Cisco 642-648 Exam, Most Popular Cisco 642-648 PDF Download Is What You Need To Take
Flydumps Cisco 642-648 practice tests hold the key importance and provide a considerable gain for your knowledge base. You can rely on our products with unwavering confidence; Get the profound knowledge and become a pro with Flydumps assistance.
QUESTION 26
When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or PAT, which type of VPN tunneling should you use to allow the VPN traffic through the stateful firewall?
A. clientless SSL VPN
B. IPsec over TCP
C. smart tunnel
D. SSL VPN plug-ins
Correct Answer: B Explanation
Explanation/Reference:
Explanation: IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and it enables secure tunneling through both Network Address Translation (NAT) and Port Address Translation (PAT) devices and firewalls
QUESTION 27
Refer to the exhibit.
While troubleshooting on a remote-access VPN application, a new NOC engineer received the message that is shown. What is the most likely cause of the problem?
A. The IP address that is assigned to the PC of the VPN user is not within the range of addresses that are assigned to the SVC connection.
B. The IP address that is assigned to the PC of the VPN user is in use. The remote user needs to select a different host address within the range.
C. The IP address that is assigned to the PC of the VPN user is in the wrong subnet. The remote user needs to select a different host number within the correct subnet.
D. The IP address pool for contractors was not applied to their connection profile. Correct Answer: D
Explanation Explanation/Reference:
Explanation:
%ASA-5-722006: Group group User user-name IP IP_address Invalid address IP_address assigned to SVC connection.
Explanation An invalid address was assigned to the user. Recommended Action Verify and correct the address assignment, if possible.
QUESTION 28
What is a valid reason for configuring a list of backup servers on the Cisco AnyConnect VPN Client profile?
A. to access a backup authentication server
B. to access a backup DHCP server
C. to access a backup VPN server
D. to access a backup CA server Correct Answer: C
Explanation Explanation/Reference:
QUESTION 29
Which statement about CRL configuration is correct?
A. CRL checking is enabled by default.
B. The Cisco ASA relies on HTTPS access to procure the CRL list.
C. The Cisco ASA relies on LDAP access to procure the CRL list.
D. The Cisco Secure ACS can be configured as the CRL server.
Correct Answer: C Explanation
Explanation/Reference:
Explanation:
ASA SSLVPN deployment guide:
The security appliance supports various authentication methods: RSA one-time passwords, Radius,
Kerberos, LDAP, NT Domain, TACACS, Local/Internal, digital certificates, and a combination of both authentication and certificates.
QUESTION 30
You have been using pre-shared keys for IKE authentication on your VPN. Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you enable scaling to numerous IPsec peers?
A. Migrate to external CA-based digital certificate authentication.
B. Migrate to a load-balancing server.
C. Migrate to a shared license server.
D. Migrate from IPsec to SSL VPN client extended authentication. Correct Answer: A
Explanation Explanation/Reference:
QUESTION 31
When preconfiguring a Cisco AnyConnect profile for the user group, which file is output by the Cisco AnyConnect profile editor?
A. user.ini
B. user.html
C. user.pcf
D. user.xml Correct Answer: D
Explanation Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac 02asaconfig.html
QUESTION 32
Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the validation of two sets of username and password credentials on the SSL VPN login page?
A. Single Sign-On
B. Certificate to Profile Mapping
C. Double Authentication
D. RSA OTP Correct Answer: C
Explanation Explanation/Reference:
QUESTION 33
Refer to the exhibit.
In the Edit Certificate Matching Rule Criterion window, you want to change the Mapped to Connection Profile. However, you cannot perform that action from this window.
Where should you navigate to and what should you do, in order to perform this change?
A. Edit the entry in the Certificate Management window.
B. Edit the entry in the Connection Profiles window.
C. Edit the entry in the Certificate to Connection Profile Maps window.
D. Edit the entry in IKE Policies window.
E. Delete this entry in the Mapping Criteria window, and add a new entry in the same location.
Correct Answer: C Explanation
Explanation/Reference:
QUESTION 34
Which statement is correct regarding IKEv2 when implementing IPsec site-to-site VPNs?
A. IKEv2 should be configured with a higher priority over IKEv1 policies within the same tunnel group.
B. IKEv2 crypto maps can be configured to inherit IKEv1 parameters, if configured.
C. IKE v1 and IKEv2 can coexist in the same tunnel group, with fallback to IKEv1 if the remote endpoint does not support IKEv2.
D. IKEv2 can be configured to support multiple peers.
Correct Answer: C Explanation
Explanation/Reference:
QUESTION 35
Which feature is supported when implementing an IPsec VPN configuration using IKEv2?
