following statements about access lists are true? (Choose three.)
A. Extended access lists should be placed as near as possible to the destination
B. Extended access lists should be placed as near as possible to the source
C. Standard access lists should be placed as near as possible to the destination
D. Standard access lists should be placed as near as possible to the source
E. Standard access lists filter on the source address
F. Standard access lists filter on the destination address

BCE
QUESTION 128
In which stage of an attack does the attacker discover devices on a target network?
A. Reconnaissance
B. Covering tracks
C. Gaining access
D. Maintaining access
A
QUESTION 129
Which type of security control is defense in depth?
A. Threat mitigation
B. Risk analysis
C. Botnet mitigation
D. Overt and covert channels

A
QUESTION 130
On which Cisco Configuration Professional screen do you enable AAA?
A. AAA Summary
B. AAA Servers and Groups
C. Authentication Policies
D. Authorization Policies

A
QUESTION 132
What are two users of SIEM software? (Choose two)
A. performing automatic network audits
B. configuring firewall and IDS devices
C. alerting administrators to security events in real time
D. scanning emails for suspicious attachments
E. collecting and archiving syslog data
CE
QUESTION 134
What statement provides the best definition of malware?
A. Malware is tools and applications that remove unwanted programs.
B. Malware is a software used by nation states to commit cyber-crimes.
C. Malware is unwanted software that is harmful or destructive
D. Malware is a collection of worms, viruses and Trojan horses that is distributed as a single.

C
QUESTION 138
Which of encryption technology has the broadcast platform support to protect operating systems?
A. Middleware
B. Hardware
C. software
D. file-level

D
QUESTION 139
Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam
and sophisticated phishing attack?
A. holistic understanding of threats
B. graymail management and filtering
C. signature-based IPS
D. contextual analysis
D
QUESTION 140
Which Sourfire secure action should you choose if you want to block only malicious traffic from a parti
A. Trust
B. Block
C. Allow without inspection
D. Monitor
E. Allow with inspection

E
QUESTION 142
When an administrator initiates a device wipe command from the ISE, what is the immediate effect?
A. It requests the administrator to choose between erasing all device data or only managed corporate
B. It requests the administrator to enter the device PIN or password before proceeding with the operat
C. It immediately erases all data on the device.
D. It notifies the device user and proceeds with the erase operation

A
QUESTION 143
How does a device on a network using ISE receive its digital certificate during the new-device registra
A. ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server
B. The device request a new certificate directly from a central CA
C. ISE issues a pre-defined certificate from a local database
D. ISE issues a certificate from its internal CA server.

A
QUESTION 144
How can you detect a false negative on an IPS?
A. View the alert on the IPS
B. Use a third-party to audit the next-generation firewall rules
C. Review the IPS console
D. Review the IPS log
E. Use a third-party system to perform penetration testing

E
QUESTION 147
Which type of PVLAN port allows host in the same VLAN to communicate directly with the other?
A. promiscuous for hosts in the PVLAN
B. span for hosts in the PVLAN
C. Community for hosts in the PVLAN
D. isolated for hosts in the PVLAN
C
QUESTION 148
Refer to the exhibit while troubleshooting site-to-site VPN, you issued the show crypto isakamp sa com
Dst src state conn-id slot
10.10.10.2 10.1.1.5 MM_NO_STATE 1 0
A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
B. IKE Phase 1 main mode has successfully negotiate between 10.1.1.5 and10.10.10.2
C. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
D. IKE Phase 1 aggressive mode was create on 10.1.1.5, but it failed to negotiate with 10.10.10.2

