http://www.TwPass.com
642-647
Cisco
Deploying Cisco ASA VPN Solutions (VPN v1.0)
http://www.twpass.com/twpass.com/exam.aspx?eCode= 642-647
The 642-647 practice exam is written and formatted by Certified Senior IT Professionals working in
today's prospering companies and data centers all over the world! The 642-647 Practice Test covers all
the exam topics and objectives and will prepare you for success quickly and efficiently.
The 642-647 exam is very challenging, but with our 642-647 questions and answers practice exam,
you can feel confident in obtaining your success on the 642-647 exam on your FIRST TRY!
Cisco 642-647 Exam Features
- Detailed questions and answers for 642-647 exam
- Try a demo before buying any Cisco exam
- 642-647 questions and answers, updated regularly
- 642-647 answers verified by experts, with almost 100% accuracy
- 642-647 tested and verified before publishing
- 642-647 exam questions with exhibits
- 642-647 same questions as real exam with multiple choice options
Acquiring Cisco certifications is becoming a huge task in the field of I.T. Moreover, exams
like the 642-647 exam are continuously updated, and accepting this challenge is itself a task.
This 642-647 test is an important part of Cisco certifications. We have the resources to
prepare you for this. The 642-647 exam is an essential and core part of Cisco certifications, and
once you clear the exam you will be able to solve real-life problems yourself. Want to take
advantage of the Real 642-647 Test and save time and money while developing your skills to pass
your Cisco 642-647 Exam? Let us help you climb that ladder of success and pass your 642-647 now!
QUESTION: 1
An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation
headquarters, tried to access the XYZ sales demonstration folder to transfer a demonstration via
FTP from an ABC conference room behind the firewall. The engineer could not reach XYZ
through the remote-access VPN tunnel. From home the previous day, however, the engineer
connected to the XYZ sales demonstration folder and transferred the demonstration via IPsec
over DSL. To get the connection to work and transfer the demonstration, what can you
suggest?
A. Change the MTU size on the IPsec client to account for the change from DSL to
cable transmission.
B. Enable the local LAN access option on the IPsec client.
C. Enable the IPsec over TCP option on the IPsec client.
D. Enable the clientless SSL VPN option on the PC
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=1
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 2
Refer to the exhibit. For the ABC Corporation, members of the NOC
need the ability to select tunnel groups from a drop-down menu on the Cisco IOS WebVPN
login page. As the Cisco ASA administrator, how would you accomplish this task?
A. Define a special identity certificate with multiple groups that are defined in the
certificate OU field that will grant the certificate holder access to the named groups on
the login page.
B. Under Group Policies, define a default group that encompasses the required
individual groups that would appear on the login page.
C. Under Connection Profiles, define a NOC profile that encompasses the required
individual profiles that would appear on the login page.
D. Under Connection Profiles, enable group selection from the login page.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=2
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 3
Which four parameters must be defined in an ISAKMP policy when creating an IPsec site-to-site VPN using the Cisco ASDM? (Choose four.)
A. encryption algorithm
B. hash algorithm
C. authentication method
D. IP address of remote IPsec peer
E. D-H group
F. perfect forward secrecy
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=3
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 4
An administrator has preconfigured the Cisco ASA 5505 user settings with a username and a
password. When the telecommuter first turns on the Cisco ASA 5505 and attempts to establish
a VPN tunnel, the user is prompted for a username and password. Which two Cisco ASA 5505
Group Policy features require this extra level of authentication? (Choose two.)
A. New Unit Authentication
B. Extended Group Authentication
C. Secure Unit Authentication
D. Role-Based Access Control Authentication
E. Compartmented Mode Authentication
F. Individual User Authentication
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=4
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 5
Refer to the exhibit. Which two statements are correct regarding these
two Cisco ASA clientless SSL VPN bookmarks? (Choose two.)
A. CSCO_WEBVPN_USERNAME is a user attribute.
B. CSCO_WEBVPN_USERNAME is a Cisco predefined variable that is used for
macro substitution.
C. The CSCO_WEBVPN_USERNAME variable is enabled by using the Post SSO
plug-in.
D. CSCO_SSO is a Cisco predefined variable that is used for macro substitution.
E. The CSCO_SSO=1 parameter enables SSO for the SSH plug-in.
F. The CSCO_SSO variable is enabled by using the Post SSO plug-in.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=5
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 6
Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the
validation of two sets of username and password credentials on the SSL VPN login page?
