Cuestinario Final CCNAS 1.1

EXÁMEN 1 – 91.3% 1. What is a ping sweep? A ping sweep is a network scanning technique that indicates the live hosts in a range of  IP addresses. 2. A port scan is classified classified as what type of attack?

reconnaissance attack  3. An attacker is using a laptop as a rogue rogue access point to capture all network traffic from a targeted user. Which type of attack is this? man in the middle 4. What are the three major components of a worm attack? (Choose three.) enabling vulnerability payload propagation mechanism 5. What are the basic basic phases phases of attack that can can be used used by a virus virus or worm in in sequential sequential order? probe, penetrate, persist, propagate, and paralyze 6. Which access attack method involves a software program attempting to discover a system password by using an electronic dictionary? brute-force attack  7. How is a Smurf attack conducted? by sending a large number of ICMP requests to directed broadcast addresses from a spoofed source address on the same network  8. Which two statements describe access attacks? (Choose (Choose two.) Password attacks can be implemented using brute-force attack methods, Trojan Horses, or packet sniffers. Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or exploit systems to execute malicious code. 9. Which type of of software software typically typically uses a network network adapter adapter card in promiscuous promiscuous mode to capture all network packets that are sent across a LAN? packet sniffer 10. Which phase of worm mitigation requires compartmentalization compartmentalization and segmentation segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems? containment phase 11. What is a characteristic of a Trojan Trojan Horse?

A Trojan Horse can be carried in a virus or worm. 12. Which two statements are characteristics of a virus? (Choose (Choose two.) A virus typically requires end-user activation. A virus can be dormant and then activate at a specific time or date. 13. Which two are characteristics of DoS attacks? (Choose (Choose two.) They attempt to compromise the availability of a network, host, or application. Examples include smurf attacks and ping of death attack  14. Which three options describe the phases of worm mitigation? (Choose (Choose three.) The containment phase requires the use of incoming and outgoing ACLs on routers and firewalls. The inoculation phase patches uninfected systems with the appropriate vendor patch for the vulnerability. The treatment phase disinfects actively infected systems. 15. A disgruntled disgruntled employee employee is using using Wireshark Wireshark to discover administrative Telnet usernames and passwords. What type of network attack does this describe? reconnaissance 16. Which two network security solutions can be used to mitigate DoS attacks? (Choose two.) anti-spoofing technologies intrusion protection systems 17. 17. Users Users report report to the the helpdesk helpdesk that that icons icons usually usually seen seen on the menu menu bar are are randoml randomly y appearing on their computer screens. What could be a reason that computers are displaying these random graphics? A virus has infected the computers. 18. A network network adminis administrator trator detects unknown unknown sessio sessions ns involvin involving g port 21 on the network network.. What could be causing this security breach? An FTP Trojan Horse is executing. 19. Which statement accurately characterizes the evolution of network security? Internal threats can cause even greater damage than external threats. 20. 20. What What is consi conside dered red a valid valid meth method od of securi securing ng the cont contro roll plane plane in the Cisco Cisco NFP framework? routing protocol authentication 21. What are are two reasons reasons for securing securing the the data plane plane in the Cisco Cisco NFP framework? framework? (Choos (Choose e two.) to protect against DoS attacks

to force technicians to use SSH and HTTPS when managing devices 22. 22. Which Which type of secur security ity threat threat can can be descri described bed as softwa software re that that attaches attaches to anoth another er program to execute a specific unwanted function? Virus

EXÁMEN 2 – 100% 1. What What are three three require requiremen ments ts that that must must be met if an admini administr strator ator want wants s to maintai maintain n device configurations via secure in-band management? (Choose three.) network devices configured to accommodate SSH encryption of all remote access management traffic connection to network devices through a production network or the Internet 2. What are two characteristics of SNMP community strings? (Choose (Choose two.) SNMP read-only community strings can be used to get information from an SNMPenabled device. SNMP read-write community strings can be used to set information on an SNMP-enabled device.

