Net Auth Exam 3
What is the most trustworthy security level that can be configured on an ASA device interface? 0 50 100 255
100
Which IPsec framework protocol provides data integrity and data authentication, but does not provide data confidentiality? AH IP protocol 50 ESP DH
AH
Which statement is true about ASA CLI and IOS CLI commands? Both CLIs recognize the Tab key to complete a partial command. Only the ASA CLI requires the use of Ctrl-C to interrupt show commands. The show ip interface brief command is valid for both CLIs. The ASA CLI does not recognize the write erase command, but the IOS CLI does.
Both CLIs recognize the Tab key to complete a partial command.
What is the default group policy name on an ASA 5505 device? Dflt.Grp.Policy Dflt-Grp-Policy Dflt Grp Policy DfltGrpPolicy
DfltGrpPolicy
Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers from a variety of protocols? OSPF IPsec IKE GRE PPP
GRE
Which are the five security associations to configure in ISAKMP policy configuration mode? Hash, Authentication, Group, Lifetime, Encryption Hash, Authentication, GRE, Lifetime, ESP Hash, Authorization, Group, Lifetime, Encryption Hash, Accounting, Group, Lifetime, ESP
Hash, Authentication, Group, Lifetime, Encryption
During which part of establishing an IPsec VPN tunnel between two sites would NAT-T detection occur? IKE Phase 1 IKE Phase 2 ISAKMP Phase 1 ISAKMP Phase 2
IKE Phase 1
What takes place during IKE Phase 2 when establishing an IPsec VPN? IPsec security associations are exchanged. Traffic is exchanged between IPsec peers. ISAKMP security associations are exchanged. Interesting traffic is identified.
IPsec security associations are exchanged.
Which statement describes the operation of the IKE protocol? It uses IPsec to establish the key exchange process. It uses sophisticated hashing algorithms to transmit keys directly across a network. It calculates shared keys based on the exchange of a series of data packets. It uses TCP port 50 to exchange IKE information between the security gateways.
It calculates shared keys based on the exchange of a series of data packets.
What is one benefit of using ASDM to configure a Cisco ASA? It is easier to use. It does not require software setup to begin configuration. It does not require any knowledge of networking. It does not require a remote connection to a Cisco device.
It is easier to use.
Which Cisco secure access solution can be used to determine if hosts are compliant with security policies? Network Admission Control Appliance Cisco Secure Access Control System Cisco AnyConnect Secure Mobility Solutions Cisco Adaptive Wireless IPS Software
Network Admission Control Appliance
What are the two methods that can be used to start the Cisco ASDM? (Choose two.) Run Cisco ASDM as a local service. Run Cisco ASDM as a flash application. Run Cisco ASDM as a local application. Run Cisco ASDM as a local startup application. Run Cisco ASDM as a Java Web Start application.
Run Cisco ASDM as a local application. Run Cisco ASDM as a Java Web Start application.
What protocol is used by SCP for secure transport? IPSec HTTPS SSH Telnet TFTP
SSH
Where is an IP address configured on an ASA 5505 device? SVI interface physical Layer 3 interface physical Layer 2 interface VTY lines
SVI interface
Which ASDM wizard would allow a network administrator to configure an ASA for NAT/PAT? ASDM Identity Certificate Wizard High Availability and Scalability Wizard Startup Wizard VPN wizards
Startup Wizard
When testing the tunnel to verify a site-to-site VPN connection between an ISR and an ASA, why does an initial ping fail, but subsequent pings succeed? The connection was not successful. The first ping is not considered interesting traffic. The ASA and ISR must negotiate the tunnel parameters. The ISR has an incorrect configuration.
The ASA and ISR must negotiate the tunnel parameters.
What are three characteristics of ASA transparent mode? (Choose three.) This mode does not support VPNs, QoS, or DHCP Relay. The interfaces of the ASA separate Layer 3 networks and require IP addresses in different subnets. It is the traditional firewall deployment mode. NAT can be implemented between connected networks. This mode is referred to as a "bump in the wire." In this mode the ASA is invisible to an attacker.
This mode does not support VPNs, QoS, or DHCP Relay. This mode is referred to as a "bump in the wire." In this mode the ASA is invisible to an attacker.
What are the two examples of minimum configurations that are required on an ASA 5505 before ASDM can be used? (Choose two.) SSH AAA authentication and authorization Ethernet 0/0 a logical VLAN interface and an Ethernet port other than 0/0 a dedicated Layer 3 management interface
a logical VLAN interface and an Ethernet port other than 0/0 a dedicated Layer 3 management interface
Which method is used to identify interesting traffic needed to create an IKE phase a permit access list entry a security association transform sets hashing algorithms
a permit access list entry
What are the two major components of a security awareness program? (Choose two.) awareness campaign security policy development security solution development self-defending network implementation training and education
awareness campaign training and education
The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks? authentication confidentiality Diffie-Hellman integrity nonrepudiation
confidentiality
What is the first step in establishing an IPsec VPN? detection of interesting traffic negotiation of ISAKMP policies creation of a secure tunnel to negotiate a security association policy creation of an IPsec tunnel between two IPsec peers
detection of interesting traffic
What two features must match between ASA devices to implement a failover configuration? (Choose two.) source IP address device model amount of RAM next-hop destination software configuration
device model amount of RAM
Where is the Cisco AnyConnect client image found on the Cisco ASA? RAM ROM TFTP server flash
flash
Which IPsec security function provides assurance that the data received via a VPN has not been modified in transit? confidentiality integrity authentication secure key exchange
integrity
Which three security features do ASA models 5505 and 5510 support by default? (Choose three.) content security and control module Cisco Unified Communications (voice and video) security intrusion prevention system stateful firewall VPN concentrator Zone-Based Policy Firewall
intrusion prevention system stateful firewall VPN concentrator
What is the purpose of configuring an IP address on an ASA device in transparent mode? management NAT VPN connectivity routing
management
Which object or object group is required to implement NAT on an ASA 5505 device? network object group network object service object protocol object group
network object
Which solution allows workers to telecommute effectively and securely? site-to-site VPN remote-access VPN dial-up connection DSL connection
remote-access VPN
What is a benefit of having users or remote employees use a VPN to connect to the existing network rather than growing the network infrastructure? security scalability cost savings compatibility
scalability
By default, which type of certificate is used by an ASA 5505 for client authentication? purchased certificate self-signed certificate third-party certificate No certificates are used by default. The type must be specified.
self-signed certificate
Which VPN implementation allows traffic that originates from a remote-access client to be separated into trusted VPN traffic and untrusted traffic destined for the public hairpinning split tunneling GRE MPL
split tunneling
When ASDM is used to configure the ASA for a site-to-site VPN, which address is entered in the Peer Device Identification window? the IP address of the outbound interface the MAC address of the outbound interface the IP address of the peer the MAC address of the peer
the IP address of the peer
What is defined by an ISAKMP policy? the security associations that IPsec peers are willing to use the preshared keys that will be exchanged between IPsec peers access lists that identify interesting traffic the IP addresses of IPsec peers
the security associations that IPsec peers are willing to use
When the CLI is used to configure an ISR for a site-to-site VPN connection, what is the purpose of the crypto map command in interface configuration mode? to bind the interface to the ISAKMP policy to create the crypto map to identify the location of the peer to create the ISAKMP policy
to bind the interface to the ISAKMP policy