
Cisco Certification 642-515 Question Bank

Date: 2015/8/31 13:28:37 Source: original content of this site

1. The following exhibit shows a Cisco ASA security appliance configured to participate in a VPN cluster. According to the exhibit, to which value will you set the priority to increase the chances of this Cisco ASA security appliance becoming the cluster master?

A. 100
B. 0
C. 10
D. 1

Answer: C

2. Tom works as a network administrator for the CISCO company. The primary adaptive security appliance in an active/standby failover configuration failed, so the secondary adaptive security appliance was automatically activated. Tom then fixed the problem. Now he would like to restore the primary to active status. Which one of the following commands can reactivate the primary adaptive security appliance and restore it to active status while issued on the primary adaptive security appliance?

A. failover reset
B. failover primary active
C. failover active
D. failover exec standby

Answer: C

3. You work as a network administrator for your company. Study the exhibit carefully. ASDM is short for Adaptive Security Device Manager. You are responsible for multiple remote Cisco ASA security appliances administered through Cisco ASDM. Recently, you have been tasked to configure one of these Cisco ASA security appliances for SSL VPNs and are requiring a client certificate, as shown. How will this configuration affect your next ASDM connection to this Cisco ASA security appliance?

A. You would be required to download the identity certificate of the remote Cisco ASA security appliance.
B. You would be asked to present an identity certificate. If you did not have one, the Cisco ASA security appliance would prompt you for authentication credentials, consisting of a username and password.
C. Your connection would be handled the way it is always handled by this Cisco ASA security appliance.
D. You would be required to have an identity certificate that the Cisco ASA security appliance can use for authentication.

Answer: D

4. Which three statements correctly describe protocol inspection on the Cisco ASA adaptive security appliance? (Choose three.)

A. For the security appliance to inspect packets for signs of malicious application misuse, you must enable advanced (application layer) protocol inspection.
B. If you want to enable inspection globally for a protocol that is not inspected by default or if you want to globally disable inspection for a protocol, you can edit the default global policy.
C. The protocol inspection feature of the security appliance securely opens and closes negotiated ports and IP addresses for legitimate client-server connections through the security appliance.
D. If inspection for a protocol is not enabled, traffic for that protocol may be blocked.

Answer: BCD

5. Study the following exhibit carefully. You work as the network administrator of a corporate Cisco ASA security appliance with a Cisco ASA AIP-SSM. You are asked to use the AIP-SSM to protect corporate DMZ web servers. The AIP-SSM has been configured, and a service policy has been configured to identify the traffic to be passed to the AIP-SSM. On which two interfaces would application of the service policy for the AIP-SSM be most effective while causing the least amount of impact to Cisco ASA security appliance performance? (Choose two.)

A. Internet interface
B. dmz interface
C. globally on all interfaces
D. outside interface

Answer: BD

6. Multimedia applications transmit requests on TCP, get responses on UDP or TCP, use dynamic ports, and use the same port for source and destination, so they can pose challenges to a firewall. Which three items are true about how the Cisco ASA adaptive security appliance handles multimedia applications? (Choose three.)

A. It dynamically opens and closes UDP ports for secure multimedia connections, so you do not need to open a large range of ports.
B. It supports SIP with NAT but not with PAT.
C. It supports multimedia with or without NAT.
D. It supports RTSP, H.323, Skinny, and CTIQBE.

Answer: ACD

7. Which two options are correct about the impacts of this configuration? (Choose two.)

    class-map INBOUND_HTTP_TRAFFIC
     match access-list TOINSIDEHOST
    class-map OUTBOUND_HTTP_TRAFFIC
     match access-list TOOUTSIDEHOST
    policy-map MYPOLICY
     class INBOUND_HTTP_TRAFFIC
      inspect http
      set connection conn-max 100
    policy-map MYOTHERPOLICY
     class OUTBOUND_HTTP_TRAFFIC
      inspect http
    service-policy MYOTHERPOLICY interface inside
    service-policy MYPOLICY interface outside

A. Traffic that matches access control list TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.
B. Traffic that enters the security appliance through the inside interface is subject to HTTP inspection.
C. Traffic that enters the security appliance through the outside interface and matches access control list TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.
D. Traffic that enters the security appliance through the inside interface and matches access control list TOOUTSIDEHOST is subject to HTTP inspection.

