ccna sec 1.2 exas

5/20/2018 ccna sec 1.2 exas

1/27

EXMEN 191.3%

1. What is a ping sweep?

A ping sweep is a network scanning technique that indicates the live hosts in a range of IP addresses.

2. A port scan is classified as what type of attack?

reconnaissance attack

3. An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted user. Which type ois this?

man in the middle

4. What are the three major components of a worm attack? (Choose three.)

enabling vulnerability

payload

propagation mechanism

5. What are the basic phases of attack that can be used by a virus or worm in sequential order?

probe, penetrate, persist, propagate, and paralyze

6. Which access attack method involves a software program attempting to discover a system password by using an e

dictionary?

brute-force attack

7. How is a Smurf attack conducted?

by sending a large number of ICMP requests to directed broadcast addresses from a spoofed source address

same network

8. Which two statements describe access attacks? (Choose two.)

Password attacks can be implemented using brute-force attack methods, Trojan Horses, or packet sniffers.

Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or exploit sys

execute malicious code.

9. Which type of software typically uses a network adapter card in promiscuous mode to capture all network packets

sent across a LAN?

packet sniffer

10. Which phase of worm mitigation requires compartmentalization and segmentation of the network to slow down

the worm and prevent currently infected hosts from targeting and infecting other systems?

containment phase

11. What is a characteristic of a Trojan Horse?

A Trojan Horse can be carried in a virus or worm.


2/27

12. Which two statements are characteristics of a virus? (Choose two.)

A virus typically requires end-user activation.

A virus can be dormant and then activate at a specific time or date.

13. Which two are characteristics of DoS attacks? (Choose two.)

They attempt to compromise the availability of a network, host, or application.

Examples include smurf attacks and ping of death attack

14. Which three options describe the phases of worm mitigation? (Choose three.)

The containment phase requires the use of incoming and outgoing ACLs on routers and firewalls.

The inoculation phase patches uninfected systems with the appropriate vendor patch for the vulnerability.

The treatment phase disinfects actively infected systems.

15. A disgruntled employee is using Wireshark to discover administrative Telnet usernames and passwords. What

network attack does this describe?

reconnaissance

16. Which two network security solutions can be used to mitigate DoS attacks? (Choose two.)

anti-spoofing technologies

intrusion protection systems

17. Users report to the helpdesk that icons usually seen on the menu bar are randomly appearing on their computer

What could be a reason that computers are displaying these random graphics?

A virus has infected the computers.

18. A network administrator detects unknown sessions involving port 21 on the network. What could be causing this

breach?

An FTP Trojan Horse is executing.

19. Which statement accurately characterizes the evolution of network security?

Internal threats can cause even greater damage than external threats.

20. What is considered a valid method of securing the control plane in the Cisco NFP framework?

routing protocol authentication

21. What are two reasons for securing the data plane in the Cisco NFP framework? (Choose two.)

to protect against DoS attacks

to force technicians to use SSH and HTTPS when managing devices

22. Which type of security threat can be described as software that attaches to another program to execute a

unwanted function?

Virus


3/27

EXMEN 2100%

1. What are three requirements that must be met if an administrator wants to maintain device configurations via se

band management? (Choose three.)

network devices configured to accommodate SSH

encryption of all remote access management traffic

connection to network devices through a production network or the Internet

2. What are two characteristics of SNMP community strings? (Choose two.)

SNMP read-only community strings can be used to get information from an SNMP-enabled device.

SNMP read-write community strings can be used to set information on an SNMP-enabled device.

3. Refer to the exhibit. Based on the output of the show running-config command, which type of view is SUPPORT?

superview, containing SHOWVIEW and VERIFYVIEW views

4. An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three ad

steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.)

configure the IP domain name on the router

generate the SSH keys

enable inbound vty SSH sessions

5. Which command is used to verify the existence of a secure Cisco IOS image file? - Ojo

show secure bootset

6. Refer to the exhibit. Which statement regarding the JR-Admin account is true?

JR-Admin can issue ping and reload commands.

7. By default, how many seconds of delay between virtual login attempts is invoked when the login block-for com

configured?

one


4/27

8. Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS route

purpose of gaining access to the privileged EXEC mode?

Locate the router in a secure locked room that is accessible only to authorized personnel.

9. Which set of commands are required to create a username of admin, hash the password using MD5, and force the r

access the internal username database when a user attempts to access the console?

