null  null
http://www.TwPass.com
642-618
Cisco
Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0)
http://www.twpass.com/twpass.com/exam.aspx?eCode= 642-618
The 642-618 practice exam is written and formatted by Certified Senior IT Professionals working in
today's prospering companies and data centers all over the world! The 642-618 Practice Test covers all
the exam topics and objectives and will prepare you for success quickly and efficiently.
The 642-618 exam is very challenging, but with our 642-618 questions and answers practice exam,
you can feel confident in obtaining your success on the 642-618 exam on your FIRST TRY!
Cisco 642-618 Exam Features
- Detailed questions and answers for 642-618 exam
- Try a demo before buying any Cisco exam
- 642-618 questions and answers, updated regularly
- Verified 642-618 answers by Experts and bear almost 100% accuracy
- 642-618 tested and verified before publishing
- 642-618 exam questions with exhibits
- 642-618 same questions as real exam with multiple choice options
Acquiring Cisco certifications are becoming a huge task in the field of I.T. More over these
exams like 642-618 exam are now continuously updating and accepting this challenge is itself a task.
This 642-618 test is an important part of Cisco certifications. We have the resources to
prepare you for this. The 642-618 exam is essential and core part of Cisco certifications and
once you clear the exam you will be able to solve the real life problems yourself.Want to take
advantage of the Real 642-618 Test and save time and money while developing your skills to pass
your Cisco 642-618 Exam? Let us help you climb that ladder of success and pass your 642-618 now!
642-618
QUESTION: 1
By default, which traffic can pass through a Cisco ASA that is operating in transparent mode
without explicitly allowing it using an ACL?
A. ARP
B. BPDU
C. CDP
D. OSPF multicasts
E. DHCP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=1
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 2
Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only
the debug output to syslog? (Choose three.)
A. logging list test message 711001
B. logging debug-trace
C. logging trap debugging
D. logging message 711001 level 7
E. logging trap test
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=2
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 3
By default, how does the Cisco ASA authenticate itself to the Cisco ASDM users?
A. The administrator validates the Cisco ASA by examining the factory built-in identity
certificate thumbprint of the Cisco ASA.
B. The Cisco ASA automatically creates and uses a persistent self-signed X.509
certificate to authenticate itself to the administrator.
C. The Cisco ASA automatically creates a self-signed X.509 certificate on each reboot
to authenticate itself to the administrator.
D. The Cisco ASA and the administrator use a mutual password to authenticate each
other.
E. The Cisco ASA authenticates itself to the administrator using a one-time password.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=3
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 4
When will a Cisco ASA that is operating in transparent firewall mode perform a routing table
lookup instead of a MAC address table lookup to determine the outgoing interface of a packet?
A. if multiple context mode is configured
B. if the destination MAC address is unknown
C. if the destination is more than a hop away from the Cisco ASA
D. if NAT is configured
E. if dynamic ARP inspection is configured
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=4
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 5
Which Cisco ASA feature is implemented by the ip verify reverse-path interface
interface_name command?
A. uRPF
B. TCP intercept
C. botnet traffic filter
D. scanning threat detection
E. IPS (IP audit)
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=5
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 6
In one custom dynamic application, the inside client connects to an outside server using TCP
port 4444 and negotiates return client traffic in the port range of 5000 to 5500. The server then
starts streaming UDP data to the client on the negotiated port in the specified range. Which
Cisco ASA feature or command supports this custom dynamic application?
A. TCP normalizer
B. TCP intercept
C. ip verify command
D. established command
E. tcp-map and tcp-options commands
F. set connection advanced-options command
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=6
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 7
Refer to the exhibit. cisco&c=642-618&q=1 Which statement about the Telnet session from
10.0.0.1 to 172.26.1.200 is true?
A. The Telnet session should be successful.
B. The Telnet session should fail because the route lookup to the destination fails.
C. The Telnet session should fail because the inside interface inbound access list will
block it.
D. The Telnet session should fail because no matching flow was found.
E. The Telnet session should fail because inside NAT has not been configured.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=7
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 8
Refer to the exhibit. cisco&c=642-618&q=1 On Cisco ASA Software Version 8.3 and later,
which two sets of CLI configuration commands result from this Cisco ASDM configuration?
(Choose two.)
A. nat (inside) 1 10.1.1.10 global (outside) 1 192.168.1.1
B. nat (outside) 1 192.168.1.1 global (inside 1 10.1.1.10
C. static(inside,outside) 192.168.1.1 10.1.1.10 netmask 255.255.255.255 tcp 0 0 udp 0
D. static(inside,outside) tcp 192.168.1.1 80 10.1.1.10 80
E. object network 192.168.1.1 nat (inside,outside) static 10.1.1.10
F. object network 10.1.1.10 nat (inside,outside) static 192.168.1.1
G. access-list outside_access_in line 1 extended permit tcp any object 10.1.1.10 eq http
access-group outside_access_in in interface outside
H. access-list outside_access_in line 1 extended permit tcp any object 192.168.1.1 eq
http access-group outside_access_in in interface outside
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=8
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 9
Refer to the exhibit. cisco&c=642-618&q=1 Which corresponding Cisco ASA Software
Version 8.3 command accomplishes the same Cisco ASA Software Version 8.2 NAT
configuration?
A. nat (any,any) dynamic interface
B. nat (any,any) static interface
C. nat (inside,outside) dynamic interface
D. nat (inside,outside) static interface
E. nat (outside,inside) dynamic interface
F. nat (outside,inside) static interface
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=9
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 10
Refer to the exhibit. cisco&c=642-618&q=1 Which traffic is permitted on the inside interface
without any interface ACLs configured?
A. any IP traffic input to the inside interface
B. any IP traffic input to the inside interface destined to any lower security level
interfaces
C. only HTTP traffic input to the inside interface
D. only HTTP traffic output from the inside interface
E. No input traffic is permitted on the inside interface.
F. No output traffic is permitted on the inside interface.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=10
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 11
On Cisco ASA Software Version 8.4.1 and later, when you configure the Cisco ASA appliance
in transparent firewall mode, how is the Cisco ASA management IP address configured?
A. using the IP address global configuration command
B. using the IP address GigabitEthernet 0/x interface configuration command
C. using the IP address BVI x interface configuration command
D. using the bridge-group global configuration command
E. using the bridge-group GigabitEthernet 0/x interface configuration command
F. using the bridge-group BVI x interface configuration command
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=11
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 12
Refer to the exhibit. cisco&c=642-618&q=1 Which Cisco ASA CLI nat command is
generated based on this Cisco ASDM NAT configuration?
A. nat (dmz, outside) 1 source static any any
B. nat (dmz, outside) 1 source static any outside
C. nat (dmz,outside) 1 source dynamic any interface
D. nat (dmz, outside) 1 source static any interface destination static any any
E. nat (dmz, outside) 1 source dynamic any outside destination static any any
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=12
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 13
Refer to the exhibit. cisco&c=642-618&q=1 Which additional Cisco ASA Software Version
8.3 NAT configuration is needed to meet the following requirements? When any host in the
192.168.1.0/24 subnet behind the inside interface accesses any destinations in the 10.10.1.0/24
subnet behind the outside interface, PAT them to the outside interface. Do not change the
destination IP in the packet.
