Cisco 642-648 Online Practice
Questions and Exam Preparation
642-648 Exam Details
Exam Code
:642-648
Exam Name
:Deploying Cisco ASA VPN Solutions (VPN v2.0)
Certification
:Cisco Certifications
Vendor
:Cisco
Total Questions
:121 Q&As
Last Updated
:Nov 22, 2021
Cisco 642-648 Online Questions &
Answers
Question 81:
Refer to the exhibit.
In the Edit Certificate Matching Rule Criterion window, you want to change the Mapped to Connection Profile. However, you cannot perform that action from this window.
Where should you navigate to and what should you do, in order to perform this change?
A. Edit the entry in the Certificate Management window. B. Edit the entry in the Connection Profiles window. C. Edit the entry in the Certificate to Connection Profile Maps window. D. Edit the entry in IKE Policies window. E. Delete this entry in the Mapping Criteria window, and add a new entry in the same location.
C. Edit the entry in the Certificate to Connection Profile Maps window.
Question 82:
Upon receiving a digital certificate, what are three steps that a Cisco ASA performs to authenticate the digital certificate? (Choose three.)
A. The identity certificate validity period is verified against the system clock of the Cisco ASA. B. The identity certificate thumbprint is validated using the private key of the stored CA. C. The identity certificate signature is validated by using the stored root certificate. D. The signature is validated by using the stored identity certificate. E. If enabled, the Cisco ASA locates the CRL and validates the identity certificate.
A. The identity certificate validity period is verified against the system clock of the Cisco ASA. C. The identity certificate signature is validated by using the stored root certificate. E. If enabled, the Cisco ASA locates the CRL and validates the identity certificate.
Certificate Revocation Lists provide the security appliance with one means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a part of the configuration of a trustpoint. You can configure the security appliance to make CRL checks mandatory when authenticating a certificate (revocation-check crl command). You can also make the CRL check optional by adding the none argument (revocationcheck crl none command), which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data. The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a length of time configurable for each trustpoint. When the security appliance has cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication requires checking the stale CRL. The security appliance caches CRLs for a length of time determined by the following two factors:稵he number of minutes specified with the cache-time command. The default value is 60 minutes. 稵he NextUpdate field in the CRLs retrieved, which may be absent from CRLs. You control whether the security appliance requires and uses the NextUpdate field with the enforcenextupdate command. The security appliance uses these two factors as follows:稩f the NextUpdate field is not required, the security appliance marks CRLs as stale after the length of time defined by the cache-time command. 稩f the NextUpdate field is required, the security appliance marks CRLs as stale at the sooner of the two times specified by the cache-time command and the NextUpdate field. For example, if the cache-time command is set to 100 minutes and the NextUpdate field specifies that the next update is 70 minutes away, the security appliance marks CRLs as stale in 70 minutes.
Question 83:
Refer to the exhibit.
A junior network engineer configured the corporate Cisco ASA appliance to accommodate a new temporary worker. For security reasons, the IT department wants to restrict the internal network access of the new temporary worker to the corporate server, with an IP address of 10.0.4.10. After the junior network engineer finished the configuration, an IT security specialist tested the account of the temporary worker. The tester was able to access the URLs of additional secure servers from the WebVPN user account of the temporary worker.
What did the junior network engineer configure incorrectly?
A. The ACL was configured incorrectly. B. The ACL was applied incorrectly or was not applied. C. Network browsing was not restricted on the temporary worker group policy. D. Network browsing was not restricted on the temporary worker user policy.
B. The ACL was applied incorrectly or was not applied.
Question 84:
Which feature is supported when implementing an IPsec VPN configuration using IKEv2?
A. IKEv2 authentication can be configured to negotiate authentication modes within the IKE policy when using Cisco ASDM. B. IKEv2 proposals are identical to IKEv1 policies. C. When implementing IKEv2 with a site-to-site VPN, authentication parameters should contain a fallback to to PSKs, in case certificate-based authentication fails. D. IKEv2 peer authentication can be implemented with asymmetric authentication methods.
D. IKEv2 peer authentication can be implemented with asymmetric authentication methods.
Question 85:
You have been using pre-shared keys for IKE authentication on your VPN. Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you enable scaling to numerous IPsec peers?
A. Migrate to external CA-based digital certificate authentication. B. Migrate to a load-balancing server. C. Migrate to a shared license server. D. Migrate from IPsec to SSL VPN client extended authentication.
A. Migrate to external CA-based digital certificate authentication.
Question 86:
Refer to the exhibit.
When the user "contractor" Cisco AnyConnect tunnel is established, what type of Cisco ASA user restrictions are applied to the tunnel?
A. full restrictions (no Cisco ASDM, no CLI, no console access) B. full restrictions (no read, no write, no execute permissions) C. full restrictions (CLI show commands and Cisco ASDM monitoring permissions only) D. full access with no restrictions
D. full access with no restrictions
Question 87:
Match the characteristic on the left with the correct IKE Mode on the right.
Select and Place:
Question 88:
Refer to the exhibit.
In the CLI snippet that is shown, what is the function of the deny option in the access list?
A. When set in conjunction with outbound connection-type bidirectional, its function is to prevent the specified traffic from being protected by the crypto map entry. B. When set in conjunction with connection-type originate-only, its function is to instruct the Cisco ASA to deny specific inbound traffic if it is not encrypted. C. When set in conjunction with outbound connection-type answer-only, its function is to instruct the Cisco ASA to deny specific outbound traffic if it is not encrypted. D. When set in conjunction with connection-type originate-only, its function is to cause all IP traffic that matches the specified conditions to be protected by the crypto map.
A. When set in conjunction with outbound connection-type bidirectional, its function is to prevent the specified traffic from being protected by the crypto map entry.
Question 89:
A network architect designed a redundant site-to-site IPsec VPN. In this site-to-site IPsec VPN solution are two standalone Cisco ASA appliances that are deployed at the headquarters office site. A site-to-site VPN tunnel is established between the remote office and online peer (192.168.4.1).
To enable the remote office devices to be advertised correctly at headquarters, select the three Cisco ASA parameters and the ends in which they should be applied. R=remote end; H=headquarters end. (Choose three)
A. R-Configure Originate-Only B. H-Configure Originate-Only C. R-Configure Answer-Only D. H-Configure Answer-Only E. R-Enable RRI F. H-Enable RRI
A. R-Configure Originate-Only D. H-Configure Answer-Only F. H-Enable RRI
Connection Type The Cisco ASA in the site-to-site tunnel can respond and initiate a VPN connection. This bidirectional default behavior can be changed to answer-only or originate- only mode. For example, if you want to limit the security Cisco ASA to just initiate IKE tunnels, you can set the connection type to originate-only. This way, if the remote VPN peer tries to initiate the connection, the local Cisco ASA will not honor the request. Similarly, if you want the security Cisco ASA to accept IKE tunnels only from the peer, then you can set the connection type to answer-only. The command syntax to set the connection type is Crypto map map-name seq-num set connection-type {answer-only | bidirectional |
Question 90:
Refer to the exhibit.
A NOC engineer needs to tune some prelogin parameters on an SSL VPN tunnel.
From the information that is shown, where should the engineer navigate to find the prelogin session attributes?
A. "engineering" Group Policy B. "contractor" Connection Profile C. "engineer1" AAA/Local Users D. DfltGrpPolicy Group Policy
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Cisco exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your 642-648 exam preparations
and Cisco certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.