642-515 - Securing Networks with ASA Advanced
Which three features can the Cisco ASA adaptive security appliance support? (Choose three.)
OSPF dynamic routing
Which three commands can display the contents of flash memory on the Cisco ASA adaptive security appliance? (Choose three.)
Which two statements about the downloadable ACL feature of the security appliance are correct? (Choose two.)
Downloadable ACLs enable you to store full ACLs on a AAA server and download them to the security appliance.
The downloadable ACL must be attached to a user or group profile on a AAA server.
Recently, a branch office of your company has upgraded its network by changing the network topology of the branch, and the site-to-site VPN tunnel that runs between the branch and the corporate office has been reconfigured to perform Reverse Route Injection to accommodate the recent change. You are running OSPF between the corporate Cisco ASA security appliance and routers on the internal network. Assuming that the VPN configuration is correct, which step must be taken on the corporate Cisco ASA security appliance to make sure that these new routes are visible to internal routers running OSPF?
Reverse Route Injection uses static routes, so you must configure OSPF to redistribute the static routes.
The security department of the P4S company wants to configure cut-through proxy authentication via RADIUS to require users to authenticate before accessing the corporate DMZ servers. Which three tasks are needed to achieve this goal? (Choose three.)
Configure a rule that specifies which traffic flow to authenticate.
Designate an authentication server.
Specify a AAA server group.
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. After configuring port forwarding for a clientless SSL VPN connection, if port forwarding is to work, which end user privilege level is required at the endpoint?
While implementing QoS, which two types of queues are available on the Cisco ASA security appliance? (Choose two.)
best effort queue
low latency queue
In the default global policy, which three traffic types are inspected by default? (Choose three.)
For the following commands, which one causes the Cisco CSC-SSM to load a new software image from a remote TFTP server, via the CLI?
hw module 1 recover boot
For configuring VLAN trunking on a security appliance interface, which three actions are mandatory? (Choose three.)
associating a logical interface with a physical interface
specifying a VLAN ID for a subinterface
specifying a name for a subinterface
The P4S security department would like to apply specific restrictions to one network user, Bob, because he works from home and accesses the corporate network from the outside interface of the security appliance. P4S decides to control network access for this user by using the downloadable ACL feature of the security appliance. Authentication of inbound traffic is already configured on the security appliance, and Bob already has a user account on the Cisco Secure ACS. Which three tasks should be completed in order to achieve the goal of limiting network access for Bob via downloadable ACLs? (Choose three.)
Configure the downloadable ACLs on the Cisco Secure ACS.
Attach the downloadable ACL to the user profile for Bob on the Cisco Secure ACS.
Configure the Cisco Secure ACS to use downloadable ACLs.
You are the administrator for Cisco ASA security appliances that are used for site-to-site VPNs between remote and corporate offices. You have used the Service Policy Rule Wizard within ASDM to configure low-latency queuing for unified communications on all the appropriate ASAs. Users are still having issues with unified communications between the remote and corporate offices. Assuming that the Cisco Unified Communications equipment is functioning properly and that the VPN configurations are correct, which of these choices is most likely the cause of the problems?
A priority queue must be created on the interface where the site-to-site VPN tunnel is terminated.
Annie is a network administrator of her company. She is responsible for a Cisco ASA security appliance. Using a valid identity certificate from her certificate authority, she has created the necessary configuration for remote-access VPN tunnels by use of the IPsec VPN Wizard. When she tests the remote-access VPN, the VPN tunnel does not come up. If the remote-access VPN configuration created by the wizard is correct and valid certificates are being used by the Cisco ASA security appliance and Cisco VPN Client, which corrective action should be configured or corrected for the VPN tunnel to come up properly?
The mapping of digital certificates to a connection profile is not part of the IPsec VPN Wizard configuration and must be configured.
Multimedia applications transmit requests on TCP, get responses on UDP or TCP, use dynamic ports, and use the same port for source and destination, so they can pose challenges to a firewall. Which three items are true about how the Cisco ASA adaptive security appliance handles multimedia applications? (Choose three.)