A. nat (inside,outside) source static inside-net interface destination static outhosts
outhosts
B. nat (inside,outside) source dynamic inside-net interface destination static outhosts
outhosts
C. nat (outside,inside) source dynamic inside-net interface destination static outhosts
outhosts
D. nat (outside,inside) source static inside-net interface destination static outhosts
outhosts
E. nat (any, any) source dynamic inside-net interface destination static outhosts outhosts
F. nat (any, any) source static inside-net interface destination static outhosts outhosts
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=13
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 14
On Cisco ASA Software Version 8.3 and later, which two statements correctly describe the
NAT table or NAT operations? (Choose two.)
A. The NAT table has four sections.
B. Manual NAT configurations are found in the first (top) and/or the last (bottom)
section(s) of the NAT table.
C. Auto NAT also is referred to as Object NAT.
D. Auto NAT configurations are found only in the first (top) section of the NAT table.
E. The order of the NAT entries in the NAT table is not relevant to how the packets are
matched against the NAT table.
F. Twice NAT is required for hosts on the inside to be accessible from the outside.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=14
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 15
The Cisco ASA software image has been erased from flash memory. Which two statements
about the process to recover the Cisco ASA software image are true? (Choose two.)
A. Access to the ROM monitor mode is required.
B. The Cisco ASA appliance must have connectivity to the TFTP server where the
Cisco ASA image is stored through the Management 0/0 interface.
C. The copy tftp flash command is necessary to start the TFTP file transfer.
D. The server command is necessary to set the TFTP server IP address.
E. Cisco ASA password recovery must be enabled.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=15
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 16
Which two Cisco ASA licensing features are correct with Cisco ASA Software Version 8.3 and
later? (Choose two.)
A. Identical licenses are not required on the primary and secondary Cisco ASA
appliance.
B. Cisco ASA appliances configured as failover pairs disregard the time-based
activation keys.
C. Time-based licenses are stackable in duration but not in capacity.
D. A time-based license completely overrides the permanent license, ignoring all
permanently licensed features until the time-based license is uninstalled.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=16
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 17
For which purpose is the Cisco ASA CLI command aaa authentication match used?
A. Enable authentication for SSH and Telnet connections to the Cisco ASA appliance.
B. Enable authentication for console connections to the Cisco ASA appliance.
C. Enable authentication for connections through the Cisco ASA appliance.
D. Enable authentication for IPsec VPN connections to the Cisco ASA appliance.
E. Enable authentication for SSL VPN connections to the Cisco ASA appliance.
F. Enable authentication for Cisco ASDM connections to the Cisco ASA appliance.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=17
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 18
Which option is one requirement before a Cisco ASA appliance can be upgraded from Cisco
ASA Software Version 8.2 to 8.3?
A. Remove all the pre 8.3 NAT configurations in the startup configuration.
B. Upgrade the memory on the Cisco ASA appliance to meet the memory requirement
of Cisco ASA Software Version 8.3.
C. Request new Cisco ASA licenses to meet the 8.3 licensing requirement.
D. Upgrade Cisco ASDM to version 6.2.
E. Migrate interface ACL configurations to include interface and global ACLs.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=18
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 19
Refer to the partial Cisco ASA configuration and the network topology shown in the exhibit.
cisco&c=642-618&q=1 Which two Cisco ASA configuration commands are required so that
any hosts on the Internet can HTTP to the WEBSERVER using the 192.168.1.100 IP address?
(Choose two.)
A. nat (inside,outside) static 192.168.1.100
B. nat (inside,outside) static 172.31.0.100
C. nat (inside,outside) static interface
D. access-list outside_access_in extended permit tcp any object 172.31.0.100 eq http
E. access-list outside_access_in extended permit tcp any object 192.168.1.100 eq http
F. access-list outside_access_in extended permit tcp any object 192.168.1.1 eq http
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=19
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 20
Which two statements about Cisco ASA 8.2 NAT configurations are true? (Choose two.)
A. NAT operations can be implemented using the NAT, global, and static commands.
B. If nat-control is enabled and a connection does not need a translation, then an identity
NAT configuration is required.
C. NAT configurations can use the any keyword as the input or output interface
definition.
D. The NAT table is read and processed from the top down until a translation rule is
matched.
E. Auto NAT links the translation to a network object.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=20
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 21
Which Cisco ASA (8.4.1 and later) CLI command is the best command to use for
troubleshooting SSH connectivity from the Cisco ASA appliance to the outside 192.168.1.1
server?
A. telnet 192.168.1.1 22
B. ssh -l username 192.168.1.1
C. traceroute 192.168.1.1 22
D. ping tcp 192.168.1.1 22
E. packet-tracer input inside tcp 10.0.1.1 2043 192.168.4.1 ssh
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=21
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 22
Refer to the exhibit. cisco&c=642-618&q=1 Which reason explains why the Cisco ASA
appliance cannot establish an authenticated NTP session to the inside 192.168.1.1 NTP server?
A. The ntp server 192.168.1.1 command is incomplete.
B. The ntp source inside command is missing.
C. The ntp access-group peer command and the ACL to permit 192.168.1.1 are missing.
D. The trusted-key number should be 1 not 2.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=22
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 23
Which Cisco ASA CLI command is used to enable HTTPS (Cisco ASDM) access from any
inside host on the 10.1.16.0/20 subnet?
A. http 10.1.16.0 0.0.0.0 inside
B. http 10.1.16.0 0.0.15.255 inside
C. http 10.1.16.0 255.255.240.0 inside
D. http 10.1.16.0 255.255.255.255
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=23
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 24
Which statement about Cisco ASA multicast routing support is true?
A. The Cisco ASA appliance supports PIM dense mode, sparse mode, and BIDIR-PIM.
B. The Cisco ASA appliance supports only stub multicast routing by forwarding IGMP
messages from multicast receivers to the upstream multicast router.
C. The Cisco ASA appliance supports DVMRP and PIM.
D. The Cisco ASA appliance supports either stub multicast routing or PIM, but both
cannot be enabled at the same time.
E. The Cisco ASA appliance supports only IGMP v1.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=24
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 25
Which four unicast or multicast routing protocols are supported by the Cisco ASA appliance?
(Choose four.)
A. RIP (v1 and v2)
B. OSPF
C. ISIS
D. BGP
E. EIGRP
F. Bidirectional PIM
G. MOSPF
H. PIM dense mode
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=25
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 26
Refer to the exhibit. cisco&c=642-618&q=1 Which Cisco ASA CLI commands configure
these static routes in the Cisco ASA routing table?