Answer: CD

8. Refer to the exhibit. You have configured a Layer 7 policy map to match the size of HTTP header fields that are traversing the network. Based on this configuration, will HTTP headers that are greater than 200 bytes be logged?

A. No, because the reset action for headers greater than 100 bytes would be the first match.
B. Yes, because the log action for headers greater than 200 bytes would be the last match.
C. Yes, because the reset action for headers greater than 100 bytes and the log action for headers greater than 200 bytes would both be applied.
D. No, because reset or log actions are a part of the service policy and the Layer 7 policy map.

Answer: A

9. What is the reason that you want to configure VLANs on a security appliance interface?

A. for use in conjunction with device-level failover to increase the reliability of your security appliance
B. for use in transparent firewall mode, where only VLAN interfaces are used
C. to increase the number of interfaces available to the network without adding additional physical interfaces or security appliances
D. for use in multiple context mode, where you can map only VLAN interfaces to contexts

Answer: C

10. You work as a network security administrator for your company. Now, you are asked to configure the corporate Cisco ASA security appliance to take the following steps on its outside interface:

- rate limit all IP traffic from telecommuting system engineers to the insidehost
- drop all HTTP requests from the Internet to the web server that have a body length greater than 1000 bytes
- prevent users on network 192.168.6.0/24 from using the FTP PUT command to store .exe files on the FTP server

In order to achieve this objective, which set of Modular Policy Framework components will be included?

A. one Layer 7 class map, two Layer 7 policy maps, three Layer 3/4 class maps, one Layer 3/4 policy map
B. three Layer 7 policy maps, one Layer 3/4 class map, one Layer 3/4 policy map
C. one Layer 7 class map, one Layer 7 policy map, three Layer 3/4 class maps, one Layer 3/4 policy map
D. two Layer 7 class maps, one Layer 7 policy map, three Layer 3/4 class maps, one Layer 3/4 policy map

Answer: A

11. Which one of the following commands can provide detailed information about the crypto map configurations of a Cisco ASA adaptive security appliance?

A. show ipsec sa
B. show crypto map
C. show run ipsec sa
D. show run crypto map

Answer: D

12. Cisco ASA 5500 Series Adaptive Security Appliances are easy-to-deploy solutions that integrate world-class firewall, Unified Communications (voice/video) security, SSL and IPsec VPN, intrusion prevention (IPS), and content security services in a flexible, modular product family. You are asked to configure a Cisco ASA 5505 Adaptive Security Appliance as an Easy VPN hardware client. In the process of configuration, you defined a list of backup servers for the security appliance to use. After several hours of being connected to the primary VPN server, the security appliance fails. You notice that your Easy VPN hardware client has now connected to a backup server that is not defined within the configuration of the client. Where did your Easy VPN hardware client get this backup server?

A. The connection profile that was configured on the primary VPN server was pushed to your Easy VPN hardware client and overwrote the list of backup servers that you had configured.
B. The group policy that was configured on the primary VPN server was pushed to your Easy VPN client and overwrote the list of backup servers that you had configured.
C. The backup servers that you listed were not configured as VPN servers, so the Easy VPN hardware client used the list of backup servers retrieved from the primary server.
D. The backup servers that you listed were no longer available, so the Easy VPN hardware client used the list of backup servers that it retrieved from the primary server.

Answer: B

13. Which three features can the Cisco ASA adaptive security appliance support? (Choose three.)

A. BGP dynamic routing
B. 802.1Q VLANs
C. OSPF dynamic routing
D. static routes

Answer: BCD

14. You are the network administrator for your company. Study the exhibit carefully. You are responsible for a Cisco ASA security appliance configured with a local CA. According to the exhibit below, what is the reason that the user student1 will use this password?

A. retrieval of the Cisco ASA security appliance identity certificate
B. retrieval of the digital certificate from the local CA on the Cisco ASA security appliance
C. the initial authentication to the SSL VPN server
D. authentication to the SSL VPN server

Answer: B

15. Which two statements are true about multiple context mode? (Choose two.)

A. Multiple context mode does not support IPS, IPsec, and SSL VPNs, or dynamic routing protocols.
B. Multiple context mode enables you to create multiple independent virtual firewalls with their own security policies and interfaces.
C. Multiple context mode enables you to add to the security appliance a hardware module that supports up to four independent virtual firewalls.
D. When you convert from single mode to multiple mode, the security appliance automatically adds an entry for the admin context to the system configuration with the name "admin."

