implementing cisco network security · implementing cisco network security cisco 210-260 dumps...

28
Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at: https://www.certification-questions.com/cisco-exam/210-260-dumps.html Enrolling now you will get access to 274 questions in a unique set of 210- 260 dumps Question 1 You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following questions. Exhibit: Cisco 210-260 https://www.certification-questions.com

Upload: lyphuc

Post on 07-Jun-2018

234 views

Category:

Documents


3 download

TRANSCRIPT

Page 1: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

Implementing Cisco Network Security

Cisco 210-260 Dumps Available Here at:

https://www.certification-questions.com/cisco-exam/210-260-dumps.html

Enrolling now you will get access to 274 questions in a unique set of 210-

260 dumps

Question 1 You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an

ASA. Please click exhibit to answer the following questions.

Exhibit:

Cisco 210-260

https://www.certification-questions.com

Page 2: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

Which of the following user accounts will be able to connect to the ASA by using ASDM? (Select the best

answer.)

Options:

A. only john

B. only boson

Cisco 210-260

https://www.certification-questions.com

Page 3: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

C. only jane

D. both john and jane

E. both jane and boson

F. john, jane, and boson

Answer: E

Explanation:

Both the jane and the boson user accounts will be able to connect to the Cisco Adaptive Security

Appliance (ASA) by using Cisco Adaptive Security Device Manager (ASDM). When you add a user to the

local Authentication, Authorization, and Accounting (AAA) database on an ASA, you can specify security

parameters for the user. One security option you can specify is whether the user can establish a

management connection to the ASA. This option is configured in the Add or Edit User Account dialog box

in ASDM. Under Access Restriction, you can select Full Access (ASDM, SSH, Telnet and Console), CLI

login prompt for SSH, Telnet and console (no ASDM access), or No ASDM, SSH, Telnet or Console

access. The Full Access (ASDM, SSH, Telnet and Console) option will let the user use ASDM or the

command line interface (CLI) to administer the ASA. In this scenario, this option is selected for both the

jane and the boson user accounts, as shown in the following exhibits:

Cisco 210-260

https://www.certification-questions.com

Page 4: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

You can access the Add or Edit User Account dialog box in ASDM by clicking Configuration, clicking the

Remote Access VPN button, expanding AAA/Local Users, and clicking Local Users. To open the Edit User

Account dialog box, you should double click the user account that you want to open.

The john user account is configured with the No ASDM, SSH, Telnet or Console access option. This option

will prevent the user from establishing a management connection to the device by using ASDM, SSH,

Telnet, or the console.

Reference:

Cisco: Configuring AAA Servers and the Local Database: Adding a User Account

Question 2 You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an

ASA. Please click exhibit to answer the following questions.

Which of the following tunneling protocols will the jane user account be able to use when establishing a

clientless SSL VPN connection by using the boson tunnel group? (Select the best answer.)

Exhibit:

Cisco 210-260

https://www.certification-questions.com

Page 5: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

Options:

A. only clientless SSL VPN

B. only SSL VPN client

C. only IPSec

D. only L2TP/IPSec

E. both client and clientless SSL VPN

Cisco 210-260

https://www.certification-questions.com

Page 6: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

F. both clientless SSL VPN and IPSec

Answer: A

Explanation:

The jane user account will be able to use only the clientless Secure Sockets Layer (SSL) virtual private

network (VPN) tunneling protocol when establishing a clientless SSL VPN connection by using the boson

tunnel group. You can specify the tunneling protocols that can be used to establish a connection to a

tunnel group, which is also known as a connection profile, either in a group policy or within a user account,

depending on whether the tunneling protocol configuration should be applied to a group or to a single user.

When you configure a tunneling protocol, you can specify one or more of the following four options:

Clientless SSL VPN, SSL VPN Client, IPSec, or L2TP/IPSec.

In this scenario, you can view the tunneling protocols that are configured for the jane user account by

accessing her user account information in Cisco Adaptive Security Device Manager (ASDM) by clicking

Configuration, clicking the Remote Access VPN button, expanding AAA/Local Users, clicking Local Users,

and doubleclicking the jane user account, which will open the Edit User Account dialog box. You should

then click VPN Policy, which will display a pane that includes a Tunneling Protocols entry. This entry for

the jane user account is configured with the Inherit option, which means that the tunneling protocols that

the jane user account can use will be inherited from a group policy that is associated with the jane user

account. In this scenario, the jane user account is associated with the boson_grp group policy.

