Cisco.Passguide.642-617.v2011-05-14.by.Jorge


  • 7/30/2019 Cisco.Passguide.642-617.v2011-05-14.by.Jorge

    1/42

    PassGuide 642-617 V3.20

    Number: 000-000
    Passing Score: 800
    Time Limit: 120 min
    File Version: 1.0

    PassGuide 642-617

    Cisco 642-617

    Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0)

    Q&A V3.20

    (C) Copyright 2006-2010 CertBible Tech LTD,All Rights Reserved.

    Build Your Dreams. PassGuide 642-617

    Important Note: Please Read Carefully

    Study Tips

    This product will provide you with questions and answers carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions.

    Go through the entire document at least twice so that you make sure that you are not missing anything.

    Latest Version

    We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 120 days after the purchase. You should check your member zone at PassGuide for an update 3-4 days before the scheduled exam date.

    Feedback

    If you spot a possible improvement then please let us know. We are always interested in improving product quality. Feedback should be sent to [email protected]. You should include the following: exam number, version, page number, question number, and your login ID. Our experts will answer your mail promptly.

    Be Prepared. Be Confident. Get Certified.

    Sales and Support Manager
    Sales Team: [email protected]
    Support Team: support@passguide.com

    Copyright

    Each PDF file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular PDF file is being distributed by you, CertBible reserves the right to take legal action against you according to the International Copyright Laws.



    Exam A

    QUESTION 1

    Using the default modular policy framework global configuration on the Cisco ASA, how does the Cisco ASA process outbound HTTP traffic?

    A. HTTP flows are not permitted through the Cisco ASA, because HTTP is not inspected by default.

    B. HTTP flows match the inspection_default traffic class and are inspected using HTTP inspection.

    C. HTTP outbound traffic is permitted, but all return HTTP traffic is denied.

    D. HTTP flows are statefully inspected using TCP stateful inspection.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 2

    Which Cisco ASA feature enables the ASA to do these two things? 1) Act as a proxy for the server and generate a SYN-ACK response to the client SYN request. 2) When the Cisco ASA receives an ACK back from the client, the Cisco ASA authenticates the client and allows the connection to the server.

    A. TCP normalizer

    B. TCP state bypass

    C. TCP intercept

    D. basic threat detection

    E. advanced threat detection

    F. botnet traffic filter

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 3

    By default, which traffic can pass through a Cisco ASA that is operating in transparent mode without explicitly allowing it using an ACL?

    A. ARP

    B. BPDU

    C. CDP

    D. OSPF multicasts

    E. DHCP

    Answer: A

    Section: (none)

    Explanation/Reference:


    QUESTION 4

    Refer to the exhibit. Which Cisco ASA feature can be configured using this Cisco ASDM screen?


    A. Cisco ASA command authorization using TACACS+

    B. AAA accounting to track serial, SSH, and Telnet connections to the Cisco ASA

    C. Exec Shell access authorization using AAA

    D. cut-thru proxy

    E. AAA authentication policy for Cisco ASDM access

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 5

    Refer to the exhibit. The Cisco ASA is dropping all the traffic that is sourced from the internet and is destined to any security context inside interface. Which configuration should be verified on the Cisco ASA to solve this problem?


    A. The Cisco ASA has NAT control disabled on each security context.

    B. The Cisco ASA is using inside dynamic NAT on each security context.

    C. The Cisco ASA is using a unique MAC address on each security context outside interface.

    D. The Cisco ASA is using a unique dynamic routing protocol process on each security context.

    E. The Cisco ASA packet classifier is configured to use the outside physical interface to assign the packets to each security context.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 6

    Which four types of ACL object group are supported on the Cisco ASA (release 8.2)? (Choose four.)

    A. protocol

    B. network

    C. port

    D. service

    E. icmp-type

    F. host

    Answer: ABDE

    Section: (none)

    Explanation/Reference:


    QUESTION 7

    Refer to the exhibit. Which two CLI commands will result? (Choose two.)