A. route dmz 10.2.2.0 0.0.0.255 172.16.1.10 route dmz 10.3.3.0 0.0.0.255 172.16.1.11
B. route dmz 10.2.2.0 0.0.0.255 172.16.1.10 1 route dmz 10.3.3.0 0.0.0.255 172.16.1.11
1
C. route dmz 10.2.2.0 0.0.0.255 172.16.1.10 route dmz 10.3.3.0 0.0.0.255 172.16.1.11 2
D. route dmz 10.2.2.0 255.255.255.0 172.16.1.10 route dmz 10.3.3.0 255.255.255.0
172.16.1.11
E. route dmz 10.2.2.0 255.255.255.0 172.16.1.10 1 route dmz 10.3.3.0 255.255.255.0
172.16.1.11 1
F. route dmz 10.2.2.0 255.255.255.0 172.16.1.10 route dmz 10.3.3.0 255.255.255.0
172.16.1.11 2
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=26
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 27
Which statement about static or default route on the Cisco ASA appliance is true?
A. The admin distance is 1 by default.
B. From the show route output, the [120/3] indicates an admin distance of 3.
C. A default route is specified using the 0.0.0.0 255.255.255.255 address/mask
combination.
D. The tunneled command option is used to enable route tracking.
E. The interface-name parameter in the route command is an optional parameter if the
static route points to the next-hop router IP address.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=27
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 28
Refer to the exhibit. cisco&c=642-618&q=1 Which Cisco ASA configuration has the
minimum number of the required configuration commands to enable the Cisco ASA appliance
to establish EIGRP neighborship with its two neighboring routers?
A. router eigrp 1 network 10.0.0.0 255.0.0.0
B. router eigrp 1 network 10.0.0.0 255.0.0.0 network 192.168.1.0 255.255.255.0
network 192.168.2.0 255.255.255.0
C. router eigrp 1 network 10.1.1.0 255.255.255.0 network 10.2.2.0 255.255.255.0
D. router eigrp 1 network 10.1.1.0 255.255.255.0 network 10.2.2.0 255.255.255.0
network 192.168.1.0 255.255.255.0 network 192.168.2.0 255.255.255.0
E. router eigrp 1 network 0.0.0.0 255.255.255.255
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=28
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 29
Which configuration step is the first to enable PIM-SM on the Cisco ASA appliance?
A. Configure the static RP IP address.
B. Enable IGMP forwarding on the required interface(s).
C. Add the required static mroute(s).
D. Enable multicast routing globally on the Cisco ASA appliance.
E. Configure the Cisco ASA appliance to join the required multicast groups.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=29
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 30
On the Cisco ASA, tcp-map can be applied to a traffic class using which MPF CLI
configuration command?
A. inspect
B. sysopt connection
C. tcp-options
D. parameters
E. set connection advanced-options
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=30
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 31
Refer to the exhibit. cisco&c=642-618&q=1 What can be determined about the connection
status?
A. The output is showing normal activity to the inside 10.1.1.50 web server.
B. Many HTTP connections to the 10.1.1.50 web server have successfully completed
the threeway TCP handshake.
C. Many embryonic connections are made from random sources to the 10.1.1.50 web
server.
D. The 10.1.1.50 host is triggering SYN flood attacks against random hosts on the
outside.
E. The 10.1.1.50 web server is terminating all the incoming HTTP connections.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=31
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 32
Refer to the exhibit. cisco&c=642-618&q=1 Which statement about the policy map named
test is true?
A. Only HTTP inspection will be applied to the TCP port 21 traffic.
B. Only FTP inspection will be applied to the TCP port 21 traffic.
C. both HTTP and FTP inspections will be applied to the TCP port 21 traffic.
D. No inspection will be applied to the TCP port 21 traffic, because the http class map
configuration conflicts with the ftp class map.
E. All FTP traffic will be denied, because the FTP traffic will fail the HTTP inspection.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=32
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 33
In which type of environment is the Cisco ASA MPF set connection advanced-options tcpstate- bypass option the most useful?
A. SIP proxy
B. WCCP
C. BGP peering through the Cisco ASA
D. asymmetric traffic flow
E. transparent firewall
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=33
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 34
On the Cisco ASA Software Version 8.4.1, which three parameters can be configured using the
set connection command within a policy map? (Choose three.)
A. per-client TCP and/or UDP idle timeout
B. per-client TCP and/or UDP maximum session time
C. TCP sequence number randomization
D. maximum number of simultaneous embryonic connections
E. maximum number of simultaneous TCP and/or UDP connections
F. fragments reassembly options
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=34
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 35
In the default global policy, which traffic is matched for inspections by default?
A. match any
B. match default-inspection-traffic
C. match access-list
D. match port
E. match class-default
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=35
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 36
By default, how does a Cisco ASA appliance process IP fragments?
A. Each fragment passes through the Cisco ASA appliance without any inspections.
B. Each fragment is blocked by the Cisco ASA appliance.
C. The Cisco ASA appliance verifies each fragment and performs virtual IP reassembly before the full IP packet is forwarded out.
D. The Cisco ASA appliance forwards the packet out as soon as all of the fragments of
the packet have been received.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=36
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 37
Which two Cisco ASA configuration tasks are necessary to allow authenticated BGP sessions
to pass through the Cisco ASA appliance? (Choose two.)
A. Configure the Cisco ASA TCP normalizer to permit TCP option 19
B. Configure the Cisco ASA TCP Intercept to inspectthe BGP packets (TCP port 179)
C. Configure the Cisco ASA default global inspection policy to also statefully inspect
the BGP flows
D. Configure the Cisco ASA TCP normalizer to disable TCP ISNrandomization for the
BGP flows
E. Configure TCP state bypass to allow the BGP flows
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=37
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 38
Which two options show the required Cisco ASA command(s) to allow this scenario? (Choose
two.) An inside client on the 10.0.0.0/8 network connects to an outside server on the
172.16.0.0/16 network using TCP and the server port of 2001. The inside client negotiates a
client port in the range between UDP ports 5000 to 5500. The outside server then can start
sending UDP data to the inside client on the negotiated port within the specified UDP port
range.
A. access-list INSIDE line 1 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq
2001 access-group INSIDE in interface inside
B. access-list INSIDE line 1 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq
2001 access-list INSIDE line 2 permit udp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq
established access-group INSIDE in interface inside
C. access-list OUTSIDE line 1 permit tcp 172.16.0.0 255.255.0.0 eq 2001 10.0.0.0
255.0.0.0 access-list OUTSIDE line 2 permit udp 172.16.0.0 255.255.0.0 10.0.0.0
255.0.0.0 eq 5000-5500 access-group OUTSIDE in interface outside
D. access-list OUTSIDE line 1 permit tcp 172.16.0.0 255.255.0.0 eq 2001 10.0.0.0
255.0.0.0 access-list OUTSIDE line 2 permit udp 172.16.0.0 255.255.0.0 10.0.0.0
255.0.0.0 eq established access-group OUTSIDE in interface outside
E. established tcp 2001 permit udp 5000-5500
F. established tcp 2001 permit from udp 5000-5500
G. established tcp 2001 permit to udp 5000-5500
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=38
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 39
Which three actions can be applied to a traffic class within a type inspect policy map? (Choose
three.)