A. IKEv2 authentication can be configured to negotiate authentication modes within the IKE policy when using Cisco ASDM.
B. IKEv2 proposals are identical to IKEv1 policies.
C. When implementing IKEv2 with a site-to-site VPN, authentication parameters should contain a fallback to to PSKs, in case certificate-based authentication fails.
D. IKEv2 peer authentication can be implemented with asymmetric authentication methods.
Correct Answer: D Explanation
Explanation/Reference:
QUESTION 36
Refer to the exhibit.
What is the likely cause of the failure?
A. A msgid of 0 signifies a zero payload, indicating that the peer did not send any IKE proposals.
B. The remote peer did not respond to the 11 notifications that were sent by the originating IPsec endpoint.
C. There are mismatched IKE policies.
D. There are mismatched tunnel groups.
Correct Answer: C Explanation
Explanation/Reference:
Explanation:
%ASA-5-713257: Phase var1 failure: Mismatched attribute types for class var2: Rcv’d: var3 Cfg’d: var4
Explanation An adaptive security appliance has acted as the responder in a LAN-to-LAN connection. It indicates that the adaptive security appliance crypto
configuration does not match the configuration of the initiator. The message specifies during which phase the mismatch occurred, and which attributes both the
responder and the initiator had that were different.
·var1–The phase during which the mismatch occurred
·var2–The class to which the attributes that do not match belong ·var3–The attribute received from the initiator
·var4–The attribute configured
QUESTION 37
When troubleshooting a site-to-site IPsec VPN deployment, you see a QM FSM message. What is the most likely cause of this message?
A. The Quick Mode timers have expired.
B. There are mismatched proxy identities.
C. Forward Secrecy Mode has failed.
D. IKE Phase 1 has failed authentication due to mismatched DH groups.
Correct Answer: B Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#qms
QM FSM Error
The IPsec L2L VPN tunnel does not come up on the PIX firewall or ASA, and the QM FSM error message appears.
One possible reason is the proxy identities, such as interesting traffic, access control list (ACL) or crypto ACL, do not match on both the ends. Check the
configuration on both the devices, and make sure that the crypto ACLs match.
Another possible reason is mismatching of the transform set parameters. Make sure that at both ends, VPN gateways use the same transform set with the exact
same parameters.
QUESTION 38
Refer to the exhibit.
You are the network security administrator. You have received calls from site-to-site IPsec VPN users saying that they cannot connect into the network. In troubleshooting this problem, you discover that some sites can connect, but other sites cannot. It is not always the same sites experiencing problems. You suspect that the permitted number of simultaneous logins has been reached and needs to be increased.
In which configuration window or tab should you accomplish this task?
A. in the IKE Policies window
B. in the IKE Parameters window
C. in the System Options window
D. in the Device Management tab Correct Answer: C
Explanation Explanation/Reference:
Explanation:
Limit the maximum number of active IPSec VPN sessions
–Enables or disables limiting the maximum number of active IPSec VPN sessions. The range depends on the hardware platform and the software license.
Maximum Active IPSec VPN Sessions–Specifies the maximum number of active IPSec VPN sessions allowed. This field is active only when you select the
preceding check box to limit the maximum number of active IPSec VPN sessions.
QUESTION 39
Refer to the exhibit.
Given the example that is shown, what can you determine?
A. Users are required to perform RADIUS or LDAP authentication when connecting with the Cisco AnyConnect client.
B. Users are required to perform AAA authentication when connecting via WebVPN.
C. Users are required to perform double AAA authentication.
D. The user access identity is prefilled at login, requiring users to enter only their password.
Correct Answer: C Explanation
Explanation/Reference:
QUESTION 40
You are the network security administrator. You receive a call from a user stating that he cannot log onto the network. In the process of troubleshooting, you determine that this user is accessing the network via certificate-based Cisco AnyConnect SSL VPN.
What is a troubleshooting step that you should perform to determine the cause of the access problem?
A. Revoke and reissue the certificate, and have the user try again.
B. Verify that a connection can be made without using certificates.
C. Ask the user to use IPsec, and test the connection attempts.
D. Check the WebACLs on the Cisco ASA.
Correct Answer: B Explanation
Explanation/Reference:
QUESTION 41
When deploying clientless SSL VPNs, what should you do to support external unmanaged VPN clients?
A. Deploy a private PKI service.
B. Issue self-signed identity certificates for the external clients that you wish to provide with access to your enterprise.
C. Configure policies specifically for the clients that have a group userID and password.
D. Implement a global PKI service.
Correct Answer: D Explanation
Explanation/Reference:
QUESTION 42
Which option limits a clientless SSL VPN user to specific resources upon successful login?
