1.
What security feature allows a private IP address to access the Internet by translating it to a public address?
Correct Answer
A. NAT
Explanation
NAT (Network Address Translation) is a security feature that allows a private IP address to access the Internet by translating it to a public address. It works by modifying the source and/or destination IP addresses in IP packets as they pass through a router or firewall, allowing multiple devices with private IP addresses to share a single public IP address. This helps to hide the private IP addresses from the public network, providing an additional layer of security.
2.
You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the problem?
Correct Answer
A. Edit the crypto keys on R1 and R2 to match
3.
What is the effect of the given command?
Correct Answer
A. It merges authentication and encryption methods to protect traffic that matches an ACL.
Explanation
The effect of the given command is that it merges authentication and encryption methods to protect traffic that matches an ACL. This means that the command combines both authentication and encryption techniques to secure the data traffic that meets the criteria specified in the ACL.
4.
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
Correct Answer
A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5.
Explanation
The given output shows that IPSec Phase 1 is established between the IP addresses 10.10.10.2 and 10.1.1.5. This means that the initial negotiation and authentication process for the VPN tunnel has been successfully completed between the two endpoints. However, the output does not provide any information about the status of IPSec Phase 2.
5.
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
Correct Answer
A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2.
Explanation
The given output indicates that the IKE Phase 1 main mode was initiated on 10.1.1.5, but it failed to negotiate with 10.10.10.2. This means that there was a problem in establishing the secure channel between the two VPN endpoints.
6.
Which statement about IOS privilege levels is true?
Correct Answer
A. Each privilege level supports the commands at its own level and all levels below it.
Explanation
Each privilege level supports the commands at its own level and all levels below it. This means that a user with a higher privilege level can access and execute commands at their own level as well as all lower privilege levels.
7.
Which line in this configuration prevents the HelpDesk user from modifying the interface configuration?
Correct Answer
A. Privilege exec level 9 configure terminal
Explanation
The line "Privilege exec level 9 configure terminal" prevents the HelpDesk user from modifying the interface configuration because it sets the privilege level required for the user to access the "configure terminal" command to 9. Since the HelpDesk user has a privilege level of 6 (as indicated by the line "Username HelpDesk privilege 6 password help"), they do not have the necessary privilege level to execute the "configure terminal" command.
8.
In the router ospf 200 command, what does the value 200 stand for?
Correct Answer
A. Process ID
Explanation
The value 200 in the "router ospf 200" command stands for the process ID. OSPF (Open Shortest Path First) is a routing protocol that uses process IDs to identify different instances of OSPF running on a router. Each OSPF process is assigned a unique process ID, and the router ospf command is used to enable OSPF routing and specify the process ID for that instance.
9.
Which feature filters CoPP packets?
Correct Answer
A. Access control lists
Explanation
Access control lists (ACLs) are used to filter CoPP (Control Plane Policing) packets. ACLs allow network administrators to define rules that determine which packets are allowed to pass through a network device and which ones are dropped. In the case of CoPP, ACLs are used to filter and control the traffic that is destined for the control plane of a network device, ensuring that only authorized packets are allowed to reach the control plane and protecting it from potential attacks or excessive traffic.
10.
The Admin user is unable to enter configuration mode on a device with the given configuration
Correct Answer
A. Remove the autocommand keyword and arguments from the username admin privilege line.
Explanation
The Admin user is unable to enter configuration mode on a device because there is an autocommand keyword and arguments present in the username admin privilege line. This autocommand is preventing the user from accessing the configuration mode. By removing the autocommand keyword and arguments from the username admin privilege line, the issue will be resolved and the Admin user will be able to enter configuration mode on the device.
11.
In which type of attack does the attacker attempt to overload the CAM table on a switch so that the switch acts as a hub?
Correct Answer
C. MAC flooding
Explanation
MAC flooding is the correct answer because in this type of attack, the attacker floods the switch's CAM table with fake MAC addresses, causing it to become full. When the CAM table is full, the switch is unable to determine the correct port to forward network traffic to, and it starts acting like a hub, broadcasting all incoming traffic to all ports. This allows the attacker to intercept and analyze network traffic, compromising the security and performance of the network.
12.
Which type of PVLAN port allows hosts in the same VLAN to communicate directly with each other?
Correct Answer
A. Community for hosts in the PVLAN
Explanation
A community PVLAN port allows hosts in the same PVLAN to communicate directly with each other. This means that hosts within the community PVLAN can send and receive traffic among themselves without any restriction.
13.
What is a potential drawback to leaving VLAN 1 as the native VLAN?