A. drop
B. priority
C. log
D. pass
E. inspect
F. reset
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=39
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 40
Which three types of class maps can be configured on the Cisco ASA appliance? (Choose
three.)
A. control-plane
B. regex
C. inspect
D. access-control
E. management
F. stack
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=40
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 41
Which Cisco ASA configuration is used to configure the TCP intercept feature?
A. a TCP map
B. an access list
C. the established command
D. the set connection command with the embryonic-conn-max option
E. a type inspect policy map
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=41
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 42
When the Cisco ASA appliance is processing packets, which action is performed first?
A. Check if the packet is permitted or denied by the inbound interface ACL.
B. Check if the packet is permitted or denied by the outbound interface ACL.
C. Check if the packet is permitted or denied by the global ACL.
D. Check if the packet matches an existing connection in the connection table.
E. Check if the packet matches an inspection policy.
F. Check if the packet matches a NAT rule.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=42
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 43
On which type of encrypted traffic can a Cisco ASA appliance running software version 8.4.1
perform application inspection and control?
A. IPsec
B. SSL
C. IPsec or SSL
D. Cisco Unified Communications
E. Secure FTP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=43
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 44
What mechanism is used on the Cisco ASA to map IP addresses to domain names that are
contained in the botnet traffic filter dynamic database or local blacklist?
A. HTTP inspection
B. DNS inspection and snooping
C. WebACL
D. dynamic botnet database fetches (updates)
E. static blacklist
F. static whitelist
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=44
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 45
Which addresses are considered "ambiguous addresses" and are put on the greylist by the Cisco
ASA botnet traffic filter feature?
A. addresses that are unknown
B. addresses that are on the greylist identified by the dynamic database
C. addresses that are blacklisted by the dynamic database but also are identified by the
static whitelist
D. addresses that are associated with multiple domain names, but not all of these
domain names are on the blacklist
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=45
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 46
Which statement about the Cisco ASA botnet traffic filter is true?
A. The four threat levels are low, moderate, high, and very high.
B. By default, the dynamic-filter drop blacklist interface outside command drops traffic
with a threat level of high or very high.
C. Static blacklist entries always have a very high threat level.
D. A static or dynamic blacklist entry always takes precedence over the static whitelist
entry.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=46
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 47
Refer to the exhibit. cisco&c=642-618&q=1 Which command enables the stateful failover
option?
A. failover link MYFAILOVER GigabitEthernet0/2
B. failover lan interface MYFAILOVER GigabitEthernet0/2
C. failover interface ip MYFAILOVER 172.16.5.1 255.255.255.0 standby 172.16.5.10
D. preempt
E. failover group 1 primary
F. failover lan unit primary
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=47
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 48
When configuring security contexts on the Cisco ASA, which three resource class limits can be
set using a rate limit? (Choose three.)
A. address translation rate
B. Cisco ASDM session rate
C. connections rate
D. MAC-address learning rate (when in transparent mode)
E. syslog messages rate
F. stateful packet inspections rate
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=48
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 49
Refer to the exhibit. cisco&c=642-618&q=1 What does the * next to the CTX security
context indicate?
A. The CTX context is the active context on the Cisco ASA.
B. The CTX context is the standby context on the Cisco ASA.
C. The CTX context contains the system configurations.
D. The CTX context has the admin role.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=49
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 50
With Cisco ASA active/standby failover, by default, how many monitored interface failures
will cause failover to occur?
A. 1
B. 2
C. 3
D. 4
E. 5
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=50
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 51
On Cisco ASA Software Version 8.4.1 and later, which three EtherChannel modes are
supported? (Choose three.)
A. active mode, which initiates LACP negotiation
B. passive mode, which responds to LACP negotiation from the peer
C. auto mode, which automatically responds to either PAgP or LACP negotiation from
the peer
D. on mode, which enables static port-channel mode
E. off mode, which disables dynamic negotiation
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=51
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 52
On Cisco ASA Software Version 8.4 and later, which two options show the maximum number
of active and standby ports that an EtherChannel can have? (Choose two.)
A. 2 active ports
B. 4 active ports
C. 6 active ports
D. 8 active ports
E. 2 standby ports
F. 4 standby ports
G. 6 standby ports
H. 8 standby ports
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=52
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 53
Which additional active/standby failover feature was introduced in Cisco ASA Software
Version 8.4?
A. HTTP stateful failover
B. OSPF and EIGRP routing protocol stateful failover
C. SSL VPN stateful failover
D. IPsec VPN stateful failover
E. NAT stateful failover
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=53
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 54
Where in the Cisco ASA appliance CLI are Active/Active Failover configuration parameters
configured?
A. admin context
B. customer context
C. system execution space
D. within the system execution space and admin context
E. within each customer context and admin context
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=54
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 55
When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level
will produce the most messages?
A. notifications
B. informational
C. alerts
D. emergencies
E. errors
F. debugging
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=55
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 56
Refer to the exhibit. cisco&c=642-618&q=1 Which two configurations are required on the
Cisco ASAs so that the return traffic from the 10.10.10.100 outside server back to the
10.20.10.100 inside client can be rerouted from the Active Ctx B context in ASA Two to the
Active Ctx A context in ASA One? (Choose two.)
A. stateful active/active failover
B. dynamic routing (EIGRP or OSPF or RIP)
C. ASR-group
D. no NAT-control
E. policy-based routing
F. TCP/UDP connections replication
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=56
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 57
Refer to the exhibit. cisco&c=642-618&q=1 Which Cisco ASA feature can be configured
using this Cisco ASDM screen?
A. Cisco ASA command authorization using TACACS+
B. AAA accounting to track serial, ssh, and telnet connections to the Cisco ASA
C. Exec Shell access authorization using AAA
D. cut-thru proxy
E. AAA authentication policy for Cisco ASDM access
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=57
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 58
Refer to the exhibit. cisco&c=642-618&q=1 Which two statements about the class maps are
true? (Choose two.)
A. These class maps are referenced within the global policy by default for HTTP
inspection.
B. These class maps are all type inspect http class maps.
C. These class maps classify traffic using regular expressions.
D. These class maps are Layer 3/4 class maps.
E. These class maps are used within the inspection_default class map for matching the
default inspection traffic.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=58
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 59
Refer to the exhibit. ***Exhibit is Missing*** Which statement about the MPF configuration
is true?
A. Any non-RFC complaint FTP traffic will go through additional deep FTP packet
inspections.
B. FTP traffic must conform to the FTP RFC, and the FTP connection will be dropped
if the PUT command is used.
C. Deep FTP packet inspections will be performed on all TCP inbound and outbound
traffic on the outside interface.