A. Single Sign-On
B. Certificate to Profile Mapping
C. Double Authentication
D. RSA OTP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=6
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 7
Which two types of digital certificate enrollment processes are available for the Cisco ASA
security appliance? (Choose two.)
A. LDAP
B. FTP
C. TFTP
D. HTTP
E. SCEP
F. Manual
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=7
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 8
Your corporate finance department purchased a new non-web-based TCP application tool to
run on one of its servers. The finance employees need remote access to the software during
nonbusiness hours. The employees do not have "admin" privileges to their PCs. How would
you configure the SSL VPN tunnel to allow this application to run?
A. Configure a smart tunnel for the application.
B. Configure a "finance tool" VNC bookmark on the employee clientless SSL VPN
portal.
C. Configure the plug-in that best fits the application.
D. Configure the Cisco ASA appliance to download the Cisco AnyConnect SSL VPN
client to the finance employee each time an SSL VPN tunnel is established.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=8
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 9
Refer to the exhibit. A new network engineer configured the ABC
adaptive security appliance with two bookmarks for a new temporary employee. The
temporary worker can connect to the administrator server via the temp_worker_admin
bookmark but cannot connect to the project server via the temp_worker_projects (greyed-out)
bookmark. It was determined that the URL and IP addressing information in the GUI screens
is correct. What is wrong with the configuration?
A. URL Entry should be enabled.
B. The File Server Entry Inherit parameter should be overwritten and set for enabled.
C. The DNS server information is incorrect.
D. File Server Browsing should be enabled
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=9
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 10
Refer to the exhibit. When an SSL VPN user, contractor1, enters
https://192.168.4.2 (the outside address of the Cisco ASA appliance) into the browser, an SSL
VPN Login screen appears. Along with the information that is contained in the Cisco ASDM
configuration screens, what can an administrator determine about the state of the connection
after the user clicks the Login button?
A. The user login will succeed and an IP address of 10.0.4.120 will be assigned.
B. The user will be presented with a clientless VPN portal page.
C. The user login will succeed but the user will be connected to the "contractor" tunnel
group.
D. The login will fail.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=10
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 11
Which two statements about the Cisco ASA load balancing feature are correct? (Choose two.)
A. The Cisco ASA load balances both site-to-site and remote-access VPN tunnels.
B. The Cisco ASA load balances remote-access VPN tunnels only.
C. The Cisco ASA load balances IPsec VPN tunnels only.
D. The Cisco ASA load balances IPsec VPN and Cisco AnyConnect SSL VPN tunnels only.
E. The Cisco ASA load balances IPsec VPN, clientless, and Cisco AnyConnect SSL VPN
tunnels
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=11
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 12
DRAG DROP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=12
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 13
DRAG DROP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=13
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 14
A Cisco AnyConnect user profile can be pushed to the PC of a remote user from a Cisco ASA.
Which three user profile parameters are configurable? (Choose three.)
A. Backup Server list
B. DTLS Override
C. Auto Reconnect
D. Simultaneous Tunnels
E. Connection Profile Lock
F. Auto Update
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=14
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 15
Refer to the exhibit. Today was the first day on a new project for an
offsite temporary worker at the XYZ Corporation. The worker was told to launch the SSL
VPN session and then use the smart-tunnel application to start a remote desktop application on
the project server, projects_server.xyz.com. The worker looked at the portal screen that was
provided but did not know how to access the smart-tunnel application. As the help desk
person, what can you recommend that the temporary worker do?
A. Click the Web Applications button.
B. Click the Applications Access button.
C. Click the Browse Networks button.
D. On the Home page, click the Address drop-down menu, choose RDP://, and fill in
the destination host name, projects_server.abc.com.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=15
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 16
ABC Corporation hired a temporary worker to help out with a new project. The network
administrator tasked you with restricting the internal clientless SSL VPN network access of the
temporary worker to one server with the IP address of 172.26.26.50 via HTTP. Which two
statements would complete the assignment? (Choose two.)
A. Configure access-list temp_acl webtype permit url http://172.26.26.50.
B. Configure access-list temp_acl_stand_ACL standard permit host 172.26.26.50.
C. Configure access-list temp_acl_extended extended permit http any host 172.26.26.50.
D. Apply the access list to the temporary worker Group Policy.
E. Apply the access list to the temporary worker Connection Profile.
F. Apply the access list to the outside interface in the inbound direction
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=16
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 17
In clientless SSL VPN, administrators can control user access to the internal network or
resources of a company, based on what?
