Cisco 642-515: Securing Networks with ASA Advanced
Practice Test, Version 3.1
ActualTests.com
QUESTION NO: 1
Which two statements correctly describe configuring active/active failover? (Choose two.)
A. You must assign contexts to failover groups from the admin context.
B. Both units must be in multiple mode.
C. You must configure two failover groups: group 1 and group 2.
D. You must use a crossover cable to connect the failover links on the two failover peers.
Answer: B,C
QUESTION NO: 2
Observe the following exhibit carefully. When TCP connections are tunneled over another TCP
connection and latency exists between the two endpoints, each TCP session would trigger a
retransmission, which can quickly spiral out of control when the latency issues persist. This issue
is often called TCP-over-TCP meltdown. According to the presented Cisco ASDM configuration,
which Cisco ASA security appliance configuration will most likely solve this problem?
A. Compression
B. MTU size of 500
C. Keepalive Messages
D. Datagram TLS
Answer: D
QUESTION NO: 3
The IT department of your company must run a custom-built TCP application within the
clientless SSL VPN portal configured on your Cisco ASA security appliance. The application
should be run by users who have either guest or normal user mode privileges. To allow
this application to run, how should the clientless SSL VPN portal be configured?
A. configure a smart tunnel for the application
Cisco 642-515: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 2
B. configure a bookmark for the application
C. configure the plug-in that best fits the application
D. configure port forwarding for the application
Answer: A
QUESTION NO: 4
Refer to the following exhibit. When a host on the inside network attempts an HTTP
connection to a host at IP address 172.26.10.100, which address pool will be used by the Cisco
ASA security appliance for the NAT?
A. 192.168.8.101 - 192.168.8.105
B. 192.168.8.20 - 192.168.8.100
C. 192.168.8.106 - 192.168.8.110
D. 192.168.8.20 - 192.168.8.110
Answer: B
QUESTION NO: 5
Study the following exhibit carefully. You are asked to configure the Cisco ASA security appliance
with a connection profile and group policy for full network access SSL VPNs. During a test of the
configuration using the Cisco AnyConnect VPN Client, the connection times out. In the process of
troubleshooting, you decide to make configuration changes. According to the provided Cisco
ASDM configuration, which configuration change will you begin with?
A. Require a client certificate on the interface.
B. Enable an SSL VPN client type on the interface.
C. Enable DTLS on the interface.
D. Enable a different access port that doesn't conflict with Cisco ASDM.
Answer: B
QUESTION NO: 6
You are the network security administrator for the P4S company. You create an FTP inspection
policy including the strict option, and it is applied to the outside interface of the corporate adaptive
security appliance. How is FTP handled on the security appliance after this policy is applied?
(Choose three.)
A. FTP inspection is applied to traffic entering the inside interface.
B. Strict FTP inspection is applied to traffic entering the outside interface.
C. FTP inspection is applied to traffic exiting the inside interface.
D. Strict FTP inspection is applied to traffic exiting the outside interface.
Answer: A,B,D
QUESTION NO: 7
Which three statements correctly describe protocol inspection on the Cisco ASA adaptive security
appliance? (Choose three.)
A. The protocol inspection feature of the security appliance securely opens and closes negotiated
ports and IP addresses for legitimate client-server connections through the security appliance.
B. For the security appliance to inspect packets for signs of malicious application misuse, you
must enable advanced (application layer) protocol inspection.
C. If inspection for a protocol is not enabled, traffic for that protocol may be blocked.
D. If you want to enable inspection globally for a protocol that is not inspected by default or if you
want to globally disable inspection for a protocol, you can edit the default global policy.
Answer: A,C,D
QUESTION NO: 8
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used
with a standard Web browser. After configuring port forwarding for a clientless SSL VPN
connection, if port forwarding is to work, which end user privilege level is required at the endpoint?
A. system level
B. guest level
C. user level
D. administrator level
Answer: D
QUESTION NO: 9
Which two methods can be used to decrease the amount of time it takes for an active Cisco ASA
adaptive security appliance to fail over to its standby failover peer in an active/active failover
configuration? (Choose two.)
A. decrease the interface failover poll time
B. decrease the unit failover poll time
C. use the special serial failover cable to connect the security appliances
D. use single mode
Answer: A,B
QUESTION NO: 10
Multimedia applications transmit requests on TCP, get responses on UDP or TCP, use dynamic
ports, and use the same port for source and destination, so they can pose challenges to a firewall.
Which three items are true about how the Cisco ASA adaptive security appliance handles
multimedia applications? (Choose three.)
A. It dynamically opens and closes UDP ports for secure multimedia connections, so you do not
need to open a large range of ports.
B. It supports SIP with NAT but not with PAT.
C. It supports multimedia with or without NAT.
D. It supports RTSP, H.323, Skinny, and CTIQBE.
Answer: A,C,D
QUESTION NO: 11
Which options can a clientless SSL VPN user access from a web browser without port forwarding,
smart tunnels, or browser plug-ins?
A. web-enabled applications
B. Microsoft Outlook Web Access
C. files on the network, via FTP or the CIFS protocol
D. internal websites
Answer: A,B,C,D
QUESTION NO: 12
Cisco ASA 5505 Adaptive Security Appliance is designed for providing high-performance security
services. Study the following exhibit carefully. You are asked to configure a Cisco ASA 5505
Adaptive Security Appliance as an Easy VPN hardware client. When the telecommuter using the
ASA 5505 Adaptive Security Appliance for remote access first tries to connect to resources on the
corporate network, he is prompted for authentication. Which two group policy features will require
authentication, even if a username and password are configured on the Easy VPN hardware
client? (Select two.)
A. Individual User Authentication
B. Certificate Authentication
C. Secure Unit Authentication
D. Extended Authentication
Answer: A,C
QUESTION NO: 13
Study the following exhibit carefully. You work as the network administrator of a corporate Cisco
ASA security appliance with a Cisco ASA AIP-SSM. You are asked to use the AIP-SSM to protect
corporate DMZ web servers. The AIP-SSM has been configured, and a service policy has been
configured to identify the traffic to be passed to the AIP-SSM.
