Latest CCNP Security 642-618 Real Exam Download 121-130

Ensurepass

QUESTION 121

Which two configurations are the minimum needed to enable EIGRP on the Cisco ASA appliance? (Choose two.)

 

A.      Enable the EIGRP routing process and specify the AS number.

B.      Define the EIGRP default-metric.

C.      Configure the EIGRP router ID.

D.      Use the neighbor command(s) to specify the EIGRP neighbors.

E.       Use the network command(s) to enable EIGRP on the Cisco ASA interface(s).

 

Answer: A,E

 

 

QUESTION 122

Refer to the exhibit and to the four HTTP inspection requirements and the Cisco ASA configuration.


Which two statements about why the Cisco ASA configuration is not meeting the specified HTTP inspection requirements are true? (Choose two.)

 

1. All outside clients can use only the HTTP GET method on the protected 10.10.10.10 web server.

2. All outside clients can access only HTTP URIs starting with the “/myapp” string on the protected 10.10.10.10 web server.

3. The security appliance should drop all requests that contain basic SQL injection attempts (the string “SELECT” followed by the string “FROM”) inside HTTP arguments.

4. The security appliance should drop all requests that do not conform to the HTTP protocol.

 

A.      Both instances of match not request should be changed to match request.

B.      The policy-map type inspect http MY-HTTP-POLICY configuration is missing the references to the class maps.

C.      The BASIC-SQL-INJECTION regular expression is not configured correctly.

D.      The MY-URI regular expression is not configured correctly.

E.       The WEB-SERVER-ACL ACL is not configured correctly.

 

Answer: D,E

 

 

QUESTION 123 DRAG DROP

Based on this NAT command, drag the IP address network on the left to the correct NAT address type on the right.

nat (inside,outside) source dynamic 10.0.1.0_obj 192.168.1.7_obj destination static 209.165.200.226_Server 209.265.201.21_Server

Answer:

 

 

QUESTION 124 DRAG DROP

Drag the Cisco ASR modes from the left to the correct description on the right.

Answer:

 

 

QUESTION 125 DRAG DROP

Click and drag the supported ASA QoS option on the left to the correct description on the right. (Some of the options on the left are not used.)

Answer:

 

 

QUESTION 126 DRAG DROP

Drag the correct three access list entries (from the left) and drop them (on the right) in the order that is used when the interface ACL and global ACL are configured. Not all access list entries are required.

Answer:

 

 

QUESTION 127

Scenario: To access Cisco ASDM, click the PC icon in the Topology window, then answer the following question:

Which statement about the Cisco ASA configuration is true?

 

A.        All input traffic on the inside interface is denied by the global ACL.

B.        All input and output traffic on the outside interface is denied by the global ACL.

C.        ICMP echo-request traffic is permitted from the inside to the outside, and ICMP echo-reply will be permitted from the outside back to inside.

D.       HTTP inspection is enabled in the global policy.

E.        Traffic between two hosts connected to the same interface is permitted.

 

Answer: B

 

 

QUESTION 128

Scenario: To access Cisco ASDM, click the PC icon in the Topology window, then answer the following question:

Which two statements about the running configuration of the Cisco ASA are true? (Choose two.)

 

A.      The auto NAT configuration causes all traffic arriving on the inside interface destined to any outside destinations to be translated with dynamic port address translation using the outside interface IP address.

B.      The Cisco ASA is using the Cisco ASDM image from disk1:/asdm-642.bin.

C.      The Cisco ASA is set up as the DHCP server for hosts that are on the inside and outside interfaces.

D.      SSH and Cisco ASDM access to the Cisco ASA requires AAA authentication using the LOCAL user database.

E.      The Cisco ASA is using a persistent self-signed certificate so users can authenticate the Cisco ASA when accessing it via ASDM.

 

Answer: A,E

 

 

QUESTION 129

Scenario: To access Cisco ASDM, click the PC icon in the Topology window, then answer the following question:

The Cisco ASA administrator must enable the Cisco ASA to automatically drop suspicious botnet traffic. After the Cisco ASA administrator entered the initial configuration, the Cisco ASA is not automatically dropping the suspicious botnet traffic. What else must be enabled in order to make it work?

 

A.      DNS snooping

B.      Botnet traffic filtering on at least one of the Cisco ASA interfaces.

C.      Periodic download of the dynamic botnet database from Cisco.

D.      DNS inspection in the global policy.

E.       Manual botnet black and white lists.

 

Answer: A

 

 

QUESTION 130 CORRECT TEXT

Instructions

This item contains a simulation task. Refer to the scenario and topology before you start. When you are ready, open the Topology window and click the required device to open the GUI window on a virtual terminal. Scroll to view all parts of the Cisco ASDM screens.