A. interface ACLs
B. webtype ACLs
C. per-user or per-group ACLs
D. MPF-configured service policies
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=17
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 18
When attempting to tunnel FTP traffic through a stateful firewall that may be performing NAT
or PAT, which type of VPN tunneling should be used to allow the VPN traffic through the
stateful firewall?
A. clientless SSL VPN
B. IPsec over TCP
C. Smart Tunnel
D. SSL VPN plug-ins
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=18
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 19
Refer to the exhibit. When testing SSL VPN in a nonproduction
environment, certain variables in the Cisco ASDM session details can be viewed or changed
under Configuration > AnyConnect Connection Profiles. Which parameter can be viewed or
changed in the AnyConnect Connection Profiles?
A. Assigned IP address 10.0.4.120
B. Client Type: SSL VPN Client
C. Authentication Mode: Certificate and User Password
D. Client Ver: Cisco AnyConnect VPN Agent for Windows
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=19
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 20
An IT manager and a security manager are discussing the deployment options for clientless
SSL VPN. They are trying to decide which groups are best suited for this new deployment
option. Which two groups are the best candidates for the upcoming clientless SSL VPN
rollout? (Choose two.)
A. IT administrator who needs to manage servers from a corporate laptop
B. employees who need occasional access to check their mail accounts
C. vendor who needs access to confidential corporate presentations via Secure FTP
D. customers who need interactive access to your corporate invoice server
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=20
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 21
Refer to the exhibit. You are configuring a laptop with the Cisco
VPN Client, which will use digital certificates for authentication. Which protocol will the
Cisco VPN Client use to retrieve the digital certificate from the CA server?
A. FTP
B. LDAP
C. HTTPS
D. SCEP
E. OCSP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=21
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 22
Upon receiving a digital certificate, what are three steps that a Cisco ASA will perform to
authenticate the digital certificate? (Choose three.)
A. The identity certificate validity period is verified against the system clock of the
Cisco ASA.
B. Identity certificates are exchanged during IPsec negotiations.
C. The identity certificate signature is validated by using the stored root certificate.
D. The signature is validated by using the stored identity certificate.
E. If enabled, the Cisco ASA locates the CRL and validates the identity certificate.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=22
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 23
You have been using pre-shared keys for IKE authentication on your VPN. Your network has
grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you
enable scaling to numerous IPsec peers?
A. Migrate to external CA-based digital certificates authentication
B. Migrate to a load balancing server.
C. Migrate to a shared license server.
D. Migrate from IPsec to SSL VPN client extended authentication
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=23
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 24
Refer to the exhibit. A junior network engineer configured the
corporate Cisco ASA appliance to accommodate a new temporary worker. For security
reasons, the IT department wants to restrict the internal network access of the new temporary
worker to the corporate server with an IP address of 10.0.4.10. After the junior network
engineer finished the configuration, the IT security specialist tested the account of the
temporary worker. The tester was able to access the URLs of additional secure servers from
the Cisco IOS WebVPN user account of the temporary worker. What did the junior network
engineer configure incorrectly?
A. The ACL was configured incorrectly.
B. The ACL was applied incorrectly, or not applied.
C. Network browsing was not restricted on the temporary worker group policy.
D. Network browsing was not restricted on the temporary worker user policy
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=24
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 25
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune
the IKE policy parameters. Where is the correct place to tune IKE policy parameters?
A. Cisco IPsec VPN SW Client > Client Profile
B. IPsec User Profile
C. Group Policy
D. IKE Policy
E. Crypto Map
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=25
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 26
To enable the Cisco ASA Host Scan with remediation capabilities, an administrator must have
which two Cisco ASA licenses enabled on its security appliance? (Choose two.)
A. Cisco AnyConnect Premium license
B. Cisco AnyConnect Essentials license
C. Cisco AnyConnect Mobile license
D. Host Scan license
E. Advanced Endpoint Assessment license
F. Cisco Security Agent license
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=26
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 27
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune
the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in
Cisco ASDM?
A. IPsec user profile
B. Crypto Map
C. Group Policy
D. IPsec policy
E. IKE policy
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=27
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 28
DRAG DROP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=28
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 29
Which three statements are Cisco AnyConnect VPN Client deployment options? (Choose three.)