On which two interfaces would application of the service policy for the AIP-SSM be most effective
while causing the least amount of impact to Cisco ASA security appliance performance? (Choose
two.)
A. dmz interface
B. outside interface
C. globally on all interfaces
D. Internet interface
Answer: A,B
QUESTION NO: 14
You work as the network administrator for your company. Now, you are asked to configure the
Cisco ASA security appliance, using Modular Policy Framework to prevent executables with the
.exe file extension from being downloaded. Which regular expression should be created to match
the .exe file extension?
A. *.exe
B. .+\.[Ee][Xx][Ee]
C. .+.[Ee][Xx][Ee]
D. .*\.[Ee][Xx][Ee.
Answer: B
QUESTION NO: 15
For the following commands, which one causes the Cisco CSC-SSM to load a new software
image from a remote TFTP server, via the CLI?
A. hw module 1 recover reload
B. copytftp hardware:module1
C. hw module 1 recover config
D. hw module 1 recover boot
Answer: D
QUESTION NO: 16
You work as a network administrator for your company. Study the exhibit carefully. ASDM is short
for Adaptive Security Device Manager. You are responsible for multiple remote Cisco ASA security
appliances administered through Cisco ASDM. Recently, you have been tasked to configure one
of these Cisco ASA security appliances for SSL VPNs and are requiring a client certificate, as
shown. How will this configuration affect your next ASDM connection to this Cisco ASA security
appliance?
A. You would be asked to present an identity certificate. If you did not have one, the Cisco ASA
security appliance would prompt you for authentication credentials, consisting of a username and
password.
B. Your connection would be handled the way it is always handled by this Cisco ASA security
appliance.
C. You would be required to have an identity certificate that the Cisco ASA security appliance can
use for authentication.
D. You would be required to download the identity certificate of the remote Cisco ASA security
appliance.
Answer: C
QUESTION NO: 17
You are a new employee of your company. Recently, you have been tasked to configure Cisco
ASA security appliance for multiple VLANs that use one physical interface. The switch to which the
physical Cisco ASA security appliance interface is connected should be configured for the
appropriate VLAN tagging protocol. In order to achieve this goal, which VLAN tagging protocol will
the Cisco ASA security appliance use to communicate with this switch?
A. ISL
B. IEEE 802.1Q
C. IEEE 802.1AE
D. IEEE 802.3
Answer: B
QUESTION NO: 18
In an active/active failover configuration, which event triggers failover at the failover group level?
A. The no failover active group group_id command is entered in the system configuration.
B. The no failover active command is entered in the system configuration.
C. The unit has a software failure.
D. Two monitored interfaces in the group fail.
Answer: A
QUESTION NO: 19
Cisco ASA 5500 Series Adaptive Security Appliances are easy-to-deploy solutions that integrate
world-class firewall, Unified Communications (voice/video) security, SSL and IPsec VPN, intrusion
prevention (IPS), and content security services in a flexible, modular product family. You are
asked to configure a Cisco ASA 5505 Adaptive Security Appliance as an Easy VPN hardware
client. In the process of configuration, you defined a list of backup servers for the security
appliance to use. After several hours of being connected to the primary VPN server, the security
appliance fails. You notice that your Easy VPN hardware client has now connected to a backup
server that is not defined within the configuration of the client. Where did your Easy VPN hardware
client get this backup server?
A. The backup servers that you listed were no longer available, so the Easy VPN hardware client
used the list of backup servers that it retrieved from the primary server.
B. The connection profile that was configured on the primary VPN server was pushed to your Easy
VPN hardware client and overwrote the list of backup servers that you had configured.
C. The backup servers that you listed were not configured as VPN servers, so the Easy VPN
hardware client used the list of backup servers retrieved from the primary server.
D. The group policy that was configured on the primary VPN server was pushed to your Easy VPN
client and overwrote the list of backup servers that you had configured.
Answer: D
QUESTION NO: 20
Refer to the exhibit. You have configured a Layer 7 policy map to match the size of HTTP header
fields that are traversing the network. Based on this configuration, will HTTP headers that are
greater than 200 bytes be logged?
A. No, because the reset action for headers greater than 100 bytes would be the first match.
B. Yes, because the log action for headers greater than 200 bytes would be the last match.
C. Yes, because the reset action for headers greater than 100 bytes and the log action for headers
greater than 200 bytes would both be applied.
D. No, because reset or log actions are a part of the service policy and the Layer 7 policy map.
Answer: A
QUESTION NO: 21
Annie is a network administrator of her company. She is responsible for a Cisco ASA security
appliance. Using a valid identity certificate from her certificate authority, she has created the
necessary configuration for remote-access VPN tunnels by use of the IPsec VPN Wizard. When
she tests the remote-access VPN, the VPN tunnel does not come up. If the remote-access VPN
configuration created by the wizard is correct and valid certificates are being used by the Cisco
ASA security appliance and Cisco VPN Client, which corrective action should be configured or
corrected for the VPN tunnel to come up properly?
A. The IKE phase two configuration is not part of the IPsec VPN Wizard configuration and must be
configured.
B. NAT-Transparency configuration is not part of the IPsec VPN Wizard configuration and must be
configured.
C. The IKE phase one configuration is not part of the IPsec VPN Wizard configuration and must be
configured.
D. The mapping of digital certificates to connection profile is not part of the IPsec VPN Wizard
configuration and must be configured.
Answer: D
QUESTION NO: 22
Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the
routing process for those networks and hosts protected by a remote tunnel endpoint. These
protected hosts and networks are known as remote proxy identities. Study the following exhibit
carefully. What does Reverse Route Injection enable in this configuration?
A. The Cisco ASA security appliance will advertise its default routes to the distant end of the site-
to-site VPN tunnel.
B. The Cisco ASA security appliance will advertise routes that are at the distant end of the site-to-
site VPN tunnel.
