Cisco Secure PIX Firewall Advanced Version 7.0


9E0-111 (CSPFA) Cisco Secure PIX Firewall Advanced Version 7.0

9E0 - 111 Leading the way in IT testing and certification tools, www.testking.com

Important Note, Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at http://www.testking.com/index.cfm?pageid=724

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at TestKing for an update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback
Feedback on specific questions should be sent to feedback@testking.com. You should state: exam number and version, question number, and login ID. Our experts will answer your mail promptly.

Explanations
Currently this product does not include explanations. If you are interested in providing TestKing with explanations contact feedback@testking.com. Include the following information: exam, your background regarding this exam in particular, and what you consider a reasonable compensation for the work.

Copyright
Each pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.

Note: Section A contains 106 questions. Section B contains 57 questions. Section C contains 170 questions. The total number of questions is 333.

Section A

QUESTION NO: 1
You are the network security administrator for an enterprise network with a complex security policy. Which PIX Firewall feature should you configure to minimize the number of ACLs needed to implement your policy?
A. ASA
B. Packet capture
C. Turbo ACLs
D. IP helper
E. Object grouping
Answer: E
Explanation: To simplify your configuration, object grouping is supported in Cisco PIX Device Manager Version 2.0. Object grouping enables you to define groups of objects such as hosts, IP addresses, or network services. You can use these groups, for example, when you create and apply access rules. When you include a Cisco PIX Firewall object group in a PIX Firewall command, it is the equivalent of applying every element of the object group to the PIX Firewall command.
Reference: Cisco PIX Device Manager Version 2.0 http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pixge_ds.pdf

QUESTION NO: 2
IPSec works with which switching paths? (Select all that apply.)
A. Process switching
B. Optimum switching
C. Fast switching
D. Flow switching
Answer: A, C
Explanation: Supported switching paths: IPSec works with process switching, fast switching, and Cisco Express Forwarding (CEF). IPSec does not work with optimum or flow switching.
Reference: Configuring IPSec Network Security http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdipsec.pdf

QUESTION NO: 3
Speaking of Security Association requirements, which of the following statements is true?
A. A set of SAs is needed, one per direction, per protected data pipe.
B. A set of SAs is needed, one per direction, per protocol, per protected data pipe.
C. A set of SAs is needed, one per protocol only.
D. A set of SAs is needed, per protocol, per protected data pipe.
Answer: B
Explanation: A set of SAs is needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports ESP between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
Reference: Configuring IKE Shared Secret Using AAA Server http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/ikessaaa.pdf

QUESTION NO: 4
The graphic shows the output from the show failover command. [Graphic output missing] This unit is active and the other unit is standby. For an unknown reason, failover is triggered and this unit becomes standby. We enter the command "show failover" again. What shall we see as the IP address of the [active-interface-inside]?
A. 172.29.1.2
B. 192.168.89.1
C. 0.0.0.0
D. 172.29.1.1
Answer: D
Explanation: When the primary PIX Firewall fails and the secondary PIX Firewall becomes active, the secondary PIX Firewall assumes the system IP addresses and MAC addresses of the primary PIX Firewall. The primary PIX Firewall, now functioning in standby, assumes the failover IP addresses and MAC addresses of the secondary PIX Firewall. So the active inside address shown after failover is still the system address the primary used while active.
Note: The graphic is missing, so the answer cannot be verified against the actual output.
Reference: Cisco Secure PIX Firewalls (Ciscopress) page 176

QUESTION NO: 5
Which of the following statements is not true regarding the DNS Guard?
A. If disabled, it can be enabled by the command: fixed protocol dns 53
B. The default UDP timer expires in two minutes.
C. It immediately tears down the UDP conduit on the PIX Firewall as soon as the DNS response is received.
D. It protects against UDP session hijacking and denial of service attacks.
Answer: A
Explanation: The DNS Guard performs the following actions:
- Automatically tears down the UDP conduit on the PIX Firewall as soon as the DNS response is received. It does not wait for the default UDP timer to close the session; the default UDP session timeout is two minutes.
- Protects against UDP session hijacking and DoS attacks.
Reference: Cisco Secure PIX Firewalls (Ciscopress) page 166

QUESTION NO: 6
In helping the user to choose the right IPSec transform combinations, the following rules apply: (Choose all that apply)
A. To provide authentication services for the transform set, include an AH transform.
B. For authentication services include an ESP authentication transform.
C. To provide data authentication for the data and the outer IP header, include an AH transform.
D. For data confidentiality include an ESP encryption transform.
E. MD5 is stronger than SHA.
Answer: A, B, C, D
Explanation: Choosing an IPSec transform combination can be complex. The following tips may help you select transforms that are appropriate for your situation:
- To provide data confidentiality, include an ESP encryption transform. Also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.
- To ensure data authentication for the outer IP header as well as the data, include an AH transform.
- To ensure data authentication (using either ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5, but it is slower.
Reference: Cisco Secure PIX Firewalls (Ciscopress) pages 212-213

QUESTION NO: 7
What is the command that enables IPSec traffic to bypass the check of conduit or access-group command statements?
A. conduit permit ip any any all
B. access-list acl_out permit tcp any any all / access-group acl_out interface outside
C. sysopt connection permit-ipsec
D. conduit permit tcp any any all
Answer: C
Explanation: Use the sysopt connection permit-ipsec command in IPSec configurations to permit IPSec traffic to pass through the PIX Firewall without a check of conduit or access-list command statements.
Reference: Cisco PIX Firewall Command Reference, Version 6.3 http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/index.htm

QUESTION NO: 8
All of the following statements are true, except:
A. Use the nat command to let users on the respective interfaces start outbound connections. Associate the nat id with the global id in the global command.
B. An interface is always outside when compared to another interface that has a higher security level.
C. Use a single default route statement to the outside interface only. Set the default route with the ip route command.
D. To permit access to servers on protected networks, use the static and conduit commands.
E. Packets cannot flow between interfaces that have the same security level.
Answer: C
Explanation: On the PIX Firewall the route command defines a static route for an interface; the route statement may have a specific destination, or a default static route may be created. The ip route command is Cisco IOS syntax: to establish static routes on an IOS router, use the ip route command in global configuration mode. Statement C is therefore the false one.
Reference: Cisco Secure PIX Firewalls (Ciscopress) page 61; Cisco IOS Master Commands List, Release 12.3(1) http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123mindx/crgindx.htm

QUESTION NO: 9
Which of the following statements are not true? (Choose all that apply)
A. The DMZ interface can be considered an inside or an outside interface.
B. The DMZ interface is always considered inside.
C. Traffic originating from the inside interface to the outside interface of the PIX Firewall will be allowed to flow unless restricted by access lists.
D. Traffic originating from the outside interface to the inside interface of the PIX Firewall will be dropped unless specifically allowed.
E. The DMZ interface is always considered outside.
Answer: B, E
Explanation: The DMZ is considered inside or outside relative to another interface, depending on the security levels involved. A static translation and an access list must be configured to enable sessions originated from the outside interface to the DMZ (which is inside relative to outside). Global and nat are typically configured to enable sessions originated from the inside interface to the DMZ interface; another option is the static command, which ensures the internal host keeps the same source address all the time.
Reference: Cisco Secure PIX Firewalls (Ciscopress) page 55

QUESTION NO: 10
The Adaptive Security Algorithm (ASA) is the heart of the PIX Firewall. Choose the strict rules that ASA follows: (Choose all that apply)
A. The highest security interface is the inside interface.
B. The highest security interface is the outside interface.
C. No outbound packet can exit the PIX Firewall without a connection and state.
D. No packet, regardless of its direction, can traverse the PIX Firewall without a connection or state.
E. No inbound packet can enter the PIX Firewall without a connection and state.
Answer: A, D
Explanation:
A. The inside interface has security level 100, the default and most trusted level on the PIX Firewall; it cannot be changed, and the organization's internal network should be placed behind that interface.
D. ASA allows data packets to flow through the PIX Firewall only if an appropriate connection exists to validate their passage.
Reference: Cisco Secure PIX Firewalls (Ciscopress) pages 20, 53

QUESTION NO: 11
Which statements about the PIX Firewall in VoIP environments are true? (Choose two)
A. The PIX Firewall does not support the popular call setup protocol SIP because TCP can be used for call setup.
B. The PIX Firewall allows SCCP signaling and media packets to traverse the PIX Firewall and interoperate with H.323 terminals.
C. The PIX Firewall supports the Skinny Client Control Protocol, which allows you to place IP phones and Call Manager on separate sides of the PIX Firewall.
D. Users behind the PIX Firewall can place outbound calls with IP phones because they use HTTP tunneling to route packets through port 80, making them appear as web traffic.
Answer: B, C
Explanation: Cisco Secure PIX Firewall application handling has been enhanced to support the Skinny Client Control Protocol (SCCP), used by Cisco IP phones for VoIP call signaling. This capability dynamically opens pinholes for media sessions and Network Address Translation (NAT)-embedded IP addresses. SCCP supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.
Reference: Cisco PIX Firewall Version 6.0 http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pix60_ds.pdf

QUESTION NO: 12
Your organization's web traffic has come to a halt because your PIX Firewall is dropping all new connection attempts. Why?
A. You are running a software version older than 5.2, and the embryonic threshold you set in the static command was reached.
B. The shun feature of the PIX Firewall has taken effect because the embryonic threshold you set in the nat command was reached.
C. The TCP Intercept feature of the PIX Firewall has taken effect because the embryonic threshold you set in the static command was reached.
D. The intrusion detection feature of the PIX Firewall has taken effect because the embryonic threshold you set in the conduit command was reached.
Answer: A
Explanation: Prior to version 5.2, the PIX Firewall offered no mechanism to protect systems reachable via a static and TCP conduit from TCP SYN segment attacks; once the embryonic limit was reached, new connections were simply dropped. With the TCP intercept feature introduced in 5.2, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN segment bound for the affected server is intercepted rather than dropped. This feature requires no change to the PIX Firewall command set, only that the embryonic connection limit on the static command has a new behavior.
Reference: Release Notes for the Cisco Secure PIX Firewall Version 5.2(1) http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/relnotes/pixrn521.pdf

QUESTION NO: 13
Which tasks can be performed from the Access Rules tab? (Choose three)
A. Configure translation rules.
B. Configure Cisco Secure ACS.
C. Configure access rules.
D. Define Java and ActiveX filtering rules.
E. Configure command authorization.
F. Create service groups and apply them to ACLs.
Answer: C, D, F
Explanation: Each interface on the PIX Firewall is associated with a list of Access Control Entries (ACEs), called an Access Control List (ACL). An ACL is an ordered list of rules that describe how an entire subnet or specific network host interacts with another to permit or deny a specific service, protocol, or both. From the Access Rules tab you configure these access rules, AAA rules, and filter rules for ActiveX and Java, and the Manage Service Groups button on the same tab creates the service object groups that access rules reference. Translation rules have their own PDM tab, and Cisco Secure ACS is configured on the ACS server, not from PDM.
Reference: Configuring Settings, Rules, and Building Blocks http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/pix/use_man/px_cnfig.pdf

QUESTION NO: 14
Where in PDM do you go to add, delete, or view global pools of addresses to be used by NAT?
A. Global Pools tab
B. System Properties tab
C. Manage Pools button on the Translation Rules tab
D. IP Address Pools button on the VPN tab
Answer: C
Explanation: The Translation Rules feature allows you to view all address translation rules applied to your network. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. Network Address Translation (NAT) allows your network to have any IP addressing scheme, and the PIX Firewall protects these addresses from visibility on the external network. You access this feature by selecting Configure > Translation Rules.
Reference: Configuring Settings, Rules, and Building Blocks http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/pix/use_man/px_cnfig.pdf

QUESTION NO: 15
Which step is optional when creating a crypto map on the PIX Firewall?
A. Create a crypto map entry identifying the crypto map with a unique crypto map name and sequence number.
B. Specify which transform sets are allowed for this crypto map entry.
C. Specify a dynamic crypto map to act as a policy template where the missing parameters are later dynamically configured to match a peer's requirements.
D. Assign an ACL to the crypto map entry.
E. Specify the peer to which IPSec-protected traffic can be forwarded.
Answer: C
Explanation: If you are not sure how to configure each crypto map parameter to guarantee compatibility with other peers, you might consider configuring dynamic crypto maps as described in the section "Dynamic Crypto Maps." Dynamic crypto maps are useful when the establishment of the IPSec tunnels is initiated by the peer. They are not useful if the establishment of the IPSec tunnels is locally initiated, because the dynamic crypto maps are policy templates, not complete statements of policy. (The access lists in any referenced dynamic crypto map entry are still used for crypto packet filtering.)
Reference: About IPSec http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/ipsec/ipsec.pdf

QUESTION NO: 16
Which type of downloadable ACL is best when there are frequent requests for downloading a large ACL?
A. Named ACLs
B. Unnamed ACLs
C. Dynamic ACLs
D. Static ACLs
Answer: A
Explanation: The following are the two methods for downloading an access list from an AAA server to the PIX Firewall:
- Downloading a named access list: configure a user (real) authentication profile to include a Shared Profile Component (SPC) and then configure the SPC to include the access list name and the actual access list. This method should be used when there are frequent requests for downloading a large access list.
- Downloading an access list without a name: configure a user authentication profile on an AAA server to include the PIX Firewall access list to be downloaded. This method should be used when there are no frequent requests for the same access list.
Reference: Controlling Network Access and Use http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/mngacl.pdf

[...]

... Reference: Cisco PIX Firewall Release Notes, Version 4.4(1) http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/relnotes/pixrn44.pdf

QUESTION NO: 58
Which statement about the PIX Firewall is true?
A. The PIX Firewall passes RIP updates between interfaces
B. You cannot configure the PIX Firewall to learn routes dynamically from RIP version 1 or RIP version 2 broadcast
C. The PIX Firewall uses...

... status waiting mean?
A. The active PIX Firewall is working and the standby PIX Firewall is ready
B. Monitoring the other PIX Firewall's network interface has not yet started
C. The active PIX Firewall is waiting for configuration replication to be completed
D. The primary PIX Firewall has finished testing the standby PIX Firewall's interfaces and the standby PIX Firewall is waiting to take control
Answer: ...

... PIX Firewall supports multimedia with or without NAT. Firewalls that cannot support multimedia with NAT limit multimedia usage to registered users only or require exposing inside IP addresses to the Internet.
Reference: Cisco Secure PIX Firewalls (Ciscopress) page 159

QUESTION NO: 54
Which command sets the Telnet password to cisco?
A. enable telnet password cisco
B. telnet password cisco
C. password cisco
...

... connection. The interface type is determined from the hardware.
Reference: Cisco PIX Firewall Software - Release Notes for the Cisco Secure PIX Firewall Version 6.0(1) http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a008008c3ce.html

QUESTION NO: 67
If you configure a VPN between a Cisco VPN Client and the PIX Firewall using preshared keys for authentication, which should you do? ...

... inside
Answer: B
Explanation: The nameif command assigns a name to each interface on the PIX Firewall and specifies its security level (except for the inside and outside PIX Firewall interfaces, which are named by default).
Reference: Cisco Secure PIX Firewalls (Ciscopress) page 56

QUESTION NO: 53
How does the PIX Firewall handle multimedia applications? (Choose two) ...

... an interface
Reference: Cisco PIX 500 Series Firewalls - Cisco PIX Firewall Software v5.2 http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b32.html

QUESTION NO: 35
Why are packets inspected on the PIX Firewall?
A. For valid users
B. For misconfiguration
C. For incorrect address
D. For malicious application misuse
Answer: D
Explanation: PIX Firewall is based on stateful...

... permit option in an access-list command statement, the PIX Firewall continues to process the packet. If you enter the deny option in an access-list command statement, the PIX Firewall discards the packet and generates the following syslog message
Reference: PIX Firewall Software Version 6.3 Commands http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm

QUESTION NO: 22
Which ...

... cisco
D. passwd cisco
Answer: D
Explanation: The password command sets a password for Telnet access to the PIX Firewall console. The keyword passwd is also accepted as a shortened form of password. Additionally, the firewall configuration displays the password using the short form, passwd.
Reference: PIX Firewall Software Version 6.3 Commands http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm

... peer
Reference: PIX Firewall Software Version 6.3 Commands http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm

QUESTION NO: 49
Which of the following statements are true regarding the sanity check of the PIX Firewall's failover feature? (Choose all that apply)
A. Both PIX Firewalls exchange ...
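The perimeter that questions 1, 8, 9, 10 and 12 above describe piecemeal (security levels, the PIX route command, nat/global for outbound flows, static plus ACL for inbound flows, the embryonic limit, and object grouping) written out as one PIX 6.3 configuration. This is an added example for this page, not text from the TestKing document or from Cisco's documentation; the interface names, addresses, object-group names and limits are invented for illustration.

```text
! Added example, not part of the TestKing document. Topology assumed:
! outside 203.0.113.0/24 (gateway .1), inside 10.1.1.0/24, dmz 192.168.1.0/24.

! Questions 9 and 10: inside (100) and outside (0) are fixed defaults; the DMZ
! sits between them, so it is "inside" relative to outside and "outside"
! relative to inside. Higher-to-lower flows are allowed by default, lower-to-
! higher flows are dropped unless a static and an ACL permit them.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0

! Question 8: one default route on the outside interface, set with the PIX
! "route" command (the "ip route" form is IOS syntax and is rejected here).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Question 9: inside -> outside and inside -> dmz need only nat + global;
! nat id 1 is associated with the global pools that carry the same id.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 203.0.113.3
global (dmz) 1 192.168.1.200-192.168.1.220

! Questions 9 and 12: outside -> dmz needs a static translation plus an ACL.
! The two trailing fields are max_conns (0 = unlimited) and emb_limit. On 5.2
! and later, reaching emb_limit (100 here) turns on TCP intercept for that
! server; on older releases the same threshold simply dropped every new SYN.
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 100
static (dmz,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255 0 100

! Question 1: object groups keep the policy to one ACE instead of one ACE per
! host per service (2 hosts x 2 services = 4 ACEs). The PIX expands the group
! members when the ACL is applied, so the effect is identical to writing the
! four entries by hand. Pre-8.3 ACLs match the translated (global) address.
object-group network DMZ_WEB_PUBLIC
  network-object host 203.0.113.10
  network-object host 203.0.113.11
object-group service WEB_TCP tcp
  port-object eq www
  port-object eq https
access-list acl_out permit tcp any object-group DMZ_WEB_PUBLIC object-group WEB_TCP
access-group acl_out in interface outside
```

Adding a third web server then means one more network-object line, not two more ACEs, which is the whole point of question 1; and because the emb_limit is per static, each server gets its own SYN-flood threshold rather than sharing one.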
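The crypto map steps of question 15, with the transform choice from question 6 and the bypass command from question 7, as one PIX 6.3 site-to-site IPSec configuration. This is an added example for this page, not text from the TestKing document or from Cisco; the peer address, protected networks, map and ACL names and the pre-shared key are invented, and the client-side settings a remote-access dynamic map would also need are deliberately left out.

```text
! Added example, not part of the TestKing document. Assumed: local LAN
! 10.1.1.0/24 behind this PIX, branch LAN 10.2.2.0/24 behind peer 198.51.100.2.

! IKE phase 1 policy and the pre-shared key for the remote peer.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key ExamplePreSharedKey address 198.51.100.2 netmask 255.255.255.255

! Question 6: an ESP encryption transform for confidentiality plus an ESP
! authentication transform (HMAC-SHA rather than MD5) for payload integrity.
! Add an AH transform (ah-sha-hmac) only if the outer IP header must also be
! authenticated.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac

! Question 15 step D: the crypto ACL selects the traffic to protect.
access-list VPN_TO_BRANCH permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Question 15 steps A, B, D, E: one static crypto map entry, identified by
! map name plus sequence number, with its ACL, peer and transform set.
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set transform-set STRONG

! Question 15 step C (the optional one): a dynamic map for peers whose address
! is not known in advance. It is a policy template, not a complete policy, so
! it goes last (highest sequence) and can only complete tunnels the peer
! initiates; it cannot be used to start a tunnel from this side.
crypto dynamic-map DYN_PEERS 10 set transform-set STRONG
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_PEERS

crypto map OUTSIDE_MAP interface outside

! Question 7: decrypted IPSec traffic skips the outside ACL/conduit check.
! Without this line every protected flow would also need its own permit in
! acl_out (or a conduit) on the outside interface.
sysopt connection permit-ipsec

! NAT exemption so private addresses travel through the tunnel untranslated.
nat (inside) 0 access-list VPN_TO_BRANCH
```

The static entry at sequence 10 is evaluated before the dynamic entry at 65535, so traffic matching VPN_TO_BRANCH always uses the known peer; only flows that match no static entry fall through to the template, which is why the ordering matters when both kinds are present.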

Posted: 22/10/2013, 16:15