R1(config)# username admin secret Admin01pa55

R1(config)# line con 0

R1(config-line)# login local

10. Which two statements describe the initial deployed services of Cisco routers and recommended security confi

changes? (Choose two.)

ICMP unreachable notifications are enabled by default but should be disabled on untrusted interfaces.

TCP keepalives are disabled by default but should be enabled globally to prevent certain DoS attacks.

11. Which three services does CCP One-Step Lockdown enable? (Choose three.)

SSH access to the router

password encryption

firewall on all outside interfaces

12. Which three areas of router security must be maintained to secure an edge router at the network perimeter?

three.)

physical security

operating system security

router hardening

13. Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.)

This message is a level five notification message.

This message indicates that service timestamps have been globally enabled.


5/27

14. Refer to the exhibit. Routers R1 and R2 are connected via a serial link. One router is configured as the NTP master,

other is an NTP client. Which two pieces of information can be obtained from the partial output of the show ntp asso

detail command on R2? (Choose two.)

Router R1 is the master, and R2 is the client.

The IP address of R1 is 192.168.1.2.

15. Why is the usernamenamesecretpassword command preferred over the usernamenamepasswordpassword comma

It uses the MD5 algorithm for encrypting passwords.

16. Which three options can be configured by Cisco AutoSecure? (Choose three.)

CBAC

security banner

enable secret password

17. Which two characteristics apply to Role-Based CLI Access superviews? (Choose two.)

Users logged in to a superview can access all commands specified within the associated CLI views.

Commands cannot be configured for a specific superview.

18. Which statement describes the operation of the CCP Security Audit wizard?

The wizard compares a router configuration against recommended settings.

19. Which three types of views are available when configuring the Role-Based CLI Access feature? (Choose three.)

root view

superview

CLI view

20. If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose thr

Assign a secret password to the view.

Assign commands to the view.

Create a view using the parser viewview-name command.

EXMEN 3

100%

1. Which technology provides the framework to enable scalable access security?

authentication, authorization, and accounting

2. Which authentication method stores usernames and passwords in the router and is ideal for small networks?

local AAA


6/27

3. How does a Cisco Secure ACS improve performance of the TACACS+ authorization process?

reduces delays in the authorization queries by using persistent TCP sessions

4. When configuring a Cisco Secure ACS, how is the configuration interface accessed?

A Web browser is used to configure a Cisco Secure ACS.

5. In regards to Cisco Secure ACS, what is a client device?

a router, switch, firewall, or VPN concentrator

6. What is a difference between using the login local command and using local AAA authentication for authen

administrator access?

Local AAA provides a way to configure backup methods of authentication; login local does not.

7. Refer to the exhibit. Router R1 has been configured as shown, with the resulting log message. On the basi

information presented, which two AAA authentication statements are true? (Choose two.)

The locked-out user failed authentication.

The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued.

8. Due to implemented security controls, a user can only access a server with FTP. Which AAA component accomplishe

authorization

9. Which two modes are supported by AAA to authenticate users for accessing the network and devices? (Choose two.

character mode

packet mode

10. When configuring a method list for AAA authentication, what is the effect of the keyword local?

It accepts a locally configured username, regardless of case.

11. Which two statements describe Cisco Secure ACS? (Choose two.)

Cisco Secure ACS supports LDAP.

Cisco Secure ACS supports both TACACS+ and RADIUS protocols.


7/27

12. Which two AAA access method statements are true? (Choose two.)

Character mode provides users with administrative privilege EXEC access and requires use of the console, vty

ports.

Packet mode provides remote users with access to network resources and requires use of dialup or VPN.

13. Which statement identifies an important difference between TACACS+ and RADIUS?

The TACACS+ protocol allows for separation of authentication from authorization.

14. What is a characteristic of TACACS+?

TACACS+ provides authorization of router commands on a per-user or per-group basis.

15. Refer to the exhibit. Router R1 is configured as shown. An administrative user attempts to use Telnet from rout

router R1 using the interface IP address 10.10.10.1. However, Telnet access is denied. Which option corrects this proble

The administrative user should use the username Admin and password Str0ngPa55w0rd.

16. Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)

password encryption

utilization of transport layer protocols

17. What is an effect if AAA authorization on a device is not configured?

Authenticated users are granted full access rights.

18. Why is local database authentication preferred over a password-only login?

It provides for authentication and accountability.


8/27

19. Refer to the exhibit. In the network shown, which AAA command logs the use of EXEC session commands?

aaa accounting exec start-stop group tacacs+

20. After accounting is enabled on an IOS device, how is a default accounting method list applied?

Accounting method lists are applied only to the VTY interfaces. (ojo)

21. What is the result if an administrator configures the aaa authorization command prior to creating a user with fu

rights?