3. Refer to the exhibit. Based on the output of the show show running-config command, which type of view is SUPPORT? superview, containing SHOWVIEW and VERIFYVIEW views 4. An administrator defined a local user account with a secret secret password on router R1 R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.) configure the IP domain name on the router generate the SSH keys enable inbound vty SSH sessions 5. Which command command is used to verify the existence existence of a secure Cisco IOS image file? - Ojo show secure bootset

6. Refer to the exhibit. Which statement statement regarding the JR-Admin account is true?  JR-Admin  JR-Ad min can can issue issue ping ping and reload comma commands. nds. 7. By default, how many seconds of delay between virtual login attempts is is invoked when the login block-for command is configured? one 8. Which recommende recommended d security security practice practice prevents prevents attackers attackers from performing performing password password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC mode? Locate the router in a secure locked room that is accessible only to authorized personnel. 9. Which Which set of commands commands are required required to create create a username username of admin, admin, hash the the password password using MD5, and force the router to access the internal username database when a user attempts to access the console? R1(config)# username admin secret Admin01pa55 R1(config)# line con 0 R1(config-line)# login local 10. Which Which two state statemen ments ts descr describe ibe the the initial initial deplo deployed yed servi services ces of Cisc Cisco o routers routers and and recommended security configuration changes? (Choose two.) ICMP un ICMP unrea reach chabl able e no noti tific ficati ation ons s are en enabl abled ed by de defau fault lt but sh shou ould ld be di disa sabl bled ed on untrusted interfaces. TCP keepalives are disabled by default but should be enabled globally to prevent certain DoS attacks. 11. Which three services does does CCP One-Step Lockdown Lockdown enable? (Choose three.) SSH access to the router password encryption firewall on all outside interfaces 12. Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.) physical security operating system security router hardening

13. Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.) This message is a level five notification message. This message indicates that service timestamps have been globally enabled.

14. 14. Ref Refer er to the exhib exhibit. it. Route Routers rs R1 and and R2 are connec connected ted via via a serial serial link. One One router router is configured as the NTP master, and the other is an NTP client. Which two pieces of information can be obtained from the partial output of the show ntp associations detail command on R2? (Choose two.) Router R1 is the master, and R2 is the client. The IP address of R1 is 192.168.1.2. 15. Why is the usernamenamesecret etpa pas sswor word usernamenamepasswordpassword usernamenamepassw ordpassword command?

com comman and d

prefe eferre rred

over

the th e

It uses the MD5 algorithm for encrypting passwords. 16. Which three options can be configured by Cisco AutoSecure? (Choose (Choose three.) CBAC security banner enable secret password 17. Which two characteristics apply to Role-Based CLI Access superviews? (Choose two.) Users logged in to a superview can access all commands specified within the associated CLI views. Commands cannot be configured for a specific superview. 18. Which statement statement describes the operation of the CCP Security Audit wizard? The wizard compares a router configuration against recommended settings. 19. Which three types types of views are available available when configu configuring ring the the Role-Based Role-Based CLI Access Access feature? (Choose three.) root view superview CLI view

20. If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.) Assign a secret password to the view. Assign commands to the view. Create a view using the parser viewview-name command.

EXÁMEN 3 – 100% 1. Which technology provides the framework to enable scalable access security? authentication, authorization, and accounting

2. Which authentication authentication method method stores stores usernames and passwords passwords in the router and is ideal for small networks? local AAA

3. How does a Cisco Secure ACS improve performance of the TACACS+ TACACS+ authorization authorization process? reduces delays in the authorization queries by using persistent TCP sessions 4. When configuring a Cisco Secure Secure ACS, how is the configuration interface accessed? A Web browser is used to configure a Cisco Secure ACS. 5. In regards to Cisco Secure ACS, ACS, what is a client device? a router, switch, firewall, or VPN concentrator 6.