A. Configure the Cisco AnyConnect profile to automatically launch client or clientless
SSL VPN upon discovering a trusted network.
B. Automatically download the Cisco AnyConnect VPN Client upon Cisco IOS WebVPN login.
C. Prompt user upon Cisco IOS WebVPN login to select client or clientless SSL VPN
within X seconds.
D. Configure the Cisco AnyConnect profile to automatically disconnect the client or
clientless SSL VPN tunnel upon discovering an untrusted network.
E. User manually launches client from SSL VPN clientless portal.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=29
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 30
An on-screen keyboard is a programmable SSL VPN option. Which three options are
keyboard-configurable parameters that the administrator can enable or disable? (Choose three.)
A. Show only if Secure Desktop Vault is disabled.
B. Do not show onscreen keyboard.
C. Show only for the login page.
D. Show for all user input fields.
E. Show for all portal pages that require authentication.
F. Show for all plug-in pages.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=30
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 31
Which three statements concerning keystroke logger detection are correct? (Choose three.)
A. requires administrative privileges in order to run
B. runs on Windows and MAC OS X systems
C. detects loggers that run as a process or kernel module
D. detects both hardware- and software-based keystroke loggers
E. allows the administrator to define "safe" keystroke logger applications
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=31
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 32
Which statement is correct concerning the trusted network detection (TND) feature?
A. The Cisco AnyConnect VPN Client v2.4 supports TND on Windows, Mac, and Linux
platforms.
B. With TND, one result of a Cisco Secure Desktop basic scan on an endpoint is to
determine whether a device is a member of a trusted or an untrusted network.
C. If enabled and a Cisco Secure Desktop advanced endpoint scan determines that a host
is a member of an untrusted network, an administrator can configure the TND feature to
prohibit an end user from launching the Cisco AnyConnect VPN Client.
D. When the user is inside the corporate network, TND can be configured to
automatically disconnect a Cisco AnyConnect session.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=32
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 33
Refer to the exhibit. When the user "contractor" Cisco
AnyConnect tunnel is established, what type of Cisco ASA user restrictions are applied to the
tunnel?
A. full restrictions (no Cisco ASDM, no CLI, no console access)
B. full restrictions (no read, no write, no execute permissions)
C. full restrictions (CLI show commands and Cisco ASDM monitoring permissions
only)
D. full access with no restrictions
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=33
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 34
For clientless SSL VPN users, bookmarks can be assigned to their portal. What are three
methods for assigning bookmarks? (Choose three.)
A. Connection Profiles
B. Group Policies
C. XML profiles
D. LDAP or RADIUS attributes
E. the portal customization tool
F. User Policies
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=34
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 35
While a Cisco AnyConnect SSL VPN tunnel is established, a system administrator wants to
restrict remote home office users to either print to their local printer or send the remaining
traffic down the Cisco AnyConnect SSL VPN tunnel (with restricted Internet access). Choose
both a tunnel policy option and an ACL type to accomplish this design goal. (Choose two.)
A. Tunnel all networks
B. Tunnel network list below
C. Exclude network list from the tunnel
D. Standard ACL
E. Web ACL
F. Extended ACL
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=35
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 36
Which three webtype ACL statements are correct? (Choose three.)
A. are assigned per-Connection Profile
B. are assigned per-user or per-Group Policy
C. can be defined in the Cisco AnyConnect Profile Editor
D. supports URL pattern matching
E. supports implicit deny all at the end of the ACL
F. supports standard and extended webtype ACLs
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=36
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 37
The LAN-to-LAN tunnel is not established, but an administrator can ping the remote Cisco
ASA. Which three IPsec LAN-to-LAN configuration parameters should the administrator
verify at both ends of the tunnel? (Choose three.)
A. Pre-shared key
B. Extended Authentication password
C. Extended Authentication username
D. Crypto ACL source IP address
E. Crypto ACL destination IP address
F. Tunnel connection type-originate or answer
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=37
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 38
Refer to the exhibit. The ABC Corporation has a Cisco ASA in its test bed. A new network
administrator is tasked with adding a smart-tunnel application to the existing configuration. The
configuration will enable a "temp_worker" who is using Microsoft native RDP to have RDP
access to server 10.0.4.4 only. Which statement is correct concerning the smart-tunnel
configuration?
