Cisco 642-617

Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0)
Version: 4.8

Cisco 642-617 Exam

QUESTION NO: 1
Which Cisco ASA feature enables the ASA to do these two things?
1) Act as a proxy for the server and generate a SYN-ACK response to the client SYN request.
2) When the Cisco ASA receives an ACK back from the client, the Cisco ASA authenticates the client and allows the connection to the server.
A. TCP normalizer
B. TCP state bypass
C. TCP intercept
D. basic threat detection
E. advanced threat detection
F. botnet traffic filter
Answer: C

QUESTION NO: 2
By default, which traffic can pass through a Cisco ASA that is operating in transparent mode without explicitly allowing it using an ACL?
A. ARP
B. BPDU
C. CDP
D. OSPF multicasts
E. DHCP
Answer: A

QUESTION NO: 3
Refer to the exhibit. Which Cisco ASA feature can be configured using this Cisco ASDM screen?
A. Cisco ASA command authorization using TACACS+
B. AAA accounting to track serial, ssh, and telnet connections to the Cisco ASA
C. Exec Shell access authorization using AAA
D. cut-thru proxy
E. AAA authentication policy for Cisco ASDM access
Answer: D

"Pass Any Exam. Any Time." - www.actualtests.com

QUESTION NO: 4
Refer to the exhibit. The Cisco ASA is dropping all the traffic that is sourced from the internet and is destined to any security context inside interface. Which configuration should be verified on the Cisco ASA to solve this problem?
A. The Cisco ASA has NAT control disabled on each security context.
B. The Cisco ASA is using inside dynamic NAT on each security context.
C. The Cisco ASA is using a unique MAC address on each security context outside interface.
D. The Cisco ASA is using a unique dynamic routing protocol process on each security context.
E. The Cisco ASA packet classifier is configured to use the outside physical interface to assign the packets to each security context.
Answer: C

QUESTION NO: 5
Which four types of ACL object group are supported on the Cisco ASA (release 8.2)? (Choose four.)
A. protocol
B. network
C. port
D. service
E. icmp-type
F. host
Answer: A,B,D,E

QUESTION NO: 6
Refer to the exhibit. Which two CLI commands will result? (Choose two.)
A. aaa authorization network LOCAL
B. aaa authorization network default authentication-server LOCAL
C. aaa authorization command LOCAL
D. aaa authorization exec LOCAL
E. aaa authorization exec authentication-server LOCAL
F. aaa authorization exec authentication-server
Answer: C,D

QUESTION NO: 7
Refer to the exhibit. Which two statements about the class maps are true? (Choose two.)
A. These class maps are Layer 3/4 class maps.
B. These class maps classify traffic using regular expressions.
C. These class maps are used within the inspection_default class map for matching the default inspection traffic.
D. These class maps are referenced within the global policy by default for HTTP inspection.
E. These class maps are all type inspect http class maps.
Answer: B,E

QUESTION NO: 8
Refer to the exhibit. A Cisco ASA in transparent firewall mode generates the log messages seen in the exhibit. What should be configured on the Cisco ASA to allow the denied traffic?
A. extended ACL on the outside and inside interface to permit the multicast traffic
B. EtherType ACL on the outside and inside interface to permit the multicast traffic
C. stateful packet inspection
D. static ARP mapping
E. static MAC address mapping
Answer: A

QUESTION NO: 9
The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three Cisco ASA options will not support these requirements? (Choose three.)
A. transparent mode
B. multiple context mode
C. active/standby failover mode
D. active/active failover mode
E. routed mode
F. no NAT-control
Answer: A,B,D

QUESTION NO: 10
Refer to the exhibits. Which five options should be entered into the five fields in the Cisco ASDM Add Static Policy NAT Rule screen? (Choose five.)
access-list POLICY_NAT_ACL extended permit ip host 172.16.1.10 10.0.0.0 255.255.255.0
static (dmz,outside) 192.168.2.10 access-list POLICY_NAT_ACL
A. dmz = Original Interface
B. outside = Original Interface
C. 172.16.1.10 = Original Source
D. 192.168.2.10 = Original Source
E. 10.0.0.0/24 = Original Destination
F. 192.168.2.10 = Original Destination
G. dmz = Translated Interface
H. outside = Translated Interface
I. 192.168.2.10 = Translated Use IP Address
J. 172.16.1.10 = Translated Use IP Address
Answer: A,C,E,I

QUESTION NO: 11
By default, which access rule is applied inbound to the inside interface?
A. All IP traffic is denied.
B. All IP traffic is permitted.
C. All IP traffic sourced from any source to any less secure network destinations is permitted.
D. All IP traffic sourced from any source to any more secure network destinations is permitted.
Answer: C

QUESTION NO: 12
In which type of environment is the Cisco ASA MPF set connection advanced-options tcp-state-bypass option the most useful?
A. SIP proxy
B. WCCP
C. BGP peering through the Cisco ASA
D. asymmetric traffic flow
E. transparent firewall
Answer: D

QUESTION NO: 13
Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per second, 600,000 maximum connections, and traffic shaping?
A. 5540
B. 5550
C. 5580-20
D. 5580-40
Answer: B

QUESTION NO: 14
Refer to the exhibit. What is the resulting CLI command?
A. match request uri regex _default_GoToMyPC-tunnel drop-connection log
B. match regex _default_GoToMyPC-tunnel drop-connection log
C. class _default_GoToMyPC-tunnel drop-connection log
D. match class-map _default_GoToMyPC-tunnel drop-connection log
Answer: C

QUESTION NO: 15
A customer is ordering a number of Cisco ASAs for their network. For the remote or home office, they are purchasing the Cisco ASA 5505. When ordering the licenses for their Cisco ASAs, which two licenses must they order that are "platform specific" to the Cisco ASA 5505? (Choose two.)
A. AnyConnect Essentials license
B. per-user Premium SSL VPN license
C. VPN shared license
D. internal user licenses
E. Security Plus license
Answer: D,E

QUESTION NO: 16
With Cisco ASA active/standby failover, what is needed to enable subsecond failover?
A. Decrease the default number of monitored interfaces to 1.
B. Enable the stateful failover interface between the primary and secondary Cisco ASA.
C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec
D. Use redundant interfaces.
Answer: C

QUESTION NO: 17
When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level will produce the most messages?
A. notifications
B. informational
C. alerts
D. emergencies
E. errors
F. debugging
Answer: F

QUESTION NO: 18
Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name command?
A. uRPF
B. TCP intercept
C. botnet traffic filter
D. scanning threat detection
E. IPS (IP audit)
Answer: A

QUESTION NO: 19
A Cisco ASA requires an additional feature license to enable which feature?
A. transparent firewall
B. cut-thru proxy
C. threat detection
D. botnet traffic filtering
E. TCP normalizer
Answer: D

QUESTION NO: 20
Refer to the exhibit. What can be determined about the connection status?
A. The 10.1.1.50 web server is terminating all the incoming HTTP connections.
B. Many HTTP connections to the 10.1.1.50 web server have successfully completed the three-way TCP handshake
C. Many embryonic connections are made from random sources to the 10.1.1.50 web server.
D. The 10.1.1.50 host is triggering SYN flood attacks against random hosts on the outside.
E. The output is showing normal activity to the inside 10.1.1.50 web server.
Answer: C

QUESTION NO: 21
When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.)
A. Verify the interface status in the system execution space.
B. Verify the mac-address-table on the Cisco ASA.
C. Verify that unique MAC addresses are configured if the contexts are using nonshared interfaces.
D. Verify the interface status in the user context.
E. Verify the resource classes configuration by accessing the admin context.
Answer: A,D

QUESTION NO: 22
Which statement about the default ACL logging behavior of the Cisco ASA is true?
A. The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured
B. The Cisco ASA generates system message 106100 only for the first packet that matched an ACE.
C. The Cisco ASA generates system message 106023 for each packet that matched an ACE.
D. The Cisco ASA generates system message 106100 for each packet that matched an ACE.
E. No ACL logging is enabled by default.
Answer: A

QUESTION NO: 23
When will a Cisco ASA that is operating in transparent firewall mode perform a routing table lookup instead of a MAC address table lookup to determine the outgoing interface of a packet?
A. if multiple context mode is configured
B. if the destination MAC address is unknown
C. if the destination is more than a hop away from the Cisco ASA
D. if NAT is configured
E. if dynamic ARP inspection is configured
Answer: D

QUESTION NO: 24
Which flags should the show conn command normally show after a TCP connection has successfully been established from an inside host to an outside host?
A. aB
B. saA
C. slO
D. AIO
E. UIO
F. F
Answer: E

QUESTION NO: 25
Refer to the exhibit. Which three configuration commands will enable the VPN client to get PATed to the 10.3.3.3 IP address when accessing the DMZ? (Choose three.)
A. access-list client extended permit ip 209.165.202.128 255.255.255.224 any
B. access-list client extended permit ip 10.3.3.3 255.255.255.255 any
C. access-list client extended permit ip any 10.3.3.3 255.255.255.255
D. nat (outside) 1 access-list client
E. nat (dmz) 1 209.165.202.128 255.255.255.224
F. nat (dmz) 1 access-list client
Answer: A,C,D

QUESTION NO: 26
Refer to the exhibit. What is a reasonable conclusion?
A. All the connections from the 10.1.1.99 have completed the TCP three-way handshake.
B. The 10.1.1.99 host on the inside is under a SYN flood attack.
C. The 10.1.1.99 hosts are generating a vast number of outgoing connections, probably due to a virus
D. The 10.1.1.99 host operations on the inside look normal.
E. The maximum number of TCP connections that the 10.1.1.99 host can establish will be 146608.
Answer: C

QUESTION NO: 27
What is the default interval for how often the dynamic database of the Cisco ASA botnet traffic filter is updated from Cisco/IronPort?
A. every 5 minutes
B. every 15 minutes
C. every 30 minutes
D. every 1 hour
E. every 12 hours
F. every 24 hours
Answer: D

QUESTION NO: 28
In one custom dynamic application, the inside client connects to an outside server using TCP port 4444 and negotiates return client traffic in the port range of 5000 to 5500. The server then starts streaming UDP data to the client on the negotiated port in the specified range. Which Cisco ASA feature or command supports this custom dynamic application?
A. TCP normalizer
B. TCP intercept
C. ip verify command
D. established command
E. tcp-map and tcp-options commands
F. set connection advanced-options command
Answer: D

QUESTION NO: 29
Which two statements about Cisco ASA failover troubleshooting are true? (Choose two.)
A. With active/active failover, failover link troubleshooting should be done in the system execution space.
B. Syslog level 1 messages will be generated on the standby unit only if the logging standby command is used.
C. With active/active failover, user data passing interfaces troubleshooting should be done within the context execution space.
D. Using the show monitor-interface command, if one of the monitored interfaces on both the primary and secondary Cisco ASA appliances is in the unknown state, a failover should occur.
E. With active/active failover, ASR groups must be enabled.
F. The failed interface threshold is set to 1.
Answer: A,C

QUESTION NO: 30
A Cisco ASA is operating in transparent firewall mode, but the MAC address table of the Cisco ASA is always empty, which causes connectivity issues. What should you verify to troubleshoot this issue?
A. if ARP inspection has been disabled
B. if MAC learning has been disabled
C. if NAT has been disabled
D. if ARP traffic is explicitly allowed using EtherType ACL
E. if BPDU traffic is explicitly allowed using EtherType ACL
Answer: B

QUESTION NO: 31
When configuring security contexts on the Cisco ASA, which three resource class limits can be set using a rate limit? (Choose three.)
A. address translation rate
B. Cisco ASDM session rate
C. connections rate
D. MAC-address learning rate (when in transparent mode)
E. syslog messages rate
F. stateful packet inspections rate
Answer: C,E,F

QUESTION NO: 32
Refer to the exhibit. Which statement about the Telnet session from 10.0.0.1 to 172.26.1.200 is true?
A. The Telnet session should be successful.
B. The Telnet session should fail because inside NAT has not been configured.
C. The Telnet session should fail because the inside interface inbound access list will block it
D. The Telnet session should fail because no matching flow was found.
E. The Telnet session should fail because the route lookup to the destination fails.
Answer: C

QUESTION NO: 33
In which two directions are the Cisco ASA modular policy framework inspection policies applied? (Choose two.)
A. in the ingress direction only when applied globally
B. in the ingress direction only when applied on an interface
C. in the egress direction only when applied globally
D. in the egress direction only when applied on an interface
E. bi-directionally when applied globally
F. bi-directionally when applied on an interface
Answer: A,F

QUESTION NO: 34
Which Cisco ASA show command groups the xlates and connections information together in its output?
A. show conn
B. show conn detail
C. show xlate
D. show asp
E. show local-host
Answer: E

QUESTION NO: 35
By default, how does the Cisco ASA authenticate itself to the Cisco ASDM users?
A. The administrator validates the Cisco ASA by examining the factory built-in identity certificate thumbprint of the Cisco ASA.
B. The Cisco ASA automatically creates and uses a persistent self-signed X.509 certificate to authenticate itself to the administrator
C. The Cisco ASA automatically creates a self-signed X.509 certificate on each reboot to authenticate itself to the administrator.
D. The Cisco ASA and the administrator use a mutual password to authenticate each other.
E. The Cisco ASA authenticates itself to the administrator using a one-time password.
Answer: C

QUESTION NO: 36
Refer to the exhibit. Which command enables the stateful failover option?
A. failover link MYFAILOVER GigabitEthernet0/2
B. failover lan interface MYFAILOVER GigabitEthernet0/2
C. failover interface ip MYFAILOVER 172.16.5.1 255.255.255.0 standby 172.16.5.10
D. preempt
E. failover group 1 primary
F. failover lan unit primary
Answer: A

QUESTION NO: 37
On Cisco ASA version 8.2, which four inspections are enabled by default in the global_policy? (Choose four.)
A. HTTP
B. ESMTP
C. SKINNY
D. ICMP
E. TFTP
F. SIP
Answer: B,C,E,F

QUESTION NO: 38
Which flag shown in the output of the show conn command is used to indicate that an initial SYN packet is from the outside (lower security-level interface)?
A. B
B. D
C. b
D. A
E. a
F. I
G. 1
H. O
Answer: A

QUESTION NO: 39
Using the default modular policy framework global configuration on the Cisco ASA, how does the Cisco ASA process outbound HTTP traffic?
A. HTTP flows match the inspection_default traffic class and are inspected using HTTP inspection.
B. HTTP flows are not permitted through the Cisco ASA, because HTTP is not inspected by default.
C. HTTP outbound traffic is permitted, but all return HTTP traffic is denied.
D. HTTP flows are statefully inspected using TCP stateful inspection.
Answer: D

QUESTION NO: 40
Which feature is not supported on the Cisco ASA 5505 with the Security Plus license?
A. security contexts
B. stateless active/standby failover
C. transparent firewall
D. threat detection
E. traffic shaping
Answer: A

QUESTION NO: 41
What is the first configuration step when using Cisco ASDM to configure a new Layer 3/4 inspection policy on the Cisco ASA?
A. Create the ACLs to be referenced by any of the new class maps.
B. Create a new class map.
C. Create a new service policy rule.
D. Create a new policy map and apply actions to the traffic classes.
E. Disable the default global inspection policy.
F. Create a new firewall access rule.
Answer: C

QUESTION NO: 42
Which statement about the Cisco ASA 5505 configuration is true?
A. With the default factory configuration, Cisco ASDM access is not enabled.
B. With the default factory configuration, the management interface (management 0/0) is configured with the 192.168.1.1/24 IP address
C. The switchport access vlan command can be used to assign the VLAN to each physical interface (ethernet 0/0 to ethernet 0/7).
D. With the default factory configuration, both the inside and outside interface will use DHCP to acquire its IP address.
E. The IP address is configured under the physical interface (ethernet 0/0 to ethernet 0/7).
Answer: C

QUESTION NO: 43
Refer to the exhibit. What does the * next to the CTX security context indicate?
A. The CTX context is the active context on the Cisco ASA.
B. The CTX context is the standby context on the Cisco ASA.
C. The CTX context contains the system configurations.
D. The CTX context has the admin role.
Answer: D

QUESTION NO: 44
Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only the debug output to syslog? (Choose three.)
A. logging list test message 711001
B. logging debug-trace
C. logging trap debugging
D. logging message 711001 level 7
E. logging trap test
Answer: B,C,D

QUESTION NO: 45
Refer to the exhibit. Which two configurations are required on the Cisco ASAs so that the return traffic from the 10.20.10.100 outside server back to the 10.10.10.100 inside client can be rerouted from the Active CtxB context in ASA Two to the Active Ctx A context in ASA One? (Choose two.)
A. stateful active/active failover
B. dynamic routing (EIGRP or OSPF or RIP)
C. ASR-group
D. no NAT-control
E. policy-based routing
F. TCP/UDP connections replication
Answer: A,C

QUESTION NO: 46
Where in the ACS are the individual downloadable ACL statements configured to achieve the most scalable deployment?
A. Group Setup
B. User Setup
C. Shared Profile Components
D. Network Access Profiles
E. Network Configuration
F. Interface Configuration
Answer: C

QUESTION NO: 47
Which two methods can be used to access the Cisco AIP-SSM CLI? (Choose two.)
A. initiating an SSH connection to the Cisco AIP-SSM external management Ethernet port
B. connecting to the console port on the Cisco AIP-SSM
C. using the setup command on the Cisco ASA CLI
D. using the session 1 command on the Cisco ASA CLI
E. using the hw-module command on the Cisco ASA CLI
Answer: A,D

QUESTION NO: 48
Refer to the exhibit. Which three CLI configuration commands result from this configuration? (Choose three.)
A. global (outside) 1 192.168.11
B. nat (inside) 1 10.16.1.1
C. static (inside,outside) 192.168.1.1 10.16.1.1 netmask 255.255.255.255 tcp 0 0 udp 0
D. static (inside,outside) tcp 192.168.1.1 80 10.16.1.1 80
E. access-list outside_access_in line 1 extended permit tcp any host 192.168.1.1 eq http
F. access-list outside_access_in line 1 extended permit tcp any host 10.16.1.1 eq http
G. access-group outside_access_in outside in
H. access-group outside_access_in inside in
Answer: C,E,G

QUESTION NO: 49
Which three configuration options are available when configuring static routes on the Cisco ASA? (Choose three.)
A. Change the default metric (admin distance) from 1 to some other value.
B. Enable route tracking.
C. Specify the static route as the default tunnel gateway for VPN traffic.
D. Specify that the static route will not be removed, even if the interface shuts down.
E. Specify a tag value to the static route that can be used as a "match" value for controlling redistribution via route maps.
Answer: A,B,C

QUESTION NO: 50
On the Cisco ASA, what is the default access rule if no user-defined access lists are defined on the interfaces?
A. All inbound connections from the lower-security interfaces to the higher-security interfaces are permitted.
B. All outbound connections from the higher-security interfaces to the lower-security interfaces are permitted.
C. All IP traffic between interfaces with the same security level are permitted.
D. All IP traffic in and out of the same interface is permitted.
E. All IP traffic is denied.
Answer: B

QUESTION NO: 51
When the Cisco ASA detects scanning attacks, how long is the attacker who is performing the scan shunned?
A. 120 seconds
B. 600 seconds
C. 1200 seconds
D. 3600 seconds
E. 6000 seconds
Answer: D

QUESTION NO: 52
The ASA administrator wants to configure Botnet Traffic Filter using the dynamic database but it is not working properly after the initial configuration has been entered. What other configuration is missing?
A. Enabling DNS Snooping
B. Enabling Botnet Traffic Filtering on at least one of the ASA interface
C. Enabling the ASA to periodically download the dynamic database from Cisco
D. Enabling DNS inspection globally
E. Configuring the manual white and black lists
Answer: A,D
Explanation:
If the "DNS Snooping Enabled" box is checked then "DNS Snooping" is enabled. If the interface is global then DNS inspection is enabled globally.
For answer B, Enabling Botnet Traffic Filtering on at least one of the ASA interface: If any of the boxes are checked then Botnet filtering is enabled on at least one of the interfaces.
For answer C, Enabling the ASA to periodically download the dynamic database from Cisco: Check if the "Use Botnet data dynamically downloaded from Update Server" is checked as shown above.
For answer E, Configuring the manual white and black lists: Verify if White or Black lists are configured.

QUESTION NO: 53
Which two statements about the Cisco ASA configuration are true? (Choose two.)
A. NAT Control is enabled
B. The Cisco ASA is setup as the DHCP server for hosts on the inside and outside interfaces
C. All IP traffic is permitted from the inside host to the outside
D. All hosts on the inside and on the outside can access Cisco ASDM
E. Access to the CLI in privileged mode will be authenticated using the LOCAL database on the Cisco ASA
F. The ASA is using a persistent self-signed certificate so users can authenticate the Cisco ASA when accessing it via Cisco ASDM
Answer: A,B
Explanation:
Verify each of the configuration options related to an answer option as shown below:
For answer A, NAT Control is enabled: If the box is checked "NAT Control" is enabled.
For answer B, The Cisco ASA is setup as the DHCP server for hosts on the inside and outside interfaces: Verify which "DHCP Enabled" field is enabled next to each interface.
For answer C, All IP traffic is permitted from the inside host to the outside: Verify the access rules on the inside interface. Note that the access rule in the example above reflects all traffic from the inside to any destination, but option C asks if there is an access rule from the inside to the outside specifically, so this does not satisfy option C.
For answer D, All hosts on the inside and on the outside can access Cisco ASDM: Verify that access is permitted from the inside and outside for ASDM access.
For answer E, Access to the CLI in privileged mode will be authenticated using the LOCAL database on the Cisco ASA: Verify if the "Require authentication to allow use of privileged mode commands" is configured for local access.
For answer F, The ASA is using a persistent self-signed certificate so users can authenticate the Cisco ASA when accessing it via Cisco ASDM: Verify if a certificate has been configured.

QUESTION NO: 54
On the Cisco ASA, tcp-map can be applied to a traffic class using which MPF CLI configuration command?
A. inspect
B. sysopt connection
C. tcp-options
D. parameters
E. set connection advanced-options
Answer: E

QUESTION NO: 55
On the Cisco ASA, where are the Layer 5-7 policy maps applied?
A. inside the Layer 3-4 policy map
B. inside the Layer 3-4 class map
C. inside the Layer 5-7 class map
D. inside the Layer 3-4 service policy
E. inside the Layer 5-7 service policy
Answer: A

QUESTION NO: 56
Refer to the exhibit. Which two options will result from the Cisco ASA configuration? (Choose two.)
A. The inside web client will use the 209.165.200.230 IP address to reach the web server and the Cisco ASA will translate the 209.165.200.230 IP address to the 192.168.100.1 IP address.
B. The global IP address of the web server is 209.165.200.230.
C. The outside hosts can use the 192.168.100.1 IP address to reach the web server on the inside network.
D. The Cisco ASA will translate the DNS A-Record reply from the DNS server to any inside client for the web server (web server IP = 192.168.100.1).
E. The web server will be reachable only from the inside.
F. The web server will be reachable only from the outside.
Answer: B,D

QUESTION NO: 57
The Cisco ASA is configured in multiple mode and the security contexts share the same outside physical interface. Which two packet classification methods can be used by the Cisco ASA to determine which security context to forward the incoming traffic from the outside interface? (Choose two.)
A. unique interface IP address
B. unique interface MAC address
C. routing table lookup
D. MAC address table lookup
E. unique global mapped IP addresses
Answer: B,E

QUESTION NO: 58
With Cisco ASA active/active or active/standby stateful failover, which state information or table is not passed between the active and standby Cisco ASA by default?
A. NAT translation table
B. TCP connection states
C. UDP connection states
D. ARP table
E. HTTP connection table
Answer: E

QUESTION NO: 59
Refer to the exhibit. What requirement is mandatory when configuring a Cisco ASA to operate in transparent firewall mode?
A. IP routing must be disabled on the Cisco ASA using the no ip routing global configuration command.
B. The Cisco ASA must be configured to use the same MAC address on its outside and inside interfaces.
C. ARP inspection must be enabled on both the inside and outside interfaces using the arp-inspection interface-name enable flood command.
D. An inbound EtherType ACL is required on the inside and outside interfaces to permit ARP traffic.
E. Both the inside and outside interfaces must be configured with the same security level.
F. The management IP address of the Cisco ASA configured with the ip address global configuration command must belong in the 10.0.1.0/24 subnet.
Answer: F

QUESTION NO: 60
Refer to the exhibit. Which two statements are true? (Choose two.)
A. The connection is a DNS connection.
B. The connection is an incomplete TCP connection.
C. The connection is awaiting outside ACK to SYN.
D. The connection is active and has received inbound and outbound data.
E. The connection is initiated from the inside.
Answer: B,C

QUESTION NO: 61
Which five options are valid logging destinations for the Cisco ASA? (Choose five.)
A. AAA server
B. Cisco ASDM
C. buffer
D. SNMP traps
E. LDAP server
F. email
G. TCP-based secure syslog server
Answer: B,C,D,F,G

QUESTION NO: 62
When troubleshooting redundant interface operations on the Cisco ASA, which configuration should be verified?
A. The duplex and speed configuration on the logical redundant interface are correct.
B. The active interface is sending periodic hellos to the standby interface.
C. The MAC address configuration on the member physical interfaces are identical.
D. The IP address configuration on the logical redundant interface is correct.
E. The nameif configuration on the member physical interfaces are identical.
Answer: D

QUESTION NO: 63
What mechanism is used on the Cisco ASA to map IP addresses to domain names that are contained in the botnet traffic filter dynamic database or local blacklist?
A. HTTP inspection
B. DNS inspection and snooping
C. WebACL
D. dynamic botnet database fetches (updates)
E. static blacklist
F. static white list
Answer: B

QUESTION NO: 64
Which three statements about traffic shaping capability on the Cisco ASA are true? (Choose three.)
A. Traffic shaping can be applied to all outgoing traffic on a physical interface or in the case of the Cisco ASA 5505, on a VLAN
B. Traffic shaping can be applied in the input or output direction.
C. Traffic shaping is not supported on the Cisco ASA 5580.
D. You can configure both traffic shaping and priority queueing on the same interface.
E. Traffic shaping can cause jitter and delay.
Answer: A,C,E

QUESTION NO: 65
Refer to the exhibit. Which statement about the policy map named test is true?
A. Only HTTP inspection will be applied to the TCP port 21 traffic.
B. Only FTP inspection will be applied to the TCP port 21 traffic.
C. Both HTTP and FTP inspections will be applied to the TCP port 21 traffic.
D. No inspection will be applied to the TCP port 21 traffic, because the http class map configuration conflicts with the ftp class map
E. All FTP traffic will be denied, because the FTP traffic will fail the HTTP inspection.
Answer: A

QUESTION NO: 66
When troubleshooting a Cisco ASA (running 8.2) that is operating in transparent firewall mode, what should you verify to ensure proper operation?
A. The Cisco ASA has not been configured for inside static or dynamic NAT.
B. The Cisco ASA global IP address belongs to the same subnet as the directly connected interfaces.
C. The Cisco ASA is configured for ARP inspection.
D. The Cisco ASA is using a dedicated management interface for management access.
E. The outside and inside interface are connected to different Layer 3 subnets.
Answer: B

QUESTION NO: 67
Which Cisco ASA object group type offers the most flexibility for grouping different services together based on arbitrary protocols?
A. network
B. ICMP
C. protocol
D. TCP-UDP
E. service
Answer: E

QUESTION NO: 68 DRAG DROP
Answer:
Explanation:
5505 – contains eight FastEthernet Layer 2 switch ports
5510 – Security Plus license will support two GE interfaces
5520/5540 – contains four fixed 10/100/1000 Ethernet ports
5550 – contains two internal buses (Bus 0 and Bus 1)
5580 – contains two onboard GE ports for OOB mgmt access

QUESTION NO: 69
Which three parameters are set using the set connection command within a policy map on the Cisco ASA 8.2 release? (Choose three.)
A. per-client TCP and/or UDP idle timeout
B. per-client TCP and/or UDP maximum session time
C. TCP sequence number randomization
D. maximum number of simultaneous embryonic connections
E. maximum number of simultaneous TCP and/or UDP connections
F. fragments reassembly options
Answer: C,D,E

QUESTION NO: 70 DRAG DROP

QUESTION NO: 71 DRAG DROP
Answer:
Explanation:

QUESTION NO: 72 Review the image below. What configuration would be accomplished by configuring the "Set ASDM Defined User Roles"?
A. Allows the configuration of predefined user account privileges.
B. ?
C. ?
D. ?
E. ?
F. ?
Answer: A
Explanation:

QUESTION NO: 73 Examine the diagram below. The ASA is configured as a transparent mode firewall. What configuration would be needed to allow OSPF to function across the ASA in transparent firewall mode?
A. Create an access list on the inside and outside interface to permit multicast traffic.
B. ?
C. ?
D. ?
E. ?
F. ?
Answer: A
Explanation:

QUESTION NO: 74 If an ASA is configured with overlapping NAT/PAT rules, the ASA will apply the rules in a specific order. Which rule will be applied first?
A. Policy NAT
B. Static NAT
C. Static PAT
D. Dynamic NAT
E. Dynamic PAT
F. NAT exemption
Answer: F

QUESTION NO: 75 Which features are available by default with the CSC-SSM base license? (Choose three.)
A. Antispam
B. Antivirus
C. Antispyware
D. HTTP & FTP file blocking
E. URL blocking and filtering
F. Antiphishing
G. Email content control
Answer: B, C, D
Explanation:

QUESTION NO: 76 With active/standby failover, what happens if the standby Cisco ASA does not receive three consecutive hello messages from the active Cisco ASA on the LAN failover interface?
A. The standby ASA sends additional hello packets on all monitored interfaces, including the LAN failover interface, to determine if the active ASA has failed.
B. The standby ASA runs network activity tests, including ARP and ping, to determine if the active ASA has expired.
C. The standby ASA immediately becomes the active ASA.
D. Both ASAs go to the "unknown" state until the LAN interface becomes operational again.
E. The standby ASA eventually becomes the active ASA after three times the hold-down time interval expires.
Answer: A
Explanation:

QUESTION NO: 77 When a Cisco ASA is configured in multiple context mode, within which configuration are the interfaces allocated to the security contexts?
A. each security context
B. system configuration
C. admin context (context with the "admin" role)
D. context startup configuration file (.cfg file)
Answer: B
Explanation:

QUESTION NO: 78 Which statement about the Cisco ASA 5505 configuration is true?
A. The IP address is configured under the physical interface (ethernet 0/0 to ethernet 0/7).
B. The switchport access vlan command can be used to assign the VLAN to each physical interface (ethernet 0/0 to ethernet 0/7).
C. With the default factory configuration, the management interface (management 0/0) is configured with the 192.168.1.1/24 IP address.
D. With the default factory configuration, Cisco ASDM access is not enabled.
E. With the default factory configuration, both the inside and outside interfaces will use DHCP to acquire their IP addresses.
Answer: B
Explanation:

QUESTION NO: 79 Refer to the exhibit. Which command enables the stateful failover option?
A. failover link MYFAILOVER GigabitEthernet0/2
B. failover lan interface MYFAILOVER GigabitEthernet0/2
C. failover interface ip MYFAILOVER 172.16.5.1 255.255.255.0 standby 172.16.5.10
D. preempt
E. failover group 1 primary
F. failover lan unit primary
Answer: A
Explanation:

QUESTION NO: 80 On the Cisco ASA, what is the default access rule if no user-defined access lists are defined on the interfaces?
A. All inbound connections from the lower-security interfaces to the higher-security interface are permitted.
B. All outbound connections from the higher-security interfaces to the lower-security interface are permitted.
C. All IP traffic between interfaces with the same security level is permitted.
D. All IP traffic is denied.
E. All IP traffic in and out of the same interface is permitted.
Answer: B
Explanation:

QUESTION NO: 81 Which Cisco ASA feature enables the ASA to do these two things? 1) Act as a proxy for the server and generate a SYN-ACK response to the client SYN request. 2) When the Cisco ASA receives an ACK back from the client, the Cisco ASA authenticates the client and allows the connection to the server.
A. TCP normalizer
B. TCP state bypass
C. TCP intercept
D. basic threat detection
E. advanced threat detection
F. botnet traffic filter
Answer: C
Explanation:

QUESTION NO: 82 Refer to the exhibit. Which two functions will the Set ASDM Defined User Roles perform? (Choose two.)
A. enables role-based privilege levels for most Cisco ASA commands
B. enables the Cisco ASDM user to assign privilege levels manually to individual commands or groups of commands
C. enables command authorization with a remote TACACS+ server
D. enables three predefined user account privileges (Admin=Priv 15, Read Only=Priv 5, Monitor Only=Priv 3)
Answer: C, D
Explanation:

QUESTION NO: 83 CORRECT TEXT
Instructions
This item contains a simulation task. Refer to the scenario and topology before you start. When you are ready, open the Topology window and click the required device to open the GUI window on a virtual terminal. Scroll to view all parts of the Cisco ASDM screens.
Scenario
Click the PC icon to launch Cisco ASDM. You have access to a Cisco ASA 5505 via Cisco ASDM. Use Cisco ASDM to edit the Cisco ASA 5505 configuration to enable advanced HTTP application inspection by completing the following tasks:
1. Enable HTTP inspection globally on the Cisco ASA
2. Create a new HTTP inspect map named http-inspect-map to:
a. Enable the dropping of any HTTP connections that encounter HTTP protocol violations
b. Enable the dropping and logging of any HTTP connections when the content type in the HTTP response does not match one of the MIME types in the Accept field of the HTTP request
Note: In the simulation, you will not be able to test the HTTP inspection policy after you complete your configuration. Not all Cisco ASDM screens are fully functional.


Answer: Here is the step-by-step solution:
Explanation:
1. Go to Configuration >> Firewall >> Objects >> Inspect Maps >> HTTP >> Add >> enter the name "http-inspect-map" >> click Details >>
a. Select "Check for protocol violations"
b. Action: Drop Connection
c. Log: Enable
d. Click the Inspections tab, then click Add
e. Select Single Match >> Match type: Match
f. Criterion: Request/Response Content Type Mismatch
g. Action: Drop Connection
h. Log: Enable
OK >> OK >> Apply
The equivalent CLI configuration (the content-type check is the req-resp content-type mismatch criterion, and the map must be attached to the global service policy for task 1):
policy-map type inspect http http-inspect-map
 parameters
  protocol-violation action drop-connection log
 match req-resp content-type mismatch
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http http-inspect-map

QUESTION NO: 84 Which statement about SNMP support on the Cisco ASA running version 8.2 is true?
A. Only supports running SNMP versions 1 and 2c simultaneously.
B. Supports both read-only and read-write access.
C. Supports three SNMPv3 groups: Authentication and Encryption, Authentication Only, and No Authentication.
D. The Cisco ASA can send SNMP traps to the network management station only using SNMPv2.
Answer: C
Explanation:

QUESTION NO: 85 Refer to the exhibit. Which statement about the NAT/PAT configuration is true?
A. Static NAT is used for any IP traffic that is sourced from the dmz_webserver to the outside.
B. Static PAT is used for any IP traffic that is sourced from the dmz_emailserver to the outside.
C. Dynamic NAT is used for any IP traffic that is sourced from the dmz_emailserver to the outside.
D. Dynamic PAT is used for any IP traffic that is sourced from the dmz_emailserver to the outside.
E. Dynamic PAT is used for any IP traffic that is sourced from any host on the inside network to the outside.
F. Dynamic NAT is used for any IP traffic that is sourced from any host on the guest network to the outside.
Answer: B

QUESTION NO: 86 CORRECT TEXT
Answer: Here is the step-by-step configuration:
Explanation:

Click "Edit". Select the "Rule Actions" tab and check HTTP.
** This satisfies part 1 of the question, "Enable HTTP inspection globally on the Cisco ASA".

Click the Configure button to the right of "HTTP" and select the radio button to the left of "Select an HTTP inspect map for fine control over inspection".

Enter "http-inspect-map" in the Name field of the HTTP inspect map.
** This satisfies part 2 of the question, "Create a new inspect map named http-inspect-map".
Click the "Details" button.

In the Details window, "Check for protocol violations" is selected and the action "Drop Connection" is also selected by default.
** This satisfies part 2a of the question, "Enable the dropping of any HTTP connections that encounter HTTP protocol violations".
Click the "Inspections" tab in the "Add HTTP Inspect Map" window. Click "Add".

The default settings of the "Add HTTP Inspect" window are:
- Single match
- Match type: Match
- Criterion: Request/Response Content Type Mismatch
- Action: Drop Connection
- Log: Enable
** This satisfies part 2b of the question, "Enable the dropping and logging of any HTTP connections when the content type in the HTTP response does not match one of the MIME types in the Accept field of the HTTP request".
Click "OK".

Click "OK". Click "OK".

Click "OK". Click "Apply".

If "Preview commands" has been configured in the ASDM preferences, the following window will appear showing the CLI commands that will be applied to the ASA. Click "Send".

Select File > Exit. Click "Save". Click "Yes".
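The two checks that the http-inspect-map from QUESTION NO: 83 and QUESTION NO: 86 applies (drop on an HTTP protocol violation; drop and log on a request/response content-type mismatch) are easier to reason about when run against concrete messages. The Python below is an added example, not code from the exam dump or from Cisco: the ASA's own HTTP parser is not public, so the protocol-violation test here is a simple well-formedness check of the request line, status line and header fields, and the content-type test follows RFC 7231 Accept semantics (type/subtype ranges, wildcards, q=0 exclusion) rather than any documented ASA rule. It also assumes the mismatch check is skipped when either the Accept or the Content-Type header is absent. The sample HTTP messages are constructed for the example.

```python
"""Model of the two checks the http-inspect-map performs (added example only):
   1. protocol violation             -> drop-connection
   2. req-resp content-type mismatch -> drop-connection, with a log message
The parsing and Accept-matching rules are this example's own, not Cisco's."""
import re
from dataclasses import dataclass

# Request line, status line and header-field syntax for HTTP/1.x.
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d \d{3}( .*)?$")
HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


@dataclass
class Verdict:
    action: str   # "pass" or "drop-connection"
    log: bool     # whether the inspect map would also generate a syslog
    reason: str


def _parse_head(raw: bytes):
    """Return (start line, {lower-case field name: value}) for a message head.
    Raises ValueError for anything that is not well-formed HTTP/1.x."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII byte in message head") from exc
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        m = HEADER_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed header line {line!r}")
        headers[m.group(1).lower()] = m.group(2)
    return lines[0], headers


def parse_request(raw: bytes) -> dict:
    start, headers = _parse_head(raw)
    if REQUEST_LINE.match(start) is None:
        raise ValueError(f"malformed request line {start!r}")
    return headers


def parse_response(raw: bytes) -> dict:
    start, headers = _parse_head(raw)
    if STATUS_LINE.match(start) is None:
        raise ValueError(f"malformed status line {start!r}")
    return headers


def parse_accept(value: str):
    """Accept header value -> list of (type, subtype, q); a missing q means 1.0."""
    ranges = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0]:
            continue
        mtype, _, msub = parts[0].partition("/")
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        ranges.append((mtype.lower(), msub.lower() or "*", q))
    return ranges


def content_type_acceptable(accept: str, content_type: str) -> bool:
    """True if the response media type matches an Accept range with q > 0.
    The most specific matching range decides (RFC 7231 section 5.3.2), so
    'text/*, */*;q=0' accepts text/plain but rejects image/png."""
    mtype, _, msub = content_type.split(";", 1)[0].strip().lower().partition("/")
    best = None  # (specificity, q) of the most specific matching range
    for rtype, rsub, q in parse_accept(accept):
        if (rtype, rsub) == ("*", "*"):
            spec = 0
        elif rtype == mtype and rsub == "*":
            spec = 1
        elif rtype == mtype and rsub == msub:
            spec = 2
        else:
            continue
        if best is None or spec > best[0]:
            best = (spec, q)
    return best is not None and best[1] > 0


def inspect_exchange(request: bytes, response: bytes) -> Verdict:
    """Apply the two checks in the order the inspect map lists them."""
    try:
        req = parse_request(request)
        resp = parse_response(response)
    except ValueError as exc:
        return Verdict("drop-connection", False, f"protocol violation: {exc}")
    accept, ctype = req.get("accept"), resp.get("content-type")
    # Assumption: the mismatch check only fires when both headers are present.
    if accept and ctype and not content_type_acceptable(accept, ctype):
        return Verdict("drop-connection", True,
                       f"content-type mismatch: {ctype!r} not acceptable for {accept!r}")
    return Verdict("pass", False, "ok")


# Constructed sample messages (not captured traffic).
GOOD_REQ = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Accept: text/html, application/xhtml+xml;q=0.9, */*;q=0.1\r\n\r\n")
GOOD_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 0\r\n\r\n"
JSON_REQ = b"GET /api/v1/items HTTP/1.1\r\nHost: www.example.com\r\nAccept: application/json\r\n\r\n"
EXE_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 0\r\n\r\n"
BAD_REQ = b"GET /index.html HTTP/1.1\r\nHost www.example.com\r\n\r\n"  # header line without ':'

if __name__ == "__main__":
    for req, resp in ((GOOD_REQ, GOOD_RESP), (JSON_REQ, EXE_RESP), (BAD_REQ, GOOD_RESP)):
        v = inspect_exchange(req, resp)
        print(f"{v.action:16} log={v.log!s:5} {v.reason}")
```

Running the block prints one verdict per sample pair: the well-formed HTML exchange passes, the JSON request answered with application/octet-stream is dropped and logged, and the request with a broken header line is dropped without a log entry, which is exactly the split between parts 2a and 2b of the task. The practical caveat the model makes visible is that the mismatch criterion is only as strict as the client's Accept header: a request carrying Accept: */* can never trigger it, so the check is a sanity filter, not a substitute for content-type validation on the server.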
