QUESTION 91
John the security administrator at Certkiller Inc. is configuring the PIX Firewall to forward multicast transmissions from an inside source. Which of these steps are necessary? (Choose two)
A. It is necessary for John to use the igmp join-group command to enable the PIX Firewall to forward IGMP reports.
B. It is necessary for John to use the multicast interface command to enable multicast forwarding on each PIX Firewall interface.
C. It is necessary for John to use the igmp forward command to enable multicast forwarding on each PIX Firewall interface.
D. It is necessary for John to use the mroute command to create a static route from the transmission source to the next-hop router interface.
E. It is necessary for John to use the route command to create a static route from the transmission source to the next-hop router interface.
Correct Answer: BD Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the Mroute command to create a static route from the transmission source to the next-hop router
interface.
Inside Multicast transmission source example
Pixfirewall (config)# multicast interface outside
Pixfirewall (config-multicast)# exit
Pixfirewall (config)# multicast interface inside
Pixfirewall (config-multicast)# mroute 10.0.0.11 255.255.255.255 inside 230.1.1.2 255.255.255.255 outside
In the figure, multicast traffic is enabled on the inside and outside interfaces. A static multicast route is
configured to enable inside host 10.0.0.11 to transmit multicasts to members of group 230.1.1.2 on the
outside interface.
Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 9 pages 13-14
QUESTION 92
Greg, the security administrator at Certkiller Inc., is working on allowing multicast transmissions to hosts on the
PIX Firewall.
What must Greg do to enable hosts behind the PIX Firewall to receive multicast transmissions? (Choose
two)
A. Greg must use the multicast interface command to enable multicast forwarding on each interface and place the interfaces in multicast promiscuous mode.
B. Greg must use the igmp forward command to enable IGMP forwarding on each PIX Firewall interface connected to hosts that will receive multicast transmissions.
C. Greg must use the igmp join-group command to configure the PIX Firewall to join a multicast group.
D. Greg must use the multicast interface command to enable multicast forwarding on each interface and place the interfaces in multicast safe mode.
E. Use the permit option of the access-list command to configure an ACL that allows traffic to permissible Class D destination addresses.
Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the multicast interface command to enable multicast forwarding on each interface and place the
interfaces in multicast promiscuous mode.
Use the igmp forward command to enable IGMP forwarding on each PIX Firewall interface connected to hosts that
will receive multicast transmissions.
Pixfirewall (config)# multicast interface dmz
Pixfirewall (config-multicast)# exit
Pixfirewall (config)# multicast interface inside
Pixfirewall (config-multicast)# igmp forward interface dmz
Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 9 pages 10 and 12
QUESTION 93
Kathy is the security administrator at Certkiller Inc., and she needs to know which protocol the PIX Firewall uses to enable call handling sessions, particularly two-party audio conferences or calls.
A. Remote Function Call
B. Real-Time Transport Protocol
C. Session Initiation Protocol
D. Point-to-Point Protocol over Ethernet
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Session Initiation Protocol (SIP) enables call handling sessions, particularly two-party audio conferences, or
“calls.”
Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap10 page 13
QUESTION 94
What will you advise the Certkiller trainee to do to enable hosts behind the PIX Firewall to receive multicast transmissions? Choose all that apply.
A. Use the igmp join-group command to configure the PIX Firewall to join a multicast group.
B. Use the multicast interface command to enable multicast forwarding on each interface and place the interface in multicast safe mode.
C. Use the multicast interface command to enable multicast forwarding on each interface and place the interfaces in multicast promiscuous mode.
D. Use the igmp forward command to enable IGMP forwarding on each PIX Firewall interface connected to hosts that will receive multicast transmissions.
E. Use the permit option of the access-list command to configure an ACL that allows traffic to permissible Class D destination addresses.
Correct Answer: CD Section: (none) Explanation
QUESTION 95
Which of the following statements regarding PIX Firewall’s multicasting capabilities are valid? Select three.
A. The PIX Firewall is incapable of supporting multicast.
B. The PIX Firewall is capable of supporting Stub Multicast Routing.
C. The only way you can currently enable the PIX Firewall to pass multicast traffic is by constructing GRE tunnels.
D. To enable the PIX Firewall for Stub Multicast Routing, you must configure GRE tunnels for passing multicast traffic.
E. The PIX Firewall can be configured to act as an IGMP proxy agent.
F. When the PIX Firewall is configured for Stub Multicast Routing, it is not necessary to construct GRE tunnels to allow multicast traffic to bypass the PIX Firewall.
Correct Answer: BEF Section: (none) Explanation
Explanation/Reference:
Explanation:
With SMR, the PIX Firewall acts as an IGMP proxy agent. It forwards IGMP messages from hosts to the
upstream multicast router, which takes responsibility for forwarding multicast datagrams from one multicast
group to all other networks that have members in the group. When SMR is used, it is not necessary to
construct Generic Routing Encapsulation (GRE) tunnels to allow multicast traffic to bypass the PIX Firewall.