    A. aaa authorization network LOCAL

    B. aaa authorization network default authentication-server LOCAL

    C. aaa authorization command LOCAL

    D. aaa authorization exec LOCAL

    E. aaa authorization exec authentication-server LOCAL

    F. aaa authorization exec authentication-server

    Answer: CD

    Section: (none)

    Explanation/Reference:


    QUESTION 8

    Refer to the exhibit. Which two statements about the class maps are true? (Choose two.)


    A. These class maps are referenced within the global policy by default for HTTP inspection.

    B. These class maps are all type inspect http class maps.

    C. These class maps classify traffic using regular expressions.

    D. These class maps are Layer 3/4 class maps.

    E. These class maps are used within the inspection_default class map for matching the default inspection traffic.

    Answer: CE

    Section: (none)

    Explanation/Reference:

    QUESTION 9

    Refer to the exhibit. A Cisco ASA in transparent firewall mode generates the log messages seen in the exhibit. What should be configured on the Cisco ASA to allow the denied traffic?

    A. extended ACL on the outside and inside interface to permit the multicast traffic

    B. EtherType ACL on the outside and inside interface to permit the multicast traffic

    C. stateful packet inspection

    D. static ARP mapping

    E. static MAC address mapping

    Answer: A

    Section: (none)

    Explanation/Reference:


    QUESTION 10

    The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three Cisco ASA options will not support these requirements? (Choose three.)

    A. transparent mode

    B. multiple context mode

    C. active/standby failover mode

    D. active/active failover mode

    E. routed mode

    F. no NAT-control

    Answer: ABD

    Section: (none)

    Explanation/Reference:

    QUESTION 11

    Refer to the exhibits. Which five options should be entered into the five fields in the Cisco ASDM Add Static Policy NAT Rule screen? (Choose five.)

    access-list POLICY_NAT_ACL extended permit ip host 172.16.0.10 10.0.1.0 255.255.255.0
    static (dmz,outside) 192.168.2.10 access-list POLICY_NAT_ACL

    A. dmz = Original Interface


    B. outside = Original Interface

    C. 172.16.0.10 = Original Source

    D. 192.168.2.10 = Original Source

    E. 10.0.1.0/24 = Original Destination

    F. 192.168.2.10 = Original Destination

    G. dmz = Translated Interface


    H. outside = Translated Interface

    I. 192.168.2.10 = Translated Use IP Address

    J. 172.16.0.10 = Translated Use IP Address

    Answer: ACEHI

    Section: (none)

    Explanation/Reference:

    QUESTION 12

    By default, which access rule is applied inbound to the inside interface?

    A. All IP traffic is denied.

    B. All IP traffic is permitted.

    C. All IP traffic sourced from any source to any less secure network destinations is permitted.

    D. All IP traffic sourced from any source to any more secure network destinations is permitted

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 13

    In which type of environment is the Cisco ASA MPF set connection advanced-options tcp-state-bypass option the most useful?

    A. SIP proxy

    B. WCCP

    C. BGP peering through the Cisco ASA

    D. asymmetric traffic flow

    E. transparent firewall

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 14


    Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per second, 600,000 maximum connections, and traffic shaping?

    A. 5540

    B. 5550

    C. 5580-20

    D. 5580-40

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 15

    Refer to the exhibit. What is the resulting CLI command?


    A. match request uri regex _default_GoToMyPC-tunnel
       drop-connection log

    B. match regex _default_GoToMyPC-tunnel
       drop-connection log

    C. class _default_GoToMyPC-tunnel
       drop-connection log

    D. match class-map _default_GoToMyPC-tunnel
       drop-connection log


    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 16

    A customer is ordering a number of Cisco ASAs for their network. For the remote or home office, they are purchasing the Cisco ASA 5505. When ordering the licenses for their Cisco ASAs, which two licenses must they order that are "platform specific" to the Cisco ASA 5505? (Choose two.)

    A. AnyConnect Essentials license

    B. per-user Premium SSL VPN license

    C. VPN shared license

    D. internal user licenses

    E. Security Plus license

    Answer: AE

    Section: (none)

    Explanation/Reference:


    QUESTION 17

    With Cisco ASA active/standby failover, what is needed to enable subsecond failover?

    A. Use redundant interfaces.

    B. Enable the stateful failover interface between the primary and secondary Cisco ASA.

    C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec.

