642-648 - Deploying Cisco ASA VPN Solutions (VPN v2.0)
Go back to
Cisco
Example Questions
In the CLI snippet that is shown, what is the function of the deny option in the access list?
When set in conjunction with outbound connection-type bidirectional, its function is to prevent the specified traffic from being protected by the crypto map entry.
You have been using pre-shared keys for IKE authentication on your VPN. Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you enable scaling to numerous IPsec peers?
Migrate to external CA-based digital certificate authentication.
A new NOC engineer is troubleshooting a VPN connection. Which statement about the fields within the Cisco VPN Client Statistics screen is correct?
The IP address of the security appliance to which the Cisco VPN Client is connected is 192.168.1.2.
Upon receiving a digital certificate, what are three steps that a Cisco ASA performs to authenticate the digital certificate? (Choose three.)
The identity certificate validity period is verified against the system clock of the Cisco ASA.
The identity certificate signature is validated by using the stored root certificate.
If enabled, the Cisco ASA locates the CRL and validates the identity certificate.
Which two statements about the Cisco ASA cluster load-balancing feature are correct? (Choose two.)
The Cisco ASA load-balances remote-access VPN tunnels only.
The Cisco ASA load-balances IPsec VPN, clientless, and Cisco AnyConnect SSL VPN tunnels.
When an SSL VPN user, contractor1, enters https://192.168.4.2 (the outside address of the Cisco ASA appliance) into the browser, an SSL VPN Login screen appears. In addition to the information that is contained in the Cisco ASDM configuration screens, what can an administrator determine about the state of the connection after the user clicks the Login button?
The login will fail.
Today was the first day on a new project for an offsite temporary worker at the XYZ Corporation. The worker was told to launch the SSL VPN session and then use the smart tunnel application to start a remote desktop application on the project server, projects_server.xyz.com. The worker looked at the portal screen that was provided, but she did not know how to access the smart tunnel application. As the help desk person, what should you instruct the temporary worker to do?
Click the Applications Access button.
When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or PAT, which type of VPN tunneling should you use to allow the VPN traffic through the stateful firewall?
IPsec over TCP
Which two options are correct regarding IKE and IPv6 VPN support on the Cisco ASA using version 8.4? (Choose two.)
The Cisco ASA supports full IKEv2 IPv6 for site-to-site VPNs only.
The Cisco ASA supports IKEv1 and IKEv2 configuration on the same crypto map.
If CRL checking is enabled on the Cisco ASA, where can the Cisco ASA find the CRL?
The CRL distribution point is listed on the identity certificate.
A Unified Communications Certificate is used on the Cisco ASA appliance to support which option?
Cisco ASA VPN clustering load balancing
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?
Crypto Map
In clientless SSL VPN, administrators can control user access to the internal network or resources of a company. What is this control based on?
WebType ACLs
While troubleshooting on a remote-access VPN application, a new NOC engineer received the message that is shown. What is the most likely cause of the problem?
The IP address pool for contractors was not applied to their connection profile.
While configuring a new clientless SSL VPN group in Cisco ASDM, the administrator chooses to accept a number of the default parameter values. The administrator decides to view the actual value for the parameter, rather than just checking the inherit box. Under which default group can the administrator verify the default value for the group parameter?
DfltGrpPolicy
Your corporate finance department purchased a new non-web-based TCP application tool to run on one of its servers. Certain finance employees need remote access to the software during nonbusiness hours. These employees do not have "admin" privileges to their PCs. What is the correct way to configure the SSL VPN tunnel to allow this application to run?
Configure a smart tunnel for the application.
Which statement is true about configuring the Cisco ASA for Active/Standby failover?
VPN images, profiles, and plug-ins must be manually provisioned to both devices.
Which statement is true regarding Cisco ASA stateful failover?
Clientless features, such as smart tunnels and plug-ins, are not supported.
Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL VPN session. Which statement is correct concerning the SSL VPN authorization process?
Remote clients can be authorized externally by applying group parameters from an external database.
Which option limits a clientless SSL VPN user to specific resources upon successful login?
user-defined bookmarks
The "level_2" digital certificate was installed on a laptop.What can cause an "invaliD. not active" status message?
The CA server and laptop PC clocks are out of sync.
Which statement is correct regarding IKEv2 when implementing IPsec site-to-site VPNs?
IKE v1 and IKEv2 can coexist in the same tunnel group, with fallback to IKEv1 if the remote endpoint does not support IKEv2.
What is a valid reason for configuring a list of backup servers on the Cisco AnyConnect VPN Client profile?
to access a backup VPN server
When initiating a new SSL or TLS session, the client receives the server SSL certificate and validates it. After validating the server certificate, what does the client use the certificate for?
The client generates a random session key, encrypts it with the server public key, and then sends it to the server.
Some users are having problems connecting via clientless SSL VPN, while other users are experiencing no problems. What is one possible cause of this issue?
SSL version checking is enabled, and clients are connecting with denied versions.
When deploying clientless SSL VPNs, what should you do to support external unmanaged VPN clients?
Implement a global PKI service.
What is the likely cause of the failure?
There are mismatched IKE policies.