What What is a diff differ eren ence ce be betw twee een n usin using g th the e logi login n loca locall comm comman and d an and d usin using g loca locall AA AAA A authentication for authenticating administrator access? Local AAA provides a way to configure backup methods of authentication; login local does not.

7. Ref Refer er to the exhib exhibit. it. Route Routerr R1 has been been confi configur gured ed as shown shown,, with the the resulti resulting ng log message. On the basis of the information presented, which two AAA authentication statements are true? (Choose two.)

The locked-out user failed authentication. The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued. 8.

Due to implemented security security controls, a user can only access a server with FTP. Which Which AAA component accomplishes this? authorization

9. Which two two modes modes are supporte supported d by AAA to to authenticat authenticate e users for accessing accessing the network  network  and devices? (Choose two.) character mode packet mode 10. When configuring configuring a method list for AAA authentication, what is the effect of the keyword local? It accepts a locally configured username, regardless of case. 11. Which two statements describe Cisco Cisco Secure ACS? (Choose two.) Cisco Secure ACS supports LDAP. Cisco Secure ACS supports both TACACS+ T ACACS+ and RADIUS protocols.

12. Which two AAA access method statements are true? (Choose two.) Character mode provides users with administrative privilege EXEC access and requires use of the console, vty, or tty ports. Packet mode provides remote users with access to network resources and requires use of dialup or VPN. 13. Which statement identifies an important difference between TACACS+ and RADIUS? RADIUS? The TACACS+ protocol allows for separation of authentication from authorization. 14. What is a characteristic of TACACS+? TACACS+ provides authorization of router commands on a per-user or per-group basis.

15. Refer to the exhibit. Router R1 is configured as shown. An administrative administrative user attempts to use Telnet from router R2 to router R1 using the interface IP address 10.10.10.1. However, Telnet access is denied. Which option corrects this problem? The administrative user should use the username Admin and password Str0ngPa55w0rd. 16. Which two features are included by both TACACS+ and RADIUS RADIUS protocols? (Choose two.) password encryption utilization of transport layer protocols 17. What is an effect if AAA authorization on a device is not configured? Authenticated users are granted full access rights. 18. Why is local database authentication preferred over a password-only password-only login? It provides for authentication and accountability.

19. Refer to the the exhibit. exhibit. In the network network shown, shown, which which AAA comman command d logs the the use of EXEC session commands? aaa accounting exec start-stop group tacacs+ 20. After accounti accounting ng is enabled enabled on on an IOS device, how how is a default default accounti accounting ng method method list list applied?

Accounting method lists are applied only to the VTY interfaces. (ojo) 21. What is the result if an administrator administrator configures the aaa authorization command prior to creating a user with full access rights? The administrator is immediately locked out of the system.

EXÁMEN 4 – 85.4% 1.

To facili facilitat tate e th the e trou troubl bles esho hoot otin ing g proces process, s, which which inbou inbound nd ICMP ICMP messag message e should should be permitted on an outside interface? echo reply

2. For a stateful firewall, which which information is stored in the stateful session flow table? source and destination IP addresses, and port numbers and sequencing information associated with a particular session

3. Which statement describes one of the rules governing interface behavior in the context of  implementing a zone-based policy firewall configuration? By default, traffic is allowed to flow among interfaces that are members of the same zone.

4. Refer to the exhibit. Which statement statement is true about the effect of this Cisco IOS zone-based zone-based policy firewall configuration? The firewall will automatically allow HTTP, HTTPS, and FTP traffic from fa0/0 to s0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.

5. When configuring a Cisco IOS zone-based zone-based policy firewall, which two actions can be applied to a traffic class? (Choose two.) drop inspect 6. Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.) sequence number SYN and ACK flags 7. Which two are characteristics of ACLs? (Choose two.) Extended ACLs can filter on destination TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses. 8. When using using CCP CCP to apply apply an ACL, ACL, the admini administrat strator or received received an informat informational ional message message indicating that a rule was already associated with the designated interface in the designated direction. The administrator continued with the association by selecting the merge option. Which statement describes the effect of the option that was selected? A new combined access rule was created using the new access rule number. Duplicate ACEs were removed.