    D. Decrease the default number of monitored interfaces to 1.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 18

    When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level will produce the most messages?

    A. notifications

    B. informational

    C. alerts

    D. emergencies

    E. errors

    F. debugging

    Answer: F


    Section: (none)

    Explanation/Reference:

    QUESTION 19

    Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name command?

    A. uRPF

    B. TCP intercept

    C. botnet traffic filter

    D. scanning threat detection

    E. IPS (IP audit)

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 20

    A Cisco ASA requires an additional feature license to enable which feature?

    A. transparent firewall

    B. cut-thru proxy

    C. threat detection

    D. botnet traffic filtering

    E. TCP normalizer

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 21

    Refer to the exhibit. What can be determined about the connection status?


    A. The output is showing normal activity to the inside 10.1.1.50 web server.

    B. Many HTTP connections to the 10.1.1.50 web server have successfully completed the three-way TCP handshake.

    C. Many embryonic connections are made from random sources to the 10.1.1.50 web server.

    D. The 10.1.1.50 host is triggering SYN flood attacks against random hosts on the outside.

    E. The 10.1.1.50 web server is terminating all the incoming HTTP connections.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 22

    When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.)

    A. Verify the interface status in the system execution space.

    B. Verify the mac-address-table on the Cisco ASA.

    C. Verify that unique MAC addresses are configured if the contexts are using nonshared interfaces.

    D. Verify the interface status in the user context.


    E. Verify the resource classes configuration by accessing the admin context.

    Answer: AD

    Section: (none)

    Explanation/Reference:


    QUESTION 23

    Which statement about the default ACL logging behavior of the Cisco ASA is true?

    A. The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured.

    B. The Cisco ASA generates system message 106023 for each packet that matched an ACE.

    C. The Cisco ASA generates system message 106100 only for the first packet that matched an ACE.

    D. The Cisco ASA generates system message 106100 for each packet that matched an ACE.

    E. No ACL logging is enabled by default.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 24

    When will a Cisco ASA that is operating in transparent firewall mode perform a routing table lookup instead of a MAC address table lookup to determine the outgoing interface of a packet?

    A. if multiple context mode is configured

    B. if the destination MAC address is unknown

    C. if the destination is more than a hop away from the Cisco ASA

    D. if NAT is configured

    E. if dynamic ARP inspection is configured

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 25

    Which flags should the show conn command normally show after a TCP connection has successfully been established from an inside host to an outside host?

    A. aB

    B. saA

    C. slO

    D. AIO

    E. UIO

    F. F

    Answer: E

    Section: (none)

    Explanation/Reference:


    QUESTION 26

    Refer to the exhibit. Which three configuration commands will enable the VPN client to get PATed to the 10.3.3.3 IP address when accessing the DMZ? (Choose three.)

    A. access-list client extended permit ip 209.165.202.128 255.255.255.224 any

    B. access-list client extended permit ip 10.3.3.3 255.255.255.255 any

    C. access-list client extended permit ip any 10.3.3.3 255.255.255.255

    D. nat (outside) 1 access-list client

    E. nat (dmz) 1 209.165.202.128 255.255.255.224

    F. nat (dmz) 1 access-list client

    Answer: ACD

    Section: (none)

    Explanation/Reference:

    QUESTION 27

    Refer to the exhibit. What is a reasonable conclusion?


    A. The maximum number of TCP connections that the 10.1.1.99 host can establish will be 146608.

    B. All the connections from the 10.1.1.99 have completed the TCP three-way handshake.

    C. The 10.1.1.99 host is generating a vast number of outgoing connections, probably due to a virus.

    D. The 10.1.1.99 host on the inside is under a SYN flood attack.

    E. The 10.1.1.99 host operations on the inside look normal.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 28

    What is the default interval for how often the dynamic database of the Cisco ASA botnet traffic filter is updated from Cisco/IronPort?

