1. Which two statements are true regarding classic Cisco IOS Firewall configurations? (Choose two.)
A. You can apply the IP inspection rule in the inbound direction on the trusted interface.
B. You can apply the IP inspection rule in the outbound direction on the untrusted interface.
C. For temporary openings to be created dynamically by Cisco IOS Firewall, the access list for the returning traffic must be a standard ACL.
D. For temporary openings to be created dynamically by Cisco IOS Firewall, you must apply the IP inspection rule to the trusted interface.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the inbound access list on the trusted interface must be an extended ACL.
Answer: AB
2. Refer to the exhibit. Why is the Cisco IOS Firewall authentication proxy not working?
A. The aaa authentication auth-proxy default group tacacs+ command is missing in the configuration.
B. The router local username and password database is not configured.
C. Cisco IOS authentication proxy only supports RADIUS and not TACACS+.
D. HTTP server and AAA authentication for the HTTP server is not enabled.
E. The AAA method lists used for authentication proxy should be named “pxy” rather than “default” to match the authentication proxy rule name.
Answer: D
3. Refer to the exhibit. What additional configuration is required for the Cisco IOS Firewall to reset the TCP connection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP?
A. class-map configuration for matching peer-to-peer, tunneling, and instant messaging traffic over HTTP, and a policy map specifying the reset action
B. the port-misuse default action reset alarm command in the HTTP application firewall policy configuration
C. the PAM configuration for mapping the peer-to-peer, tunneling, and instant messaging TCP ports to the HTTP application
D. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall tunnel commands
E. the service default action reset command in the HTTP application firewall policy configuration
Answer: B
4. Refer to the exhibit. Why is the Total Active Signatures count zero?
A. The 128MB.sdf file in flash is corrupted.
B. IPS is in fail-open mode.
C. IPS is in fail-closed mode.
D. IPS has not been enabled on an interface yet.
E. The flash:/128MB.sdf needs to be merged with the built-in signatures first.
Answer: D
5. Which three configurations are required to enable the Cisco IOS Firewall to inspect a user-defined application which uses TCP ports 8000 and 8001? (Choose three.)
A. access-list 101 permit tcp any any eq 8000
access-list 101 permit tcp any any eq 8001
class-map user10
match access-group 101
B. policy-map user10
class user10
inspect
C. ip port-map user10 port tcp 8000 8001 description “TEST PROTOCOL”
D. ip inspect name test appfw user10
E. ip inspect name test user10
F. int {type|number}
ip inspect name test in
Answer: CEF
6. What are two benefits of using an IPsec GRE tunnel? (Choose two.)
A. It allows dynamic routing protocol to run over the tunnel interface.
B. It has less overhead than running IPsec in tunnel mode.
C. It allows IP multicast traffic.
D. It requires a more restrictive crypto ACL to provide finer security control.
E. It supports the use of dynamic crypto maps to reduce configuration complexity.
Answer: AC
7. Refer to the DMVPN topology diagram in the exhibit. Which two statements are correct? (Choose two.)
A. The hub router needs to have EIGRP split horizon disabled.
B. At the Spoke A router, the next hop to reach the 192.168.2.0/24 network is 10.0.0.1.
C. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query to the hub to resolve the remote spoke router physical interface IP address.
D. At the Spoke B router, the next hop to reach the 192.168.1.0/24 network is 172.17.0.1.
E. The spoke routers act as the NHRP servers for resolving the remote spoke physical interface IP address.
F. At the Spoke A router, the next hop to reach the 192.168.0.0/24 network is 172.17.0.1.
Answer: AC
8. Referring to a DMVPN hub router tunnel interface configuration, what can happen if the ip nhrp map multicast dynamic command is missing on the tunnel interface?
A. The NHRP request and response between the spoke router and hub router will fail.
B. The GRE tunnel between the hub router and the spoke router will be down.
C. The IPsec peering between the hub router and the spoke router will fail.
D. The dynamic routing protocol between the hub router and the spoke router will fail.
E. The NHRP mappings at the spoke routers will be incorrect.
F. The NHRP mappings at the hub router will be incorrect.
Answer: D
9. Which three of these statements are correct regarding DMVPN configuration? (Choose three.)
A. If running EIGRP over DMVPN, the hub router tunnel interface must have “next hop self” enabled: ip next-hop-self eigrp AS-Number
B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-Number
C. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address
D. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
E. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
F. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name
Answer: BDF
10. When you configure Cisco IOS WebVPN, you can use the port-forward command to enable which function?
A. web-enabled applications
B. Cisco Secure Desktop
C. full-tunnel client
D. thin client
E. CIFS
F. OWA
Answer: D
11. Refer to the exhibit. What additional configuration is required to enable split tunneling?
A. the reverse-route command under “crypto dynamic-map mode 1”
B. the include-local-lan command under “crypto dynamic-map mode 1”
C. the match address 199 command under “crypto dynamic-map mode 1”
D. the acl 199 command under “crypto isakmp client configuration group cisco”
E. the include-local-lan command under “crypto isakmp client configuration group cisco”
F. the reverse-route command under “crypto isakmp client configuration group cisco”
Answer: D
12. Refer to the exhibit. Which two statements are true about the configurations shown? (Choose two.)
A. The clickable links will have a heading entitled “MYLINKS”.
B. The home page will have three clickable links on it.
C. ACS will be used for remote-user authentication by default.
D. This is an example of a clientless configuration.
E. Thin client (port forwarding) has been enabled using the url-text command.
Answer: BD
13. Which two commands are used to only allow SSH traffic to the router Eth0 interface and deny other management traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)
A. interface eth0
B. control-plane host
C. policy-map type port-filter policyname
D. service-policy type port-filter input policyname
E. management-interface eth0 allow ssh
F. line vty 0 5
transport input ssh
Answer: BE
14. Refer to the exhibit. Which optional AAA or RADIUS configuration command is used to support 802.1x guest VLAN functionality?
A. aaa authentication dot1x default group radius
B. aaa authorization network default group radius
C. aaa accounting dot1x default start-stop group radius
D. aaa accounting system default start-stop group radius
E. radius-server host 10.1.1.1 auth-port 1812 acct-port 1813
Answer: B
15. When configuring FPM, what should be the next step after the PHDFs have been loaded?
A. Define a stack of protocol headers.
B. Define a traffic policy.
C. Define a service policy.
D. Define a class map of type “access-control” for classifying packets.
E. Reload the router.
F. Save the PHDFs to startup-config.
Answer: A
Link : http://www.killtest.co.kr/CCSP/642-503.asp