642-647 Deploying Cisco ASA VPN Solutions (VPN v1.0)

Page 1   
Question 1




Answer :

Question 2


Refer to the exhibit. A new NOC engineer is troubleshooting a VPN connection. Which
statement about the fields within the VPN Client Statistics screen is correct?

  • A. The ISP-assigned IP address of 10.0.21.1 is assigned to the VPN adapter of the PC.
  • B. The IP address of the security appliance to which the VPN client is connected is 192.168.1.2.
  • C. CorpNet is the name of the Cisco ASA group policy whose tunnel parameters the connection is using.
  • D. The ability of the client to send packets transparently, unencrypted, through the tunnel for test purposes is turned off.
  • E. With split tunneling enabled, the VPN client registers no decrypted packets.


Answer : B

Question 3

Datagram Transport Layer Security (DTLS) was introduced to solve performance issues.
Which three statements are characteristics of DTLS? (Choose three.)

  • A. uses TLS to negotiate and establish DTLS connections
  • B. uses DTLS to transmit datagrams
  • C. disabled by default
  • D. uses TLS for data packet retransmission
  • E. replaces underlying transport layer with UDP 443
  • F. uses TLS to provide low-latency video application tunneling


Answer : A,B,E

Question 4


Refer to the exhibit. The "level_2" digital certificate was installed on a laptop. What can
cause an "invalid:not active" status message?

  • A. On first use, a CA server-supplied passphrase is entered to validate the certificate.
  • B. A "newly installed" digital certificate does not become active until it is validated by the peer device upon its first usage.
  • C. The user has not clicked the Verify button within the Cisco VPN Client.
  • D. The CA server and laptop PC clocks are out of sync.


Answer : D

Question 5

An administrator has preconfigured the Cisco ASA 5505 user settings with a username and
a password. When the telecommuter first turns on the Cisco ASA 5505 and attempts to
establish a VPN tunnel, the user is prompted for a username and password. Which two
Cisco ASA 5505 Group Policy features require this extra level of authentication? (Choose
two.)

  • A. New Unit Authentication
  • B. Extended Group Authentication
  • C. Secure Unit Authentication
  • D. Role-Based Access Control Authentication
  • E. Compartmented Mode Authentication
  • F. Individual User Authentication


Answer : C,F

Question 6

Refer to the following exhibit and answer the question below:


Upon logging in, the user emploeyee1 has which two privileges? (Choose two.)

  • A. Cisco ASDM, SSH, Telnet, and console access
  • B. CLI login prompt for SSH, Telnet, and console only
  • C. No Cisco ASDM, SSH, or console access
  • D. Level 15
  • E. Level 2
  • F. Level 3


Answer : D,E

Question 7


Which four parameters must be defined in an ISAKMP policy when creating an IPsec site-
to-site VPN using the Cisco ASDM? (Choose four.)

  • A. encryption algorithm
  • B. hash algorithm
  • C. authentication method
  • D. IP address of remote IPsec peer
  • E. D-H group
  • F. perfect forward secrecy


Answer : A,B,C,E

Question 8

A temporary worker must use clientless SSL VPN with an SSH plug-in to access the
console of an internal corporate server, the projects.xyz.com server. For security reasons,
the network security auditor insists that the temporary user be restricted to the one internal
corporate server, 10.0.4.18. As the network engineer that is responsible for the network
access of the temporary user, how can you restrict SSH access to the one
projects.xyz.com server?

  • A. Configure access-list temp_user_acl extended permit tcp any host 10.0.4.18 eq 22.
  • B. Configure access-list temp_user_acl standard permit host 10.0.4.18 eq 22.
  • C. Configure access-list temp_acl webtype permit url ssh://10.0.4.18.
  • D. Configure a plug-in SSH bookmark for host 10.0.4.18 and disable network browsing on the clientless SSL VPN portal of the temporary worker.


Answer : C

Question 9


Refer to the exhibit. Which two statements are correct regarding these two Cisco ASA
clientless SSL VPN bookmarks? (Choose two.)

