642-515

Cisco 642-515

CISCO 642-515 Securing Networks with ASA

Advanced

Practice TestVersion 3.1

Actu

alTe

sts.

com

QUESTION NO: 1

Which two statements correctly describe configuring active/active failover? (Choose two.)

A. You must assign contexts to failover groups from the admin context.

B. Both units must be in multiplemode.

C. You must configure two failover groups: group 1 and group 2.

D. You must use a crossover cable to connect the failover links on the two failover peers.

Answer: B,C

QUESTION NO: 2

Observe the following exhibit carefully. When TCP connections are tunneled over another TCP

connection and latency exists between the two endpoints, each TCP session would trigger a

retransmission, which can quickly spiral out of control when the latency issues persist. This issue

is often called TCP-over-TCP meltdown. According to the presented Cisco ASDM configuration,

which Cisco ASA security appliance configuration will most likely solve this problem?

A. Compression

B. MTU size of 500

C. Keepalive Messages

D. Datagram TLS

Answer: D

QUESTION NO: 3

The IT department of your company must perform a custom-built TCP application within the

clientless SSL VPN portal configured on your Cisco ASA security appliance. The application

should be run by users who have either guest or normal user mode privileges. In order to allow

this application to run, how to configure the clientless SSL VPN portal?

A. configure a smart tunnel for the application

Cisco 642-515: Practice Exam

"Pass Any Exam. Any Time." - www.actualtests.com 2

Actu

alTe

sts.

com

B. configure a bookmark for the application

C. configure the plug-in that best fits the application

D. configure port forwarding for the application

Answer: A

QUESTION NO: 4

According to the following exhibit. When a host on the inside network attempted an HTTP

connection to a host at IP address 172.26.10.100, which address pool will be used by the Cisco

ASA security appliance for the NAT?

A. 192.168.8.101 - 192.168.8.105

B. 192.168.8.20 - 192.168.8.100

C. 192.168.8.106 - 192.168.8.110

D. 192.168.8.20 - 192.168.8.110

Answer: B

QUESTION NO: 5

Study the following exhibit carefully. You are asked to configure the Cisco ASA security appliance

with a connection profile and group policy for full network access SSL VPNs. During a test of the

configuration using the Cisco AnyConnect VPN Client, the connection times out. In the process of

troubleshooting, you determine to make configuration changes. According to the provided Cisco

ASDM configuration, which configuration change will you begin with?



Actu

alTe

sts.

com

A. Require a client certificate on the interface.

B. Enable an SSL VPN client type on the interface.

C. Enable DTLS on the interface.

D. Enable a different access port that doesn't conflict with Cisco ASDM.

Answer: B

QUESTION NO: 6

You are the network security administrator for the P4S company. You create an FTP inspection

policy including the strict option, and it is applied to the outside interface of the corporate adaptive

security appliance. How to handle FTP on the security appliance after this policy is applied?

(Choose three.)

A. FTP inspection is applied to traffic entering the inside interface.

B. Strict FTP inspection is applied to traffic entering the outside interface.

C. FTP inspection is applied to traffic exiting the inside interface.

D. Strict FTP inspection is applied to traffic exiting the outside interface.

Answer: A,B,D

QUESTION NO: 7

Which three statements correctly describe protocol inspection on the Cisco ASA adaptive security

appliance? (Choose three.)

A. The protocol inspection feature of the security appliance securely opens and closes negotiated

ports and IP addresses for legitimate client-server connections through the security appliance.

B. For the security appliance to inspect packets for signs of malicious application misuse, you

must enable advanced (application layer) protocol inspection.



Actu

alTe

sts.

com

C. If inspection for a protocol is notenabled, traffic for that protocol may be blocked.

D. If you want to enable inspection globally for a protocol that is not inspected by default or if you

want to globally disable inspection for a protocol, you can edit the default global policy.

Answer: A,C,D

QUESTION NO: 8

An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used

with a standard Web browser. After configuring port forwarding for a clientless SSL VPN

connection, if port forwarding is to work, which end user privilege level is required at the endpoint?

A. system level

B. guest level

C. user level

D. administrator level

Answer: D

QUESTION NO: 9

Which two methods can be used to decrease the amount of time it takes for an active Cisco ASA

adaptive security appliance to fail over to its standby failover peer in an active/active failover

configuration? (Choose two.)

A. decrease the interface failover poll time

B. decrease the unit failover poll time

C. use the special serial failover cable to connect the security appliances

D. use single mode

Answer: A,B

QUESTION NO: 10

Multimedia applications transmit requests on TCP, get responses on UDP or TCP, use dynamic

ports, and use the same port for source and destination, so they can pose challenges to a firewall.

Which three items are true about how the Cisco ASA adaptive security appliance handles

multimedia applications? (Choose three.)

A. It dynamically opens and closes UDP ports for secure multimedia connections, so you do not

need to open a large range of ports.



Actu

alTe

sts.

com

B. It supports SIP with NAT but not with PAT.

C. It supports multimedia with or without NAT.

D. It supports RTSP, H.323, Skinny, and CTIQBE.

Answer: A,C,D

QUESTION NO: 11

Which options can a clientless SSL VPN user access from a web browser without port forwarding,

smart tunnels, or browser plug-ins?

A. web-enabled applications

B. Microsoft Outlook Web Access

C. files on the network, via FTP or the CIFS protocol

D. internal websites

Answer: A,B,C,D

QUESTION NO: 12

Cisco ASA 5505 Adaptive Security Appliance is designed for providing high-performance security

services. Study the following exhibit carefully. You are asked to configure a Cisco ASA 5505

Adaptive Security Appliance as an Easy VPN hardware client. When the telecommuter using the

ASA 5505 Adaptive Security Appliance for remote access first tries to connect to resources on the

corporate network, he is prompted for authentication. Which two group policy features will require

authentication, even if a username and password are configured on the Easy VPN hardware

client? (Select two.)



