Pass4sure---help you pass cisco exams

Actualtests 642-522

642-522 : Securing Hosts Using Cisco Security Agent Last Updated Wednesday, July 02, 2008 with 69 Questions

Securing Networks with PIX and ASA Exam(SNPA)
Exam Number: 642-522 Exam
Associated Certifications: Securing Networks with PIX and ASA Exam(SNPA)
Duration: 63 Q&A we offer correct answe
Available Language(s): English
Exam Details
The Securing Networks with PIX and ASA exam is one of the exams associated with the Cisco Certified Security Professional and the Cisco Firewall Specialist certifications. Candidates can prepare for this exam by taking the SNPA v4.0 course. This exam includes simulations and tests a candidate’s knowledge and ability to describe, configure, verify and manage the Cisco PIX and ASA security appliance products.
Free 642-522 Exams’s PDF Download
Actualtests offers a free demo of the 642-522 PDF (Securing Networks with PIX and ASA Exam (SNPA)). You can check out the interface, question quality and usability of our practice exams. We are the only site that can offer a demo for almost all of the Securing Networks with PIX and ASA Exam (SNPA).

Recommended Training about 642-522 exam PDF
The following courses are the recommended training for 642-522 exam PDF.
642-522 Q & A with Explanations
642-522 Audio Exam
642-522 Study Guide
642-522 Preparation Lab
642-522 Exam Preparation from Actualtests with FULL explanations include:
Comprehensive questions with complete details
Detailed explanations of all the questions
Questions accompanied by exhibits
Verified Answers Researched by Industry Experts
Drag and Drop questions as experienced in the Actual Exams
Questions updated on regular basis
These questions and answers are backed by our GUARANTEE.
Like actual certification exams our product is in multiple-choice questions (MCQs).
642-522 Exam: Actualtests’s Securing Networks with PIX and ASA Exam(SNPA) PDF
The Securing Networks with PIX and ASA Exam (SNPA) PDF is for preparing for the 642-522 exam - Actualtests’s Securing Networks with PIX and ASA Exam (SNPA). Actualtests is your premier source for practice tests and a true testing environment. Nothing will prepare you for your next exam like Actualtests. You will find it all here at ciscoexams.org.

QUESTION 1
A new PIX firewall was installed in the Certkiller network to guard against outside
attacks. Why does this PIX security appliance record information about a packet in
its stateful session flow table?
A. To build the reverse path forwarding (RPF) table to prevent spoofed source IP
addresses.
B. To establish a proxy session by relaying the application layer requests and response
between two endpoints.
C. To compare against return packets for determining whether the packet should be
allowed through the firewall.
D. To track outbound UDP connections.
Answer: C
Explanation:
The Adaptive Security Algorithm (ASA), used by the PIX Firewall for stateful application
inspection, ensures the secure use of applications and services. Some applications require
special handling by the PIX Firewall application inspection function. Applications that
require special application inspection functions are those that embed IP addressing
information in the user data packet or open secondary channels on dynamically assigned
ports.
The application inspection function monitors sessions to determine the port numbers for
secondary channels. Many protocols open secondary TCP or UDP ports to improve
performance. The initial session on a well-known port is used to negotiate dynamically
assigned port numbers. The application inspection function monitors these sessions,
identifies the dynamic port assignments, and permits data exchange on these ports for the
duration of the specific session.
Packets going through PIX are checked using these steps:
- Access control lists (ACLs): Used for authentication and authorization of connections
based on specific networks, hosts, and services (TCP/UDP port numbers).
- Inspections: Contains a static, pre-defined set of application-level inspection functions.
- Connections (XLATE and CONN tables): Maintains state and other information about
each established connection. This information is used by ASA and cut-through proxy to
efficiently forward traffic within established sessions.
1. A TCP SYN packet arrives at the PIX Firewall to establish a new connection.
2. The PIX Firewall checks the access control list (ACL) database to determine if the
connection is permitted.
3. The PIX Firewall creates a new entry in the connection database (XLATE and CONN
tables).
4. The PIX Firewall checks the Inspections database to determine if the connection requires
application-level inspection.
5. After the application inspection function completes any required operations for the
packet, the PIX Firewall forwards the packet to the destination system.
6. The destination system responds to the initial request.
642-522
Actualtests.com - The Power of Knowing
7. The PIX Firewall receives the reply packet, looks up the connection in the connection
database, and forwards the packet because it belongs to an established session.
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800
e
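The seven steps above can be modelled in a few lines. This is an added example, not code from the original page or from Cisco; the class, the ACL entries, the inspected-port table and all addresses are constructed for illustration, and the model leaves out NAT (XLATE), TCP flag tracking and timeouts.

```python
# Toy model of the seven steps above. Added illustration, not PIX code:
# no NAT (XLATE), no TCP flag or sequence tracking, no timeouts.
ACL_PERMIT = {("tcp", "192.0.2.10", 80), ("tcp", "192.0.2.10", 21)}  # constructed
INSPECTED_PORTS = {21: "ftp"}  # constructed stand-in for the Inspections database


class StatefulFirewall:
    def __init__(self):
        self.conn_table = set()  # stand-in for the CONN table
        self.inspected = []      # flows handed to application inspection

    def new_connection(self, src, sport, dst, dport, proto="tcp"):
        """Steps 1-5: a TCP SYN asks to open a connection."""
        if (proto, dst, dport) not in ACL_PERMIT:      # step 2: ACL check
            return "drop: denied by ACL"
        flow = (proto, src, sport, dst, dport)
        self.conn_table.add(flow)                      # step 3: record state
        if dport in INSPECTED_PORTS:                   # step 4: needs inspection?
            self.inspected.append((flow, INSPECTED_PORTS[dport]))
        return "forward: new connection"               # step 5

    def return_packet(self, src, sport, dst, dport, proto="tcp"):
        """Steps 6-7: a packet arrives claiming to be a reply."""
        # A genuine reply is the recorded flow with source and destination
        # swapped. Anything else has no state behind it and is dropped.
        if (proto, dst, dport, src, sport) in self.conn_table:
            return "forward: established session"
        return "drop: no matching connection"


def demo():
    fw = StatefulFirewall()
    results = [
        fw.new_connection("10.0.1.5", 40000, "192.0.2.10", 80),
        fw.return_packet("192.0.2.10", 80, "10.0.1.5", 40000),   # real reply
        fw.return_packet("192.0.2.99", 80, "10.0.1.5", 40000),   # other host
        fw.return_packet("192.0.2.10", 80, "10.0.1.5", 40001),   # wrong port
        fw.new_connection("10.0.1.5", 40002, "192.0.2.10", 23),  # not in ACL
        fw.new_connection("10.0.1.5", 40003, "192.0.2.10", 21),  # inspected
    ]
    return results, fw


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Only the second packet is forwarded as a reply, which is the behaviour answer C describes: return traffic is compared against the recorded flow and everything without matching state is dropped.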
QUESTION 2
A new Certkiller ASA 5500 was installed in the Certkiller network. In the Cisco ASA
5500 series, what is the flash keyword aliased to?
A. Disk0
B. Disk1
C. Both Disk0 and Disk1
D. Flash0
E. Flash1
Answer: A
Explanation:
See the following URL syntax:
disk0:/[path/]filename
For the ASA 5500 series adaptive security appliance, this URL indicates the internal
Flash memory. You can also use flash instead of disk0; they are aliased.
Reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b90.html
QUESTION 3
Cisco firewalls maintain state awareness of all traffic going through them. What is the
core component of the PIX firewall that provides this?
A. PFS
B. ASA
C. VAC
D. FWSM
E. None of the above
Answer: B
Explanation:
The Adaptive Security Algorithm (ASA) is the brains of the PIX, keeping track of stateful
connection information. This allows the firewall to maintain stateful packet awareness so
that return traffic can traverse the firewall.
QUESTION 4
A new Cisco PIX 535 is being installed in the Certkiller network. What is the
maximum number of physical interfaces the PIX Firewall 535 supports with an
unrestricted license?
A. 20
B. 10
C. 6
D. 5
E. 3
Answer: B
Explanation:
A total of eight interface circuit boards are configurable with the restricted license and a
total of ten are configurable with the unrestricted license.
- The Cisco PIX 535 Security Appliance supports up to 10 physical Ethernet interfaces.
- A total of 8 interfaces are configurable on the PIX 535 with the restricted license, and a
total of 10 are configurable with the unrestricted license.
PIX model license Comparison:
Reference:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_installation_guide_chapter09186a
0
QUESTION 5
On a new Certkiller PIX the “same-security-traffic permit intra-interface”
configuration command was issued. What are two purposes of this command?
(Choose two)
A. It allows all of the VPN spokes in a hub-and-spoke configuration to be terminated on a
single interface.
B. It allows communication between different interfaces that have the same security
level.
C. It permits communication in and out of the same interface when the traffic is IPSec
protected.
D. It enables Dynamic Multipoint VPN.
Answer: A, B
Explanation:
B is correct; however, the other correct answer to this question is certainly not C, because
in order to make this happen with this command the syntax must be changed from
intra-interface to inter-interface.
It must be A because the purpose of allowing IPSec to go in and out of the same interface
is for a hub-and-spoke VPN configuration or hairpinning. In other words, two clients
connected with IPSec to the same interface of a security appliance can send protected
traffic between the two of them via the termination point.
QUESTION 6
A new Certkiller security appliance is being installed for the first time. By default,
the AIP-SSM IPS software is accessible from the management port at IP address
10.1.9.201/24. Which CLI command should an administrator use to change the
default AIP-SSM management port IP address?
A. hw module 1 setup
B. interface
C. setup
D. hw module 1 recover
E. None of the above
Answer: C
Explanation:
After you have completed configuration of the ASA 5500 series adaptive security
appliance to divert traffic to the AIP SSM, session to the AIP SSM and run the setup
utility for initial configuration.
To session to the AIP SSM from the adaptive security appliance, perform the following
steps:
Step 1 Enter the session 1 command to session from the ASA 5500 series adaptive
security appliance to the AIP SSM.
hostname# session 1
Step 2 Enter the username and password. The default username and password are both
cisco.
Note: The first time you log in to the AIP SSM you are prompted to change the default
password.
Step 3 Enter the setup command to run the setup utility for initial configuration of the
AIP SSM.
AIP SSM# setup
You are now ready to configure the AIP SSM for intrusion prevention, including the
ability to change the AIP-SSM management IP address.
Reference: Cisco Security Appliance Command Line Configuration Guide for the Cisco
ASA 5500 Series and Cisco PIX 500 Series Software Version 7.0(4) page 19-3
QUESTION 7
A Certkiller ASA appliance is shown below:
Refer to the exhibit above. The Certkiller administrator has configured the first four
ports on a Cisco ASA 5540 Security Appliance. The technician attached the next
data cable to Port A.
When configuring this interface, what physical type, slot, and port number should
the administrator add to the configuration?
A. GigabitEthernet0/0
B. GigabitEthernet0/5
C. GigabitEthernet0/4
D. Management0/0
Answer: D
Explanation:
If you want to use ASDM to configure the security appliance instead of the
command-line interface, you can connect to the default management address of
192.168.1.1 (if your security appliance includes a factory default configuration). On the
ASA 5500 series adaptive security appliance, the interface to which you connect with
ASDM is Management 0/0. For the PIX 500 series security appliance, the interface to
which you connect with ASDM is Ethernet 1. If you do not have a factory default
configuration, follow the steps in this section to access the command-line interface. You
can then configure the minimum parameters to access ASDM by entering the setup
command.
Reference: Cisco Security Appliance Command Line Configuration Guide for the Cisco
ASA 5500 Series and Cisco PIX 500 Series, page 2-84
QUESTION 8
The files on a Certkiller security appliance need to be verified. How can you view the
files listed in a PIX flash memory?
A. show pix flash
B. show flash memory
C. show flashfs
D. show flash mfs
E. None of the above
Answer: C
Explanation:
You can view the size of your configuration from the PIX Firewall console. Either
connect a computer to the PIX Firewall unit or use Telnet to access the console. After
entering the enable mode password, use the show flashfs command to view the
configuration size, as shown in the following example:
CK1# show flashfs
flash file system: version:2 magic:0x12345679
file 0: origin: 0 length:2502712
file 1: origin: 2621440 length:2324
file 2: origin: 0 length:0
file 3: origin: 2752512 length:2608708
file 4: origin: 8257536 length:280
The "file 1" line lists the number of characters in your configuration after the "length"
parameter. In this example, the configuration consists of 2,324 characters. Divide this
number by 1,024 to view the number of kilobytes. The configuration in this example is
slightly more than 2 KB.
The optimal configuration file size to use with PDM is less than 100KB, which is
approximately 1500 lines. PIX Firewall configuration files over 100KB may interfere
with the performance of PDM on your workstation.
Reference:
http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_installation_guide_chapter09186a008007
d
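The size check described above can be scripted against captured console output. This is an added example, not code from the original page or from Cisco; the function names are hypothetical, and the sample text is the show flashfs output quoted in the explanation.

```python
import re

# Sample input: the show flashfs output quoted in the explanation above.
SAMPLE = """\
CK1# show flashfs
flash file system: version:2 magic:0x12345679
file 0: origin: 0 length:2502712
file 1: origin: 2621440 length:2324
file 2: origin: 0 length:0
file 3: origin: 2752512 length:2608708
file 4: origin: 8257536 length:280
"""

# One "file N: origin: X length:Y" entry per line; other lines are ignored.
FILE_RE = re.compile(
    r"^file[ \t]+(\d+):[ \t]*origin:[ \t]*(\d+)[ \t]+length:[ \t]*(\d+)[ \t]*$",
    re.MULTILINE,
)


def parse_flashfs(text):
    """Return {file number: {"origin": int, "length": int}}."""
    return {
        int(num): {"origin": int(origin), "length": int(length)}
        for num, origin, length in FILE_RE.findall(text)
    }


def config_size_kb(text):
    """Size of the configuration (the "file 1" entry) in kilobytes."""
    files = parse_flashfs(text)
    if 1 not in files:
        raise ValueError("no 'file 1' entry in show flashfs output")
    return files[1]["length"] / 1024


def within_pdm_limit(text, limit_kb=100):
    """True if the configuration is under the 100KB size the page cites for PDM."""
    return config_size_kb(text) < limit_kb


if __name__ == "__main__":
    print(f"configuration: {config_size_kb(SAMPLE):.2f} KB,",
          "OK for PDM" if within_pdm_limit(SAMPLE) else "over the PDM limit")
```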
QUESTION 9
The Certkiller network is displayed in the following diagram:
Refer to the exhibit above. Users on the DMZ are complaining that they cannot gain
access to the inside host via HTTP. What did the network administrator determine
after reviewing the network diagram and partial configuration?
A. The static (inside,dmz) command is not configured correctly.
B. The global (dmz) command is not configured correctly.
C. The nat (dmz) command is missing.
D. The dmzin access list is not configured correctly.
E. None of the above
Answer: D
Explanation:
Based on the configuration above, the real IP address of the WWW server (insidehost) is
10.0.1.11, but there is a static NAT entry that translates this address to 192.168.1.18.
Users from the outside will attempt to connect to the server “insidehost” using the
192.168.1.18 IP address. The access list must therefore permit WWW traffic to this host,
not the 10.0.1.11 host. The DMZ access list should read “access-list dmzin permit tcp any
host 192.168.1.18 eq www”
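The effect of naming the wrong address in the access list can be shown with a small model. This is an added example, not code from the original page or from Cisco; the exhibit is not on the page, so the BROKEN line is a constructed guess at the misconfiguration, the function names are hypothetical, and only the one ACL form used here is parsed.

```python
# Static NAT from the explanation above: translated (mapped) -> real address.
STATIC_NAT = {"192.168.1.18": "10.0.1.11"}
PORT_NAMES = {"www": 80}

# BROKEN is constructed (the exhibit is missing); FIXED is the page's line.
BROKEN = "access-list dmzin permit tcp any host 10.0.1.11 eq www"
FIXED = "access-list dmzin permit tcp any host 192.168.1.18 eq www"


def parse_ace(line):
    """Parse only 'access-list NAME permit|deny tcp any host IP eq PORT'."""
    t = line.split()
    ok = (len(t) == 9 and t[0] == "access-list" and t[2] in ("permit", "deny")
          and t[3:6] == ["tcp", "any", "host"] and t[7] == "eq")
    if not ok:
        raise ValueError(f"unsupported ACE: {line!r}")
    port = PORT_NAMES[t[8]] if t[8] in PORT_NAMES else int(t[8])
    return t[2], t[6], port


def deliver(acl_lines, dst_ip, dst_port):
    """Return the real host a DMZ client's packet reaches, or None if dropped."""
    # The ACL is matched against the destination the client actually sent,
    # which is the translated address. The static translation to the real
    # address only happens for traffic the ACL has permitted.
    for action, host, port in map(parse_ace, acl_lines):
        if (host, port) == (dst_ip, dst_port):   # first match wins
            if action == "deny":
                return None
            return STATIC_NAT.get(dst_ip)        # None if no translation exists
    return None                                  # implicit deny at end of ACL


if __name__ == "__main__":
    for name, acl in (("broken", [BROKEN]), ("fixed", [FIXED])):
        print(name, "->", deliver(acl, "192.168.1.18", 80))
```

With the broken line the HTTP request to 192.168.1.18 falls through to the implicit deny; with the corrected line it is permitted and translated to 10.0.1.11.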
QUESTION 10
The security team at Certkiller is working on dynamic NAT. How can dynamic
outside NAT simplify router configuration on your internal or perimeter networks?
A. It can simplify because you can configure your routing within the nat command.
B. It can simplify because you can configure your routing within the global command.
C. It can simplify by controlling the addresses that appear on these networks.
D. It can simplify because statics take precedence over nat and global command pairs.
Answer: C
Explanation:
Dynamic outside NAT: Translates host addresses on less secure interfaces to a range or
pool of IP addresses on a more secure interface. This is most useful for controlling the
addresses that appear on the inside of the PIX Firewall and for connecting networks with
overlapping addresses.
Reference: Cisco Secure PIX Firewall Advanced 3.1 6-11
Inside dynamic NAT:
Translates between host addresses on more secure interfaces and a range or pool of IP
addresses on a less secure interface. This provides a one-to-one mapping between
internal and external addresses that allows internal users to share registered IP addresses
and hides internal addresses from view on the public Internet.