Answer: BD

16. Observe the following exhibit carefully. When TCP connections are tunneled over another TCP connection and latency exists between the two endpoints, each TCP session would trigger a retransmission, which can quickly spiral out of control when the latency issues persist. This issue is often called TCP-over-TCP meltdown. According to the presented Cisco ASDM configuration, which Cisco ASA security appliance configuration will most likely solve this problem?

A. Compression
B. MTU size of 500
C. Keepalive Messages
D. Datagram TLS

Answer: D

17. For creating and configuring a security context, which three tasks are mandatory? (Choose three.)

A. allocating interfaces to the context
B. assigning MAC addresses to context interfaces
C. creating a context name
D. specifying the location of the context startup configuration

Answer: ACD

18. Which two statements about the downloadable ACL feature of the security appliance are correct? (Choose two.)

A. Downloadable ACLs are supported using TACACS+ or RADIUS.
B. Downloadable ACLs enable you to store full ACLs on a AAA server and download them to the security appliance.
C. The security appliance supports only per-user ACL authorization.
D. The downloadable ACL must be attached to a user or group profile on a AAA server.

Answer: BD

19. While implementing QoS, which two types of queues are available on the Cisco ASA security appliance? (Choose two.)

A. weighted fair
B. round robin queue
C. low latency queue
D. best effort queue

Answer: CD

20. Which three commands can display the contents of flash memory on the Cisco ASA adaptive security appliance? (Choose three.)

A. show disk0:
B. show memory
C. dir
D. show flash:

Answer: ACD

21. Study the exhibit below carefully. Apply the FTP inspection map named L7FTPPOLICY to the outside interface of the security appliance. Because of this configuration, which action will the security appliance take on FTP traffic entering its outside interface?

A. resets and logs connections from abc.com users only when they attempt to retrieve files via FTP; resets connections from xyz.com users only when they attempt to deliver files via FTP
B. resets and logs connections from any user who attempts to retrieve files via FTP; resets connections from xyz.com users who attempt to deliver files via FTP
C. resets and logs connections from abc.com users when they attempt to retrieve files via FTP; resets all FTP connections from xyz.com users; resets any user connections that attempt to deliver files via FTP
D. resets connections from abc.com and xyz.com users when they attempt to retrieve files via FTP; logs any user connections that attempt to deliver files via FTP

Answer: C

22. Which options can a clientless SSL VPN user access from a web browser without port forwarding, smart tunnels, or browser plug-ins?

A. internal websites
B. Microsoft Outlook Web Access
C. files on the network, via FTP or the CIFS protocol
D. web-enabled applications

Answer: ABCD

23. Of the following internal channels, which two can be used for communication between the Cisco ASA AIP-SSM and the Cisco ASA security appliance? (Choose two.)

A. inline channel
B. promiscuous channel
C. control channel
D. data channel

Answer: CD

24. The CISCO security department would like to apply specific restrictions to one network user, Bob, because he works from home and accesses the corporate network from the outside interface of the security appliance. CISCO decides to control network access for this user by using the downloadable ACL feature of the security appliance. Authentication of inbound traffic is already configured on the security appliance, and Bob already has a user account on the Cisco Secure ACS. Which three tasks should be completed in order to achieve the goal of limiting network access for Bob via downloadable ACLs? (Choose three.)

A. Configure the security appliance to use downloadable ACLs.
B. Attach the downloadable ACL to the user profile for Bob on the Cisco Secure ACS.
C. Configure the Cisco Secure ACS to use downloadable ACLs.
D. Configure the downloadable ACLs on the Cisco Secure ACS.

Answer: BCD

25. You work as a network administrator for your company. You are asked to edit a user-specific policy. You have configured a group policy for Sales to use the IP address pool defined by the pool VPNPOOL and to allow as many as three simultaneous logins. According to the exhibit below, when this user connects, what will be the IP address assigned to the connection and what will be the number of simultaneous logins allowed for this user? (Choose two.)