    A. every 5 minutes

    B. every 15 minutes

    C. every 30 minutes

    D. every 1 hour

    E. every 12 hours

    F. every 24 hours

    Answer: D

    Section: (none)

    Explanation/Reference:


    QUESTION 29

    In one custom dynamic application, the inside client connects to an outside server using TCP port 4444 and negotiates return client traffic in the port range of 5000 to 5500. The server then starts streaming UDP data to the client on the negotiated port in the specified range. Which Cisco ASA feature or command supports this custom dynamic application?

    A. TCP normalizer

    B. TCP intercept

    C. ip verify command

    D. established command

    E. tcp-map and tcp-options commands

    F. set connection advanced-options command

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 30

    Which two statements about Cisco ASA failover troubleshooting are true? (Choose two.)

    A. With active/active failover, failover link troubleshooting should be done in the system execution space.

    B. With active/active failover, ASR groups must be enabled.

    C. With active/active failover, user data passing interfaces troubleshooting should be done within the context execution space.

    D. The failed interface threshold is set to 1. Using the show monitor-interface command, if one of the monitored interfaces on both the primary and secondary Cisco ASA appliances is in the unknown state, a failover should occur.

    E. Syslog level 1 messages will be generated on the standby unit only if the logging standby command is used.

    Answer: AC

    Section: (none)

    Explanation/Reference:

    QUESTION 31

    A Cisco ASA is operating in transparent firewall mode, but the MAC address table of the Cisco ASA is always empty, which causes connectivity issues. What should you verify to troubleshoot this issue?

    A. if ARP inspection has been disabled

    B. if MAC learning has been disabled

    C. if NAT has been disabled


    D. if ARP traffic is explicitly allowed using an EtherType ACL

    E. if BPDU traffic is explicitly allowed using an EtherType ACL

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 32

    When configuring security contexts on the Cisco ASA, which three resource class limits can be set using a rate limit? (Choose three.)

    A. address translation rate

    B. Cisco ASDM session rate

    C. connections rate

    D. MAC-address learning rate (when in transparent mode)

    E. syslog messages rate

    F. stateful packet inspections rate

    Answer: CEF

    Section: (none)

    Explanation/Reference:

    QUESTION 33

    Refer to the exhibit. Which statement about the Telnet session from 10.0.0.1 to 172.26.1.200 is true?


    A. The Telnet session should be successful.

    B. The Telnet session should fail because the route lookup to the destination fails.

    C. The Telnet session should fail because the inside interface inbound access list will block it.

    D. The Telnet session should fail because no matching flow was found.

    E. The Telnet session should fail because inside NAT has not been configured.

    Answer: C

    Section: (none)

    Explanation/Reference:


    QUESTION 34

    In which two directions are the Cisco ASA modular policy framework inspection policies applied? (Choose two.)


    A. in the ingress direction only when applied globally

    B. in the ingress direction only when applied on an interface

    C. in the egress direction only when applied globally

    D. in the egress direction only when applied on an interface

    E. bi-directionally when applied globally

    F. bi-directionally when applied on an interface

    Answer: AF

    Section: (none)

    Explanation/Reference:

    QUESTION 35

    Which Cisco ASA show command groups the xlates and connections information together in its output?

    A. show conn

    B. show conn detail

    C. show xlate

    D. show asp

    E. show local-host

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 36

    By default, how does the Cisco ASA authenticate itself to the Cisco ASDM users?

    A. The administrator validates the Cisco ASA by examining the factory built-in identity certificate thumbprint of the Cisco ASA.

    B. The Cisco ASA automatically creates and uses a persistent self-signed X.509 certificate to authenticate itself to the administrator.

    C. The Cisco ASA automatically creates a self-signed X.509 certificate on each reboot to authenticate itself to the administrator.

    D. The Cisco ASA and the administrator use a mutual password to authenticate each other.

    E. The Cisco ASA authenticates itself to the administrator using a one-time password.

    Answer: B

    Section: (none)

    Explanation/Reference:


    QUESTION 37

    Refer to the exhibit. Which command enables the stateful failover option?


    A. failover link MYFAILOVER GigabitEthernet0/2

    B. failover lan interface MYFAILOVER GigabitEthernet0/2

    C. failover interface ip MYFAILOVER 172.16.5.1 255.255.255.0 standby 172.16.5.10

    D. preempt

    E. failover group 1 primary

    F. failover lan unit primary

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 38

    On Cisco ASA version 8.2, which four inspections are enabled by default in the global_policy? (Choose four.)

