Latest CCNP Security 642-618 Real Exam Download 51-60

Ensurepass

QUESTION 51

Which option lists the main tasks in the correct order to configure a new Layer 3 and 4 inspection policy on the Cisco ASA appliance using the Cisco ASDM Configuration > Firewall > Service Policy Rules pane?

A. 1. Create a class map to identify which traffic to match.
   2. Create a policy map and apply action(s) to the traffic class(es).
   3. Apply the policy map to an interface or globally using a service policy.

B. 1. Create a service policy rule.
   2. Identify which traffic to match.
   3. Apply action(s) to the traffic.

C. 1. Create a Layer 3 and 4 type inspect policy map.
   2. Create class map(s) within the policy map to identify which traffic to match.
   3. Apply the policy map to an interface or globally using a service policy.

D. 1. Identify which traffic to match.
   2. Apply action(s) to the traffic.
   3. Create a policy map.
   4. Apply the policy map to an interface or globally using a service policy.

Answer: B


QUESTION 52

By default, how does a Cisco ASA appliance process IP fragments?

A. Each fragment passes through the Cisco ASA appliance without any inspections.
B. Each fragment is blocked by the Cisco ASA appliance.
C. The Cisco ASA appliance verifies each fragment and performs virtual IP re-assembly before the full IP packet is forwarded out.
D. The Cisco ASA appliance forwards the packet out as soon as all of the fragments of the packet have been received.

Answer: C


QUESTION 53

Which additional active/standby failover feature was introduced in Cisco ASA Software Version 8.4?

A. HTTP stateful failover
B. OSPF and EIGRP routing protocol stateful failover
C. SSL VPN stateful failover
D. IPsec VPN stateful failover
E. NAT stateful failover

Answer: B


QUESTION 54

Which other match command is used with the match flow ip destination-address command within the class map configurations of the Cisco ASA MPF?

A. match tunnel-group
B. match access-list
C. match default-inspection-traffic
D. match port
E. match dscp

Answer: A


QUESTION 55

Which Cisco ASA configuration is used to configure the TCP intercept feature?

A. a TCP map
B. an access list
C. the established command
D. the set connection command with the embryonic-conn-max option
E. a type inspect policy map

Answer: D


QUESTION 56

Which configuration step (if any) is necessary to enable FTP inspection on TCP port 2121?

A. None. FTP inspection is enabled by default using the global policy.
B. Create a new class map to match TCP port 2121, then edit the global policy to inspect FTP for traffic matched by the new class map.
C. Edit default-inspection-traffic to match FTP on port 2121.
D. Add a new traffic class using the match protocol FTP option within the inspect_default class map.

Answer: B


QUESTION 57

When the Cisco ASA appliance is processing packets, which action is performed first?

A. Check if the packet is permitted or denied by the inbound interface ACL.
B. Check if the packet is permitted or denied by the outbound interface ACL.
C. Check if the packet is permitted or denied by the global ACL.
D. Check if the packet matches an existing connection in the connection table.
E. Check if the packet matches an inspection policy.
F. Check if the packet matches a NAT rule.

Answer: D


QUESTION 58

Which Cisco ASA (8.4.1 and later) CLI command is the best command to use for troubleshooting SSH connectivity from the Cisco ASA appliance to the outside 192.168.1.1 server?

A. telnet 192.168.1.1 22
B. ssh -l username 192.168.1.1
C. traceroute 192.168.1.1 22
D. ping tcp 192.168.1.1 22
E. packet-tracer input inside tcp 10.0.1.1 2043 192.168.4.1 ssh

Answer: D


QUESTION 59

Refer to the exhibit.

[Exhibit: configuration image not included in this copy.]

Which reason explains why the Cisco ASA appliance cannot establish an authenticated NTP session to the inside 192.168.1.1 NTP server?

A. The ntp server 192.168.1.1 command is incomplete.
B. The ntp source inside command is missing.
C. The ntp access-group peer command and the ACL to permit 192.168.1.1 are missing.
D. The trusted-key number should be 1 not 2.

Answer: A


QUESTION 60

On which type of encrypted traffic can a Cisco ASA appliance running software version 8.4.1 perform application inspection and control?

A. IPsec
B. SSL
C. IPsec or SSL
D. Cisco Unified Communications
E. Secure FTP

Answer: D
