passguide 642-515 demo

December 19th, 2009

QUESTION: 22
Refer to the exhibit. You have been asked to verify the Cisco ASA security appliance interfaces that are used for a web connection from the Internet to a DMZ web server. Based on the Configuration > Device Setup > Interfaces pane that is shown, which two interfaces will a connection traverse when it is coming from the Internet and connecting to the web server with the IP address 172.16.20.10? (Choose two.)

A. GigabitEthernet0/0
B. GigabitEthernet0/1
C. GigabitEthernet0/2.10
D. GigabitEthernet0/2.20
E. GigabitEthernet0/2.30
F. Management0/0

Answer: A, D

QUESTION: 23
Refer to the exhibit. Based on the Configuration > Device Setup > Interfaces pane that is shown, what is the model number of this Cisco ASA security appliance?
***Exhibit Missing***

A. Cisco ASA 5505 Adaptive Security Appliance
B. Cisco ASA 5510 Adaptive Security Appliance
C. Cisco ASA 5520 Adaptive Security Appliance
D. Cisco ASA 5540 Adaptive Security Appliance
E. Cisco ASA 5550 Adaptive Security Appliance
F. Cisco ASA 5580 Adaptive Security Appliance

Answer: A

QUESTION: 24
Refer to the exhibit. You are reviewing the configuration of the clientssl SSL VPN connection profile, which was created by a junior administrator. In the clientssl profile, which authentication method is configured?

A. The Cisco ASA security appliance requires AAA authenticate to the external AAA server LOCAL if the remote user does not have an identity certificate for authentication.
B. The Cisco ASA security appliance accepts an identity certificate or a username and password for authentication of remote users, but not both.
C. The Cisco ASA security appliance requires a username and password if the remote user does not have an identity certificate for authentication.
D. The Cisco ASA security appliance requires both an identity certificate and username and password for authentication of remote users.

Answer: D

QUESTION: 25
You are the administrator of a Cisco ASA security appliance. Your management has asked you to configure the Cisco ASA security appliance, using Modular Policy Framework to block executables with the .exe file extension from being downloaded. Which regular expression must you create to match the .exe file extension?
A. .*\.[Ee][Xx][Ee.
B. .*.[Ee][Xx][Ee]
C. .+\.[Ee][Xx][Ee]
D. *.exe
E. +.exe
F. .+.[Ee][Xx][Ee]

Answer: C

QUESTION: 26
Which of these commands causes the Cisco CSC-SSM to load a new software image from a remote TFTP server, via the CLI?

A. hw module 1 recover boot
B. hw module 1 recover config
C. hw module 1 recover reload
D. copy tftp hardware:module1

Answer: A

QUESTION: 27
Refer to the exhibit. The HTTP inspection map named MY_HTTP_MAP is applied to the outside interface of the security appliance. As a result of this configuration, which action does the security appliance take on HTTP traffic entering its outside interface? NOTE: The CLI version of this configuration is provided here.
regex URL_ABC ".+abc\.com"
regex URL_DEF ".+def\.com"
regex URL_XYZ ".+xyz\.com"
. . .
class-map OUTSIDE_CLASS
 match any
class-map type regex match-any URLs
 match regex URL_ABC
 match regex URL_XYZ
class-map type inspect http match-all RESTRICTED_HTTP
 match request body length gt 1000
 match not request uri regex class URLs
. . .
policy-map type inspect http MY_HTTP_MAP
 parameters
  protocol-violation action drop-connection
 class RESTRICTED_HTTP
  drop-connection
policy-map OUTSIDE_POLICY
 class OUTSIDE_CLASS
  inspect http MY_HTTP_MAP
. . .
service-policy OUTSIDE_POLICY interface outside

A. Drops any HTTP packet that is destined for def.com and has a header length greater than 1000 bytes
B. Drops any HTTP packet destined for abc.com that has a header length greater than 1000 bytes
C. Drops any HTTP request for xyz.com that has a body length greater than 1000 bytes
D. Drops any HTTP request for def.com that has a body length greater than 1000 bytes
E. Drops any HTTP packet that is destined for abc.com or has a body length greater than 1000 bytes
F. Drops any HTTP request that is destined for xyz.com or has a header length greater than 1000 bytes

Answer: D

QUESTION: 28
Refer to the exhibit. You are the administrator of a Cisco ASA security appliance with a Cisco ASA CSC-SSM. You have upgraded the CSC-SSM with a new version of software. When the upgrade has finished, you issue the show module 1 detail command; the results of the command are shown in the exhibit. Why does the command output show that the status of the CSC-SSM is “Up” when it is not activated?