C. The Cisco ASA security appliance will advertise routes that are on its side of the site-to-site
VPN tunnel to the distant end of the site-to-site VPN tunnel.
D. The Cisco ASA security appliance will advertise routes from the dynamic routing protocol that is
running on the Cisco ASA security appliance to the distant end of the site-to-site VPN tunnel.
Answer: B
QUESTION NO: 23
Alex is tasked with installing a digital certificate for a Cisco VPN Client on a laptop for a user. What
is the reason that the certificate is in an "invalid:not active" state?
A. The certificate passphrase must be sent to the CA for validation.
B. The time on the CA server and the time on the laptop are out of sync.
C. The certificate number of "0" indicates that the certificate has expired.
D. The user has not clicked the Verify button within the Cisco VPN Client.
Answer: B
QUESTION NO: 24
You are a network engineer of your company. Recently, you have been tasked to configure Cisco
ASA security appliance for EIGRP routing. Which two Cisco ASDM configurations will add these
networks to the configuration of EIGRP according to the information displayed in the exhibit?
(Choose two.)
A. Configuration 1
B. Configuration 2
C. Configuration 3
D. Configuration 4
E. Configuration 5
F. Configuration 6
Answer: A,E
QUESTION NO: 25
During a stateful active/standby failover, which two events will happen? (Choose two.)
A. The user authentication (uauth) table is passed to the standby unit.
B. The secondary unit inherits the IP addresses of the primary unit.
C. SIP signaling sessions are lost.
D. The standby unit becomes the active unit.
Answer: B,D
QUESTION NO: 26
Cisco Secure Desktop, an innovative feature found in Cisco's WebVPN solutions, can help
organizations respond to government regulations for data protection by safeguarding the privacy
and security of confidential information. After configuring Cisco Secure Desktop on your Cisco ASA
security appliance, you should configure Cisco Secure Desktop to run Host Scan checks on the
remote endpoint. Which three available Basic Host Scan checks can be configured? (Choose
three.)
A. process
B. file
C. groups
D. registry
Answer: A,B,D
QUESTION NO: 27
Which two options are correct about the impacts of this configuration? (Choose two.)
class-map INBOUND_HTTP_TRAFFIC
 match access-list TOINSIDEHOST
class-map OUTBOUND_HTTP_TRAFFIC
 match access-list TOOUTSIDEHOST
policy-map MYPOLICY
 class INBOUND_HTTP_TRAFFIC
  inspect http
  set connection conn-max 100
policy-map MYOTHERPOLICY
 class OUTBOUND_HTTP_TRAFFIC
  inspect http
service-policy MYOTHERPOLICY interface inside
service-policy MYPOLICY interface outside
A. Traffic that matches access control list TOINSIDEHOST is subject to HTTP inspection and
maximum connection limits.
B. Traffic that enters the security appliance through the inside interface is subject to HTTP
inspection.
C. Traffic that enters the security appliance through the outside interface and matches access
control list TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.
D. Traffic that enters the security appliance through the inside interface and matches access
control list TOOUTSIDEHOST is subject to HTTP inspection.
Answer: C,D
QUESTION NO: 28
Modular Policy Framework provides a consistent and flexible way to configure security appliance
features in a manner similar to Cisco IOS software QoS CLI. Which three Cisco Modular Policy
Framework features are bidirectional? (Choose three.)
A. CSC policy
B. AIP policy
C. QoS priority queue
D. application inspection
Answer: A,B,D
QUESTION NO: 29
Which three encapsulation types will be supported by the Cisco ASA security appliance for IPsec
NAT transparency? (Choose three.)
A. NAT-T
B. IPsec over TCP
C. IPsec over UDP
D. IPsec over PPTP
Answer: A,B,C
QUESTION NO: 30
Which two options are correct about the threat detection feature of the Cisco ASA adaptive
security appliance? (Choose two.)
A. The security appliance scanning threat detection feature is based on traffic signatures.
B. The threat detection feature can help you determine the level of severity for packets that are
detected and dropped by the security appliance inspection engines.
C. Because of their impact on performance, both basic threat detection and scanning threat
detection are disabled by default.
D. Scanning threat detection detects network sweeps and scans and optionally takes appropriate
preventative action.
Answer: B,D
QUESTION NO: 31
Of the following internal channels, which two can be used for communication between the
Cisco ASA AIP-SSM and the Cisco ASA security appliance? (Choose two.)
A. control channel
B. promiscuous channel
C. inline channel
D. data channel
Answer: A,D
QUESTION NO: 32
For creating and configuring a security context, which three tasks are mandatory? (Choose three.)
A. allocating interfaces to the context
B. assigning MAC addresses to context interfaces
C. specifying the location of the context startup configuration
D. creating a context name
Answer: A,C,D
QUESTION NO: 33
For configuring VLAN trunking on a security appliance interface, which three actions are
mandatory? (Choose three.)
A. associating a logical interface with a physical interface
B. specifying a VLAN ID for a subinterface
C. specifying a name for a subinterface
D. specifying the maximum transmission unit for a subinterface
Answer: A,B,C
QUESTION NO: 34
Which three features can the Cisco ASA adaptive security appliance support? (Choose three.)
A. 802.1Q VLANs
B. OSPF dynamic routing
C. static routes
D. BGP dynamic routing
Answer: A,B,C
QUESTION NO: 35
Modular Policy Framework provides a consistent and flexible way to configure security appliance
features in a manner similar to Cisco IOS software QoS CLI. Your company asked you to examine
the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive
Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).
Which two effects does the policy map named PARTNERNET-POLICY have on FTP traffic entering
the partnernet interface?
A. Prevents all users except "root" from accessing the path /root.
B. Logs all attempts to download files from the FTP server on the inside interface.
C. Blocks the FTP request commands DELE, MKD, PUT, RMD, RNFR, and RNTO.
D. Resets connections that send embedded commands.
Answer: C,D
QUESTION NO: 36
What is the reason that you want to configure VLANs on a security appliance interface?