The administrator is immediately locked out of the system.

EXMEN 485.4%

1. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface

echo reply

2. For a stateful firewall, which information is stored in the stateful session flow table?

source and destination IP addresses, and port numbers and sequencing information associated with a particular

3. Which statement describes one of the rules governing interface behavior in the context of implementing a zon

policy firewall configuration?

By default, traffic is allowed to flow among interfaces that are members of the same zone.


9/27

4. Refer to the exhibit. Which statement is true about the effect of this Cisco IOS zone-based policy firewall configurati

The firewall will automatically allow HTTP, HTTPS, and FTP traffic from fa0/0 to s0/0 and will track the conn

Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.

5. When configuring a Cisco IOS zone-based policy firewall, which two actions can be applied to a traffic class? (Choose

drop

inspect

6. Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.)

sequence number

SYN and ACK flags

7. Which two are characteristics of ACLs? (Choose two.)

Extended ACLs can filter on destination TCP and UDP ports.

Extended ACLs can filter on source and destination IP addresses.

8. When using CCP to apply an ACL, the administrator received an informational message indicating that a rule was

associated with the designated interface in the designated direction. The administrator continued with the associa

selecting the merge option. Which statement describes the effect of the option that was selected?

A new combined access rule was created using the new access rule number. Duplicate ACEs were removed.


10/27

9. Refer to the exhibit. Which statement describes the function of the ACEs?

These ACEs allow for IPv6 neighbor discovery traffic.

10. Which statement correctly describes how an ACL can be used with the access-class command to filter vty acc

router?

An extended ACL can be used to restrict vty access based on specific source addresses and protocol but the des

can only specify the keyword any

11. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originatthe router?

self zone

12. What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI?

Create zones.

13. Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic

accessing the routing table?

ipv6 traffic-filter ENG_ACL in

14. Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, des

address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?

The packet is dropped.

15. What is a limitation of using object groups within an access control entry?

It is not possible to delete an object group or make an object group empty if the object group is already applie

ACE.

16. Class maps identify traffic and traffic parameters for policy application based on which three criteria? (Choose thre

access group

protocol

subordinate class map


11/27

17. Which statement describes a typical security policy for a DMZ firewall configuration?

Traffic that originates from the DMZ interface is permitted to traverse the firewall to the outside interface with

no restrictions.

18. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI mo

A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up

session layer.

19. Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this infor

which two conclusions can be drawn regarding remote access network connections? (Choose two.)

SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.

Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.

20. When implementing an inbound Internet traffic ACL, what should be included to prevent the spoofing of networks?

ACEs to prevent traffic from private address spaces

EXMEN 587.5%

1. Refer to the exhibit. When modifying an IPS signature action, which two check boxes should be selected to create

that denies all traffic from the IP address that is considered the source of the attack and drops the packet and all future

from the TCP flow? (Choose two.)

Deny Attacker Inline

Deny Connection Inline


12/27

2. Why is a network that deploys only IDS particularly vulnerable to an atomic attack?

The IDS permits malicious single packets into the network.

3. A network security administrator would like to check the number of packets that have been audited by the IP

command should the administrator use?

show ip ips statistics

4. Which two Cisco IOS commands are required to enable IPS SDEE message logging? (Choose two.)

ip http server

ip ips notify sdee

5. Refer to the exhibit. Based on the configuration that is shown, which statement is true about the IPS signature categ

Only signatures in the ios_ips basic category will be compiled into memory for scanning.

6. Which two benefits does the IPS version 5.x signature format provide over the version 4.x signature format? (Choose

addition of a signature risk rating

support for encrypted signature parameters

7. Which two files could be used to implement Cisco IOS IPS with version 5.x format signatures? (Choose two.)

IOS-Sxxx-CLI.pkg

realm-cisco.pub.key.txt

8. A network administrator tunes a signature to detect abnormal activity that might be malicious and likely t

immediate threat. What is the perceived severity of the signature?

medium

9. Refer to the exhibit. As an administrator is configuring an IPS, the error message that is shown appears. What d

error message indicate?

The public crypto key is invalid or entered incorrectly.


13/27

10. Refer to the exhibit. What action will be taken if a signature match occurs?

The packet will be allowed, and an alert will be generated.