A
QUESTION 150

Refer to the exhibit. You have configured R1 and R2 as shown, but the routers are unable to establish
R1
Interface GigabitEthernet 0/0
IP address 10.20.20.4 255.255.255.255.0
Crypto isakmp policy 1
Authentication pre-share
Lifetime 84600
Crypto isakmp key test67890 address 10.20.20.4
R2
Interface GigabitEthernet 0/0
IP address 10.20.20.4 255.255.255.255.0
Crypto isakmp policy 10
Authentication pre-share
Lifetime 84600
Crypto isakmp key test12345 address 10.30.30.5
A. Edit the crypto keys on R1 and R2 to match.
B. Edit the crypto isakmp key command on each router with the address value of its own interface
C. Edit the ISAKMP policy sequence numbers on R1 and R2 to match.
D. set a valid value for the crypto key lifetime on each router.
A
QUESTION 151
Refer to the exhibit. Which statement about the given configuration is true?
Tacacs server tacacsl
Address ipv4 1.1.1.1
Timeout 20
Single- connection
Tacacs server tacacs2
Address ipv4 2.2.2.2
Timeout 20
Single- connection
Tacacs server tacacs3
Address ipv4 3.3.3.3
Timeout 20
Single- connection
A. The timeout command causes the device to move to the next server after 20 seconds of TACACS in
B. The single-connection command causes the device to process one TACACS request and then move
C. The single-connection command causes the device to establish one connection for all TACACS trans
D. The router communicates with the NAS on the default port, TCP 1645

QUESTION 152
Refer to the exhibit. What is the effect of the given command?
Crypto ipsec transform-set myset esp-md5-hmac esp-aes-256
A. It configures authentication to use AES 256.
B. It configures authentication to use MD5 HMAC.
C. It configures authorization use AES 256.
D. It configures encryption to use MD5 HMAC.
E. It configures encryption to use AES 256.

BE
QUESTION 154
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
A. Unicast IPv6 traffic from a higher security interface to a lower security interface is permitted in tran
B. Only BPDUs from a higher security interface to a lower security interface are permitted in routed m
C. ARPs in both directions are permitted in transparent mode only
D. Unicast IPv4 traffic from a higher security interface to a lower security interface is permitted in rout
E. Only BPDUs from a higher security interface to a lower security interface are permitted in transpare

C
QUESTION 155

You have been tasked with blocking user access to website that violate company policy, but the site u
A. Enable URL filtering and create a blacklist to block the websites that violate company policy.
B. Enable URL filtering and create a whitelist to allow only the websites the company policy allow user
C. Enable URL filtering and use URL categorization to allow only the websites the company policy allow
D. Enable URL filtering and create a whitelist to block the websites that violate company policy.
E. Enable URL filtering and use URL categorization to block the websites that violate company policy.

E
QUESTION 156
What is the potential drawback to leaving VLAN 1 as the native VLAN?
A. Gratuitous ARPs might be able to conduct a man-in-the-middle attack.
B. The CAM might be overloaded, effectively turning the switch into hub.
C. VLAN 1 might be vulnerable to IP address spoofing
D. It may be susceptible to a VLAN hopping attack

D
QUESTION 157
Refer to the exhibit. Which line in this configuration prevents the HelpDesk user from modifying the in
Username Engineer privilege 9 password 0 configure
Username Monitor privilege 8 password 0 vatcher
Username HelpDesk privilege 6 password help
Privilege exec level 6 show running
Privilege exec level 7show start-up
Privilege exec level 9 show configure terminal
Privilege exec level 10 interface
A. Privilege exec level 9 show configure terminal
B. Privilege exec level 7show start-up
C. Privilege exec level 10 interface
D. Username HelpDesk privilege 6 password help

D
QUESTION 158
Which IPS mode provides the maximum number of actions?
A. Inline
B. bypass
C. span
D. failover
E. promiscuous
A
QUESTION 160
Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
A. Network blocking
B. signature updates
C. file analysis
D. file reputation

D
QUESTION 161
What configuration allows AnyConnect to authenticate automatically establish a VPN session when a u
A. proxy
B. Trusted Network Detection
C. transparent mode
D. always-on

D
QUESTION 162
Which statement about the communication between interfaces on the same security level is true?
A. All Traffic is allowed by default between interfaces on the same security level.
B. Interface on the same security level require additional configuration to permit inter-interface comm
C. Configuring interface on the same security level can cause asymmetric routing.
D. You can configure only one interface on an individual security level.

