Pass4sure Cisco Certification

Securing Networks with PIX and ASA Exam

Last day to test 10/13/2007
Exam Number: 642-522
Associated Certifications: CCSP, Cisco Firewall Specialist
Duration: 90 minutes (60-70 questions)
Available Languages: English
Click Here to Register: Pearson VUE
Exam Policies: Read current policies and requirements
Exam Tutorial: Review type of exam questions

Exam Description Exam Topics Recommended Training Additional Resources
Exam Description
The Securing Networks with PIX and ASA exam is one of the exams associated with the Cisco Certified Security Professional and the Cisco Firewall Specialist certifications. Candidates can prepare for this exam by taking the SNPA v4.0 course. This exam includes simulations and tests a candidate’s knowledge and ability to describe, configure, verify and manage the Cisco PIX and ASA security appliance products.

Exam Topics
The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.

Install and configure a security appliance for basic network connectivity
Describe the Security Appliance hardware and software architecture
Determine the Security Appliance hardware and software configuration and verify if it is correct
Use setup or the CLI to configure basic network settings, including interface configurations
Use appropriate show commands to verify initial configurations
Configure NAT and global addressing to meet user requirements
Configure DHCP client option
Set default route
Configure logging options
Describe the firewall technology
Explain the information contained in syslog files
Configure static address translations
Configure Network Address Translations: PAT
Configure static port redirection
Configure a net static
Set embryonic and connection limits on the security appliance
Verify network address translation operation

Configure a security appliance to restrict inbound traffic from untrusted sources
Configure access-lists to filter traffic based on address, time, and protocols
Configure object-groups to optimize access-list processing
Configure Network Address Translations: Nat0
Configure Network Address Translations: Policy NAT
Configure java/activeX filtering
Configure URL filtering
Verify inbound traffic restrictions

Configure a security appliance to provide secure connectivity using site-to-site VPNs
Explain certificates, certificate authorities and how they are used
Explain the basic functionality of IPSec
Configure IKE with preshared keys
Configure IKE to use certificates
Differentiate between the types of encryption
Configure IPSec parameters
Configure crypto-maps and ACLs

Configure a security appliance to provide secure connectivity using remote access VPNs
Explain the functions of EasyVPN
Configure IPSec using EasyVPN Server/Client
Configure the Cisco Secure VPN client
Explain the purpose of WebVPN
Configure WebVPN services: Server/Client
Verify VPN operations

Configure transparent firewall, virtual firewall, and high availability firewall features on a security appliance
Explain differences between L2 and L3 operating modes
Configure security appliance for transparent mode (L2)
Explain purpose of virtual firewalls
Configure security appliance to support virtual firewall
Monitor and maintain virtual firewall
Explain the types, purpose and operation of fail-over
Install appropriate topology to support cable-based or LAN-based fail-over
Explain the hardware, software and licensing requirements for high-availability
Configure the SA for active/standby fail-over
Configure the SA for stateful fail-over
Configure the SA for active-active fail-over
Verify fail-over operation
Recover from a fail-over

Configure AAA services for access through a security appliance
Configure ACS for security appliance support
Configure security appliance to use AAA feature
Configure authentication using both local and external databases
Configure authorization using an external database
Configure the ACS server for downloadable ACLs
Configure accounting of connection start/stop
Verify AAA operation

Configure routing and switching on a security appliance
Enable DHCP server and relay functionality
Configure VLANs on a security appliance interface
Configure routing functionality of security appliance including OSPF, RIP
Configure security appliance to pass multi-cast traffic
Configure ICMP on the security appliance

Configure a modular policy on a security appliance
Configure a class-map
Configure a policy-map
Configure a service-policy
Configure a ftp-map
Configure a http-map
Configure an inspection protocol
Explain the function of protocol inspection
Explain DNS guard feature
Describe the AIP-SSM HW and SW
Load IPS SW on the AIP-SSM
Verify AIP-SSM
Configure an IPS modular policy

Monitor and manage an installed security appliance
Obtain and apply OS updates
Backup and restore configurations and software
Explain the security appliance file management system
Perform password/lockout recovery procedures
Obtain and upgrade license keys
Configure passwords for various access methods: Telnet, serial, enable, SSH
Configure various access methods: Telnet, SSH, PDM
Configure command authorization and privilege levels
Configure local username database
Verify access control methods
Enable ASDM functionality
Verify a security appliance configuration via ASDM
Verify the licensing available on a security appliance

QUESTION 1:

A new PIX firewall was installed in the Certkiller network to guard against outside attacks. Why does this PIX security appliance record information about a packet in
its stateful session flow table?