Correct Answer
A. It may be susceptible to a VLAN hopping attack.
Explanation
Leaving VLAN 1 as the native VLAN can be a potential drawback because it may make the network susceptible to a VLAN hopping attack. In a VLAN hopping attack, an attacker can gain unauthorized access to VLANs other than the native VLAN by exploiting the way VLAN trunking protocols work. By leaving VLAN 1 as the native VLAN, the attacker can potentially bypass security measures and gain access to sensitive information or resources in other VLANs. Therefore, it is recommended to change the native VLAN to a different VLAN number to mitigate the risk of VLAN hopping attacks.
14.
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three.)
Correct Answer(s)
A. When matching NAT entries are configured
B. When matching ACL entries are configured
D. When the firewall receives a SYN packet
Explanation
The ASA firewall permits inbound HTTP GET requests during normal operations when matching NAT entries are configured, when matching ACL entries are configured, and when the firewall receives a SYN packet.
15.
Which firewall configuration must you perform to allow traffic to flow in both directions between two zones?
Correct Answer
A. You must configure two zone pairs, one for each direction
Explanation
The correct answer states that you must configure two zone pairs, one for each direction. This means that in order to allow traffic to flow in both directions between two zones, you need to create separate zone pairs for traffic going from Zone A to Zone B and for traffic going from Zone B to Zone A. This ensures that bidirectional traffic flows are allowed between the two zones.
16.
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
Correct Answer
A. ARPs in both directions are permitted in transparent mode only
Explanation
In a transparent mode ASA firewall, ARPs in both directions are permitted. This means that Address Resolution Protocol (ARP) requests and replies are allowed to pass through the firewall. Transparent mode allows the firewall to act as a bridge, forwarding traffic between interfaces without performing any network address translation (NAT) or IP routing. In this mode, the firewall does not inspect or modify the IP packets, but it still allows the necessary ARP traffic for proper communication between devices on different networks.
17.
Which statement about the communication between interfaces on the same security level is true?
Correct Answer
A. Interfaces on the same security level require additional configuration to permit inter-interface communication
Explanation
Interfaces on the same security level require additional configuration to permit inter-interface communication. This means that by default, communication between interfaces on the same security level is not allowed. Therefore, additional configuration is necessary to explicitly permit this type of communication.
18.
Which IPS mode provides the maximum number of actions?
Correct Answer
A. Inline
Explanation
The inline IPS mode provides the maximum number of actions because it operates directly in the network traffic path and can actively block or allow traffic in real-time. This mode allows for the most granular control and flexibility in terms of taking actions on detected threats.
19.
How can you detect a false negative on an IPS?
Correct Answer
D. Use a third-party system to perform penetration testing
Explanation
To detect a false negative on an IPS (Intrusion Prevention System), one can use a third-party system to perform penetration testing. This involves simulating attacks on the system to identify any vulnerabilities or weaknesses that the IPS may have missed. By conducting penetration testing with a third-party system, it helps validate the effectiveness of the IPS and identify any false negatives where the system failed to detect or block an actual attack. This allows for improvements to be made to the IPS configuration or rules to enhance its security capabilities.
20.
What is the primary purpose of a defined rule in an IPS?
Correct Answer
A. To configure an event action that takes place when a signature is triggered
Explanation
A defined rule in an IPS is used to configure an event action that takes place when a signature is triggered. This means that when a specific behavior or pattern is detected by the IPS, it will initiate a pre-defined action such as blocking the traffic, sending an alert, or logging the event. The purpose of this is to provide an automated response to potential security threats and ensure that appropriate actions are taken in real-time to protect the system from attacks.
21.
How can FirePOWER block malicious email attachments?
Correct Answer
C. It sends the traffic through a file policy
Explanation
FirePOWER can block malicious email attachments by sending the traffic through a file policy. This means that when an email with an attachment is received, FirePOWER will analyze the file based on predefined rules and policies. If the file is identified as malicious or suspicious, FirePOWER will block the attachment from being delivered to the recipient. This helps to prevent potential malware or other harmful content from entering the network through email attachments.
22.
You have been tasked with blocking user access to websites that violate company policy, but the sites use dynamic IP addresses. What is the best practice for URL filtering to solve the problem?
Correct Answer
A. Enable URL filtering and use URL categorization to block the websites that violate company policy
Explanation
The best practice for URL filtering to solve the problem of blocking user access to websites that violate company policy is to enable URL filtering and use URL categorization to block the websites. This approach allows for a more efficient and effective filtering process as it categorizes the websites based on their content or purpose and blocks the ones that violate the company policy. This ensures that only the websites that comply with the policy are accessible to the users. Using a blacklist or whitelist may not be as comprehensive or flexible in addressing the dynamic IP addresses of the websites.
