CCNP Security FAQ : Cisco Security Appliance

CCNP Security FAQ : Cisco Security Appliance

Q1. True or false: You do not need a license for any Cisco PIX Firewall. If you own the appliance, you can do anything you want with it.
A. True
B. False

Answer: B

Q2. How many physical interfaces does the PIX 525 support?
A. Eight 10/100 interfaces or three Gigabit interfaces
B. Eight 10/100 interfaces and three Gigabit interfaces
C. Six 10/100 interfaces or three Gigabit interfaces
D. Six 10/100 interfaces and three Gigabit interfaces
E. None of the above

Answer: A

Q3. What are the three firewall technologies?
A. Packet filtering, proxy, connection dropping
B. Stateful inspection, packet filtering, proxy
C. Stateful proxy, stateful filtering, packet inspection
D. Cut-through proxy, ASA, proxy

Answer: B

Q4. How are optional component cards installed in the PIX Firewall?
A. ISA slot
B. USB port
C. Serial connection
D. PCI slot
E. PCMCIA slot

Answer: D

Q5. What is the maximum firewall throughput of the ASA Security Appliance 5540?
A. 1.0 Gbps
B. 1.7 Gbps
C. 100 Mbps
D. 400 Mbps

Answer: B

Q6. How many physical interfaces does a PIX 501 have, and how many network segments does it support?
A. Six interfaces, two network segments
B. Six interface, six network segments
C. Five interfaces, four network segments
D. Two interfaces, two network segments
E. None of these answers are correct

Answer: E

Q7. What happens to a reply that does not have the correct TCP sequence number?
A. It generates an alert.
B. The connection is dropped.
C. The connection information is added to the state table.
D. The session object is modified.
E. None of these answers are correct.

Answer: B

Q8. Which of the following is the best way to remove the ASA from a PIX Firewall?
A. Use the ASA removal tool, downloaded from
B. Use the asa disable command in the config mode.
C. Configure all NATs to a single external address.
D. Configure all NATs to a single internal address.
E. You cannot remove the ASA from the PIX Firewall.

Answer: E

Q9. Which of the following four authentication methods is not supported by the PIX Firewall for performing cut-through proxy?
A. Local Database
D. Active Directory
E. All of the above

Answer: D

Q10. What encryption algorithms does the PIX Firewall not support?
A. Data Encryption Standard
B. Triple Data Encryption Standard
C. Diffie-Hellman
D. Advanced Encryption Standard 128
E. Advanced Encryption Standard 256
F Answers C, D, and E

Answer: C

Q11. What is the ASA, and how does Cisco PIX Firewall use it?

Answer: The ASA is an algorithm used by the PIX Firewall to provide better security than packet filters and better performance than application proxies.

Q12. Why does the ASA generate random TCP sequence numbers?

Answer: The initial TCP sequence numbers for outbound connections are randomly generated by the Security Appliance to greatly reduce the chances of an inbound TCP session being hijacked.

Q13. What components of a TCP session does the ASA write to the state table to create a session object?

  • Source IP and port
  • Destination IP and port
  • TCP sequencing information
  • Additional TCP and UDP flags
  • A new random TCP sequence number

Q14. What can cause a session object to be deleted from the state table?

Answer: The session is not authorized by the security policy, the session has ended, or the session has timed out.

Q15. What are the three ways to initiate a cut-through proxy session?

Answer: Initiate an HTTP, FTP, or Telnet session.

Q16. What X.509 certificates do SCEP and the Security Appliance support?


  • Entrust Technologies, Inc.—Entrust/PKI 4.0
  • Microsoft Corp.—Windows 2000 Certificate Server 5.0
  • VeriSign—Onsite 4.5
  • Baltimore Technologies—UniCERT 3.05

Q17. How many physical interfaces does the PIX 515E support?

Answer: PIX 515E supports up to six 10/100 interfaces.

Q18. What is the lowest model number of the PIX Firewall family to support failover?

Answer: The PIX 515E is the lowest model to support failover.

Q19. What are two methods of managing a Cisco ASA Security Appliance?


  • Command-line interface (CLI)
  • Cisco Adaptive Security Device Manager (ASDM)

Q20. List four advantages of the ASA.


  • It is more secure than packet filtering.
  • It has greater performance than application proxy.
  • It can guard against session hijacking.
  • It is part of the embedded PIX operating system.

Q21. List the three parts to a Modular Policy.


  • A class-map identifies the type of traffic flow that the MPF will use. The flow type is packet specific and can be any packet type, such as a VPN tunnel, voice traffic, or basic IP traffic.
  • The policy-map assigns one or more actions to traffic flows specified by a class-map. For example, all basic IP traffic entering a site would be packet inspected and rate limited through a policy-map.
  • The service policy assigns one or more policy-maps to an interface.

More Resources

About the author


Leave a Comment