D. The ftp-pm policy-map type should be type inspect.
E. Due to a configuration error, all FTP connections through the outside interface will
not be permitted.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=59
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 60
Refer to the exhibit. cisco&c=642-618&q=1 What is a reasonable conclusion?
A. The maximum number of TCP connections that the 10.1.1.99 host can establish will
be 146608.
B. All the connections from the 10.1.1.99 have completed the TCP three-way
handshake.
C. The 10.1.1.99 hosts are generating a vast number of outgoing connections, probably
due to a virus.
D. The 10.1.1.99 host on the inside is under a SYN flood attack.
E. The 10.1.1.99 host operations on the inside look normal.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=60
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 61
Which five options are valid logging destinations for the Cisco ASA? (Choose five.)
A. AAA server
B. Cisco ASDM
C. buffer
D. SNMP traps
E. LDAP server
F. email
G. TCP-based secure syslog server
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=61
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 62
Which flag shown in the output of the show conn command is used to indicate that an initial
SYN packet is from the outside (lower security-level interface)?
A. B
B. D
C. b
D. A
E. a
F. i
G. I
H. O
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=62
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 63
Which statement about the default ACL logging behavior of the Cisco ASA is true?
A. The Cisco ASA generates system message 106023 for each denied packet when a
deny ACE is configured.
B. The Cisco ASA generates system message 106023 for each packet that matched an
AC
E.
C. The Cisco ASA generates system message 106100 only for the first packet that
matched an AC
E.
D. The Cisco ASA generates system message 106100 for each packet that matched an
AC
E.
E. No ACL logging is enabled by default.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=63
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 64
Which Cisco ASA feature enables the ASA to do these two things? 1) Act as a proxy for the
server and generate a SYN-ACK response to the client SYN request. 2) When the Cisco ASA
receives an ACK back from the client, the Cisco ASA authenticates the client and allows the
connection to the server.
A. TCP normalizer
B. TCP state bypass
C. TCP intercept
D. basic threat detection
E. advanced threat detection
F. botnet traffic filter
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=64
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 65
Which option is not supported when the Cisco ASA is operating in transparent mode and also
is using multiple security contexts?
A. NAT
B. shared interface
C. security context resource management
D. Layer 7 inspections
E. failover
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=65
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 66
Which two statements about Cisco ASA redundant interface configuration are true? (Choose
two.)
A. Each redundant interface can have up to four physical interfaces as its member.
B. When the standby interface becomes active, the Cisco ASA sends gratuitous ARP
out on the standby interface.
C. Interface duplex and speed configurations are configured under the redundant
interface.
D. Redundant interfaces use MAC address-based load balancing to load share traffic
across multiple physical interfaces.
E. Each Cisco ASA supports up to eight redundant interfaces.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=66
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 67
The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three Cisco
ASA options will not support these requirements? (Choose three.)
A. transparent mode
B. multiple context mode
C. active/standby failover mode
D. active/active failover mode
E. routed mode
F. no NAT-control
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=67
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 68
Refer to the exhibit. cisco&c=642-618&q=1 Which two functions will the Set ASDM
Defined User Roles perform? (Choose two.)
A. enables role based privilege levels to most Cisco ASA commands
B. enables the Cisco ASDM user to assign privilege levels manually to individual
commands or groups of commands
C. enables command authorization with a remote TACACS+ server
D. enables three predefined user account privileges (Admin=Priv 15, Read Only=Priv 5,
Monitor Only=Priv 3)
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=68
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 69
Which two statements about Cisco ASA failover troubleshooting are true? (Choose two.)
A. With active/active failover, failover link troubleshooting should be done in the
system execution space.
B. With active/active failover, ASR groups must be enabled.
C. With active/active failover, user data passing interfaces troubleshooting should be
done within the context execution space.
D. The failed interface threshold is set to 1. Using the show monitor-interface
command, if one of the monitored interfaces on both the primary and secondary Cisco
ASA appliances is in the unknown state, a failover should occur.
E. Syslog level 1 messages will be generated on the standby unit only if the logging
standby command is used.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=69
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 70
A Cisco ASA is operating in transparent firewall mode, but the MAC address table of the Cisco
ASA is always empty, which causes connectivity issues. What should you verify to
troubleshoot this issue?
A. if ARP inspection has been disabled
B. if MAC learning has been disabled
C. if NAT has been disabled
D. if ARP traffic is explicitly allowed using EtherType ACL
E. if BPDU traffic is explicitly allowed using EtherType ACL
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=70
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 71
When active/active failover is implemented on the Cisco ASA, how many failover groups are
supported on the Cisco ASA?
A. 1
B. 2
C. 1 failover group per configured security context
D. 2 failover groups per configured security context
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=71
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 72
Refer to the exhibit. cisco&c=642-618&q=1 What is the resulting CLI command?
A. match request uri regex _default_GoToMyPC-tunnel
B. drop-connection log
C. match regex _default_GoToMyPC-tunnel
D. drop-connection log
E. class _default_GoToMyPC-tunnel
F. drop-connection log
G. match class-map _default_GoToMyPC-tunnel
H. drop-connection log
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=72
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 73
When troubleshooting a Cisco ASA that is operating in multiple context mode, which two
verification steps should be performed if a user context does not pass user traffic? (Choose
two.)
A. Verify the interface status in the system execution space.
B. Verify the mac-address-table on the Cisco ASA.
C. Verify that unique MAC addresses are configured if the contexts are using nonshared
interfaces.
D. Verify the interface status in the user context.
E. Verify the resource classes configuration by accessing the admin context.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=73
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 74
What is the first configuration step when using Cisco ASDM to configure a new Layer 3/4
inspection policy on the Cisco ASA?
A. Create a new class map.
B. Create a new policy map and apply actions to the traffic classes.
C. Create a new service policy rule.
D. Create the ACLs to be referenced by any of the new class maps.
E. Disable the default global inspection policy.
F. Create a new firewall access rule.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=74
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 75
Which feature is not supported on the Cisco ASA 5505 with the Security Plus license?
A. security contexts
B. stateless active/standby failover
C. transparent firewall
D. threat detection
E. traffic shaping
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=75
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 76
Which statement about SNMP support on the Cisco ASA appliance is true?
A. The Cisco ASA appliance supports only SNMPv1 or SNMPv2c.
B. The Cisco ASA appliance supports read-only and read-write access.
C. The Cisco ASA appliance supports three built-in SNMPv3 groups in Cisco ASDM:
Authentication and Encryption, Authentication Only, and No Authentication, No
Encryption.
D. The Cisco ASA appliance can send SNMP traps to the network management station
only using SNMPv2.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=76
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 77
On Cisco ASA Software Version 8.4.1, which four inspections are enabled by default in the
global policy? (Choose four.)
A. HTTP
B. ESMTP
C. SKINNY
D. ICMP
E. TFTP
F. SIP
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=77
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 78
Which two statements about traffic shaping capability on the Cisco ASA appliance are true?