A. for use in multiple context mode, where you can map only VLAN interfaces to contexts
B. for use in conjunction with device-level failover to increase the reliability of your security
appliance
C. to increase the number of interfaces available to the network without adding additional physical
interfaces or security appliances
D. for use in transparent firewall mode, where only VLAN interfaces are used
Answer: C
QUESTION NO: 37
You are the network administrator for your company. Study the exhibit carefully. You are
responsible for a Cisco ASA security appliance configured with a local CA. According to the exhibit
below, what is the reason that the user student1 will use this password?
A. retrieval of the digital certificate from the local CA on the Cisco ASA security appliance
B. authentication to the SSL VPN server
C. retrieval of the Cisco ASA security appliance identity certificate
D. the initial authentication to the SSL VPN server
Answer: A
QUESTION NO: 38
Modular Policy Framework provides a consistent and flexible way to configure security appliance
features in a manner similar to Cisco IOS software QoS CLI. Your company asked you to examine
the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive
Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).
Which two steps should the Cisco Adaptive Security Appliance take on HTTP traffic entering its
outside interface? (Choose two.)
A. Drops HTTP request messages whose request method is post and whose user-agent field
contains either the string Some_New_P2P_Client1 or the string Some_New_P2P_Client2.
B. Forwards all HTTP request messages that are permitted by access control lists (ACLs) on the
outside interface.
C. Logs HTTP request messages whose request method is post and whose user-agent field
contains either the string Some_New_P2P_Client1 or the string Some_New_P2P_Client2.
D. Drops HTTP request messages whose user-agent field contains the string
Some_New_P2P_Client1 and the string Some_New_P2P_Client2.
Answer: A,C
QUESTION NO: 39
While setting up a remote access VPN, which three items does the Cisco ASDM IPsec VPN
Wizard require you to configure? (Choose three.)
A. tunnel group name
B. a pool of addresses to be assigned to remote users
C. IPsec encryption and authentication parameters
D. peer IP address
Answer: A,B,C
QUESTION NO: 40
On the basis of the Configuration > Device Setup > Interfaces pane displayed in the following
exhibit, which is the model number of this Cisco ASA security appliance?
A. Cisco ASA 5505 Adaptive Security Appliance
B. Cisco ASA 5550 Adaptive Security Appliance
C. Cisco ASA 5580 Adaptive Security Appliance
D. Cisco ASA 5540 Adaptive Security Appliance
Answer: A
QUESTION NO: 41
Which three items are main components of Cisco Modular Policy Framework? (Choose three.)
A. traffic policy
B. policy map
C. class map
D. service policy
Answer: B,C,D
QUESTION NO: 42
Study the exhibit carefully. Apply the HTTP inspection map named HTTP_POLICY to the
partnernet interface of the security appliance. Which step will be taken by the security appliance
as a result of its configuration for HTTP traffic that enters its partnernet interface?
A. drops HTTP request messages for which the request method is put, and logs HTTP request
messages for which the request header host field contains either the string example1.com or the
string example2.com
B. logs HTTP request messages for which the request method is put, and drops HTTP request
messages for which the request header host field contains either the string example1.com or the
string example2.com
C. drops and logs HTTP request messages for which the request method is put or the request
header host field contains the strings example1.com and example2.com
D. drops and logs HTTP request messages for which the request method is put and the request
header host field contains either the string example1.com or the string example2.com
Answer: D
QUESTION NO: 43
DAP is short for Dynamic Access Policies. You are configuring a DAP for SSL VPN connections to
your Cisco ASA security appliance. You add an Endpoint Attribute Type of "File" and select the
Endpoint ID of "10," according to the presented configuration. Within which area of the Cisco ASA
security appliance configuration is this endpoint attribute defined?
A. SSL VPN connection profile
B. SSL VPN group policy
C. user-specific policy
D. Cisco Secure Desktop
Answer: D
QUESTION NO: 44
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used
with a standard Web browser. SSL VPNs can provide increased flexibility over IPsec VPNs, on the
basis of the location of the client and ownership of the endpoint. But, security of the endpoint is a
potential problem. Which three potential security issues could the Cisco ASA security appliance
address through SSL VPN policies or features? (Select three.)
A. phishing
B. spyware
C. viruses
D. malware
Answer: B,C,D
QUESTION NO: 45
While implementing QoS, which two types of queues are available on the Cisco ASA security
appliance? (Choose two.)
A. best effort queue
B. round robin queue
C. weighted fair
D. low latency queue
Answer: A,D
QUESTION NO: 46
The following exhibit shows a Cisco ASA security appliance configured to participate in a VPN
cluster. According to the exhibit, to which value will you set the priority to increase the chances of
this Cisco ASA security appliance becoming the cluster master?
A. 10
B. 100
C. 0
D. 1
Answer: A
QUESTION NO: 47
Refer to the following information. The HTTP inspection map named MY_HTTP_MAP is applied
to the outside interface of the security appliance. Given this configuration,
which action will the security appliance take on HTTP traffic entering its outside interface?
NOTE: The CLI version of this configuration is provided here.
regex URL_ABC ".+abc\.com"
regex URL_DEF ".+def\.com"
regex URL_XYZ ".+xyz\.com"
. . .
class-map OUTSIDE_CLASS
 match any
class-map type regex match-any URLs
 match regex URL_ABC
 match regex URL_XYZ
class-map type inspect http match-all RESTRICTED_HTTP
 match request body length gt 1000
 match not request uri regex class URLs
. . .
policy-map type inspect http MY_HTTP_MAP
 parameters
  protocol-violation action drop-connection
 class RESTRICTED_HTTP
  drop-connection
policy-map OUTSIDE_POLICY
 class OUTSIDE_CLASS
  inspect http MY_HTTP_MAP
. . .
service-policy OUTSIDE_POLICY interface outside
A. drops any HTTP request that is destined for xyz.com or has a header length greater than 1000
bytes
B. drops any HTTP request for def.com that has a body length greater than 1000 bytes
C. drops any HTTP packet that is destined for def.com and has a header length greater than 1000
bytes
D. drops any HTTP packet that is destined for abc.com or has a body length greater than 1000
bytes
Answer: B
QUESTION NO: 48
In your company, you are responsible for administering a Cisco ASA security appliance with a
Cisco ASA CSC-SSM. You use a new version of software to upgrade the CSC-SSM. After
finishing the upgrade, you issue the show module 1 detail command. The following exhibit displays
the results of this command. What is the reason that the status of the CSC-SSM is "Up" when it is
not activated?