9. Refer to the exhibit. Which statement statement describes describes the function of the ACEs? ACEs? These ACEs allow for IPv6 neighbor discovery traffic. 10. Which Which stateme statement nt correc correctly tly descri describes bes how how an ACL can be used used with the the accessaccess-clas class s command to filter vty access to a router? An extended ACL can be used to restrict vty access based on specific source addresses and protocol but the destination can only specify the keyword any 11. Which zone-b zone-based ased policy policy firewall firewall zone zone is system-d system-defined efined and and applies to traffic destin destined ed for the router or originating from the router? self zone 12. What is the first step in configuring a Cisco IOS zone-based policy firewall using using the CLI? Create zones. 13. Which command command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table? ipv6 traffic-filter ENG_ACL in

14. Refer to the the exhibit. exhibit. If a hacker on on the outside outside network network sends sends an IP packet packet with with source source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet? The packet is dropped.

15. What is a limitation of using object groups within an access control entry? It is not possible to delete an object group or make an object group empty if the object group is already applied to an ACE. 16. Class maps identify identify traffic and and traffic traffic parameters parameters for policy policy application application based on on which which three criteria? (Choose three.) access group protocol subordinate class map

17. Which statement statement describes a typical security policy for a DMZ firewall configuration? Traffic that originates from the DMZ interface is permitted to traverse the firewall to the outside interface with little or no restrictions. 18. Which statement statement describes describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model? A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer.

19. 19. Refer Ref er to the exhib exhibit. it. The The ACL state statemen mentt is the only only one explic explicitl itly y configur configured ed on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)

SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed. Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked. 20. When implementing an inbound Internet traffic ACL, what what should should be included to prevent the spoofing of internal networks? ACEs to prevent traffic from private address spaces

EXÁMEN 5 – 87.5%

1. Ref Refer er to the exhibi exhibit. t. When When modify modifying ing an IPS IPS signatur signature e action, action, which which two check check boxes boxes should be selected to create an ACL that denies all traffic from the IP address that is considered the source of the attack and drops the packet and all future packets from the TCP flow? (Choose two.) Deny Attacker Inline Deny Connection Inline 2. Why is a network that deploys only IDS particularly vulnerable to an atomic attack? The IDS permits malicious single packets into the network. 3. A network security administrator would like to check the number of packets that have been audited by the IPS. What command should the administrator use? show ip ips statistics 4. Which two Cisco IOS commands are required to enable IPS SDEE message message logging? (Choose two.) ip http server ip ips notify sdee

5. Refer to the exhibit. exhibit. Based Based on the the configurati configuration on that that is shown, shown, which which statemen statementt is true true about the IPS signature category? Only signatures in the ios_ips basic category will be compiled into memory for scanning. 6. Which two benefits does the IPS version 5.x signature format provide over the version 4.x signature format? (Choose two.) addition of a signature risk rating support for encrypted signature parameters

7. Whic Which h two files files could could be used used to implem implemen entt Cisco Cisco IOS IPS IPS with with versio version n 5.x forma formatt signatures? (Choose two.) IOS-Sxxx-CLI.pkg realm-cisco.pub.key.txt 8. A network network admini administr strator ator tune tunes s a signatur signature e to detect detect abnormal abnormal activi activity ty that that might might be mali malici ciou ous s an and d likel likely y to be an immed immedia iate te th thre reat. at. What What is the percei perceive ved d sever severit ity y of th the e signature? medium

9. Refer to the exhibit. exhibit. As an administr administrator ator is configu configuring ring an IPS, the error messag message e that is shown appears. What does this error message indicate? The public crypto key is invalid or entered incorrectly.