  • A. CSCO_WEBVPN_USERNAME is a user attribute.
  • B. CSCO_WEBVPN_USERNAME is a Cisco predefined variable that is used for macro substitution.
  • C. The CSCO_WEBVPN_USERNAME variable is enabled by using the Post SSO plug-in.
  • D. CSCO_SSO is a Cisco predefined variable that is used for macro substitution.
  • E. The CSCO_SSO=1 parameter enables SSO for the SSH plug-in.
  • F. The CSCO_SSO variable is enabled by using the Post SSO plug-in.


Answer : B,E

Question 10

The administrator configured a Cisco ASA 5505 as a Cisco Easy VPN hardware client and
also defined a list of Cisco Easy VPN backup servers in the Cisco ASA 5505. After an
outage of the primary VPN server, you notice that your Cisco Easy VPN hardware client
has now reconnected via a backup server that was not defined within the original Cisco
Easy VPN backup servers list. Where did your Cisco Easy VPN hardware client get this
backup server?

  • A. The backup servers that you listed were no longer available, so the Cisco Easy VPN hardware client queried the load balance server for a "new" backup server address.
  • B. The backup servers that you listed were no longer available, so a Group Policy that was configured on the primary VPN server pushed "new" backup server addresses to your client.
  • C. The backup servers that you listed were no longer available, so the Cisco Easy VPN hardware client queried the primary VPN server via RADIUS protocol for a "new" backup server address.
  • D. The backup servers that you listed were no longer available, so the Cisco Easy VPN hardware client queried and received from a predefined LDAP server a "new" backup server address.


Answer : B

Question 11

Refer to the following exhibit and answer the question below:


The user, contractor1, will receive an IP address when the VPN connection is established.
Which statement regarding the IP address is true?

  • A. Is sourced from the contractor pool
  • B. Is sourced from the employee pool
  • C. Is sourced from the engineering pool
  • D. Is sourced from the management pool
  • E. Is a dedicated address (10.0.4.1 20)


Answer : A

Explanation:

In the configuration, first look up the username under Device Management and note its group policy, then go to Remote Access VPN >> Connection Profiles >> Client Address Pools >> contractor to see the address pool. Alternatively, under Monitoring >> VPN Statistics >> Sessions, find the username and its assigned IP address, then locate that address in the Configuration tab using the procedure above.

Question 12

Which three Host Scan checks on a remote endpoint can Cisco Secure Desktop be
configured to perform? (Choose three.)

  • A. Registry checks
  • B. User rights checks
  • C. Group Policy Objects checks
  • D. File checks
  • E. Virus Software checks
  • F. Process checks


Answer : A,D,F

Explanation: Source: http://www.cisco.com/en/US/docs/security/csd/csd341/configuration/guide/CSDhscan.html

Question 13

Which two types of digital certificate enrollment processes are available for the Cisco ASA
security appliance? (Choose two.)

  • A. LDAP
  • B. FTP
  • C. TFTP
  • D. HTTP
  • E. SCEP
  • F. Manual


Answer : E,F

Question 14

A remote user who establishes a clientless SSL VPN session is presented with a web
page. The administrator has the option to customize the "look and feel" of the page. What
are three components of the VPN Customization Editor? (Choose three.)

  • A. Application page
  • B. Logon page
  • C. Networking page
  • D. Logout page
  • E. Home page
  • F. Portal page


Answer : B,E,F

Question 15


Refer to the exhibit. After a remote user established a Cisco AnyConnect session from a
wireless card through the Cisco ASA appliance of a partner to a remote server, the user
opened the Cisco AnyConnect VPN Client Statistics Details screen. Identify the two
sources of the two IP addresses. (Choose two.)

  • A. IP address that is assigned to the wireless Ethernet adapter of the remote user
  • B. IP address that is assigned to the remote user from the Cisco ASA address pool
  • C. IP address of the Cisco ASA physical interface of the partner
  • D. IP address of the Cisco ASA virtual http server of the partner
  • E. IP address of the default gateway router of the remote user
  • F. IP address of the default gateway router of the partner


Answer : B,C