23.
Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
Correct Answer
A. File reputation
Explanation
File reputation technology can be used to rate data fidelity and provide an authenticated hash for data. This technology assesses the reputation of files based on their behavior and characteristics, determining whether they are trustworthy or potentially malicious. By analyzing the reputation of files, it can help ensure data fidelity by identifying and flagging any files that may be compromised or tampered with. Additionally, file reputation technology can generate authenticated hashes for data, allowing for verification and integrity checks to ensure the data has not been altered.
24.
Which type of encryption technology has the broadest platform support to protect operating systems?
Correct Answer
A. Software
Explanation
Software encryption technology has the broadest platform support to protect operating systems. This is because software encryption can be implemented on any operating system regardless of the underlying hardware or middleware. It provides a versatile and flexible solution that can be easily integrated into different software applications and platforms. Hardware encryption, on the other hand, is limited to specific hardware devices, while middleware and file-level encryption are more specific to certain applications or file types. Therefore, software encryption is the most widely supported option for protecting operating systems.
25.
A proxy firewall protects against which type of attack?
Correct Answer
A. Cross-site scripting attack
Explanation
A proxy firewall protects against cross-site scripting attacks, which are a type of security vulnerability where an attacker injects malicious scripts into trusted websites. These scripts can then be executed by unsuspecting users, leading to unauthorized access, data theft, or other malicious activities. By acting as an intermediary between clients and servers, a proxy firewall can inspect and filter incoming web traffic, identifying and blocking any attempts to exploit cross-site scripting vulnerabilities. This helps to prevent attackers from compromising websites and compromising user data.
26.
What is a benefit of a web application firewall?
Correct Answer
A. It blocks known vulnerabilities without patching applications
Explanation
A web application firewall provides a benefit by blocking known vulnerabilities without requiring the patching of applications. This means that even if there are vulnerabilities in the applications being used, the web application firewall can still prevent attacks and unauthorized access. This is advantageous as it adds an extra layer of security and reduces the risk of exploitation.
27.
Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam and sophisticated phishing attacks?
Correct Answer
A. Contextual analysis
Explanation
Contextual analysis is the feature of the Cisco Email Security Appliance that can mitigate the impact of snowshoe spam and sophisticated phishing attacks. Contextual analysis involves examining the content, context, and behavior of emails to determine if they are legitimate or malicious. By analyzing various factors such as the sender's reputation, email content, and attachment behavior, the appliance can identify and block suspicious emails, reducing the risk of snowshoe spam and sophisticated phishing attacks. This feature provides a more advanced and comprehensive approach to email security compared to traditional signature-based IPS or graymail management and filtering.
28.
What do you use when you have a network object or group and want to use an IP address?
Correct Answer
B. Dynamic NAT
Explanation
Dynamic NAT is used when you have a network object or group and want to use an IP address. Dynamic NAT allows multiple private IP addresses to be translated to a smaller pool of public IP addresses. This allows for more efficient use of IP addresses and allows multiple devices to share a limited number of public IP addresses.
29.
Which three statements are characteristics of DHCP Spoofing? (Choose three.)
Correct Answer(s)
A. Arp Poisoning
B. Modify Traffic in transit
C. Used to perform man-in-the-middle attack
Explanation
DHCP Spoofing is a technique used to perform a man-in-the-middle attack. It involves ARP poisoning, where the attacker modifies the ARP tables of the target devices to redirect their traffic through the attacker's machine. This allows the attacker to modify the traffic in transit, potentially intercepting sensitive information. By masking the DHCP address, the attacker can protect their identity. However, DHCP spoofing does not grant the attacker access to most network devices, nor does it require physically modifying the network gateway.
30.
Which feature allows a dynamic NAT pool to choose the next IP address rather than a port on an already-used IP address?
Correct Answer
B. Round robin
Explanation
The feature that allows the dynamic NAT pool to choose the next IP address instead of a port on a used IP address is round robin. In round robin, the NAT pool assigns IP addresses in sequential order, ensuring that each IP address is used before repeating the cycle. This allows for efficient utilization of IP addresses without the need for port-based selection.
31.
Which NAT option is executed first in the case of multiple NAT translations?
Correct Answer
D. Static nat with longest pre
Explanation
Static NAT with longest prefix is executed first during multiple NAT translations. This means that when there are multiple translations available, the system will prioritize the static NAT translation with the longest prefix match. This allows for more specific mappings to be applied before more general ones, ensuring that the correct translation is chosen for a given packet.