To view the tunneling protocols that are associated with the boson_grp group policy in ASDM, you should

click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, select

Group Policies, and doubleclick boson_grp, which will open the Edit Internal Group Policy dialog box. The

More Options section on the General pane displays the Tunneling Protocols entry. Only the Clientless SSL

VPNoption is selected, as shown in the following exhibit:

Cisco 210-260

https://www.certification-questions.com

Page 7: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

Reference:

Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

Question 3 You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an

ASA. Please click exhibit to answer the following questions.

Exhibit:

Cisco 210-260

https://www.certification-questions.com

Page 8: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

Which of the following statements are true regarding clientless SSL VPN connections that are made by

using the boson tunnel group? (Select 3 choices.)

Options:

A. VPN clients will be authenticated using the local AAA database.

B. VPN clients will be authenticated using digital certificates.

Cisco 210-260

https://www.certification-questions.com

Page 9: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

C. The DfltGrpPolicy group policy will be applied to the VPN connections.

D. The boson_grp group policy will be applied to the VPN connections.

E. No welcome banner will be displayed to VPN clients.

F. A welcome banner will be displayed to VPN clients.

Answer: A, D, F

Explanation:

Virtual private network (VPN) clients will be authenticated using the local Authentication, Authorization, and

Accounting (AAA) database, the boson_grp group policy will be applied to the VPN connections, and a

welcome banner will be displayed to VPN clients. When configuring a tunnel group, which is also known as

a connection profile, in Cisco Adaptive Security Device Manager (ASDM), you can specify a number of

parameters. For example, you can specify the type of authentication to use and the default group policy to

use for VPN connections made by using the tunnel group. This information can be configured or modified

on the Add or Edit Clientless SSL VPN Connection Profile dialog box in ASDM. To access this dialog box

in ASDM, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL

VPN Access, and click Connection Profiles. You should then doubleclick a connection profile, which will

open the Edit Clientless SSL VPN Connection Profile dialog box for the selected connection profile. The

Edit Clientless SSL VPN Connection Profile dialog box for the boson tunnel group is shown in the following

exhibit:

Cisco 210-260

https://www.certification-questions.com

Page 10: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

The Authentication section of the Basic screen of the Edit Clientless SSL VPN Connection Profile dialog

box indicates that the tunnel group will use the local AAA database for user authentication. Thus any VPN

connections made by using this tunnel group will be authenticated against the AAA database.

The Default Group Policy section indicates that the boson_grp group policy will be applied to this

connection profile. That is, the settings in the boson_grp group policy will apply to VPN users who connect

by using the boson tunnel group.

You can view the details of the boson_grp group policy to determine whether a banner message will be

displayed to VPN clients. This information is displayed on the Generalpane of the Add or Edit Internal

Group Policy dialog box. To view the details of an existing group policy for clientless SSL VPN users in

ASDM, you should click Configuration, expand Clientless SSL VPN Access, and click Group Policies. You

can then doubleclick boson_grp, which will open the Edit Internal Group Policy dialog box, which is shown

in the following exhibit:

Cisco 210-260

https://www.certification-questions.com

Page 11: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

The Banner entry contains a value of Welcome to Boson Software! Because VPN connections made by

using the boson tunnel group will use the boson_grp group policy, you can determine that VPN users will

be shown a welcome banner in this scenario.

Reference:

Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

Question 4 You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an

ASA. Please click exhibit to answer the following questions.

Exhibit:

Cisco 210-260

https://www.certification-questions.com

Page 12: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

Which of the following statements is true regarding VPN connections made by a user who is using the john

user account? (Select the best answer.)

Options:

A. The user will be unable to establish a VPN connection by using the boson tunnel group.

B. The user will be able to establish a connection by using any tunnel group.

Cisco 210-260

https://www.certification-questions.com

Page 13: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

C. The DfltGrpPolicy group policy will be applied to any VPN connection that the user established.

D. The user will be able to establish only clientless SSL VPN connections.

Answer: D

Explanation:

The user will be able to establish only clientless Secure Sockets Layer (SSL) virtual private network (VPN)

connections. The tunneling protocols that a user can use to establish a VPN connection can be configured

in the user profile or in a group policy. To configure the tunneling protocols in a user profile, you should

access the VPN Policy pane of the Add or Edit User Account dialog box. To access this pane, you should

click Configuration, click the Remote Access VPN button, expand AAA/Local Users, click Local Users,

doubleclick john, and then click VPN Policy. The VPN Policy pane of the john user account is shown in the

following exhibit:

The Tunneling Protocols entry indicates that the john user account is inheriting the tunneling protocol

settings from a group policy. The Group Policy entry indicates that the group policy associated with the

john user account is boson_grp. Therefore, you must view the details of the boson_grp group policy to

determine the tunneling protocols that the john user account can use.