Actu

alTe

sts.

com

A. Individual User Authentication

B. Certificate Authentication

C. Secure Unit Authentication

D. Extended Authentication

Answer: A,C

QUESTION NO: 13

Study the following exhibit carefully. You work as the network administrator of a corporate Cisco

ASA security appliance with a Cisco ASA AIP-SSM. You are asked to use the AIP-SSM to protect

corporate DMZ web servers. The AIP-SSM has been configured, and a service policy has been

configured to identify the traffic to be passed to the AIP-SSM.

On which two interfaces would application of the service policy for the AIP-SSM be most effective

while causing the least amount of impact to Cisco ASA security appliance performance? (Choose

two.)



Actu

alTe

sts.

com

A. dmz interface

B. outside interface

C. globally on all interfaces

D. Internet interface

Answer: A,B

QUESTION NO: 14

You work as the network administrator for your company. Now, you are asked to configure the

Cisco ASA security appliance, using Modular Policy Framework to prevent executables with the

.exe file extension from being downloaded. Which regular expression should be created to match

the .exe file extension?

A. *.exe

B. .+\.[Ee][Xx][Ee]

C. .+.[Ee][Xx][Ee]

D. .*\.[Ee][Xx][Ee.

Answer: B

QUESTION NO: 15

For the following commands, which one causes the Cisco CSC-SSM to load a new software

image from a remote TFTP server, via the CLI?

A. hw module 1 recover reload

B. copytftp hardware:module1

C. hw module 1 recover config

D. hw module 1 recover boot

Answer: D



Actu

alTe

sts.

com

QUESTION NO: 16

You work as a network administrator for your company. Study the exhibit carefully. ASDM is short

for Adaptive Security Device Manager. You are responsible for multiple remote Cisco ASA security

appliances administered through Cisco ASDM. Recently, you have been tasked to configure one

of these Cisco ASA security appliances for SSL VPNs and are requiring a client certificate, as

shown. How will this configuration affect your next ASDM connection to this Cisco ASA security

appliance?

A. You would be asked to present an identity certificate. If you did not have one, the Cisco ASA

security appliance would prompt you for authentication credentials, consisting of a username and

password.

B. Your connection would be handled the way it is always handled by this Cisco ASA security

appliance.

C. You would be required to have an identity certificate that the Cisco ASA security appliance can

use for authentication.

D. You would be required to download the identity certificate of the remote Cisco ASA security

appliance.

Answer: C

QUESTION NO: 17

You are a new employee of your company. Recently, you have been tasked to configure Cisco

ASA security appliance for multiple VLANs that use one physical interface. The switch to which the

physical Cisco ASA security appliance interface is connected should be configured for the

appropriate VLAN tagging protocol. In order to achieve this goal, which VLAN tagging protocol will

the Cisco ASA security appliance use to communicate with this switch?



Actu

alTe

sts.

com

A. ISL

B. IEEE 802.1Q

C. IEEE 802.1AE

D. IEEE 802.3

Answer: B

QUESTION NO: 18

In an active/active failover configuration, which event triggers failover at the failover group level?

A. The no failover active groupgroup_id command is entered in the system configuration.

B. The no failover active command is entered in the system configuration.

C. The unit has a software failure.

D. Two monitored interfaces in the group fail.

Answer: A

QUESTION NO: 19

Cisco ASA 5500 Series Adaptive Security Appliances are easy-to-deploy solutions that integrate

world-class firewall, Unified Communications (voice/video) security, SSL and IPsec VPN, intrusion

prevention (IPS), and content security services in a flexible, modular product family. You are

asked to configure a Cisco ASA 5505 Adaptive Security Appliance as an Easy VPN hardware

client. In the process of configuration, you defined a list of backup servers for the security

appliance to use. After several hours of being connected to the primary VPN server, the security

appliance fails. You notice that your Easy VPN hardware client has now connected to a backup

server that is not defined within the configuration of the client. Where did your Easy VPN hardware

client get this backup server?



Actu

alTe

sts.

com

A. The backup servers that you listed were no longer available, so the Easy VPN hardware client

used the list of backup servers that it retrieved from the primary server.

B. The connection profile that was configured on the primary VPN server was pushed to your Easy

VPN hardware client and overwrote the list of backup servers that you had configured.

C. The backup servers that you listed were not configured as VPN servers, so the Easy VPN

hardware client used the list of backup servers retrieved from the primary server.

D. The group policy that was configured on the primary VPN server was pushed to your Easy VPN

client and overwrote the list of backup servers that you had configured.

Answer: D

QUESTION NO: 20

Refer to the exhibit. You have configured a Layer 7 policy map to match the size of HTTP header

fields that are traversing the network. Based on this configuration, will HTTP headers that are

greater than 200 bytes be logged?



Actu

alTe

sts.

com

A. No, because the reset action for headers greater than 100 bytes would be the first match.

B. Yes, because the log action for headers greater than 200 bytes would be the last match.

C. Yes, because the reset action for headers greater than 100 bytes and the log action for headers

greater than 200 bytes would both be applied.

D. No, because reset or log actions are a part of the service policy and the Layer 7 policy map.

Answer: A

QUESTION NO: 21

Annie is a network administrator of her company. She is responsible for a Cisco ASA security

appliance. Using a valid identity certificate from her certificate authority, she has created the

necessary configuration for remote-access VPN tunnels by use of the IPsec VPN Wizard. When

she tests the remote-access VPN, the VPN tunnel does not come up. If the remote-access VPN

configuration created by the wizard is correct and valid certificates are being used by the Cisco

ASA security appliance and Cisco VPN Client, which corrective action should be configured or

corrected for the VPN tunnel to come up properly?

A. The IKE phase two configuration is not part of the IPsec VPN Wizard configuration and must be

configured.

B. NAT-Transparency configuration is not part of theIPsec VPN Wizard configuration and must be

configured.

C. The IKE phase one configuration is not part of the IPsec VPN Wizard configuration and must be

configured.

D. The mapping of digital certificates to connection profile is not part of theIPsec VPN Wizard

configuration and must be configured.

Answer: D



Actu

alTe

sts.

com

QUESTION NO: 22

Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the

routing process for those networks and hosts protected by a remote tunnel endpoint. These

protected hosts and networks are known as remote proxy identities. Study the following exhibit

carefully. What does Reverse Route Injection enable in this configuration?