32.
If a switch port goes directly into a blocked state only when a superior BPDU is received, what mechanism must be in use?
Correct Answer
A. STP BPDU guard
Explanation
The correct answer is STP BPDU guard. This mechanism is used to prevent the receipt of superior BPDUs on a switch port. When a superior BPDU is received, the switch port is immediately put into a blocked state to avoid any potential loops in the network. This feature is commonly used to protect against misconfigurations or unauthorized switches being connected to the network.
33.
What are two effects of the given command? (Choose two.)
Correct Answer(s)
B. It configures authentication to use MD5 HMAC
E. It configures encryption to use AES 256
Explanation
The given command configures authentication to use MD5 HMAC, which is a type of cryptographic hash function that provides message integrity and authentication. It also configures encryption to use AES 256, which is a symmetric encryption algorithm that provides confidentiality and data protection.
34.
Which feature allows a dynamic PAT pool to select the next address in the PAT pool instead of the next port of an existing address?
Correct Answer
B. Round robin
Explanation
Round robin is a feature that allows a dynamic PAT pool to select the next address in the pool instead of the next port of an existing address. This means that instead of using the next available port on the same address, the PAT pool will cycle through the available addresses in a circular manner, distributing the traffic evenly among them. This helps to balance the load and prevent overutilization of a single address in the pool.
35.
Which two NAT types allow only objects or groups to reference an IP address?
Correct Answer(s)
A. Dynamic NAT
C. Static NAT
Explanation
Dynamic NAT and static NAT are the two NAT types that allow only objects or groups to reference an IP address. Dynamic NAT is a type of NAT where a pool of public IP addresses is used to translate private IP addresses. It allows multiple private IP addresses to share a smaller pool of public IP addresses. Static NAT, on the other hand, is a one-to-one mapping of private IP addresses to public IP addresses. It allows specific private IP addresses to be permanently associated with specific public IP addresses. Both of these NAT types restrict access to the IP address by allowing only objects or groups to reference them.
36.
Which security term refers to a person, property, or data of value to a company?
Correct Answer
A. Risk
Explanation
The term "risk" refers to a potential harm or loss that could occur to a person, property, or data of value to a company. It involves the possibility of negative consequences and the likelihood of those consequences happening. In the context of security, identifying and managing risks is crucial to protect assets and ensure the safety and integrity of valuable resources.
37.
Which technology can you use to prevent a non-malicious program from running on a computer that is disconnected from the network?
Correct Answer
D. Host IPS
Explanation
Host IPS (Intrusion Prevention System) is a technology that can be used to prevent non-malicious programs from running on a computer that is disconnected from the network. It monitors the activities and behavior of programs running on the host computer, and if it detects any suspicious or unauthorized behavior, it blocks or prevents those programs from executing. This helps to protect the computer from potential threats or malicious activities even when it is not connected to the network.
38.
What command could you implement in the firewall to conceal internal IP addresses?
Correct Answer
D. No proxy-arp
Explanation
The "no proxy-arp" command can be implemented in the firewall to conceal internal IP addresses. Proxy ARP is a technique used by routers to respond to ARP requests on behalf of other devices. By disabling proxy ARP with the "no proxy-arp" command, the firewall will not respond to ARP requests for internal IP addresses, effectively concealing them from external networks. This helps to enhance network security by preventing potential attackers from gathering information about the internal network topology.
39.
Which statement about college campus is true?
Correct Answer
A. College campus has geographical position
Explanation
The statement "College campus has geographical position" is true because a college campus is a physical location that exists in a specific geographic area. It can be identified by its coordinates on a map and can be located within a city, town, or rural area. The geographical position of a college campus is important for various purposes such as navigation, transportation, and understanding its surroundings.
40.
Which Firepower preprocessor blocks traffic based on IP address?
Correct Answer
D. Reputation-Based
Explanation
The Reputation-Based firepower preprocessor is designed to block traffic based on the IP address. It evaluates the reputation of the source IP address and determines whether it is trustworthy or not. This preprocessor uses reputation data to make decisions about allowing or blocking traffic from specific IP addresses. It helps to identify and block traffic from known malicious sources, improving the overall security of the network.
41.
Which Sourcefire event action should you choose if you want to block only malicious traffic from a particular end user?