A. The software upgrade image has failed to load properly.
B. The CSC-SSM cannot communicate with the network and therefore cannot apply its
configuration to network traffic.
C. The CSC-SSM is in the administrative down state and is waiting to be changed to the
administrative up state.
D. The software upgrade image loaded successfully but the CSC-SSM has not had its license
applied.
Answer: D
QUESTION NO: 49
You work as a network administrator for your company. You are in charge of a Cisco ASA security
appliance for remote access IPsec VPNs, and you are assisting a user who has a digital certificate
configured for the Cisco VPN Client. Based on the following exhibit, how can you find the MD5
and SHA-1 thumbprint of the certificate?
A. Choose the certificate and then click the Certificate drop-down menu.
B. Choose the certificate and then click the Verify button.
C. Choose the certificate and then click Options > Properties.
D. Choose the certificate and then click the View button.
Answer: D
QUESTION NO: 50
Charles is a network administrator for his company. He has configured Cisco ASA security
appliance for SSL VPNs. What will happen when the remote user has successfully authenticated
according to the following exhibit?
A. The Cisco ASA security appliance will open the clientless SSL VPN portal if no Cisco
AnyConnect VPN Client is installed on the remote system.
B. The Cisco ASA security appliance will push the Cisco AnyConnect VPN Client down to the
remote system, install the client, and ask the user to authenticate again.
C. The Cisco ASA security appliance will wait indefinitely for the user to select clientless SSL VPN
portal or an SSL VPN client to use for the SSL VPN connection.
D. The Cisco ASA security appliance will push the Cisco AnyConnect VPN Client down to the
remote system, install the client, and use it to complete the SSL VPN connection.
Answer: D
QUESTION NO: 51
Which three of the following types of information could be found in the syslog output for an
adaptive security appliance? (Choose three.)
A. hostname of the packet sender
B. time stamp and date
C. message text
D. logging level
Answer: B,C,D
QUESTION NO: 52
Which two types of digital certificate enrollment processes
are available for the Cisco ASA security appliance? (Choose two.)
A. HTTP
B. manual
C. FTP
D. SCEP
Answer: B,D
QUESTION NO: 53
Observe the exhibit carefully. You are asked to review the configuration of the clientless SSL VPN
connection profile, which was created by a junior administrator. Which authentication method is
configured in the clientless profile?
A. The Cisco ASA security appliance requires AAA authentication to the external AAA server
LOCAL if the remote user does not have an identity certificate for authentication.
B. The Cisco ASA security appliance requires a username and password if the remote user does
not have an identity certificate for authentication.
C. The Cisco ASA security appliance accepts an identity certificate or a username and password
for authentication of remote users, but not both.
D. The Cisco ASA security appliance requires both an identity certificate and username and
password for authentication of remote users.
Answer: D
QUESTION NO: 54
Study the following exhibit carefully. You have been tasked to administrate a new Cisco ASA
security appliance with a Cisco ASA CSC-SSM. You are using the CSC Setup Wizard from within
Cisco ASDM to configure the CSC-SSM for traffic selection. In the process of the configuration of
traffic selection, the CSC Setup Wizard asks "If CSC card fails" and provides two options. What will
each of these options do if chosen? (Choose two.)
A. The Close option does not allow any traffic that is traversing the Cisco ASA security appliance
to continue when the CSC card fails.
B. The Close option does not allow traffic that is configured for CSC inspection to continue when
the CSC card fails.
C. The Permit option allows traffic to continue to flow to the CSC for inspection, even when a
hardware failure has been detected.
D. The Permit option allows traffic that is configured for CSC inspection to continue through the
Cisco ASA security appliance, if the CSC card fails.
Answer: B,D
QUESTION NO: 55
You are the administrator for Cisco ASA security appliances that are used for site-to-site VPNs
between remote and corporate offices. You have used the Service Policy Rule Wizard within
ASDM to configure low-latency queuing for unified communications on all the appropriate ASAs.
Users are still having issues with unified communications between the remote and corporate
offices. Assuming that the Cisco Unified Communications equipment is functioning properly and
that the VPN configurations are correct, which of these choices is most likely the cause of the
problems?
A. The DSCP, expedite forward, ef (46), was used to determine unified communications traffic
within the Service Policy Rule Wizard.
B. The tunnel group and DSCP traffic matching criteria were configured within the Service Policy
Rule Wizard.
C. Both a policing and priority queue must be applied on the interface to expedite the voice and
control data flows.
D. A priority queue must be created on the interface where the site-to-site VPN tunnel is
terminated.
Answer: D
QUESTION NO: 56
The Cisco ASA 5520 Adaptive Security Appliance delivers a wide range of security services with
Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise
networks, in a modular, high performance appliance. You have configured a Cisco ASA 5520
Adaptive Security Appliance as an Easy VPN hardware client. But from within Cisco ASDM, you
cannot find the Easy VPN Remote configuration option within the Remote Access VPN menu.
What is the reason that you cannot find this configuration option within Cisco ASDM on the ASA
5520 Adaptive Security Appliance?
A. The Easy VPN feature with the BIOS of the ASA 5520 Adaptive Security Appliance was not
enabled.
B. The version of Cisco ASDM software loaded on the Cisco ASA security appliance is corrupt.
C. The version of Cisco ASDM software loaded on the Cisco ASA security appliance does not
support the Easy VPN feature.