10. Refer to the exhibit. What action will be taken if a signature match occurs? The packet will be allowed, and an alert will be generated. 11. Which Which Cisco Cisco IPS feature allows for regular regular threat threat updates updates from the the Cisco Cisco SensorBas SensorBase e Network database? global correlation

12. Refer to the exhibit. Based on the configuration, what traffic is inspected by the IPS?

all traffic entering the s0/0/1 interface and all traffic entering and leaving the fa0/1 interface

13. What is a disadvantage of network-based IPS as compared to host-based IPS? Network-based IPS cannot examine encrypted traffic.

14. Refer to the the exhibit. exhibit. What What is the signific significance ance of the the number number 10 in the signatu signature re 6130 6130 10 command? It is the subsignature ID. 15. Which statement is true about about an atomic alert that is generated by an IPS? It is an alert that is generated every time a specific signature has been found.

16. Refer to the exhibit. Based on the configuration commands that are shown, how will IPS event notifications be sent? syslog format 17. An administrator is using CCP to modify a signature action so that if a match occurs, the packe packett an and d all futu future re packe packets ts from from th the e TCP TCP flow flow are are drop dropped ped.. What What actio action n shou should ld th the e administrator select? reset-tcp-connection 18. What information is provided by the show ip ips configuration configuration command? the default actions for attack signatures

19. Refer to the exhibit. What is the result result of issuing the Cisco IOS IPS commands on router R1? All traffic that is permitted by the ACL is subject to inspection by the IPS. 20. Which protocol is used when an IPS sends signature signature alarm messages? SDEE

EXÁMEN 6 – 83.3% 1. Which Cisco IronPort appliance would an organization install to protect against malware? S-Series 2. What is the goal of the Cisco NAC framework and the Cisco NAC appliance? to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network  3. Which two methods are used to mitigate VLAN attacks? (Choose (Choose two.) implementing BPDU guard on all access ports disabling DTP autonegotiation on all trunk ports 4. Which two measures are recommended to mitigate VLAN hopping attacks? (Choose two.) Use a dedicated native VLAN for all trunk ports. Disable trunk negotiation on all ports connecting to workstations. 5. As a recommended practice for Layer 2 security, how should VLAN 1 be treated? VLAN 1 should not be used. 6. Which Which attack attack relie relies s on the defau default lt automa automatic tic trunk trunking ing confi configur guratio ation n on most most Cisco Cisco switches? VLAN hopping attack  7. Under which circumstance is it safe to connect to an open wireless network? The device has been updated with the latest virus protection software. 8. Why are traditional network security perimeters not suitable for the latest consumer-based consumer-based network endpoint devices? These devices are more varied in type and are portable. 9. Which three three switch switch security security comma commands nds are are required required to enable enable port securit security y on a port so so that it will dynamically learn a single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.) switchport mode access switchport port-security switchport port-security mac-address sticky

10. Which command command is used to configure the PVLAN Edge feature? switchport protected 11. Which Cisco Cisco IronPort IronPort applianc appliance e would would an organizatio organization n install install to manage manage and monitor monitor security policy settings and audit information? M-Series

12. 12. Ref Refer er to the exhibi exhibit. t. What What action action will will the switch switch take take when the the maximum maximum numb number er of  secure MAC addresses has reached the allowed limit on the Fa0/2 port? Packets with unknown source addresses are dropped without notification.

13. What is the default configuration of the PVLAN PVLAN Edge feature on a Cisco switch? No ports are defined as protected. 14. Which three are SAN transport technologies? (Choose three.) Fibre Channel iSCSI FCIP 15. What is an example of a trusted path in an operating system? Ctrl-Alt-Delete key sequence 16. Which software tool can a hacker use to flood the MAC MAC address table of a switch? macof  17. Which statement statement is is true about about a charact characteristi eristic c of the PVLAN PVLAN Edge feature feature on on a Cisco Cisco switch? All data traffic that passes between protected ports must be forwarded through a Layer 3 device. 18. Which option best describes a MAC address spoofing spoofing attack? An attacker alters the MAC address of his host to match another known MAC address of a target host. 19. 19. With With IP voice voice syst system ems s on data data netwo networks rks,, which which two types types of atta attack cks s targe targett VoIP VoIP specifically? (Choose two.)

