Document: Managing Cisco Network Security (MCNS) pdf


Document information

640-442 CISCO: Managing Cisco Network Security (MCNS)
640-442, Version 6.0, Jun 17th, 2003
21certify.com

Study Tips

This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Latest Version

We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 365 days after the purchase. You should check the products page on the www.21certify.com web site for an update 3-4 days before the scheduled exam date.

Important Note: Please Read Carefully

This 21certify Exam has been carefully written and compiled by 21certify Exams experts. It is designed to help you learn the concepts behind the questions rather than be a strict memorization tool. Repeated readings will increase your comprehension. We continually add to and update our 21certify Exams with new questions, so check that you have the latest version of this 21certify Exam right before you take your exam. For security purposes, each PDF file is encrypted with a unique serial number associated with your 21certify Exams account information. In accordance with International Copyright Law, 21certify Exams reserves the right to take legal action against you should we find copies of this PDF file have been distributed to other parties. Please tell us what you think of this 21certify Exam. We appreciate both positive and critical comments as your feedback helps us improve future versions. We thank you for buying our 21certify Exams and look forward to supplying you with all your Certification training needs. Good studying!

21certify Exams Technical and Support Team
21certify.com

Q.1 What are three commands that can be used in enabling NAT?
(Choose three)
A. nat
B. static
C. global
D. conduit
E. xlate enable
Answer: A, B, C

Q.2 Which three databases are supported by the Cisco Secure ACS for UNIX? (Choose three)
A. Oracle
B. Sybase
C. NDS (Novell)
D. SQL Anywhere
E. Windows NT user database
Answer: A, B, D

Q.3 Given the following debug output:
    1d16h: %UPLINK-3-UPDOWN: Interface Serial3/0, changed state to up
    *Mar 16:52:297: Se3/0 PPP: Treating connection as a dedicated line
    *Mar 16:52:441: Se3/0 PPP: Phase is AUTHENTICATING, by this end
    *Mar 16:52:445: Se3/0 CHAP: O CHALLENGE id len 29 from "NASx"
Which two statements are true? (Choose two)
A. The user ID is NASx
B. This is a connection attempt to an async port
C. The connection is established on serial interface 3/0
D. The user is authenticating using Challenge Handshake Authentication Protocol (CHAP)
E. The client is attempting to set up a Serial Line Internet Protocol (SLIP) connection
Answer: C, D

Q.4 To ensure compatibility with IPSec when using Internet Key Exchange (IKE), what must be allowed through an access list (ACL)?
A. IP protocol 50 and TCP port 500
B. IP protocol 50 and UDP port 51
C. IP protocol 51, TCP port 500 and UDP port 50
D. IP protocol 50, IP protocol 51 and UDP port 500
Answer: D

Q.5 Java inspection was properly configured with Context-Based Access Control (CBAC) to allow only applets from a trusted Web server. What happens when a user attempts to download an applet from an untrusted server using FTP (assuming that FTP is allowed between the two by CBAC)?
A. CBAC requests user authentication
B. The applet is downloaded successfully
C. The FTP session is terminated by CBAC
D. The packets containing the applet are dropped by CBAC
Answer: B

Q.6 Which Cisco IOS feature should be used when hiding multiple hosts behind a single IP address?
A. PAT
B. ACL
C. DHCP
D. CBAC
Answer: A

Q.7 Which encryption algorithms are supported by the Cisco Secure VPN Client?
A. Null, CAST-128 and DES
B. DES, Triple-DES and Null
C. DES, CAST-128 and Blowfish
D. DES, Blowfish and Diffie-Hellman
Answer: B

Q.8 Given the following output:
    Crypto Map: "s1first" idb: Serial0 local address: 172.16.254.201
    Crypto Map "s1first" 20 ipsec-isakmp
        Peer = 172.16.254.212
        Extended IP access list 101
            access-list 101 permit ip
                source: addr = 172.16.152.0/0.0.0.255
                dest:   addr = 0.0.0.0/255.255.255.255
        Current peer: 172.16.254.212
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ secure1, }
Which command was used to generate this display?
A. show crypto ip map
B. show crypto ipsec sa
C. show crypto map
D. show crypto ipsec transform-set
Answer: C

Q.9 The PIX firewall operates with three rules that govern how to use the security level field. What are these three rules? (Choose three)
A. Security level is the least secure
B. Security level 100 is the most secure
C. The lowest security level is for the inside interface
D. The highest security level is for the outside interface
E. Conduit and static commands are required to enable traffic that originates from outside and has an inside destination
Answer: A, B, E

Q.10 Which statement about the PIX password recovery procedure is true?
A. The password recovery of the PIX 515 requires an FTP server
B. The PIX firewall needs to be reloaded during password recovery
C. Password recovery can only be done on a PIX firewall with a floppy drive
D. The config-register has to be set to 0x2142 before password recovery
Answer: C