D. Only the Cisco ASA 5505 Adaptive Security Appliance can be an Easy VPN hardware client.
Answer: D
QUESTION NO: 57
Study the exhibit below carefully. Apply the FTP inspection map named L7FTPPOLICY to the
outside interface of the security appliance. Because of this configuration, which action will the
security appliance take on FTP traffic entering its outside interface?
A. resets and logs connections from abc.com users when they attempt to retrieve files via FTP;
resets all FTP connections from xyz.com users; resets any user connections that attempt to
deliver files via FTP
B. resets and logs connections from abc.com users only when they attempt to retrieve files via
FTP; resets connections from xyz.com users only when they attempt to deliver files via FTP
C. resets and logs connections from any user who attempts to retrieve files via FTP; resets
connections from xyz.com users who attempt to deliver files via FTP
D. resets connections from abc.com and xyz.com users when they attempt to retrieve files via
FTP; logs any user connections that attempt to deliver files via FTP
Answer: A
QUESTION NO: 58
The P4S security department would like to apply specific restrictions to one network user, Bob,
because he works from home and accesses the corporate network from the outside interface of
the security appliance. P4S decides to control network access for this user by using the
downloadable ACL feature of the security appliance. Authentication of inbound traffic is already
configured on the security appliance, and Bob already has a user account on the Cisco Secure
ACS. Which three tasks should be completed in order to achieve the goal of limiting network
access for Bob via downloadable ACLs? (Choose three.)
A. Configure the security appliance to use downloadable ACLs.
B. Configure the downloadable ACLs on the Cisco Secure ACS.
C. Attach the downloadable ACL to the user profile for Bob on the Cisco Secure ACS.
D. Configure the Cisco Secure ACS to use downloadable ACLs.
Answer: B,C,D
QUESTION NO: 59
Observe the exhibit below carefully. You have been tasked to configure the Cisco ASA security
appliance as the hub in a hub-and-spoke site-to-site VPN. Which configurations can enable traffic
to flow between spokes?
A. Configuration 1
B. Configuration 2
C. Configuration 3
D. Configuration 4
Answer: D
QUESTION NO: 60
Alexander is a network engineer of his company. He is asked to configure split tunneling to use
the ACL split-tunnel for remote access IPsec VPNs. According to the exhibit below, which two
Cisco ASDM configurations would tunnel traffic to the inside network and allow connected users to
access their local network and the Internet? (Select two.)
A. Configuration 1
B. Configuration 2
C. Configuration 3
Answer: B,C
QUESTION NO: 61
Which three of these choices are potential groups of users for clientless SSL VPNs? (Choose
three.)
A. partners who access specific internal applications from desktops and laptops that are not
managed by IT
B. customers who use a customer service kiosk placed in a retail store
C. temporary or remote employees who only rarely need access to a few applications
D. employees who need access to a wide range of corporate applications
Answer: A,B,C
QUESTION NO: 62
Tom works as a network administrator for the P4S company. The primary adaptive security
appliance in an active/standby failover configuration failed, so the secondary adaptive security
appliance was automatically activated. Tom then fixed the problem. Now he would like to restore
the primary to active status. Which one of the following commands can reactivate the primary
adaptive security appliance and restore it to active status when issued on the primary adaptive
security appliance?
A. failover exec standby
B. failover reset
C. failover primary active
D. failover active
Answer: D
QUESTION NO: 63
The security department of the P4S company wants to configure cut-through proxy authentication
via RADIUS to require users to authenticate before accessing the corporate DMZ servers. Which
three tasks are needed to achieve this goal? (Choose three.)
A. Configure a rule that specifies which traffic flow to authenticate.
B. Designate an authentication server.
C. Specify a AAA server group.
D. Configure per-user override.
Answer: A,B,C
QUESTION NO: 64
Which two statements correctly describe the local user database in the security appliance?
(Choose two.)
A. You can create user accounts with or without passwords in the local database.
B. You cannot use the local database for network access authentication.
C. You can configure the security appliance to lock a user out after the user meets a configured
maximum number of failed authentication attempts.
D. The default privilege level for a new user is 15.
Answer: A,C
QUESTION NO: 65
John works as a network engineer for your company. Study the following exhibit carefully. John is
asked to configure a Cisco ASA security appliance for port forwarding access to the internal e-mail
server running POP3 (TCP port 110) and SMTP (TCP port 25). Which two configurations of the
port forwarding list will allow remote users to access the internal email server through port
forwarding? (Choose two.)
A.
B.
Answer: A,B
QUESTION NO: 66
Modular Policy Framework provides a consistent and flexible way to configure security appliance
features in a manner similar to Cisco IOS software QoS CLI. Your company asked you to examine
the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive
Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).
Which step will be taken by the Cisco Adaptive Security Appliance on FTP traffic entering its
outside interface?
A. Masks the FTP greeting banner.
B. Translates embedded IP addresses.
C. Blocks the FTP request commands APPE, GET, RNFR, RNTO, DELE, MKD, and RMD.
D. Prevents all users except "root" from accessing the path /root.
Answer: B
QUESTION NO: 67
A Cisco ASA security appliance can obtain a certificate revocation list from a certificate authority in
which three ways? (Choose three.)
A. TFTP
B. SCEP
C. LDAP
D. HTTP
Answer: B,C,D
QUESTION NO: 68
You work as a network engineer for your company. Recently, you have been tasked with verifying
the Cisco ASA security appliance interfaces that are used for a web connection from the Internet
to a DMZ web server. According to the presented Configuration > Device Setup > Interfaces pane,
which two interfaces will a connection traverse when it is coming from the Internet and connecting
to the web server with the IP address 172.16.20.10? (Choose two.)
A. GigabitEthernet0/2.30
B. Management0/0
C. GigabitEthernet0/2.20
D. GigabitEthernet0/0
Answer: C,D
QUESTION NO: 69
Refer to the exhibit. You are configuring a laptop with the Cisco VPN Client, which will use digital
certificates for authentication. Which protocol will the Cisco VPN client use to retrieve the digital
certificate from the CA server?