To view the details of the boson_grp group policy, you should click Configuration, expand Clientless SSL

VPN Access, click Group Policies, and doubleclick boson_grp, which will open the Edit Internal Group

Policy dialog box, as shown in the following exhibit:

Cisco 210-260

https://www.certification-questions.com

Page 14: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

The Tunneling Protocols entry indicates that the group policy allows only clientless SSL VPN connections.

Because the john user account inherits this setting, the john user account will be able to establish a VPN

connection by using only a clientless SSL VPN connection.

Reference:

Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

Question 5 You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an

ASA. Please click exhibit to answer the following questions.

Exhibit:

Cisco 210-260

https://www.certification-questions.com

Page 15: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

Which of the following connection profiles will use the boson_grp group policy? (Select the best answer.)

Options:

A. only the boson connection profile

B. only the DefaultRAGroup connection profile

Cisco 210-260

https://www.certification-questions.com

Page 16: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

C. only the DefaultWEBVPNGroup connection profile

D. both the boson connection profile and the DefaultWEBVPNGroup connection profile

E. both the DefaultRAGroup connection profile and the DefaultWEBVPNGroup

Answer: A

Explanation:

Only the boson connection profile will use the boson_grp group policy. To determine which connection

profiles will use the boson_grp group policy, you should access the Connection Profiles pane in Cisco

Adaptive Security Device Manager (ASDM). To access this pane, you should click Configuration, click the

Remote Access VPN button, expand Clientless SSL VPN Access, and click Connection Profiles, which will

open the Connection Profiles configuration pane, as shown in the following exhibit:

This pane displays a summary of the connection profiles that are configured on the Cisco Adaptive

Security

Appliance (ASA). In this scenario, there are three connection profiles. There are two default profiles,

DefaultRAGroup and DefaultWEBVPNGroup, and one userspecified connection profile, boson. To view

which group policy is associated with which connection profile, you should doubleclick the connection

Cisco 210-260

https://www.certification-questions.com

Page 17: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

profiles to open the Edit Clientless SSL VPN Connection Profile dialog box. The default group policy that is

associated with a connection profile is displayed on the Basic pane of this dialog box. By viewing this

information, you can determine that only the boson connection profile uses the boson_grp group policy.

The Basic pane of the boson connection profile is shown in the following exhibit:

The two default connection profiles use the default group policy, which is DfltGrpPolicy.

Reference:

Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

Question 6 Which of the following is typically used to manage a Cisco router in-band? (Select the best answer.)

Options:

A. a VTY port

Cisco 210-260

https://www.certification-questions.com

Page 18: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

B. a serial port

C. a console port

D. an auxiliary port

Answer: A

Explanation:

A virtual terminal (VTY) port is typically used to manage a Cisco router in-band. When a Cisco device is

operating in its normal state, another device can connect to it by using VTY application protocols such as

Telnet or Secure Shell (SSH). The use of VTY lines typically allows multiple administrators or management

applications to concurrently access a device from more than one location.

You would not use a console port or an auxiliary (AUX) port to manage a Cisco router in-band. You are

most likely to use either an AUX port or a console port to manage a Cisco router out-of-band, such as

when the router is in read-only memory (ROM) monitor (ROMmon) mode. The AUX port on a Cisco router

is typically capable of supporting most of the features available on a console port. Cisco switches either do

not have AUX ports or do not support certain features, such as system recovery, on their AUX ports if they

have them.

ROMmon is a management mode that Cisco routers and switches revert to when the system cannot find a

software image, the software image is corrupted, or the configuration register has been set to manually

enter ROMmon mode. Because ROMmon is an out-of-band management method, it can be used to

recover system software images, passwords, or other configuration data even when the router or switch is

in a state where it can no longer forward packets.