(Choose two.)
A. Traffic shaping can be applied to all outgoing traffic on a physical interface or, in the
case of the Cisco ASA 5505 appliance, on a VLAN.
B. Traffic shaping can be applied in the input or output direction.
C. Traffic shaping can cause jitter and delay.
D. You can configure traffic shaping and priority queuing on the same interface.
E. With traffic shaping, when traffic exceeds the maximum rate, the security appliance
drops the excess traffic.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=78
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 79
Which command option/keyword in Cisco ASA 8.3 NAT configurations makes the NAT
policy interface independent?
A. interface
B. all
C. auto
D. global
E. any
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=79
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 80
Which statement about access list operations on Cisco ASA Software Version 8.3 and later is
true?
A. If the global and interface access lists are both configured, the global access list is
matched first before the interface access lists.
B. Interface and global access lists can be applied in the input or output direction.
C. In the inbound access list on the outside interface that permits traffic to the inside
interface, the destination IP address referenced is always the "mapped-ip" (translated) IP
address of the inside host.
D. When adding an access list entry in the global access list using the Cisco ASDM
Add Access Rule window, choosing "any" for Interface applies the access list entry
globally.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=80
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 81
Refer to the exhibit. ***Exhibit is Missing*** Which three CLI commands are generated by
these Cisco ASDM configurations? (Choose three.)
A. object-group network testobj
B. object network testobj
C. ip address 10.1.1.0 255.255.255.0
D. subnet 10.1.1.0 255.255.255.0
E. nat (any,any) static 192.168.1.0 dns nat (outside,inside) static 192.168.1.0 dns
F. nat (inside,outside) static 192.168.1.0 dns nat (inside,any) static 192.168.1.0 dns
G. nat (any,inside) static 192.168.1.0 dns
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=81
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 82
A Cisco ASA appliance running software version 8.4.1 has an active botnet traffic filter license
with 1 month left on the time-based license. Which option describes the result if a new botnet
traffic filter with a 1 year time-based license is activated also?
A. The time-based license for the botnet traffic filter is valid only for another month.
B. The time-based license for the botnet traffic filter is valid for another 12 months.
C. The time-based license for the botnet traffic filter is valid for another 13 months.
D. The new 1 year time-based license for the botnet traffic filter cannot be activated
until the current botnet traffic filter license expires in a month.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=82
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 83
How many interfaces can a Cisco ASA bridge group support and how many bridge groups can
a Cisco ASA appliance support?
A. up to 2 interfaces per bridge group and up to 4 bridge groups per Cisco ASA
appliance
B. up to 2 interfaces per bridge group and up to 8 bridge groups per Cisco ASA
appliance
C. up to 4 interfaces per bridge group and up to 4 bridge groups per Cisco ASA
appliance
D. up to 4 interfaces per bridge group and up to 8 bridge groups per Cisco ASA
appliance
E. up to 8 interfaces per bridge group and up to 4 bridge groups per Cisco ASA
appliance
F. up to 8 interfaces per bridge group and up to 8 bridge groups per Cisco ASA
appliance
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=83
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 84
On the Cisco ASA Software Version 8.3 and later, which type of NAT configuration can be
used to translate the source and destination IP addresses of the packet?
A. auto NAT
B. object NAT
C. one-to-one NAT
D. many-to-one NAT
E. manual NAT
F. identity NAT
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=84
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 85
Refer to the exhibit. ***Exhibit is Missing*** Which option describes the problem with this
botnet traffic filter configuration on the Cisco ASA appliance?
A. The traffic classification ACL is not defined.
B. The use of the dynamic database is not enabled.
C. DNS snooping is not enabled.
D. The threat level range for the traffic to be dropped is not defined.
E. The static black and white list entries should use domain name instead of IP address.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=85
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 86
Which option lists the main tasks in the correct order to configure a new Layer 3 and 4
inspection policy on the Cisco ASA appliance using the Cisco ASDM Configuration >
Firewall > Service Policy Rules pane?
A. 1. Create a class map to identify which traffic to match. 2. Create a policy map and
apply action(s) to the traffic class(es). 3. Apply the policy map to an interface or
globally using a service policy.
B. 1. Create a service policy rule. 2. Identify which traffic to match. 3. Apply action(s)
to the traffic.
C. 1. Create a Layer 3 and 4 type inspect policy map. 2. Create class map(s) within the
policy map to identify which traffic to match. 3. Apply the policy map to an interface or
globally using a service policy.
D. 1. Identify which traffic to match. 2. Apply action(s) to the traffic. 3. Create a policy
map. 4. Apply the policy map to an interface or globally using a service policy.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=86
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 87
Which other match command is used with the match flow ip destination-address command
within the class map configurations of the Cisco ASA MPF?
A. match tunnel-group
B. match access-list
C. match default-inspection-traffic
D. match port
E. match dscp
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=87
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 88
Which configuration step (if any) is necessary to enable FTP inspection on TCP port 2121?
A. None. FTP inspection is enabled by default using the global policy.
B. Create a new class map to match TCP port 2121, then edit the global policy to
inspect FTP for traffic matched by the new class map.
C. Edit default-inspection-traffic to match FTP on port 2121.
D. Add a new traffic class using the match protocol FTP option within the
inspect_default class map.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=88
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 89
With Cisco ASA active/active or active/standby stateful failover, which state information or
table is not passed between the active and standby Cisco ASA by default?
A. NAT translation table
B. TCP connection states
C. UDP connection states
D. ARP table
E. HTTP connection table
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=89
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 90
Which Cisco ASA object group type offers the most flexibility for grouping different services
together based on arbitrary protocols?
A. network
B. ICMP
C. protocol
D. TCP-UDP
E. service
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=90
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 91
Using the default modular policy framework global configuration on the Cisco ASA, how does
the Cisco ASA process outbound HTTP traffic?
A. HTTP flows are not permitted through the Cisco ASA, because HTTP is not
inspected by default.
B. HTTP flows match the inspection_default traffic class and are inspected using HTTP
inspection.
C. HTTP outbound traffic is permitted, but all return HTTP traffic is denied.
D. HTTP flows are statefully inspected using TCP stateful inspection.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=91
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 92
In which two directions are the Cisco ASA modular policy framework inspection policies
applied? (Choose two.)
A. in the ingress direction only when applied globally
B. in the ingress direction only when applied on an interface
C. in the egress direction only when applied globally
D. in the egress direction only when applied on an interface
E. bi-directionally when applied globally
F. bi-directionally when applied on an interface
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=92
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 93
Which flags should the show conn command normally show after a TCP connection has
successfully been established from an inside host to an outside host?
A. aB
B. saA
C. sIO
D. AIO
E. UIO
F. F
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=93
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 94
Which three configurations are needed to enable SNMPv3 support on the Cisco ASA? (Choose
three.)