A. The user will be allowed to make as many as three simultaneous connections.
B. The user will be allowed to make only one connection.
C. The user will receive an IP address from the address pool that is defined in the default group policy.
D. The user will be assigned the IP address from the user-specific policy.

Answer: BD

26. Which two options are correct about the threat detection feature of the Cisco ASA adaptive security appliance? (Choose two.)

A. The security appliance scanning threat detection feature is based on traffic signatures.
B. Because of their impact on performance, both basic threat detection and scanning threat detection are disabled by default.
C. The threat detection feature can help you determine the level of severity for packets that are detected and dropped by the security appliance inspection engines.
D. Scanning threat detection detects network sweeps and scans and optionally takes appropriate preventative action.

Answer: CD

27. Modular Policy Framework provides a consistent and flexible way to configure security appliance features in a manner similar to Cisco IOS software QoS CLI. Which three Cisco Modular Policy Framework features are bidirectional? (Choose three.)

A. AIP policy
B. QoS priority queue
C. CSC policy
D. application inspection

Answer: ACD

28. You have just cleared the configuration on your Cisco ASA adaptive security appliance, which contains in its flash memory one ASA image file (asa802-k8.bin), one ASDM image file (asdm-602.bin), and no configuration files. You would like to reconfigure the Cisco ASA adaptive security appliance by use of Cisco ASDM, but you realize that you can't access Cisco ASDM. Which set of commands offers the minimal configuration required to access Cisco ASDM?

A. interface, nameif, setup (followed by the setup command interactive prompts)
B. setup (followed by the setup command interactive prompts)
C. interface, nameif, ip address, no shutdown, hostname, domain-name, clock set, http server enable
D. interface, nameif, ip address, hostname, domain-name, clock set, http server enable, asdm image

Answer: A

29. You are a new employee of your company. Recently, you have been tasked to configure a Cisco ASA security appliance for multiple VLANs that use one physical interface. The switch to which the physical Cisco ASA security appliance interface is connected should be configured for the appropriate VLAN tagging protocol. In order to achieve this goal, which VLAN tagging protocol will the Cisco ASA security appliance use to communicate with this switch?

A. IEEE 802.1AE
B. IEEE 802.1Q
C. ISL
D. IEEE 802.3

Answer: B

30. For configuring VLAN trunking on a security appliance interface, which three actions are mandatory? (Choose three.)

A. specifying the maximum transmission unit for a subinterface
B. specifying a name for a subinterface
C. associating a logical interface with a physical interface
D. specifying a VLAN ID for a subinterface

Answer: BCD

31. According to the following exhibit, when a host on the inside network attempts an HTTP connection to a host at IP address 172.26.10.100, which address pool will be used by the Cisco ASA security appliance for the NAT?

A. 192.168.8.20 - 192.168.8.110
B. 192.168.8.101 - 192.168.8.105
C. 192.168.8.106 - 192.168.8.110
D. 192.168.8.20 - 192.168.8.100

Answer: D

32. For the following items, which three types of information could be found in the syslog output for an adaptive security appliance? (Choose three.)

A. time stamp and date
B. logging level
C. hostname of the packet sender
D. message text

Answer: ABD

33. You are the administrator for Cisco ASA security appliances that are used for site-to-site VPNs between remote and corporate offices. You have used the Service Policy Rule Wizard within ASDM to configure low-latency queuing for unified communications on all the appropriate ASAs. Users are still having issues with unified communications between the remote and corporate offices. Assuming that the Cisco Unified Communications equipment is functioning properly and that the VPN configurations are correct, which of these choices is most likely the cause of the problems?

A. A priority queue must be created on the interface where the site-to-site VPN tunnel is terminated.
B. Both a policing and priority queue must be applied on the interface to expedite the voice and control data flows.
C. The DSCP, expedite forward, ef (46), was used to determine unified communications traffic within the Service Policy Rule Wizard.
D. The tunnel group and DSCP traffic matching criteria were configured within the Service Policy Rule Wizard.

Answer: A

34. During a stateful active/standby failover, which two events will happen? (Choose two.)

A. The user authentication (uauth) table is passed to the standby unit.
B. SIP signaling sessions are lost.
C. The standby unit becomes the active unit.
D. The secondary unit inherits the IP addresses of the primary unit.