A. The software upgrade image has failed to load properly.
B. The software upgrade image is not the correct software image for the CSC-SSM.
C. The software upgrade image loaded successfully but the CSC-SSM has not had its license applied.
D. The CSC-SSM cannot communicate with the network and therefore cannot apply its configuration to network traffic.
E. The CSC-SSM is in the administrative down state and is waiting to be changed to the administrative up state.

Answer: C

QUESTION: 29
Refer to the exhibit. You installed a digital certificate for a Cisco VPN Client on a laptop for a user. Which reason explains why the certificate is in an “invalid:not active” state?

A. The user has not attempted a VPN connection to the Cisco ASA security appliance.
B. The time on the CA server and the time on the laptop are out of sync.
C. The user has not clicked the Verify button within the Cisco VPN Client.
D. The certificate passphrase must be sent to the CA for validation.
E. The certificate number of “0” indicates that the certificate has expired.

Answer: B

QUESTION: 30
Refer to the exhibit. You are the administrator of a new Cisco ASA security appliance with a Cisco ASA CSC-SSM. You are using the CSC Setup Wizard from within Cisco ASDM to configure the CSC-SSM for traffic selection. During the configuration of traffic selection, the CSC Setup Wizard asks If CSC card fails and provides two options. What will each of these options do if chosen? (Choose two.)

A. The Permit option allows traffic that is configured for CSC inspection to continue through the Cisco ASA security appliance, if the CSC card fails.
B. The Close option allows traffic that is configured for CSC inspection to bypass the CSC if the CSC card fails.
C. The Permit option allows the Cisco ASA security appliance to apply the CSC inspection configuration through the Cisco Modular Policy Framework, even if the CSC card fails.
D. The Close option does not allow traffic that is configured for CSC inspection to continue when the CSC card fails.
E. The Permit option allows traffic to continue to flow to the CSC for inspection, even when a hardware failure has been detected.
F. The Close option does not allow any traffic that is traversing the Cisco ASA security appliance to continue when the CSC card fails.

Answer: A, D

QUESTION: 31
Which three types of encapsulation does the Cisco ASA security appliance support for IPsec NAT transparency? (Choose three.)
A. L2TP over IPsec
B. IPsec over GRE
C. IPsec over TCP
D. IPsec over UDP
E. IPsec over PPTP
F. NAT-T

Answer: C, D, F

QUESTION: 32
Refer to the exhibit. The HTTP inspection map named HTTP_POLICY is applied to the partnernet interface of the security appliance. Which of these actions does the security appliance take as a result of its configuration for HTTP traffic that enters its partnernet interface?

A. Drops and logs HTTP request messages for which the request method is put or the request header host field contains either the string example1.com or the string example2.com
B. Drops and logs HTTP request messages for which the request method is put and the request header host field contains either the string example1.com or the string example2.com
C. Drops and logs HTTP request messages for which the request method is put and the request header host field contains the strings example1.com and example2.com
D. Drops and logs HTTP request messages for which the request method is put or the request header host field contains the strings example1.com and example2.com
E. Drops HTTP request messages for which the request method is put, and logs HTTP request messages for which the request header host field contains either the string example1.com or the string example2.com
F. Logs HTTP request messages for which the request method is put, and drops HTTP request messages for which the request header host field contains either the string example1.com or the string example2.com

Answer: B

QUESTION: 33
A recent network upgrade at a branch office has changed the network topology of the branch, and the site-to-site VPN tunnel that runs between the branch and the corporate office has been reconfigured to perform Reverse Route Injection to accommodate the recent change. You are running OSPF between the corporate Cisco ASA security appliance and routers on the internal network. Assuming that the VPN configuration is correct, which step do you need to perform on the corporate Cisco ASA security appliance to ensure that these new routes are visible to internal routers that are running OSPF?
A. Reverse Route Injection requires that you configure a new OSPF process that will add these routes to the Cisco ASA security appliance routing table.
B. Reverse route injection requires that you add a static route for each branch-office network to the Cisco ASA security appliance routing table.
C. Reverse Route Injection uses static routes, so you must configure OSPF to redistribute the static routes.
D. Reverse Route Injection uses RIP, so you must add a RIP process and redistribute the learned RIP routes into OSPF.
E. Reverse Route Injection uses EIGRP, so you must add an EIGRP process and redistribute the learned EIGRP routes into OSPF.