Q.11 Which three statements apply to AAA on a PIX firewall? (Choose three)
A. Only inbound connections can be authenticated by AAA
B. FTP, HTTP and Telnet can be authenticated using AAA
C. The PIX can authenticate Enable mode access using AAA
D. The PIX can authenticate serial console access using AAA
Answer: A, B, C

Q.12 Exhibit:
Which PIX command statically translates the IP address of the Mail server to 182.16.1.4?
A. static (dmz, outside) 172.16.2.4 182.16.1.4
B. static (outside, dmz) 182.16.1.4 172.16.2.4
C. static (dmz, outside) 182.16.1.4 172.16.2.4
D. static (inside, outside) 182.16.1.4 172.16.2.4
Answer: B

Q.13 Which statement best describes the Encapsulating Security Payload (ESP) header?
A. It is inserted before an encapsulated IP header in Tunnel mode
B. It is inserted before an encapsulated IP header in Transparent mode
C. It is inserted after the IP header and before the upper layer protocol header in Tunnel mode
D. It is inserted after the IP header and after the upper layer protocol header in Transport mode
Answer: A

Q.14 Which two protocols are known to pose security threats? (Choose two)
A. SNMP
B. NNTP
C. SMTP
D. CHAP
E. Frame Relay
Answer: A, C

Q.15 If a Security Association (SA) was previously established with Internet Key Exchange (IKE), what will the following command do on the router?
A. It clears the SA symmetric key
B. It clears the SA authentication key
C. It deletes the SA from the SA database
D. It re-initializes every peer's secret key
Answer: C

Q.16 After the installation of Cisco Secure VPN Client is complete, you need either _ for authentication.
A. A user ID or a password
B. An error-correcting code (ECC) key or a pre-shared key
C. An ECC key or a digital certificate
D. A pre-shared key or a digital certificate
Answer: A

Q.17 Which two statements are true? (Choose two)
A. There are few good security products
B. A lack of a consistent security policy is a security risk
C. Security should only be implemented on the perimeter devices
D. Individual products must be integrated into a complete network solution
Answer: B, C

Q.18 A masquerade attack occurs when an attacker pretends to come from a trusted host by stealing its _
A. User group
B. IP address
C. Account ID
D. Challenge Handshake Authentication Protocol (CHAP) password
Answer: B

Q.19 Which command is most useful to troubleshoot a Challenge Handshake Authentication Protocol (CHAP)
authentication attempt?
Answer: D

Q.20 When the nat (inside) command is configured on a PIX firewall, IP addresses are translated
A. DMZ
B. No inside
C. Only private
D. Global outside
Answer: B

Q.21 Which two commands prevent a chargen attack? (Choose two)
A. no ip redirects
B. no service finger
C. no chargen enable
D. no tcp-small-servers
E. no udp-small-servers
Answer: D

Q.22 Which services can be authenticated using AAA on a PIX firewall? (Choose three)
A. FTP
B. POP
C. HTTP
D. SMTP
E. TFTP
F. TELNET
Answer: A, C, F

Q.23 Which three external databases are supported by CSNT? (Choose three)
A. NDS
B. Oracle
C. Windows NT
D. Token server
Answer: A, C, D

Q.24 You generate general purpose RSA keys. The router will have one _
A. RSA key pair
B. RSA key pair per peer
C. RSA key pair and one certificate per peer
D. RSA key pair per peer and one certificate per peer
Answer: A

Q.25 Which three statements about Encapsulating Security Payload are true? (Choose three)
A. It encapsulates the data
B. It uses symmetric secret key algorithms
C. It provides protection to the outer headers
D. It encrypts the payload for data confidentiality
Answer: A, B, D

Q.26 Exhibit:
Which command do you use to ping the NAS from the PIX firewall?
A. ping 10.1.1.1
B. ping –s 10.1.1.1
C. ping –t 10.1.1.1
D. ping inside 10.1.1.1
E. ping outside 10.1.1.1
Answer: D

Q.27 Which PIX firewall command denies any internal hosts from downloading Java applets?
Answer: A

Q.28 Which command allows you to view the PIX firewall software version?
A. show os
B. show pix
C. show version
D. debug version
E. show software
Answer: C

Q.29 With TCP inspection, which three parameters are used by Context-Based Access Control (CBAC) to permit a packet received on the external interface? (Choose three)
A. Source IP address
B. Source port number
C. TCP sequence number
D. Destination port number
E. Destination MAC address
Answer: A, B, D

Q.30 Which three statements about PIX firewall multimedia support are true?
(Choose three)
A. It supports multimedia with or without NAT
B. It reserves all available UDP and TCP ports
C. Using PAT with multimedia can create port conflicts
D. It statically opens/closes UDP ports for multimedia connections
Answer: A, B, C