SPIT vishing 20. When the the Cisco Cisco NAC applianc appliance e evaluates evaluates an incoming incoming connection connection from a remote remote device device against the defined network policies, what feature is being used? authentication and authorization

EXÁMEN 7 – 85.4% 1. A custom customer er purch purchase ases s an item item from an an e-comm e-commerc erce e site. site. The e-com e-commer merce ce site site must must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required? nonrepudiation of the transaction 2. Which encryption protocol provides network layer confidentiality? IPsec protocol suite 3. Which charact characteristi eristic c of security security key managemen managementt is responsibl responsible e for making making certain certain that weak cryptographic keys are not used? verification

4. Refer to the exhibit. Which type of cipher method is depicted? transposition cipher 5. Why is RSA typically used to protect only small amounts of data? The algorithms used to encrypt data are slow. 6. Which statement describes a cryptographic hash function?

A one-way cryptographic hash function is hard to invert. 7. Two users users must must authenticat authenticate e each other other using digital digital certificate certificates s and a CA. Which Which option option describes the CA authentication procedure? The users must obtain the certificate of the CA and then their own certificate. 8. Which statement describes asymmetric encryption algorithms? They are relatively slow because they are based on difficult computational algorithms.

9. Which statement is a feature of HMAC? HMAC uses a secret key as input to the hash function, adding authentication to integrity assurance. 10. 10. Which Which two two non-se non-secre crett number numbers s are initi initially ally agre agreed ed upon upon when when the the DiffieDiffie-Hell Hellman man algorithm is used? (Choose two.) generator prime modulus 11. Which two statemen statements ts correctl correctly y describe describe certifica certificate te classes classes used in the PKI? (Choos (Choose e two.) A class 0 certificate is for testing purposes. A class 4 certificate is for online business transactions between companies. 12. The network network adminis administrator trator for an e-commerc e-commerce e website website requires requires a service service that prevents prevents customers from claiming that legitimate orders are fake. What service provides this type of  guarantee? nonrepudiation

13. How do modern cryptographers defend against brute-force attacks? Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack. 14. Which type of cryptographic key would be used when connecting to a secure website? symmetric keys 15. An administ administrator rator requires requires a PKI that supports supports a longer longer lifetime lifetime for for keys used used for digital digital signing operations than for keys used for encrypting data. Which feature should the PKI support? usage keys 16. Which three primary primary functions functions are required required to to secure secure communi communication cation across network  network  links? (Choose three.) authentication

confidentiality integrity

17. What is the basic method used by 3DES to encrypt plaintext? The data is encrypted, decrypted, and encrypted using three different keys. 18. Which algorithm is used to automatically generate a shared shared secret for two systems to use in establishing an IPsec VPN? DH

19. Refer to the exhibit. Which encryption algorithm is described in the exhibit? 3DES 20. What does it mean when when a hashing algorithm algorithm is collision resistant? resistant? Two messages with the same hash are unlikely to occur.

EXÁMEN 8 – 85.4%

1. Refer to the exhibit. A site-to-site site-to-site VPN is required from R1 to R3. The administrator is using using the CCP Site-to-Site VPN wizard on R1. Which IP address should the administrator enter in the highlighted field?

10.2.2.2 2. A network network administra administrator tor is planning planning to implem implement ent centraliz centralized ed management management of Cisco VPN VPN devices to simplify VPN deployment for remote offices and teleworkers. Which Cisco IOS feature would provide this solution? Cisco Easy VPN 3. Which UDP UDP port must must be permitted permitted on any IP interface interface used used to exchange exchange IKE IKE information information between security gateways? 500

4. Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 an and d R2. R2. Assu Assumi ming ng th the e R2 GR GRE E conf config igur urat atio ion n is corr correc ectt an and d ba base sed d on th the e runn runnin ing g configuration of R1, what must the administrator do to fix the problem? Change the tunnel destination to 209.165.200.22 209.165.200.225. 5.

