Share your FIREWALL Experience
Cisco has changed its security exams, replacing the old CCSP with the new CCNP Security certification, which has 4 modules: Secure, Firewall, IPS and VPN. In fact, the old CCSP and the new CCNP Security are very similar. Many candidates have asked us to put up materials for these new exams, but that is time-consuming work. In the meantime, we have created this “Share your experience” section for the FIREWALL exam. We really hope that anyone who reads securitytut, 9tut, digitaltut, certprepare, networktut and voicetut will contribute to these sections, as your experience is invaluable for CCNP Security learners working to complete their goals.
Please share with us your experience after taking the FIREWALL 642-617 exam: your materials, the way you learned, your recommendations…
NEW QUESTION 490
Which action do you take on a Cisco router to limit the management traffic to only one interface?
A. Filter incoming connections by applying an extended ACL on a loopback interface.
B. Filter incoming …
C. … Management Plane Protection feature.
D. Add an interface by using the management-interface command.
Answer: C
Exam 300-206 Dual SSD? Single SSD?
Passed today,
Two new questions:
1) Primary function of HTTPS in Cisco IOS XE -> redirect requests to HTTP:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/configuration/xe-16-5/https-xe-16-5-book/HTTPS--HTTP_Server_and_Client_with_SSL_3-0.html
2) Configuration of ASDM: http server enable
Question about MKA; the response was protecting traffic between switch and endpoint.
In the Gon file, for the question about traffic reaching the FW, I answered with both capture commands (packet-capture is incorrect because it only simulates traffic).
Good luck for all !
Hi Congratulations!
Help me, I am taking the exam today. Are the lab, D&D and spot questions the same?
Are there questions about ISE dual or single SSD?
Thanks in advance
Yes, D&D and Labs are the same.
No question about ISE SSD.
Thanks,
Which two verification commands do you run on the perimeter firewall to confirm that the packets reach the firewall?
Answer:
show capture capin
capture capin interface inside
Correct?
D&D
TrustSec D&D – ISE and ASA?
Register with ISE
ASA downloads PAC
Device authenticates using TrustSec
Device sends SGT to upstream switches
Receives request and looks up SGT
D&D NTP?
Step 1 ntp authenticate
Step 2 ntp trusted-key key_id
Step 3 ntp authentication-key key_id md5 key
Step 4 ntp server ip_address [ key key_id ] [ source interface_name ] [ prefer ]
A. AsaV in front-end
B. VSG in front-end
C. AsaV in Back-end
D. VSG in back-end
Correct Answer: A and D
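The four NTP steps in the D&D above (ntp authenticate, ntp trusted-key, ntp authentication-key … md5 …, ntp server … key …) turn on RFC 5905 symmetric-key authentication. The Python below is an added example, not code from the original post or from Cisco, showing what those steps make the devices do on the wire: the sender appends a 4-byte key ID and MD5(key || packet) to the NTP header, and the receiver recomputes the digest, rejects packets without a MAC (ntp authenticate), and refuses keys that are configured but not trusted (ntp trusted-key). The key table, key IDs, key strings and timestamp are constructed for illustration.

```python
"""NTP symmetric-key (MD5) authentication as configured by
`ntp authentication-key <id> md5 <key>` / `ntp trusted-key <id>` / `ntp authenticate`.
Added example; all keys and packet contents below are constructed."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48           # fixed NTPv4 header, no extension fields
KEY_ID_LEN = 4
MD5_DIGEST_LEN = 16
MAC_LEN = KEY_ID_LEN + MD5_DIGEST_LEN
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

# Constructed key table, equivalent to:
#   ntp authentication-key 1 md5 s3cret-ntp-key
#   ntp authentication-key 7 md5 legacy-key
#   ntp trusted-key 1            (key 7 is configured but NOT trusted)
KEYS = {1: b"s3cret-ntp-key", 7: b"legacy-key"}
TRUSTED_KEY_IDS = {1}


def to_ntp_timestamp(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * (1 << 32))) & 0xFFFFFFFF
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_client_packet(transmit_unix_seconds: float) -> bytes:
    """Minimal 48-byte NTPv4 client request: LI=0, VN=4, mode=3 (client)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(
        "!BBBbIIIQQQQ",
        li_vn_mode, 0, 6, -20,   # stratum 0, poll 2^6 s, precision 2^-20 s
        0, 0, 0,                 # root delay, root dispersion, reference ID
        0, 0, 0,                 # reference, origin and receive timestamps
        to_ntp_timestamp(transmit_unix_seconds),
    )


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: append key ID and MD5(key || packet) per RFC 5905 appendix A."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message: bytes, keys=KEYS, trusted_key_ids=TRUSTED_KEY_IDS):
    """Receiver side, mirroring `ntp authenticate` plus `ntp trusted-key`.
    Returns (accepted: bool, reason: str)."""
    if len(message) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present; rejected because authentication is required"
    body, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:KEY_ID_LEN])[0]
    received_digest = mac[KEY_ID_LEN:]
    if key_id not in keys:
        return False, f"unknown key id {key_id}"
    if key_id not in trusted_key_ids:
        return False, f"key id {key_id} is configured but not trusted"
    expected = hashlib.md5(keys[key_id] + body).digest()
    if not hmac.compare_digest(expected, received_digest):   # constant-time compare
        return False, "digest mismatch: packet altered in transit or wrong key"
    return True, f"authenticated with key id {key_id}"


if __name__ == "__main__":
    request = build_client_packet(1700000000.25)
    signed = append_mac(request, 1, KEYS[1])
    print(verify_mac(signed))                        # accepted
    print(verify_mac(request))                       # no MAC
    print(verify_mac(append_mac(request, 7, KEYS[7])))  # configured but untrusted key
```

Two points worth noticing: the MAC is a prefix construction, MD5(key || message), not an HMAC, which is why the shared key must stay secret and why modern deployments prefer stronger digests where the platform offers them; and a key that is configured but not listed under ntp trusted-key is still refused, which is exactly the behaviour step 2 of the D&D adds.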
really thank you
Correct for the first questions; just for the last question:
There was only one answer to choose and it was about protecting a multitenant datacenter at the perimeter. I really don’t know the correct answer (ASAv or VSG…).
There was only one answer to choose and it was about protecting a multitenant datacenter at the perimeter. I really don’t know the correct answer (ASAv or VSG…). I think ASAv in the front-end.
Hi guys,
how do I verify my config in the lab in the 300-206 exam?
NAT?
@RCV
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/2-2/design_guide/vmdcDesign22/VMDC_2-2_DG_2.html#wp1358647
@SecGuy
Congratulations, what was your score?
@scubasteve thanks !
@SecGuy
The TrustSec D&D, how many options?
D&D TrustSec, 5 options.
My response was ASAv in the front-end too.
I got 95X.
Should they be put in order, or dragged to ISE or ASA?
1) Register with ISE
2) Downloads PAC
3) Device authenticates using TrustSec
4) Device sends SGT to upstream switches
5) Receives request and looks up SGT
or DRAG
ISE
Register with ISE
Downloads PAC (ASA downloads from ISE)
Device authenticates using TrustSec (ISE)
Device sends SGT to upstream switches (ASA)
Receives request and looks up SGT (ASA)
Thanks
My friend is looking for the 210-260 IINS; drop me an email if you have the latest accurate dump. Thanks.
medave775 *at* gmail.com
Can anyone please tell me whether the Gon 166-question file is still enough to pass 300-206? I will sit the exam on Saturday.
@SecGuy thanks for the feedback. Did you use the Gon Jan file? What else did you use to prepare? I have my exam in 4 hours. Are there any other wrong answers in the Gon file?
Same query as Ras: is it enough to sit the 300-206 exam if I follow Gon’s suggestions for the 166 questions?
@Danny,
Gon file is sufficient, I had only 2 new questions.
@Danny, you have to review Gon file including 61Q.
@RCV,
That’s a D&D and the question is about how to configure RBAC. Not sure what the word RBAC is doing here, as the questions are about configuring TrustSec. I used the Cisco TrustSec configuration for ASA to answer this D&D.
@RCV
Yes, NAT.
Are there any marks for verifying and testing?
Thanks, I am doing both the Gon Jan 166Q and the Gon Feb 61Q files, plus your comments about the TrustSec D&D and the 2 new questions.
can someone please tell me the correct answer for this question:
Which command must you configure on a Cisco IOS XR or XE device to enable Cisco Prime Infrastructure to perform event-triggered backups? Logging level or logging?
Passing!
RCV:
No new questions
I had a problem with the NAT/PAT lab.
I was unable to see the translation. I tried through the CLI on the ASA, with the commands show nat and show xlate, and also through ASDM monitoring.
Which command must you configure on a Cisco IOS XR or XE device to enable Cisco Prime Infrastructure to perform event-triggered backups? Logging trap level or logging?
VSG in back-end is the correct answer
Good luck Danny!! Good luck all!!
Which statement about SenderBase reputation scoring on an ESA Device is true?
A. Application traffic from known bad sites can be throttled or blocked
B. Sender reputation scores can be assigned to domains, IP addresses and MAC addresses
C. Mail with scores in the medium range can be automatically routed for antimalware scanning
D. A high score indicates that a message is very likely to be spam
E. You can configure a custom score threshold for whitelisting messages
F. By default all messages with a score below zero are dropped or throttled
Which one is correct?
A network engineer must manage and push configuration to a Cisco networking environment
in which 10 Cisco ASAs with IPS modules reside. Which solution accomplishes this task?
A. Cisco Adaptive Security Device Manager to push configuration to each of the IPS units
B. FireSIGHT manager to bundle and push configurations to the IPS installed on an SSD within the
Cisco ASA 5500 series ASA
C. Cisco Security Manager 4.5 or later pushing configuration bundles to each of the IPS units
D. Cisco IPS Manager Express pushing configuration to the IPS units
Which one is correct?
Which statement about SenderBase reputation scoring on an ESA Device is true?
A. Application traffic from known bad sites can be throttled or blocked
B. Sender reputation scores can be assigned to domains, IP addresses and MAC addresses
C. Mail with scores in the medium range can be automatically routed for antimalware scanning
D. A high score indicates that a message is very likely to be spam
E. You can configure a custom score threshold for whitelisting messages
F. By default all messages with a score below zero are dropped or throttled
I think “F”
—
A network engineer must manage and push configuration to a Cisco networking environment
in which 10 Cisco ASAs with IPS modules reside. Which solution accomplishes this task?
A. Cisco Adaptive Security Device Manager to push configuration to each of the IPS units
B. FireSIGHT manager to bundle and push configurations to the IPS installed on an SSD within the
Cisco ASA 5500 series ASA
C. Cisco Security Manager 4.5 or later pushing configuration bundles to each of the IPS units
D. Cisco IPS Manager Express pushing configuration to the IPS units
I think “C”
RCV:
D&D: NTP / TrustSec / QoS
Lab: NAT/PAT
Syslog server
Packet tracer
Read
the Gon Feb 61Q file and the questions up this page.
B. FireSIGHT manager to bundle and push configurations to the IPS installed on an SSD within the
Cisco ASA 5500 series ASA
is the correct answer.
F. By default all messages with a score below zero are dropped or throttled
is correct.
Hi guys, I passed with 9XX. Thank you everyone for your invaluable contributions: Gon Freecs, Chnuky, Chuck, SecGuy, scubasteve, RCV. You guys are the best, you guys rock.
Everything is from Gon Feb and some new questions posted by Chuck. Just read those questions at the last minute.
congratulations! Good luck to all
I took it today and got 9xx.
D&D for NTP; routed mode and transparent mode; QoS policing; TrustSec.
This question: When you configure a Botnet Traffic Filter on a Cisco firewall, what are two optional tasks? (Choose two)
A. Enable the use of dynamic databases.
B. Add static entries to the database.
C. Enable DNS snooping.
D. Enable traffic classification and actions.
E. Block traffic manually based on its syslog information.
Correct Answer: BE
An engineer has found that threat detection has been turned on by default on a Cisco ASA. Which two security
events are monitored? (Choose two)
A. Concurrent NAT interface overload addresses
B. Denial of service attack occurrences
C. Packet allowed by the inspection engine
D. Number of times the rates were exceeded
E. Total number of malformed packets received
Correct Answer: BD
Refer to the exhibit. Which two verification commands do you run on the perimeter firewall to confirm that the packets reach the firewall?
ASA-Per# show access-list acl_web
...
access-list acl_web line 6 extended permit tcp 10.10.1.0 255.255.255.0 host 172.16.31.8 eq www (hitcnt=0) 0x9726335c
ASA-Per# sh run access-group
...
access-group acl_web global
A. ASA-Per# packet-tracer input outside tcp 10.10.1.100 49000 172.16.31.8 www
B. ASA-Per# capture capin interface inside match tcp 10.10.1.100 host 172.16.31.8 eq www
C. ASA-Per# show logging
D. ASA-Per# show capture capin
E. ASA-Per# packet-tracer input inside tcp 10.10.1.100 49000 172.16.31.8 www
Answer: BE
SPOTO and Gon Freco are enough to pass
Passed today.
Questions changed.
QUESTION 26
Which type of authentication and encryption does SNMPv3 use at the authPriv security level?
A. Username authentication without encryption
B. MD5 or SHA authentication with DES encryption
C. Username authentication with DES encryption
D. MD5 or SHA authentication with DES encryption
Correct Answer: B
Also, I went with VSG in the back-end, because the question mentioned intra-tenant.
Good luck all.
Previous post, option D is:
D. MD5 or SHA authentication with no encryption.
@scubasteve
Great work!!! Well done!!!
Hi guys,
Doing my exam this Friday and I am struggling with the NAT D&D. There are a lot of conflicting answers, mostly because of the terrible question. Is the answer in Gon the correct one?
209.165.202.130 – Source address in translated packet
209.165.200.228 – Destination address in original packet
172.16.0.50 – Source address in original packet
172.16.0.100 – Destination address in translated packet
And the “old” simulations, such as Botnet, are they retired from the exam? Are NAT and the inspect-map the only possible ones?
Thanks in advance!
@ginodesilva
NAT D&D is no longer on the exam. But the correct answer is below:
209.165.202.130 – Source address in original packet
209.165.200.228 – Destination address in original packet
172.16.0.50 – Source address in translated packet
172.16.0.100 – Destination address in translated packet
Only sim left is NAT/PAT.
Good luck in your exam.
@scubasteve
Thanks for the quick response. It’s my last one…
Security Levels
SNMP offers 3 different security levels:
noAuthNoPriv
AuthNoPriv
AuthPriv
Auth stands for Authentication and Priv for Privacy (encryption).
noAuthNoPriv = username authentication and no encryption.
AuthNoPriv = MD5 or SHA authentication but no encryption.
AuthPriv = MD5 or SHA authentication AND encryption.
SNMPv1 and SNMPv2 only support noAuthNoPriv since they don’t offer any authentication or encryption. SNMPv3 supports any of the three security levels. When you decide to use noAuthNoPriv for SNMPv3, the username replaces the community string.
The community string for SNMPv1 and SNMPv2 is sent in clear text. SNMPv3 is far more secure because it doesn’t send the user passwords in clear text but uses MD5 or SHA1 hash-based authentication; encryption is done using DES, 3DES or AES.
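The post above explains what the three SNMPv3 security levels promise; the Python below is an added example (not from that post or from any vendor) showing the RFC 3414 USM mechanism behind authNoPriv and authPriv: a user's password is hashed into a key and then "localized" to one agent's snmpEngineID, so the key stored on one device is useless against another even when the same password is reused. The helper usm_keys_for_level is my own illustrative function that returns which keys each level actually needs; the password "maplesyrup" and engine ID 00…02 are the test vector from RFC 3414 Appendix A.3.

```python
"""RFC 3414 (SNMPv3 User-based Security Model) password-to-key derivation and the
keys each security level requires.  Added example; `usm_keys_for_level` is an
illustrative helper, not a library API."""
import hashlib
from typing import Dict, Optional

SECURITY_LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")
ONE_MEBIBYTE = 1048576


def password_to_ku(password: bytes, algorithm: str) -> bytes:
    """RFC 3414 A.2: hash exactly 1 MiB of the password repeated end to end (Ku).
    The large input is deliberate: it slows down offline password guessing."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEBIBYTE, len(password))
    return hashlib.new(algorithm, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def password_to_key(password: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Password + engine ID -> localized key (16 bytes for MD5, 20 bytes for SHA-1)."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("RFC 3414 USM defines only HMAC-MD5-96 and HMAC-SHA-96")
    return localize_key(password_to_ku(password, algorithm), engine_id, algorithm)


def usm_keys_for_level(level: str, engine_id: bytes,
                       auth_password: Optional[bytes] = None,
                       priv_password: Optional[bytes] = None,
                       algorithm: str = "md5") -> Dict[str, bytes]:
    """Which localized keys a user at a given security level needs.
    noAuthNoPriv: none; only the username is checked (comparable to a community string).
    authNoPriv:   an authentication key, used for an HMAC over every message.
    authPriv:     authentication key plus a privacy key; DES (RFC 3414 8.1.1.1) and
                  AES-128 (RFC 3826 3.1.2.1) both take the first 16 bytes of the
                  localized privacy key."""
    if level not in SECURITY_LEVELS:
        raise ValueError(f"unknown security level {level!r}")
    keys: Dict[str, bytes] = {}
    if level in ("authNoPriv", "authPriv"):
        if auth_password is None:
            raise ValueError(f"{level} requires an authentication password")
        keys["auth_key"] = password_to_key(auth_password, engine_id, algorithm)
    if level == "authPriv":
        if priv_password is None:
            raise ValueError("authPriv requires a privacy password")
        # The privacy password is localized with the *authentication* hash algorithm.
        keys["priv_key"] = password_to_key(priv_password, engine_id, algorithm)[:16]
    return keys


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 test engine ID
    print(password_to_key(b"maplesyrup", engine, "md5").hex())
    print(usm_keys_for_level("authPriv", engine, b"maplesyrup", b"maplesyrup", "sha1"))
```

The practical consequence for an operator: noAuthNoPriv gives no cryptographic protection at all, so it should be treated exactly like SNMPv2c with a community string; authNoPriv protects integrity and origin but the OIDs and values still travel in clear text; only authPriv hides the payload. Because the key is localized, an attacker who extracts a localized key from one device cannot reuse it on another device with a different engine ID, but a weak shared password still falls to offline guessing once one key is known.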
Hi guys, I passed with 930. Thank you everyone for your invaluable contributions: Gon Freecs, Chnuky, Chuck, SecGuy, scubasteve, RCV.
Hi everybody,
Passed with 965 just now. Thanks for the contributions and all the hard work!
Just passed!!! Thanks all for support!!!!
What is the right answer to this question? Is it A and C, or C and E?
Which two features does DNSSEC leverage for proper functionality? (Choose two.)
A. It uses TCP to ensure reliable delivery.
B. It uses UDP to reduce the DNS responses time.
C. It uses EDNS to manage the larger DNS packets it requires.
D. It uses UDP to minimize packet size.
E. It uses AD and DO inside UDP to reduce response time.
I failed it; lots of new questions that I haven’t seen in any of these materials. I was only sitting this one to renew my CCNP, which expires in a couple of weeks.
What other options do I have to easily renew my CCNP?
They are not supposed to change the questions on the last day. Is there any authentic news? Can anyone confirm? I will sit the exam in 2 hours.