A. The webtype access list is misconfigured.
B. The smart-tunnel list parameter is misconfigured.
C. The smart-tunnel group-policy parameters are misconfigured.
D. The smart-tunnel configuration is configured correctly
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=38
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 39
DRAG DROP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=39
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 40
Your corporation has contractors that need remote access to server desktops to diagnose issues
and load software during nonbusiness hours. Which three clientless SSL VPN configurations
would enable these contractors to access the desktop of remote servers? (Choose three.)
A. Xwindows bookmark by using the Xwindows plug-in
B. RDP bookmark by using the RDP plug-in
C. SCP bookmark by using SCP plug-in
D. VNC bookmark by using the VNC plug-in
E. SSH bookmark by using the SSH plug-in
F. Citrix plug-in by using the Citrix plug-in
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=40
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 41
Which four advanced endpoint assessment statements are correct? (Choose four.)
A. examines the remote computer for personnel firewalls applications
B. examines the remote computer for antivirus applications
C. examines the remote computer for antispyware applications
D. examines the remote computer for malware applications
E. does not perform any remediation but provides input that can be evaluated by DAP
records
F. performs active remediation by applying rules, activating modules, and providing
updates where applicable
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=41
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 42
A Unified Client Certificate will be used on the Cisco ASA to support what?
A. certificate + double AAA authentication
B. certificate + AAA authentication
C. certificate maps
D. Cisco ASA VPN clustering
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=42
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 43
Refer to the exhibit. After a remote user established a Cisco AnyConnect session from a
wireless card through the Cisco ASA appliance of a partner to a remote server, the user
opened the Cisco AnyConnect VPN Client Statistics Details screen. Identify the two sources
of the two IP addresses. (Choose two.)
A. IP address that is assigned to the wireless Ethernet adapter of the remote user
B. IP address that is assigned to the remote user from the Cisco ASA address pool
C. IP address of the Cisco ASA physical interface of the partner
D. IP address of the Cisco ASA virtual http server of the partner
E. IP address of the default gateway router of the remote user
F. IP address of the default gateway router of the partner
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=43
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 44
Which statement about plug-ins is false?
A. Plug-ins do not require any installation on the remote system.
B. Plug-ins require administrator privileges on the remote system
C. Plug-ins support interactive terminal access.
D. Plug-ins are not supported on the Windows Mobile platform.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=44
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 45
DRAG DROP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=45
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 46
Authorization of a clientless SSL VPN defines the actions that a user may perform within a
clientless SSLVPN session. Which statement is correct concerning the SSLVPN authorization
process?
A. Remote clients can be authorized by applying a dynamic access policy, which is
configured on an external AAA server.
B. Remote clients can be authorized externally by applying group parameters from an
external database.
C. Remote client authorization is supported by RADIUS and TACACS+ protocols.
D. Remote clients can be authorized by selecting a clientless SSLVPN profile-based
Group Policy name and applying the parameters of the named group from a local database.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=46
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 47
Cisco AnyConnect Essentials is a separately licensed SSL VPN client feature set. When
compared to the Cisco AnyConnect Premium license, Cisco AnyConnect Essentials does not
provide all of the same feature functionality. Which three AnyConnect Essentials functionality
statements are correct? (Choose three.)
A. Cisco AnyConnect Essentials supports Cisco Secure Desktop.
B. Cisco AnyConnect Essentials does not support Cisco Secure Desktop.
C. Cisco AnyConnect Essentials supports clientless SSL VPN.
D. Cisco AnyConnect Essentials does not support clientless SSL VPN.
E. Cisco AnyConnect Essentials optionally supports Windows Mobile.
F. Cisco AnyConnect Essentials does not support Windows Mobile.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=47
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 48
Refer to the exhibit. The "level_2" digital certificate was installed on a laptop. What can cause
an "invalid:not active" status message?
A. On first use, a CA server-supplied passphrase is entered to validate the certificate.
B. A "newly installed" digital certificate does not become active until it is validated by
the peer device upon its first usage.
C. The user has not clicked the Verify button within the Cisco VPN Client.
D. The CA server and laptop PC clocks are out of sync.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=48
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 49
DRAG DROP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=49
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 50
A temporary worker must use clientless SSL VPN with an SSH plug-in to access the console of
an internal corporate server, the projects.xyz.com server. For security reasons, the network
security auditor insists that the temporary user be restricted to the one internal corporate server,
10.0.4.18. As the network engineer that is responsible for the network access of the temporary
user, how can you restrict SSH access to the one projects.xyz.com server?
