Cisco 642-647 Online Practice
Questions and Exam Preparation
642-647 Exam Details
Exam Code
:642-647
Exam Name
:Deploying Cisco ASA VPN Solutions (VPN v1.0)
Certification
:Cisco Certifications
Vendor
:Cisco
Total Questions
:121 Q&As
Last Updated
:Dec 09, 2021
Cisco 642-647 Online Questions &
Answers
Question 81:
A temporary worker must use clientless SSL VPN with an SSH plug-in, in order to access the console of an internal corporate server, the projects.xyz.com server. For security reasons, the network security auditor insists that the temporary user is restricted to the one internal corporate server, 10.0.4.18. You are the network engineer who is responsible for the network access of the temporary user.
What should you do to restrict SSH access to the one projects.xyz.com server?
A. Configure access-list temp_user_acl extended permit TCP any host 10.0.4.18 eq 22. B. Configure access-list temp_user_acl standard permit host 10.0.4.18 eq 22. C. Configure access-list temp_acl webtype permit url ssh://10.0.4.18. D. Configure a plug-in SSH bookmark for host 10.0.4.18, and disable network browsing on the clientless SSL VPN portal of the temporary worker.
C. Configure access-list temp_acl webtype permit url ssh://10.0.4.18.
Web ACLs The Web ACLs table displays the filters configured on the security appliance applicable to Clientless SSL VPN traffic. The table shows the name of each access control list (ACL), and below and indented to the right of the ACL name, the access control entries (ACEs) assigned to the ACL. Each ACL permits or denies access permits or denies access to specific networks, subnets, hosts, and web servers. Each ACE specifies one rule that serves the function of the ACL. You can configure ACLs to apply to Clientless SSL VPN traffic. The following rules apply: ?If you do not configure any filters, all connections are permitted. ?The security appliance supports only an inbound ACL on an interface. ?At the end of each ACL, an implicit, unwritten rule denies all traffic that is not explicitly permitted. You can use the following wildcard characters to define more than one wildcard in the Webtype access list entry: ?Enter an asterisk";"; to match no characters or any number of characters. ?Enter a question mark";"; to match any one character exactly. ?Enter square bracket"t;"t; to create a range operator that matches any one character in a range. The following examples show how to use wildcards in Webtype access lists. ?The following example matches URLs such as http:// www.cisco.com/ and http://wwz.caco.com/: access-list test webtype permit url http://ww?.c*co*/
Question 82:
When deploying clientless SSL VPNs, what should you do to support external unmanaged VPN clients?
A. Deploy a private PKI service. B. Issue self-signed identity certificates for the external clients that you wish to provide with access to your enterprise. C. Configure policies specifically for the clients that have a group userID and password. D. Implement a global PKI service.
D. Implement a global PKI service.
Question 83:
SSL server-side authentication is used for a client to verify the identity of a server. This type of authentication is commonly used for servers that require secured transactions to protect user data or account information for online purchases. Which one of these steps is not a step in the authentication process?
A. The client sends Hello to the server, listing all of its supported cipher suites. B. The server sends Hello to the client, listing all of its supported cipher suites. C. The server sends its certificate to the client. D. The client generates, encrypts, and sends a session key. E. The server sends Change Cipher Spec to indicate a shift to encrypted mode.
B. The server sends Hello to the client, listing all of its supported cipher suites.
Question 84:
Refer to the exhibit.
The "level_2" digital certificate was installed on a laptop. What can cause an "invalid not active" status message?
A. On first use, a CA server-supplied passphrase is entered to validate the certificate. B. A "newly installed" digital certificate does not become active until it is validated by the peer device upon its first usage. C. The user has not clicked the Verify button within the Cisco VPN Client. D. The CA server and laptop PC clocks are out of sync.
D. The CA server and laptop PC clocks are out of sync.
Certificates have a date and time that they become valid and that they expire. When the security appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time is within the valid range for the certificate. If it is outside that range, enrollment fails. Same would apply to communication between ASA and PC
Question 85:
Refer to the exhibit.
You are configuring a laptop with the Cisco VPN Client, which uses digital certificates for authentication. Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?
About CRLs Certificate Revocation Lists provide the security appliance with one means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a part of the configuration of a trustpoint.
You can configure the security appliance to make CRL checks mandatory when authenticating a certificate (revocation-check crl command). You can also make the CRL check optional by adding the none argument (revocation-check crl none command), which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data. The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a length of time configurable for each trustpoint. When the security appliance has cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication requires checking the stale CRL.
Question 86:
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?
A. IPsec user profile B. Crypto Map C. Group Policy D. IPsec Policy E. IKE Policy
B. Crypto Map
Question 87:
Refer to the exhibit.
In the Edit Certificate Matching Rule Criterion window, you want to change the Mapped to Connection Profile. However, you cannot perform that action from this window.
Where should you navigate to and what should you do, in order to perform this change?
A. Edit the entry in the Certificate Management window. B. Edit the entry in the Connection Profiles window. C. Edit the entry in the Certificate to Connection Profile Maps window. D. Edit the entry in IKE Policies window. E. Delete this entry in the Mapping Criteria window, and add a new entry in the same location.
C. Edit the entry in the Certificate to Connection Profile Maps window.
Question 88:
Refer to following Exhibit and answer the following question below:
Upon logging in, user, emploeyee1, gets two sets of privileges. Choose the two options that show the privileges that are held by employee1.(Choose two)
A. Cisco ASDM, SSH, Telnet, and console access B. CLI login prompt for SSH, Telnet, and console only C. No Cisco ASDM, SSH, or console access D. Level 15 E. Level 2 F. Level 3
D. Level 15 E. Level 2
Command authorization If you turn on command authorization using the local database, then the security appliance refers to the user privilege level to determine what commands are available. Otherwise, the privilege level is not generally used. By default, all commands are either privilege level 0 or level 15. ASDM allows you to enable three predefined privilege levels, with commands assigned to level 15 (Admin), level 5 (Read Only), and level 3 (Monitor Only). If you use the predefined levels, then assign users to one of these three privilege levels. This should show assigned levels for us:; on my demo version I could get the advanced tab to appear on aaa authorization to setup other commands but this shows how I setup contractor1
Question 89:
What is a valid reason for configuring a list of backup servers on the Cisco AnyConnect VPN Client profile?
A. to access a backup authentication server B. to access a backup DHCP server C. to access a backup VPN server D. to access a backup CA server
C. to access a backup VPN server
Question 90:
Match the characteristic on the left with the correct IKE Mode on the right.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Cisco exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your 642-647 exam preparations
and Cisco certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.