If the Cisco ASA 1000V has too few licenses, what is its behavior?
A.
It drops all traffic.
B.
It drops all outside-to-inside packets.
C.
It drops all inside-to-outside packets.
—D. It passes the first outside-to-inside packet and drops all remaining packets.
Answer is D
1
0
how this will be the behaviour? if ASA allow traffic by default from inside to outside and if the packet came back as response check the ACL and the table sessionsand then goes to deny. The asnwer D specified the packet coming from outside where security level is lower. so first how this will be allow. even when license remaining. ?
0
0
oh i got the answer
Licensing Enforcement for the ASA 1000V
The Nexus 1000V Virtual Service Module (VSM) requires a license that controls the number of CPU sockets on each Virtual Ethernet Module (VEM) used for the ASA 1000V. If the VSM does not have enough licenses, and you deploy an ASA 1000V without license support, then traffic is not allowed to pass through the ASA 1000V. This means the following:
•For traffic passing from inside to outside, traffic never reaches the ASA 1000V. See syslog 4450002 for more information.
•For traffic passing from outside to inside, the ASA 1000V allows the initial packet to pass through, but the vPath module on the Nexus 1000V rejects the packet, and the ASA 1000V deletes the flow. See syslog 4450002 for more information.
0
0
that means answer is A
0
0
Not really, as it says the packet never reaches the ASA 1000v when coming from inside, so the ASA wont drop it as stated in A.
0
0
Cisco New Released Exam 300-206 exam questions are now can be downloaded! All questions and answers are the latest! 100% exam pass guarantee! Get this IT exam certification in a short time!
QUESTION 201
Refer to the exhibit. Which statement about this access list is true?
A. This access list does not work without 6to4 NAT
B. IPv6 to IPv4 traffic permitted on the Cisco ASA by default
C. This access list is valid and works without additional configuration
D. This access list is not valid and does not work at all
E. We can pass only IPv6 to IPv6 and IPv4 to IPv4 traffic
Answer: A
Explanation:
ASA 9.0(1) code introduced the Unified ACL for IPv4 and IPv6. ACLs now support IPv4 and IPv6 addresses. You can even specify a mix of IPv4 and IPv6 addresses for the source and destination. The any keyword was changed to represent IPv4 and IPv6 traffic. The any4 and any6 keywords were added to represent IPv4-only and IPv6-only traffic, respectively. The IPv6-specific ACLs are deprecated. Existing IPv6 ACLs are migrated to extended ACLs.
QUESTION 202
Which option must be configured on a transparent Cisco ASA adaptive security appliance for it to be managed over Layer 3 networks?
A. Static routes
B. Routed interface
C. Security context
D. BVI
Answer: D
QUESTION 203
Which statement about Dynamic ARP Inspection is true ?
A. In a typical network, you make all ports as trusted expect for the ports connection to switches , which are untrusted
B. DAI associates a trust state with each switch
C. DAI determines the validity of an ARP packet based on valid IP to MAC address binding from the DHCP snooping database
D. DAI intercepts all ARP requests and responses on trusted ports only
E. DAI cannot drop invalid ARP packets
Answer: C
QUESTION 204
Which command is the first that you enter to check whether or not ASDM is installed on the ASA?
A. Show ip
B. Show running-config asdm
C. Show running-config boot
D. Show version
E. Show route
Answer: B
QUESTION 205
Which option is the Cisco ASA on-box graphical management solution?
A. SSH
B. ASDM
C. Console
D. CSM
Answer: B
QUESTION 206
Which action is needed to set up SSH on the Cisco ASA firewall?
A. Create an ACL to aloew the SSH traffic to the Cisco ASA.
B. Configure DHCP for the client that will connect via SSH.
C. Generate a crypto key
D. Specify the SSH version level as either 1 or 2.
E. Enable the HTTP server to allow authentication.
Answer: C
QUESTION 207
At which layer does MACsecprovide encryption?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
Answer: B
QUESTION 208
Which command is used to disable Cisco Discovery Protocol globally on a router?
A. Cdp disable
B. No cdp enable
C. No cdp
D. No cdp run
Answer: D
QUESTION 209
……
I have uploaded all the real questions of 300-206 exam to my Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDQ0xqNGttYzZGYk0
Welcome to download them freely!
0
0
D is almost the correct answer. The problem is, that the terms “reject” and “drop” are wrong or confusing in this context.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa87/asdm67/configuration_guide/asa_67_asdm_config/intro_intro.html#13342
For me is the meaning of “drop” similar to “deny”:
http://www.informit.com/articles/article.aspx?p=2303307&seqNum=3
0
0