A. The Cisco ASA security appliance will advertise its default routes to the distant end of the site-

to-site VPN tunnel.

B. The Cisco ASA security appliance will advertise routes that are at the distant end of the site-to-

site VPN tunnel.

C. The Cisco ASA security appliance will advertise routes that are on its side of the site-to-site

VPN tunnel to the distant end of the site-to-site VPN tunnel.

D. The Cisco ASA security appliance will advertise routes from the dynamic routing protocol that is

running on the Cisco ASA security appliance to the distant end of the site-to-site VPN tunnel.

Answer: B

QUESTION NO: 23

Alex is tasked with installing a digital certificate for a Cisco VPN Client on a laptop for a user. What

is the reason that the certificate is in an "invalid:not active" state?



Actu

alTe

sts.

comA. The certificate passphrase must be sent to the CA for validation.

B. The time on the CA server and the time on the laptop are out of sync.

C. The certificate number of "0" indicates that the certificate has expired.

D. The user has not clicked the Verify button within the Cisco VPN Client.

Answer: B

QUESTION NO: 24

You are a network engineer of your company. Recently, you have been tasked to configure Cisco

ASA security appliance for EIGRP routing. Which two Cisco ASDM configurations will add these

networks to the configuration of EIGRP according to the information displayed in the exhibit?

(Choose two.)



Actu

alTe

sts.

com



Actu

alTe

sts.

com

A. Configuration 1

B. Configuration 2

C. Configuration 3

D. Configuration 4

E. Configuration 5

F. Configuration 6

Answer: A,E

QUESTION NO: 25



Actu

alTe

sts.

com

During a stateful active/standby failover, which two events will happen? (Choose two.)

A. The user authentication (uauth) table is passed to the standby unit.

B. The secondary unit inherits the IP addresses of the primary unit.

C. SIP signaling sessions are lost.

D. The standby unit becomes the active unit.

Answer: B,D

QUESTION NO: 26

Cisco Secure Desktop, an innovative feature found in Cisco's WebVPN solutions, can help

organizations respond to government regulations for data protection by safeguarding the privacy

and security of confidential information. Afer configuring Cisco Secure Desktop on your Cisco ASA

security appliance, you should configure Cisco Secure Desktop to run Host Scan checks on the

remote endpoint. Which three available Basic Host Scan checks can be configured? (Choose

three.)

A. process

B. file

C. groups

D. registry

Answer: A,B,D

QUESTION NO: 27

Which two options are correct about the impacts of this configuration? (Choose two.)

class-map INBOUND_HTTP_TRAFFIC

match access-list TOINSIDEHOST

class-map OUTBOUND_HTTP_TRAFFIC

match access-list TOOUTSIDEHOST

policy-map MYPOLICY

class INBOUND_HTTP_TRAFFIC

inspect http

set connection conn-max 100

policy-map MYOTHERPOLICY

class OUTBOUND_HTTP_TRAFFIC

inspect http

service-policy MYOTHERPOLICY interface inside

service-policy MYPOLICY interface outside



Actu

alTe

sts.

com

A. Traffic that matches access control list TOINSIDEHOST is subject to HTTP inspection and

maximum connection limits.

B. Traffic that enters the security appliance through the inside interface is subject to HTTP

inspection.

C. Traffic that enters the security appliance through the outside interface and matches access

control list TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.

D. Traffic that enters the security appliance through the insideinterface and matches access

control list TOOUTSIDEHOST is subject to HTTP inspection.

Answer: C,D

QUESTION NO: 28

Modular Policy Framework provides a consistent and flexible way to configure security appliance

features in a manner similar to Cisco IOS software QoS CLI. Which three Cisco Modular Policy

Framework features are bidirectional? (Choose three.)

A. CSC policy

B. AIP policy

C. QoS priority queue

D. application inspection

Answer: A,B,D

QUESTION NO: 29

Which three encapsulation types will be supported by the Cisco ASA security appliance for IPsec

NAT transparency? (Choose three.)

A. NAT-T

B. IPsec over TCP

C. IPsec over UDP

D. IPsec over PPTP

Answer: A,B,C

QUESTION NO: 30

Which two options are correct about the threat detection feature of the Cisco ASA adaptive

security appliance? (Choose two.)



Actu

alTe

sts.

com

A. The security appliance scanning threat detection feature is based on traffic signatures.

B. The threat detection feature can help you determine the level of severity for packets that are

detected and dropped by the security appliance inspection engines.

C. Because of their impact on performance, both basic threat detection and scanning threat

detection are disabled by default.

D. Scanning threat detection detects network sweeps and scans and optionally takes appropriate

preventative action.

Answer: B,D

QUESTION NO: 31

Refer to the following internal channels , which two can be used for communication between the

Cisco ASA AIP-SSM and the Cisco ASA security appliance? (Choose two.)

A. control channel

B. promiscuous channel

C. inline channel

D. data channel

Answer: A,D

QUESTION NO: 32

For creating and configuring a security context, which three tasks are mandatory? (Choose three.)

A. allocating interfaces to the context

B. assigning MAC addresses to context interfaces

C. specifying the location of the context startup configuration

D. creating a context name

Answer: A,C,D

QUESTION NO: 33

For configuring VLAN trunking on a security appliance interface, which three actions are

mandatory? (Choose three.)

A. associating a logical interface with a physical interface

B. specifying a VLAN ID for asubinterface

C. specifying a name for asubinterface



Actu

alTe

sts.

com

D. specifying the maximum transmission unit for asubinterface

Answer: A,B,C

QUESTION NO: 34

Which three features can the Cisco ASA adaptive security appliance support? (Choose three.)

A. 802.1Q VLANs

B. OSPF dynamic routing

C. static routes

D. BGP dynamic routing

Answer: A,B,C

QUESTION NO: 35


features in a manner similar to Cisco IOS software QoS CLI. Your company asked you to examine

the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive

Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).

Which two impacts are of the policy map named PARTNERNET-POLICY on FTP traffic entering

the partnernet interface?



Actu

alTe

sts.

comA. Prevents all users except "root" from accessing the path /root.