B
QUESTION 165
Which feature filters CoPP packets?
A. Policy maps
B. route maps
C. access control lists
D. class maps

C
QUESTION 166
In which type of attack does an attacker send email message that ask the recipient to click a link such
A. pharming
B. phishing
C. solicitation
D. secure transaction
B
QUESTION 167
If the router ospf 200 command, what does the value 200 stands for?
A. Administrative distance value
B. process ID
C. area ID.
D. ABR ID

B
QUESTION 168
Your security team has discovered a malicious program that has been harvesting the CEO's email mes
your team discover?
A. social activism
B. drive-by spyware
C. targeted malware
D. advance persistent threat
E. Polymorphic virus

CD
QUESTION 169
What is the best way to confirm that AAA authentication is working properly?
A. use the test aaa command
B. use the Cisco-recommended configuration for AAA authentication
C. Log into and out of the router, and then check the NAS authentication log
D. Ping the NAS to confirm connectivity

A
QUESTION 170
What is the benefit of web application firewall?
A. It accelerate web traffic
B. It blocks know vulnerabilities without patching applications
C. It supports all networking protocols.
D. It simplifies troubleshooting

B
QUESTION 171
What improvement does EAP-FASTv2 provide over EAP-FAST?
A. It support more secure encryption protocols.
B. It allows multiple credentials to be passed in a single EAP exchange
C. It addresses security vulnerabilities found in the original protocol.
D. It allows faster authentication by using fewer packets.

B
QUESTION 172
Which statement about IOS privilege levels is true?
A. Each privilege level is independent of all other privilege levels.
B. Each privilege level supports the commands at its own level and all levels above it.
C. Each privilege level supports the commands at its own level and all levels below it.
D. Privilege-level commands are set explicitly for each user.

C.
QUESTION 173
What mechanism does asymmetric cryptography use to secure data?
A. an RSA nonce
B. a public/private key pair.
C. an MD5 hash.
D. shared secret keys.

B
QUESTION 175
What are the three layers of a hierarchical network design? (Choose three.)
A. core
B. access
C. server
D. user
E. internet
F. distribution
ABF
QUESTION 176
In which type of attack does the attacker attempt to overload the CAM table on a switch so that the sw
A. gratuitous ARP
B. MAC flooding
C. MAC spoofing
D. DoS

B
QUESTION 177
Refer to the exhibit. With which NTP server has the router synchronized?
209.114.111.1 Configure, ipv4, same, valid, stratum 2 ref ID 132.163.4.103, time
D7AD124D.9D6FC576 (03:17:33.614 UTC Sun Aug 31 2014) our mode client, peer mode server,
our poll intvl 64, peer poll intvl 64 root delay 46.34 msec, root disp 23.52, reach 1, sync dist
268.59 delay 63.27 msec, offset 7.9817 msec, dispersion 187.56, jitter 2.07 msec precision
2**23, version 4
204.2.134.164 Configure, ipv4, same, valid, stratum 2 ref ID 241.199.164.101, time
D7AD1D149.9EB5272B (03:25:13.619 UTC Sun Aug 31 2014) our mode client, peer mode
server, our poll intvl 64, peer poll intvl 256 root delay 30.83 msec, root disp 4.88, reach 1, sync
dist 223.80 delay 28.69 msec, offset 6.4331 msec, dispersion 187.56, jitter 1.39 msec precision
2**23, version 4
192.168.10.7 Configure, ipv4, our_master, sane, valid, stratum 3 ref ID 108.61.73.243, time
D7AD0D8F.AE79A23A (02:57:19.681 UTC Sun Aug 31 2014) our mode client, peer mode server,
our poll intvl 64, peer poll intvl 64 root delay 86.45 msec, root disp 87.82, reach 377, sync dist
134.25 delay 0.89 msec, offset 19.5087 msec, dispersion 1.69, jitter 0.84 msec precision 2**23,
version 4
A. 192.168.10.7
B. 108.61.73.243
C. 209.114.111.1
D. 204.2.134.164
E. 132.163.4.103
F. 241.199.164.101
A
QUESTION 178
What are two ways to protect eavesdropping when you perform device-management task? (Choose tw
A. use SNMPv2
B. use SSH connection
C. use SNMPv3
D. use in-band management
E. use out-band management

