Cisco.actualTests.642 617.v2011!12!02.by.chips


Actual Tests v3.0-2.12.2011.105q.Chips

Number: 642-617
Passing Score: 800
Time Limit: 60 min
File Version: 1.1

For the Lab - Download the ASDM Demo from here: http://www.4shared.com/file/dbE_vbdo/asdm-demo-634.htm

Improvements over other files
Fixed Drag and Drops
Fixed incomplete questions
Fixed checked all questions
Removed duplicates - just really don't like duplicated questions
Added Hotspot Area style for LABs
Added screenshots for simlet question

NB: none of the answers are guaranteed -- please check the answers yourself - and check back in the comments for other people's ideas. It's an open and collaborative effort - if you feel that a question is wrong -- please publish forward so people can decide for themselves.

If you make any changes - please publish under a new name -- not this name. Thanks
Steak & Chips

Sections
1. Lab
2. Pre-Production Design
3. Complex Operations
4. Advanced Troubleshooting
5. New Questions
6. LAB


Exam A

QUESTION 1
Using the default modular policy framework global configuration on the Cisco ASA, how does the Cisco ASA process outbound HTTP traffic?

A. HTTP flows are not permitted through the Cisco ASA, because HTTP is not inspected by default.

B. HTTP flows match the inspection_default traffic class and are inspected using HTTP inspection.

C. HTTP outbound traffic is permitted, but all return HTTP traffic is denied.

D. HTTP flows are statefully inspected using TCP stateful inspection.

Answer: D
Section: Pre-Production Design

Explanation/Reference:

QUESTION 2
Which Cisco ASA feature enables the ASA to do these two things?
1) Act as a proxy for the server and generate a SYN-ACK response to the client SYN request.
2) When the Cisco ASA receives an ACK back from the client, the Cisco ASA authenticates the client and allows the connection to the server.

A. TCP normalizer

B. TCP state bypass

C. TCP intercept

D. basic threat detection

E. advanced threat detection

F. botnet traffic filter

Answer: C
Section: Pre-Production Design

Explanation/Reference:

QUESTION 3
By default, which traffic can pass through a Cisco ASA that is operating in transparent mode without explicitly allowing it using an ACL?

A. ARP

B. BPDU

C. CDP

D. OSPF multicasts

E. DHCP

Answer: A
Section: Pre-Production Design

Explanation/Reference:

QUESTION 4
Refer to the exhibit. Which Cisco ASA feature can be configured using this Cisco ASDM screen?


A. Cisco ASA command authorization using TACACS+

B. AAA accounting to track serial, ssh, and telnet connections to the Cisco ASA

C. Exec Shell access authorization using AAA

D. cut-thru proxy

E. AAA authentication policy for Cisco ASDM access

Answer: D
Section: Pre-Production Design

Explanation/Reference:

QUESTION 5
Refer to the exhibit. The Cisco ASA is dropping all the traffic that is sourced from the internet and is destined to any security context inside interface. Which configuration should be verified on the Cisco ASA to solve this problem?

A. The Cisco ASA has NAT control disabled on each security context.

B. The Cisco ASA is using inside dynamic NAT on each security context.

C. The Cisco ASA is using a unique MAC address on each security context outside interface.

D. The Cisco ASA is using a unique dynamic routing protocol process on each security context.

E. The Cisco ASA packet classifier is configured to use the outside physical interface to assign the packets to each security context.


Answer: C
Section: Complex Operations

Explanation/Reference:

QUESTION 6
Which four types of ACL object group are supported on the Cisco ASA (release 8.2)? (Choose four.)

A. protocol

B. network

C. port

D. service

E. icmp-type

F. host

Answer: ABDE
Section: Pre-Production Design

Explanation/Reference:

QUESTION 7
Refer to the exhibit. Which two statements about the class maps are true? (Choose two.)

A. These class maps are referenced within the global policy by default for HTTP inspection.

B. These class maps are all type inspect http class maps.

C. These class maps classify traffic using regular expressions.

D. These class maps are Layer 3/4 class maps.

E. These class maps are used within the inspection_default class map for matching the default inspection traffic.

Answer: BE
Section: Pre-Production Design

Explanation/Reference:


QUESTION 8
Refer to the exhibit. A Cisco ASA in transparent firewall mode generates the log messages seen in the exhibit. What should be configured on the Cisco ASA to allow the denied traffic?

A. extended ACL on the outside and inside interface to permit the multicast traffic

B. EtherType ACL on the outside and inside interface to permit the multicast traffic

C. stateful packet inspection

D. static ARP mapping

E. static MAC address mapping

Answer: A
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 9
The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three Cisco ASA options will not support these requirements? (Choose three.)

A. transparent mode

B. multiple context mode

C. active/standby failover mode

D. active/active failover mode

E. routed mode

F. no NAT-control

Answer: ABD
Section: Complex Operations

Explanation/Reference:

QUESTION 10
Refer to the exhibits. Which five options should be entered into the five fields in the Cisco ASDM Add Static Policy NAT Rule screen? (Choose five.)

access-list POLICY_NAT_ACL extended permit ip host 172.16.0.10 10.0.1.0 255.255.255.0
static (dmz,outside) 192.168.2.10 access-list POLICY_NAT_ACL


A. dmz = Original Interface

B. outside = Original Interface

C. 172.16.0.10 = Original Source

D. 192.168.2.10 = Original Source

E. 10.0.1.0/24 = Original Destination

F. 192.168.2.10 = Original Destination

G. dmz = Translated Interface

H. outside = Translated Interface

I. 192.168.2.10 = Translated Use IP Address

J. 172.16.0.10 = Translated Use IP Address

Answer: ACEHI
Section: Pre-Production Design

Explanation/Reference:

QUESTION 11
By default, which access rule is applied inbound to the inside interface?

A. All IP traffic is denied.

B. All IP traffic is permitted.

C. All IP traffic sourced from any source to any less secure network destinations is permitted.

D. All IP traffic sourced from any source to any more secure network destinations is permitted

Answer: C
Section: Pre-Production Design

Explanation/Reference:


QUESTION 12
In which type of environment is the Cisco ASA MPF set connection advanced-options tcp-state-bypass option the most useful?

A. SIP proxy

B. WCCP

C. BGP peering through the Cisco ASA

D. asymmetric traffic flow

E. transparent firewall

Answer: D
Section: Complex Operations

Explanation/Reference:

QUESTION 13
Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per second, 600,000 maximum connections, and traffic shaping?

A. 5540

B. 5550

C. 5580-20

D. 5580-40

Answer: B
Section: Pre-Production Design

Explanation/Reference:

QUESTION 14
Refer to the exhibit. What is the resulting CLI command?


A. match request uri regex _default_GoToMyPC-tunnel
   drop-connection log

B. match regex _default_GoToMyPC-tunnel
   drop-connection log

C. class _default_GoToMyPC-tunnel
   drop-connection log

D. match class-map _default_GoToMyPC-tunnel
   drop-connection log

Answer: C
Section: Pre-Production Design

Explanation/Reference:

QUESTION 15
A customer is ordering a number of Cisco ASAs for their network. For the remote or home office, they are purchasing the Cisco ASA 5505. When ordering the licenses for their Cisco ASAs, which two licenses must they order that are "platform specific" to the Cisco ASA 5505? (Choose two.)

A. AnyConnect Essentials license

B. per-user Premium SSL VPN license

C. VPN shared license

D. internal user licenses

E. Security Plus license

Answer: DE
Section: Pre-Production Design

Explanation/Reference:


QUESTION 16
With Cisco ASA active/standby failover, what is needed to enable sub-second failover?

A. Use redundant interfaces.

B. Enable the stateful failover interface between the primary and secondary Cisco ASA.

C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec.

D. Decrease the default number of monitored interfaces to 1.

Answer: C
Section: Complex Operations

Explanation/Reference:

QUESTION 17
Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name command?

A. uRPF

B. TCP intercept

C. botnet traffic filter

D. scanning threat detection

E. IPS (IP audit)

Answer: A
Section: Pre-Production Design

Explanation/Reference:

QUESTION 18
Refer to the exhibit. What can be determined about the connection status?


A. The output is showing normal activity to the inside 10.1.1.50 web server.

B. Many HTTP connections to the 10.1.1.50 web server have successfully completed the three-way TCP handshake.

C. Many embryonic connections are made from random sources to the 10.1.1.50 web server.

D. The 10.1.1.50 host is triggering SYN flood attacks against random hosts on the outside.

E. The 10.1.1.50 web server is terminating all the incoming HTTP connections.

Answer: C
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 19
When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.)

A. Verify the interface status in the system execution space.

B. Verify the mac-address-table on the Cisco ASA.

C. Verify that unique MAC addresses are configured if the contexts are using non-shared interfaces.

D. Verify the interface status in the user context.

E. Verify the resource classes configuration by accessing the admin context.

Answer: AD
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 20
Which statement about the default ACL logging behavior of the Cisco ASA is true?

A. The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured.

B. The Cisco ASA generates system message 106023 for each packet that matched an ACE.

C. The Cisco ASA generates system message 106100 only for the first packet that matched an ACE.

D. The Cisco ASA generates system message 106100 for each packet that matched an ACE.

E. No ACL logging is enabled by default.

Answer: A
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 21
When will a Cisco ASA that is operating in transparent firewall mode perform a routing table lookup instead of a MAC address table lookup to determine the outgoing interface of a packet?

A. if multiple context mode is configured

B. if the destination MAC address is unknown

C. if the destination is more than a hop away from the Cisco ASA

D. if NAT is configured

E. if dynamic ARP inspection is configured


Answer: D
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 22
Which flags should the show conn command normally show after a TCP connection has successfully been established from an inside host to an outside host?

A. aB

B. saA

C. slO

D. AIO

E. UIO

F. F

Answer: E
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 23
Refer to the exhibit. Which three configuration commands will enable the VPN client to get PATed to the 10.3.3.3 IP address when accessing the DMZ? (Choose three.)

A. access-list client extended permit ip 209.165.202.128 255.255.255.224 any

B. access-list client extended permit ip 10.3.3.3 255.255.255.255 any

C. access-list client extended permit ip any 10.3.3.3 255.255.255.255

D. nat (outside) 1 access-list client

E. nat (dmz) 1 209.165.202.128 255.255.255.224

F. nat (dmz) 1 access-list client


Answer: ACD
Section: Pre-Production Design

Explanation/Reference:

QUESTION 24
Refer to the exhibit. What is a reasonable conclusion?

A. The maximum number of TCP connections that the 10.1.1.99 host can establish will be 146608.

B. All the connections from the 10.1.1.99 have completed the TCP three-way handshake.

C. The 10.1.1.99 hosts are generating a vast number of outgoing connections, probably due to a virus.

D. The 10.1.1.99 host on the inside is under a SYN flood attack.

E. The 10.1.1.99 host operations on the inside look normal.

Answer: C
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 25
In one custom dynamic application, the inside client connects to an outside server using TCP port 4444 and negotiates return client traffic in the port range of 5000 to 5500. The server then starts streaming UDP data to the client on the negotiated port in the specified range. Which Cisco ASA feature or command supports this custom dynamic application?

A. TCP normalizer

B. TCP intercept

C. ip verify command

D. established command

E. tcp-map and tcp-options commands


F. set connection advanced-options command

Answer: D
Section: Complex Operations

Explanation/Reference:

QUESTION 26
Which two statements about Cisco ASA failover troubleshooting are true? (Choose two.)

A. With active/active failover, failover link troubleshooting should be done in the system execution space.

B. With active/active failover, ASR groups must be enabled.

C. With active/active failover, user data passing interfaces troubleshooting should be done within the context execution space.

D. The failed interface threshold is set to 1. Using the show monitor-interface command, if one of the monitored interfaces on both the primary and secondary Cisco ASA appliances is in the unknown state, a failover should occur.

E. Syslog level 1 messages will be generated on the standby unit only if the logging standby command is used.

Answer: AC
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 27
A Cisco ASA is operating in transparent firewall mode, but the MAC address table of the Cisco ASA is always empty, which causes connectivity issues. What should you verify to troubleshoot this issue?

A. if ARP inspection has been disabled

B. if MAC learning has been disabled

C. if NAT has been disabled

D. if ARP traffic is explicitly allowed using EtherType ACL

E. if BPDU traffic is explicitly allowed using EtherType ACL

Answer: B
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 28
When configuring security contexts on the Cisco ASA, which three resource class limits can be set using a rate limit? (Choose three.)

A. address translation rate

B. Cisco ASDM session rate

C. connections rate

D. MAC-address learning rate (when in transparent mode)

E. syslog messages rate

F. stateful packet inspections rate


Answer: CEF
Section: Complex Operations

Explanation/Reference:

QUESTION 29
Refer to the exhibit. Which statement about the Telnet session from 10.0.0.1 to 172.26.1.200 is true?

A. The Telnet session should be successful.

B. The Telnet session should fail because the route lookup to the destination fails.

C. The Telnet session should fail because the inside interface inbound access list will block it.

D. The Telnet session should fail because no matching flow was found.

E. The Telnet session should fail because inside NAT has not been configured.

Answer: C

Section: Pre-Production Design

Explanation/Reference:

QUESTION 30
Which Cisco ASA show command groups the xlates and connections information together in its output?

A. show conn

B. show conn detail

C. show asp

D. show local-host

Answer: D
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 31
By default, how does the Cisco ASA authenticate itself to the Cisco ASDM users?

A. The administrator validates the Cisco ASA by examining the factory built-in identity certificate thumbprint of the Cisco ASA.

B. The Cisco ASA automatically creates and uses a persistent self-signed X.509 certificate to authenticate itself to the administrator.

C. The Cisco ASA automatically creates a self-signed X.509 certificate on each reboot to authenticate itself to the administrator.

D. The Cisco ASA and the administrator use a mutual password to authenticate each other.

E. The Cisco ASA authenticates itself to the administrator using a one-time password.

Answer: C
Section: Pre-Production Design

Explanation/Reference:

QUESTION 32
Refer to the exhibit. Which command enables the stateful failover option?


A. failover link MYFAILOVER GigabitEthernet0/2

B. failover lan interface MYFAILOVER GigabitEthernet0/2

C. failover interface ip MYFAILOVER 172.16.5.1 255.255.255.0 standby 172.16.5.10

D. preempt

E. failover group 1 primary

F. failover lan unit primary

Answer: A
Section: Complex Operations

Explanation/Reference:

QUESTION 33
On Cisco ASA version 8.2, which four inspections are enabled by default in the global_policy? (Choose four.)

A. HTTP

B. ESMTP

C. SKINNY

D. ICMP

E. TFTP

F. SIP

Answer: BCEF
Section: Pre-Production Design

Explanation/Reference:

QUESTION 34
Which flag shown in the output of the show conn command is used to indicate that an initial SYN packet is from the outside (lower security-level interface)?

A. B

B. D

C. b

D. A

E. a

F. I

G. 1

H. O

Answer: A
Section: Advanced Troubleshooting

Explanation/Reference:
Official Guide page 343 onwards

a = awaiting outside ACK to SYN
A = awaiting inside ACK to SYN

B = initial SYN from outside


f = inside FIN
F = outside FIN

I = inbound data
O = outbound data

r = inside acknowledged FIN
R = outside acknowledged FIN

s = awaiting outside SYN
S = awaiting inside SYN
U = connection UP

QUESTION 35

A. allows the configuration of predefined user account privileges

B. allows tacacs

C. allow backup for group fail

D. allows AAA

Answer: A
Section: Pre-Production Design

Explanation/Reference:

QUESTION 36

Refer to the exhibit. Which two CLI commands will result? (Choose two.)

A. aaa authorization network LOCAL

B. aaa authorization network default authentication-server LOCAL

C. aaa authorization command LOCAL

D. aaa authorization exec LOCAL

E. aaa authorization exec authentication-server LOCAL

F. aaa authorization exec authentication-server

Answer: CD
Section: Pre-Production Design

Explanation/Reference:

QUESTION 37

A. create an access list on the inside and outside interface to permit multicast traffic

B. create a policy map to match the routing protocol ospf

C. map the mac addresses of the two routers in the mac-address table

D.

Answer: A

Section: New Questions

Explanation/Reference:

QUESTION 38
Which SNMP feature is supported by the new ASA OS version?

A. SNMPv3 with 3 modes

B. SNMP 1 and 2c only

C. read-only and read-write

D. SNMPv2 with aes authentication encryption

Answer: A
Section: New Questions

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html

QUESTION 39
Which ASA model has a 4-port module attached to it, which cannot be removed?

A. ASA 5505

B. ASA 5520

C. ASA 5540

D. ASA 5550

E. ASA 5580

Answer: D
Section: New Questions

Explanation/Reference:
Official Guide - Page 49

QUESTION 40
Which of the following configurations are needed to enable SNMPv3 on a Cisco ASA? (Choose four.)

A. SNMPv3 local Engine ID

B. SNMPv3 Remote Engine ID

C. SNMP User

D. SNMP Group

E. SNMP Community Strings

F. SNMP Host

Answer: ACDF
Section: New Questions

Explanation/Reference:
Official Guide Page 220+

and

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html#wp18853


QUESTION 41
How many monitored interfaces should be down to transfer to failover state?

A. 1

B. 2

C. 3

D. 4

E. 5

Answer: A
Section: New Questions

Explanation/Reference:

QUESTION 42
Which URI regular expression would match any web page containing welcome.jpg?

A. ?/welcome*.jpg

B. ?/welcome\.jpg

C. ^*/welcome\.jpg

D. ./welcome.jpg

E. ^*/welcome.jpg

Answer: C
Section: New Questions

Explanation/Reference:
Official guide page 457-458

. = match any single character

^ = matches anything at the beginning of the line: any expression following the ^ will be matched only if it appears at the beginning of the line
* = matches 0, 1 or any number of the character preceding the *, i.e. w* can equal w, ww, www, wwww
\ = ignores the special function of the next letter
- = just as it is printed

Further reading

http://en.wikipedia.org/wiki/Regular_expression_examples

QUESTION 43
When a Cisco ASA is configured in multiple context mode, within which configuration are the interfaces allocated to the security contexts?

A. each security context

B. system configuration

C. admin context (context within the admin role)

D. context startup configuration file (.cfg file)

Answer: B
Section: New Questions

Explanation/Reference:


QUESTION 44
Which statement about NAT/PAT is true?

A. Dynamic PAT is used for any traffic that is sourced from the dmz_emailserver to the outside

B. Dynamic PAT is used for any traffic that is sourced from any host on the inside network to the outside

C. Static NAT is used for any traffic that is sourced from the dmz_emailserver to the outside

D. Static PAT is used for any traffic that is sourced from the dmz_emailserver to the outside

E. Dynamic NAT is used for any traffic that is sourced from the dmz_emailserver to the outside

F. Dynamic NAT is used for any traffic that is sourced from any host on the guest-network to the outside

Answer: B
Section: New Questions

Explanation/Reference:
Official guide Page 300 onwards

QUESTION 45
Which statement about SNMP support on the Cisco ASA running 8.2.2 is true?

A. Only supports running SNMP version 1 and 2c simultaneously

B. Supports both read-only and read/write access

C. Supports three SNMP Groups: Authentication and Encryption, Authentication Only and No Authentication.

D. The Cisco ASA can send SNMP traps to the Network Management Station only using SNMPv2

Answer: C
Section: New Questions

Explanation/Reference:
Official Guide - Chapter 5 - pages 217 onwards

Page 219
Three SNMPv3 group definitions are supported by the ASA:
■ No Authentication, No Encryption: Cleartext communication between the ASA and NMS
■ Authentication Only: Communication is authenticated but unencrypted
■ Authentication and Encryption: Authentication and full encryption for communication between the ASA and NMS


Exam B

QUESTION 1
Which feature is not supported on the Cisco ASA 5505 with the Security Plus license?

A. security contexts

B. stateless active/standby failover

C. transparent firewall

D. threat detection

E. traffic shaping

Answer: A
Section: Complex Operations

Explanation/Reference:

QUESTION 2
What is the first configuration step when using Cisco ASDM to configure a new Layer 3/4 inspection policy on the Cisco ASA?

A. Create a new class map.

B. Create a new policy map and apply actions to the traffic classes.

C. Create a new service policy rule.

D. Create the ACLs to be referenced by any of the new class maps.

E. Disable the default global inspection policy.

F. Create a new firewall access rule.

Answer: C
Section: Pre-Production Design

Explanation/Reference:

QUESTION 3
Which statement about the Cisco ASA 5505 configuration is true?

A. The IP address is configured under the physical interface (ethernet 0/0 to ethernet 0/7).

B. With the default factory configuration, the management interface (management 0/0) is configured with the 192.168.1.1/24 IP address.

C. With the default factory configuration, Cisco ASDM access is not enabled.

D. The switchport access vlan command can be used to assign the VLAN to each physical interface (ethernet 0/0 to ethernet 0/7).

E. With the default factory configuration, both the inside and outside interface will use DHCP to acquire its IP address.

Answer: B
Section: Pre-Production Design

Explanation/Reference:
Official Guide - Page 51 - Chapter 2

In the initial configuration, the management interface is always configured to use IP address 192.168.1.1 and subnet mask 255.255.255.0. The DHCP server is configured to provide addresses from a range of 192.168.1.2 to 192.168.1.254. The HTTP server is configured to allow ASDM sessions from devices on the 192.168.1.0/24 management network.

On ASA 5510 and higher platforms, the initial configuration always uses the Management0/0 physical interface for the management network, as shown in the top portion of Figure 2-7. The ASA 5505, however, doesn't have a dedicated management interface. Instead, it uses VLAN 1 for the secure "inside" network, which is assigned to physical interfaces Ethernet0/1 through 0/7.

QUESTION 4
Refer to the exhibit. What does the * next to the CTX security context indicate?

A. The CTX context is the active context on the Cisco ASA.

B. The CTX context is the standby context on the Cisco ASA.

C. The CTX context contains the system configurations.

D. The CTX context has the admin role.

Answer: D
Section: Complex Operations

Explanation/Reference:

QUESTION 5
Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only the debug output to syslog? (Choose three.)

A. logging list test message 711001

B. logging debug-trace

C. logging trap debugging

D. logging message 711001 level 7

E. logging trap test

Answer: BCD
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 6
Refer to the exhibit. Which two configurations are required on the Cisco ASAs so that the return traffic from the 10.10.10.100 outside server back to the 10.20.10.100 inside client can be rerouted from the Active CtxB context in ASA Two to the Active CtxA context in ASA One? (Choose two.)


A. stateful active/active failover

B. dynamic routing (EIGRP or OSPF or RIP)

C. ASR-group

D. no NAT-control

E. policy-based routing

F. TCP/UDP connections replication

Answer: AC
Section: Complex Operations

Explanation/Reference:

QUESTION 7
Where in the ACS are the individual downloadable ACL statements configured to achieve the most scalable deployment?

A. Group Setup

B. User Setup

C. Shared Profile Components

D. Network Access Profiles

E. Network Configuration

F. Interface Configuration

Answer: C
Section: Pre-Production Design

Explanation/Reference:


QUESTION 8
Which two methods can be used to access the Cisco AIP-SSM CLI? (Choose two.)

A. initiating an SSH connection to the Cisco AIP-SSM external management Ethernet port

B. connecting to the console port on the Cisco AIP-SSM

C. using the setup command on the Cisco ASA CLI

D. using the session 1 command on the Cisco ASA CLI

E. using the hw-module command on the Cisco ASA CLI

Answer: AD
Section: Pre-Production Design

Explanation/Reference:

QUESTION 9
Refer to the exhibit. Which three CLI configuration commands result from this configuration? (Choose three.)

A. global (outside) 1 192.168.11

B. nat (inside) 1 10.16.1.1

C. static (inside,outside) 192.168.1.1 10.16.1.1 netmask 255.255.255.255 tcp 0 0 udp 0

D. static (inside,outside) tcp 192.168.1.1 80 10.16.1.1 80

E. access-list outside_access_in line 1 extended permit tcp any host 192.168.1.1 eq http

F. access-list outside_access_in line 1 extended permit tcp any host 10.16.1.1 eq http

G. access-group outside_access_in outside in

H. access-group outside_access_in inside in

Answer: CEG
Section: Pre-Production Design

Explanation/Reference:


QUESTION 10
Which three configuration options are available when configuring static routes on the Cisco ASA? (Choose three.)

A. Change the default metric (admin distance) from 1 to some other value.

B. Enable route tracking.

C. Specify the static route as the default tunnel gateway for VPN traffic.

D. Specify that the static route will not be removed, even if the interface shuts down.

E. Specify a tag value to the static route that can be used as a "match" value for controlling redistribution via route maps.

Answer: ABC
Section: Pre-Production Design

Explanation/Reference:

QUESTION 11
On the Cisco ASA, what is the default access rule if no user-defined access lists are defined on the interfaces?

A. All inbound connections from the lower-security interfaces to the higher-security interfaces are permitted.

B. All outbound connections from the higher-security interfaces to the lower-security interfaces are permitted.

C. All IP traffic between interfaces with the same security level is permitted.

D. All IP traffic in and out of the same interface is permitted.

E. All IP traffic is denied.

Answer: B
Section: Pre-Production Design

Explanation/Reference:

QUESTION 12
On the Cisco ASA, tcp-map can be applied to a traffic class using which MPF CLI configuration command?


A. inspect

B. sysopt connection

C. tcp-options

D. parameters

E. set connection advanced-options

Answer: E
Section: Complex Operations

Explanation/Reference:

QUESTION 13
On the Cisco ASA, where are the Layer 5-7 policy maps applied?

A. inside the Layer 3-4 policy map

B. inside the Layer 3-4 class map

C. inside the Layer 5-7 class map

D. inside the Layer 3-4 service policy

E. inside the Layer 5-7 service policy

Answer: A
Section: Complex Operations

Explanation/Reference:

QUESTION 14
Refer to the exhibit. Which two options will result from the Cisco ASA configuration? (Choose two.)

A. The outside hosts can use the 192.168.100.1 IP address to reach the web server on the inside network.

B. The global IP address of the web server is 209.165.200.230.


C. The inside web client will use the 209.165.200.230 IP address to reach the web server and the Cisco ASA will translate the 209.165.200.230 IP address to the 192.168.100.1 IP address.

D. The Cisco ASA will translate the DNS A-Record reply from the DNS server to any inside client for the web server (web server IP = 192.168.100.1).

E. The web server will be reachable only from the inside.

F. The web server will be reachable only from the outside.

Answer: BD
Section: Complex Operations

Explanation/Reference:

QUESTION 15
The Cisco ASA is configured in multiple mode and the security contexts share the same outside physical interface. Which two packet classification methods can be used by the Cisco ASA to determine which security context to forward the incoming traffic from the outside interface? (Choose two.)

A. unique interface IP address

B. unique interface MAC address

C. routing table lookup

D. MAC address table lookup

E. unique global mapped IP addresses

Answer: BE
Section: Complex Operations

Explanation/Reference:

QUESTION 16
With Cisco ASA active/active or active/standby stateful failover, which state information or table is not passed between the active and standby Cisco ASA by default?

A. NAT translation table

B. TCP connection states

C. UDP connection states

D. ARP table

E. HTTP connection table

Answer: E
Section: Complex Operations

Explanation/Reference:

QUESTION 17
Refer to the exhibit. What requirement is mandatory when configuring a Cisco ASA to operate in transparent firewall mode?

A. IP routing must be disabled on the Cisco ASA using the no ip routing global configuration command.

B. The Cisco ASA must be configured to use the same MAC address on its outside and inside interfaces.

C. ARP inspection must be enabled on both the inside and outside interfaces using the arp-inspection interface-name enable flood command.

D. Both the inside and outside interfaces must be configured with the same security level.

E. An inbound EtherType ACL is required on the inside and outside interfaces to permit ARP traffic.

F. The management IP address of the Cisco ASA configured with the ip address global configuration command must belong in the 10.0.1.0/24 subnet.

Answer: F
Section: Pre-Production Design

Explanation/Reference:

QUESTION 18
Refer to the exhibit. Which two statements are true? (Choose two.)

A. The connection is awaiting outside ACK to SYN.

B. The connection is initiated from the inside.

C. The connection is active and has received inbound and outbound data.

D. The connection is an incomplete TCP connection.

E. The connection is a DNS connection.

Answer: BC
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 19
Which five options are valid logging destinations for the Cisco ASA? (Choose five.)

A. AAA server

B. Cisco ASDM

C. buffer

D. SNMP traps

E. LDAP server

F. email

G. TCP-based secure syslog server

Answer: BCDFG
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 20
When troubleshooting redundant interface operations on the Cisco ASA, which configuration should be verified?

A. The nameif configuration on the member physical interfaces are identical.

B. The MAC address configuration on the member physical interfaces are identical.

C. The active interface is sending periodic hellos to the standby interface.

D. The IP address configuration on the logical redundant interface is correct.

E. The duplex and speed configuration on the logical redundant interface are correct.

Answer: D
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 21
What mechanism is used on the Cisco ASA to map IP addresses to domain names that are contained in the botnet traffic filter dynamic database or local blacklist?

A. HTTP inspection

B. DNS inspection and snooping

C. Web ACL

D. dynamic botnet database fetches (updates)

E. static black list

F. static white list

Answer: B
Section: Complex Operations

Explanation/Reference:

QUESTION 22
Which three statements about the traffic shaping capability on the Cisco ASA are true? (Choose three.)

A. Traffic shaping can be applied to all outgoing traffic on a physical interface or, in the case of the Cisco ASA 5505, on a VLAN.

B. Traffic shaping can be applied in the input or output direction.

C. Traffic shaping can cause jitter and delay.

D. You can configure both traffic shaping and priority queueing on the same interface.

E. Traffic shaping is not supported on the Cisco ASA 5580.

Answer: ACE
Section: Complex Operations

Explanation/Reference:

QUESTION 23
Refer to the exhibit. Which statement about the policy map named test is true?

A. Only HTTP inspection will be applied to the TCP port 21 traffic.

B. Only FTP inspection will be applied to the TCP port 21 traffic.

C. Both HTTP and FTP inspections will be applied to the TCP port 21 traffic.

D. No inspection will be applied to the TCP port 21 traffic, because the http class map configuration conflicts with the ftp class map.

E. All FTP traffic will be denied, because the FTP traffic will fail the HTTP inspection.

Answer: C
Section: Complex Operations

Explanation/Reference:

QUESTION 24
When troubleshooting a Cisco ASA (running 8.2.2) that is operating in transparent firewall mode, what should you verify to ensure proper operation?

A. The Cisco ASA has not been configured for inside static or dynamic NAT.

B. The Cisco ASA global IP address belongs to the same subnet as the directly connected interfaces.

C. The outside and inside interface are connected to different Layer 3 subnets.

D. The Cisco ASA is using a dedicated management interface for management access.

E. The Cisco ASA is configured for ARP inspection.

Answer: B
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 25
Which Cisco ASA object group type offers the most flexibility for grouping different services together based on arbitrary protocols?

A. network

B. ICMP

C. protocol

D. TCP-UDP

E. service

Answer: E
Section: Complex Operations

Explanation/Reference:

QUESTION 26
Which three parameters are set using the set connection command within a policy map on the Cisco ASA 8.2 release? (Choose three.)

A. per-client TCP and/or UDP idle timeout

B. per-client TCP and/or UDP maximum session time

C. TCP sequence number randomization

D. maximum number of simultaneous embryonic connections

E. maximum number of simultaneous TCP and/or UDP connections

F. fragments reassembly options

Answer: CDE
Section: Complex Operations

Explanation/Reference:
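The three commands behind Questions 12, 26 and 33 fit together in one Modular Policy Framework policy. The configuration below is an added example written for this page (it is not taken from the dump or from Cisco documentation) in ASA 8.2 syntax; the interface name, the ACL name WEB-IN, the server address 192.168.100.10 and every limit value are assumptions chosen for illustration.

```cisco
! Added example: TCP normalization and connection limits for an inside web server.

! Step 1 - tcp-map holds the TCP normalizer settings (Question 12)
tcp-map WEB-TCP
 reserved-bits clear
 urgent-flag clear
 tcp-options selective-ack allow
 tcp-options timestamp allow
 tcp-options window-scale allow
 exceed-mss drop
 window-variation drop
 syn-data drop
 check-retransmission

! Step 2 - Layer 3/4 class map selects the traffic (inbound HTTP to the server)
access-list WEB-IN extended permit tcp any host 192.168.100.10 eq www
class-map WEB-SERVER
 match access-list WEB-IN

! Step 3 - Layer 3/4 policy map attaches the actions to the class
policy-map OUTSIDE-POLICY
 class WEB-SERVER
  ! Question 26: connection limits and sequence-number randomization are
  ! "set connection" parameters; reaching embryonic-conn-max turns on
  ! TCP Intercept (SYN cookies) for this class
  set connection conn-max 2000 embryonic-conn-max 200
  set connection per-client-max 50 per-client-embryonic-max 10
  set connection random-sequence-number enable
  ! idle timers are a separate form of the command, not a "set connection" limit
  set connection timeout embryonic 0:00:30
  ! Question 12: the tcp-map is attached with "advanced-options"
  set connection advanced-options WEB-TCP

! Step 4 - Question 33: a service policy on an interface is applied in both
! directions; the same policy applied with "global" only sees traffic
! entering each interface
service-policy OUTSIDE-POLICY interface outside
```

Verify with `show service-policy interface outside` (the current and embryonic counts per class) and `show conn` during a test connection. Be careful with `syn-data drop` and `window-variation drop`: both are legitimate but uncommon TCP behaviours, so watch for drops in `show asp drop` after applying a strict tcp-map.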

QUESTION 27
With Cisco ASA active/standby failover, what is needed to enable sub-second failover?

A. Use redundant interfaces.

B. Enable the stateful failover interface between the primary and secondary Cisco ASA.

C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec.

D. Decrease the default number of monitored interfaces to 1.

Answer: C
Section: Complex Operations

Explanation/Reference:
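Questions 16 and 27 both come down to a few lines of failover configuration. The following is an added example for this page (not the dump's own content) showing the primary unit of an Active/Standby LAN-based failover pair in ASA 8.2 syntax; the interface choices, addresses and key are assumptions, and the secondary unit needs the same commands with `failover lan unit secondary`.

```cisco
! Added example: Active/Standby failover with stateful link, HTTP replication
! and sub-second unit failover timers (primary unit).
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
! encrypt and authenticate the failover and state traffic
failover key shared-failover-secret
! Question 16: HTTP connection state is not replicated unless this is enabled
failover replication http
! Question 27: sub-second unit failover; the hold time must be at least
! three times the poll time (minimum 200 msec poll, 800 msec hold)
failover polltime unit msec 300 holdtime msec 900
! interface health polls are separate from unit polls
failover polltime interface msec 500 holdtime 5
! a data interface needs a standby address before it can be monitored
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224 standby 209.165.200.226
monitor-interface outside
! enable failover last, after the links are defined
failover
```

Check the result with `show failover` (unit state, poll and hold times, which interfaces are monitored) and `show failover state`. Aggressive unit timers are only safe on a dedicated, uncongested failover link: a few lost hellos on a shared link will trigger spurious failovers, or a split-brain with both units active.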

QUESTION 28
A Cisco ASA requires an additional feature license to enable which feature?

A. transparent firewall


B. cut-thru proxy

C. threat detection

D. botnet traffic filtering

E. TCP normalizer

Answer: D
Section: Complex Operations

Explanation/Reference:

QUESTION 29
Refer to the exhibit. What can be determined about the connection status?

A. The output is showing normal activity to the inside 10.1.1.50 web server.

B. Many HTTP connections to the 10.1.1.50 web server have successfully completed the three-way TCP handshake.

C. Many embryonic connections are made from random sources to the 10.1.1.50 web server.

D. The 10.1.1.50 host is triggering SYN flood attacks against random hosts on the outside.

E. The 10.1.1.50 web server is terminating all the incoming HTTP connections.

Answer: C
Section: Advanced Troubleshooting

Explanation/Reference:

QUESTION 30
When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.)

A. Verify the interface status in the system execution space.

B. Verify the mac-address-table on the Cisco ASA.

C. Verify that unique MAC addresses are configured if the contexts are using nonshared interfaces.

D. Verify the interface status in the user context.

E. Verify the resource classes configuration by accessing the admin context.

Answer: AD
Section: Complex Operations

Explanation/Reference:
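Questions 15 and 30 (and Question 39 below) describe the same multiple-context setup from different angles. This added example, written for this page rather than taken from the dump, shows the system execution space of an ASA 8.2 in multiple mode where two routed-mode contexts share the outside interface; the context names, interfaces, VLAN IDs and config file names are assumptions.

```cisco
! Added example: system execution space with a shared outside interface.
mode multiple
! Question 15: on a shared interface the classifier can only tell contexts
! apart by a unique interface MAC address or by distinct NAT (mapped)
! addresses; auto-generated MACs make that deterministic
mac-address auto
! physical interfaces must be enabled here, in the system space
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
! both user contexts receive GigabitEthernet0/0 under the mapped name "outside"
context ctxA
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/ctxA.cfg
context ctxB
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/ctxB.cfg
```

For Question 30 the check is two-sided: `show interface` in the system space reports whether the physical interface is administratively up and has link, while `changeto context ctxA` followed by `show interface` and `show conn` shows whether the context has configured `nameif`, `security-level` and an IP address on its allocated interface and whether connections are being built. `show context` from the system space lists each context's interfaces and configuration URL. Sharing interfaces in this way is only possible in routed mode; transparent-mode contexts cannot share an interface (Question 39).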

QUESTION 31
Which features are available by default with the CSC-SSM base license? (Choose three.)

A. Antispam

B. Antivirus

C. Antispyware

D. HTTP & FTP file blocking

E. URL Blocking and Filtering

F. Antiphishing

G. email content control

Answer: BCD
Section: Complex Operations

Explanation/Reference:

QUESTION 32
If an ASA is configured with overlapping NAT/PAT rules, the ASA will apply the rules in a specific order. Which rule will be applied first?

A. Policy NAT

B. Static NAT

C. Static PAT

D. Dynamic PAT

E. Dynamic NAT

F. NAT Exemption

Answer: F
Section: Pre-Production Design

Explanation/Reference:

QUESTION 33
In which two directions are the Cisco ASA modular policy framework inspection policies applied? (Choose two.)

A. in the ingress direction only when applied globally

B. in the ingress direction only when applied on an interface

C. in the egress direction only when applied globally

D. in the egress direction only when applied on an interface


E. bi-directionally when applied globally

F. bi-directionally when applied on an interface

Answer: AF
Section: Pre-Production Design

Explanation/Reference:


QUESTION 35
When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level will produce the most messages?

A. notifications

B. informational

C. alerts

D. emergencies

E. errors

F. debugging

Answer: F
Section: Advanced Troubleshooting

Explanation/Reference:
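Questions 19 and 35 are easier to remember from a working logging configuration. This added example (not part of the dump) configures one destination of each kind from Question 19 on an ASA 8.2; the addresses, port, community string and mail settings are assumptions.

```cisco
! Added example: syslog destinations, each with its own severity level.
logging enable
logging timestamp
! internal buffer and the ASDM log viewer
logging buffer-size 65536
logging buffered warnings
logging asdm informational
! TCP-based secure (TLS) syslog server; "secure" requires tcp and a server
! certificate the ASA trusts
logging trap informational
logging host inside 10.0.1.20 tcp/1470 secure
! with a TCP syslog server the ASA stops allowing new connections when the
! server is unreachable (fail-closed); this keeps forwarding traffic instead
logging permit-hostdown
! e-mail, for the most severe messages only
smtp-server 10.0.1.25
logging from-address asa@example.com
logging recipient-address soc@example.com level critical
logging mail critical
! SNMP traps: "logging history" sets the level sent as traps
logging history errors
snmp-server host inside 10.0.1.30 trap community asa-traps version 2c
snmp-server enable traps syslog
```

Severity levels are cumulative: each level includes everything more severe than itself, so `debugging` (level 7, Question 35) sends every message the ASA can generate. Leave the trap level at `informational` or lower in production and use `logging list` or `logging message` to tune individual message IDs; `show logging` confirms the level and queue state of every destination.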

QUESTION 36
What is the default interval for how often the dynamic database of the Cisco ASA botnet traffic filter is updated from Cisco/IronPort?

A. every 5 minutes

B. every 15 minutes

C. every 30 minutes

D. every 1 hour

E. every 12 hours

F. every 24 hours

Answer: D
Section: Complex Operations

Explanation/Reference:

QUESTION 37
What feature can have a major performance impact if enabled?

A. VPN termination

B. Advanced Threat Detection

C. uRPF

D. DNS snooping

E. Anti-spoofing

Answer: B
Section: New Questions

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1096812

QUESTION 38
With ASA redundant interfaces, what happens when "Active" turns to "Standby"?

A. Sends hello packets

B. Does a broadcast ping to find the active interface

C. Checks any of the 8 redundant interface pairs for an active connection

D. Changes the mac-address to that of the new Active interface

E. does ARP request to see if the mac address responds

Answer: D
Section: New Questions

Explanation/Reference:

QUESTION 39
What feature is not supported with security contexts in transparent mode?

A. mac address learning

B. shared interface

C. multiple context mode

D. http inspection

Answer: B
Section: New Questions

Explanation/Reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146747

Note: The management interface for transparent mode does not flood a packet out the interface when that packet is not in the MAC address table. You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.

QUESTION 40
What does the hw-module module 1 recover command do?

A. automatically goes into ROMMON mode so you can access the module

B. allows you to reconfigure the management interface from a reset

C. forces the module to reload the software without any configuration

D. allows you to load a new software image from a TFTP server

E. enables the password recovery reset

Answer: D
Section: New Questions

Explanation/Reference:
Official Guide - Page 686

QUESTION 41
How many failover groups are supported by Active/Active failover?

A. 1

B. 2

C. 1 on each context

D. 2 on each context

Answer: B
Section: New Questions

Explanation/Reference:

QUESTION 42
With active/standby failover, what happens if the standby Cisco ASA does not receive three consecutive hello messages from the active Cisco ASA on the LAN failover interface?

A. The standby ASA immediately becomes the active ASA.

B. The standby ASA eventually becomes the active ASA after three times the hold-down time interval expires.

C. The standby ASA runs network activity tests, including ARP and ping, to determine if the active ASA has expired.

D. The standby ASA sends additional hello packets on all monitored interfaces, including the LAN failover interface, to determine if the active ASA has failed.

E. Both ASAs go into unknown state until the LAN interface becomes operational again.

Answer: C
Section: New Questions

Explanation/Reference:
Official Guide - page 610 onwards

QUESTION 43
Which feature is not supported on the Cisco ASA 5505 with the Security Plus license?

A. security contexts


B. stateless Active/Standby Failover

C. transparent firewall

D. threat detection

E. traffic shaping

Answer: A
Section: New Questions

Explanation/Reference:
Official Guide Page 27 - Table 1-14

QUESTION 44
Which two functions will the Set ASDM Defined User Roles perform? (Choose two.)

A. enables role based privileges to most Cisco ASA commands

B. enable the Cisco ASDM user to assign user privileges manually to individual commands or groups of commands

C. enables command authorization with a remote TACACS+ server

D. enables three pre-defined user account privileges (Admin = Priv 15, Read-only = Priv 5, Monitor only = Priv 3)

Answer: AD
Section: New Questions

Explanation/Reference:
Official Guide Page 208 onwards

Configuring Local AAA Command Authorization
To enable AAA authorization using the LOCAL database, you can use a wizard function in ASDM to quickly set up RBAC privilege levels to most commands, while still being able to make manual customizations to each command. To do so, navigate to Configuration > Device Management > Users/AAA > AAA Access and click the Authorization tab, shown in the background in Figure 5-29.

Exam C

QUESTION 1
Drag and Drop #1

Answer:

Section: Pre-Production Design

Explanation/Reference:

QUESTION 2
Drag and Drop #2

Answer:

Section: Complex Operations

Explanation/Reference:

QUESTION 3
Drag and Drop #3

Answer:

Section: Complex Operations


Explanation/Reference:


Exam D

QUESTION 1
LAB Question Intro - Scenario - Topo
This is a Hot Area - select the correct areas to click on
-------------------------------------------------------------------------------

Answer:


Section: Lab

Explanation/Reference:

QUESTION 2
LAB Question #1a - Scenario - Topo
This is a Hot Area - select the correct areas to click on
-------------------------------------------------------------------------------
Enable HTTP Inspect globally on the ASA

Answer:


Section: Lab

Explanation/Reference:

QUESTION 3
LAB Question #1b - Scenario - Topo
This is a Hot Area - select the correct areas to click on
-------------------------------------------------------------------------------
Enable HTTP Inspect globally on the ASA

Answer:


Section: Lab

Explanation/Reference:

QUESTION 4
LAB Question #1c - Scenario - Topo
This is a Hot Area - select the correct areas to click on
-------------------------------------------------------------------------------
Enable HTTP Inspect globally on the ASA

Answer:


Section: Lab

Explanation/Reference:

QUESTION 5
LAB Question #2 - Scenario - Topo
This is a Hot Area - select the correct areas to click on
-------------------------------------------------------------------------------
Create a new HTTP Inspect map named: http-inspect-map

Answer:


Section: Lab

Explanation/Reference:

QUESTION 6
LAB Question #2a - Parameters
This is a Hot Area - select the correct areas to click on
-------------------------------------------------------------------------------
Create a new HTTP Inspect map named: http-inspect-map > enable dropping of any HTTP connections that encounter HTTP protocol violations

Answer:


Section: Lab

Explanation/Reference:
1: Make sure you enter the name exactly as written - http-inspect-map
2: Leave Logging - disabled

QUESTION 7
LAB Question #2b-a - Inspections
This is a Hot Area - select the correct areas to click on
-------------------------------------------------------------------------------
Enable the dropping and logging of HTTP connections when the content type in the HTTP response does not match one of the MIME types in the Accept field of the HTTP request

Answer:


Section: Lab

Explanation/Reference:

QUESTION 8
LAB Question #2b-b - Scenario - Topo
This is a Hot Area - select the correct areas to click on
-------------------------------------------------------------------------------
Enable the dropping and logging of HTTP connections when the content type in the HTTP response does not match one of the MIME types in the Accept field of the HTTP request

Answer:


Section: Lab

Explanation/Reference:

Make sure to click OK at the end and it will show you this

QUESTION 9
LAB Question #2b-c - Scenario - Topo
This is a Hot Area - select the correct areas to click on
-------------------------------------------------------------------------------
Enable the dropping and logging of HTTP connections when the content type in the HTTP response does not match one of the MIME types in the Accept field of the HTTP request

Answer:

Section: Lab

Explanation/Reference:

Click OK all the way back to the main screen and you should see this

QUESTION 10
LAB Question Finishing
This is a Hot Area - select the correct areas to click on
-------------------------------------------------------------------------------
Make sure you save and exit properly

Answer:


Section: Lab

Explanation/Reference:
Two ways to save - preference is to Save before Exit
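The lab above is done in ASDM, but the result is a plain MPF configuration, and seeing it as CLI also answers Exam B Question 13 (where a Layer 5-7 policy map is referenced). The following is an added example written for this page, not a capture from the lab or the ASDM demo; only the map name http-inspect-map comes from the lab text, the class and policy names are the ASA defaults, and ASA 8.2 syntax is assumed.

```cisco
! Added example: CLI equivalent of the lab steps.

! Layer 5-7 policy map (the HTTP inspection map created in lab step 2)
policy-map type inspect http http-inspect-map
 parameters
  ! lab step 2a: drop, without logging, connections with HTTP protocol violations
  protocol-violation action drop-connection
 ! lab step 2b: drop and log when the response Content-Type is not one of
 ! the MIME types the client listed in its Accept header
 match req-resp content-type mismatch
  drop-connection log

! Question 13: the Layer 5-7 map is referenced from inside the Layer 3-4
! policy map, on the "inspect" action of a class
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http http-inspect-map

! lab step 1: the Layer 3-4 policy map is applied globally
! (ingress on every interface)
service-policy global_policy global

! lab finishing step: save the running configuration
write memory
```

`show running-config policy-map` confirms the map is attached, and `show service-policy inspect http` shows the packet and drop counters for the map once traffic flows. Note the asymmetry the lab asks for: a protocol violation is dropped silently, while a content-type mismatch is dropped and logged, so only the second will appear in syslog.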

Exam E

QUESTION 1
Which two statements about the Cisco ASA configuration are true? (Choose two.)

A. NAT Control is enabled

B. The Cisco ASA is setup as the DHCP server for hosts on the inside and outside interfaces

C. All IP traffic is permitted from the inside host to the outside

D. All hosts on the inside and on the outside can access Cisco ASDM

E. Access to the CLI in privileged mode will be authenticated using the LOCAL database on the Cisco ASA

F. The ASA is using a persistent self-signed certificate so users can authenticate the Cisco ASA when accessing it via Cisco ASDM

Answer: AB
Section: Pre-Production Design

Explanation/Reference:
Have to check each and every setting -- expect different results for different exams

QUESTION 2
The ASA administrator wants to configure the Botnet Traffic Filter using the dynamic database, but it is not working properly after the initial configuration has been entered. What other configuration is missing?

A. Enabling DNS Snooping

B. Enabling Botnet Traffic Filtering on at least one of the ASA interfaces

C. Enabling the ASA to periodically download the dynamic database from Cisco

D. Enabling DNS inspection globally

E. Configuring the manual white and black lists

Answer: AC
Section: Complex Operations

Explanation/Reference:
Just check all the following settings - certain they will change from time to time
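Questions 21 and 36 of Exam B and Question 2 above all concern the same feature, so here is the whole Botnet Traffic Filter configuration in one place. This is an added example written for this page, not taken from the dump or its exhibits, in ASA 8.2 syntax; the interface name "outside" is an assumption, and the feature additionally requires the Botnet Traffic Filter license plus `dns domain-lookup` and a `dns server-group` with a reachable name server so the updater client can resolve Cisco's update servers.

```cisco
! Added example: Botnet Traffic Filter with dynamic database and DNS snooping.

! 1. download the dynamic database from Cisco (Question 36: refreshed every
!    hour by default) and use it for classification
dynamic-filter updater-client enable
dynamic-filter use-database

! 2. DNS snooping (Question 21): the database holds domain names, so the
!    ASA watches DNS replies to learn which IP addresses map to those names
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside

! 3. enable the filter on an interface; all traffic is classified unless an
!    ACL is added with "classify-list <acl>"
dynamic-filter enable interface outside

! 4. optional: drop traffic to and from blacklisted addresses instead of
!    only logging it
dynamic-filter drop blacklist interface outside

! 5. optional local lists, merged with the dynamic database
dynamic-filter blacklist
 name bad.example.net
dynamic-filter whitelist
 name cisco.com
```

Two practical notes. If an interface already carries a service policy (typically `global_policy` with `inspect dns preset_dns_map` applied globally), add the `dynamic-filter-snoop` keyword to that existing `inspect dns` line instead of attaching a second policy to the interface. Then verify each stage separately: `show dynamic-filter updater-client` for the download status and next update time, `show dynamic-filter dns-snoop` for the learned address-to-name entries, and `show dynamic-filter statistics` for classified and dropped connections.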

QUESTION 3
When the Cisco ASA detects scanning attacks, how long is the attacker who is performing the scan shunned?

A. 120 seconds

B. 600 seconds

C. 1200 seconds

D. 3600 seconds

E. 6000 seconds

Answer: B
Section: Complex Operations

Explanation/Reference:
From ASDM