B. Logs all attempts to download files from the FTP server on the inside interface.

C. Blocks the FTP request commands DELE, MKD, PUT, RMD, RNFR, and RNTO.

D. Resets connections that send embedded commands.

Answer: C,D

QUESTION NO: 36

What is the reason that you want to configure VLANs on a security appliance interface?

A. for use in multiple contextmode, where you can map only VLAN interfaces to contexts

B. for use in conjunction with device-level failover to increase the reliability of your security

appliance

C. to increase the number of interfaces available to the network without adding additional physical

interfaces or security appliances

D. for use in transparent firewall mode, where only VLAN interfaces are used

Answer: C

QUESTION NO: 37

You are the network administrator for your company. Study the exhibit carefully. You are

responsible for a Cisco ASA security appliance configured with a local CA. According to the exhibit

below, what is the reason that the user student1 will use this password?



Actu

alTe

sts.

com

A. retrieval of the digital certificate from the local CA on the Cisco ASA security appliance

B. authentication to the SSL VPN server

C. retrieval of the Cisco ASA security appliance identity certificate

D. the initial authentication to the SSL VPN server

Answer: A

QUESTION NO: 38





Which two steps should the Cisco Adaptive Security Applicance take on HTTP traffic entering its

outside interface? (Choose two.)



Actu

alTe

sts.

comA. Drops HTTP request messages whose request method is post and whose user-agent field

contains either the string Some_New_P2P_Client1 or the string Some_New_P2P_Client2.

B. Forwards all HTTP request messages that are permitted by access control lists (ACLs) on the

outside interface.

C. Logs HTTP request messages whose request method is post and whose user-agent field

contains either the string Some_New_P2P_Client1 or the string Some_New_P2P_Client2.

D. Drops HTTP request messages whose user-agent field contains the string

Some_New_P2P_Client1 and the string Some_New_P2P_Client2.

Answer: A,C

QUESTION NO: 39

While setting up a remote access VPN, which three items does the Cisco ASDM IPsec VPN

Wizard require you to configure? (Choose three.)

A. tunnel group name

B. a pool of addresses to be assigned to remote users

C. IPsec encryption and authentication parameters

D. peer IP address

Answer: A,B,C

QUESTION NO: 40



Actu

alTe

sts.

com

On the basis of the Configuration > Device Setup > Interfaces pane displayed in the following

exhibit, which is the model number of this Cisco ASA security appliance?

A. Cisco ASA 5505 Adaptive Security Appliance

B. Cisco ASA 5550 Adaptive Security Appliance

C. Cisco ASA 5580 Adaptive Security Appliance

D. Cisco ASA 5540 Adaptive Security Appliance

Answer: A

QUESTION NO: 41

Which three items are main components of Cisco Modular Policy Framework? (Choose three.)

A. traffic policy

B. policy map

C. class map

D. service policy

Answer: B,C,D

QUESTION NO: 42



Actu

alTe

sts.

com

Study the exhibit carefully. Apply the HTTP inspection map named HTTP_POLICY to the

partnernet interface of the security appliance. Which step will be taken by the security appliance

as a result of its configuration for HTTP traffic that enters its partnernet interface?

A. drops HTTP request messages for which the request method is put, and logs HTTP request

messages for which the request header host field contains either the string example1.com or the

string example2.com

B. logs HTTP request messages for which the request method is put, and drops HTTP request

messages for which the request header host field contains either the string example1.com or the

string example2.com

C. drops and logs HTTP request messages for which the request method is put or the request

header host field contains the strings example1.com and example2.com

D. drops and logs HTTP request messages for which the request method is put and the request

header host field contains either the string example1.com or the string example2.com

Answer: D

QUESTION NO: 43

DAP is short for Dynamic Access Policies. You are configuring a DAP for SSL VPN connections to

your Cisco ASA security appliance. You add an Endpoint Attribute Type of "File" and select the

Endpoint ID of "10," according to the presented configuration. Within which area of the Cisco ASA

security appliance configuration is this endpoint attribute defined?



Actu

alTe

sts.

comA. SSL VPN connection profile

B. SSL VPN group policy

C. user-specific policy

D. Cisco Secure Desktop

Answer: D

QUESTION NO: 44

An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used

with a standard Web browser. SSL VPNs can provide increased flexibility over IPsec VPNs, on the

basis of the location of the client and ownership of the endpoint. But, security of the endpoint is a

potential problem. Which three potential security issues could the Cisco ASA security appliance

address through SSL VPN policies or features? (Select three.)

A. phishing

B. spyware

C. viruses

D. malware

Answer: B,C,D

QUESTION NO: 45

While implementing QoS, which two types of queues are available on the Cisco ASA security

appliance? (Choose two.)



Actu

alTe

sts.

com

A. best effort queue

B. round robin queue

C. weighted fair

D. low latency queue

Answer: A,D

QUESTION NO: 46

The following exhibit shows a Cisco ASA security appliance configured to participate in a VPN

cluster. According to the exhibit, to which value will you set the priority to increase the chances of

this Cisco ASA security appliance becoming the cluster master?

A. 10

B. 100

C. 0

D. 1

Answer: A

QUESTION NO: 47

On the basis of the following information. Applying the HTTP inspection map named

MY_HTTP_MAP to the outside interface of the security appliance. Because of this configuration,

which action will be taken by the security appliance on HTTP traffic entering its outside interface?



Actu

alTe

sts.

com

NOTE: The CLI version of this configuration is provided here.

regex URL_ABC ".+abc\.com"

regex URL_DEF ".+def\.com"

regex URL_XYZ ".+xyz\.com"

. . .

class-map OUTSIDE_CLASS

match any

class-map type regex match-any URLs

match regex URL_ABC

match regex URL_XYZ

class-map type inspect http match-all

RESTRICTED_HTTP

match request body length gt 1000

match not request uri regex class URLs

. . .

policy-map type inspect http MY_HTTP_MAP

parameters

protocol-violation action drop-connection

class RESTRICTED_HTTP

drop-connection

policy-map OUTSIDE_POLICY

class OUTSIDE_CLASS

inspect http MY_HTTP_MAP

. . .

service-policy OUTSIDE_POLICY interface outside



Actu

alTe

sts.

com

A. drops any HTTP request that is destined for xyz.com or has a header length greater than 1000

bytes

B. drops any HTTP request for def.com that has a body length greater than 1000 bytes

C. drops any HTTP packet that is destined for def.com and has a header length greater than 1000

bytes

D. drops any HTTP packet that is destined for abc.com or has a body length greater than 1000

bytes

Answer: B

QUESTION NO: 48

In your company, you are responsible for administrating a Cisco ASA security appliance with a

Cisco ASA CSC-SSM. You use a new version of software to upgrade the CSC-SSM. After

finishing the upgrade, you issue the show module 1 detail command; The following exhibit displays

the results of this command. What is the reason that the status of the CSC-SSM is "Up" when it is

not activated?