 

Scenario

Click the PC icon to launch Cisco ASDM. You have access to a Cisco ASA 5505 via Cisco ASDM. Use Cisco ASDM to edit the Cisco ASA 5505 configurations to enable Advanced HTTP Application inspection by completing the following tasks:

 

1. Enable HTTP inspection globally on the Cisco ASA.

2. Create a new HTTP inspect map named http-inspect-map to:

a. Enable the dropping of any HTTP connections that encounter HTTP protocol violations.

b. Enable the dropping and logging of any HTTP connections when the content type in the HTTP response does not match one of the MIME types in the accept field of the HTTP request.

 

Note: In the simulation, you will not be able to test the HTTP inspection policy after you complete your configuration. Not all Cisco ASDM screens are fully functional.

 

After you complete the configuration, you do not need to save the running configuration to the start-up config. You will not be able to test the HTTP inspection policy that is created after you complete your configuration. Also, not all the ASDM screens are fully functional.


 

Answer: Here is the step-by-step solution:

1. Go to Configuration > Firewall > Objects > Inspect Maps > HTTP > Add, enter the name “http-inspect-map”, and click on detail.

a. Select “check for protocol violations”

b. Action: Drop connection

c. Log: Enable

d. Click on Inspection: Click Add

e. Select Single Match > Match type: No Match

f. Criterion: response header field

g. Field: Predefined: Content type

h. Value: Content type

i. Action: Drop connection

j. Log: Enable

k. OK > OK > Apply

 

HTTP inspection is disabled in the global policy by default, so we need to enable it and use this inspect map.

To achieve this through the command line:

policy-map type inspect http http-inspect-map
 parameters
  protocol-violation action drop-connection
 match req-resp content-type mismatch
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http http-inspect-map

You also have to edit the global policy to apply this inspection to it.

Add/Edit HTTP Map

The Add/Edit HTTP Map dialog box is accessible as follows:

Configuration > Global Objects > Inspect Maps > HTTP > HTTP Inspect Map > Advanced View > Add/Edit HTTP Inspect

The Add/Edit HTTP Inspect dialog box lets you define the match criterion and value for the HTTP inspect map.

 

Fields

• Single Match—Specifies that the HTTP inspect has only one match statement.

• Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.

• Criterion—Specifies which criterion of HTTP traffic to match.

Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request.

Request Arguments—Applies the regular expression match to the arguments of the request.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

 

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Body Length—Applies the regular expression match to the body of the request with field length greater than the bytes specified.

Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.

Request Body—Applies the regular expression match to the body of the request.

Regular Expression— Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

 

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Header Field Count—Applies the regular expression match to the header of the request with a maximum number of header fields.

Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

 

Greater Than Count—Enter the maximum number of header fields.

Request Header Field Length—Applies the regular expression match to the header of the request with field length greater than the bytes specified.

Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.

Request Header Field—Applies the regular expression match to the header of the request.

Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers.

Greater Than Count—Enter the maximum number of headers.

Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified.

Greater Than Length—Enter a header length value in bytes.

Request Header non-ASCII—Matches non-ASCII characters in the header of the request.

Request Method—Applies the regular expression match to the method of the request.

Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.

Regular Expression—Specifies to match on a regular expression.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request URI Length—Applies the regular expression match to the URI of the request with length greater than the bytes specified.

Greater Than Length—Enter a URI length value in bytes.

Request URI—Applies the regular expression match to the URI of the request.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Response Body—Applies the regex match to the body of the response.

ActiveX—Specifies to match on ActiveX.

Java Applet—Specifies to match on a Java Applet.

Regular Expression—Specifies to match on a regular expression.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Response Body Length—Applies the regular expression match to the body of the response with field length greater than the bytes specified.

Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.

Response Header Field Count—Applies the regular expression match to the header of the response with a maximum number of header fields.

Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Count—Enter the maximum number of header fields.

Response Header Field Length—Applies the regular expression match to the header of the response with field length greater than the bytes specified.

Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.

Response Header Field—Applies the regular expression match to the header of the response.

Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Response Header Count—Applies the regular expression match to the header of the response with a maximum number of headers.

Greater Than Count—Enter the maximum number of headers.

Response Header Length—Applies the regular expression match to the header of the response with length greater than the bytes specified.

Greater Than Length—Enter a header length value in bytes.

Response Header non-ASCII—Matches non-ASCII characters in the header of the response.

Response Status Line—Applies the regular expression match to the status line.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

• Multiple Matches—Specifies multiple matches for the HTTP inspection.

H323 Traffic Class—Specifies the HTTP traffic class match.

Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class Maps.

• Action—Drop connection, reset, or log.

• Log—Enable or disable.

NOTE:

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/inspect_basic.html#wp1144259

and/or

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080b84568.shtml

 

To achieve this through the command line:

policy-map type inspect http http-inspect-map
 parameters
  protocol-violation action drop-connection log

policy-map type inspect http http-inspect-map
 match not response header content-type application/msword
  drop-connection log

 

 
