642-648 - Deploying Cisco ASA VPN Solutions (VPN v2.0)

Go back to Cisco

Example Questions

In the CLI snippet that is shown, what is the function of the deny option in the access list? You have been using pre-shared keys for IKE authentication on your VPN. Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you enable scaling to numerous IPsec peers? A new NOC engineer is troubleshooting a VPN connection. Which statement about the fields within the Cisco VPN Client Statistics screen is correct? Upon receiving a digital certificate, what are three steps that a Cisco ASA performs to authenticate the digital certificate? (Choose three.) Which two statements about the Cisco ASA cluster load-balancing feature are correct? (Choose two.) When an SSL VPN user, contractor1, enters https://192.168.4.2 (the outside address of the Cisco ASA appliance) into the browser, an SSL VPN Login screen appears. In addition to the information that is contained in the Cisco ASDM configuration screens, what can an administrator determine about the state of the connection after the user clicks the Login button? Today was the first day on a new project for an offsite temporary worker at the XYZ Corporation. The worker was told to launch the SSL VPN session and then use the smart tunnel application to start a remote desktop application on the project server, projects_server.xyz.com. The worker looked at the portal screen that was provided, but she did not know how to access the smart tunnel application. As the help desk person, what should you instruct the temporary worker to do? When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or PAT, which type of VPN tunneling should you use to allow the VPN traffic through the stateful firewall? Which two options are correct regarding IKE and IPv6 VPN support on the Cisco ASA using version 8.4? (Choose two.) If CRL checking is enabled on the Cisco ASA, where can the Cisco ASA find the CRL? A Unified Communications Certificate is used on the Cisco ASA appliance to support which option? After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in Cisco ASDM? In clientless SSL VPN, administrators can control user access to the internal network or resources of a company. What is this control based on? While troubleshooting on a remote-access VPN application, a new NOC engineer received the message that is shown. What is the most likely cause of the problem? While configuring a new clientless SSL VPN group in Cisco ASDM, the administrator chooses to accept a number of the default parameter values. The administrator decides to view the actual value for the parameter, rather than just checking the inherit box. Under which default group can the administrator verify the default value for the group parameter? Your corporate finance department purchased a new non-web-based TCP application tool to run on one of its servers. Certain finance employees need remote access to the software during nonbusiness hours. These employees do not have "admin" privileges to their PCs. What is the correct way to configure the SSL VPN tunnel to allow this application to run? Which statement is true about configuring the Cisco ASA for Active/Standby failover? Which statement is true regarding Cisco ASA stateful failover? Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL VPN session. Which statement is correct concerning the SSL VPN authorization process? Which option limits a clientless SSL VPN user to specific resources upon successful login? The "level_2" digital certificate was installed on a laptop.What can cause an "invaliD. not active" status message? Which statement is correct regarding IKEv2 when implementing IPsec site-to-site VPNs? What is a valid reason for configuring a list of backup servers on the Cisco AnyConnect VPN Client profile? When initiating a new SSL or TLS session, the client receives the server SSL certificate and validates it. After validating the server certificate, what does the client use the certificate for? Some users are having problems connecting via clientless SSL VPN, while other users are experiencing no problems. What is one possible cause of this issue? When deploying clientless SSL VPNs, what should you do to support external unmanaged VPN clients? What is the likely cause of the failure? You are the network security administrator. You receive a call from a user stating that he cannot log onto the network. In the process of troubleshooting, you determine that this user is accessing the network via certificate-based Cisco AnyConnect SSL VPN. What is a troubleshooting step that you should perform to determine the cause of the access problem? Which feature is supported when implementing an IPsec VPN configuration using IKEv2? When a VPN client that is using redundant peering and has obtained an IP address from the primary VPN gateway loses connection to that gateway, how is traffic rerouted? What are three methods for VPN address assignment? (Choose three.) A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a question about a line in the log. The IP address 172.26.26.30 is attached to which interface in the network? For the ABC Corporation, members of the NOC need the ability to select tunnel groups from a drop-down menu on the Cisco WebVPN login page. As the Cisco ASA administrator, how would you accomplish this task? The ABC Corporation is changing remote-user authentication from pre-shared keys to certificate-based authentication. For most employee authentication, its group membership (the employees) governs corporate access. Certain management personnel need access to more confidential servers. Access is based on the group and name, such as finance and level_2. When it is time to pilot the new authentication policy, a finance manager is able to access the department-assigned servers but cannot access the restricted servers. As the network engineer, where would you look for the problem? A temporary worker must use clientless SSL VPN with an SSH plug-in, in order to access the console of an internal corporate server, the projects.xyz.com server. For security reasons, the network security auditor insists that the temporary user is restricted to the one internal corporate server, 10.0.4.18. You are the network engineer who is responsible for the network access of the temporary user. What should you do to restrict SSH access to the one projects.xyz.com server? A NOC engineer needs to tune some postlogin parameters on an SSL VPN tunnel. From the information shown, where should the engineer navigate to, in order to find all the postlogin session parameters? Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the validation of two sets of username and password credentials on the SSL VPN login page? In the Edit Certificate Matching Rule Criterion window, you want to change the Mapped to Connection Profile. However, you cannot perform that action from this window. Where should you navigate to and what should you do, in order to perform this change? You have just configured new clientless SSL VPN access parameters. However, when users connect, they are not getting the expected access that was configured. What is one possible reason this is occurring? Which statement is correct concerning the trusted network detection (TND) feature? You are the network security administrator. You have received calls from site-to-site IPsec VPN users saying that they cannot connect into the network. In troubleshooting this problem, you discover that some sites can connect, but other sites cannot. It is not always the same sites experiencing problems. You suspect that the permitted number of simultaneous logins has been reached and needs to be increased. In which configuration window or tab should you accomplish this task? Given the example that is shown, what can you determine? When using clientless SSL VPN, you might not want some applications or web resources to go through the Cisco ASA appliance. For these application and web resources, as a Cisco ASA administrator, which configuration should you use? When you are testing SSL VPN in a non-production environment, certain variables in the Cisco ASDM session details can be viewed or changed under Configuration > AnyConnect Connection Profiles. Which parameter can be viewed or changed in the AnyConnect Connection Profiles? The user "contractor" inherits which VPN group policy? An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation headquarters, tried to access the XYZ sales demonstration folder to transfer a demonstration via FTP from an ABC conference room behind the firewall. The engineer could not reach XYZ through the remote-access VPN tunnel. From home the previous day, however, the engineer did connect to the XYZ sales demonstration folder and transferred the demonstration via IPsec over DSL. To get the connection to work and transfer the demonstration, what should the engineer do? When configuring dead peer detection for remote-access VPN, what does the confidence level parameter represent? The software-based Cisco IPsec VPN Client solution uses bidirectional authentication, in which the client authenticates the Cisco ASA, and the Cisco ASA authenticates the user. Which three methods are software-based Cisco IPsec VPN Client to Cisco ASA authentication methods? (Choose three.) Which three statements concerning keystroke logger detection are correct? (Choose three.) Which statement about CRL configuration is correct?

Study Guides

Ccnp Security Vpn 642-648 Offical Cert G by Howard Hooper (2013-07-31)