Actu

alTe

sts.

comA. The software upgrade image has failed to load properly.

B. The CSC-SSM cannot communicate with the network and therefore cannot apply its

configuration to network traffic.

C. The CSC-SSM is in the administrative down state and is waiting to be changed to the

administrative up state.

D. The software upgrade image loaded successfully but the CSC-SSM has not had its license

applied.

Answer: D

QUESTION NO: 49

You work as a network administrator for your company. You are in charge of a Cisco ASA security

appliance for remote access IPsec VPNs, you are assisting a user who has a digital certificate

configured for the Cisco VPN Client. How to find the MD5 and SHA-1 thumb print of the certificate

on the basis of the following exhibit?



Actu

alTe

sts.

com

A. Choose the certificate and then click the Certificate drop-down menu.

B. Choose the certificate and then click the Verify button.

C. Choose the certificate and then click Options > Properties.

D. Choose the certificate and then click the View button.

Answer: D

QUESTION NO: 50

Charles is a network administrator for his company. He has configured Cisco ASA security

appliance for SSL VPNs. What will happen when the remote user has successfully authenticated

according to the following exhibit?

A. The Cisco ASA security appliance will open the clientless SSL VPN portal if no Cisco

AnyConnect VPN Client is installed on the remote system.

B. The Cisco ASA security appliance will push the Cisco AnyConnect VPN Client down to the

remote system, install the client, and ask the user to authenticate again.

C. The Cisco ASA security appliance will wait indefinitely for the user to select clientless SSL VPN

portal or an SSL VPN client to use for the SSL VPN connection.

D. The Cisco ASA security appliance will push the Cisco AnyConnect VPN Client down to the

remote system, install the client, and use it to complete the SSL VPN connection.



Actu

alTe

sts.

com

Answer: D

QUESTION NO: 51

For the following items, which three types of information could be found in the syslog output for an

adaptive security appliance? (Choose three.)

A. hostname of the packet sender

B. time stamp and date

C. message text

D. logging level

Answer: B,C,D

QUESTION NO: 52

Observe the following items carefully, which two types of digital certificate enrollment processes

are available for the Cisco ASA security appliance? (Choose two.)

A. HTTP

B. manual

C. FTP

D. SCEP

Answer: B,D

QUESTION NO: 53

Observe the exhibit carefully. You are asked to review the configuration of the clientless SSL VPN

connection profile, which was created by a junior administrator. Which authentication method is

configured in the clientless profile?

A. The Cisco ASA security appliance requires AAA authenticate to the external AAA server

LOCAL if the remote user does not have an identity certificate for authentication.



Actu

alTe

sts.

com

B. The Cisco ASA security appliance requires a username and password if the remote user does

not have an identity certificate for authentication.

C. The Cisco ASA security appliance accepts an identity certificate or a username and password

for authentication of remote users, but not both.

D. The Cisco ASA security appliance requires both an identity certificate and username and

password for authentication of remote users.

Answer: D

QUESTION NO: 54

Study the following exhibit carefully. You have been tasked to administrate a new Cisco ASA

security appliance with a Cisco ASA CSC-SSM. You are using the CSC Setup Wizard from within

Cisco ASDM to configure the CSC-SSM for traffic selection. In the process of the configuration of

traffic selection, the CSC Setup Wizard asks If CSC card fails and provides two options. What will

each of these options do if chosen? (Choose two.)

A. The Close option does not allow any traffic that is traversing the Cisco ASA security appliance

to continue when the CSC card fails.

B. The Close option does not allow traffic that is configured for CSC inspection to continue when

the CSC card fails.

C. The Permit option allows traffic to continue to flow to the CSC for inspection, even when a

hardware failure has been detected.

D. The Permit option allows traffic that is configured for CSC inspection to continue through the

Cisco ASA security appliance, if the CSC card fails.

Answer: B,D

QUESTION NO: 55



Actu

alTe

sts.

com

You are the administrator for Cisco ASA security appliances that are used for site-to-site VPNs

between remote and corporate offices. You have used the Service Policy Rule Wizard within

ASDM to configure low-latency queuing for unified communications on all the appropriate ASAs.

Users are still having issues with unified communications between the remote and corporate

offices. Assuming that the Cisco Unified Communications equipment is functioning properly and

that the VPN configurations are correct, which of these choices is most likely the cause of the

problems?

A. The DSCP, expedite forward, ef (46), was used to determine unified communications traffic

within the Service Policy Rule Wizard.

B. The tunnel group and DSCP traffic matching criteria were configured within the Service Policy

Rule Wizard.

C. Both a policing and priority queue must be applied on the interface to expedite the voice and

control data flows.

D. A priority queue must be created on the interface where the site-to-site VPN tunnel is

terminated.

Answer: D

QUESTION NO: 56

The Cisco ASA 5520 Adaptive Security Appliance delivers a wide range of security services with

Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise

networks, in a modular, high performance appliance. You have configured a Cisco ASA 5520

Adaptive Security Appliance as a Easy VPN hardware client. But from within Cisco ASDM, you

cannot find the Easy VPN Remote configuration option within the Remote Access VPN menu.

What is the reason that you can not find this configuration option within Cisco ASDM on the ASA

5520 Adaptive Security Appliance?

A. The Easy VPN feature with the BIOS of the ASA 5520 Adaptive Security Appliance was not

enabled.