A. modify the Cisco ASA Modular Policy Framework access control
B. user-defined bookmarks
C. RADIUS authorization
D. disable portal features
Correct Answer: B Explanation
Explanation/Reference:
Explanation:
Effective with Cisco IOS Release 12.4(15)T, users can bookmark URLs while connected through an SSL VPN tunnel. Users can access the bookmarked URLs by
clicking the URLs. User-level bookmarking is turned by default. There is no way to turn it off. To set the storage location, administrators can use the user-profile
location command. If the user-profile location command is not configured, the location flash:/webvpn/{context name}/ is used.
QUESTION 43
Some users are having problems connecting via clientless SSL VPN, while other users are experiencing no problems. What is one possible cause of this issue?
A. The Cisco ASA identity certificates have not been generated.
B. SSL version checking is enabled, and clients are connecting with denied versions.
C. SSL VPN termination is not enabled.
D. The Cisco ASA identity certificate is not bound to the SSL interface.
Correct Answer: B Explanation
Explanation/Reference:
Explanation: http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html
Host identity verification There is a difference between trusting a user (after passing strong user authentication) and trusting that user’s computer. While the former has traditionally been emphasized, only recently has the latter been given sufficient attention (see Trusted Platform Module – TPM). As discussed earlier, a Trojan-laden computer defeats strong user authentication. But a “company computer”, which is typically supported and managed according to corporate security policies, typically deserves more trust than a “non-company computer”. A secure SSL VPN infrastructure should allow you to verify a remote host’s identity by checking on predefined end device parameters. Examples include registry entries, special files in a specified location, or digital certificates (as a form of device authentication). The host identity information can be used to make your access permission decisions.
QUESTION 44
You have just configured new clientless SSL VPN access parameters.
However, when users connect, they are not getting the expected access that was configured.
What is one possible reason this is occurring?
A. The correct Tunnel Group Lock is not properly set.
B. The corresponding Cisco ASA interface is not enabled for SSL VPN access.
C. The Connection Alias is not enabled.
D. Portal features are disabled.
Correct Answer: A Explanation Explanation/Reference:
QUESTION 45
When a VPN client that is using redundant peering and has obtained an IP address from the primary VPN gateway loses connection to that gateway, how is traffic rerouted?
A. The secondary VPN gateway automatically routes the traffic back to the client using the same IP address.
B. Redundant Internet routing protocols reroute the traffic to and from the client and the gateway.
C. The secondary VPN gateway issues the client a new IP address and routes traffic accordingly.
D. Traffic flow stops, and the client must reestablish connection. Once connection is established, the same IP address is issued to the client and similarly routed. Correct Answer: C
Explanation Explanation/Reference:
QUESTION 46
When configuring dead peer detection for remote-access VPN, what does the confidence level parameter represent?
A. It specifies the number of seconds the adaptive security appliance should allow a peer to idle before beginning keepalive monitoring.
B. It specifies the number of seconds to wait between IKE keepalive retries.
C. The higher the number, the more reliable the link is.
D. It is determined dynamically based on reliability, uptime, and load. Correct Answer: A
Explanation Explanation/Reference:
Explanation:
QUESTION 47
Which statement is true regarding Cisco ASA stateful failover?
A. It is recommended to share the failover link with the inside interface for security purposes.
B. The failover link is encrypted by default to protect eavesdropping.
C. VPN users must reauthenticate, even though the connection remains established.
D. Clientless features, such as smart tunnels and plug-ins, are not supported. Correct Answer: D
Explanation Explanation/Reference:
QUESTION 48
Which statement is true about configuring the Cisco ASA for Active/Standby failover?
A. All versions of Cisco ASA software need to have the same licensing on both devices.
B. Both devices perform load sharing until a failure occurs.
C. All VPN-related configurations and files are automatically replicated.
D. VPN images, profiles, and plug-ins must be manually provisioned to both devices. Correct Answer: D
Explanation Explanation/Reference:
QUESTION 49
When configuring the Cisco ASA for VPN clustering, which IP address or addresses does the end-user device connect to?
In addition, the Cisco 642-648 exam sample questions from our support updates the real test paper promptly so as to make sure its high accuracy and validity. Once you choose FLYDUMPS Cisco 642-648 exam sample questions, you can enjoy free update for one year. So you should believe that, FLYDUMPS is the best provider for helping you study IT certifications. FLYDUMPS Cisco 642-648 exam sample questions give you detailed and logical coverage of Cisco 642-648 exam objectives and provide you with the real Cisco 642-648 exam environment as these products are built by IT examiners so you experience the real exam features in FLYDUMPS Adobe products.