A. Configure access-list temp_user_acl extended permit TCP any host 10.0.4.18 eq22.
B. Configure access-list temp_user_acl standard permit host 10.0.4.18 eq 22
C. Configure access-list temp_acl webtype permit url ssh://10.0.4.18.
D. Configure a plug-in SSH bookmark for host 10.0.4.18 and disable network browsing on
the clientless SSL VPN portal of the temporary worker.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=50
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 51
DRAG DROP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=51
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 52
While troubleshooting on a remote-access application, a new NOC engineer received the
logging message shown in the exhibit. Which configuration is most likely mismatched?
A. IKE configuration
B. extended authentication configuration
C. IPsec configuration
D. digital certificate configuration
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=52
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 53
Cisco AnyConnect profiles can be used to set which three options? (Choose three.)
A. define a list of VPN gateways that are presented to users upon login
B. define a quarantine VLAN for remote devices that fail a host scan
C. define a guest VLAN to all "noncompany" Cisco IOS WebVPN users
D. define a list of backup servers if primary gateways are unavailable
E. activate the SSL VPN tunnel as part of the Windows login sequence
F. configure the Cisco Secure Desktop vault
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=53
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 54
The software-based Cisco IPsec VPN Client solution uses bidirectional authentication in which
the client authenticates the Cisco ASA, and the Cisco ASA authenticates the user. Which three
methods are software-based IPsec VPN Client to Cisco ASA authentication methods? (Choose
three.)
A. Unified Client Certificate authentication
B. Secure Unit authentication
C. Hybrid authentication
D. Certificate authentication
E. Group authentication
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=54
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 55
Refer to the exhibit. A new NOC engineer is troubleshooting a VPN connection. Which
statement about the fields within the VPN Client Statistics screen is correct?
A. The ISP-assigned IP address of 10.0.21.1 is assigned to the VPN adapter of the PC.
B. The IP address of the security appliance to which the VPN client is connected is
192.168.1.2.
C. CorpNet is the name of the Cisco ASA group policy whose tunnel parameters the
connection is using.
D. The ability of the client to send packets transparently, unencrypted, through the
tunnel for test purposes is turned off.
E. With split tunneling enabled, the VPN client registers no decrypted packets.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=55
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 56
In Cisco ASA 5505 Software Release 8.2.2, which three plug-ins are supported by the Cisco
ASA? (Choose three.)
A. SSH
B. TN3270
C. SCP
D. RDP
E. ICA
F. ARAP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=56
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 57
When initiating a new SSL or TLS session, the client receives the server SSL certificate and
validates it. After validating the server certificate, what does the client use the certificate for?
A. The client and server use the server public key to encrypt the SSL session data.
B. The server creates a separate session key and sends it to the client. The client decrypts
the session key by using the server public key.
C. The client and server switch to a DH key exchange to establish a session key.
D. The client generates a random session key, encrypts it with the server public key, and
then sends it to the server.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=57
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 58
An engineer, while working at the home office, wants to launch the Cisco AnyConnect VPN
Client to the corporate offices while simultaneously printing network designs on the home
network. Without allowing access to the Internet, what are the two best ways for the
administrator to configure this application to make it happen? (Choose two.)
A. Select the tunnel all networks policy.
B. Select the tunnel network list below policy.
C. Select the exclude network list below policy.
D. Configure an exempted network list.
E. Configure a standard access list and apply it to the network list.
F. Configure an extended access list and apply it to the network list.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=58
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 59
A remote user who establishes a clientless SSL VPN session is presented with a web page. The
administrator has the option to customize the "look and feel" of the page. What are three
components of the VPN Customization Editor? (Choose three.)
A. Application page
B. Logon page
C. Networking page
D. Logout page
E. Home page
F. Portal page
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=59
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 60
Refer to the exhibit. A network administrator is duplicating a VPN client profile to send out to
all members of the finance group. Three parameters might have been configured incorrectly.
For each of the three letters, choose the correct answer. (Choose three.)
A. A-Remote Client IP Address
B. A-ASA Outside Interface IP Address
C. B-Pre-Shared Keys Authentication Type
D. B-Digital Certificate Authentication Type
E. C-Save Password enabled
F. C-Save Password disabled
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=60
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 61
Refer to the exhibit. An administrator configured the employee and
new hire SSL VPN client profiles to automatically establish an SSL VPN client session when
they log on. The administrator also configured the contractor SSL VPN client profile to
disable the Auto Connect feature and force all contractors to manually establish SSL VPN
sessions when needed. Unfortunately, when user contractor1 logged in, the SSL VPN tunnel
of contractor1 was automatically established. Why did the contractor1 SSL VPN become
established automatically?