BC
QUESTION 179
Which firewall configuration must you perform to allow traffic to flow in both directions between two z
A. You can configure a single zone pair that allows bidirectional traffic flows from for any zone except t
B. You must configure two zone pair, one for each direction
C. You can configure a single zone pair that allows bidirectional traffic flows for any zone
D. You can configure a single zone pair that allows bidirectional traffic flows only if the source zone is t

B
QUESTION 180
Which three ways does the RADIUS protocol differ from TACACS?? (Choose three)
A. RADIUS authenticates and authorizes simultaneously. Causing fewer packets to be transmitted
B. RADIUS encrypts only the password field in an authentication packets
C. RADIUS can encrypt the entire packet that is sent to the NAS
D. RADIUS uses UDP to communicate with the NAS
E. RADIUS uses TCP to communicate with the NAS
F. RADIUS support per-command authentication

ABD
QUESTION 181
A data breach has occurred and your company database has been copied. Which security principle ha
A. Confidentiality
B. Access
C. Control
D. Availability

A
QUESTION 182
If a switch receives aonlysuperior BPDU and goes directly into a blocked state, what mechanism must
A.STP BPDU guard
B. portfast
C. EherCahannel guard
D. loop guard
E. STP Root guard
E
QUESTION 183
What is the primary purposed of a defined rule in an IPS?
A. to detect internal attacks
B. to define a set of actions that occur when a specific user logs in to the system
C. to configure an event action that is pre-defined by the system administrator
D. to configure an event action that takes place when a signature is triggered.

D.
QUESTION 184
How does PEAP protect EAP exchange?
A. it encrypts the exchange using the client certificate.
B. it validates the server-supplied certificate and then encrypts the exchange using the client certifica
C. it encrypts the exchange using the server certificate
D. it validates the client-supplied certificate and then encrypts the exchange using the server
certificate.

C.
QUESTION 185
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operation
A. When matching ACL entries are configured
B. when matching NAT entries are configured
C. When the firewall requires strict HTTP inspection
D. When the firewall requires HTTP inspection
E. When Firewall Recieves a FIN packet
F. When the firewall already has a TCP connection

ABD
QUESTION 186
How can firepower block malicious email attachments?
A) It forwards email requests to an external signature engine
B) It sends the traffic through a file policy
C) It scans inbound email messages for known bad URLs
D) It sends an alert to the administrator to verify suspicious email messages

B
QUESTION 187
A proxy firewall protects against which type of attacks?
A. DDoS
B. port scanning
C. worm traffic
D. cross-site scripting attacks
D.
QUESTION 188
Which two statements regarding the ASA VPN configurations are correct? (Choose two)
A. The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_TrustP
B. The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS server method.
C. The Inside-SRV bookmark references thehttps://10.1.1.xURL
D. Only Clientless SSL VPN access is allowed with the Sales group policy
E. AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outside interface
F. The Inside-SRV bookmark has not been applied to the Sales group policy

BC
QUESTION 189
which feature allow to forward network host to the internet with public IP addres
A. NAT
B.Trusted network detection
C.
D.

A
QUESTION 190
which NAT option is executed first during in case of multiple nat translations
A. dynamic nat with shortest prefix
B. dynamic nat with longest prefix
C. static nat with shortest prefix
D. static nat with longest prefix

D.
QUESTION 191
which feature allow from dynamic NAT pool to choose next IP address and not a port on a used IP add
A. next IP
B. round robin
C. Dynamic rotation
D. Dynamic PAT rotation

B
QUESTION 192
Which three statements are characteristics of DHCP Spoofing? (choose three)
A. Arp Poisoning
B. Modify Traffic in transit
C. Used to perform man-in-the-middle attack
D. Physically modify the network gateway
E. Protect the identity of the attacker by masking the DHCP address
F. can access most network devices

ABC
Which NAT type allows only objects or groups to reference an IP address?
A. dynamic NAT
B. dynamic PAT
C. static NAT
D. identity NAT

A
QUESTION 10
In which two situations should you useout-of-bandmanagement? (Choose two)
A. when a network device fails to forward packets
B. when management applications need concurrent access to the device
C. when you require ROMMON access
D. when you require adminstrator access from multiple locations
E. when the control plane fails to respond

AC
In which two situations should you usein-bandmanagement? (Choose two.)
A. when management applications need concurrent access to the device
B. when you require administrator access from multiple locations
C. when a network device fails to forward packets
D. when you require ROMMON access
E. when the control plane fails to respond
Answer: A,B
A:http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1300-
series/prod_qas09186a00802030dc.html
A:http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1300-
series/prod_qas09186a00802030dc.html
p.:Very stupid question... I can't be 100%sure to get it right...