5. Refer to the exhibit. exhibit. Based Based on on the CCP CCP settings settings that that are shown, shown, which which Easy Easy VPN VPN Server Server component is being configured? group policy 6. With the the Cisco Easy Easy VPN feature, which process process ensures ensures that that a static static route is is created on the Cisco Easy VPN Server for the internal IP address of each VPN client? Reverse Route Injection 7. When using using ESP tunnel mode, which portion of the packet is not authenticated? new IP header

8. Which statement describes an important characteristic characteristic of a site-to-site site-to-site VPN? It must be statically set up. 9. Which action do IPsec peers take during the IKE Phase 2 exchange? negotiation of IPsec policy 10. When configuring an IPsec VPN, what is used to define the traffic that is sent through the IPsec tunnel and protected by the IPsec process? crypto ACL 11. Which two statements accurately describe characteristics of IPsec? (Choose (Choose two.) IPsec works at the network layer and operates over all Layer 2 protocols. IPsec is a framework of open standards that relies on existing algorithms. 12. A user launches launches Cisco VPN VPN Client Client software software to connect connect remotely remotely to a VPN VPN service. service. What What does the user select before entering the username and password? the desired preconfigured VPN server site

13. Refer to the exhibit. exhibit. Based on the CCP screen that is shown, which two conclusions can be drawn about the IKE policy that is being configured? (Choose two.) It will use digital certificates for authentication. It will use a very strong encryption algorithm. 14. What is the default default IKE policy value for encryption? DES 15. How many bytes of overhead are added to each IP packet while it is transported through a GRE tunnel? 24

16. Which two authenti authentication cation methods methods can be configured configured when using using the CCP Site-toSite-to-Site Site VPN wizard? (Choose two.) pre-shared keys digital certificates 17. 17. When When verifyi verifying ng IPsec IPsec configu configurati rations ons,, which which show comma command nd displa displays ys the encryp encryptio tion n algorithm, hash algorithm, authentication method, and Diffie-Hellman group configured, as well as default settings? show crypto isakmp policy

18. Refer to to the exhibit. exhibit. Which Which two IPsec framewo framework rk componen components ts are are valid options options when when configuring an IPsec VPN on a Cisco ISR router? (Choose two.) Confidentiality options include DES, 3DES, and AES. Diffie-Hellman options include DH1, DH2, and DH5.

19. What are two benefits of an SSL VPN? (Choose (Choose two.) It has the option of only requiring an SSL-enabled web browser. It is compatible with DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT. 20. What is required for a host to use an SSL VPN to connect to a remote network device? A web browser must be installed on the host.

EXÁMEN 10 – 90.4% 1. Which three components components must be configured when implementing a client-based SSL VPN on an ASA 5505 device? (Choose three.) client address assignment client image group policy 2. Which option lists the four steps to configure the Modular Policy Framework on an ASA? 1) Co Conf nfig igur ure e ex exte tend nded ed AC ACLs Ls to id ident entif ify y sp speci ecific fic gr gran anul ular ar tr traff affic ic.. Thi This s st step ep ma may y be optional. 2) Configure the class map to define interesting traffic. 3) Configure a policy map to apply actions to the identified traffic. 4) Configure a service policy to identify which interface should be activated for the service.