    A. HTTP

    B. ESMTP

    C. SKINNY

    D. ICMP

    E. TFTP

    F. SIP

    Answer: BCEF

    Section: (none)

    Explanation/Reference:


    QUESTION 39

    Which flag shown in the output of the show conn command is used to indicate that an initial SYN packet is from the outside (lower security-level interface)?

    A. B

    B. D

    C. B

    D. A

    E. A

    F. I

    G. 1

    H. O

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 40

    Using the default modular policy framework global configuration on the Cisco ASA, how does the Cisco ASA process outbound HTTP traffic?

    A. HTTP flows are not permitted through the Cisco ASA, because HTTP is not inspected by default.

    B. HTTP flows match the inspection_default traffic class and are inspected using HTTP inspection.

    C. HTTP outbound traffic is permitted, but all return HTTP traffic is denied.

    D. HTTP flows are statefully inspected using TCP stateful inspection.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 41

    Which feature is not supported on the Cisco ASA 5505 with the Security Plus license?

    A. security contexts

    B. stateless active/standby failover

    C. transparent firewall

    D. threat detection

    E. traffic shaping

    Answer: A

    Section: (none)

    Explanation/Reference:


    QUESTION 42

    What is the first configuration step when using Cisco ASDM to configure a new Layer 3/4 inspection policy on the Cisco ASA?

    A. Create a new class map.

    B. Create a new policy map and apply actions to the traffic classes.

    C. Create a new service policy rule.

    D. Create the ACLs to be referenced by any of the new class maps.

    E. Disable the default global inspection policy.

    F. Create a new firewall access rule.

    Answer: D

    Section: (none)

    Explanation/Reference:


    QUESTION 43

    Which statement about the Cisco ASA 5505 configuration is true?

    A. The IP address is configured under the physical interface (ethernet 0/0 to ethernet 0/7).

    B. With the default factory configuration, the management interface (management 0/0) is configured with the 192.168.1.1/24 IP address.

    C. With the default factory configuration, Cisco ASDM access is not enabled.

    D. The switchport access vlan command can be used to assign the VLAN to each physical interface (ethernet 0/0 to ethernet 0/7).

    E. With the default factory configuration, both the inside and outside interface will use DHCP to acquire its IP address.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 44

    Refer to the exhibit. What does the * next to the CTX security context indicate?


    A. The CTX context is the active context on the Cisco ASA.

    B. The CTX context is the standby context on the Cisco ASA.

    C. The CTX context contains the system configurations.

    D. The CTX context has the admin role.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 45

    Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only the debug output to syslog? (Choose three.)

    A. logging list test message 711001

    B. logging debug-trace

    C. logging trap debugging

    D. logging message 711001 level 7

    E. logging trap test

    Answer: BCD

    Section: (none)

    Explanation/Reference:


    QUESTION 46

    Refer to the exhibit. Which two configurations are required on the Cisco ASAs so that the return traffic from the 10.10.10.100 outside server back to the 10.20.10.100 inside client can be rerouted from the Active Ctx B context in ASA Two to the Active Ctx A context in ASA One? (Choose two.)


    A. stateful active/active failover

    B. dynamic routing (EIGRP or OSPF or RIP)

    C. ASR-group

    D. no NAT-control

    E. policy-based routing

    F. TCP/UDP connections replication

    Answer: AC

    Section: (none)

    Explanation/Reference:

    QUESTION 47

    Where in the ACS are the individual downloadable ACL statements configured to achieve the most scalable deployment?

    A. Group Setup

    B. User Setup

    C. Shared Profile Components

    D. Network Access Profiles

    E. Network Configuration

    F. Interface Configuration


    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 48

    Which two methods can be used to access the Cisco AIP-SSM CLI? (Choose two.)

    A. initiating an SSH connection to the Cisco AIP-SSM external management Ethernet port

    B. connecting to the console port on the Cisco AIP-SSM

    C. using the setup command on the Cisco ASA CLI

    D. using the session 1 command on the Cisco ASA CLI

    E. using the hw-module command on the Cisco ASA CLI

    Answer: AD

    Section: (none)

    Explanation/Reference:

    QUESTION 49

    Refer to the exhibit. Which three CLI configuration commands result from this configuration? (Choose three.)