You are the network security administrator. You receive a call from a user stating that he cannot log onto the network. In the process of troubleshooting, you determine that this user is accessing the network via certificate-based Cisco AnyConnect SSL VPN. What is a troubleshooting step that you should perform to determine the cause of the access problem?
Verify that a connection can be made without using certificates.
Which feature is supported when implementing an IPsec VPN configuration using IKEv2?
IKEv2 peer authentication can be implemented with asymmetric authentication methods.
When a VPN client that is using redundant peering and has obtained an IP address from the primary VPN gateway loses connection to that gateway, how is traffic rerouted?
The secondary VPN gateway issues the client a new IP address and routes traffic accordingly.
What are three methods for VPN address assignment? (Choose three.)
RADIUS authentication server
internal address pool
LDAP server
A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a question about a line in the log. The IP address 172.26.26.30 is attached to which interface in the network?
the physical interface of the end user
For the ABC Corporation, members of the NOC need the ability to select tunnel groups from a drop-down menu on the Cisco WebVPN login page. As the Cisco ASA administrator, how would you accomplish this task?
Under Connection Profiles, enable "Allow user to select connection profile."
The ABC Corporation is changing remote-user authentication from pre-shared keys to certificate-based authentication. For most employee authentication, its group membership (the employees) governs corporate access. Certain management personnel need access to more confidential servers. Access is based on the group and name, such as finance and level_2. When it is time to pilot the new authentication policy, a finance manager is able to access the department-assigned servers but cannot access the restricted servers. As the network engineer, where would you look for the problem?
Check if the Certificate to Connection Profile Maps > Policy is set correctly.
A temporary worker must use clientless SSL VPN with an SSH plug-in, in order to access the console of an internal corporate server, the projects.xyz.com server. For security reasons, the network security auditor insists that the temporary user is restricted to the one internal corporate server, 10.0.4.18. You are the network engineer who is responsible for the network access of the temporary user. What should you do to restrict SSH access to the one projects.xyz.com server?
Configure access-list temp_acl webtype permit url ssh://10.0.4.18.
A NOC engineer needs to tune some postlogin parameters on an SSL VPN tunnel. From the information shown, where should the engineer navigate to, in order to find all the postlogin session parameters?
"engineering" Group Policy
Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the validation of two sets of username and password credentials on the SSL VPN login page?
Double Authentication
In the Edit Certificate Matching Rule Criterion window, you want to change the Mapped to Connection Profile. However, you cannot perform that action from this window. Where should you navigate to and what should you do, in order to perform this change?
Edit the entry in the Certificate to Connection Profile Maps window.
You have just configured new clientless SSL VPN access parameters. However, when users connect, they are not getting the expected access that was configured. What is one possible reason this is occurring?
The correct Tunnel Group Lock is not properly set.
Which statement is correct concerning the trusted network detection (TND) feature?
When the user is inside the corporate network, TND can be configured to automatically disconnect a Cisco AnyConnect session.
You are the network security administrator. You have received calls from site-to-site IPsec VPN users saying that they cannot connect into the network. In troubleshooting this problem, you discover that some sites can connect, but other sites cannot. It is not always the same sites experiencing problems. You suspect that the permitted number of simultaneous logins has been reached and needs to be increased. In which configuration window or tab should you accomplish this task?
in the System Options window
Given the example that is shown, what can you determine?
Users are required to perform double AAA authentication.
When using clientless SSL VPN, you might not want some applications or web resources to go through the Cisco ASA appliance. For these application and web resources, as a Cisco ASA administrator, which configuration should you use?
Configure the Cisco ASA appliance to disable content rewriting.
When you are testing SSL VPN in a non-production environment, certain variables in the Cisco ASDM session details can be viewed or changed under Configuration > AnyConnect Connection Profiles. Which parameter can be viewed or changed in the AnyConnect Connection Profiles?
Authentication ModE. Certificate and User Password
The user "contractor" inherits which VPN group policy?
DfltGrpPolicy
An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation headquarters, tried to access the XYZ sales demonstration folder to transfer a demonstration via FTP from an ABC conference room behind the firewall. The engineer could not reach XYZ through the remote-access VPN tunnel. From home the previous day, however, the engineer did connect to the XYZ sales demonstration folder and transferred the demonstration via IPsec over DSL. To get the connection to work and transfer the demonstration, what should the engineer do?
Enable the IPsec over TCP option on the IPsec client.
When configuring dead peer detection for remote-access VPN, what does the confidence level parameter represent?
It specifies the number of seconds the adaptive security appliance should allow a peer to idle before beginning keepalive monitoring.
The software-based Cisco IPsec VPN Client solution uses bidirectional authentication, in which the client authenticates the Cisco ASA, and the Cisco ASA authenticates the user. Which three methods are software-based Cisco IPsec VPN Client to Cisco ASA authentication methods? (Choose three.)
Hybrid authentication
Certificate authentication
Group authentication
Which three statements concerning keystroke logger detection are correct? (Choose three.)
It requires administrative privileges in order to run.
It detects loggers that run as a process or kernel module.
It allows the administrator to define "safe" keystroke logger applications.
Which statement about CRL configuration is correct?
The Cisco ASA relies on LDAP access to procure the CRL list.
Study Guides