11. Which Cisco IPS feature allows for regular threat updates from the Cisco SensorBase Network database?

global correlation

12. Refer to the exhibit. Based on the configuration, what traffic is inspected by the IPS?

all traffic entering the s0/0/1 interface and all traffic entering and leaving the fa0/1 interface


14/27

13. What is a disadvantage of network-based IPS as compared to host-based IPS?

Network-based IPS cannot examine encrypted traffic.

14. Refer to the exhibit. What is the significance of the number 10 in the signature 6130 10 command?

It is the subsignature ID.

15. Which statement is true about an atomic alert that is generated by an IPS?

It is an alert that is generated every time a specific signature has been found.

16. Refer to the exhibit. Based on the configuration commands that are shown, how will IPS event notifications be sen

syslog format

17. An administrator is using CCP to modify a signature action so that if a match occurs, the packet and all future pack

the TCP flow are dropped. What action should the administrator select?

reset-tcp-connection

18. What information is provided by the show ip ips configuration configuration command?

the default actions for attack signatures

19. Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on router R1?

All traffic that is permitted by the ACL is subject to inspection by the IPS.

20. Which protocol is used when an IPS sends signature alarm messages?

SDEE


15/27

EXMEN 683.3%

1. Which Cisco IronPort appliance would an organization install to protect against malware?

S-Series

2. What is the goal of the Cisco NAC framework and the Cisco NAC appliance?

to ensure that only hosts that are authenticated and have had their security posture examined and appro

permitted onto the network

3. Which two methods are used to mitigate VLAN attacks? (Choose two.)

implementing BPDU guard on all access ports

disabling DTP autonegotiation on all trunk ports

4. Which two measures are recommended to mitigate VLAN hopping attacks? (Choose two.)

Use a dedicated native VLAN for all trunk ports.

Disable trunk negotiation on all ports connecting to workstations.

5. As a recommended practice for Layer 2 security, how should VLAN 1 be treated?

VLAN 1 should not be used.

6. Which attack relies on the default automatic trunking configuration on most Cisco switches?

VLAN hopping attack

7. Under which circumstance is it safe to connect to an open wireless network?

The device has been updated with the latest virus protection software.

8. Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devic

These devices are more varied in type and are portable.

9. Which three switch security commands are required to enable port security on a port so that it will dynamically

single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.)

switchport mode access

switchport port-security

switchport port-security mac-address sticky

10. Which command is used to configure the PVLAN Edge feature?

switchport protected

11. Which Cisco IronPort appliance would an organization install to manage and monitor security policy settings a

information?

M-Series


16/27

12. Refer to the exhibit. What action will the switch take when the maximum number of secure MAC addresses has

the allowed limit on the Fa0/2 port?

Packets with unknown source addresses are dropped without notification.

13. What is the default configuration of the PVLAN Edge feature on a Cisco switch?

No ports are defined as protected.

14. Which three are SAN transport technologies? (Choose three.)

Fibre Channel

iSCSI

FCIP

15. What is an example of a trusted path in an operating system?

Ctrl-Alt-Delete key sequence

16. Which software tool can a hacker use to flood the MAC address table of a switch?

macof

17. Which statement is true about a characteristic of the PVLAN Edge feature on a Cisco switch?

All data traffic that passes between protected ports must be forwarded through a Layer 3 device.

18. Which option best describes a MAC address spoofing attack?

An attacker alters the MAC address of his host to match another known MAC address of a target host.

19. With IP voice systems on data networks, which two types of attacks target VoIP specifically? (Choose two.)

SPIT

vishing

20. When the Cisco NAC appliance evaluates an incoming connection from a remote device against the defined

policies, what feature is being used?

authentication and authorization


17/27

EXMEN 785.4%

1. A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data e

took place between the site and the customer. Which feature of digital signatures is required?

nonrepudiation of the transaction

2. Which encryption protocol provides network layer confidentiality?

IPsec protocol suite

3. Which characteristic of security key management is responsible for making certain that weak cryptographic keys

used?

verification

4. Refer to the exhibit. Which type of cipher method is depicted?

transposition cipher

5. Why is RSA typically used to protect only small amounts of data?

The algorithms used to encrypt data are slow.

6. Which statement describes a cryptographic hash function?

A one-way cryptographic hash function is hard to invert.

7. Two users must authenticate each other using digital certificates and a CA. Which option describes the CA authen

procedure?

The users must obtain the certificate of the CA and then their own certificate.

8. Which statement describes asymmetric encryption algorithms?

They are relatively slow because they are based on difficult computational algorithms.