    A. global (outside) 1 192.168.1.1

    B. nat (inside) 1 10.16.1.1

    C. static (inside,outside) 192.168.1.1 10.16.1.1 netmask 255.255.255.255 tcp 0 0 udp 0

    D. static (inside,outside) tcp 192.168.1.1 80 10.16.1.1 80

    E. access-list outside_access_in line 1 extended permit tcp any host 192.168.1.1 eq http

    F. access-list outside_access_in line 1 extended permit tcp any host 10.16.1.1 eq http

    Answer: DEF


    Section: (none)

    Explanation/Reference:

    QUESTION 50


    Which three configuration options are available when configuring static routes on the Cisco ASA? (Choose three.)

    A. Change the default metric (admin distance) from 1 to some other value.

    B. Enable route tracking.

    C. Specify the static route as the default tunnel gateway for VPN traffic.

    D. Specify that the static route will not be removed, even if the interface shuts down.

    E. Specify a tag value to the static route that can be used as a "match" value for controlling redistribution via route maps.

    Answer: ABC

    Section: (none)

    Explanation/Reference:

    QUESTION 51

    On the Cisco ASA, what is the default access rule if no user-defined access lists are defined on the interfaces?

    A. All inbound connections from the lower-security interfaces to the higher-security interfaces are permitted.


    B. All outbound connections from the higher-security interfaces to the lower-security interfaces are permitted.

    C. All IP traffic between interfaces with the same security level is permitted.

    D. All IP traffic in and out of the same interface is permitted.

    E. All IP traffic is denied.

    Answer: B

    Section: (none)

    Explanation/Reference:


    QUESTION 52

    When the Cisco ASA detects scanning attacks, how long is the attacker who is performing the scan shunned?

    A. 120 seconds

    B. 600 seconds

    C. 1200 seconds

    D. 3600 seconds

    E. 6000 seconds

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 53


    The ASA administrator wants to configure Botnet Traffic Filter using the dynamic database, but it is not working properly after the initial configuration has been entered. What other configuration is missing?


    A. Enabling DNS Snooping

    B. Enabling Botnet Traffic Filtering on at least one of the ASA interfaces

    C. Enabling the ASA to periodically download the dynamic database from Cisco

    D. Enabling DNS inspection globally

    E. Configuring the manual white and black lists

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 54

    Which two statements about the Cisco ASA configuration are true? (Choose two.)


    A. NAT Control is enabled

    B. The Cisco ASA is set up as the DHCP server for hosts on the inside and outside interfaces

    C. All IP traffic is permitted from the inside host to the outside

    D. All hosts on the inside and on the outside can access Cisco ASDM

    E. Access to the CLI in privileged mode will be authenticated using the LOCAL database on the Cisco ASA

    F. The ASA is using a persistent self-signed certificate so users can authenticate the Cisco ASA when accessing it via Cisco ASDM

    Answer: CF

    Section: (none)

    Explanation/Reference:

    QUESTION 55

    On the Cisco ASA, tcp-map can be applied to a traffic class using which MPF CLI configuration command?


    A. inspect

    B. sysopt connection

    C. tcp-options

    D. parameters

    E. set connection advanced-options

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 56

    On the Cisco ASA, where are the Layer 5-7 policy maps applied?

    A. inside the Layer 3-4 policy map

    B. inside the Layer 3-4 class map

    C. inside the Layer 5-7 class map

    D. inside the Layer 3-4 service policy

    E. inside the Layer 5-7 service policy

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 57

    Refer to the exhibit. Which two options will result from the Cisco ASA configuration? (Choose two.)

    A. The outside hosts can use the 192.168.100.1 IP address to reach the web server on the inside network.

    B. The global IP address of the web server is 209.165.200.230.

    C. The inside web client will use the 209.165.200.230 IP address to reach the web server and the Cisco ASA will translate the 209.165.200.230 IP address to the 192.168.100.1 IP address.

