642-515

Securing Networks with ASA Advanced


QUESTION NO: 1
Which two statements correctly describe configuring active/active failover? (Choose two.)
A. You must assign contexts to failover groups from the admin context.
B. Both units must be in multiple mode.
C. You must configure two failover groups: group 1 and group 2.
D. You must use a crossover cable to connect the failover links on the two failover peers.
Answer: B,C
QUESTION NO: 2
Observe the following exhibit carefully. When TCP connections are tunneled over another TCP connection and latency exists between the two endpoints, each TCP session would trigger a retransmission, which can quickly spiral out of control when the latency issues persist. This issue is often called TCP-over-TCP meltdown. According to the presented Cisco ASDM configuration, which Cisco ASA security appliance configuration will most likely solve this problem?

A. Compression
B. MTU size of 500
C. Keepalive Messages
D. Datagram TLS

Answer: D


QUESTION NO: 3
The IT department of your company must run a custom-built TCP application through the clientless SSL VPN portal configured on your Cisco ASA security appliance. The application will be run by users who have either guest or normal user privileges. How should you configure the clientless SSL VPN portal to allow this application to run?
A. configure a smart tunnel for the application

B. configure a bookmark for the application
C. configure the plug-in that best fits the application
D. configure port forwarding for the application
Answer: A


QUESTION NO: 4
Refer to the following exhibit. When a host on the inside network attempts an HTTP connection to the host at IP address 172.26.10.100, which address pool will the Cisco ASA security appliance use for NAT?

A. 192.168.8.101 - 192.168.8.105
B. 192.168.8.20 - 192.168.8.100
C. 192.168.8.106 - 192.168.8.110
D. 192.168.8.20 - 192.168.8.110
Answer: B


QUESTION NO: 5
Study the following exhibit carefully. You are asked to configure the Cisco ASA security appliance with a connection profile and group policy for full network access SSL VPNs. During a test of the configuration using the Cisco AnyConnect VPN Client, the connection times out. While troubleshooting, you decide to make configuration changes. According to the provided Cisco ASDM configuration, which configuration change will you begin with?


A. Require a client certificate on the interface.
B. Enable an SSL VPN client type on the interface.
C. Enable DTLS on the interface.
D. Enable a different access port that doesn't conflict with Cisco ASDM.
Answer: B


QUESTION NO: 6
You are the network security administrator for the P4S company. You create an FTP inspection policy that includes the strict option and apply it to the outside interface of the corporate adaptive security appliance. How is FTP handled on the security appliance after this policy is applied? (Choose three.)
A. FTP inspection is applied to traffic entering the inside interface.
B. Strict FTP inspection is applied to traffic entering the outside interface.
C. FTP inspection is applied to traffic exiting the inside interface.
D. Strict FTP inspection is applied to traffic exiting the outside interface.
Answer: A,B,D
QUESTION NO: 7
Which three statements correctly describe protocol inspection on the Cisco ASA adaptive security appliance? (Choose three.)
A. The protocol inspection feature of the security appliance securely opens and closes negotiated ports and IP addresses for legitimate client-server connections through the security appliance.
B. For the security appliance to inspect packets for signs of malicious application misuse, you must enable advanced (application layer) protocol inspection.

C. If inspection for a protocol is not enabled, traffic for that protocol may be blocked.
D. If you want to enable inspection globally for a protocol that is not inspected by default or if you want to globally disable inspection for a protocol, you can edit the default global policy.
Answer: A,C,D

QUESTION NO: 8
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. After configuring port forwarding for a clientless SSL VPN connection, which end-user privilege level is required at the endpoint for port forwarding to work?
A. system level
B. guest level
C. user level
D. administrator level

Answer: D


QUESTION NO: 9
Which two methods can be used to decrease the amount of time it takes for an active Cisco ASA adaptive security appliance to fail over to its standby failover peer in an active/active failover configuration? (Choose two.)
A. decrease the interface failover poll time
B. decrease the unit failover poll time
C. use the special serial failover cable to connect the security appliances
D. use single mode
Answer: A,B
QUESTION NO: 10
Multimedia applications transmit requests on TCP, get responses on UDP or TCP, use dynamic ports, and use the same port for source and destination, so they can pose challenges to a firewall. Which three items are true about how the Cisco ASA adaptive security appliance handles multimedia applications? (Choose three.)
A. It dynamically opens and closes UDP ports for secure multimedia connections, so you do not need to open a large range of ports.

B. It supports SIP with NAT but not with PAT.
C. It supports multimedia with or without NAT.
D. It supports RTSP, H.323, Skinny, and CTIQBE.
Answer: A,C,D

QUESTION NO: 11
Which options can a clientless SSL VPN user access from a web browser without port forwarding, smart tunnels, or browser plug-ins?
A. web-enabled applications
B. Microsoft Outlook Web Access
C. files on the network, via FTP or the CIFS protocol
D. internal websites
Answer: A,B,C,D

QUESTION NO: 12
The Cisco ASA 5505 Adaptive Security Appliance is designed to provide high-performance security services. Study the following exhibit carefully. You are asked to configure a Cisco ASA 5505 Adaptive Security Appliance as an Easy VPN hardware client. When the telecommuter using the ASA 5505 Adaptive Security Appliance for remote access first tries to connect to resources on the corporate network, he is prompted for authentication. Which two group policy features will require authentication, even if a username and password are configured on the Easy VPN hardware client? (Select two.)


A. Individual User Authentication
B. Certificate Authentication
C. Secure Unit Authentication
D. Extended Authentication
Answer: A,C

QUESTION NO: 13
Study the following exhibit carefully. You work as the network administrator of a corporate Cisco ASA security appliance with a Cisco ASA AIP-SSM. You are asked to use the AIP-SSM to protect corporate DMZ web servers. The AIP-SSM has been configured, and a service policy has been configured to identify the traffic to be passed to the AIP-SSM.
On which two interfaces would application of the service policy for the AIP-SSM be most effective while causing the least amount of impact to Cisco ASA security appliance performance? (Choose two.)


A. dmz interface
B. outside interface
C. globally on all interfaces
D. Internet interface
Answer: A,B

QUESTION NO: 14
You work as the network administrator for your company. Now, you are asked to configure the Cisco ASA security appliance, using Modular Policy Framework to prevent executables with the .exe file extension from being downloaded. Which regular expression should be created to match the .exe file extension?
A. *.exe
B. .+\.[Ee][Xx][Ee]
C. .+.[Ee][Xx][Ee]
D. .*\.[Ee][Xx][Ee.

Answer: B
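The following Python script is an added example, not part of the exam page, that checks the candidate patterns from this question against constructed sample URIs. Python's re.search reproduces the unanchored, match-anywhere behaviour of a Cisco ASA regex object, so it is a convenient way to see why the unescaped dot in candidate C over-matches and why candidate A is not a valid regular expression at all. The extra candidate named B_anchored goes beyond the question: it is the same pattern with a trailing $ anchor, added here to show the false positive that the unanchored answer still produces on a name such as notes.executive.

```python
import re

# Added example (not from the exam page). Candidate patterns as written in
# the question, plus one anchored variant added for comparison.
CANDIDATES = {
    "A": r"*.exe",
    "B": r".+\.[Ee][Xx][Ee]",
    "C": r".+.[Ee][Xx][Ee]",
    "B_anchored": r".+\.[Ee][Xx][Ee]$",   # added: anchored at end of the URI
}

# Constructed sample request URIs with the verdict we want: True means
# "this is a .exe download and should be matched".
SAMPLES = [
    ("/downloads/setup.exe", True),
    ("/downloads/SETUP.EXE", True),
    ("/tools/run.Exe", True),
    ("/docs/readme_exe.txt", False),   # "exe" appears, but not as an extension
    ("/docs/notes.executive", False),  # ".exe" is a prefix of a longer extension
    ("/docs/index.html", False),
    (".exe", False),                   # no file name before the dot
]


def compile_candidate(letter):
    """Return the compiled pattern, or None when the pattern is not a valid regex."""
    try:
        return re.compile(CANDIDATES[letter])
    except re.error:
        return None


def matches(letter, uri):
    """Unanchored search, as an ASA regex object is applied to an inspected field."""
    pat = compile_candidate(letter)
    return pat is not None and pat.search(uri) is not None


def false_positives(letter):
    return [uri for uri, is_exe in SAMPLES if not is_exe and matches(letter, uri)]


def false_negatives(letter):
    return [uri for uri, is_exe in SAMPLES if is_exe and not matches(letter, uri)]


def score_all():
    """Map each candidate to (false positives, false negatives) over SAMPLES."""
    return {k: (false_positives(k), false_negatives(k)) for k in CANDIDATES}


if __name__ == "__main__":
    for letter, (fp, fn) in score_all().items():
        print(f"{letter:11s} false positives={fp} false negatives={fn}")
```

Candidate A fails to compile because a quantifier cannot appear first; candidate C matches readme_exe.txt because its unescaped dot accepts the underscore; candidate B is the intended answer but, being unanchored, also matches notes.executive. When the requirement is specifically the file extension, the anchored form is what a practitioner would deploy.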


QUESTION NO: 15
Which of the following commands causes the Cisco CSC-SSM to load a new software image from a remote TFTP server via the CLI?
A. hw module 1 recover reload
B. copy tftp hardware:module1
C. hw module 1 recover config
D. hw module 1 recover boot
Answer: D

QUESTION NO: 16


You work as a network administrator for your company. Study the exhibit carefully. ASDM is short for Adaptive Security Device Manager. You are responsible for multiple remote Cisco ASA security appliances administered through Cisco ASDM. Recently, you have been tasked to configure one of these Cisco ASA security appliances for SSL VPNs, and you are requiring a client certificate on the interface, as shown. How will this configuration affect your next ASDM connection to this Cisco ASA security appliance?

A. You would be asked to present an identity certificate. If you did not have one, the Cisco ASA security appliance would prompt you for authentication credentials, consisting of a username and password.
B. Your connection would be handled the way it is always handled by this Cisco ASA security appliance.
C. You would be required to have an identity certificate that the Cisco ASA security appliance can use for authentication.
D. You would be required to download the identity certificate of the remote Cisco ASA security appliance.
Answer: C


QUESTION NO: 17
You are a new employee of your company. Recently, you have been tasked to configure Cisco ASA security appliance for multiple VLANs that use one physical interface. The switch to which the physical Cisco ASA security appliance interface is connected should be configured for the appropriate VLAN tagging protocol. In order to achieve this goal, which VLAN tagging protocol will the Cisco ASA security appliance use to communicate with this switch?

A. ISL
B. IEEE 802.1Q
C. IEEE 802.1AE
D. IEEE 802.3
Answer: B


QUESTION NO: 18
In an active/active failover configuration, which event triggers failover at the failover group level?
A. The no failover active group group_id command is entered in the system configuration.
B. The no failover active command is entered in the system configuration.
C. The unit has a software failure.
D. Two monitored interfaces in the group fail.
Answer: A


QUESTION NO: 19
Cisco ASA 5500 Series Adaptive Security Appliances are easy-to-deploy solutions that integrate world-class firewall, Unified Communications (voice/video) security, SSL and IPsec VPN, intrusion prevention (IPS), and content security services in a flexible, modular product family. You are asked to configure a Cisco ASA 5505 Adaptive Security Appliance as an Easy VPN hardware client. In the process of configuration, you define a list of backup servers for the security appliance to use. After several hours of being connected to the primary VPN server, the connection to the primary server fails. You notice that your Easy VPN hardware client has now connected to a backup server that is not defined within the configuration of the client. Where did your Easy VPN hardware client get this backup server?


A. The backup servers that you listed were no longer available, so the Easy VPN hardware client used the list of backup servers that it retrieved from the primary server.
B. The connection profile that was configured on the primary VPN server was pushed to your Easy VPN hardware client and overwrote the list of backup servers that you had configured.
C. The backup servers that you listed were not configured as VPN servers, so the Easy VPN hardware client used the list of backup servers retrieved from the primary server.
D. The group policy that was configured on the primary VPN server was pushed to your Easy VPN client and overwrote the list of backup servers that you had configured.
Answer: D


QUESTION NO: 20
Refer to the exhibit. You have configured a Layer 7 policy map to match the size of HTTP header fields that are traversing the network. Based on this configuration, will HTTP headers that are greater than 200 bytes be logged?


A. No, because the reset action for headers greater than 100 bytes would be the first match.
B. Yes, because the log action for headers greater than 200 bytes would be the last match.
C. Yes, because the reset action for headers greater than 100 bytes and the log action for headers greater than 200 bytes would both be applied.
D. No, because reset or log actions are a part of the service policy and the Layer 7 policy map.
Answer: A


QUESTION NO: 21
Annie is a network administrator of her company. She is responsible for a Cisco ASA security appliance. Using a valid identity certificate from her certificate authority, she has created the necessary configuration for remote-access VPN tunnels by use of the IPsec VPN Wizard. When she tests the remote-access VPN, the VPN tunnel does not come up. If the remote-access VPN configuration created by the wizard is correct and valid certificates are being used by the Cisco ASA security appliance and Cisco VPN Client, which corrective action should be configured or corrected for the VPN tunnel to come up properly?
A. The IKE phase two configuration is not part of the IPsec VPN Wizard configuration and must be configured.
B. NAT-Transparency configuration is not part of the IPsec VPN Wizard configuration and must be configured.
C. The IKE phase one configuration is not part of the IPsec VPN Wizard configuration and must be configured.
D. The mapping of digital certificates to connection profiles is not part of the IPsec VPN Wizard configuration and must be configured.
Answer: D

QUESTION NO: 22


Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities. Study the following exhibit carefully. What does Reverse Route Injection enable in this configuration?

A. The Cisco ASA security appliance will advertise its default routes to the distant end of the site-to-site VPN tunnel.
B. The Cisco ASA security appliance will advertise routes that are at the distant end of the site-to-site VPN tunnel.
C. The Cisco ASA security appliance will advertise routes that are on its side of the site-to-site VPN tunnel to the distant end of the site-to-site VPN tunnel.
D. The Cisco ASA security appliance will advertise routes from the dynamic routing protocol that is running on the Cisco ASA security appliance to the distant end of the site-to-site VPN tunnel.
Answer: B


QUESTION NO: 23
Alex is tasked with installing a digital certificate for a Cisco VPN Client on a user's laptop. Why is the certificate in an "invalid: not active" state?


A. The certificate passphrase must be sent to the CA for validation.
B. The time on the CA server and the time on the laptop are out of sync.
C. The certificate number of "0" indicates that the certificate has expired.
D. The user has not clicked the Verify button within the Cisco VPN Client.
Answer: B


QUESTION NO: 24
You are a network engineer of your company. Recently, you have been tasked to configure Cisco ASA security appliance for EIGRP routing. Which two Cisco ASDM configurations will add these networks to the configuration of EIGRP according to the information displayed in the exhibit? (Choose two.)





A. Configuration 1
B. Configuration 2
C. Configuration 3
D. Configuration 4
E. Configuration 5
F. Configuration 6
Answer: A,E
QUESTION NO: 25

During a stateful active/standby failover, which two events will happen? (Choose two.)
A. The user authentication (uauth) table is passed to the standby unit.
B. The secondary unit inherits the IP addresses of the primary unit.
C. SIP signaling sessions are lost.
D. The standby unit becomes the active unit.
Answer: B,D
QUESTION NO: 26
Cisco Secure Desktop, an innovative feature found in Cisco's WebVPN solutions, can help organizations respond to government regulations for data protection by safeguarding the privacy and security of confidential information. After configuring Cisco Secure Desktop on your Cisco ASA security appliance, you should configure Cisco Secure Desktop to run Host Scan checks on the remote endpoint. Which three available Basic Host Scan checks can be configured? (Choose three.)
A. process
B. file
C. groups
D. registry
Answer: A,B,D

QUESTION NO: 27
Which two statements correctly describe the impact of this configuration? (Choose two.)

class-map INBOUND_HTTP_TRAFFIC
 match access-list TOINSIDEHOST
class-map OUTBOUND_HTTP_TRAFFIC
 match access-list TOOUTSIDEHOST
policy-map MYPOLICY
 class INBOUND_HTTP_TRAFFIC
  inspect http
  set connection conn-max 100
policy-map MYOTHERPOLICY
 class OUTBOUND_HTTP_TRAFFIC
  inspect http
service-policy MYOTHERPOLICY interface inside
service-policy MYPOLICY interface outside

A. Traffic that matches access control list TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.

B. Traffic that enters the security appliance through the inside interface is subject to HTTP inspection.
C. Traffic that enters the security appliance through the outside interface and matches access control list TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.
D. Traffic that enters the security appliance through the inside interface and matches access control list TOOUTSIDEHOST is subject to HTTP inspection.
Answer: C,D

QUESTION NO: 28
Modular Policy Framework provides a consistent and flexible way to configure security appliance features in a manner similar to Cisco IOS software QoS CLI. Which three Cisco Modular Policy Framework features are bidirectional? (Choose three.)
A. CSC policy
B. AIP policy
C. QoS priority queue
D. application inspection
Answer: A,B,D

QUESTION NO: 29
Which three encapsulation types will be supported by the Cisco ASA security appliance for IPsec NAT transparency? (Choose three.)
A. NAT-T
B. IPsec over TCP
C. IPsec over UDP
D. IPsec over PPTP
Answer: A,B,C

QUESTION NO: 30
Which two statements are correct about the threat detection feature of the Cisco ASA adaptive security appliance? (Choose two.)

A. The security appliance scanning threat detection feature is based on traffic signatures.
B. The threat detection feature can help you determine the level of severity for packets that are detected and dropped by the security appliance inspection engines.
C. Because of their impact on performance, both basic threat detection and scanning threat detection are disabled by default.
D. Scanning threat detection detects network sweeps and scans and optionally takes appropriate preventative action.
Answer: B,D

QUESTION NO: 31
Which two of the following internal channels can be used for communication between the Cisco ASA AIP-SSM and the Cisco ASA security appliance? (Choose two.)
A. control channel
B. promiscuous channel
C. inline channel
D. data channel
Answer: A,D

QUESTION NO: 32
For creating and configuring a security context, which three tasks are mandatory? (Choose three.)
A. allocating interfaces to the context
B. assigning MAC addresses to context interfaces
C. specifying the location of the context startup configuration
D. creating a context name
Answer: A,C,D

QUESTION NO: 33
For configuring VLAN trunking on a security appliance interface, which three actions are mandatory? (Choose three.)
A. associating a logical interface with a physical interface
B. specifying a VLAN ID for a subinterface
C. specifying a name for a subinterface
D. specifying the maximum transmission unit for a subinterface
Answer: A,B,C

QUESTION NO: 34
Which three features can the Cisco ASA adaptive security appliance support? (Choose three.)
A. 802.1Q VLANs
B. OSPF dynamic routing
C. static routes
D. BGP dynamic routing
Answer: A,B,C

QUESTION NO: 35
Modular Policy Framework provides a consistent and flexible way to configure security appliance features in a manner similar to Cisco IOS software QoS CLI. Your company asked you to examine the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).
Which two impacts does the policy map named PARTNERNET-POLICY have on FTP traffic entering the partnernet interface? (Choose two.)



A. Prevents all users except "root" from accessing the path /root.
B. Logs all attempts to download files from the FTP server on the inside interface.
C. Blocks the FTP request commands DELE, MKD, PUT, RMD, RNFR, and RNTO.
D. Resets connections that send embedded commands.
Answer: C,D

QUESTION NO: 36
What is the reason that you want to configure VLANs on a security appliance interface?
A. for use in multiple context mode, where you can map only VLAN interfaces to contexts
B. for use in conjunction with device-level failover to increase the reliability of your security appliance
C. to increase the number of interfaces available to the network without adding additional physical interfaces or security appliances
D. for use in transparent firewall mode, where only VLAN interfaces are used

Answer: C


QUESTION NO: 37
You are the network administrator for your company. Study the exhibit carefully. You are responsible for a Cisco ASA security appliance configured with a local CA. According to the exhibit below, what will the user student1 use this password for?


A. retrieval of the digital certificate from the local CA on the Cisco ASA security appliance
B. authentication to the SSL VPN server
C. retrieval of the Cisco ASA security appliance identity certificate
D. the initial authentication to the SSL VPN server
Answer: A


QUESTION NO: 38
Modular Policy Framework provides a consistent and flexible way to configure security appliance features in a manner similar to Cisco IOS software QoS CLI. Your company asked you to examine the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).
Which two actions does the Cisco Adaptive Security Appliance take on HTTP traffic entering its outside interface? (Choose two.)



A. Drops HTTP request messages whose request method is post and whose user-agent field contains either the string Some_New_P2P_Client1 or the string Some_New_P2P_Client2.
B. Forwards all HTTP request messages that are permitted by access control lists (ACLs) on the outside interface.
C. Logs HTTP request messages whose request method is post and whose user-agent field contains either the string Some_New_P2P_Client1 or the string Some_New_P2P_Client2.
D. Drops HTTP request messages whose user-agent field contains the string Some_New_P2P_Client1 and the string Some_New_P2P_Client2.
Answer: A,C
QUESTION NO: 39
While setting up a remote access VPN, which three items does the Cisco ASDM IPsec VPN Wizard require you to configure? (Choose three.)
A. tunnel group name
B. a pool of addresses to be assigned to remote users
C. IPsec encryption and authentication parameters
D. peer IP address
Answer: A,B,C
QUESTION NO: 40

On the basis of the Configuration > Device Setup > Interfaces pane displayed in the following exhibit, which is the model number of this Cisco ASA security appliance?

A. Cisco ASA 5505 Adaptive Security Appliance
B. Cisco ASA 5550 Adaptive Security Appliance
C. Cisco ASA 5580 Adaptive Security Appliance
D. Cisco ASA 5540 Adaptive Security Appliance

Answer: A


QUESTION NO: 41
Which three items are main components of Cisco Modular Policy Framework? (Choose three.)
A. traffic policy
B. policy map
C. class map
D. service policy
Answer: B,C,D
QUESTION NO: 42

Study the exhibit carefully. The HTTP inspection map named HTTP_POLICY is applied to the partnernet interface of the security appliance. As a result of this configuration, which action will the security appliance take on HTTP traffic that enters its partnernet interface?

A. drops HTTP request messages for which the request method is put, and logs HTTP request messages for which the request header host field contains either the string example1.com or the string example2.com
B. logs HTTP request messages for which the request method is put, and drops HTTP request messages for which the request header host field contains either the string example1.com or the string example2.com
C. drops and logs HTTP request messages for which the request method is put or the request header host field contains the strings example1.com and example2.com
D. drops and logs HTTP request messages for which the request method is put and the request header host field contains either the string example1.com or the string example2.com
Answer: D


QUESTION NO: 43
DAP is short for Dynamic Access Policies. You are configuring a DAP for SSL VPN connections to your Cisco ASA security appliance. You add an Endpoint Attribute Type of "File" and select the Endpoint ID of "10," according to the presented configuration. Within which area of the Cisco ASA security appliance configuration is this endpoint attribute defined?


A. SSL VPN connection profile
B. SSL VPN group policy
C. user-specific policy
D. Cisco Secure Desktop
Answer: D


QUESTION NO: 44
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. SSL VPNs can provide increased flexibility over IPsec VPNs, on the basis of the location of the client and ownership of the endpoint. But, security of the endpoint is a potential problem. Which three potential security issues could the Cisco ASA security appliance address through SSL VPN policies or features? (Select three.)
A. phishing
B. spyware
C. viruses
D. malware
Answer: B,C,D
QUESTION NO: 45
While implementing QoS, which two types of queues are available on the Cisco ASA security appliance? (Choose two.)

A. best effort queue
B. round robin queue
C. weighted fair
D. low latency queue
Answer: A,D

QUESTION NO: 46
The following exhibit shows a Cisco ASA security appliance configured to participate in a VPN cluster. According to the exhibit, to which value will you set the priority to increase the chances of this Cisco ASA security appliance becoming the cluster master?

A. 10
B. 100
C. 0
D. 1

Answer: A


QUESTION NO: 47
Based on the following information, the HTTP inspection map named MY_HTTP_MAP is applied to the outside interface of the security appliance. As a result of this configuration, which action will the security appliance take on HTTP traffic entering its outside interface?

NOTE: The CLI version of this configuration is provided here.

regex URL_ABC ".+abc\.com"
regex URL_DEF ".+def\.com"
regex URL_XYZ ".+xyz\.com"
. . .
class-map OUTSIDE_CLASS
 match any
class-map type regex match-any URLs
 match regex URL_ABC
 match regex URL_XYZ
class-map type inspect http match-all RESTRICTED_HTTP
 match request body length gt 1000
 match not request uri regex class URLs
. . .
policy-map type inspect http MY_HTTP_MAP
 parameters
  protocol-violation action drop-connection
 class RESTRICTED_HTTP
  drop-connection
policy-map OUTSIDE_POLICY
 class OUTSIDE_CLASS
  inspect http MY_HTTP_MAP
. . .
service-policy OUTSIDE_POLICY interface outside

A. drops any HTTP request that is destined for xyz.com or has a header length greater than 1000 bytes


B. drops any HTTP request for def.com that has a body length greater than 1000 bytes
C. drops any HTTP packet that is destined for def.com and has a header length greater than 1000 bytes
D. drops any HTTP packet that is destined for abc.com or has a body length greater than 1000 bytes
Answer: B
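The following Python script is an added example, not part of the exam page, that models the decision the RESTRICTED_HTTP inspect class makes for a set of constructed HTTP requests. It encodes the three regex objects, the match-any regex class (which references only URL_ABC and URL_XYZ; URL_DEF is defined but never used), the match-all inspect class with its negated URI criterion, and the drop-connection action. The protocol-violation parameter and the surrounding service policy are not modelled; the request URIs and body lengths are constructed for the example.

```python
import re

# Added example (not from the exam page): evaluates the RESTRICTED_HTTP
# class from the question's configuration against constructed requests.

# The three regex objects from the configuration. An ASA regex is an
# unanchored search, which re.search reproduces.
REGEXES = {
    "URL_ABC": re.compile(r".+abc\.com"),
    "URL_DEF": re.compile(r".+def\.com"),
    "URL_XYZ": re.compile(r".+xyz\.com"),
}

# class-map type regex match-any URLs: only these two regexes are members.
URLS_CLASS = ("URL_ABC", "URL_XYZ")


def uri_in_urls_class(uri: str) -> bool:
    """match-any: true when any member regex matches somewhere in the URI."""
    return any(REGEXES[name].search(uri) for name in URLS_CLASS)


def restricted_http_matches(uri: str, body_length: int) -> bool:
    """class-map type inspect http match-all RESTRICTED_HTTP.

    Both criteria must hold for the class to match:
      match request body length gt 1000
      match not request uri regex class URLs
    """
    return body_length > 1000 and not uri_in_urls_class(uri)


def my_http_map_action(uri: str, body_length: int) -> str:
    """policy-map type inspect http MY_HTTP_MAP: drop-connection on a class
    match, otherwise let the request through."""
    return "drop-connection" if restricted_http_matches(uri, body_length) else "pass"


# Constructed sample requests: (description, request URI, body length in bytes)
SAMPLE_REQUESTS = [
    ("def.com, large body", "http://www.def.com/upload", 2048),
    ("def.com, small body", "http://www.def.com/upload", 512),
    ("def.com, body exactly 1000", "http://www.def.com/upload", 1000),
    ("abc.com, large body", "http://www.abc.com/upload", 2048),
    ("xyz.com, large body", "http://www.xyz.com/upload", 2048),
    ("unrelated host, large body", "http://files.example.net/upload", 2048),
    ("abc.com in query string only", "http://files.example.net/get?ref=abc.com", 2048),
]


def evaluate_samples() -> dict:
    """Map each sample description to the action MY_HTTP_MAP would take."""
    return {desc: my_http_map_action(uri, n) for desc, uri, n in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for desc, action in evaluate_samples().items():
        print(f"{desc:32s} -> {action}")
```

Only requests whose body exceeds 1000 bytes and whose URI matches neither abc.com nor xyz.com are dropped, which is why a large def.com request is reset while the same request to abc.com or xyz.com passes. The last sample shows the cost of an unanchored substring regex: a request to an unrelated host whose query string merely contains abc.com is exempted from the restriction.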


QUESTION NO: 48
In your company, you are responsible for administering a Cisco ASA security appliance with a Cisco ASA CSC-SSM. You upgrade the CSC-SSM to a new version of software. After finishing the upgrade, you issue the show module 1 detail command. The following exhibit displays the results of this command. Why is the status of the CSC-SSM "Up" when it is not activated?


A. The software upgrade image has failed to load properly.
B. The CSC-SSM cannot communicate with the network and therefore cannot apply its configuration to network traffic.
C. The CSC-SSM is in the administrative down state and is waiting to be changed to the administrative up state.
D. The software upgrade image loaded successfully but the CSC-SSM has not had its license applied.
Answer: D


QUESTION NO: 49
You work as a network administrator for your company. You are in charge of a Cisco ASA security appliance for remote-access IPsec VPNs, and you are assisting a user who has a digital certificate configured for the Cisco VPN Client. Based on the following exhibit, how do you find the MD5 and SHA-1 thumbprint of the certificate?


A. Choose the certificate and then click the Certificate drop-down menu.
B. Choose the certificate and then click the Verify button.
C. Choose the certificate and then click Options > Properties.
D. Choose the certificate and then click the View button.
Answer: D


QUESTION NO: 50
Charles is a network administrator for his company. He has configured a Cisco ASA security appliance for SSL VPNs. According to the following exhibit, what will happen when the remote user has successfully authenticated?

A. The Cisco ASA security appliance will open the clientless SSL VPN portal if no Cisco AnyConnect VPN Client is installed on the remote system.
B. The Cisco ASA security appliance will push the Cisco AnyConnect VPN Client down to the remote system, install the client, and ask the user to authenticate again.
C. The Cisco ASA security appliance will wait indefinitely for the user to select clientless SSL VPN portal or an SSL VPN client to use for the SSL VPN connection.
D. The Cisco ASA security appliance will push the Cisco AnyConnect VPN Client down to the remote system, install the client, and use it to complete the SSL VPN connection.

Answer: D


QUESTION NO: 51
Which three types of information can be found in the syslog output of an adaptive security appliance? (Choose three.)
A. hostname of the packet sender
B. time stamp and date
C. message text
D. logging level
Answer: B,C,D
QUESTION NO: 52
Which two types of digital certificate enrollment processes are available for the Cisco ASA security appliance? (Choose two.)
A. HTTP
B. manual
C. FTP
D. SCEP
Answer: B,D

QUESTION NO: 53
Observe the exhibit carefully. You are asked to review the configuration of the clientless SSL VPN connection profile, which was created by a junior administrator. Which authentication method is configured in the clientless profile?

A. The Cisco ASA security appliance requires AAA authentication to the external AAA server LOCAL if the remote user does not have an identity certificate for authentication.

B. The Cisco ASA security appliance requires a username and password if the remote user does not have an identity certificate for authentication.
C. The Cisco ASA security appliance accepts an identity certificate or a username and password for authentication of remote users, but not both.
D. The Cisco ASA security appliance requires both an identity certificate and username and password for authentication of remote users.

Answer: D


QUESTION NO: 54
Study the following exhibit carefully. You have been tasked to administer a new Cisco ASA security appliance with a Cisco ASA CSC-SSM. You are using the CSC Setup Wizard from within Cisco ASDM to configure the CSC-SSM for traffic selection. During the configuration of traffic selection, the CSC Setup Wizard asks "If CSC card fails" and provides two options. What will each of these options do if chosen? (Choose two.)

A. The Close option does not allow any traffic that is traversing the Cisco ASA security appliance to continue when the CSC card fails.
B. The Close option does not allow traffic that is configured for CSC inspection to continue when the CSC card fails.
C. The Permit option allows traffic to continue to flow to the CSC for inspection, even when a hardware failure has been detected.
D. The Permit option allows traffic that is configured for CSC inspection to continue through the Cisco ASA security appliance, if the CSC card fails.
Answer: B,D
QUESTION NO: 55

You are the administrator for Cisco ASA security appliances that are used for site-to-site VPNs between remote and corporate offices. You have used the Service Policy Rule Wizard within ASDM to configure low-latency queuing for unified communications on all the appropriate ASAs. Users are still having issues with unified communications between the remote and corporate offices. Assuming that the Cisco Unified Communications equipment is functioning properly and that the VPN configurations are correct, which of these choices is most likely the cause of the problems?
A. The DSCP, expedite forward, ef (46), was used to determine unified communications traffic within the Service Policy Rule Wizard.
B. The tunnel group and DSCP traffic matching criteria were configured within the Service Policy Rule Wizard.
C. Both a policing and priority queue must be applied on the interface to expedite the voice and control data flows.
D. A priority queue must be created on the interface where the site-to-site VPN tunnel is terminated.

Answer: D


QUESTION NO: 56
The Cisco ASA 5520 Adaptive Security Appliance delivers a wide range of security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise networks, in a modular, high-performance appliance. You have configured a Cisco ASA 5520 Adaptive Security Appliance as an Easy VPN hardware client. But from within Cisco ASDM, you cannot find the Easy VPN Remote configuration option within the Remote Access VPN menu. What is the reason that you cannot find this configuration option within Cisco ASDM on the ASA 5520 Adaptive Security Appliance?
A. The Easy VPN feature with the BIOS of the ASA 5520 Adaptive Security Appliance was not enabled.
B. The version of Cisco ASDM software loaded on the Cisco ASA security appliance is corrupt.
C. The version of Cisco ASDM software loaded on the Cisco ASA security appliance does not support the Easy VPN feature.
D. Only the Cisco ASA 5505 Adaptive Security Appliance can be an Easy VPN hardware client.
Answer: D


QUESTION NO: 57
Study the exhibit below carefully. Apply the FTP inspection map named L7FTPPOLICY to the outside interface of the security appliance. Because of this configuration, which action will the security appliance take on FTP traffic entering its outside interface?

A. resets and logs connections from abc.com users when they attempt to retrieve files via FTP; resets all FTP connections from xyz.com users; resets any user connections that attempt to deliver files via FTP
B. resets and logs connections from abc.com users only when they attempt to retrieve files via FTP: resets connections from xyz.com users only when they attempt to deliver files via FTP
C. resets and logs connections from any user who attempts to retrieve files via FTP; resets connections from xyz.com users who attempt to deliver files via FTP
D. resets connections from abc.com and xyz.com users when they attempt to retrieve files via FTP; logs any user connections that attempt to deliver files via FTP
Answer: A


QUESTION NO: 58
The P4S security department would like to apply specific restrictions to one network user, Bob, because he works from home and accesses the corporate network from the outside interface of the security appliance. P4S decides to control network access for this user by using the downloadable ACL feature of the security appliance. Authentication of inbound traffic is already configured on the security appliance, and Bob already has a user account on the Cisco Secure ACS. Which three tasks should be completed in order to achieve the goal of limiting network access for Bob via downloadable ACLs? (Choose three.)

A. Configure the security appliance to use downloadable ACLs.
B. Configure the downloadable ACLs on the Cisco Secure ACS.
C. Attach the downloadable ACL to the user profile for Bob on the Cisco Secure ACS.
D. Configure the Cisco Secure ACS to use downloadable ACLs.
Answer: B,C,D


QUESTION NO: 59
Observe the exhibit below carefully. You have been tasked to configure the Cisco ASA security appliance as the hub in a hub-and-spoke site-to-site VPN. Which configuration can enable traffic to flow between spokes?



A. Configuration 1
B. Configuration 2
C. Configuration 3
D. Configuration 4
Answer: D


QUESTION NO: 60
Alexander is a network engineer at his company. He is asked to configure split tunneling to use the ACL split-tunnel for remote access IPsec VPNs. According to the exhibit below, which two Cisco ASDM configurations would tunnel traffic to the inside network and allow connected users to access their local network and the Internet? (Select two.)


A. Configuration 1
B. Configuration 2
C. Configuration 3
Answer: B,C

QUESTION NO: 61
Which three of these choices are potential groups of users for clientless SSL VPNs? (Choose three.)
A. partners who access specific internal applications from desktops and laptops that are not managed by IT
B. customers who use a customer service kiosk placed in a retail store
C. temporary or remote employees who only rarely need access to a few applications
D. employees who need access to a wide range of corporate applications
Answer: A,B,C

QUESTION NO: 62
Tom works as a network administrator for the P4S company. The primary adaptive security appliance in an active/standby failover configuration failed, so the secondary adaptive security appliance was automatically activated. Tom then fixed the problem. Now he would like to restore the primary to active status. Which one of the following commands, when issued on the primary adaptive security appliance, reactivates it and restores it to active status?
A. failover exec standby
B. failover reset
C. failover primary active
D. failover active

Answer: D


QUESTION NO: 63
The security department of the P4S company wants to configure cut-through proxy authentication via RADIUS to require users to authenticate before accessing the corporate DMZ servers. Which three tasks are needed to achieve this goal? (Choose three.)

A. Configure a rule that specifies which traffic flow to authenticate.
B. Designate an authentication server.
C. Specify a AAA server group.
D. Configure per-user override.
Answer: A,B,C


QUESTION NO: 64
Which two statements correctly describe the local user database in the security appliance? (Choose two.)
A. You can create user accounts with or without passwords in the local database.
B. You cannot use the local database for network access authentication.
C. You can configure the security appliance to lock a user out after the user meets a configured maximum number of failed authentication attempts.
D. The default privilege level for a new user is 15.
Answer: A,C

QUESTION NO: 65
John works as a network engineer for your company. Study the following exhibit carefully. John is asked to configure the Cisco ASA security appliance for port forwarding access to the internal e-mail server running POP3 (TCP port 110) and SMTP (TCP port 25). Which two configurations of the port forwarding list will allow remote users to access the internal e-mail server through port forwarding? (Choose two.)

A.
B.
Answer: A,B

QUESTION NO: 66
Modular Policy Framework provides a consistent and flexible way to configure security appliance features in a manner similar to the Cisco IOS software QoS CLI. Your company asked you to examine the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).
Which step will be taken by the Cisco Adaptive Security Appliance on FTP traffic entering its outside interface?

A. Masks the FTP greeting banner.
B. Translates embedded IP addresses.
C. Blocks the FTP request commands APPE, GET, RNFR, RNTO, DELE, MKD, and RMD.
D. Prevents all users except "root" from accessing the path /root.

Answer: B


QUESTION NO: 67
A Cisco ASA security appliance can obtain a certificate revocation list from a certificate authority in which three ways? (Choose three.)
A. TFTP
B. SCEP
C. LDAP
D. HTTP
Answer: B,C,D


QUESTION NO: 68
You work as a network engineer for your company. Recently, you have been tasked with verifying the Cisco ASA security appliance interfaces that are used for a web connection from the Internet to a DMZ web server. According to the presented Configuration > Device Setup > Interfaces pane, which two interfaces will a connection traverse when it is coming from the Internet and connecting to the web server with the IP address 172.16.20.10? (Choose two.)

A. GigabitEthernet0/2.30
B. Management0/0
C. GigabitEthernet0/2.20
D. GigabitEthernet0/0
Answer: C,D

QUESTION NO: 69
Refer to the exhibit. You are configuring a laptop with the Cisco VPN Client, which will use digital certificates for authentication. Which protocol will the Cisco VPN client use to retrieve the digital certificate from the CA server?

A. HTTPS
B. TFTP
C. LDAP
D. SCEP

Answer: D


QUESTION NO: 70
Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. With Cisco ASA Adaptive Security Appliance Software Version 7.x and later, which IPsec standard is not supported on the Cisco ASA security appliance?
A. AH
B. ESP
C. MD5
D. DES
Answer: A


QUESTION NO: 71
You work as a network administrator for your company and are responsible for a Cisco ASA security appliance. Recently, you have been asked to configure SSL VPNs to require digital certificates. Which four configuration options are available on the Cisco ASA security appliance for digital certificate management for SSL VPNs?
A. The Cisco ASA security appliance can be configured as a standalone local CA.
B. The Cisco ASA security appliance can generate a self-signed certificate to be used as its identity certificate for SSL VPN connections.
C. The local CA on the Cisco ASA security appliance can issue certificates to users who require certificates for SSL VPN connections.
D. The Cisco ASA security appliance can be configured to retrieve its identity certificate from an external CA.
Answer: A,B,C,D


QUESTION NO: 72
Recently, a branch office of your company has upgraded its network by changing the network topology of the branch, and the site-to-site VPN tunnel that runs between the branch and the corporate office has been reconfigured to perform Reverse Route Injection to accommodate the recent change. You are running OSPF between the corporate Cisco ASA security appliance and routers on the internal network. Assuming that the VPN configuration is correct, which step will be taken on the corporate Cisco ASA security appliance to make sure that these new routes are visible to internal routers running OSPF?
A. Reverse Route Injection uses RIP, so you must add a RIP process and redistribute the learned RIP routes into OSPF.
B. Reverse Route Injection requires that you configure a new OSPF process that will add these routes to the Cisco ASA security appliance routing table.
C. Reverse Route Injection uses static routes, so you must configure OSPF to redistribute the static routes.
D. Reverse Route Injection uses EIGRP, so you must add an EIGRP process and redistribute the learned EIGRP routes into OSPF.

Answer: C


QUESTION NO: 73
Which one of the following commands can provide detailed information about the crypto map configurations of a Cisco ASA adaptive security appliance?
A. show run ipsec sa
B. show run crypto map
C. show ipsec sa
D. show crypto map
Answer: B


QUESTION NO: 74
While using IPsec VPN tunnels, which primary benefit is provided by digital certificates?
A. scalability
B. obfuscation
C. resiliency
D. simplification
Answer: A


QUESTION NO: 75
Modular Policy Framework provides a consistent and flexible way to configure security appliance features in a manner similar to the Cisco IOS software QoS CLI. Your company asked you to examine the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).
Which option is correct with regard to HTTP inspection on the Cisco Adaptive Security Appliance?

A. HTTP traffic is inspected as it enters or exits the outside interface.
B. HTTP traffic is inspected only as it enters any interface.
C. Advanced HTTP inspection is applied to traffic entering the outside interface, and basic HTTP inspection is applied to traffic entering any interface.
D. HTTP traffic is inspected as it enters or exits any interface.
Answer: A


QUESTION NO: 76
You are the network administrator of your company. You would like to add the SSL VPN Cisco AnyConnect VPN Client for use by remote users. After checking the Cisco software download site, you discovered a number of different versions of the Cisco AnyConnect VPN Client Software available for download. If you know the Cisco ASA Adaptive Security Appliance Software version and the remote user's PC operating system, how do you determine the appropriate version of the Cisco AnyConnect VPN Client to download?

A. The version of Cisco AnyConnect VPN Client Software must only be compatible with the operating system.
B. Newer versions of the Cisco AnyConnect VPN Client Software are backward compatible with earlier versions.
C. The version of Cisco AnyConnect VPN Client Software and the compatible version of Cisco ASA Adaptive Security Appliance Software are based on release notes.
D. All versions of the Cisco AnyConnect VPN Client Software are compatible with all releases of Cisco ASA Adaptive Security Appliance Software.
Answer: C


QUESTION NO: 77
Which two statements are true about multiple context mode? (Choose two.)
A. Multiple context mode enables you to add to the security appliance a hardware module that supports up to four independent virtual firewalls.
B. Multiple context mode does not support IPS, IPsec, and SSL VPNs, or dynamic routing protocols.
C. When you convert from single mode to multiple mode, the security appliance automatically adds an entry for the admin context to the system configuration with the name "admin."
D. Multiple context mode enables you to create multiple independent virtual firewalls with their own security policies and interfaces.
Answer: C,D


QUESTION NO: 78
You are a senior Cisco ASA security appliance administrator. Now, a new employee of your company asks you to help configure a Cisco ASA security appliance for an identity certificate to be used for IPsec VPNs. Referring to the two Cisco ASDM configuration screens presented, which is a requirement for configuring the Cisco ASA security appliance for an identity certificate?


A. To retrieve an identity certificate, the Cisco ASA security appliance must have the certificate of the CA.
B. Because of the lack of a CA certificate, the administrator must import the identity certificate from a file.
C. To retrieve an identity certificate, the common name must be an FQDN.
D. The Cisco ASA security appliance doesn't need to retrieve an identity certificate. It can use a self-signed identity certificate for IPsec.

Answer: A


QUESTION NO: 79
Modular Policy Framework provides a consistent and flexible way to configure security appliance features in a manner similar to the Cisco IOS software QoS CLI. Your company asked you to examine the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).
What is the impact of the FTP inspection policy named MY-FTP-MAP on FTP traffic entering the partnernet interface?

A. Masks the FTP banner.
B. Tracks each FTP command and response sequence for certain anomalous activity.
C. Has no effect on the behavior of the Cisco Adaptive Security Appliance.
D. Prevents web browsers from sending embedded commands in FTP requests.
Answer: C


QUESTION NO: 80
You work as a network administrator for your company. Recently, you have been tasked to configure access for development partners by use of the clientless SSL VPN portal on your Cisco ASA security appliance. These partners want to access the desktop of internal development servers. Which three configurations for the clientless SSL VPN portal can achieve this goal? (Choose three.)

A. RDP bookmark using the RDP plug-in
B. Citrix plugin using the Citrix plug-in
C. VNC bookmark using the VNC plug-in
D. SSH bookmark using the SSH plug-in
Answer: A,B,C


QUESTION NO: 81
You work as a network administrator for your company. You are asked to edit a user-specific policy, and you have configured a group policy for Sales to use the IP address pool defined by the pool VPNPOOL and to allow as many as three simultaneous logins. According to the exhibit below, when this user connects, what IP address will be assigned to the connection and how many simultaneous logins will be allowed for this user? (Choose two.)

A. The user will be allowed to make as many as three simultaneous connections.
B. The user will receive an IP address from the address pool that is defined in the default group policy.
C. The user will be allowed to make only one connection.
D. The user will be assigned the IP address from the user-specific policy.
Answer: C,D

QUESTION NO: 82
You are the network security administrator for P4S Corporation. You are asked to configure active/standby failover using Cisco ASDM between two Cisco ASA adaptive security appliances at corporate headquarters. You deploy the Cisco ASDM High Availability and Scalability Wizard and feel confident that the configuration is correct on both security appliances. But the show failover command output indicates that one interface remains constantly in the waiting state and never normalizes. Which two troubleshooting steps should be taken? (Choose two.)

A. Verify that PortFast is enabled on any switch port that connects to the security appliances.
B. Verify that EtherChanneling is enabled on any switch port that connects to the security appliances.
C. Verify that the line and protocol of the interface are up on the primary and secondary security appliance interfaces.
D. Verify that the security appliances have the same feature licenses.
Answer: A,C

QUESTION NO: 83
Which three commands can display the contents of flash memory on the Cisco ASA adaptive security appliance? (Choose three.)
A. show disk0:
B. dir
C. show flash:
D. show memory
Answer: A,B,C

QUESTION NO: 84
Which two statements about the downloadable ACL feature of the security appliance are correct? (Choose two.)
A. Downloadable ACLs enable you to store full ACLs on a AAA server and download them to the security appliance.
B. Downloadable ACLs are supported using TACACS+ or RADIUS.
C. The downloadable ACL must be attached to a user or group profile on a AAA server.
D. The security appliance supports only per-user ACL authorization.
Answer: A,C

QUESTION NO: 85
You have just cleared the configuration on your Cisco ASA adaptive security appliance, which contains in its flash memory one ASA image file (asa802-k8.bin), one ASDM image file (asdm-602.bin), and no configuration files. You would like to reconfigure the Cisco ASA adaptive security appliance by use of Cisco ASDM, but you realize that you cannot access Cisco ASDM. Which set of commands offers the minimal configuration required to access Cisco ASDM?

A. interface, nameif, setup (followed by the setup command interactive prompts)
B. interface, nameif, ip address, hostname, domain-name, clock set, http server enable, asdm image
C. interface, nameif, ip address, no shutdown, hostname, domain-name, clock set, http server enable
D. setup (followed by the setup command interactive prompts)

Answer: A


QUESTION NO: 86
Clientless SSL VPN (WebVPN) allows a user to securely access resources on the corporate LAN from anywhere with an SSL-enabled Web browser. You are asked to configure Telnet port forwarding to a specific server on the clientless SSL VPN portal. A clientless SSL VPN user has called to complain that after she starts the application helper, her attempts to establish a Telnet connection to 10.0.4.3 time out. If the clientless SSL VPN configuration is correct, which type of Telnet connection would you have the end user make?

A. to 127.0.0.1 on TCP port 2300
B. to 10.0.4.3 on TCP port 23
C. to 127.0.0.1 on TCP port 23
D. to 10.0.4.3 on TCP port 2300

Answer: A


QUESTION NO: 87
You work as a network security administrator for your company. Now, you are asked to configure the corporate Cisco ASA security appliance to take the following steps on its outside interface:
-- rate limit all IP traffic from telecommuting system engineers to the inside host
-- drop all HTTP requests from the Internet to the web server that have a body length greater than 1000 bytes
-- prevent users on network 192.168.6.0/24 from using the FTP PUT command to store .exe files on the FTP server
In order to achieve this objective, which set of Modular Policy Framework components will be included?

A. one Layer 7 class map, one Layer 7 policy map, three Layer 3/4 class maps, one Layer 3/4 policy map
B. two Layer 7 class maps, one Layer 7 policy map, three Layer 3/4 class maps, one Layer 3/4 policy map
C. one Layer 7 class map, two Layer 7 policy maps, three Layer 3/4 class maps, one Layer 3/4 policy map
D. three Layer 7 policy maps, one Layer 3/4 class map, one Layer 3/4 policy map
Answer: C


QUESTION NO: 88
Tom wants to configure bookmarks for the clientless SSL VPN portal on his Cisco ASA security appliance. Which items are supported bookmark types?
A. CIFS
B. HTTPS
C. HTTP
D. FTP
Answer: A,B,C,D


QUESTION NO: 89
In the default global policy, which three traffic types are inspected by default? (Choose three.)
A. TFTP
B. FTP
C. ESMTP
D. ICMP
Answer: A,B,C


QUESTION NO: 90
What does the redundant interface feature of the security appliance accomplish?
A. to increase the number of interfaces available to your network without requiring you to add additional physical interfaces or security appliances
B. to increase the reliability of your security appliance
C. to allow a VPN client to send IPsec-protected traffic to another VPN user by allowing such traffic in and out of the same interface
D. to facilitate out-of-band management
Answer: B