Answer: CD

35. Which three items are main components of Cisco Modular Policy Framework? (Choose three.)

A. traffic policy
B. policy map
C. class map
D. service policy

Answer: BCD

36. The security department of the CISCO company wants to configure cut-through proxy authentication via RADIUS to require users to authenticate before accessing the corporate DMZ servers. Which three tasks are needed to achieve this goal? (Choose three.)

A. Specify a AAA server group.
B. Designate an authentication server.
C. Configure per-user override.
D. Configure a rule that specifies which traffic flow to authenticate.

Answer: ABD

37. An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. After configuring port forwarding for a clientless SSL VPN connection, if port forwarding is to work, which end user privilege level is required at the endpoint?

A. system level
B. administrator level
C. user level
D. guest level

Answer: B

38. In an active/active failover configuration, which event triggers failover at the failover group level?

A. The no failover active command is entered in the system configuration.
B. The unit has a software failure.
C. Two monitored interfaces in the group fail.
D. The no failover active group group_id command is entered in the system configuration.

Answer: D

39. Tom wants to configure bookmarks for the clientless SSL VPN portal on his Cisco ASA security appliance. Which items are supported bookmark types?

A. HTTP
B. HTTPS
C. FTP
D. CIFS

Answer: ABCD

40. Which two statements correctly describe the local user database in the security appliance? (Choose two.)

A. You can create user accounts with or without passwords in the local database.
B. You cannot use the local database for network access authentication.
C. You can configure the security appliance to lock a user out after the user meets a configured maximum number of failed authentication attempts.
D. The default privilege level for a new user is 15.

Answer: AC

41. You work as a network engineer for your company. Recently, you have been tasked with verifying the Cisco ASA security appliance interfaces that are used for a web connection from the Internet to a DMZ web server. According to the presented Configuration > Device Setup > Interfaces pane, which two interfaces will a connection traverse when it is coming from the Internet and connecting to the web server with the IP address 172.16.20.10? (Choose two.)

A. GigabitEthernet0/0
B. GigabitEthernet0/2.30
C. Management0/0
D. GigabitEthernet0/2.20

Answer: AD

42. You are the network security administrator for CISCO Corporation. You are asked to configure active/standby failover using Cisco ASDM between two Cisco ASA adaptive security appliances at corporate headquarters. You deploy the Cisco ASDM High Availability and Scalability Wizard and feel confident that the configuration is correct on both security appliances. However, the show failover command output indicates that one interface remains constantly in the waiting state and never normalizes. Which two troubleshooting steps should be taken? (Choose two.)

A. Verify that EtherChanneling is enabled on any switch port that connects to the security appliances.
B. Verify that the line and protocol of the interface are up on the primary and secondary security appliance interfaces.
C. Verify that PortFast is enabled on any switch port that connects to the security appliances.
D. Verify that the security appliances have the same feature licenses.

Answer: BC

43. On the basis of the Configuration > Device Setup > Interfaces pane displayed in the following exhibit, which is the model number of this Cisco ASA security appliance?

A. Cisco ASA 5505 Adaptive Security Appliance
B. Cisco ASA 5540 Adaptive Security Appliance
C. Cisco ASA 5550 Adaptive Security Appliance
D. Cisco ASA 5580 Adaptive Security Appliance

Answer: A

44. What does the redundant interface feature of the security appliance accomplish?

A. to allow a VPN client to send IPsec-protected traffic to another VPN user by allowing such traffic in and out of the same interface
B. to increase the number of interfaces available to your network without requiring you to add additional physical interfaces or security appliances
C. to increase the reliability of your security appliance
D. to facilitate out-of-band management

Answer: C

45. Observe the exhibit carefully. You are asked to review the configuration of the clientless SSL VPN connection profile, which was created by a junior administrator. Which authentication method is configured in the clientless profile?

A. The Cisco ASA security appliance requires AAA authentication to the external AAA server LOCAL if the remote user does not have an identity certificate for authentication.
B. The Cisco ASA security appliance accepts an identity certificate or a username and password for authentication of remote users, but not both.
C. The Cisco ASA security appliance requires a username and password if the remote user does not have an identity certificate for authentication.
D. The Cisco ASA security appliance requires both an identity certificate and username and password for authentication of remote users.

Answer: D