According to this article:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-
generation-firewalls/113600-technote-product-00.html

"RDP2 plug-in: Due to changes within the RDP protocol, the Proper Java RDP
Client was updated in order to support Microsoft Windows 2003 Terminal
Servers and Windows Vista Terminal Servers. "

So RDP2 tend to be the right answer. However, it says right after:

"Tip: The latest RDP plug-in combines both RDP and RDP2 protocols. As a
result the RDP2 plug-in is obsolete. It is recommended to utilize the most-
According to this article:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-
generation-firewalls/113600-technote-product-00.html

"RDP2 plug-in: Due to changes within the RDP protocol, the Proper Java RDP
Client was updated in order to support Microsoft Windows 2003 Terminal
Servers and Windows Vista Terminal Servers. "

So RDP2 tend to be the right answer. However, it says right after:

"Tip: The latest RDP plug-in combines both RDP and RDP2 protocols. As a
result the RDP2 plug-in is obsolete. It is recommended to utilize the most-
recent version of the RDP plug-in."

The question doesn't specify what version it is, neither "Ensure that the
LATEST RDP plug-in in installed on the VPN gateway"

So in my opinion, I would keep the same two answers, as rebooting or

reconnecting actions are not really the type of action Cisco would
recommend.
p.:Correct answer, according to this post:
https://supportforums.cisco.com/discussion/12043016/pls-explain-svi-
acl-source-and-destination-direction

The direction applies to the access-group

p.:A is the correct answer. Hairpinning consist of traffic
being forwarded through the same interface it came in.

NAT is definitly out of the topic and split tunneling is

splitting traffic between VPN and non VPN traffic.
p.:C makes no sense. If the user could simply refuse the lock
command of a stolen device, it would render the feature totally
useless.
B makes no sense to me neither, same as above, it would render the
feature useless. The lock command should apply once the device
connect for the first time, since it was initiated.

A is my only answer, as the ISE agent indeed needs to be installed on

devices, to allow ISE to control them.
p.:Seems right.
B makes no sense.
C apply to a network firewall, not a personal firewalls.
A seems wrong as well. A personal firewall is resilient against attacked to an
overall system, not only its kernel. So D seems right.
p.:A is correct as the data is unencrypted at the host end, its HIPS can see
encrypted data content.

Then all D, E and F seems as valid answer. Some HIPS even make use of
firewalls for active response, so E seems as an acceptable answer, unless
p.:A is correct as the data is unencrypted at the host end, its HIPS can see
encrypted data content.

Then all D, E and F seems as valid answer. Some HIPS even make use of
firewalls for active response, so E seems as an acceptable answer, unless
we're talking about Cisco HIPS only and some limitation I'm unaware of.

p.:Correct answer, see

CBT Nuggets, Video 28
for this.

A leading . Means time is

authoritative, but not
synchronized.
p.:Cisco Content Switching Module (CSM) is another thing, so D is
wrong.
SNMP is not an alert or event log protocol, so C is also wrong.
Syslog and SDEE could be the correct answer, but syslog is less
secure. I therefore assume Cisco IME allows to use the recommended
SDEE protocol for up to 10 sensors.

p.:See:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configurati
on/guide/conf_gd/cfgnat.html#wp1102744
p.:See:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configurati
on/guide/conf_gd/cfgnat.html#wp1102744

NAT in Transparent Mode

NAT in transparent mode has the following requirements and
limitations:
you cannot use interface PAT.
p.:not so sure. To
verify??

A.:Ref:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/
Unified_Access/BYOD_Design_Guide/Managing_Lost_or_Stolen_Device.pdf