642-618 - Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0)
Which two Cisco ASA configuration tasks are necessary to allow authenticated BGP sessions to pass through the Cisco ASA appliance? (Choose two.)
Configure the Cisco ASA TCP normalizer to permit TCP option 19.
Configure the Cisco ASA TCP normalizer to disable TCP ISN randomization for the BGP flows.
Which two Cisco ASA licensing features are correct with Cisco ASA Software Version 8.3 and later? (Choose two.)
Identical licenses are not required on the primary and secondary Cisco ASA appliance.
Time-based licenses are stackable in duration but not in capacity.
In the default global policy, which traffic is matched for inspections by default?
Which additional active/standby failover feature was introduced in Cisco ASA Software Version 8.4?
OSPF and EIGRP routing protocol stateful failover
Which Cisco ASA object group type offers the most flexibility for grouping different services together based on arbitrary protocols?
Which statement about Cisco ASA multicast routing support is true?
The Cisco ASA appliance supports either stub multicast routing or PIM, but both cannot be enabled at the same time.
Which Cisco ASA show command groups the xlates and connections information together in its output?
Using the default modular policy framework global configuration on the Cisco ASA, how does the Cisco ASA process outbound HTTP traffic?
HTTP flows are statefully inspected using TCP stateful inspection.
Which other match command is used with the match flow ip destination-address command within the class map configurations of the Cisco ASA MPF?
Which configuration step (if any) is necessary to enable FTP inspection on TCP port 2121?
Create a new class map to match TCP port 2121, then edit the global policy to inspect FTP for traffic matched by the new class map.
Which statement about the Cisco ASA 5585-X appliance is true?
All IPS traffic (except the IPS management interface traffic) must flow through the firewall/VPN SSP first before it can be redirected to the IPS SSP.
A Cisco ASA is operating in transparent firewall mode, but the MAC address table of the Cisco ASA is always empty, which causes connectivity issues. What should you verify to troubleshoot this issue?
if MAC learning has been disabled
Which Cisco ASA CLI command is used to enable HTTPS (Cisco ASDM) access from any inside host on the 10.1.16.0/20 subnet?
http 10.1.16.0 255.255.240.0 inside
Which Cisco ASA (8.4.1 and later) CLI command is the best command to use for troubleshooting SSH connectivity from the Cisco ASA appliance to the outside 192.168.1.1 server?
ping tcp 192.168.1.1 22
A Cisco ASA requires an additional feature license to enable which feature?
botnet traffic filtering
The Cisco ASA is configured in multiple mode and the security contexts share the same outside physical interface. Which two packet classification methods can be used by the Cisco ASA to determine which security context to forward the incoming traffic from the outside interface? (Choose two.)
unique interface MAC address
unique global mapped IP addresses
Where in the Cisco ASA appliance CLI are Active/Active Failover configuration parameters configured?
system execution space
Which Cisco ASA configuration is used to configure the TCP intercept feature?
the set connection command with the embryonic-conn-max option
When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.)
Verify the interface status in the system execution space.
Verify the interface status in the user context.
Which two statements about Cisco ASA failover troubleshooting are true? (Choose two.)
With active/active failover, failover link troubleshooting should be done in the system execution space.
With active/active failover, user data passing interfaces troubleshooting should be done within the context execution space.
Which access rule is disabled automatically after the global access list has been defined and applied?
the implicit interface access rule that permits all IP traffic from high security level to low security level interfaces
Which option can cause the interactive setup script not to work on a Cisco ASA 5520 appliance running software version 8.4.1?
The management 0/0 interface has not been configured as management-only and assigned a name using the nameif command.
On the Cisco ASA, tcp-map can be applied to a traffic class using which MPF CLI configuration command?
set connection advanced-options
Which statement about the Cisco ASA botnet traffic filter is true?
Static blacklist entries always have a very high threat level.
Which option lists the main tasks in the correct order to configure a new Layer 3 and 4 inspection policy on the Cisco ASA appliance using the Cisco ASDM Configuration > Firewall > Service Policy Rules pane?
1. Create a service policy rule. 2. Identify which traffic to match. 3. Apply action(s) to the traffic.
On the Cisco ASA, where are the Layer 5-7 policy maps applied?
inside the Layer 3-4 policy map
By default, not all services in the default inspection class are inspected. Which Cisco ASA CLI command do you use to determine which inspect actions are applied to the default inspection class?
show service-policy global
With Cisco ASA active/active or active/standby stateful failover, which state information or table is not passed between the active and standby Cisco ASA by default?
HTTP connection table
With Cisco ASA active/standby failover, what is needed to enable subsecond failover?
Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec.
Which configuration step is the first to enable PIM-SM on the Cisco ASA appliance?
Enable multicast routing globally on the Cisco ASA appliance.
With Cisco ASA active/standby failover, by default, how many monitored interface failures will cause failover to occur?
When troubleshooting redundant interface operations on the Cisco ASA, which configuration should be verified?
The IP address configuration on the logical redundant interface is correct.
Which statement about the Cisco ASA 5505 configuration is true?
The switchport access vlan command can be used to assign the VLAN to each physical interface (ethernet 0/0 to ethernet 0/7).
By default, which traffic can pass through a Cisco ASA that is operating in transparent mode without explicitly allowing it using an ACL?
Which logging mechanism is configured using MPF and allows high-volume traffic-related events to be exported from the Cisco ASA appliance in a more efficient and scalable manner compared to classic syslog logging?
Which statement about the default ACL logging behavior of the Cisco ASA is true?
The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured.
Which addresses are considered "ambiguous addresses" and are put on the greylist by the Cisco ASA botnet traffic filter feature?
addresses that are associated with multiple domain names, but not all of these domain names are on the blacklist
When active/active failover is implemented on the Cisco ASA, how many failover groups are supported on the Cisco ASA?
By default, how does the Cisco ASA authenticate itself to the Cisco ASDM users?
The Cisco ASA automatically creates a self-signed X.509 certificate on each reboot to authenticate itself to the administrator.
Which two statements about Cisco ASA redundant interface configuration are true? (Choose two.)
When the standby interface becomes active, the Cisco ASA sends gratuitous ARP out on the standby interface.
Each Cisco ASA supports up to eight redundant interfaces.
Which option is not supported when the Cisco ASA is operating in transparent mode and also is using multiple security contexts?
Which two methods can be used to access the Cisco AIP-SSM CLI? (Choose two.)
initiating an SSH connection to the Cisco AIP-SSM external management Ethernet port
using the session 1 command on the Cisco ASA CLI
Which feature is not supported on the Cisco ASA 5505 with the Security Plus license?
Which two configurations are the minimum needed to enable EIGRP on the Cisco ASA appliance? (Choose two.)
Enable the EIGRP routing process and specify the AS number.
Use the network command(s) to enable EIGRP on the Cisco ASA interface(s).
By default, which access rule is applied inbound to the inside interface?
All IP traffic sourced from any source to any less secure network destinations is permitted.
The Cisco ASA software image has been erased from flash memory. Which two statements about the process to recover the Cisco ASA software image are true? (Choose two.)
Access to the ROM monitor mode is required.
The server command is necessary to set the TFTP server IP address.
Which statement about SNMP support on the Cisco ASA appliance is true?
The Cisco ASA appliance supports three built-in SNMPv3 groups in Cisco ASDM: Authentication and Encryption, Authentication Only, and No Authentication, No Encryption.