A. The defaultRAGroup policy is set to launch all SSL VPN clients automatically.
B. The contractor connection profile parameters are set incorrectly to allow Auto
Connect.
C. The contractor group parameters are set incorrectly to allow Auto Connect.
D. The contractor1 user parameters are set incorrectly to allow Auto Connect
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=61
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 62
DRAG DROP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=62
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 63
Your IT department needs to run a custom-built TCP application within the clientless SSL
VPN tunnel. The network administrator suggested running the smart-tunnel application.
Which three statements concerning smart-tunnel applications are true? (Choose three.)
A. support active FTP and other RTSP-based applications
B. do not require administrator privileges on the remote system
C. require the enabling of port forwarding
D. are supported on Windows and Mac OS X platforms
E. support native client applications over SSL VPN
F. require the modification of the Host file on the end-user PC
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=63
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 64
While configuring a new clientless SSL VPN group in Cisco ASDM, the administrator chooses
to accept a number of the default parameter values. If the administrator decides to view the
actual value for the parameter, rather than just checking the inherit box, the administrator can
verify the default value for the group parameter under which default group?
A. DefaultRAGroup
B. DefaultWEBVPNGroup
C. DfltGrpPolicy
D. DefaultSVCGroup
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=64
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 65
Datagram Transport Layer Security (DTLS) was introduced to solve performance issues.
Which three statements are characteristics of DTLS? (Choose three.)
A. uses TLS to negotiate and establish DTLS connections
B. uses DTLS to transmit datagrams
C. disabled by default
D. uses TLS for data packet retransmission
E. replaces underlying transport layer with UDP 443
F. uses TLS to provide low-latency video application tunneling
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=65
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 66
The administrator configured a Cisco ASA 5505 as a Cisco Easy VPN hardware client and also
defined a list of Cisco Easy VPN backup servers in the Cisco ASA 5505. After an outage of the
primary VPN server, you notice that your Cisco Easy VPN hardware client has now
reconnected via a backup server that was not defined within the original Cisco Easy VPN
backup servers list. Where did your Cisco Easy VPN hardware client get this backup server?
A. The backup servers that you listed were no longer available, so the Cisco Easy VPN
hardware client queried the load balance server for a "new" backup server address.
B. The backup servers that you listed were no longer available, so a Group Policy that was
configured on the primary VPN server pushed "new" backup server addresses to your client.
C. The backup servers that you listed were no longer available, so the Cisco Easy VPN
hardware client queried the primary VPN server via RADIUS protocol for a "new" backup
server address.
D. The backup servers that you listed were no longer available, so the Cisco Easy VPN
hardware client queried and received from a predefined LDAP server a "new" backup
server address.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=66
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 67
“ASA-5-722006: Group (contractor) User (vpnuser) IP (172.16.1.20) Invalid address
(0.0.0.0) assigned to SVC connection.”
While troubleshooting on a remote-access VPN application, a new NOC engineer received the
message shown in the exhibit. What could be causing the problem?
A. The IP address that is assigned to the PC of the VPN is not within the range of addresses
that are assigned to the SVC connection.
B. The IP address that is assigned to the PC of the VPN is in use. The remote user needs to
select a different host address within the range.
C. The IP address that is assigned to the PC of the VPN is in the wrong subnet. The remote
user needs to select a different host number.
D. The IP address pool for contractor was not applied to the connection profile.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=67
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 68
Which statement regarding hashing is correct?
A. MD5 produces a 64-bit message digest.
B. SHA-1 produces a 160-bit message digest.
C. MD5 takes more CPU cycles to compute than SHA-1.
D. Changing 1 bit of the input to SHA-1 can change up to 5 bits in the output.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=68
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 69
When deploying clientless SSL VPN advanced application access, the administrator needs to
collect information on the end-user systems. Which three input parameters about an end-user
system are of major concern for the administrator?
A. Types of applications and application protocols that are supported
B. Types of encryption that are supported on the end-user system
C. The local privilege level of the remote user
D. Types of wireless security that are applied to the end-user tunnel interface
E. Types of operating systems that are supported on the end-user system
F. Type of antivirus software that is supported on the end-user system
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=69
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 70
Which three Host Scan checks on a remote endpoint can Cisco Secure Desktop be configured
to perform? (Choose three.)