    D. The Cisco ASA will translate the DNS A-Record reply from the DNS server to any inside client for the web server (web server IP = 192.168.100.1).

    E. The web server will be reachable only from the inside.

    F. The web server will be reachable only from the outside.

    Answer: BD

    Section: (none)

    Explanation/Reference:

    QUESTION 58

    The Cisco ASA is configured in multiple mode and the security contexts share the same outside physical interface. Which two packet classification methods can be used by the Cisco ASA to determine which security context to forward the incoming traffic from the outside interface? (Choose two.)

    A. unique interface IP address

    B. unique interface MAC address

    C. routing table lookup

    D. MAC address table lookup

    E. unique global mapped IP addresses

    Answer: BE

    Section: (none)

    Explanation/Reference:


    QUESTION 59

    With Cisco ASA active/active or active/standby stateful failover, which state information or table is not passed between the active and standby Cisco ASA by default?

    A. NAT translation table

    B. TCP connection states

    C. UDP connection states

    D. ARP table

    E. HTTP connection table

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 60

    Refer to the exhibit. What requirement is mandatory when configuring a Cisco ASA to operate in transparent firewall mode?

    A. IP routing must be disabled on the Cisco ASA using the no ip routing global configuration command.

    B. The Cisco ASA must be configured to use the same MAC address on its outside and inside interfaces.

    C. ARP inspection must be enabled on both the inside and outside interfaces using the arp-inspection interface-name enable flood command.

    D. Both the inside and outside interfaces must be configured with the same security level.

    E. An inbound EtherType ACL is required on the inside and outside interfaces to permit ARP traffic.

    F. The management IP address of the Cisco ASA configured with the ip address global configuration command must belong in the 10.0.1.0/24 subnet.

    Answer: F

    Section: (none)

    Explanation/Reference:

    QUESTION 61

    Refer to the exhibit. Which two statements are true? (Choose two.)

    A. The connection is awaiting outside ACK to SYN.

    B. The connection is initiated from the inside.

    C. The connection is active and has received inbound and outbound data.

    D. The connection is an incomplete TCP connection.

    E. The connection is a DNS connection.

    Answer: BC

    Section: (none)

    Explanation/Reference:

    QUESTION 62

    Which five options are valid logging destinations for the Cisco ASA? (Choose five.)

    A. AAA server

    B. Cisco ASDM

    C. buffer

    D. SNMP traps

    E. LDAP server

    F. email

    G. TCP-based secure syslog server

    Answer: BCDF

    Section: (none)

    Explanation/Reference:

    QUESTION 63

    When troubleshooting redundant interface operations on the Cisco ASA, which configuration should be verified?

    A. The nameif configuration on the member physical interfaces is identical.

    B. The MAC address configuration on the member physical interfaces is identical.

    C. The active interface is sending periodic hellos to the standby interface.

    D. The IP address configuration on the logical redundant interface is correct.

    E. The duplex and speed configuration on the logical redundant interface are correct.

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 64

    What mechanism is used on the Cisco ASA to map IP addresses to domain names that are contained in the botnet traffic filter dynamic database or local blacklist?

    A. HTTP inspection

    B. DNS inspection and snooping

    C. WebACL

    D. dynamic botnet database fetches (updates)

    E. static blacklist

    F. static white list

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 65

    Which three statements about traffic shaping capability on the Cisco ASA are true? (Choose three.)

    A. Traffic shaping can be applied to all outgoing traffic on a physical interface or, in the case of the Cisco ASA 5505, on a VLAN.

    B. Traffic shaping can be applied in the input or output direction.

    C. Traffic shaping can cause jitter and delay.

    D. You can configure both traffic shaping and priority queueing on the same interface.

    E. Traffic shaping is not supported on the Cisco ASA 5580.

    Answer: ADE

    Section: (none)

    Explanation/Reference:


    QUESTION 66

    Refer to the exhibit. Which statement about the policy map named test is true?

    A. Only HTTP inspection will be applied to the TCP port 21 traffic.

    B. Only FTP inspection will be applied to the TCP port 21 traffic.

    C. Both HTTP and FTP inspections will be applied to the TCP port 21 traffic.

    D. No inspection will be applied to the TCP port 21 traffic, because the http class map configuration conflicts with the ftp class map.

