Archive for April, 2008



Practice Questions for Exam 642-523 - Part 2

Thursday 24 April 2008 @ 11:39 am

Which three of these commands will show you the contents of flash memory on the Cisco ASA? (Choose three.)
A. dir
B. info flash
C. directory
D. show disk
E. flash
F. show flash
Answer: A,D,F

On a Cisco ASA adaptive security appliance, the administrator enters the boot config disk0:/startup.txt command. What will this command do when the system is rebooted?

A. It will copy the current config file to the startup.txt file on disk 0.
B. It will configure the Cisco ASA to boot using the startup.txt config file stored in flash memory.
C. It will do nothing until the file extension is changed to .cfg, at which time it will boot the startup.cfg config file.
D. It will configure the ASA to skip the hardware diagnostics and perform a warm boot of the startup.txt config file.
Answer: B

The administrator needs to know the command to enable command authorization. What is this command?
A. aaa authorization command LOCAL
B. aaa authorization permit any LOCAL
C. level-priv
D. passwd
E. None of the above
Answer: A

Which of the following statements regarding SSH and the PIX Firewall are valid? (Choose three.)
A. You must generate an RSA key pair for the PIX Firewall before SSH clients can connect to the PIX Firewall console.
B. You can use either an SSH version 1 or 2 client because the two versions are essentially the same and are entirely compatible.
C. The PIX Firewall supports the SSH remote functionality as provided in SSH version 1.
D. You must upgrade your DES activation key to 3DES.
E. The PIX Firewall allows up to 5 SSH clients to simultaneously access its console.
F. The PIX Firewall does not support SSH remote functionality as provided in SSH version 1.
Answer: A, C, E




Protecting the Telnet VTY Lines of Cisco Devices

Wednesday 23 April 2008 @ 7:07 am

Cisco routers usually have 5 VTY lines (VTY 0 to 4). An attacker can perform a Denial of Service attack by opening several simultaneous Telnet or SSH connections to the router, occupying all available lines and preventing legitimate administrators from managing the device.

To protect against this kind of attack, we can configure and apply an ACL on lines 0 to 3 that allows the general Network Management address range, and then configure a more restrictive ACL for the last VTY line (line 4) that allows only a specific management station to connect. That way one line is always reserved for a known-good station even if the others are exhausted.

Configuration Example:

! Allow access from the general Network Management range (assume the management network is 10.10.10.0/24)
! TCP port 22 is SSH
Router(config)# access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 22

! Allow access from a single management station only
Router(config)# access-list 101 permit tcp host 10.10.10.10 any eq 22

! Each access-list ends with an implicit deny, so every other source is refused on the lines it protects
Router(config)# line vty 0 3
Router(config-line)# access-class 100 in
Router(config-line)# exit
Router(config)# line vty 4
Router(config-line)# access-class 101 in
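An added example, not part of the original post and not a Cisco tool: a small Python audit that reads a saved running-config and reports which VTY lines have no inbound access-class, so the protection above can be verified across many routers. The sample configuration is constructed from the post's example and assumes a router with VTY lines 0 to 4.

```python
import re

# Constructed sample (assumption: a router with VTY lines 0-4), built from the
# configuration in the post above; 'transport input ssh' is added for realism.
SAMPLE_CONFIG = """\
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 22
access-list 101 permit tcp host 10.10.10.10 any eq 22
line vty 0 3
 access-class 100 in
 transport input ssh
line vty 4
 access-class 101 in
 transport input ssh
"""

LINE_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
ACL_RE = re.compile(r"^\s+access-class (\S+) in$")


def vty_access_classes(config, total_lines=5):
    """Map each VTY line number to the inbound access-class applied to it (None if none)."""
    result = {n: None for n in range(total_lines)}
    current = []  # VTY numbers covered by the 'line vty' block being read
    for raw in config.splitlines():
        line = raw.rstrip()
        m = LINE_RE.match(line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = list(range(first, last + 1))
            continue
        if line and not line.startswith(" "):
            current = []  # any other top-level command ends the line block
            continue
        m = ACL_RE.match(line)
        if m:
            for n in current:
                if n in result:
                    result[n] = m.group(1)
    return result


def unprotected_vty_lines(config, total_lines=5):
    """VTY lines with no inbound access-class, i.e. reachable from any source address."""
    return [n for n, acl in vty_access_classes(config, total_lines).items() if acl is None]
```

Run it over the output of "show running-config" saved to a file; an empty list from unprotected_vty_lines means every line is filtered.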




Packet capture and sniffing using the Cisco ASA Firewall

Thursday 17 April 2008 @ 7:26 am

Starting with Cisco ASA software version 7.2(1), you can capture detailed information about packets traversing the firewall, for analysis and for troubleshooting problems.

To enable packet tracing capabilities for packet sniffing and network fault isolation, use the packet-tracer command. To disable packet capture capabilities, use the no form of this command.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

no packet-tracer

In addition to capturing packets, it is possible to trace the lifespan of a packet through the security appliance to see if it is behaving as expected. The packet-tracer command lets you do the following:

  • Debug all packet drops in a production network.
  • Verify the configuration is working as intended.
  • Show all rules applicable to a packet along with the CLI lines which caused the rule addition.
  • Show a time line of packet changes in a data path.
  • Inject tracer packets into the data path.

The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance. In the instance that a command from the configuration did not cause the packet to drop, the packet-tracer command will provide information about the cause in an easily readable manner. For example, if a packet was dropped because it failed header validation, a message is displayed that says, “packet dropped due to bad ip header (reason).”

Examples
To enable packet tracing from inside host 10.2.25.3 to external host 209.165.202.158 with detailed information, enter the following:

hostname# packet-tracer input inside tcp 10.2.25.3 www 209.165.202.158 aol detailed
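An added example, not part of the original post and not Cisco code: a Python parser that walks the phases printed by packet-tracer and reports the first phase that dropped the packet together with the CLI lines that produced the rule. The sample output is constructed to follow the general shape of packet-tracer output (numbered phases, then a final Result block) and was not captured from a real appliance.

```python
import re

# Constructed sample (not captured from a real ASA): it follows the general shape of
# "packet-tracer ... detailed" output, numbered phases followed by a final Result block.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp any any eq www
Additional Information:

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split the output into its phases plus the final Action and Drop-reason values."""
    body, _, summary = text.partition("\nResult:\n")  # phases use 'Result: ALLOW|DROP'
    phases = []
    for chunk in re.split(r"(?m)^Phase: ", body)[1:]:
        lines = chunk.splitlines()
        phase, section = {"phase": int(lines[0]), "config": []}, None
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep and key in ("Type", "Subtype", "Result"):
                phase[key.lower()], section = value.strip(), None
            elif line in ("Config:", "Additional Information:"):
                section = line[:-1].lower()
            elif section == "config" and line.strip():
                phase["config"].append(line)  # the CLI lines that produced this rule
        phases.append(phase)
    final = dict(l.split(": ", 1) for l in summary.splitlines() if ": " in l)
    return {"phases": phases, "action": final.get("Action"), "drop_reason": final.get("Drop-reason")}

def first_drop(text):
    """Return (phase number, type, config lines) for the first phase that dropped the packet."""
    for phase in parse_packet_tracer(text)["phases"]:
        if phase.get("result") == "DROP":
            return phase["phase"], phase["type"], phase["config"]
    return None
```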




Cisco VPN Client Setup

Wednesday 9 April 2008 @ 4:13 pm

A Remote Access VPN (Virtual Private Network) is a connection technology that provides a secure and confidential connection for remote users to internal company resources across the Internet. The remote company user needs VPN client software (e.g. the Cisco VPN client) installed on his/her laptop plus a normal Internet connection (dial-up, broadband ADSL, Wi-Fi hotspot, etc.). Since traffic from the remote user passes through the untrusted Internet, it has to be encrypted to keep the data confidential. To achieve confidentiality, the IPSEC protocol is used to encrypt and secure the user data.
The Cisco VPN client is the most popular software used to provide remote access connectivity to the corporate home network.

[Figure: cisco vpn client]

The figure above shows a basic setup for a remote employee using the Cisco VPN client to connect securely over the Internet to his corporate network. First, the remote user connects to his public Internet Service Provider. Next, the user starts the Cisco VPN client installed on his laptop and initiates a VPN connection to the company VPN server. This can be a Cisco firewall (PIX or ASA), a Cisco VPN concentrator, or a Cisco router with IPSEC software. Once the VPN connection has been established, the remote VPN user can communicate with internal company servers and resources just as if the laptop were a local host.



