Vendor: Juniper
Exam Code: JN0-633
Exam Name: Security, Professional (JNCIP-SEC)
QUESTION 1
Click the Exhibit button.
user@host# run show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 00:05:06
                    > to 172.16.1.1 via ge-0/0/1.0
172.16.1.0/24      *[Direct/0] 00:05:06
                    > via ge-0/0/1.0
172.16.1.3/32      *[Local/0] 00:05:07
                      Local via ge-0/0/1.0
192.168.200.2/32   *[Local/0] 00:05:07
                      Reject
vr-a.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.1.0/24     *[Direct/0] 00:01:05
                    > via ge-0/0/2.0
192.168.1.1/32     *[Local/0] 00:01:05
                      Local via ge-0/0/2.0
vr-b.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.1.0/24     *[Direct/0] 00:01:05
                    > via ge-0/0/3.0
192.168.1.1/32     *[Local/0] 00:01:05
                      Local via ge-0/0/3.0
User 1 will access Server 1 using IP address 10.2.1.1. You need to ensure that return traffic is able to reach User 1 from Server 1.
Exhibit:
A. [edit security nat static]
user@host# show
rule-set server-nat {
    from zone [ untrust ];
    rule 1 {
        match {
        }
        then {
            static-nat {
                prefix {
                    192.168.1.2/32;
                }
            }
        }
    }
}
B. [edit security nat static]
user@host# show
rule-set server-nat {
    from zone [ junos-host untrust ];
    rule 1 {
        match {
            destination-address 10.2.1.1/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.2/32;
                    routing-instance vr-b;
                }
            }
        }
    }
}
C. [edit security nat static]
user@host# show
rule-set server-nat {
    from zone untrust;
    rule 1 {
        match {
            destination-address 10.2.1.1/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.2/32;
                    routing-instance vr-a;
                }
            }
        }
    }
}
D. [edit security nat static]
user@host# show
rule-set in {
    from zone untrust;
    to zone cust-a;
    rule overload {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
Correct Answer: B
QUESTION 2
Your company provides managed services for two customers. Each customer has been segregated within its own routing instance on your SRX device. Customer A and customer B inform you that they need to be able to reach certain hosts on each other's network. Which two configuration settings would be used to share routes between these routing instances? (Choose two.)
A. routing-group
B. instance-import
C. import-rib
D. next-table
Correct Answer: BD
QUESTION 3
Click the Exhibit button.
forward all Web traffic to ISP1 and all other traffic to ISP2. However, your configuration is not producing the expected results.
Part of the configuration is shown in the exhibit. When you run the show route table isp1 command, you do not see the default route listed.
What is causing this behavior?
Exhibit:
A. The autonomous system number is incorrect, which is preventing the device from receiving a default route from ISP1.
B. The device is not able to resolve the next-hop.
C. The isp1 routing instance is configured with an incorrect instance-type.
D. The show route table isp1 command does not display the default route unless you add the exact 0.0.0.0/0 option.
Correct Answer: B
QUESTION 4
Click the Exhibit button.
In the exhibit, the SRX device has hosts connected to interface ge-0/0/1 and ge-0/0/6. The devices are not able to ping each other. What is causing this behavior?
A. The interfaces must be in trunk mode.
B. The interfaces need to be configured for Ethernet switching.
C. The default security policy does not apply to transparent mode.
D. A bridge domain has not been defined.
Correct Answer: D
QUESTION 5
user@key-server> show security group-vpn server ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
97      UP     bb224408940cc5d   435b9404284083c2  Main  192.168.11.1
98      UP     242c840089404d15  ab19284089408ba8  Main  192.168.11.2
user@key-server> show security group-vpn server ipsec security-associations
Group: group-1, Group Id:
  Total IPsec SAs: 1
  IPsec SA     Algorithm       SPI       Lifetime
  group-1-sa   ESP:3des/sha1   1343991c  2736
Group: group-2, Group Id: 2
  Total IPsec SAs: 1
  IPsec SA     Algorithm       SPI       Lifetime
  group-2-sa   ESP:3des/sha1   13be9e9   2741
Group: group-3, Group Id: 3
  Total IPsec SAs: 1
  IPsec SA     Algorithm       SPI       Lifetime
  group-3-sa   ESP:3des/sha1   20709057  2741
Group: group-4, Group Id: 4
  Total IPsec SAs: 1
  IPsec SA     Algorithm       SPI       Lifetime
  group-4-sa   ESP:3des/sha1   5111c2e1  2741
Which statement is correct regarding the outputs shown in the exhibit?
A. Two established peers are in the group VPNs.
B. One established peer is in the group VPNs.
C. No established peer is in the group VPNs.
D. Four established peers are in the group VPNs.
Correct Answer: A
QUESTION 6
You want requests from the same internal transport address to be mapped to the same external transport address. Only internal hosts can initialize the session. Which Junos configuration setting supports the requirements?
A. any-remote-host
B. target-host
C. source-host
D. address-persistent
Correct Answer: D
QUESTION 7
You are deploying a standalone SRX650 in transparent mode for evaluation purposes in a potential client's network. The client will need to access the device to modify security policies and perform other various configurations. Where would you configure a Layer 3 interface to meet this requirement?
A. fxp0.0
B. vlan.1
C. irb.1
Correct Answer: C
QUESTION 8
What is a benefit of using a group VPN?
A. It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.
B. It eliminates the need for point-to-point VPN tunnels.
C. It provides a way to grant VPN access on a per-user-group basis.
D. It simplifies IPsec access for remote clients.
Correct Answer: B
QUESTION 9
Your SRX device is performing NAT to provide an internal resource with a public address. Your DNS server is on the same network segment as the server. You want your internal hosts to be able to reach the internal resource using the DNS name of the resource.
How do you accomplish this goal?
A. Implement proxy ARP.
B. Implement NAT-Traversal.
C. Implement NAT hairpinning.
D. Implement persistent NAT.
Correct Answer: A
QUESTION 10
Which two configuration components are required for enabling transparent mode on an SRX device? (Choose two.)
A. IRB
B. bridge domain
C. interface family bridge
D. interface family ethernet-switching
QUESTION 11
Which two are required for the SRX device to perform DNS doctoring? (Choose two.)
A. DNS ALG
B. dns-doctoring stanza
C. name-server
D. static NAT
Correct Answer: AD
QUESTION 12
-- Exhibit -user@srx240
In the output, how many user-configured routing instances have active routes?
A. 1
B. 2
C. 3
D. 4