You would not use a serial port to manage a Cisco router in-band. Serial ports and Ethernet ports are used

to directly connect Cisco routers to other network devices. For example, you might use a serial port to

directly connect a Cisco router to other data terminal equipment (DTE) or data circuit-terminating

equipment (DCE) devices. You would also use a serial port to connect a router to a Channel Service Unit/

Data Service Unit (CSU/DSU).

Reference:

Cisco: Cisco Guide to Harden Cisco IOS Devices: Management Interface Use

Question 7 Which of the following enables the validation of both user and device credentials in a single EAP

transaction? (Select the best answer.)

Options:

A. PEAP

B. EAP-FAST

C. EAP-FAST with EAP chaining

D. EAP-MD5

Cisco 210-260

https://www.certification-questions.com

Page 19: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

Answer: C

Explanation:

Extensible Authentication Protocol (EAP)Flexible Authentication via Secure Tunneling (FAST) with EAP

chaining, which is also sometimes called EAPFAST version 2 (EAPFASTv2), enables the validation of both

user and device credentials in a single EAP transaction. EAP chaining enables a Cisco security device to

validate authentication credentials for both a user and the user's device. In order to enable EAP chaining,

both the Cisco security device and the supplicant device must support EAP chaining. The Cisco security

device will assign a different level of authorization access depending on one of four success and failure

possibilities, as shown in the following table:

EAPFAST is an authentication protocol that can be used for point-to-point connections and for both wired

and wireless links. The EAPFAST authentication process consists of three phases. The first phase, which

is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a digital

credential that is used for authentication. A PAC can be manually configured on a client, in which case

phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure

tunnel between the client and the server. The final phase, which is referred to as phase 2, involves

authenticating the client. If the client is authenticated, the client will be able to access the network.

EAPTransport Layer Security (TLS) is an Internet Engineering Task Force (IETF) standard that is defined

in Request for Comments (RFC) 5216. It does not support EAP chaining. Protected EAP (PEAP) is an

open standard developed by Cisco, Microsoft, and RSA? it does not support EAP chaining.

EAPMessage Digest 5 (MD5) uses an MD5 hash function to provide security and is therefore considered

weak when compared to later methods. EAP is an IETF standard that was originally defined in RFC 2284?

it does not support EAP chaining.

Reference:

Cisco: Cisco Identity Services Engine Administrator Guide, Release 1.3: Allowed Protocols

Question 8 Which of the following features protects the control plane by classifying traffic into three separate control

plane subinterfaces? (Select the best answer.)

Options:

A. CoPP

B. CPPr

Cisco 210-260

https://www.certification-questions.com

Page 20: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

C. RBAC

D. uRPF

Answer: B

Explanation:

Control Plane Protection (CPPr) protects the control plane by classifying control plane traffic into three

separate subinterfaces: the host subinterface, the transit subinterface, and the Cisco Express Forwarding

(CEF)exception subinterface. The host subinterface contains control plane IP traffic that is destined for a

router interface, including traffic from the following sources and protocols:

- Terminating tunnels

- Secure Shell (SSH)

- Simple Network Management Protocol (SNMP)

- Internal Border Gateway Protocol (iBGP)

- Enhanced Interior Gateway Routing Protocol (EIGRP)

The transit subinterface contains control plane IP traffic that is traversing the router, including the following

traffic:

- Nonterminating tunnel traffic

- Traffic that is softwareswitched by the route processor

The CEFexception subinterface contains control plane traffic that is redirected by CEF for process

switching, as well as traffic from the following sources and protocols:

- NonIP hosts

- Address Resolution Protocol (ARP)

- External BGP (eBGP)

- Open Shortest Path First (OSPF)

- Label Distribution Protocol (LDP)

- Layer 2 keepalives

CPPr is used to protect the control plane by filtering and rate limiting traffic in order to prevent excessive

CPU and memory consumption. To configure CPPr, you must perform the following steps:

- Create access control lists (ACLs) to identify traffic.

- Create a traffic class.

- Create a traffic policy, and associate the traffic class to the policy

- Apply the policy to the specific control plane subinterface.

Control Plane Policing (CoPP) is similar to CPPr, except CoPP does not separate control plane traffic into

three subinterfaces. To configure CoPP, you must perform the following steps:

- Create ACLs to identify traffic.

- Create a traffic class.

- Create a traffic policy, and associate the traffic class to the policy.

- Apply the policy to the control plane interface.

