Cisco 642-552 Question Description, Prepare for the Cisco 642-552 Prep Guide On Store


QUESTION 35
Which three ways can AAA services be implemented for Cisco routers? (Choose three.)
A. self-contained AAA services in the router itself
B. Cisco Secure ACS Network Module
C. Cisco Secure ACS Solution Engine
D. Cisco Security Manager AAA Service Module
E. Cisco Secure ACS for Windows Servers
F. Cisco Security Manager ACS Service Module

Correct Answer: ACE Section: (none) Explanation
Explanation/Reference:
Explanation: Authentication, authorization, and accounting (AAA) is a way to control who is allowed to access your network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting). AAA can be used in Internet Protocol Security (IPSec) to provide preshared keys during the Internet Security Association and Key Management Protocol (ISAKMP) process or to provide per-user authentication, known as XAUTH, during ISAKMP. AAA can be used to provide a mechanism for authorizing commands that administrators enter at the command line of a Cisco device. This is called command-line authorization. AAA is also seen in a Virtual Private Dial-Up Networking (VPDN) tunnel set up between two routers.
QUESTION 36
Which authentication method is based on the 802.1x authentication framework, and mitigates several of the weaknesses by using dynamic WEP and sophisticated key management on a per-packet basis?
A. PAP
B. CHAP
C. LEAP
D. ARAP
Correct Answer: C Section: (none) Explanation

Explanation/Reference:
Explanation: Cisco LEAP is an 802.1X authentication type for wireless LANs (WLANs) that supports strong mutual authentication between the client and a RADIUS server using a logon password as the shared secret. It provides dynamic per-user, per-session encryption keys.
QUESTION 37
Which two protocols does Cisco Secure ACS use for AAA services? (Choose two.)
A. TACACS+
B. Telnet
C. SSH
D. RADIUS
E. SSL
F. SMP

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
Cisco Secure ACS uses two distinct protocols for AAA services:
1. Remote Authentication Dial-In User Service (RADIUS)
2. Terminal Access Controller Access Control System (TACACS+)
QUESTION 38
Referring to the network diagram shown, Remote Access LAN users need access to the Corporate LAN. Which three Cisco IOS configuration commands will prevent users on the Remote LAN from spoofing their source IP address as a Corporate LAN user? (Choose three.)

A. access-list 1 deny 16.1.1.0 0.0.0.255 access-list 1 permit any
B. access-list 2 deny 16.2.1.0 0.0.0.255 access-list 2 permit any
C. int e0/0
D. int e0/1
E. ip access-group 1 in
F. ip access-group 2 out

Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
Explanation:
Explanation: We don't want to see any 16.1.1.0/24 traffic originating from (i.e. being spoofed from) the Remote Access LAN 16.2.1.0/24. Therefore, we would choose access-list 1 and apply it inbound on interface e0/1. Not F: option F cannot be the answer because you would never enter "ip access-group 2 out" when you have just created "access-list 1 ...". You shouldn't apply an ACL that doesn't exist (ACL 2) to any interface. In addition, standard access lists (numbered 1 to 99) can only match on the SOURCE IP of the traffic. Therefore, the list must be applied inbound on the e0/1 interface to have any effect on traffic sourced from the 16.1.1.0/24 network (which is what we are trying to block).
QUESTION 39
Which method does a Cisco router use for protocol type IP packet filtering?
A. inspection rules
B. standard ACLs
C. security policies
D. extended ACLs

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
There are many reasons to configure access lists. For example, you can use access lists to restrict the contents of routing updates, or to provide traffic flow control. But one of the most important reasons to configure access lists is to provide security for your network. A standard ACL can filter packets based on the source address only, whereas an extended ACL can filter based on source address, destination address, protocol type, port number, etc. Extended ACLs are therefore the ACL type most commonly used to filter packets.

QUESTION 40
Referring to the network diagram shown, which ACL entry will block any Telnet Client traffic from the Corporate LAN to any Telnet Servers on the Remote Access LAN?

A. access-list 190 deny tcp any eq 23 16.2.1.0 0.0.0.255
B. access-list 190 deny tcp 16.1.1.0 0.0.0.255 eq 23 16.2.1.0 0.0.0.255 eq 23
C. access-list 190 deny tcp any 16.1.1.0 0.0.0.255 eq 23
D. access-list 190 deny tcp any 16.2.1.0 0.0.0.255 eq 23
E. access-list 190 deny tcp 16.2.1.0 0.0.0.255 eq 23 16.1.1.0 0.0.0.255 eq 23

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: There are many reasons to configure access lists. For example, you can use access lists to restrict the contents of routing updates, or to provide traffic flow control. But one of the most important reasons to configure access lists is to provide security for your network. A standard ACL can filter packets based on the source address only, whereas an extended ACL can filter based on source address, destination address, protocol type, port number, etc. Extended ACLs are therefore the ACL type most commonly used to filter packets. The syntax of an extended ACL is: access-list <ACL number> permit|deny <protocol> <source address> <destination address> eq <port number>. According to the question, the Telnet connection must be blocked from any source, so the "any" keyword is used for the source. Telnet is a TCP-based service that uses port 23.
QUESTION 41
At which location in an access control list is it recommended that you place the more specific entries?
A. in the middle of the access control list
B. higher in the access control list
C. lower in the access control list
D. at the bottom of the access control list

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Place more specific access list statements higher in the access list. Ensure that statements at the top of the access list do not negate any statements found lower in the list. For example, blocking all UDP traffic at the top of the list negates the blocking of SNMP packets lower in the list.

QUESTION 42
To which router platform can Turbo ACLs be applied?
A. Cisco 800 Router
B. Cisco 2600 series router
C. Cisco 3500
D. Cisco 7200 Router

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The Turbo ACL feature, supported by Cisco 7200 Series, 7500 Series and 12000 Series routers, processes access lists into lookup tables. Packet headers are used to access these tables in a small, fixed number of lookups, independent of the existing number of ACL entries.
The benefits of the Turbo ACL feature are:

1. For ACLs larger than 3 entries, the CPU load required to match the packet to the predetermined packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the ACL, which allows for larger ACLs without incurring additional CPU overhead penalties. The larger the ACL, the greater the benefit.

2. The time taken to match the packet is fixed, so the latency of the packets is smaller (significantly so in the case of large ACLs) and, more importantly, the time taken to match is consistent, which allows better network stability and more accurate transit times.

QUESTION 43
Which Cisco IOS command enables the AAA access-control commands and functions on the router, and overrides the older TACACS and extended TACACS commands?
A. no aaa authentication login default enable
B. aaa authentication login default local
C. aaa new-model
D. login authentication default
E. no login authentication default
Correct Answer: C Section: (none) Explanation

Explanation/Reference:
Explanation:
The aaa new-model command forces the router to override every other authentication method previously configured for the router lines.
Warning!
If an administrative Telnet or console session is lost while enabling AAA on a Cisco router, and no local AAA user authentication account and method exists, the administrator will be locked out of the router.

QUESTION 44
Which type of access control list can secure multichannel operations that are based on upper-layer information?
A. dynamic
B. CBAC
C. Reflexive
D. Time-based

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: CBAC can secure multichannel operations based on upper-layer information. CBAC examines packets as they enter or leave router interfaces, and determines which application protocols to allow. CBAC access lists are available starting in Cisco IOS Software Release 12.0T as part of the firewall feature set.
Incorrect:
Dynamic: Dynamic access lists (also known as lock and key) create specific, temporary openings in response to user authentication.
Reflexive: These access lists create dynamic entries for IP traffic on one interface of the router based upon sessions originating from a different interface of the router.
Time-based: These access lists are simply numbered or named access lists that are implemented based upon the time of day or the day of the week.
QUESTION 45
Which three new features does SNMPv3 provide? (Choose three.)
A. HMAC with MD5
B. AES encryption
C. 3DES encryption
D. HMAC with SHA
E. DES-56 encryption
F. IDEA encryption

Correct Answer: ADE Section: (none) Explanation
Explanation/Reference:
Explanation: Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are:
Message integrity: ensuring that a packet has not been tampered with in transit.
Authentication: determining that the message is from a valid source.
Encryption: scrambling the contents of a packet to prevent it from being seen by an unauthorized source.
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3.
QUESTION 46
What is a secure way of providing clock synchronization between network routers?
A. sync each router acting as an NTPv2 client to the UTC via the Internet
B. implement an NTPv3 server synchronized to the UTC via an external clock source like a radio or atomic clock, then configure the other routers as NTPv3 clients
C. use CDPv2 and NTPv3 to pass and sync the clocking information between the adjacent routers in the network
D. implement in-band management to sync the clock between the routers using a peer-to-peer architecture using NTPv4 or higher

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: The Network Time Protocol (NTP) was first described in RFC 958 and has developed into the standard Internet time synchronization protocol. It is extremely efficient and needs no more than about one packet a minute to synchronize systems on a LAN to within 1 millisecond, and systems across WANs to within about 10 milliseconds. Without proper time synchronization between your routers, you may not only have trouble with correlating log files, but inaccurate time may also affect your ability to perform accounting, fault analysis, network management, and even time-based AAA authentication and authorization. So good time management is a necessary part of keeping your network healthy and secure.
NTP modes differ based on how NTP allows communication between systems. NTP communication consists of time requests and control queries. Time requests provide the standard client/server relationship in which a client requests time synchronization from an NTP server. Control queries provide ways for remote systems to get configuration information and reconfigure NTP servers. Here is a short explanation of the NTP modes:
Client: An NTP client is configured to let its clock be set and synchronized by an external NTP timeserver. NTP clients can be configured to use multiple servers to set their local time and are able to give preference to the most accurate time sources. They will not, however, provide synchronization services to any other devices.
Server: An NTP server is configured to synchronize NTP clients. Servers can be configured to synchronize any client or only specific clients. NTP servers, however, will accept no synchronization information from their clients and therefore will not let clients update or affect the server's time settings.
Peer: With NTP peers, one NTP-enabled device does not have authority over the other. With the peering model, each device shares its time information with the other, and each device can also provide time synchronization to the other.
Broadcast/multicast: Broadcast/multicast mode is a special server mode with which the NTP server broadcasts its synchronization information to all clients. Broadcast mode requires that clients be on the same subnet as the server, and multicast mode requires that clients and servers have multicast access available and configured.
QUESTION 47
Which security log messaging method is the most common message logging facility and why?
A. SNMP traps, because the router can act as an SNMP agent and forward SNMP traps to an external SNMP server
B. buffered logging, because log messages are stored in router memory and events are cleared whenever the router is rebooted
C. console logging, because security messages are not stored and do not take up valuable storage space on network servers
D. syslog, because this method is capable of providing long-term log storage capabilities and supporting a central location for all router messages
E. logging all events to the Cisco Incident Control System to correlate events and provide recommended mitigation actions

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: By default Cisco routers send syslog messages to their logging server with a default facility of local7. Don't set the facility in this case, but do tell the router to timestamp the messages and make the messages have the source IP address of the loopback interface. Example:
    service timestamps log datetime localtime
    no logging console
    no logging monitor
    logging 192.168.1.100
QUESTION 48
What is a syslog configuration oversight that makes system event logs hard to interpret and what can be done to fix this oversight?
A. The system time does not get set on the router, making it difficult to know when events occurred. Recommend that an NTP facility be used to ensure that all the routers operate at the correct time.
B. Third-party flash memory gets installed and doesn’t provide easily understandable error or failure codes. Only Cisco-authorized memory modules should be installed in Cisco devices.
C. The syslog message stream does not get encrypted and invalid syslog messages get sent to the syslog server. Encrypt the syslog messages.
D. The syslog messages filter rules did not get configured on the router, resulting in too many unimportant messages. Configure syslog messages filter rules so that low-severity messages are blocked from being sent to the syslog server and are logged locally on the router.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: By default Cisco routers send syslog messages to their logging server with a default facility of local7. Don't set the facility in this case, but do tell the router to timestamp the messages and make the messages have the source IP address of the loopback interface. Log messages are stored by time and date. If there is a time mismatch between the syslog server and the client, the log is very hard to interpret.
QUESTION 49
What is the first step you need to perform on a router when configuring role-based CLI?
A. place the router in global configuration mode
B. create a parser view called root view
C. enable role-based CLI globally on the router using the privilege exec level Cisco IOS command.
D. enable the root view on the router
E. log in to the router as the “root” user

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to the Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices. When a system is in "root view," it has all of the access privileges of a user who has level 15 privileges. If the administrator wishes to configure any view on the system (such as a CLI view, a superview, or a lawful intercept view), the system must be in root view. The difference between a user who has level 15 privileges and a root view user is that a root view user can configure a new view and add or remove commands from the view. Also, when you are in a CLI view, you have access only to the commands that have been added to that view by the root view user.
QUESTION 50
In which version did NTP begin to support cryptographic authentication?
A. version 5
B. version 4
C. version 3
D. version 2

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: NTP version 3 supports cryptographic authentication. For additional security, you can configure your NTP servers and clients to use authentication. Cisco routers support only MD5 authentication for NTP. To enable a router to do NTP authentication:
1. Enable NTP authentication with the ntp authenticate command.
2. Define an NTP authentication key with the ntp authentication-key command. A unique number identifies each NTP key. This number is the first argument to the ntp authentication-key command.
3. Use the ntp trusted-key command to tell the router which keys are valid for authentication. The ntp trusted-key command's only argument is the number of the key defined in the previous step.
To enable authentication on RouterOne and define key number 10 as MySecretKey, type:
    RouterOne#config terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    RouterOne(config)#ntp authenticate
    RouterOne(config)#ntp authentication-key 10 md5 MySecretKey
    RouterOne(config)#ntp trusted-key 10
    RouterOne(config)#^Z
QUESTION 51
Which command is used to configure syslog on a Cisco router?
A. syslog
B. logging
C. logging-host
D. syslog-host

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: By default Cisco routers send syslog messages to their logging server with a default facility of local7. Don't set the facility in this case, but do tell the router to timestamp the messages and make the messages have the source IP address of the loopback interface. Example:
    service timestamps log datetime localtime
    no logging console
    no logging monitor
    logging 192.168.1.100
QUESTION 52
When Cisco routers are configured for SSH, how do they act?
A. as SSH servers
B. as SSH clients
C. as SSH and SSL servers
D. as SSH and SSL clients
E. as SSH accelerators
F. as SSH proxies

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: Secure Shell (SSH) is an application and a protocol that provide a secure replacement for the Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. There are currently two versions of SSH available: SSH Version 1 and SSH Version 2. Only SSH Version 1 is implemented in the Cisco IOS software. The SSH Server feature enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality that is similar to that of an inbound Telnet connection. Before SSH, security was limited to Telnet security. SSH allows strong encryption to be used with the Cisco IOS software authentication. The SSH server in Cisco IOS software will work with publicly and commercially available SSH clients.
QUESTION 53
Which management protocol is used to synchronize the clocks across a network?
A. SNMP
B. Syslog
C. NTP
D. TFTP

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: The Network Time Protocol (NTP) was first described in RFC 958 and has developed into the standard Internet time synchronization protocol. It is extremely efficient and needs no more than about one packet a minute to synchronize systems on a LAN to within 1 millisecond, and systems across WANs to within about 10 milliseconds. Without proper time synchronization between your routers, you may not only have trouble with correlating log files, but inaccurate time may also affect your ability to perform accounting, fault analysis, network management, and even time-based AAA authentication and authorization. So good time management is a necessary part of keeping your network healthy and secure.
QUESTION 54
What are two ways of preventing VLAN hopping attacks? (Choose two.)
A. Disable DTP on all the trunk ports.
B. Enable VTP pruning on all trunk ports to limit the VLAN broadcast.
C. Set the native VLAN on all the trunk ports to an unused VLAN.
D. Using port security, set the maximum number of secure MAC addresses to 1 on all trunk and access ports.
E. Disable portfast on all access ports.

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation: Dynamic Trunking Protocol (DTP): if a port can become a trunk, it may also have the ability to trunk automatically, and in some cases even negotiate what type of trunking to use on the port. DTP provides this ability to negotiate the trunking method with the other device. On an IEEE 802.1Q trunk port, all transmitted and received frames are tagged except for those on the VLAN configured as the native VLAN for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged.
QUESTION 55
You work as a network administrator at Certkiller.com. A mission critical server application embeds a private IP address and port number in the payload of packets that is used by the client to reply to the server. Why is implementing NAT over the Internet supporting this type of application an issue?
A. Embedded IP addresses causes NAT to do extensive packet manipulation. This process is very time intensive and the added delay causes the connection in these types of applications to time out and fail.
B. When the client attempts to reply to the server using the embedded private IP address instead of the public IP address mapped by NAT, the embedded private IP address will not be routable over the Internet.
C. NAT traversal can't be used for embedded IP addresses. Mission critical applications typically use NAT traversal to ensure stable timely connections, but not when embedded IP addresses and ports are used.
D. Using NAT makes troubleshooting difficult. You must know the IP address assigned to a device on its NIC and its translated address; it takes too long to determine the source and destination of an embedded IP address, and this delay is not appropriate for mission critical applications.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Network Address Translation (NAT) simplifies and conserves IP address usage. NAT enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) address in the internal network into legal addresses before packets are forwarded onto another network. NAT can be configured to advertise only one address for the entire network to the outside world. This ability provides additional security, effectively hiding the entire internal network behind that one address.
QUESTION 56
How does an application-layer firewall work?
A. examines the data in all network packets at the application layer and maintains complete connection state and sequencing information
B. operates at Layers 3, 4 and 5, and keeps track of the actual application communication process by using an application table
C. determines whether the connection between two applications is valid according to configurable rules
D. allows an application on your private network that does not have a valid registered IP address to communicate with other applications through the Internet

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: An application layer firewall is a third-generation firewall technology that evaluates network packets for valid data at the application layer before allowing a connection. It examines the data in all network packets at the application layer and maintains complete connection state and sequencing information. In addition, an application layer firewall can validate other security items that only appear within the application layer data, such as user passwords and service requests. Most application layer firewalls include specialized application software and proxy services. Proxy services are special-purpose programs that manage traffic through a firewall for a specific service, such as HTTP or FTP. Proxy services are specific to the protocol that they are designed to forward, and they can provide increased access control, careful detailed checks for valid data, and generate audit records about the traffic that they transfer.
QUESTION 57
Why does PAT fail with ESP packets?
A. because ESP is a portless protocol riding directly over IP, ESP prevents the PAT from creating IP address and port mappings
B. because using tunnel mode, ESP includes the outer IP header in computing the ICV, thus if PAT modifies the outer IP header, the ICV will fail
C. because ESP does not support tunnel mode
D. because the ESP header is encrypted
E. because ESP uses dynamic port number

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
PAT does not work with Encapsulating Security Payload (ESP) packets due to the lack of L4 (TCP/UDP) port information in them. UDP encapsulation must be used instead to hide the ESP packet behind a UDP header so that PAT treats the ESP packet as a UDP packet and processes it as a normal UDP packet.
QUESTION 58
Using a stateful firewall, which information is stored in the stateful session flow table?
A. the outbound and inbound access rules (ACL entries)
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
C. all TCP and UDP header information only
D. all TCP SYN packets and the associated return ACK packets only
E. the inside private IP address and the translated global IP address

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: A stateful firewall is able to hold in memory significant attributes of each connection, from start to finish. These attributes, which are collectively known as the state of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection. The most CPU intensive checking is performed at the time of setup of the connection. All packets after that (for that session) are processed rapidly because it is simple and fast to determine whether it belongs to an existing, pre-screened session. Once the session has ended, its entry in the state-table is discarded. The stateful firewall depends on the famous three-way handshake of the TCP protocol. When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.
QUESTION 59
What is a potential security weakness of traditional stateful firewall?
A. cannot support non-TCP flows
B. retains the state of user data packet and dynamically assigned ports in the state table
C. cannot track the state of each connection setup to ensure that each connection follows a legitimate TCP three-way handshake
D. cannot detect application-layer attacks

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: A stateful firewall holds the attributes of each connection in a state table and, as described in the explanation to the preceding question, relies on the TCP three-way handshake (SYN, SYN/ACK, ACK) to decide whether an incoming packet belongs to an ESTABLISHED session; only outgoing packets and packets matching a pre-screened session are allowed through. The weakness of a traditional stateful firewall is that it cannot detect application-layer attacks.
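As an added illustration that is not part of the exam material, the following Python script models the state table and handshake tracking described in this explanation and the one before it: outbound packets pass, an outbound SYN creates a NEW entry, the SYN/ACK and ACK move it to ESTABLISHED, inbound packets are allowed only against an existing entry, and FIN/RST discards the entry. The class and function names, addresses, ports and packet sequence are the example's own constructed assumptions.

```python
# Added example, not from the exam dump: a minimal stateful packet filter
# that tracks TCP sessions the way the explanation above describes.
# Outbound traffic is passed; inbound traffic is passed only when it belongs
# to a session an inside host opened. Addresses and ports are constructed.

class StatefulFirewall:
    def __init__(self):
        # key: (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.state = {}

    def process(self, direction, src, sport, dst, dport, flags):
        """Return 'PERMIT' or 'DENY' for one packet. direction is 'out'
        (inside -> outside) or 'in' (outside -> inside); flags is a set
        of TCP flag names such as {'SYN', 'ACK'}."""
        key = (src, sport, dst, dport) if direction == "out" else (dst, dport, src, sport)
        entry = self.state.get(key)
        if direction == "out":
            if flags == {"SYN"}:
                # Only-SYN packets are NEW connections: the expensive
                # screening happens once, here, and the entry is created.
                self.state[key] = "NEW"
            elif entry == "SYN_RECEIVED" and "ACK" in flags:
                self.state[key] = "ESTABLISHED"  # third step of the handshake
            if flags & {"FIN", "RST"}:
                self.state.pop(key, None)  # session ended: discard its entry
            return "PERMIT"  # outgoing packets always pass
        # Inbound: must match a pre-screened session or it is dropped.
        if entry is None:
            return "DENY"  # unsolicited inbound connection attempt
        if entry == "NEW" and flags == {"SYN", "ACK"}:
            self.state[key] = "SYN_RECEIVED"  # server answered the inside SYN
            return "PERMIT"
        if entry == "ESTABLISHED":
            if flags & {"FIN", "RST"}:
                self.state.pop(key, None)
            return "PERMIT"
        return "DENY"  # packet does not fit the session's current state

def run_demo():
    """Constructed handshake plus an unsolicited inbound SYN; returns verdicts."""
    fw = StatefulFirewall()
    inside, server, outsider = "10.1.2.25", "203.0.113.80", "198.51.100.9"
    return [
        fw.process("out", inside, 40000, server, 443, {"SYN"}),        # NEW
        fw.process("in", server, 443, inside, 40000, {"SYN", "ACK"}),
        fw.process("out", inside, 40000, server, 443, {"ACK"}),        # ESTABLISHED
        fw.process("in", server, 443, inside, 40000, {"ACK"}),         # data packet
        fw.process("in", outsider, 5555, inside, 22, {"SYN"}),         # no state -> DENY
    ]
```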
QUESTION 60
A client wants their web server on the DMZ to use a private IP address and to be reachable over the Internet with a fixed outside public IP address. Which type of technology will be effective in this scenario?
A. PAT
B. Dynamic NAT
C. Cut-Through Proxy
D. Application inspection
E. Static NAT

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation: Static NAT is used to map a single inside global IP address to a single inside local IP address. Usually the inside IP address is one from the RFC 1918 address space and the outside IP address is an Internet-routable address. IP addresses must be assigned to the router interfaces that will participate in NAT, and NAT is configured from global configuration mode. The command to use is ip nat inside source static local-ip global-ip, where local-ip is the IP address of the host on the inside of the network to translate and global-ip is the IP address by which this inside host will be known to the outside world. In the following example a host on the inside network needs to access the Internet. Its IP address is 10.1.2.25, which is not routable on the Internet. When the NAT border router receives a packet from 10.1.2.25 destined for the Internet, it must be configured to translate that address to one that is globally routable, in this case 200.1.1.25, using the following command:
Router(config)#ip nat inside source static 10.1.2.25 200.1.1.25
Because the static mapping is fixed and applies in both directions, packets arriving from the Internet for 200.1.1.25 are translated to 10.1.2.25, which is what makes a DMZ web server reachable at a fixed public address.
QUESTION 61
Which feature is available only in the Cisco SDM Advanced Firewall Wizard?
A. configure a router interface connected to a WLAN
B. create a firewall policy to block SDM access to the router from the outside interface
C. specify the router outside interface to use for remote management access
D. choose physical and logical interfaces connected to a WLAN
E. configure DMZ interfaces with access and inspection rules

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation: The Cisco SDM Advanced Firewall wizard allows security administrators to easily and quickly manage ACLs and packet-inspection rules through a graphical and intuitive policy table.
QUESTION 62
Which command on the Cisco PIX Security Appliance is used to write the current running config to the Flash memory startup config?
A. write terminal
B. write config
C. write memory
D. write startup config

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Incorrect:
A – Shows the running configuration on screen, like show running-configuration
B – No such command
D – No such command
QUESTION 63
In which Cisco Catalyst Series switches can the Firewall Service Modules be installed?
A. Catalyst 2900 and 3500 XL Series
B. Catalyst 1900 and 2000 Series
C. Catalyst 4200 and 4500 Series
D. Catalyst 6500 and 7600 Series

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The Cisco Firewall Services Module (FWSM), a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers, provides the fastest firewall data rates in the industry: 5-Gbps throughput, 100,000 CPS, and 1M concurrent connections. Up to four FWSMs can be installed in a single chassis, providing scalability to 20 Gbps per chassis. Based on Cisco PIX Firewall technology, the Cisco FWSM offers large enterprises and service providers unmatched security, reliability, and performance. Reference: http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/index.html
QUESTION 64
Which method does a Cisco firewall use for packet filtering?
A. inspection rules
B. ACLs
C. Security policies
D. VACLs

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: An access list is a group of statements. Each statement defines a pattern that could be found in an IP packet. As each packet comes through an interface with an associated access list, the list is scanned from top to bottom, in the exact order in which it was entered, for a pattern that matches the incoming packet. The permit or deny rule associated with the first matching pattern determines the fate of that packet. Cisco uses access lists as packet filters to decide which packets can access a router service or which packets can be allowed across an interface. Packets that are allowed across an interface are called permitted packets; packets that are not allowed across an interface are called denied packets. Access lists contain one or more rules or statements that determine which data is permitted and which is denied across an interface.
QUESTION 65
Which command is used to reboot the Cisco PIX Security Appliance?
A. reboot
B. restart
C. boot
D. reload

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The reload command reboots the PIX Security Appliance and reloads the configuration from Flash memory. You are prompted with "Proceed with reload?" for confirmation before the reload process begins. Any response other than no causes the reboot to occur. The noconfirm command option permits the PIX Security Appliance to reload without user confirmation. The PIX Security Appliance does not accept abbreviations to the keyword noconfirm.

QUESTION 66
Which connections does stateful packet filtering handle?
A. TCP and UDP
B. Packet
C. TCP only
D. ICMP

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: Unlike static packet filtering, which examines a packet based only on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid. A stateful firewall may examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination.

QUESTION 67
Which browser-based configuration device can be used to monitor and manage multiple Cisco PIX Security Appliances?
A. Cisco PIX Device Manager
B. Cisco ASA Device Manager
C. Firewall Management Center
D. PIX Management Center

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: The PDM monitors and configures a single PIX Security Appliance. You can use the PDM to create a new configuration and to monitor and maintain current PIX Security Appliances. You can point your browser to more than one PIX Security Appliance and administer several PIX Security Appliances from a single workstation. CiscoWorks 2000 Management Center for Firewalls (Firewall MC) is a web-based interface for configuring and managing multiple Cisco PIX Security Appliances. Firewall MC has a look and feel similar to the PDM; however, with Firewall MC, you can configure multiple firewalls instead of configuring only one at a time. Firewall MC centralizes and accelerates the deployment and management of multiple PIX Security Appliances.
QUESTION 68
What is the default security-level definition setting for the outside interface for the Cisco PIX Security Appliance?
A. 0
B. 100
C. 50
D. 25

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: By default the outside interface of the PIX Security Appliance has security level 0, the lowest level, and the inside interface has security level 100, the highest. By default the appliance permits traffic from a higher-security interface to a lower-security interface and blocks traffic in the reverse direction unless it is explicitly allowed.

QUESTION 69
Which administrative access mode for the Cisco PIX Security Appliance allows you to change the current settings?
A. unprivileged mode
B. privileged mode
C. configuration mode
D. monitor mode

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: The PIX Security Appliance contains a command set based on Cisco IOS software, and provides these four administrative access modes:
Unprivileged mode: This mode is available when you first access the PIX Security Appliance. The > prompt is displayed. This mode provides a restricted and limited view of PIX Security Appliance settings.
Privileged mode: This mode displays the # prompt and enables you to change the current settings. Any unprivileged command also works in privileged mode.
Configuration mode: This mode displays the (config)# prompt and enables you to change system configurations. All privileged, unprivileged, and configuration commands work in this mode.
Monitor mode: This is a special mode that enables you to update the image over the network or to perform password recovery. While in monitor mode, you can enter commands specifying the location of the TFTP server and the PIX Security Appliance software image or password recovery binary file to download.

QUESTION 70
Which administrative access mode for the Cisco PIX Security Appliance allows you to view a restricted and limited view of current settings?
A. unprivileged mode
B. privileged mode
C. configuration mode
D. monitor mode

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: The PIX Security Appliance provides four administrative access modes:
Unprivileged mode: This mode is available when you first access the PIX Security Appliance. The > prompt is displayed. This mode provides a restricted and limited view of PIX Security Appliance settings.
Privileged mode: This mode displays the # prompt and enables you to change the current settings. Any unprivileged command also works in privileged mode.
Configuration mode: This mode displays the (config)# prompt and enables you to change system configurations. All privileged, unprivileged, and configuration commands work in this mode.
Monitor mode: This is a special mode that enables you to update the image over the network or to perform password recovery. While in monitor mode, you can enter commands specifying the location of the TFTP server and the PIX Security Appliance software image or password recovery binary file to download.

Well-regarded for its level of detail, assessment features, and challenging review questions and hands-on exercises, Cisco 642-552 helps you master the concepts and techniques that will enable you to succeed on the Cisco 642-552 exam the first time.