Module9

advertisement
1
Which two commands are used to deny a specific SNMP version and then enable SNMP application inspection on a Cisco PIX Security Applian
(Choose two.)
snmp-map
snmp inspect
inspect snmp
inspect snmp-map
snmp-map inspect
2
Which two URL-filtering applications can be used with the PIX Security Appliance? (Choose two.)
IIS
Websense
NetSensor
N2H2
3
The Cisco PIX Security Appliance allows the use of network, protocol, service and ICMP-type object grouping with ACLs. Which statement desc
service object group?
It is used to group client hosts, server hosts, or subnets.
It is used to group protocols, such as IP, TCP, and UDP.
It is used to group TCP or UDP port numbers.
It is used to group ICMP message types.
4
A network administrator has created the object group 10HOSTS to allow ten hosts access to specific network services. Which command does a
administrator use to verify that the object group has been configured successfully?
show access-list
show host-group
show 10HOSTS
show object-group
5
A network administrator is considering a URL-filtering application server to work with the Cisco PIX Security Appliance running OS version 6.2. W
application would support the filtering of URL strings longer than 1159 bytes?
N2H2
Websense
either Websense or N2H2
any URL-based filtering application
6
What is the function of the service-policy command within the Modular Policy Framework?
defines a set of services set by policies
enables a set of policies on an interface
identifies traffic flows according to services
groups a set of policies according to services
7
Why would Service object groups be placed in an access list?
A Service object group is used to indicate either the source or the destination port in an access list.
A Service object group is used in place of the keyword ip, tcp, udp or icmp.
A Service object group is used in place of source or destination server address.
A Service object group is used in place of listing individual servers that offer the same service.
8
The Cisco PIX Security Appliance with software version 6.2 or higher has eliminated the need for the alias command when configuring NAT tran
IP addresses imbedded in DNS messages. Which two commands can now support NAT translation of DNS messages, so that the alias comma
longer required? (Choose two.)
dns-route
nat
route-map
static
dns
9
Refer to the configuration shown in the graphic. Both commands have been entered into the Cisco PIX Security Appliance. Why might the admi
have chosen to allow ICMP unreachable traffic to be permitted at the outside interface?
Denying ICMP unreachable traffic will disable routing updates.
ICMP unreachable traffic is required by web browsers.
Denying ICMP unreachable traffic can halt PPTP and IPSec traffic.
ICMP unreachable traffic is required for ACLs to work properly.
10
A network administrator wants to configure an object group to permit hosts 10.1.1.1, 10.1.1.2, and 10.1.1.3 access to network servers. Which co
must be entered to correctly configure an object group for the three hosts?
object-group host 3HOSTS
network-object host 10.1.1.1
network-object host 10.1.1.2
network-object host 10.1.1.3
object-group network 3HOSTS
network-object host 10.1.1.1
network-object host 10.1.1.2
network-object host 10.1.1.3
object-group network 3HOSTS
host-object host 10.1.1.1
host-object host 10.1.1.2
host-object host 10.1.1.3
object-group host 3HOSTS
host-object host 10.1.1.1
host-object host 10.1.1.2
host-object host 10.1.1.3
11
Which three statements describe the use of ACLs on a Cisco PIX Security Appliance? (Choose three.)
ACLs are used to restrict outbound traffic flowing from a lower to a higher security level interface.
ACLs are used to restrict outbound traffic flowing from a higher to a lower security level interface.
If no ACL is attached to an interface, inbound traffic is permitted by default unless explicitly denied.
If no ACL is attached to an interface, outbound traffic is permitted by default unless explicitly denied.
Cisco PIX Security Appliance ACLs use a wildcard mask like Cisco IOS ACLs.
Cisco PIX Security Appliance ACLs use a regular subnet mask unlike Cisco IOS ACLs.
12
Which two statements describe the object-group and group-object commands? (Choose two.)
The object-group command is a subcommand of the group-object command.
The object-group command defines which type of object group will be created.
The object-group command can contain other group objects.
The group-object command can contain object groups of different types.
The group-object command enables the construction of hierarchical, or nested, object groups.
13
Which command is used to enable a Turbo ACL after it has been configured in global configuration mode?
pixfirewall(config)# access-list compiled
pixfirewall(config)# ip access-list compiled
pixfirewall(config)# access-group ACL_ID turbo
pixfirewall(config)# access-list compiled ACL_ID
14
Which three channels are used by RTSP applications in standard RTP mode? (Choose three.)
master control channel
RTP data channel
TCP control channel
RDT data channel
RTP resend channel
RTCP reports
15
What is the effect when the command shown in the graphic is configured on a Cisco PIX Security Appliance?
ActiveX objects are allowed to local host 192.168.2.5 only.
ActiveX objects are sent to a filtering server at 192.168.2.5.
ActiveX objects are blocked on all inbound connections to local host 192.168.2.5.
ActiveX objects are blocked from local host 192.168.2.5 to all outbound connections.
16
A network administrator configured a Cisco PIX Security Appliance to limit connections to the application server at 192.168.10.5. Which configu
identifies traffic flows for the application server?
PIX(config)# access-list 125 permit tcp any host 192.168.10.5
PIX(config)# class-map APP_Server
PIX(config-cmap)# match any
PIX(config)# access-list 125 permit tcp any host 192.168.10.5
PIX(config)# service-policy APP_Server
PIX(config-smap)# match access-group 125
PIX(config)# access-list 125 permit tcp any host 192.168.10.5
PIX(config)# policy-map APP_Server
PIX(config-pmap)# match access-list 125
PIX(config)# access-list 125 permit tcp any host 192.168.10.5
PIX(config)# class-map APP_Server
PIX(config-cmap)# match access-list 125
17
Refer to the graphic. What is the result when the network administrator enters the command shown?
fw1(config)# access-list aclout line 4 permit tcp any host 192.168.0.9 eq www
It will replace the existing line 4 in the ACL.
It will push the current ACL line 4 and all of the lines that follow down one line.
It will require the ACL to be deleted and rewritten because it cannot be inserted as line 4.
It will be appended to the end of the ACL, and the current line 4 will be deleted.
Score: 91.7%
Download