Cisco 642-647 Online Practice
Questions and Exam Preparation
642-647 Exam Details
Exam Code
:642-647
Exam Name
:Deploying Cisco ASA VPN Solutions (VPN v1.0)
Certification
:Cisco Certifications
Vendor
:Cisco
Total Questions
:121 Q&As
Last Updated
:Dec 09, 2021
Cisco 642-647 Online Questions &
Answers
Question 11:
Upon receiving a digital certificate, what are three steps that a Cisco ASA performs to authenticate the digital certificate? (Choose three.)
A. The identity certificate validity period is verified against the system clock of the Cisco ASA. B. The identity certificate thumbprint is validated using the private key of the stored CA. C. The identity certificate signature is validated by using the stored root certificate. D. The signature is validated by using the stored identity certificate. E. If enabled, the Cisco ASA locates the CRL and validates the identity certificate.
A. The identity certificate validity period is verified against the system clock of the Cisco ASA. C. The identity certificate signature is validated by using the stored root certificate. E. If enabled, the Cisco ASA locates the CRL and validates the identity certificate.
Certificate Revocation Lists provide the security appliance with one means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a part of the configuration of a trustpoint. You can configure the security appliance to make CRL checks mandatory when authenticating a certificate (revocation-check crl command). You can also make the CRL check optional by adding the none argument (revocationcheck crl none command), which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data. The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a length of time configurable for each trustpoint. When the security appliance has cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication requires checking the stale CRL. The security appliance caches CRLs for a length of time determined by the following two factors:稵he number of minutes specified with the cache-time command. The default value is 60 minutes. 稵he NextUpdate field in the CRLs retrieved, which may be absent from CRLs. You control whether the security appliance requires and uses the NextUpdate field with the enforcenextupdate command. The security appliance uses these two factors as follows:稩f the NextUpdate field is not required, the security appliance marks CRLs as stale after the length of time defined by the cache-time command. 稩f the NextUpdate field is required, the security appliance marks CRLs as stale at the sooner of the two times specified by the cache-time command and the NextUpdate field. For example, if the cache-time command is set to 100 minutes and the NextUpdate field specifies that the next update is 70 minutes away, the security appliance marks CRLs as stale in 70 minutes.
Question 12:
Refer to the exhibit.
Given the example that is shown, what can you determine?
A. Users are required to perform RADIUS or LDAP authentication when connecting with the Cisco AnyConnect client. B. Users are required to perform AAA authentication when connecting via WebVPN. C. Users are required to perform double AAA authentication. D. The user access identity is prefilled at login, requiring users to enter only their password.
C. Users are required to perform double AAA authentication.
Question 13:
Match the Diffie-Hellman group on the left with the correct application on the right. (Not all items will be used.)
Select and Place:
Question 14:
Datagram Transport Layer Security (DTLS) was introduced to solve performance issues. Choose three characteristics of DTLS. (Choose three.)
A. It uses TLS to negotiate and establish DTLS connections. B. It uses DTLS to transmit datagrams. C. It is disabled by default. D. It uses TLS for data packet retransmission. E. It replaces underlying transport layer with UDP 443. F. It uses TLS to provide low-latency video application tunneling.
A. It uses TLS to negotiate and establish DTLS connections. B. It uses DTLS to transmit datagrams. E. It replaces underlying transport layer with UDP 443.
Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections Datagram Transport Layer Security avoids latency and bandwidth problems associated with some SSL-only connections, including AnyConnect connections, and improves the performance of real-time applications that are sensitive to packet delays. DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. For detailed information about DTLS, see RFC 4347 (http://www.ietf.org/rfc/rfc4347.txt). Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels--an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. If you do not enable DTLS, AnyConnect/SSL VPN connections connect with an SSL VPN tunnel only. You cannot enable DTLS globally with ASDM. The following section describes how to enable DTLS for any specific interface. To enable DTLS for a specific interface, select Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN Connection profiles. The SSL VPN Connection Profiles dialog box opens (Figure 2-3).Figure 2-3 Enable DTLS Check Box
Enabling Datagram Transport Layer Security (DTLS) allows the AnyConnect VPN Client establishing an SSL VPN connection to use two simultaneous tunnels--an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of realtime applications that are sensitive to packet delays. If you do not enable DTLS, AnyConnect client users establishing SSL VPN connections connect with an SSL VPN tunnel only. Fields ?Interface--Displays a list of interfaces on the security appliance. ?DTLS Enabled--Check to enable DTLS connections with the AnyConnect client on the interfaces. ?UDP Port (default 443)--(Optional) Specify a separate UDP port for DTLS connections.