Reference:
CSPFA Student Guide v3.2 – Cisco Secure PIX Advanced p.13-30
QUESTION 96
pix1 (config)# multicast interface outside
pix1 (config-multicast)# igmp access-group 120
pix1 (config)# access-list 120 permit udp any host 10.0.1.20
pix1 (config)# multicast interface inside
pix1 (config-multicast)# igmp forward interface outside
Certkiller just completed the rollout of IP/TV. The first inside network MC client to use the new feature claims they cannot access the service. After viewing the above PIX Firewall configuration and network diagram, the administrator was able to determine the following:
A. The PIX multicast configuration is correct, the configuration problem exists in the MC client’s PC.
B. The igmp forward command was not correct; it should be changed to the following: pix1 (config-multicast)# igmp forward interface inside
C. The igmp access-group command was not correct; it should be changed to the following: pix1 (config-multicast)# igmp object-group 120
D. The access-list command was not correct; it should be changed to the following: pix1 (config)# access-list 120 permit udp any host 224.0.1.50
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 97
Your new network administrator at Certkiller has recently modified your PIX Firewall’s configuration.
You are suddenly experiencing security breaches involving Internet mail.
What change did the administrator make?
A. The administrator disabled the PIX Firewall's smtp fixup.
B. The administrator disabled the PIX Firewall's mailport fixup.
C. The administrator enabled the PIX Firewall's ils fixup on port 25.
D. The administrator defined the ports on which to activate Mail Guard.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the
RFC 821, section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/qref.htm
QUESTION 98
What port does the PIX Firewall inspect for FTP traffic, by default?
A. It does not inspect any port for FTP traffic.
B. The default port is 23.
C. The default port is 21.
D. The default port is 20.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
By default, the PIX Firewall inspects port 21 connections for FTP traffic. If you have FTP servers using
ports other than port 21, you need to use the fixup protocol ftp command to have the PIX Firewall inspect
these other ports for FTP traffic.
Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 10 page 7
QUESTION 99
James the security administrator at Certkiller Inc. is working on the SYN Flood Guard command. Which two commands can James use to enable SYN Flood Guard? (Choose two)
A. The nat command
B. The static command
C. The alias command
D. The synflood command
Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the static command to limit the number of embryonic connections allowed to the server to protect
internal hosts against DoS attacks.
Use the nat command to protect external hosts against DoS attacks, and to limit the number of embryonic
connections allowed to the server.
Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 5 pages 69 and 71
QUESTION 100
Certkiller's web traffic has come to a halt because your PIX Firewall is dropping all new connection
attempts.
Why?
A. The shun feature of the PIX Firewall has taken effect because the embryonic threshold you set in the nat command was reached.
B. You are running a software version older than 5.2, and the embryonic threshold you set in the static command was reached.
C. The TCP Intercept feature of the PIX Firewall has taken effect because the embryonic threshold you set in the static command was reached.
D. The intrusion detection feature of the PIX Firewall has taken effect because the embryonic threshold you set in the conduit command was reached.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Prior to version 5.2, PIX Firewall offered no mechanism to protect systems reachable via a static and TCP conduit from TCP SYN segment attacks. With the new TCP intercept feature, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN segment bound for the affected server is intercepted. This feature requires no change to the PIX Firewall command set, only that the embryonic connection limit on the static command now has a new behavior.
Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/relnotes/pixrn521.pdf also see: Cisco Secure PIX Firewall Advanced 3.1 chap 11 page 13
QUESTION 101
How will you go about configuring the PIX Firewall to protect against SYN floods?
A. Make use of the emb_conns argument to limit the number of fully opened connections.
B. Set the max_conns option in the nat command to less than the server can handle.
C. Set the emb_limit option in the name command to less than the server can handle.
D. Set the emb_limit option in the static command to less than the server can handle.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The emb_limit option specifies the maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set a small value for slower systems, and a higher value for faster systems. The default is 0, which means unlimited embryonic connections. The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. When the embryonic limit is surpassed, the TCP intercept feature intercepts TCP synchronization (SYN) packets from clients to servers on a higher security level. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The PIX Firewall accomplishes TCP intercept functionality using SYN cookies.
Note: This option does not apply to outside NAT. The TCP intercept feature applies only to hosts or servers on a higher security level. If you set the embryonic limit for outside NAT, the embryonic limit is ignored.
QUESTION 102
In which way does the DNS Guard feature help in the prevention of UDP session hijacking and DoS attacks?
A. It prevents all DNS responses from passing through the PIX Firewall.
B. It prevents any DNS name resolution requests to DNS servers behind the PIX Firewall.
C. If multiple DNS servers are queried, only the first answer from the first server to reply is allowed through the PIX Firewall. The PIX does not wait for the default UDP timer to close the sessions but tears down connections to all DNS servers after receiving the first reply.
D. Only the first reply from any given DNS server is allowed through the PIX Firewall. The PIX discards all other replies from the same server.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Generic UDP handling of DNS queries leaves connections open longer than prudent. Instead, the PIX Firewall identifies each outbound DNS resolve request and then tears down the connection as soon as the reply is received.