Correct Answer
A. Allow with inspection
Explanation
Choosing the "Allow with inspection" event action allows you to inspect the traffic from a particular end user while still allowing it to pass through. This means that the traffic will be analyzed for any malicious content or behavior, and if any is detected, appropriate actions can be taken to block or mitigate the threat. This option provides a balance between allowing legitimate traffic and ensuring that any malicious activity is detected and dealt with effectively.
42.
Which command do you enter to enable authentication for OSPF on an interface?
Correct Answer
A. Router(config-if)#ip ospf message-digest-key 1 md5 CISCOPASS
Explanation
To enable authentication for OSPF on an interface, the correct command to enter is "router(config-if)#ip ospf message-digest-key 1 md5 CISCOPASS". This command configures OSPF to use message digest authentication on the specified interface with a key ID of 1 and a password of "CISCOPASS" using the MD5 algorithm.
43.
Which term best describes the concept of preventing the modification of data in transit and in storage?
Correct Answer
B. Integrity
Explanation
Integrity is the best term to describe the concept of preventing the modification of data in transit and in storage. This concept ensures that data remains accurate, consistent, and unaltered throughout its lifecycle. It involves implementing measures such as encryption, digital signatures, and access controls to protect data from unauthorized modifications or tampering. By maintaining data integrity, organizations can trust the reliability and authenticity of their data, ensuring its accuracy and preventing any unauthorized changes.
44.
Which command helps user1 use the enable, disable, exit, and similar commands?
Correct Answer
A. Catalyst1(config)#username user1 privilege 0 secret us1pass
Explanation
The correct answer is "catalyst1(config)#username user1 privilege 0 secret us1pass" because setting the privilege level to 0 allows the user to use basic commands such as enable, disable, and exit. Higher privilege levels (1, 2, and 5) provide additional commands and capabilities, but for the given question, privilege level 0 is sufficient.
45.
In which configuration mode do you configure the ip ospf authentication-key 1 command?
Correct Answer
A. Interface
Explanation
In the interface configuration mode, you can configure the "ip ospf authentication-key 1" command. This command is used to set the authentication key for OSPF on a specific interface. By configuring this command in the interface mode, you can specify the authentication key for OSPF on a particular interface, ensuring secure communication between OSPF routers.
46.
Which line in the following OSPF configuration will not be required for MD5 authentication to work?
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA
!
router ospf 65000
router-id 192.168.10.1
area 20 authentication message-digest
network 10.1.1.0 0.0.0.255 area 10
network 192.168.10.0 0.0.0.255 area 0
!
Correct Answer
C. Area 20 authentication message-digest
Explanation
The line "area 20 authentication message-digest" will not be required for MD5 authentication to work. This is because MD5 authentication is configured at the interface level using the "ip ospf authentication message-digest" command, not at the area level. Therefore, the "area 20 authentication message-digest" line is unnecessary for MD5 authentication to function properly.
47.
Which of the following pairs of statements is true in terms of configuring MD authentication?
Correct Answer
C. Router process (only for OSPF) must be configured; key chain in EIGRP
Explanation
The correct answer is "Router process (only for OSPF) must be configured; key chain in EIGRP." This means that when configuring MD authentication, the router process for OSPF must be configured, while the key chain should be configured for EIGRP.
48.
Which two NAT types allow only objects or groups to reference an IP address? (Choose two.)
Correct Answer(s)
A. Dynamic NAT
C. Static NAT
Explanation
Dynamic NAT and Static NAT both allow only objects or groups to reference an IP address. In Dynamic NAT, a pool of public IP addresses is configured and dynamically assigned to internal private IP addresses. This allows multiple internal devices to share a limited number of public IP addresses. In Static NAT, a one-to-one mapping is created between an internal private IP address and a specific public IP address, allowing for a direct and fixed translation. Both types restrict the referencing of IP addresses to specific objects or groups, providing control and security.
49.
Which port option in a PVLAN can communicate with every other port?
Correct Answer
A. Promiscuous ports
Explanation
Promiscuous ports in a PVLAN can communicate with every other port. In a PVLAN, there are three types of ports: promiscuous, community, and isolated. Promiscuous ports can communicate with all other ports within the PVLAN, including community and isolated ports. Community ports can communicate with other community ports and promiscuous ports, while isolated ports can only communicate with promiscuous ports. Therefore, the correct answer is promiscuous ports.
50.
Which two are valid TCP connection states? (Choose two.)
Correct Answer(s)
A. SYN-RCVD
B. Closed
Explanation
The correct answer is SYN-RCVD and Closed. SYN-RCVD is a valid TCP connection state that occurs when a TCP connection request has been received and acknowledged by the server. Closed is also a valid state that indicates that the TCP connection has been terminated or has not been established yet.