Question 15:
Refer to following Exhibit and answer the following question below:
The user, contractor1, receives an IP address when the VPN connection is established. Which statement regarding the IP address is true?
A. it is sourced from the contractor pool. B. it is sourced from the employee pool. C. it is sourced from the engineering pool. D. it is sourced from the management pool. E. it is dedicated address (10.0.4.120)
C. it is sourced from the engineering pool.
First see username in device management >> see its group policy then go to remote access VPN >> connection profiles >> client address pools >> contractor >> select to see the address pool Through MonitoringVPN statistics > session >> see username and its assigned ip address >> then find it out in configuration tab above procedure old DD download contained Exam question 30 (As Q29) that had answer of contractor not engineering like for this question35.
Question 16:
With SCEP enabled in a Cisco AnyConnect Connection Profile, what additional configuration step must you do when using Cisco ASA 8.4 software?
A. Configure local authentication prior to the enrollment process. B. Configure the client to poll the CA for a response to the certificate request. C. Configure the location of the CA server. D. Configure the profile to inherit the SCEP forwarding URL.
When you are testing SSL VPN in a non-production environment, certain variables in the Cisco ASDM session details can be viewed or changed under Configuration > AnyConnect Connection Profiles.
Which parameter can be viewed or changed in the AnyConnect Connection Profiles?
A. Assigned IP address 10.0.1.50 B. Client TypE. SSL VPN Client C. Authentication ModE. Certificate and User Password D. Client Ver: Cisco AnyConnect VPN Agent for Windows
C. Authentication ModE. Certificate and User Password
Question 18:
Refer to the exhibit.
After a remote user established a Cisco AnyConnect session from a wireless card through the Cisco ASA appliance of a partner to a remote server, the user opened the Cisco AnyConnect VPN Client Statistics Details screen.
What are the two sources of the IP addresses that are marked A and B? (Choose two.)
A. IP address that is assigned to the wireless Ethernet adapter of the remote user B. IP address that is assigned to the remote user from the Cisco ASA address pool C. IP address of the Cisco ASA physical interface of the partner D. IP address of the Cisco ASA virtual HTTP server of the partner E. IP address of the default gateway router of the remote user F. IP address of the default gateway router of the partner
B. IP address that is assigned to the remote user from the Cisco ASA address pool C. IP address of the Cisco ASA physical interface of the partner
Question 19:
Refer to the exhibit.
You have configured two SSL VPN Certificate to Connection Profile Maps for all employee and management users. The Connection Profiles for the management users are not being applied when the "management" users connect.
Based on the configuration that is shown, what is the most likely cause of this issue?
A. The rule priority of the employee mapping is not low enough, and it needs to be lowered to 1. B. The priority of the employee mapping is too low, and it needs to be increased, but not higher than the rule priority of the management mapping. C. The priority of the management mapping is too high, and it needs to be lower than the rule priority of the employee mapping. D. The matching criteria for the management mapping is too specific, and the CN matching parameter should be removed.
C. The priority of the management mapping is too high, and it needs to be lower than the rule priority of the employee mapping.
ASDM user guide p[age 35 52 Use the Add/Edit Certificate Matching Rule dialog box to assign the name of a list (map) to a connection profile. Fields ?Map--Choose one of the following: - Existing--Select the name of the map to include the rule. New--Enter a new map name for a rule. ?Rule Priority--Type a decimal to specify the sequence with which the security appliance evaluates the map when it receives a connection request. For the first rule defined, the default priority is 10. The security appliance evaluates each connection against the map with the lowest priority number first. ?Mapped to Connection Profile--Select the connection profile, formerly called a "tunnel group," to map to this rule. If you do not assign a rule criterion to the map, as described in the next section, the security appliance ignores the map entry.
Question 20:
You have just configured new clientless SSL VPN access parameters.
However, when users connect, they are not getting the expected access that was configured.
What is one possible reason this is occurring?
A. The correct Tunnel Group Lock is not properly set. B. The corresponding Cisco ASA interface is not enabled for SSL VPN access. C. The Connection Alias is not enabled. D. Portal features are disabled.
A. The correct Tunnel Group Lock is not properly set.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Cisco exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your 642-647 exam preparations
and Cisco certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.