3. Refer to the exhibit. What will be displayed displayed in the output of the show running-config object command after the exhibited configuration commands are entered on an ASA 5505?

range 192.168.1.10 192.168.1.20

4. Refer to the exhibit. exhibit. An An administr administrator ator has has entered entered the indicated indicated command commands s on an ASA 5505 5505.. Ba Base sed d on th the e info inform rmat atiion pres presen ente ted, d, what what type type of remo remote te acce access ss VPN VPN ha has s th the e administrator configured? a clientless SSL VPN via a web browser 5. Which Cisco Cisco ASDM ASDM menu menu sequence sequence would would be used used to edit a client-b client-based ased AnyCon AnyConnect nect SSL SSL VPN configuration? Configuration > Remote Access VPN > Network (Client) Access 6. Which three types of remote access VPNs are supported on ASA devices? (Choose three.) Clientless SSL VPN using a web browser IPsec (IKEv1) VPN using the Cisco VPN Client SSL or IPsec (IKEv2) VPN using the Cisco AnyConnect Client

7. Refer to the exhibit. Which ASDM ASDM menu menu sequence would be required to configure Telnet or SSH AAA authentication using a TACACS server first or the local device user database if the TACACS server authentication is unavailable? Configuration > Device Management > Management Access > ASDM/HTTPS/ ASDM/HTTPS/Telnet/SSH Telnet/SSH 8. When the ASA ASA recognizes recognizes that that the the incoming incoming packets packets are part of an already already establi established shed connection, which three fast path tasks are executed? (Choose three.) adjusting Layer 3 and Layer 4 headers performing IP checksum verification performing TCP sequence number checks 9. Which two statements correctly describe the ASA as an advanced stateful stateful firewall? (Choose (Choose two.) In routed mode, an ASA can support two or more Layer 3 interfaces. The first packet of a flow examined by an ASA goes through the session management path. 10. Which three wizards are included in Cisco ASDM 6.4? (Choose three.) Security Audit wizard Startup wizard VPN wizard

11. Refer to the exhibit. exhibit. Which Which three three sets of configurati configuration on commands commands were entered entered on the ASA 5505? (Choose three.) 2.1- interface e0/0 2.2.- switchport access vlan 2 2.3.- no shut 2.4.- exit 3.1.- interface vlan 2 3.2.- nameif outside 3.3.- security-level 0 3.4.- ip address 209.165.200.226 255.255.255.248 255.255.255.248 12. Which three components must be configured when using using the Site-to-Site VPN Connection Setup wizard in ASDM? (Choose three.) authentication method encryption algorithms IKE version

13. Which three components must be configured when implementing a clientless SSL VPN on an ASA 5505 device? (Choose three.) bookmark lists connection profile name group policy 14. Which option lists the ASA adaptive security algorithm session management management tasks in the correct order? 1) performing the access list checks

2) performing route lookups 3) allocating NAT translations (xlates) 4) establishing sessions in the "fast path"

15. Refer to the the exhibit. exhibit. A remote remote host host is connecting connecting to an ASA ASA 5505 via a VPN connection. connection. Once authenticated, the host displays the highlighted system tray icon. On the basis of the information that is presented, what three assumptions can be made? (Choose three.) The host has connected to the ASA via a client-based SSL VPN connection. The host is connected via the AnyConnect VPN client. The host is connected via the Cisco VPN client. 16. What are three characteristics of ASA transparent transparent mode? (Choose three.) This mode does not support VPNs, QoS, or DHCP Relay. This mode is referred to as a "bump in the wire." In this mode the ASA is invisible to an attacker.

17. Refer to the exhibit. According to the exhibited command output, which three statements are true about the DHCP options entered on the ASA 5505? (Choose three.) The dhcpd auto-config outside command was issued to enable the DHCP client. The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server. The dhcpd enable insidecommand was issued to enable the DHCP server.

18. An administra administrator tor has successfull successfully y configured configured a site-to-si site-to-site te VPN on an ASA ASA 5505. 5505. Which Which ASDM menu sequence displays the number of packets encrypted, decrypted, and security association requests?

Monitoring > VPN > VPN Statistics > Crypto Statistics 19. In what three three ways do the 5505 5505 and 5510 5510 Adaptive Adaptive Security Security Applianc Appliances es differ? differ? (Choose (Choose three.) in the maximum traffic throughput supported in the number of interfaces in types of interfaces 20. Which three security features do ASA models 5505 and 5510 support by default? (Choose three.) intrusion prevention system stateful firewall VPN concentrator