B. The version of Cisco ASDM software loaded on the Cisco ASA security appliance is corrupt.

C. The version of Cisco ASDM software loaded on the Cisco ASA security appliance does not

support the Easy VPN feature.

D. Only the Cisco ASA 5505 Adaptive Security Appliance can bea Easy VPN hardware client.

Answer: D

QUESTION NO: 57

Study the exhibit below carefully. Apply the FTP inspection map named L7FTPPOLICY to the

outside interface of the security appliance. Because of this configuration, which action will the



Actu

alTe

sts.

com

security appliance take on FTP traffic entering its outside interface?

A. resets and logs connections from abc.com users when they attempt to retrieve files via FTP;

resets all FTP connections from xyz.com users; resets any user connections that attempt to

deliver files via FTP

B. resets and logs connections from abc.com users only when they attempt to retrieve files via

FTP: resets connections from xyz.com users only when they attempt to deliver files via FTP

C. resets and logs connections from any user who attempts to retrieve files via FTP; resets

connections from xyz.com users who attempt to deliver files via FTP

D. resets connections from abc.com and xyz.com users when they attempt to retrieve files via

FTP; logs any user connections that attempt to deliver files via FTP

Answer: A

QUESTION NO: 58

The P4S security department would like to apply specific restrictions to one network user, Bob,

because he works from home and accesses the corporate network from the outside interface of

the security appliance. P4S decides to control network access for this user by using the

downloadable ACL feature of the security appliance. Authentication of inbound traffic is already

configured on the security appliance, and Bob already has a user account on the Cisco Secure



Actu

alTe

sts.

com

ACS. Which three tasks should be completed in order to achieve the goal of limiting network

access for Bob via downloadable ACLs? (Choose three.)

A. Configure the security appliance to use downloadable ACLs.

B. Configure the downloadable ACLs on the Cisco Secure ACS.

C. Attach the downloadable ACL to the user profile for Bob on the Cisco Secure ACS.

D. Configure the Cisco Secure ACS to use downloadable ACLs.

Answer: B,C,D

QUESTION NO: 59

Observe the exhibit below carefully. You have been tasked to configure the Cisco ASA security

appliance as the hub in a hub-and-spoke site-to-site VPN. Which configurations can enable traffic

to flow between spokes?



Actu

alTe

sts.

com

A. Configuration 1

B. Configuration 2

C. Configuration 3

D. Configuration 4

Answer: D

QUESTION NO: 60



Actu

alTe

sts.

com

Alexander is a network engineer of his company. He is asked to configure split tunneling to use

the ACL split-tunnel for remote access IPsec VPNs. According to the exhibit below, which two

Cisco ASDM configurations would tunnel traffic to the inside network and allow connected users to

access their local network and the Internet? (Select two.)



Actu

alTe

sts.

com

A. Configuration 1

B. Configuration 2

C. Configuration 3

Answer: B,C

QUESTION NO: 61

Which three of these choices are potential groups of users for clientless SSL VPNs? (Choose

three.)

A. partners who access specific internal applications from desktops and laptops that are not

managed by IT

B. customers who use a customer service kiosk placed in a retail store

C. temporary or remote employees who only rarely need access to a few applications

D. employees who need access to a wide range of corporate applications

Answer: A,B,C

QUESTION NO: 62

Tom works as a network administrator for the P4S company. The primary adaptive security

appliance in an active/standby failover configuration failed, so the secondary adaptive security

appliance was automatically activated. Tom then fixed the problem. Now he would like to restore

the primary to active status. Which one of the following commands can reactivate the primary

adaptive security appliance and restore it to active status while issued on the primary adaptive

security appliance?

A. failover exec standby

B. failover reset

C. failover primary active

D. failover active

Answer: D

QUESTION NO: 63

The security department of the P4S company wants to configure cut-through proxy authentication

via RADIUS to require users to authenticate before accessing the corporate DMZ servers. Which

three tasks are needed to achieve this goal? (Choose three.)



Actu

alTe

sts.

com

A. Configure a rule that specifies which traffic flow to authenticate.

B. Designate an authentication server.

C. Specifya AAA server group.

D. Configure per-user override.

Answer: A,B,C

QUESTION NO: 64

Which two statements correctly describe the local user database in the security appliance?

(Choose two.)

A. You can create user accounts with or without passwords in the local database.

B. You cannot use the local database for network access authentication.

C. You can configure the security appliance to lock a user out after the user meets a configured

maximum number of failed authentication attempts.

D. The default privilege level for a new user is 15.

Answer: A,C

QUESTION NO: 65

John works as a network engineer for your company. Study the following exhibit carefully. John is

asked to configure Cisco ASA security appliance for port forwarding access to the internal e-mail

server running POP3 (TCP port 110) and SMTP (TCP port 25). Which two configurations of the

port forwarding list will allow remote users to access the internal email server through port

forwarding? (Choose two.)

A.

B.

Answer: A,B

QUESTION NO: 66



Actu

alTe

sts.

com





Which step will be taken by the Cisco Adaptive Security Appliance on FTP traffic entering its

outside interface?

A. Masks the FTP greeting banner.

B. Translates embedded IP addresses.

C. Blocks the FTP request commands APPE, GET, RNFR, RNTO, DELE, MKD, and RMD.

D. Prevents all users except "root" from accessing the path/root.

Answer: B



Actu

alTe

sts.

com

QUESTION NO: 67

A Cisco ASA security appliance can obtain a certificate revocation list from a certificate authority in

which three ways? (Choose three.)

A. TFTP

B. SCEP

C. LDAP

D. HTTP

Answer: B,C,D

QUESTION NO: 68

You work as a network engineer for your company. Recently, you have been tasked with verifying

the Cisco ASA security appliance interfaces that are used for a web connection from the Internet

to a DMZ web server. According to the presented Configuration > Device Setup > Interfaces pane,

which two interfaces will a connection traverse when it is coming from the Internet and connecting

to the web server with the IP address 172.16.20.10? (Choose two.)