A. HTTPS
B. TFTP
C. LDAP
D. SCEP
Answer: D
QUESTION NO: 70
Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a data stream. With Cisco
ASA Adaptive Security Appliance Software Version 7.x and later, which IPsec standard is not
supported on the Cisco ASA security appliance?
A. AH
B. ESP
C. MD5
D. DES
Answer: A
QUESTION NO: 71
You work as a network administrator for your company and are responsible for a Cisco ASA
security appliance. Recently, you have been asked to configure SSL VPNs to require digital
certificates. Which four configuration options are available on the Cisco ASA security appliance for
digital certificate management for SSL VPNs?
A. The Cisco ASA security appliance can be configured as a standalone local CA.
B. The Cisco ASA security appliance can generate a self-signed certificate to be used as its
identity certificate for SSL VPN connections.
C. The local CA on the Cisco ASA security appliance can issue certificates to users who require
certificates for SSL VPN connections.
D. The Cisco ASA security appliance can be configured to retrieve its identity certificate from an
external CA.
Answer: A,B,C,D
QUESTION NO: 72
Recently, a branch office of your company has upgraded its network by changing the network
topology of the branch, and the site-to-site VPN tunnel that runs between the branch and the
corporate office has been reconfigured to perform Reverse Route Injection to accommodate the
recent change. You are performing OSPF between the corporate Cisco ASA security appliance
and routers on the internal network. Assuming that the VPN configuration is correct, which step will
be taken on the corporate Cisco ASA security appliance to make sure that these new routes are
visible to internal routers running OSPF?
A. Reverse Route Injection uses RIP, so you must add a RIP process and redistribute the learned
RIP routes into OSPF.
B. Reverse Route Injection requires that you configure a new OSPF process that will add these
routes to the Cisco ASA security appliance routing table.
C. Reverse Route Injection uses static routes, so you must configure OSPF to redistribute the
static routes.
D. Reverse Route Injection uses EIGRP, so you must add an EIGRP process and redistribute the
learned EIGRP routes into OSPF.
Answer: C
QUESTION NO: 73
Which one of the following commands can provide detailed information about the crypto map
configurations of a Cisco ASA adaptive security appliance?
A. show run ipsec sa
B. show run crypto map
C. show ipsec sa
D. show crypto map
Answer: B
QUESTION NO: 74
While using IPsec VPN tunnels, which primary benefit is provided by digital certificates?
A. scalability
B. obfuscation
C. resiliency
D. simplification
Answer: A
QUESTION NO: 75
Modular Policy Framework provides a consistent and flexible way to configure security appliance
features in a manner similar to Cisco IOS software QoS CLI. Your company asked you to examine
the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive
Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).
Which option is correct with regard to HTTP inspection on the Cisco Adaptive Security Appliance?
A. HTTP traffic is inspected as it enters or exits the outside interface.
B. HTTP traffic is inspected only as it enters any interface.
C. Advanced HTTP inspection is applied to traffic entering the outside interface, and basic HTTP
inspection is applied to traffic entering any interface.
D. HTTP traffic is inspected as it enters or exits any interface.
Answer: A
QUESTION NO: 76
You are the network administrator of your company. You would like to add SSL VPN Cisco
AnyConnect VPN Client for use by remote users. After checking the Cisco software download site,
you discovered a number of different versions of Cisco AnyConnect VPN Client Software available
for download. If you know the Cisco ASA Adaptive Security Appliance Software version and the
remote user's PC operating system, how do you determine the appropriate version of Cisco
AnyConnect VPN Client to download?
A. The version of Cisco AnyConnect VPN Client Software must only be compatible with the
operating system.
B. Newer versions of the Cisco AnyConnect VPN Client Software are backward compatible with
earlier versions.
C. The version of Cisco AnyConnect VPN Client Software and the compatible version of Cisco
ASA Adaptive Security Appliance Software are based on release notes.
D. All versions of the Cisco AnyConnect VPN Client Software are compatible with all releases of
Cisco ASA Adaptive Security Appliance Software.
Answer: C
QUESTION NO: 77
Which two statements are true about multiple context mode? (Choose two.)
A. Multiple context mode enables you to add to the security appliance a hardware module that
supports up to four independent virtual firewalls.
B. Multiple context mode does not support IPS, IPsec, and SSL VPNs, or dynamic routing
protocols.
C. When you convert from single mode to multiple mode, the security appliance automatically adds
an entry for the admin context to the system configuration with the name "admin."
D. Multiple context mode enables you to create multiple independent virtual firewalls with their own
security policies and interfaces.
Answer: C,D
QUESTION NO: 78
You are a senior Cisco ASA security appliance administrator. Now, a new employee of your
company asks you to help to configure a Cisco ASA security appliance for an identity certificate to
be used for IPsec VPNs. Referring to the two Cisco ASDM configuration screens presented, which is
a requirement for configuring the Cisco ASA security appliance for an identity certificate?
A. To retrieve an identity certificate, the Cisco ASA security appliance must have the certificate of
the CA.
B. Because of the lack of a CA certificate, the administrator must import the identity certificate from
a file.
C. To retrieve an identity certificate, the common name must be an FQDN.
D. The Cisco ASA security appliance doesn't need to retrieve an identity certificate. It can use a
self-signed identity certificate for IPsec.
Answer: A
QUESTION NO: 79
Modular Policy Framework provides a consistent and flexible way to configure security appliance
features in a manner similar to Cisco IOS software QoS CLI. Your company asked you to examine
the current Cisco Modular Policy Framework configurations on the LA-ASA Cisco Adaptive
Security Appliance (ASA) by use of the Cisco Adaptive Security Device Manager (ASDM).
What is the impact of the FTP inspection policy named MY-FTP-MAP on FTP traffic entering the
partnernet interface?
