642-524 Securing Networks with ASA Foundation

Question 1

Study the configuration shown in the exhibit carefully. What traffic will be logged to
the AAA server?


  • A. Only authenticated and authorized console connection information will be logged in the accounting database.
  • B. All outbound TCP connection information will be logged in the accounting database.
  • C. No information will be logged. This is not a valid configuration because TACACS+ connection information cannot be captured and logged.
  • D. All connection information will be logged in the accounting database.


Answer : B

Question 2

Tom works as a network administrator for the P4S company. The primary adaptive security
appliance in an active/standby failover configuration failed, so the secondary adaptive
security appliance was automatically activated. Tom then fixed the problem. Now he would
like to restore the primary to active status. Which one of the following commands, when
issued on the primary adaptive security appliance, reactivates it and restores it to
active status?

  • A. failover reset
  • B. failover primary active
  • C. failover active
  • D. failover exec standby


Answer : C

Question 3

Can you tell me which command enables IKE on the outside interface?

  • A. int g0/0 ike enable (outbound)
  • B. ike enable outside
  • C. isakmp enable outside
  • D. nameif outside isakmp enable


Answer : C

Question 4

Which three are potential groups of users for WebVPN? (Choose three.)

  • A. employees accessing specific internal applications from desktops and laptops not managed by IT
  • B. administrators who need to manage servers and networking equipment
  • C. employees that only need occasional corporate access to a few applications
  • D. users of a customer service kiosk placed in a retail store


Answer : A,C,D

Question 5

Study the exhibit carefully. Which two types of failover is this adaptive security appliance
configured for? (Choose two.)

P4S-asa1# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15:54:49 UTC Sept 17 2006
Group 2 last failover at: 15:55:00 UTC Sept 17 2006

  • A. stateful failover
  • B. LAN-based failover
  • C. cable-based failover
  • D. Active/Active failover


Answer : B,D

Question 6

You work as a network engineer at Pass4sure.com. You are asked to examine the current
Modular Policy Framework configurations on the LA-ASA Adaptive Security Appliances
using the Cisco Adaptive Security Device Manager (ASDM) utility. You need to answer the
multiple-choice questions in this simulation by using the appropriate Cisco ASDM
configuration screens.
A host on the partnernet network makes a VoIP call to 172.20.1.15, which is statically
mapped to an IP phone on the inside network. What does the security appliance do with the
VoIP traffic between host 172.20.1.15 and the host on the partnernet network?


  • A. Sends it to the AIP-SSM for inspection before forwarding it to its destination
  • B. Sends it to the CSC-SSM for inspection before forwarding it to its destination
  • C. Forwards it directly to its destination unless the connection limit is already met
  • D. Applies low latency queuing as it exits the partnernet interface


Answer : D

Question 7

Which option correctly describes the order to upgrade the license (activation key) for your
security appliance from Cisco ASDM?

  • A. Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the security appliance as it appears on the chassis of the security appliance. Step 2 Reboot the security appliance to ensure that the image in flash and the running image are the same. Step 3 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco ASDM and enter the activation key as a four- or five-element hexadecimal string with no spaces. Step 4 Click
  • B. Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the security appliance as it appears in the show version command output. Step 2 Reboot the security appliance to ensure that the image in flash and the running image are the same. Step 3 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco ASDM and enter the activation key as a four- or five-element hexadecimal string with one space between each elemen
  • C. Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the security appliance as it appears in the show version command output. Step 2 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco ASDM and enter the activation key as a three- or four-element hexadecimal string with one space between each element. Step 3 Click Update Activation Key in the Activation Key panel. Step 4 Click Save in the Cisco ASDM too
  • D. Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the security appliance as it appears on the chassis of the security appliance. Step 2 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco ASDM and enter the activation key as a four- or five-element hexadecimal string with no spaces. Step 3 Click Update Activation Key in the Activation Key panel. Step 4 Click Save in the Cisco ASDM toolbar.


Answer : B

Question 8

What is the result if the WebVPN url-entry parameter is disabled?

  • A. The end user is unable to access pre-defined URLs.
  • B. The end user is unable to access any CIFS shares or URLs.
  • C. The end user is able to access CIFS shares but not URLs.
  • D. The end user is able to access pre-defined URLs.


Answer : D

Question 9

Which two scenarios correctly describe the impact of the configuration shown in the
exhibit? (Choose two.)


  • A. User addison enters the login command at the > prompt and logs in with the correct username and password when prompted. User addison can then enter the global configuration mode on the security appliance.
  • B. User carter enters the enable command at the > prompt and logs in with the correct username and password when prompted. User carter can then enter the global configuration mode.
  • C. User carter enters the login command at the > prompt and logs in with the correct username and password when prompted. User carter can then enter the global configuration mode on the security appliance.
  • D. User kenny enters the enable command at the > prompt and logs in with the correct username and password when prompted. User kenny can then enter the global configuration mode.


Answer : A,D

Question 10

Which one of the following commands can provide detailed information about the crypto
map configurations of a Cisco ASA adaptive security appliance?

  • A. show ipsec sa
  • B. show crypto map
  • C. show run ipsec sa
  • D. show run crypto map


Answer : D

Question 11

Which two options are correct about the impacts of this configuration? (Choose two.)

class-map INBOUND_HTTP_TRAFFIC
 match access-list TOINSIDEHOST
class-map OUTBOUND_HTTP_TRAFFIC
 match access-list TOOUTSIDEHOST
policy-map MYPOLICY
 class INBOUND_HTTP_TRAFFIC
  inspect http
  set connection conn-max 100
policy-map MYOTHERPOLICY
 class OUTBOUND_HTTP_TRAFFIC
  inspect http
service-policy MYOTHERPOLICY interface inside
service-policy MYPOLICY interface outside

  • A. Traffic that matches access control list TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.
  • B. Traffic that enters the security appliance through the inside interface is subject to HTTP inspection.
  • C. Traffic that enters the security appliance through the outside interface and matches access control list TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.
  • D. Traffic that enters the security appliance through the inside interface and matches access control list TOOUTSIDEHOST is subject to HTTP inspection.


Answer : C,D

Question 12

Which one of the following commands would set the default route for an adaptive security
appliance to the IP address 10.10.10.1?

  • A. route 0 0 10.10.10.1 1
  • B. route add default 0 10.10.10.1
  • C. route management 10.10.10.0 0.0.0.255 10.10.10.1 1
  • D. route outside 0 0 10.10.10.1 1


Answer : D

Question 13

By default, the AIP-SSM IPS software is accessible from the management port at IP
address 10.1.9.201/24. Which CLI command should an administrator use to change the
default AIP-SSM management port IP address?

  • A. interface
  • B. hw module 1 recover
  • C. setup
  • D. hw module 1 setup


Answer : C

Question 14

Which two descriptions are correct according to the exhibit? (Choose two.)


  • A. Any host can ping the bastionhost.
  • B. Any host on the 192.168.6.0 network can initiate connections to host 192.168.1.9 via HTTP.
  • C. Host 192.168.6.10 can initiate connections to host 192.168.1.11 via HTTP.
  • D. Host 192.168.1.11 can initiate connections to host 192.168.6.10 via FTP.


Answer : B,C

Question 15

For creating and configuring a security context, which three tasks are mandatory? (Choose
three.)

  • A. allocating interfaces to the context
  • B. assigning MAC addresses to context interfaces
  • C. creating a context name
  • D. specifying the location of the context startup configuration


Answer : A,C,D