A. SNMPv3 Local EngineID
B. SNMPv3 Remote EngineID
C. SNMP Users
D. SNMP Groups
E. SNMP Community Strings
F. SNMP Hosts
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=94
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 95
A customer is ordering a number of Cisco ASAs for their network. For the remote or home
office, they are purchasing the Cisco ASA 5505. When ordering the licenses for their Cisco
ASAs, which two licenses must they order that are "platform specific" to the Cisco ASA 5505?
(Choose two.)
A. AnyConnect Essentials license
B. per-user Premium SSL VPN license
C. VPN shared license
D. internal user licenses
E. Security Plus license
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=95
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 96
Refer to the exhibit. cisco&c=642-618&q=1 Which two statements are true? (Choose two.)
A. The connection is awaiting outside ACK to SYN.
B. The connection is initiated from the inside.
C. The connection is active and has received inbound and outbound data.
D. The connection is an incomplete TCP connection.
E. The connection is a DNS connection.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=96
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 97
Which Cisco ASA show command groups the xlates and connections information together in
its output?
A. show conn
B. show conn detail
C. show xlate
D. show asp
E. show local-host
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=97
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 98
The Cisco ASA is configured in multiple mode and the security contexts share the same
outside physical interface. Which two packet classification methods can be used by the Cisco
ASA to determine which security context to forward the incoming traffic from the outside
interface? (Choose two.)
A. unique interface IP address
B. unique interface MAC address
C. routing table lookup
D. MAC address table lookup
E. unique global mapped IP addresses
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=98
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 99
When a Cisco ASA is configured in multiple context mode, within which configuration are the
interfaces allocated to the security contexts?
A. each security context
B. system configuration
C. admin context (context with the "admin" role)
D. context startup configuration file (.cfg file)
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=99
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 100
When troubleshooting redundant interface operations on the Cisco ASA, which configuration
should be verified?
A. The nameif configuration on the member physical interfaces are identical.
B. The MAC address configuration on the member physical interfaces are identical.
C. The active interface is sending periodic hellos to the standby interface.
D. The IP address configuration on the logical redundant interface is correct.
E. The duplex and speed configuration on the logical redundant interface are correct.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=100
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 101
Which statement about the Cisco ASA 5505 configuration is true?
A. The IP address is configured under the physical interface (ethernet 0/0 to ethernet
0/7).
B. With the default factory configuration, the management interface (management 0/0)
is configured with the 192.168.1.1/24 IP address.
C. With the default factory configuration, Cisco ASDM access is not enabled.
D. The switchport access vlan command can be used to assign the VLAN to each
physical interface (ethernet 0/0 to ethernet 0/7).
E. With the default factory configuration, both the inside and outside interface will use
DHCP to acquire its IP address.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=101
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 102
What is the correct regular expression to match HTTP requests whose URI is /welcome.jpg?
A. ^/welcome.jpg
B. ^/welcome\.jpg
C. ^*/welcome\.jpg
D. ^\/welcome\.jpg
E. ^\*/welcome\.jpg
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=102
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 103
Refer to the exhibit. cisco&c=642-618&q=1 A Cisco ASA in transparent firewall mode
generates the log messages seen in the exhibit. What should be configured on the Cisco ASA
to allow the denied traffic?
A. extended ACL on the outside and inside interface to permit the multicast traffic
B. EtherType ACL on the outside and inside interface to permit the multicast traffic
C. stateful packet inspection
D. static ARP mapping
E. static MAC address mapping
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=103
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 104
With active/standby failover, what happens if the standby Cisco ASA does not receive three
consecutive hello messages from the active Cisco ASA on the LAN failover interface?
A. The standby ASA immediately becomes the active ASA.
B. The standby ASA eventually becomes the active ASA after three times the holddown timer interval expires.
C. The standby ASA runs network activity tests, including ARP and ping, to determine
if the active ASA has failed.
D. The standby ASA sends additional hellos packets on all monitored interfaces,
including the LAN failover interface, to determine if the active ASA has failed.
E. Both ASAs go to the "unknown" state until the LAN interface becomes operational
again.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=104
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 105
Refer to the exhibit. cisco&c=642-618&q=1 The Cisco ASA is dropping all the traffic that is
sourced from the internet and is destined to any security context inside interface. Which
configuration should be verified on the Cisco ASA to solve this problem?
A. The Cisco ASA has NAT control disabled on each security context.
B. The Cisco ASA is using inside dynamic NAT on each security context.
C. The Cisco ASA is using a unique MAC address on each security context outside
interface.
D. The Cisco ASA is using a unique dynamic routing protocol process on each security
context.
E. The Cisco ASA packet classifier is configured to use the outside physical interface to
assign the packets to each security context.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=105
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 106
Refer to the exhibit. ***Exhibit is Missing*** The Cisco ASA is operating in transparent
mode. What is required on the Cisco ASA so that R1 and R2 can form OSPF neighbor
adjacency?
A. Map the R1 and R2 MAC address in the Cisco ASA MAC address table using the
mac-addresstable static if_name MAC_address command.
B. Configure OSPF stateful packet inspection using MP
F.
C. Apply an EtherType ACL to the inside and outside interfaces to permit OSPF
multicast traffic.
D. Apply an extended ACL to the inside and outside interfaces to permit OSPF
multicast traffic.
E. Enable Advanced Application Inspection using MPF.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=106
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 107
On the Cisco ASA, where are the Layer 5-7 policy maps applied?
A. inside the Layer 3-4 policy map
B. inside the Layer 3-4 class map
C. inside the Layer 5-7 class map
D. inside the Layer 3-4 service policy
E. inside the Layer 5-7 service policy
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=107
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 108
A Cisco ASA requires an additional feature license to enable which feature?
A. transparent firewall
B. cut-thru proxy
C. threat detection
D. botnet traffic filtering
E. TCP normalizer
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=108
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 109
With Cisco ASA active/standby failover, what is needed to enable subsecond failover?
A. Use redundant interfaces.
B. Enable the stateful failover interface between the primary and secondary Cisco ASA.
C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime
to 900 msec.
D. Decrease the default number of monitored interfaces to 1.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=109
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 110
Refer to the exhibit. cisco&c=642-618&q=1 Which two CLI commands result from this
configuration? (Choose two.)
A. aaa authorization network LOCAL
B. aaa authorization network default authentication-server LOCAL
C. aaa authorization command LOCAL
D. aaa authorization exec LOCAL
E. aaa authorization exec authentication-server LOCAL
F. aaa authorization exec authentication-server
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=110
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 111
Refer to the exhibit. ***Exhibit is Missing*** Which command options represent the inside
local address, inside global address, outside local address, and outside global address?
A. 1 = outside local, 2 = outside global, 3 = inside global, 4 = inside local
B. 1 = outside local, 2 = outside global, 3 = inside local, 4 = inside global
C. 1 = outside global, 2 = outside local, 3 = inside global, 4 = inside local
D. 1 = inside local, 2 = inside global, 3 = outside global, 4 = outside local
E. 1 = inside local, 2 = inside global, 3 = outside local, 4 = outside global
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=111
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 112
On Cisco ASA Software Version 8.4.1 and later, when you configure the Cisco ASA appliance
in transparent firewall mode, which configuration is mandatory?