Both CoPP and CPPr use class maps to filter and ratelimit traffic. However, CPPr separates control plane

traffic into three subinterfaces: the host subinterface, the transit subinterface, and the Cisco Express

Forwarding (CEF)exception subinterface. For this reason, Cisco recommends that you use CPPr instead

of CoPP whenever possible.

Cisco 210-260

https://www.certification-questions.com

Page 21: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

RoleBased Access Control (RBAC) does not protect the control plane. RBAC protects the management

plane by granting limited access to administrators so that they can perform only the tasks required for their

job. For example, you can configure permissions on an administrator's account so that the administrator

can issue only certain commands, which will prevent the administrator from making unauthorized

configuration changes or from viewing restricted information.

Unicast Reverse Path Forwarding (uRPF) does not protect the control plane. uRPF protects the data plane

by checking the source IP address of a packet to determine whether an inbound packet arrived on the best

path back to the source based on routing table information. If the uRPF check passes, the packet is

transmitted? if the uRPF check fails, the packet is dropped.

Reference:

Cisco: Control Plane Protection

Question 9 Which of the following is an outputspreading technique that spammers use to manipulate reputation scores

and defeat filters? (Select the best answer.)

Options:

A. phishing

B. snowshoe spam

C. waterfalling

D. listwashing

Answer: B

Explanation:

Of the available choices, snowshoe spam is an outputspreading technique that spammers use to

manipulate reputation scores and defeat filters. Snowshoe spammers establish many false company

names and identities, often with unique post office addresses and telephone numbers, so that reputation

filters do not perceive the source of the spam as a threat. In addition, the spam output is spread across

multiple IP addresses and domain names in order to defeat blacklists.

The Cisco Context Adaptive Scanning Engine (CASE) on a Cisco Email Security Appliance (ESA) is a

contextual analysis technology that is intended to detect email threats, such as snowshoe spam, as they

are received. CASE checks the reputation of email senders, scans the content of email messages, and

analyzes the construction of email messages. As part of this process, CASE submits the email sender to

the Cisco SenderBase Network, which contains data on hundreds of thousands of email networks. The

sender is assigned a score based on this information. The content of the email messaging is scanned

because it could contain language, links, or a call to action that is indicative of a phishing scam.

Phishing is a social engineering technique in which a malicious person uses a seemingly legitimate

electronic communication, such as email or a webpage, in an attempt to dupe a user into submitting

personal information, such as a Social Security number (SSN), account login information, or financial

information. To mitigate the effects of a phishing attack, users should use email clients and web browsers

Cisco 210-260

https://www.certification-questions.com

Page 22: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

that provide phishing filters. In addition, users should also be wary of any unsolicited email or web content

that requests personal information. The CASE on a Cisco ESA appliance is capable of detecting phishing

scams.

Listwashing is a spammer technique of cleaning lists of email recipients who complain about spam but

without stopping the spam from being sent to other recipients who do not complain. Listwashing is similar

to an optout address policy, meaning that email addresses are included in the list without the permission of

the email address owner and only removed if the owner complains.

Waterfalling is a spammer technique of cleaning lists of email recipients by sending the lists through

multiple email service providers. Spammers with bad lists use this technique to uncover email addresses

that bounce or that result in complaints against the spammer. The spammer can then remove those email

addresses from the list, which increases the likelihood that spam will be delivered to the remaining

recipients.

Reference:

Cisco: Cisco Email Security Appliance Data Sheet

Spamhaus: Frequently Asked Questions (FAQ): Snowshoe Spamming

Question 10 You are configuring dynamic PAT on a Cisco ASA 5500 using the CLI. The ASA is running software

version 8.3.

Which of the following IP addresses can you configure inline? (Select the best answer.)

Options:

A. inside global

B. outside global

C. inside local

D. outside local

Answer: A

Explanation:

You can configure an inside global address inline if you are configuring dynamic Port Address Translation

(PAT) on a Cisco Adaptive Security Appliance (ASA) using the commandline interface (CLI). A global

address is a source or destination IP address as seen from the perspective of a host on the outside

network. An inside global address is an IP address that represents an internal host to the outside network?

it can be configured inline by using the nat command or defined within a network object.

On a Cisco ASA, a network object is a data structure that is used in place of inline IP information. You

might use a network object in place of configuring IP addresses, subnet masks, protocols, and port

numbers if you must configure that same information in multiple places. If the information you configure

within the object ever changes, you then need only modify the single object instead of locating and

modifying each instance of the inline IP information.