A. Registry checks
B. User rights checks
C. Group Policy Objects checks
D. File checks
E. Virus Software checks
F. Process checks
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=70
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 71
Refer to the exhibit. While configuring a site-to-site VPN tunnel, a new NOC engineer
encounters the Reverse Route Injection parameter. Assuming that static routes are redistributed
by the Cisco ASA to the IGP, what effect does enabling Reverse Route Injection on the local
Cisco ASA have on a configuration?
A. The local Cisco ASA will advertise its default routes to the distant end of the site-to-site
VPN tunnel.
B. The local Cisco ASA will advertise routes from the dynamic routing protocol that is
running on the local Cisco ASA to the distant end of the site-to-site VPN tunnel.
C. The local Cisco ASA will advertise routes that are at the distant end of the site-to-site
VPN tunnel
D. The local Cisco ASA will advertise routes that are on its side of the site-to-site VPN
tunnel to the distant end of the site-to-site VPN tunnel
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=71
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 72
Refer to the exhibit. You have configured two SSL VPN Certificate
to Connection Profile Maps for all employee and management users. The Connection Profiles
for the management users are not being applied when the “management” users connect. Based
on the configuration that is shown, what would cause this issue?
A. The rule priority of the employee mapping is not low enough, and it needs to be
lowered to 1.
B. The priority of the employee mapping is too low, and it needs to be increased but not
more than the rule priority of the management mapping.
C. The priority of the management mapping is too high and needs to be lower than the
rule priority of the employee mapping.
D. The matching criteria for the management mapping is too specific, and the CN
matching parameter should be removed.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=72
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 73
When configured in a remote-access VPN solution, on which device can Dead Peer Detection
be configured?
A. Remote device
B. Headend device
C. Both headend and remote devices
D. Site-to-site VPN only
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=73
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 74
Which statement about CRL configuration is correct?
A. CRL checking is enabled by default.
B. The Cisco ASA relies on HTTPS access to procure the CRL list.
C. The Cisco ASA relies on LDAP access to procure the CRL list.
D. The Cisco ACS can be configured as the CRL server.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=74
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 75
A network architect designed a redundant site-to-site IPsec VPN. In this site-to-site IPsec VPN
solution are two standalone Cisco ASA appliances that are deployed at the headquarters office
site. A site-to-site VPN tunnel is established between the remote office and online peer
(192.168.4.1). To enable the remote office devices to be advertised correctly at headquarters,
select the three Cisco ASA parameters and the ends in which they should be applied.
R=remote end; H=headquarters end. (Choose three.)
A. R-Configure Originate-Only
B. H-Configure Originate-Only
C. R-Configure Answer-Only
D. H-Configure Answer-Only
E. R-Enable RRI
F. H-Enable RRI
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=75
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 76
Refer to the following exhibit and answer the question below:
The user, contractor1, will receive an IP address when the VPN connection is established.
Which statement regarding the IP address is true?
A. Is sourced from the contractor pool
B. Is sourced from the employee pool
C. Is sourced from the engineering pool
D. Is sourced from the management pool
E. Is a dedicated address (10.0.4.1 20)
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=76
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 77
Refer to the following exhibit and answer the question below: Which group policy
restricts the VPN user access to VLAN 100?
A. Employee
B. Contractor
C. Management
D. Engineering
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=77
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 78
Refer to the following exhibit and answer the question below: Which connection
profile supports SSL VPN Client access only?
A. Employee
B. Contractor
C. Management
D. Engineering
E. New_hire
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=78
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 79
Refer to the following exhibit and answer the question below: After providing the
correct VPN login credentials, user contractor1 is enabled to use which VPN access type?
A. Cisco AnyConnect VPN
B. Clientless VPN
C. Cisco AnyConnect VPN and clientless VPN
D. Cisco AnyConnect VPN, clientless VPN, and IPsec VPN
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=79
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 80
Refer to the following exhibit and answer the question below: Upon logging in, user
employee1 has two privileges: (Choose two.)
A. Cisco ASDM, SSH, Telnet, and console access
B. CLI login prompt for SSH, Telnet, and console only
C. No Cisco ASDM, SSH, or console access
D. Level 15
E. Level 2
F. Level 3
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-647&qno=80
-------------------------------------------------------------------------------------------------------------------------------------