A. GigabitEthernet0/2.30

B. Management0/0

C. GigabitEthernet0/2.20



Actu

alTe

sts.

com

D. GigabitEthernet0/0

Answer: C,D

QUESTION NO: 69

Refer to the exhibit. You are configuring a laptop with the Cisco VPN Client, which will use digital

certificates for authentication. Which protocol will the Cisco VPN client use to retrieve the digital

certificate from the CA server?

A. HTTPS

B. TFTP

C. LDAP

D. SCEP

Answer: D

QUESTION NO: 70

Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP)

communications by authenticating and encrypting each IP packet of a data stream. With Cisco

ASA Adaptive Security Appliance Software Version 7.x and later, which IPsec standard is not

supported on the Cisco ASA security appliance?

A. AH



Actu

alTe

sts.

com

B. ESP

C. MD5

D. DES

Answer: A

QUESTION NO: 71

You work as a network administrator for your company, you are responsible for a Cisco ASA

security appliance. Recently, you have been asked to configure SSL VPNs to require digital

certificates. Which four configuration options are available on the Cisco ASA security appliance for

digital certificate management for SSL VPNs ?

A. The Cisco ASA security appliance can be configured as a standalone local CA.

B. The Cisco ASA security appliance can generate a self-signed certificate to be used as its

identity certificate for SSL VPN connections.

C. The local CA on the Cisco ASA security appliance can issue certificates to users who require

certificates for SSL VPN connections.

D. The Cisco ASA security appliance can be configured to retrieve its identity certificate from an

external CA.

Answer: A,B,C,D

QUESTION NO: 72

Recently, a branch office of your company has upgraded its network by changing the network

topology of the branch, and the site-to-site VPN tunnel that runs between the branch and the

corporate office has been reconfigured to perform Reverse Route Injection to accommodate the

recent change. You are performing OSPF between the corporate Cisco ASA security appliance

and routers on the internal network. Assume that the VPN configuration is correct, which step will

be taken on the corporate Cisco ASA security appliance to make sure that these new routes are

visible to internal routers running OSPF?

A. Reverse Route Injection uses RIP, so you must add a RIP process and redistribute the learned

RIP routes into OSPF.

B. Reverse Route Injection requires that you configure a new OSPF process that will add these

routes to the Cisco ASA security appliance routing table.

C. Reverse Route Injection uses static routes, so you must configure OSPF to redistribute the

static routes.

D. Reverse Route Injection uses EIGRP, so you must add an EIGRP process and redistribute the

learned EIGRP routes into OSPF.



Actu

alTe

sts.

com

Answer: C

QUESTION NO: 73

Which one of the following commands can provide detailed information about the crypto map

configurations of a Cisco ASA adaptive security appliance?

A. show runipsec sa

B. show run crypto map

C. showipsec sa

D. show crypto map

Answer: B

QUESTION NO: 74

While using IPsec VPN tunnels, which primary benefit is provided by digital certificates?

A. scalability

B. obfuscation

C. resiliency

D. simplification

Answer: A

QUESTION NO: 75





Which option is correct with regard to HTTP inspection on the Cisco Adaptive Security Appliance?



Actu

alTe

sts.

com

A. HTTP traffic is inspected as it enters or exits the outside interface.

B. HTTP traffic is inspected only as it enters any interface.

C. Advanced HTTP inspection is applied to traffic entering the outside interface, and basic HTTP

inspection is applied to traffic entering any interface.

D. HTTP traffic is inspected as it enters or exits any interface.

Answer: A

QUESTION NO: 76

You are the network administrator of your company. You would like to add SSL VPN Cisco

AnyConnect VPN Client for use by remote users. After checking the Cisco software download site,

you discovered a number of different versions of Cisco AnyConnect VPN Client Software available

for download. If you know the Cisco ASA Adaptive Security Appliance Software version and the

remote user's PC operating system, how to determine the appropriate version of Cisco

AnyConnect VPN Client to download?



Actu

alTe

sts.

com

A. The version of CiscoAnyConnect VPN Client Software must only be compatible with the

operating system.

B. Newer versions of the CiscoAnyConnect VPN Client Software are backward compatible with

earlier versions.

C. The version of CiscoAnyConnect VPN Client Software and the compatible version of Cisco

ASA Adaptive Security Appliance Software are based on release notes.

D. All versions of the CiscoAnyConnect VPN Client Software are compatible with all releases of

Cisco ASA Adaptive Security Appliance Software.

Answer: C

QUESTION NO: 77

Which two statements are true about multiple context mode? (Choose two.)

A. Multiple context mode enables you to add to the security appliance a hardware module that

supports up to four independent virtual firewalls.

B. Multiple contextmode does not support IPS, IPsec, and SSL VPNs, or dynamic routing

protocols.

C. When you convert from single mode to multiplemode, the security appliance automatically adds

an entry for the admin context to the system configuration with the name "admin."

D. Multiple contextmode enables you to create multiple independent virtual firewalls with their own

security policies and interfaces.

Answer: C,D

QUESTION NO: 78

You are a senior Cisco ASA security appliance administrator. Now, a new employee of your

company asks you to help to configure a Cisco ASA security appliance for an identity certificate to

be used for IPsec VPNs. Refer to the two Cisco ASDM configuration screens presented, which is

a requirement for configuring the Cisco ASA security appliance for an identity certificate?



Actu

alTe

sts.

comA. To retrieve an identity certificate, the Cisco ASA security appliance must have the certificate of

the CA.

B. Because of the lack of a CA certificate, the administrator must import the identity certificate from

a file.

C. To retrieve an identity certificate, the common name must be an FQDN.

D. The Cisco ASA security appliance doesn't need to retrieve an identity certificate. It can use a

self-signed identity certificate for IPsec.

Answer: A

QUESTION NO: 79





What is the impact of the FTP inspection policy named MY-FTP-MAP on FTP traffic entering the

partnernet interface?



Actu

alTe

sts.

com

A. Masks the FTP banner.

B. Tracks each FTP command and response sequence for certain anomalous activity.

C. Has no effect on the behavior of the Cisco Adaptive Security Appliance.

D. Prevents web browsers from sending embedded commands in FTP requests.

Answer: C

QUESTION NO: 80

You work as a network administrator for your company. Recently, you have been tasked to

configure access for development partners by use of the clientless SSL VPN portal on your Cisco

ASA security appliance. These partners want to access to the desktop of internal development

servers. Which three configurations for the clientless SSL VPN portal can achieve this goal?