Q.31 Given the following configuration command:
    Router(config)#aaa authorization network abc tacacs local
Assuming all interfaces are configured to use default authentication, which statement is true?
A. The NAS will use the enable password by default
B. If the TACACS server is unreachable, the local database will be used
C. If the TACACS server is unreachable, NAS access will be enabled by default
D. If the Terminal Access Controller Access Control System (TACACS) server is unreachable, no access will be permitted
Answer: B

Q.32 Which authentication method is the most secure?
A. S/KEY
B. username/password
C. one-time passwords
D. token cards/soft tokens
Answer: D

Q.33 Given the following interface configuration:
    interface serial
    ip address 172.16.1.1 255.255.255.0
    ip access-group 101 in
Which access list (ACL) line allows Internet Security Association and Key Management Protocol (ISAKMP) from router 172.16.1.2?
A. access-list 101 permit ahp host 172.16.1.2 host 172.16.1.1
B. access-list 101 permit isakmp host 172.16.1.2 host 172.16.1.1
C. access-list 101 permit udp host 172.16.1.2 host 172.16.1.1 eq isakmp
D. access-list 101 permit tcp host 172.16.1.2 host 172.16.1.1 eq isakmp
Answer: C

Q.34 Context-Based Access Control (CBAC) allows replies for sessions originating from the hosts
A. WAN
B. internal
C. external
D. destination
Answer: B

Q.35 Which IOS feature best prevents eavesdropping?
A. IPSec
B. CBAC
C. Lock and Key
D. TCP intercept

Given the configuration example in the exhibit, authentication through the vty port would use which method?
A. Line password
B. No access permitted
C. No authentication required
D. Default authentication used
Answer: D

Q.65 The _ command shows ICMP packet information on a PIX firewall.
A. show icmp
B. debug ping
C. debug ip icmp
D. debug icmp trace
Answer: C

Q.66 Which AAA server products are used on a PIX firewall? (Choose two)
A. AUTH
B. RADIUS
C. XTACACS
D. TACACS+
E. KERBEROS
Answer: B, D

Exhibit (partial configuration of a PIX firewall):
    nameif ethernet0 outside sec0
    nameif ethernet1 inside sec100
    nameif ethernet2 dmz sec50
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    ip address outside 182.16.1.1 255.255.255.0
    ip address inside 10.1.1.3 255.255.255.0
    ip address dmz 172.16.2.1 255.255.255.0

Q.67 Which three databases are supported by the Cisco Secure ACS for UNIX? (Choose three)
A. Oracle
B. Sybase
C. NDS (Novell)
D. SQL Anywhere
E. Windows NT user database
Answer: A, B, D

Q.68 To enable Network Address Translation on the PIX firewall for all internal hosts, which two commands need to be used? (Choose two)
A. nat (inside) 0.0.0.0 0.0.0.0 0
B. nat (inside) 0.0.0.0 0.0.0.0 0
C. nat (outside) 0.0.0.0 0.0.0.0 0
D. global (inside) 192.168.1.10-192.168.1.254 netmask 255.255.255.0
E. global (outside) 192.168.1.10-192.168.1.254 netmask 255.255.255.0
Answer: B, E

Q.69 Which firewall command manually saves the configuration of the active failover unit to the standby failover unit, from the RAM in the active unit to the RAM in the standby unit?
A. write network
B. write standby
C. write failover
D. write secondary
Answer: B

Q.70 Given the inspect statement:
    ip inspect name mcns http java-list 12
If you only trust Java applets from web server 10.16.2.2, which access list line is required to permit Java applets?
A. access-list 12 permit 10.16.2.2
B. access-list 12 permit tcp host 10.16.2.2 any
C. access-list 12 permit tcp 10.16.2.2 any eq www
D. access-list 12 permit host 10.16.2.2 any eq http
Answer: A

Q.71 Given the following output of the sh xlate command:
    Global 16.130.3.17 Local 16.130.3.17 static nconns 10 econns
    Global 16.130.3.16 Local 16.130.3.16 static nconns 42 econns
How many embryonic connections are in the translation table?
A.
B. 13
C. 44
D. 52
E. 57
Answer: A

Q.72 Given the following configuration statement:
    Router(config)# aaa account network wait-start radius
Which three statements are true? (Choose three)
A. The accounting records are stored on a Remote Authentication Dial-In User Service (RADIUS) server
B. Stop-accounting records for network service requests are sent to the RADIUS server
C. Start-accounting records for network service requests are sent to the local database
D. The requested service cannot start until the acknowledgement has been received from the RADIUS server
Answer: D

Q.73 MD5 routing authentication is used with which three protocols? (Choose three)
A. RIP
B. BGP
C. OSPF
D. IGRP
E. EIGRP

Date posted: 10/12/2013, 14:16