An object group is simply a group of network objects. By grouping network objects, you can enable the use

Cisco 210-260

https://www.certification-questions.com

Page 23: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

of a single application control engine (ACE) to make requests of multiple devices.

Inside global addresses are typically public IP addresses assigned by the administrator of the outside

network. Dynamic PAT can translate many inside local IP addresses to a single inside global IP address.

In ASA terms, the inside global address is also known as the mapped address, because it is the IP

address that you want to map to.

You are more likely to configure an inside local address in a network object or object group, not inline. A

local address is a source or destination IP address as seen from the perspective of a host on the inside

network. An inside local address is an IP address that represents an internal host to the inside network.

Inside local addresses are typically private IP addresses defined by Request for Comments (RFC) 1918.

When a NAT router receives a packet from a local host destined for the Internet, the router changes the

inside local address to an inside global address and forwards the packet to its destination.

You would not necessarily configure an outside local address in this scenario. An outside local address is

an IP address that represents an external host to the inside network. The outside local address is often the

same as the outside global address, particularly when inside hosts attempt to access resources on the

Internet. However, in some configurations, it is necessary to configure a NAT translation that allows a local

address on the internal network to identify an outside host.

You would not configure an outside global address in this scenario. An outside global address is an IP

address that represents an external host to the outside network. Outside global addresses are typically

public IP addresses assigned to an Internet host by the host's operator. The outside global address is

usually the address registered with the Domain Name System (DNS) server that maps a host's public IP

address to a friendly name, such as www.example.com.

Reference:

Cisco: Cisco ASA 5500 Series Configuration Guide Using the CLI, 8.3: Configuring Dynamic PAT (Hide)

Question 11 Your company's active ASA currently shares its stateful failover link with a regular data interface. Your

supervisor asks you to configure a failover key on both the active ASA and the standby ASA.

Which of the following is most likely the reason? (Select the best answer.)

Options:

A. so that the risk of exposure of VPN configuration information is mitigated

B. so that both ASA devices forward traffic for a given group of security contexts

C. so that the active ASA can monitor the status of the standby ASA

D. so that the stateful failover link cannot use a regular data interface

Answer: A

Explanation:

Most likely, you would configure a failover key on both the active Cisco Adaptive Security Appliance (ASA)

and the standby ASA so that the risk of exposure of virtual private network (VPN) configuration is

mitigated. An ASA can share its stateful failover link with a regular data interface only when the unit is

Cisco 210-260

https://www.certification-questions.com

Page 24: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

operating in single context, routed mode. However, Cisco strongly recommends using a dedicated

Ethernet interface or sharing a LAN failover link instead because stateful failover traffic can increase the

possibility of congestion and can negatively impact the performance of the shared data interface. In

addition, all LAN failover and stateful failover information is transmitted as clear text by default. Therefore,

sharing the stateful failover link with a regular data interface can unnecessarily expose VPN configuration

information, such as user names, passwords, and preshared keys (PSKs) to malicious users on the shared

network segment. You can mitigate this risk by configuring a failover key on both the active unit and the

standby unit to protect failover information.

You would not configure a failover key so that the active ASA can monitor the status of the standby ASA.

An ASA can be configured to participate in either an active/standby or an active/active failover

configuration. In an active/standby configuration, one ASA serves as the active unit and forwards traffic. A

second ASA functions as a standby unit, which monitors the status of the active unit. If a failover event is

triggered, the standby unit takes on the role of the active unit.

You would not configure a failover key so that both ASA devices forward traffic for a given group of security

contexts. An active/active failover configuration enables both ASAs to forward traffic for a select group of

security contexts. With active/active failover, two failover groups exist as security contexts on each ASA.

When a failover event is triggered, a failover group can become active on a standby unit or the entire

standby unit can become the new active unit. Because an active/active failover configuration relies on

security contexts, both ASAs must be in multiple context mode before active/active failover can be

implemented. The failover configuration for each unit in an active/active failover configuration is managed

from within the system context. Unlike user contexts, the system context does not contain any normal data

interfaces.

You would not configure a failover key so that the stateful failover link cannot use a regular data interface.