Reference: PIX FW Advanced, Cisco Press, p. 365-366
QUESTION 103
What PIX feature prevents DNS DoS attacks?
A. DNS MAX
B. Dynamic DNS
C. DNS SYN Reject
D. DNS Flood Guard
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
DNS Flood Guard prevents multiple responses to a DNS request. Only one DNS response is let through the
PIX to the requesting host, and all other DNS responses are dropped. This helps prevent the requesting host from
experiencing a DNS DoS.
QUESTION 104
John, the security administrator for Certkiller Inc., is working on securing the firewall using a blocking
function.
Which command applies a blocking function to an interface receiving an attack?
A. The shun command
B. The conduit command
C. The ip deny command
D. The interface command
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
shun src_ip [dst_ip sport dport [protocol]] applies a blocking function to an interface.
Reference:
Cisco Secure PIX Firewall Advanced 3.1 11-22
QUESTION 105
Kathy the security administrator at Certkiller Inc. is working on enabling IDS in the PIX Firewall. Which command enables intrusion detection in the PIX Firewall?
A. The shun command
B. The ip audit command
C. The enable ids command
D. The ids enable command
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Intrusion detection, or auditing, is enabled on the PIX Firewall with the ip audit commands.
Reference:
Cisco Secure PIX Firewall Advanced 3.1 chap 5 pages 69 and 71
QUESTION 106
Which of the following statements regarding intrusion detection in the PIX Firewall are valid? Choose two.
A. When a policy for a given signature class is created and applied to an interface, all supported signatures of that class are monitored unless you disable them.
B. Only the signatures you enable will be monitored.
C. The PIX Firewall supports only inbound auditing.
D. IP audit policies must be applied to an interface with the ip audit interface command.
E. When a policy for a given signature class is created and applied to an interface, all supported signatures of that class are monitored and cannot be disabled until you remove the policy from the interface.
F. IP audit policies must be applied to an interface with the ip audit signature command.
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
Each interface can have two policies: one for informational signatures and one for attack signatures. If you
want them both to be active simultaneously, they should share the same policy name. When a policy for a
given signature class is created and applied to an interface, all supported signatures of that class are
monitored unless you disable them with the ip audit signature disable command.
Reference:
CSPFA Student Guide v3.2 – Cisco Secure PIX Advanced p.10-18
QUESTION 107
What is the rationale behind using the shun command?
A. PIX Firewall does not support shunning.
B. To enable the PIX Firewall to detect and block intrusion attempts.
C. You know the IP address of an attacking host and want the PIX Firewall to drop packets containing its source address.
D. You know the IP address of an attacking host and want the PIX Firewall to drop packets containing its destination address.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: The shun command applies a blocking function to the interface receiving the attack. Packets containing the IP source address of the attacking host will be dropped and logged until the blocking function is removed manually or by the Cisco IDS master unit. No traffic from the IP source address will be allowed to traverse the PIX Firewall unit, and any remaining connections will time out as part of the normal architecture. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active. If the shun command is used only with the source IP address of the host, then the other defaults will be 0. No further traffic from the offending host will be allowed. Because the shun command is used to block attacks dynamically, it is not displayed in your PIX Firewall configuration.
QUESTION 108
Which of the following statements regarding intrusion detection in the PIX Firewall is valid?
A. The PIX Firewall supports a subset of the intrusion detection signatures supported by the Cisco IDS product family.
B. The PIX Firewall can detect three different types of signatures: information signatures, alarm signatures, and attack signatures.
C. The PIX Firewall supports the Cisco IDS PostOffice protocol that is used by the Cisco IDS appliances and the Catalyst 6000 IDSM.
D. The PIX Firewall recognizes the same signatures supported by the Cisco IDS product family.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
The Cisco IDS family can detect over 700 signatures while the PIX IDS can detect 56 different signatures.
QUESTION 109
How many different intrusion detection signatures (IDS) can a PIX Firewall detect?
A. 5
B. 17
C. 53
D. 96
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The PIX Firewall has modest IDS capabilities, including the scanning of up to 53 of the most common IDS
signatures.
QUESTION 110
John, the security administrator at Certkiller Inc., has configured the PIX Firewall and an AAA server for authentication. Telnet and FTP authentication work normally, but HTTP authentication does not. Why?
A. The problem is John has not enabled HTTP, Telnet, and FTP authorization, which is required for HTTP authentication.
B. The problem is John has not enabled HTTP authorization, which is required for HTTP authentication.
C. The problem is HTTP authentication is not supported.
D. The problem is re-authentication may be taking place with the web browser sending the cached username and password back to the PIX Firewall.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: HTTP – A window is displayed in the browser requesting a username and password. If authentication (and authorization) is successful, the user arrives at the destination web site beyond. Keep in mind that browsers cache usernames and passwords! If it appears that the PIX should be timing out an HTTP connection but is not doing so, it is likely that re-authentication actually is taking place, with the browser “shooting” the cached username and password to the PIX, which then forwards this to the authentication
server.
PIX syslog and/or server debug will show this phenomenon. If Telnet and FTP seem to work “normally”,
but HTTP connections do not, this is why.