Document: Managing Cisco Network Security (MCNS) - Pdf 84

640-442 1

21certify.com CISCO:

Managing Cisco Network Security (MCNS)

640-442
Version 6.0

Jun. 17th, 2003


This 21certify Exam has been carefully written and compiled by 21certify Exams experts. It is
designed to help you learn the concepts behind the questions rather than be a strict memorization
tool. Repeated readings will increase your comprehension.

We continually add to and update our 21certify Exams with new questions, so check that you have
the latest version of this 21certify Exam right before you take your exam.

For security purposes, each PDF file is encrypted with a unique serial number associated with your
21certify Exams account information. In accordance with International Copyright Law, 21certify
Exams reserves the right to take legal action against you should we find that copies of this PDF file
have been distributed to other parties.

Please tell us what you think of this 21certify Exam. We appreciate both positive and critical
comments as your feedback helps us improve future versions.

We thank you for buying our 21certify Exams and look forward to supplying you with all your
Certification training needs.

Good studying!

21certify Exams Technical and Support Team

Q.1 What are three commands that can be used in enabling NAT? (Choose three)
A. nat
B. static
C. global

Q.5 Java inspection was properly configured with Context based Access Control (CBAC) to allow only
applets from a trusted Web server. What happens when a user attempts to download an applet from an
untrusted server using FTP (assuming that FTP is allowed between the two by CBAC)?
A. CBAC requests user authentication.
B. The applet is downloaded successfully.
C. The FTP session is terminated by CBAC.
D. The packets containing the applet are dropped by CBAC.
Answer: B
Q.6 Which Cisco IOS feature should be used when hiding multiple hosts behind a single IP address?
A. PAT
B. ACL
C. DHCP
D. CBAC
Answer: A
Q.7 Which encryption algorithms are supported by the Cisco Secure VPN Client?
A. Null, CAST-128 and DES
B. DES, Triple-DES and Null
C. DES, CAST-128 and Blowfish
D. DES, Blowfish and Diffie-Hellman
Answer: B
Q.8 Given the following output:
Crypto Map: "s1first" idb: Serial0 local address: 172.16.254.201
Crypto Map "s1first" 20 ipsec-isakmp
    Peer = 172.16.254.212
    Extended IP access list 101
        access-list 101 permit ip
            source: addr = 172.16.152.0/0.0.0.255
            dest: addr 0.0.0.0/255.255.255.255
    Current peer:

Q.11 Which three statements apply to AAA on a PIX firewall? (Choose three)
A. Only inbound connections can be authenticated by AAA.
B. FTP, HTTP and Telnet can be authenticated using AAA.
C. The PIX can authenticate Enable mode access using AAA.
D. The PIX can authenticate serial console access using AAA.
Answer: A, B, C
Q.12 Exhibit:

Which PIX command statically translates the IP address of the Mail server to 182.16.1.4?
A. static(dmz, outside) 172.16.2.4 182.16.1.4
B. static(outside,dmz ) 182.16.1.4 172.16.2.4
C. static(dmz, outside) 182.16.1.4 172.16.2.4
D. static(inside, outside) 182.16.1.4 172.16.2.4
Answer: B
Q.13 Which statement best describes the Encapsulation Security Payload (ESP) header?
A. It is inserted before an encapsulated IP header in Tunnel mode.
B. It is inserted before an encapsulated IP header in Transparent mode.
C. It is inserted after the IP header and before the upper layer protocol header in Tunnel mode.
D. It is inserted after the IP header and after the upper layer protocol header in Transport mode.
Answer: A
Q.14 Which two protocols are known to pose security threats? (Choose two)
A. SNMP
B. NNTP
C. SMTP
D. CHAP
E. Frame Relay


C. Account ID
D. Challenge handshake authentication protocol (CHAP) password
Answer: B
Q.19 Which command is most useful to troubleshoot a Challenge Handshake Authentication Protocol
(CHAP) authentication attempt?
Answer: D
Q.20 When the nat (inside) 0 command is configured on a PIX firewall, ________ IP addresses are translated.
A. DMZ
B. No inside
C. Only private
D. Global outside
Answer: B
Q.21 Which two commands prevent a chargen attack? (Choose two)
A. no ip redirects
B. no service finger
C. no chargen enable
D. no tcp-small-servers
E. no udp-small-servers
Answer: D
Q.22 Which 3 services can be authenticated using AAA on a PIX firewall? (Choose three)
A. FTP
B. POP
C. HTTP
D. SMTP
E. TFTP

B. Ping -s 10.1.1.1
C. Ping -t 10.1.1.1
D. Ping inside 10.1.1.1
E. Ping outside 10.1.1.1
Answer: D
Q.27 Which PIX firewall command denies any internal hosts from downloading Java Applets?
Answer: A
Q.28 Which command allows you to view PIX firewall software version?
A. Show os
B. Show pix
C. Show version
D. Debug version
E. Show software
Answer: C
Q.29 With TCP inspection, which three parameters are used by Context Based Access Control (CBAC) to
permit a packet received on the external interface? (Choose Three)
A. Source IP address
B. Source port number
C. TCP sequence number
D. Destination port number
E. Destination MAC address
Answer: A, B, D
Q.30 Which three statements about PIX firewall multimedia support are true? (Choose three)
A. It supports multimedia with or without NAT.


B. access-list 101 permit isakmp host 172.16.1.2 host 172.16.1.1
C. access-list 101 permit udp host 172.16.1.2 host 172.16.1.1 eq isakmp
D. access-list 101 permit tcp host 172.16.1.2 host 172.16.1.1 eq isakmp
Answer: C
Q.34 Context based Access Control (CBAC) allows replies for sessions originating from the ______ hosts.
A. WAN
B. internal
C. external
D. destination

Answer: B
Q.35 Which IOS feature best prevents eavesdropping?
A. IPSec
B. CBAC
C. Lock and Key
D. TCP intercepts
Answer: A
Q.36 What does the following command do?
Crypto map map-name local-address interface-id
A. It applies a crypto map to an interface.
B. It defines a crypto map set to be used by multiple interfaces.

C. Challenge Handshake Authentication Protocol (CHAP) authentication
Answer: B, C, D
Q.41 Exhibit: The crypto map is implemented on the serial interface of the remote router. Which access list
(ACL) line configured on the remote router enables encryption of traffic from workstation B to
workstation A?

A. Access-list 101 permit ip host 192.168.255.2 host 10.34.2.3
B. Access-list 101 permit ip host 192.168.255.2 host 172.34.2.1
C. Access-list 101 permit ip host 10.34.2.3 172.16.1.0 0.0.0.255
D. Access-list 101 permit ip 172.16.1.0 0.0.0.255 10.34.2.0 0.0.0.255
Answer: A
Q.42 The client’s public/private key pair is generated by ____________
A. The client.
B. The certificate authority (CA).
C. The peer during the security association (SA) establishment.
D. Both peers during the SA establishment.
Answer: A
Q.43 Which two demonstrate a security policy weakness? (Choose two)
A. ping of death
B. denial of service
C. improper change control
D. no disaster recovery plan
E. misconfigured network equipment
Answer: C, D