It dynamically opens and closes UDP ports for secure multimedia connections, so you do not need to open a large range of ports.
It supports multimedia with or without NAT.
It supports RTSP, H.323, Skinny, and CTIQBE.
You are the network administrator of your company. You would like to add SSL VPN Cisco AnyConnect VPN Client for use by remote users. After checking the Cisco software download site, you discovered a number of different versions of Cisco AnyConnect VPN Client Software available for download. If you know the Cisco ASA Adaptive Security Appliance Software version and the remote user's PC operating system, how do you determine the appropriate version of Cisco AnyConnect VPN Client to download?
The version of Cisco AnyConnect VPN Client Software and the compatible version of Cisco ASA Adaptive Security Appliance Software are based on release notes.
The IT department of your company must run a custom-built TCP application within the clientless SSL VPN portal configured on your Cisco ASA security appliance. The application should be run by users who have either guest or normal user mode privileges. In order to allow this application to run, how should you configure the clientless SSL VPN portal?
configure a smart tunnel for the application
Which one of the following commands can provide detailed information about the crypto map configurations of a Cisco ASA adaptive security appliance?
show run crypto map
Which two statements correctly describe the local user database in the security appliance? (Choose two.)
You can create user accounts with or without passwords in the local database.
You can configure the security appliance to lock a user out after the user meets a configured maximum number of failed authentication attempts.
While using IPsec VPN tunnels, which primary benefit is provided by digital certificates?
Which options can a clientless SSL VPN user access from a web browser without port forwarding, smart tunnels, or browser plug-ins?
Microsoft Outlook Web Access
files on the network, via FTP or the CIFS protocol
The Cisco ASA 5520 Adaptive Security Appliance delivers a wide range of security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise networks, in a modular, high-performance appliance. You have configured a Cisco ASA 5520 Adaptive Security Appliance as an Easy VPN hardware client. But from within Cisco ASDM, you cannot find the Easy VPN Remote configuration option within the Remote Access VPN menu. What is the reason that you cannot find this configuration option within Cisco ASDM on the ASA 5520 Adaptive Security Appliance?
Only the Cisco ASA 5505 Adaptive Security Appliance can be an Easy VPN hardware client.
What does the redundant interface feature of the security appliance accomplish?
to increase the reliability of your security appliance
What is the reason that you want to configure VLANs on a security appliance interface?
to increase the number of interfaces available to the network without adding additional physical interfaces or security appliances
Cisco Secure Desktop, an innovative feature found in Cisco's WebVPN solutions, can help organizations respond to government regulations for data protection by safeguarding the privacy and security of confidential information. After configuring Cisco Secure Desktop on your Cisco ASA security appliance, you should configure Cisco Secure Desktop to run Host Scan checks on the remote endpoint. Which three available Basic Host Scan checks can be configured? (Choose three.)
Which two options are correct about the threat detection feature of the Cisco ASA adaptive security appliance? (Choose two.)
The threat detection feature can help you determine the level of severity for packets that are detected and dropped by the security appliance inspection engines.
Scanning threat detection detects network sweeps and scans and optionally takes appropriate preventative action.
Which three statements correctly describe protocol inspection on the Cisco ASA adaptive security appliance? (Choose three.)
The protocol inspection feature of the security appliance securely opens and closes negotiated ports and IP addresses for legitimate client-server connections through the security appliance.
If inspection for a protocol is not enabled, traffic for that protocol may be blocked.
If you want to enable inspection globally for a protocol that is not inspected by default or if you want to globally disable inspection for a protocol, you can edit the default global policy.
You have been tasked to configure your Cisco ASA security appliance for multiple VLANs that use one physical interface. You must make sure that the switch in which the physical Cisco ASA security appliance interface is connected has been configured for the appropriate VLAN tagging protocol. Which VLAN tagging protocol will the Cisco ASA security appliance use to communicate with this switch?