A. To build the reverse path forwarding (RFP) table to prevent spoofed source IP
address.
B. To establish a proxy session by relaying the application layer requests and response between two endpoints.
C. To compare against return packets for determining whether the packet should be allowed through the firewall.
D. To track outbound UDP connections. Answer: C
Explanation:
The Adaptive Security Algorithm (ASA), used by the PIXFirewall for stateful application inspection, ensures the secure use of applications and services. Some applications require special handling by the PIXFirewall application inspection function. Applications that require special application inspection functions are those that embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports.
The application inspection function monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.
Packets going through PIX are checked using these steps:
Access control lists (ACLs)-Used for authentication and authorization of connections based on specific networks, hosts, and services (TCP/UDP port numbers).
Inspections-Contains a static, pre-defined set of application-level inspection functions. Connections (XLATE and CONN tables)-Maintains state and other information about each established connection. This information is used by ASA and cut-through proxy to
efficiently forward traffic within established sessions.
1.
A TCP SYN packet arrives at the PIXFirewall to establish a new connection.
2.
The PIXFirewall checks the access control list (ACL) database to determine if the connection is permitted.
3.
The PIXFirewall creates a new entry in the connection database (XLATE and CONN
tables).
4.

The PIXFirewall checks the Inspections database to determine if the connection requires
application-level inspection.
5.
After the application inspection function completes any required operations for the packet, the PIXFirewall forwards the packet to the destination system.
6.
The destination system responds to the initial request.
7.
The PIXFirewall receives the reply packet, looks up the connection in the connection database, and forwards the packet because it belongs to an established session. Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800

e

QUESTION 2:

A new Certkiller ASA 5500 was installed in the Certkiller network. In the Cisco ASA
5500 series, what is the flash keyword aliased to?

A. Disk0
B. Disk1
C. Both Disk0 and Disk1
D. Flash0
E. Flash1
Answer: A Explanation:
See the following URL syntax:
disk0:/[path/]filename
For the ASA 5500 series adaptive security appliance, this URL indicates the internal
Flash memory. You can also use flash instead of disk0; they are aliased. Reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b90.html

QUESTION 3:

Cisco firewalls maintain state awareness of all traffic going through it. What is the core component of the PIX firewall that accommodates for this?

A. PFS B. ASA C. VAC
D. FWSM
E. None of the above

Answer: B

Explanation:
The Adaptive Security Algorithm (ASA) is the brains of the pix, keeping track of stateful connection information. This allows the firewall to maintain stateful packet awareness to allow for the return traffic to traverse through the firewall.

QUESTION 4:

A new Cisco PIX 535 is being installed in the Certkiller network. What is the maximum number of physical interfaces the PIX Firewall 535 supports with an unrestricted license?

A. 20
B. 10
C. 6
D. 5
E. 3
Answer: B Explanation:
A total of eight interface circuit boards are configurable with the restricted license and a total of ten are configurable with the unrestricted license.
- The Cisco PIX 535 Security Appliance support up to 10 Physical Ethernet interfaces.
- A total of 8 interfaces are configurable on the PIX 535 with the restricted license, and a total of 10 are configurable with the unrestricted license.
PIX model license Comparison:

Reference:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_installation_guide_chapter09186a

0

QUESTION 5:
Free 642-522 Exams’s PDF Download
Free Testking offers free demo for 642-522 PDF(Securing Networks with PIX and ASA Exam(SNPA)). You can check out the interface, question quality and usability of our practice exams . We are the only one site can offer demo for almost all Securing Networks with PIX and ASA Exam(SNPA).

Recommended Training about 642-522 exam PDF
The following courses are the recommended training for 642-522 exam PDF.
642-522 Q & A with Explanations
642-522 Audio Exam
642-522 Study Guide
642-522 Preparation Lab
Exam Number/Code: 642-522
Exam Name: Securing Networks with PIX and ASA Exam(SNPA)
VUE Code: 642-522
Questions Type: Single choice,
Question Numbers of Real-exam: 60-70 questions

“Securing Networks with PIX and ASA Exam(SNPA)”, also known as 642-522 exam, is a Cisco certification.
Preparing for the 642-522 exam? Searching 642-522 Test Questions, 642-522 Practice Exam, 642-522 Dumps?

With the complete collection of questions and answers, Pass4sure has assembled to take you through 63 Q&A we offer correct answe to your 642-522 Exam preparation. In the 642-522 exam resources, you will cover every field and category in CCSP helping to ready you for your successful Cisco Certification.

Questions and Answers : 63 Q&A we offer correct answe
Updated: April 30th , 2008
Market Price: $129.99
Member Price: $89.99

Pass4sure 642-522 SNPA
Interactive Testing Engine Included!
146 Questions
Updated : 09/18/2008
Price : $87.99 $79.99

Free download?pass4sure 642-522 SNPA
Free download?testking 642-522 SNPA

PassGuide Braindumps: provides high quality Cisco exam practice questions and Training Materials.Hel you Pass Cisco Certifications

Download Free Latest Pass4sure P4S PassForsure Braindumps

1. Free Pass4sure 642-523 SNPA 2.93
2. Free Pass4sure 642-524 SNAF 2.83
3. Free pass4sure 642-515 SNAA 2.83
4. Free Pass4sure 642-521 CSPFA 2.93
5. Free Pass4sure 642-591 CANAC 2.83
6. Free pass4sure cisco ccsp mars 642-545 v2.83
7. Free Pass4sure 642-532 IPS 2.83
8. Free Pass4sure 650-261 CUCBE 2.83
9. Free Pass4sure 642-551 SND 2.83
10. Free Pass4sure 350-022 CCIE 2.83