18/27

9. Which statement is a feature of HMAC?

HMAC uses a secret key as input to the hash function, adding authentication to integrity assurance.

10. Which two non-secret numbers are initially agreed upon when the Diffie-Hellman algorithm is used? (Choose two.)

generator

prime modulus

11. Which two statements correctly describe certificate classes used in the PKI? (Choose two.)

A class 0 certificate is for testing purposes.

A class 4 certificate is for online business transactions between companies.

12. The network administrator for an e-commerce website requires a service that prevents customers from claim

legitimate orders are fake. What service provides this type of guarantee?

nonrepudiation

13. How do modern cryptographers defend against brute-force attacks?

Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack.

14. Which type of cryptographic key would be used when connecting to a secure website?

symmetric keys

15. An administrator requires a PKI that supports a longer lifetime for keys used for digital signing operations than

used for encrypting data. Which feature should the PKI support?

usage keys

16. Which three primary functions are required to secure communication across network links? (Choose three.)

authentication

confidentiality

integrity

17. What is the basic method used by 3DES to encrypt plaintext?

The data is encrypted, decrypted, and encrypted using three different keys.

18. Which algorithm is used to automatically generate a shared secret for two systems to use in establishing an IPsec V

DH


19/27

19. Refer to the exhibit. Which encryption algorithm is described in the exhibit?

3DES

20. What does it mean when a hashing algorithm is collision resistant?

Two messages with the same hash are unlikely to occur.

EXMEN 885.4%

1. Refer to the exhibit. A site-to-site VPN is required from R1 to R3. The administrator is using the CCP Site-to-Site VPN

on R1. Which IP address should the administrator enter in the highlighted field?

10.2.2.2

2. A network administrator is planning to implement centralized management of Cisco VPN devices to simp

deployment for remote offices and teleworkers. Which Cisco IOS feature would provide this solution?

Cisco Easy VPN

3. Which UDP port must be permitted on any IP interface used to exchange IKE information between security gateway

500


20/27

4. Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and R2. Assumin

GRE configuration is correct and based on the running configuration of R1, what must the administrator do to fix the pro

Change the tunnel destination to 209.165.200.225.

5. Refer to the exhibit. Based on the CCP settings that are shown, which Easy VPN Server component is being configure

group policy

6. With the Cisco Easy VPN feature, which process ensures that a static route is created on the Cisco Easy VPN Serve

internal IP address of each VPN client?

Reverse Route Injection

7. When using ESP tunnel mode, which portion of the packet is not authenticated?

new IP header


21/27

8. Which statement describes an important characteristic of a site-to-site VPN?

It must be statically set up.

9. Which action do IPsec peers take during the IKE Phase 2 exchange?

negotiation of IPsec policy

10. When configuring an IPsec VPN, what is used to define the traffic that is sent through the IPsec tunnel and prote

the IPsec process?

crypto ACL

11. Which two statements accurately describe characteristics of IPsec? (Choose two.)

IPsec works at the network layer and operates over all Layer 2 protocols.

IPsec is a framework of open standards that relies on existing algorithms.

12. A user launches Cisco VPN Client software to connect remotely to a VPN service. What does the user select before

the username and password?

the desired preconfigured VPN server site

13. Refer to the exhibit. Based on the CCP screen that is shown, which two conclusions can be drawn about the IKE pol

is being configured? (Choose two.)

It will use digital certificates for authentication.

It will use a very strong encryption algorithm.

14. What is the default IKE policy value for encryption?

DES

15. How many bytes of overhead are added to each IP packet while it is transported through a GRE tunnel?

24


22/27

16. Which two authentication methods can be configured when using the CCP Site-to-Site VPN wizard? (Choose two.)

pre-shared keys

digital certificates

17. When verifying IPsec configurations, which show command displays the encryption algorithm, hash alg

authentication method, and Diffie-Hellman group configured, as well as default settings?

show crypto isakmp policy

18. Refer to the exhibit. Which two IPsec framework components are valid options when configuring an IPsec VPN on

ISR router? (Choose two.)

Confidentiality options include DES, 3DES, and AES.

Diffie-Hellman options include DH1, DH2, and DH5.

19. What are two benefits of an SSL VPN? (Choose two.)

It has the option of only requiring an SSL-enabled web browser.

It is compatible with DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT.

20. What is required for a host to use an SSL VPN to connect to a remote network device?

A web browser must be installed on the host.