Instead, you would configure an ASA to operate in multiple context, routed mode or multiple context,

transparent mode. An ASA operating in multiple context, routed mode or multiple context, transparent

mode does not support using a regular data interface as the stateful failover link. When an ASA is

operating in multiple context mode, the stateful failover link resides in the system context, which does not

contain any regular data interfaces. Thus the stateful failover link cannot be a shared data link.

The implementation of the failover process between the active and standby units can be either stateless or

stateful. In a stateless failover implementation, the standby unit of a failover pair takes on the IP and Media

Access Control (MAC) addresses of the old active unit during a failover event. This mechanism enables

network clients to maintain their existing network configurations? however, because no network state

information is retained, the clients must reestablish their network connections through the new active unit.

By contrast, the active unit in a stateful failover implementation transmits certain types of state information

through a stateful failover link to the standby unit. This exchange of state information ensures that the

standby unit can preserve the state information for open connections during the failover process. Because

the state information is preserved, the impact of a failover event on network hosts with open connections

can be mitigated.

Reference:

Cisco: Information About High Availability: Stateful Failover Link

Question 12 You have configured a BYOD implementation at a branch location, including an extended ACL named

Cisco 210-260

https://www.certification-questions.com

Page 25: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

DEFAULTACL on the Layer 2 ports of each access switch. BYOD clients are able to obtain IP addresses,

but connectivity to other network services seems to be sporadic or nonexistent, depending on the service.

You issue the show ip accesslist command on the switch and receive the following partial output:

Extended IP access list DEFAULTACL

10 permit icmp any any

20 permit udp any eq bootpc any eq bootpc

30 permit udp any any eq tftp

40 deny ip any any log

According to Cisco BYOD best practices, which of the following should you perform on the ACL to fix the

problem? (Select the best answer.)

Options:

A. Add a rule to permit DNS traffic before rule 40.

B. Add a rule to deny ICMP traffic after rule 40.

C. Add a rule to deny TFTP traffic after rule 40.

D. Remove rule 40.

Answer: A

Explanation:

According to Cisco best practices, you should add a rule to permit Domain Name System (DNS) traffic

before rule 40 in the access control list (ACL) that has been applied to the Layer 2 ports of the access

switch. In a Bring Your Own Device (BYOD) environment, 802.1X, Web Authentication (WebAuth), or

Media Access Control (MAC) Authentication Bypass (MAB) are used to authenticate and authorize the

user and the user's associated device for network access. Once a wired device authenticates with the

Cisco Identity Services Engine (ISE), a downloadable ACL (dACL) is typically applied to the appropriate

access port on the Layer 2 switch to which the device is attached. Cisco recommends applying a default

ACL to the access ports of Layer 2 switches to mitigate situations where a configuration error might

prevent a dACL from being applied to the appropriate port during the authorization/authentication process.

The default ACL should permit Bootstrap Protocol (BOOTP), DNS, Trivial File Transfer Protocol (TFTP),

and Internet Control Message Protocol (ICMP). In addition, the default ACL should explicitly deny and log

all other IP traffic. For example, the following ACL complies with Cisco's best common practices (BCP) as

outlined in the BYOD Design Guide:

switch(config)#ip accesslist extended DEFAULTACL switch(configextnacl)#permit icmp any any

switch(configextnacl)#permit udp any eq bootpc any eq bootps switch(configextnacl)#permit udp any any

eq domain switch(configextnacl)#permit udp any any eq tftp switch(configextnacl)#deny ip any any log

You do not need to add any rules after rule 40 in this scenario. In addition, you should not remove rule 40

from the ACL in this scenario. Rule 40 denies and logs all IP traffic that has not already been matched by

the preceding rules. Both ICMP traffic and TFTP traffic should be and already are permitted by the ACL.

Reference:

Cisco: Cisco Bring Your Own Device (BYOD) CVD: ACL Design at Branch Location

Cisco 210-260

https://www.certification-questions.com

Page 26: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

Question 13 You enable logging at the end of the session in Cisco FireSIGHT Management Center.

Which of the following is true? (Select the best answer.)