    E. All FTP traffic will be denied, because the FTP traffic will fail the HTTP inspection.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 67

    When troubleshooting a Cisco ASA (running 8.2.2) that is operating in transparent firewall mode, what should you verify to ensure proper operation?

    A. The Cisco ASA has not been configured for inside static or dynamic NAT.

    B. The Cisco ASA global IP address belongs to the same subnet as the directly connected interfaces.

    C. The outside and inside interfaces are connected to different Layer 3 subnets.

    D. The Cisco ASA is using a dedicated management interface for management access.

    E. The Cisco ASA is configured for ARP inspection.

    Answer: B

    Section: (none)

    Explanation/Reference:

    QUESTION 68

    Which Cisco ASA object group type offers the most flexibility for grouping different services together based on arbitrary protocols?

    A. network

    B. ICMP

    C. protocol

    D. TCP-UDP

    E. service

    Answer: E

    Section: (none)

    Explanation/Reference:

    QUESTION 69

    DRAG DROP

    A.

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 70

    Which three parameters are set using the set connection command within a policy map on the Cisco ASA 8.2 release? (Choose three.)

    A. per-client TCP and/or UDP idle timeout

    B. per-client TCP and/or UDP maximum session time


    C. TCP sequence number randomization

    D. maximum number of simultaneous embryonic connections

    E. maximum number of simultaneous TCP and/or UDP connections

    F. fragments reassembly options

    Answer: CDE

    Section: (none)

    Explanation/Reference:

    QUESTION 71

    DRAG DROP

    A.

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 72

    DRAG DROP

    A.

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 73

    A customer is ordering a number of Cisco ASAs for their network. For the remote or home office, they are purchasing the Cisco ASA 5505. When ordering the licenses for their Cisco ASAs, which two licenses must they order that are "platform specific" to the Cisco ASA 5505? (Choose two.)

    A. AnyConnect Essentials license

    B. per-user Premium SSL VPN license

    C. VPN shared license

    D. internal user licenses

    E. Security Plus license

    Answer: AE

    Section: (none)

    Explanation/Reference:

    QUESTION 74

    With Cisco ASA active/standby failover, what is needed to enable subsecond failover?

    A. Use redundant interfaces.

    B. Enable the stateful failover interface between the primary and secondary Cisco ASA.

    C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec.

    D. Decrease the default number of monitored interfaces to 1.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 75

    When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level will produce the most messages?

    A. notifications

    B. informational

    C. alerts

    D. emergencies

    E. errors

    F. debugging

    Answer: F

    Section: (none)

    Explanation/Reference:


    QUESTION 76

    Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name command?

    A. uRPF

    B. TCP intercept

    C. botnet traffic filter

    D. scanning threat detection

    E. IPS (IP audit)

    Answer: A

    Section: (none)

    Explanation/Reference:

    QUESTION 77

    A Cisco ASA requires an additional feature license to enable which feature?

    A. transparent firewall

    B. cut-thru proxy

    C. threat detection

    D. botnet traffic filtering

    E. TCP normalizer

    Answer: D

    Section: (none)

    Explanation/Reference:

    QUESTION 78

    Refer to the exhibit. What can be determined about the connection status?


    A. The output is showing normal activity to the inside 10.1.1.50 web server.

    B. Many HTTP connections to the 10.1.1.50 web server have successfully completed the three-way TCP handshake.

    C. Many embryonic connections are made from random sources to the 10.1.1.50 web server.

    D. The 10.1.1.50 host is triggering SYN flood attacks against random hosts on the outside.

    E. The 10.1.1.50 web server is terminating all the incoming HTTP connections.

    Answer: C

    Section: (none)

    Explanation/Reference:

    QUESTION 79

    When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.)

    A. Verify the interface status in the system execution space.

    B. Verify the mac-address-table on the Cisco ASA.

    C. Verify that unique MAC addresses are configured if the contexts are using nonshared interfaces.

    D. Verify the interface status in the user context.

    E. Verify the resource classes configuration by accessing the admin context.

    Answer: AD

    Section: (none)