(Choose three.)



Actu

alTe

sts.

com

A. RDP bookmark using the RDP plug-in

B. Citrixplugin using the Citrix plug-in

C. VNC bookmark using the VNC plug-in

D. SSH bookmark using the SSH plug-in

Answer: A,B,C

QUESTION NO: 81

You work as a network administrator for your company. You are asked to edit user-specific policy.

And you have configured a group policy for Sales to use the IP address pool defined by the pool

VPNPOOL and to allow as many as three simultaneous logins. According to the exhibit below,

when this user connects, what will be the IP address assigned to the connection and what will be

the number of simultaneous logins allowed for this user? (Choose two.)

A. The user will be allowed to make as many as three simultaneous connections.

B. The user will receive an IP address from the address pool that is defined in the default group

policy.

C. The user will be allowed to make only one connection.

D. The user will be assigned the IP address from the user-specific policy.

Answer: C,D

QUESTION NO: 82

You are the network security administrator for P4S Corporation. You are asked to configure

active/standby failover using Cisco ASDM between two Cisco ASA adaptive security appliances at

corporate headquarters. You deploy the Cisco ASDM High Availability and Scalability Wizard and



Actu

alTe

sts.

com

feels confident that the configuration is correct on both security appliances. But, the show failover

command output indicates that one interface remains constantly in the waiting state and never

normalizes. Which two troubleshooting steps should be taken? (Choose two.)

A. Verify thatPortFast is enabled on any switch port that connects to the security appliances.

B. Verify thatEtherChanneling is enabled on any switch port that connects to the security

appliances.

C. Verify that the line and protocol of the interface are up on the primary and secondary security

appliance interfaces.

D. Verify that the security appliances have the same feature licenses.

Answer: A,C

QUESTION NO: 83

Which three commands can display the contents of flash memory on the Cisco ASA adaptive

security appliance? (Choose three.)

A. show disk0:

B. dir

C. show flash:

D. show memory

Answer: A,B,C

QUESTION NO: 84

Which two statements about the downloadable ACL feature of the security appliance are correct?

(Choose two.)

A. Downloadable ACLs enable you to store full ACLs ona AAA server and download them to the

security appliance.

B. Downloadable ACLs are supported using TACACS+ or RADIUS.

C. The downloadable ACL must be attached to a user or group profile ona AAA server.

D. The security appliance supports only per-user ACL authorization.

Answer: A,C

QUESTION NO: 85

You have just cleared the configuration on your Cisco ASA adaptive security appliance, which

contains in its flash memory one ASA image file (asa802-k8.bin), one ASDM image file (asdm-



Actu

alTe

sts.

com

602.bin), and no configuration files. You would like to reconfigure the Cisco ASA adaptive security

appliance by use of Cisco ASDM, but you realize that you can't access Cisco ASDM. Which set of

commands offers the minimal configuration required to access Cisco ASDM?

A. interface,nameif, setup (followed by the setup command interactive prompts)

B. interface,nameif, ip address, hostname, domain-name, clock set, http server enable, asdm

image

C. interface,nameif, ip address, no shutdown, hostname, domain-name, clock set, http server

enable

D. setup (followed by the setup command interactive prompts)

Answer: A

QUESTION NO: 86

Clientless SSL VPN (WebVPN) allows a user to securely access resources on the corporate LAN

from anywhere with an SSL-enabled Web browser. You are asked to configure Telnet port

forwarding to a specific server on the clientless SSL VPN portal. A clientless SSL VPN user has

called to complain that after she starts the application helper, her attempts to establish a Telnet

connection to 10.0.4.3 time out. If the clientless SSL VPN configuration is correct, which type of

Telnet connection would you have the end user make?

A. to 127.0.0.1 on TCP port 2300

B. to 10.0.4.3 on TCP port 23

C. to 127.0.0.1 on TCP port 23

D. to 10.0.4.3 on TCP port 2300



Actu

alTe

sts.

com

Answer: A

QUESTION NO: 87

You work as a network security administrator for your company. Now, you are asked to configure

the corporate Cisco ASA security appliance to take the following steps on its outside interface:

--rate limit all IP traffic from telecommuting system engineers to the insidehost

--drop all HTTP requests from the Internet to the web server that have a body length greater than

1000 bytes

--prevent users on network 192.168.6.0/24 from using the FTP PUT command to store .exe files

on the FTP server

In order to achieve this objective, which set of Modular Policy Framework components will be

included?

A. one Layer 7 class map, one Layer 7 policy map, three Layer 3/4 class maps, one Layer 3/4

policy map

B. two Layer 7 class maps, one Layer 7 policy map, three Layer 3/4 class maps, one Layer 3/4

policy map

C. one Layer 7 class map, two Layer 7 policy maps, three Layer 3/4 class maps, one Layer 3/4

policy map

D. three Layer 7 policy maps, one Layer 3/4 class map, one Layer 3/4 policy map

Answer: C



Actu

alTe

sts.

com

QUESTION NO: 88

Tom wants to configure bookmarks for the clientless SSL VPN portal on his Cisco ASA security

appliance. Which items are supported bookmark types?

A. CIFS

B. HTTPS

C. HTTP

D. FTP

Answer: A,B,C,D

QUESTION NO: 89

In the default global policy, which three traffic types are inspected by default? (Choose three.)

A. TFTP

B. FTP

C. ESMTP

D. ICMP

Answer: A,B,C

QUESTION NO: 90

What does the redundant interface feature of the security appliance accomplish?

A. to increase the number of interfaces available to your network without requiring you to add

additional physical interfaces or security appliances

B. to increase the reliability of your security appliance

C. to allow a VPN client to sendIPsec-protected traffic to another VPN user by allowing such traffic

in and out of the same interface

D. to facilitate out-of-band management

Answer: B



642-515

Documents

cisco anyconnect vpn

ciscoasa security appliance

application answer

b question

failover groups

network security administrator

ssl vpn client type

custombuilt tcp application