Options:

A. The log will contain less information than at the beginning of the session.

B. You will not be able to log connections handled by an SSL policy.

C. Information will be based on only the first few packets of a connection.

D. The log will contain information from throughout the course of a connection.

Answer: D

Explanation:

In Cisco FireSIGHT Management Center, the log will contain information from throughout the course of a

connection if you enable logging at the end of the session, which is also known as endofconnection

logging. Endofconnection events are generated when a connection closes, times out, or can no longer be

tracked because of memory constraints. Endofconnection events contain significantly more information

than beginningofconnection events because they can draw upon data collected throughout the course of a

connection. This additional information can be used to create traffic profiles, generate connection

summaries, or graphically represent connection data. In addition, the data can be used for detailed

analysis or to trigger correlation rules based on session data. Endofconnection events are also required to

log encrypted connections that are handled by a Secure Sockets Layer (SSL) policy because there is not

enough information in the first few packets to indicate that a connection is encrypted.

Beginningofconnection events contain less information than endofconnection events. Cisco FireSIGHT

Management Center, which was formerly called Sourcefire Defense Center, can log beginningofconnection

events and endofconnection events for various types of network traffic. Although most network traffic will

generate both kinds of events, blocked or blacklisted traffic is typically denied without further processing

and therefore only generates beginningofconnection events. Beginningofconnection events contain a

limited amount of information because they are generated based on the information contained in the first

few packets of a connection.

Reference:

Cisco: Logging Connections in Network Traffic: Logging the Beginning or End of Connections

Question 14 Which of the following MPF elements can be used to configure Application layer protocol inspection?

(Select the best answer.)

Options:

A. a class map

Cisco 210-260

https://www.certification-questions.com

Page 27: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

B. a policy map

C. a service policy

D. a global policy

E. an extended access list

F. a standard access list

Answer: B

Explanation:

A policy map can be used to configure Application layer protocol inspection. Modular Policy Framework

(MPF) is a Cisco Adaptive Security Appliance (ASA) feature that provides a flexible method of enabling

security policies on an interface. This framework consists of three basic components: class maps, policy

maps, and service policies. A class map identifies a specific flow of traffic, a policy map determines the

action that will be performed on the traffic, and a service policy ties this action to a specific interface.

Application inspection is one of the actions that can be applied to traffic with a policy map. Services that

embed IP addresses in the packet or utilize dynamically assigned ports for secondary channels require

deep packet inspection, which is provided by Application layer protocol inspection. Some traffic, such as

File Transfer Protocol (FTP) traffic, might be dropped if inspection for that protocol is not enabled.

Application inspection can be configured within the global service policy and within an interface service

policy. Service policies can be applied to an individual interface or globally to all interfaces? if traffic

matches both an interface policy and a global policy, only the interface policy will be applied to that

particular traffic flow.

A class map cannot be used to configure Application layer protocol inspection. Class maps identify traffic

by matching a variable characteristic that you specify, such as traffic going to a unique IP address or traffic

using a specific port. Generally, each class map can contain only a single match statement, and a packet

can match only a single class map within the policy map of a particular feature type. For example, if a

packet matched a class map for FTP inspection and a class map for traffic policing, the ASA would apply

both policy map actions to the packet. However, if a packet matched a class map for FTP inspection and a

second, different class map that included FTP inspection, the ASA would apply only the actions of the first

matching policy map. Class maps are assigned to a policy map, which defines the action or actions to be

performed on the traffic.

A service policy cannot be used to configure Application layer protocol inspection. Service policies tie the

policy map to the interface and can be applied to an individual interface or globally to all interfaces? if

traffic matches both an interface policy and a global policy, only the interface policy will be applied to that

particular traffic flow. Service policies can be configured by using Cisco Adaptive Security Device Manager

(ASDM) or by commandline interface (CLI) configuration. Neither an extended access list nor a standard

access list can be used to configure Application layer protocol inspection. Access control lists (ACLs) can

be used to filter traffic based on a set of configured rules. You can create either standard or extended

ACLs. Whereas standard ACLs can be used to filter based only on source IP addresses, extended ACLs

can be used to filter based on source and destination IP addresses, protocols, and ports. A class map can

match traffic to an extended ACL that is specified as a parameter to the accesslist keyword in a match

Cisco 210-260

https://www.certification-questions.com

Page 28: Implementing Cisco Network Security · Implementing Cisco Network Security Cisco 210-260 Dumps Available Here at:

statement.

Reference:

Cisco: Using Modular Policy Framework: Information About Inspection Policy Maps

Cisco: Getting Started With Application Layer Protocol Inspection: Configuring Application Layer Protocol

Inspection

Would you like to see more? Don't miss our 210-260 PDF

file at:

https://www.certification-questions.com/cisco-pdf/210-260-pdf.html

Cisco 210-260

https://www.certification-questions.com