Answer: C

QUESTION: 34
Using a valid identity certificate from her certificate authority, an administrator of a Cisco ASA security appliance has used the IPsec VPN Wizard to create the necessary configuration for remote-access VPN tunnels. When she tests the remote-access VPN, the VPN tunnel does not come up. Assuming that the remote-access VPN configuration created by the wizard is correct and that valid certificates are being used by the Cisco ASA security appliance and Cisco VPN Client, which corrective action must be configured or corrected for the VPN tunnel to come up properly?
A. The IKE phase one configuration is not part of the IPsec VPN Wizard configuration and must be configured.
B. The IKE phase two configuration is not part of the IPsec VPN Wizard configuration and must be configured.
C. The crypto ACL configuration is not part of the IPsec VPN Wizard configuration and must be configured.
D. The mapping of digital certificates to connection profile is not part of the IPsec VPN Wizard configuration and must be configured.
E. NAT-Transparency configuration is not part of the IPsec VPN Wizard configuration and must be configured.

Answer: D

QUESTION: 35
You are configuring a Cisco ASA 5520 Adaptive Security Appliance as an Easy VPN hardware client. But from within Cisco ASDM, you cannot find the Easy VPN Remote configuration option within the Remote Access VPN menu. Why would you not be able to find this configuration option within Cisco ASDM on the ASA 5520 Adaptive Security Appliance?
A. The version of Cisco ASDM software loaded on the Cisco ASA security appliance does not support the Easy VPN feature.
B. The version of Cisco ASDM software loaded on the Cisco ASA security appliance is corrupt.
C. Only the Cisco ASA 5505 Adaptive Security Appliance can be an Easy VPN hardware client.
D. The Easy VPN feature with the BIOS of the ASA 5520 Adaptive Security Appliance was not enabled.

Answer: C

QUESTION: 36
Refer to the exhibit. You have been tasked to configure your Cisco ASA security appliance for port forwarding access to the internal e-mail server that is running POP3 (TCP port 110) and SMTP (TCP port 25). Which two configurations of the port forwarding list will allow remote users to access the internal email server through port forwarding? (Choose two.)

Answer: Pending

QUESTION: 37
You have configured Cisco Secure Desktop on your Cisco ASA security appliance. You need to configure Cisco Secure Desktop to perform Host Scan checks on the remote endpoint. Which three available Basic Host Scan checks can you configure? (Choose three.)
A. Registry
B. User rights
C. File
D. Groups
E. Process
F. Shares

Answer: A, C, E

QUESTION: 38
As the administrator of a Cisco ASA security appliance, you have been tasked to configure SSL VPNs to require digital certificates. Which four configuration options are available on the Cisco ASA security appliance for digital certificate management for SSL VPNs? (Choose four.)
A. The Cisco ASA security appliance can be configured to have a local CA that is subordinate to an external CA.
B. The subordinate local CA on the Cisco ASA security appliance can issue certificates to users who require a certificate for their SSL VPN connections.
C. The Cisco ASA security appliance can generate a self-signed certificate to be used as its identity certificate for SSL VPN connections.
D. The Cisco ASA security appliance can be configured to retrieve its identity certificate from an external CA.
E. The Cisco ASA security appliance can be configured as a standalone local CA.
F. The local CA on the Cisco ASA security appliance can issue certificates to users who require certificates for SSL VPN connections.
G. An external CA must be used for SSL VPN users who require certificates for their SSL VPN connections.
H. The Cisco ASA security appliance must be configured to retrieve its identity certificate from an external CA.

Answer: C, D, E, F

QUESTION: 39
Which two types of digital certificate enrollment processes are available for the Cisco ASA security appliance? (Choose two.)
A. LDAP
B. FTP
C. HTTP
D. SCEP
E. Manual
F. TFTP

Answer: D, E

QUESTION: 40
With Cisco ASA Adaptive Security Appliance Software Version 7.x and later, which IPsec standard is not supported on the Cisco ASA security appliance?
A. SHA-1
B. DES
C. MD5
D. ESP
E. AH
F. AES

Answer: E

QUESTION: 41
Refer to the exhibit. You have configured Telnet port forwarding to a specific server on the clientless SSL VPN portal. A clientless SSL VPN user has called to complain that after she starts the application helper, her attempts to establish a Telnet connection to 10.0.4.3 time out. Assuming that the clientless SSL VPN configuration is correct, which type of Telnet connection would you have the end user make?

A. To 10.0.4.3 on TCP port 2300
B. To 10.0.4.3 on TCP port 23
C. To 127.0.0.1 on TCP port 23
D. To 127.0.0.1 on TCP port 2300

Answer: D

QUESTION: 42
Refer to the exhibit. You are configuring a DAP for SSL VPN connections to your Cisco ASA security appliance. You add an Endpoint Attribute Type of “File” and select the Endpoint ID of “10,” based on the configuration that is shown. Within which area of the Cisco ASA security appliance configuration is this endpoint attribute defined?

A. DAP policy
B. SSL VPN group policy
C. SSL VPN connection profile
D. user-specific policy
E. Cisco Secure Desktop

Answer: E