23/27

EXMEN 1090.4%

1. Which three components must be configured when implementing a client-based SSL VPN on an ASA 5505 device?

three.)

client address assignment

client image

group policy

2. Which option lists the four steps to configure the Modular Policy Framework on an ASA?

1) Configure extended ACLs to identify specific granular traffic. This step may be optional.

2) Configure the class map to define interesting traffic.

3) Configure a policy map to apply actions to the identified traffic.

4) Configure a service policy to identify which interface should be activated for the service.

3. Refer to the exhibit. What will be displayed in the output of the show running-config object command after the e

configuration commands are entered on an ASA 5505?

range 192.168.1.10 192.168.1.20


24/27

4. Refer to the exhibit. An administrator has entered the indicated commands on an ASA 5505. Based on the info

presented, what type of remote access VPN has the administrator configured?

a clientless SSL VPN via a web browser

5. Which Cisco ASDM menu sequence would be used to edit a client-based AnyConnect SSL VPN configuration?

Configuration > Remote Access VPN > Network (Client) Access

6. Which three types of remote access VPNs are supported on ASA devices? (Choose three.)

Clientless SSL VPN using a web browser

IPsec (IKEv1) VPN using the Cisco VPN Client

SSL or IPsec (IKEv2) VPN using the Cisco AnyConnect Client

7. Refer to the exhibit. Which ASDM menu sequence would be required to configure Telnet or SSH AAA authentication

TACACS server first or the local device user database if the TACACS server authentication is unavailable?

Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

8. When the ASA recognizes that the incoming packets are part of an already established connection, which three f

tasks are executed? (Choose three.)

adjusting Layer 3 and Layer 4 headers

performing IP checksum verification

performing TCP sequence number checks


25/27

9. Which two statements correctly describe the ASA as an advanced stateful firewall? (Choose two.)

In routed mode, an ASA can support two or more Layer 3 interfaces.

The first packet of a flow examined by an ASA goes through the session management path.

10. Which three wizards are included in Cisco ASDM 6.4? (Choose three.)

Security Audit wizard

Startup wizard

VPN wizard

11. Refer to the exhibit. Which three sets of configuration commands were entered on the ASA 5505? (Choose three.)

2.1- interface e0/0

2.2.- switchport access vlan 2

2.3.- no shut

2.4.- exit

3.1.- interface vlan 2

3.2.- nameif outside

3.3.- security-level 0

3.4.- ip address 209.165.200.226 255.255.255.248

12. Which three components must be configured when using the Site-to-Site VPN Connection Setup wizard in ASDM?

three.)

authentication method

encryption algorithms

IKE version


26/27

13. Which three components must be configured when implementing a clientless SSL VPN on an ASA 5505 device?

three.)

bookmark lists

connection profile name

group policy

14. Which option lists the ASA adaptive security algorithm session management tasks in the correct order?

1) performing the access list checks

2) performing route lookups

3) allocating NAT translations (xlates)

4) establishing sessions in the "fast path"

15. Refer to the exhibit. A remote host is connecting to an ASA 5505 via a VPN connection. Once authenticated, t

displays the highlighted system tray icon. On the basis of the information that is presented, what three assumptions

made? (Choose three.)

The host has connected to the ASA via a client-based SSL VPN connection.

The host is connected via the AnyConnect VPN client.

The host is connected via the Cisco VPN client.

16. What are three characteristics of ASA transparent mode? (Choose three.)

This mode does not support VPNs, QoS, or DHCP Relay.

This mode is referred to as a "bump in the wire."

In this mode the ASA is invisible to an attacker.


27/27

17. Refer to the exhibit. According to the exhibited command output, which three statements are true about th

options entered on the ASA 5505? (Choose three.)

The dhcpd auto-config outside command was issued to enable the DHCP client.

The dhcpd address [start-of-pool]-[end-of-pool] inside command was issued to enable the DHCP server.

The dhcpd enable insidecommand was issued to enable the DHCP server.

18. An administrator has successfully configured a site-to-site VPN on an ASA 5505. Which ASDM menu sequence dispnumber of packets encrypted, decrypted, and security association requests?

Monitoring > VPN > VPN Statistics > Crypto Statistics

19. In what three ways do the 5505 and 5510 Adaptive Security Appliances differ? (Choose three.)

in the maximum traffic throughput supported

in the number of interfaces

in types of interfaces

20. Which three security features do ASA models 5505 and 5510 support by default? (Choose three.)

intrusion prevention system

stateful firewall

VPN concentrator

Documents

ccna sec 1.2 exas