A. Masks the FTP banner.
B. Tracks each FTP command and response sequence for certain anomalous activity.
C. Has no effect on the behavior of the Cisco Adaptive Security Appliance.
D. Prevents web browsers from sending embedded commands in FTP requests.
Answer: C
QUESTION NO: 80
You work as a network administrator for your company. Recently, you have been tasked to
configure access for development partners by use of the clientless SSL VPN portal on your Cisco
ASA security appliance. These partners want to access the desktop of internal development
servers. Which three configurations for the clientless SSL VPN portal can achieve this goal?
(Choose three.)
A. RDP bookmark using the RDP plug-in
B. Citrix plugin using the Citrix plug-in
C. VNC bookmark using the VNC plug-in
D. SSH bookmark using the SSH plug-in
Answer: A,B,C
QUESTION NO: 81
You work as a network administrator for your company. You are asked to edit a user-specific policy,
and you have configured a group policy for Sales to use the IP address pool defined by the pool
VPNPOOL and to allow as many as three simultaneous logins. According to the exhibit below,
when this user connects, what will be the IP address assigned to the connection and what will be
the number of simultaneous logins allowed for this user? (Choose two.)
A. The user will be allowed to make as many as three simultaneous connections.
B. The user will receive an IP address from the address pool that is defined in the default group
policy.
C. The user will be allowed to make only one connection.
D. The user will be assigned the IP address from the user-specific policy.
Answer: C,D
QUESTION NO: 82
You are the network security administrator for P4S Corporation. You are asked to configure
active/standby failover using Cisco ASDM between two Cisco ASA adaptive security appliances at
corporate headquarters. You deploy the Cisco ASDM High Availability and Scalability Wizard and
feel confident that the configuration is correct on both security appliances. But the show failover
command output indicates that one interface remains constantly in the waiting state and never
normalizes. Which two troubleshooting steps should be taken? (Choose two.)
A. Verify that PortFast is enabled on any switch port that connects to the security appliances.
B. Verify that EtherChanneling is enabled on any switch port that connects to the security
appliances.
C. Verify that the line and protocol of the interface are up on the primary and secondary security
appliance interfaces.
D. Verify that the security appliances have the same feature licenses.
Answer: A,C
QUESTION NO: 83
Which three commands can display the contents of flash memory on the Cisco ASA adaptive
security appliance? (Choose three.)
A. show disk0:
B. dir
C. show flash:
D. show memory
Answer: A,B,C
QUESTION NO: 84
Which two statements about the downloadable ACL feature of the security appliance are correct?
(Choose two.)
A. Downloadable ACLs enable you to store full ACLs on a AAA server and download them to the
security appliance.
B. Downloadable ACLs are supported using TACACS+ or RADIUS.
C. The downloadable ACL must be attached to a user or group profile on a AAA server.
D. The security appliance supports only per-user ACL authorization.
Answer: A,C
QUESTION NO: 85
You have just cleared the configuration on your Cisco ASA adaptive security appliance, which
contains in its flash memory one ASA image file (asa802-k8.bin), one ASDM image file
(asdm-602.bin), and no configuration files. You would like to reconfigure the Cisco ASA adaptive security
appliance by use of Cisco ASDM, but you realize that you can't access Cisco ASDM. Which set of
commands offers the minimal configuration required to access Cisco ASDM?
A. interface, nameif, setup (followed by the setup command interactive prompts)
B. interface, nameif, ip address, hostname, domain-name, clock set, http server enable, asdm
image
C. interface, nameif, ip address, no shutdown, hostname, domain-name, clock set, http server
enable
D. setup (followed by the setup command interactive prompts)
Answer: A
QUESTION NO: 86
Clientless SSL VPN (WebVPN) allows a user to securely access resources on the corporate LAN
from anywhere with an SSL-enabled Web browser. You are asked to configure Telnet port
forwarding to a specific server on the clientless SSL VPN portal. A clientless SSL VPN user has
called to complain that after she starts the application helper, her attempts to establish a Telnet
connection to 10.0.4.3 time out. If the clientless SSL VPN configuration is correct, which type of
Telnet connection would you have the end user make?
A. to 127.0.0.1 on TCP port 2300
B. to 10.0.4.3 on TCP port 23
C. to 127.0.0.1 on TCP port 23
D. to 10.0.4.3 on TCP port 2300
Answer: A
QUESTION NO: 87
You work as a network security administrator for your company. Now, you are asked to configure
the corporate Cisco ASA security appliance to take the following steps on its outside interface:
--rate limit all IP traffic from telecommuting system engineers to the insidehost
--drop all HTTP requests from the Internet to the web server that have a body length greater than
1000 bytes
--prevent users on network 192.168.6.0/24 from using the FTP PUT command to store .exe files
on the FTP server
In order to achieve this objective, which set of Modular Policy Framework components will be
included?
A. one Layer 7 class map, one Layer 7 policy map, three Layer 3/4 class maps, one Layer 3/4
policy map
B. two Layer 7 class maps, one Layer 7 policy map, three Layer 3/4 class maps, one Layer 3/4
policy map
C. one Layer 7 class map, two Layer 7 policy maps, three Layer 3/4 class maps, one Layer 3/4
policy map
D. three Layer 7 policy maps, one Layer 3/4 class map, one Layer 3/4 policy map
Answer: C
QUESTION NO: 88
Tom wants to configure bookmarks for the clientless SSL VPN portal on his Cisco ASA security
appliance. Which items are supported bookmark types?
A. CIFS
B. HTTPS
C. HTTP
D. FTP
Answer: A,B,C,D
QUESTION NO: 89
In the default global policy, which three traffic types are inspected by default? (Choose three.)
A. TFTP
B. FTP
C. ESMTP
D. ICMP
Answer: A,B,C
QUESTION NO: 90
What does the redundant interface feature of the security appliance accomplish?
A. to increase the number of interfaces available to your network without requiring you to add
additional physical interfaces or security appliances
B. to increase the reliability of your security appliance
C. to allow a VPN client to send IPsec-protected traffic to another VPN user by allowing such traffic
in and out of the same interface
D. to facilitate out-of-band management
Answer: B