A. NAT
B. static routes
C. ARP inspections
D. EtherType access-list
E. bridge group(s)
F. dynamic MAC address learning
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=112
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 113
Which access rule is disabled automatically after the global access list has been defined and
applied?
A. the implicit global deny ip any any access rule
B. the implicit interface access rule that permits all IP traffic from high security level to
low security level interfaces
C. the implicit global access rule that permits all IP traffic from high security level to
low security level interfaces
D. the implicit deny ip any any rule on the global and interface access lists
E. the implicit permit all IP traffic from high security level to low security level access
rule on the global and interface access lists
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=113
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 114
Which option can cause the interactive setup script not to work on a Cisco ASA 5520 appliance
running software version 8.4.1?
A. The clock has not been set on the Cisco ASA appliance using the clock set
command.
B. The HTTP server has not been enabled using the http server enable command.
C. The domain name has not been configured using the domain-name command.
D. The inside interface IP address has not been configured using the ip address
command.
E. The management 0/0 interface has not been configured as management-only and
assigned a name using the nameif command.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=114
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 115
Which three statements are the default security policy on a Cisco ASA appliance? (Choose
three.)
A. Traffic that goes from a high security level interface to a lower security level
interface is allowed.
B. Outbound TCP and UDP traffic is statefully inspected and returning traffic is
allowed to traverse the Cisco ASA appliance.
C. Traffic that goes from a low security level interface to a higher security level
interface is allowed.
D. Traffic between interfaces with the same security level is allowed by default.
E. Traffic can enter and exit the same interface by default.
F. When the Cisco ASA appliance is accessed for management purposes, the access
must be made to the nearest Cisco ASA interface.
G. Inbound TCP and UDP traffic is statefully inspected and returning traffic is allowed
to traverse the Cisco ASA appliance.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=115
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 116
Which statement about the Cisco ASA 5585-X appliance is true?
A. The IPS SSP must be installed in slot 0 (bottom slot) and the firewall/VPN SSP must
be installed in slot 1 (top slot).
B. The IPS SSP operates independently. The firewall/VPN SSP is not necessary to
support the IPS SSP.
C. The ASA 5585-X appliance supports three types of SSP (the firewall/VPN SSP, the
IPS SSP, and the CSC SSP).
D. The ASA 5585-X appliance with the firewall/VPN SSP-60 has a maximum firewall
throughput of 10 Gb/s.
E. All IPS traffic (except the IPS management interface traffic) must flow through the
firewall/VPN SSP first before it can be redirected to the IPS SSP.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=116
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 117
Which two configurations are the minimum needed to enable EIGRP on the Cisco ASA
appliance? (Choose two.)
A. Enable the EIGRP routing process and specify the AS number.
B. Define the EIGRP default-metric.
C. Configure the EIGRP router I
D.
D. Use the neighbor command(s) to specify the EIGRP neighbors.
E. Use the network command(s) to enable EIGRP on the Cisco ASA interface(s).
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=117
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 118
Which logging mechanism is configured using MPF and allows high-volume traffic-related
events to be exported from the Cisco ASA appliance in a more efficient and scalable manner
compared to classic syslog logging?
A. SDEE
B. Secure SYSLOG
C. XML
D. NSEL
E. SNMPv3
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=118
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 119
Refer to the exhibit. object network insidenatted range 10.1.2.10 10.1.2.20 ! object network
insidenet range 172.16.1.10 172.16.1.100 ! object network outnatted range 192.168.3.100
192.168.3.150 ! nat (inside,outside) after-auto 1 _______________?________________
Which option completes the CLI NAT configuration command to match the Cisco ASDM
NAT configuration?
A. source dynamic insidenet insidenatted destination static Partner-internal-subnets
outnatted
B. source dynamic insidenet insidenatted interface destination static Partner-internalsubnets outnatted
C. source dynamic insidenet insidenatted destination static Partner-internal-subnets
outnatted interface
D. source dynamic insidenet interface destination static Partner-internal-subnets
outnatted
E. source dynamic insidenatted insidenet destination static Partner-internal-subnets
outnatted
F. source dynamic insidenatted interface destination static Partner-internal-subnets
outnatted
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=119
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 120
Refer to the exhibit and to the four HTTP inspection requirements and the Cisco ASA
configuration. Which two statements about why the Cisco ASA configuration is not meeting
the specified HTTP inspection requirements are true? (Choose two.) 1. All outside clients can
use only the HTTP GET method on the protected 10.10.10.10 web server. 2. All outside
clients can access only HTTP URIs starting with the "/myapp" string on the protected
10.10.10.10 web server. 3. The security appliance should drop all requests that contain basic
SQL injection attempts (the string "SELECT" followed by the string "FROM") inside HTTP
arguments. 4. The security appliance should drop all requests that do not conform to the HTTP
protocol.
A. Both instances of match not request should be changed to match request.
B. The policy-map type inspect http MY-HTTP-POLICY configuration is missing the
references to the class maps.
C. The BASIC-SQL-INJECTION regular expression is not configured correctly.
D. The MY-URI regular expression is not configured correctly.
E. The WEB-SERVER-ACL ACL is not configured correctly.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=120
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 121
By default, not all services in the default inspection class are inspected. Which Cisco ASA CLI
command do you use to determine which inspect actions are applied to the default inspection
class?
A. show policy-map global_policy
B. show policy-map inspection_default
C. show class-map inspection_default
D. show class-map default-inspection-traffic
E. show service-policy global
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=121
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 122
Which Cisco ASDM 6.4.1 pane is used to enable the Cisco ASA appliance to perform TCP
checksum verifications?
A. Configuration > Firewall > Service Policy Rules
B. Configuration > Firewall > Advanced > IP Audit > IP Audit Policy
C. Configuration > Firewall > Advanced > IP Audit > IP Audit Signatures
D. Configuration > Firewall > Advanced > TCP options
E. Configuration > Firewall > Objects > TCP Maps
F. Configuration > Firewall > Objects > Inspect Maps
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=122
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 123
DRAG DROP cisco&c=642-618&q=1
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=123
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 124
DRAG DROP cisco&c=642-618&q=1
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=124
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 125
DRAG DROP cisco&c=642-618&q=1
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=125
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 126
DRAG DROP cisco&c=642-618&q=1
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=126
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 127
Scenario: To access Cisco ASDM, click the PC icon in the Topology window, ASDM and
answer the following question as: cisco&c=642-618&q=1 <br> <img
src="http://www.TwPass.com/Exams/images/Cisco/642-618_MaskImg_1(27).png" /> <br>
<img src="http://www.TwPass.com/Exams/images/Cisco/642-618_MaskImg_2(6).png" />
"Which statement about the Cisco ASA configuration is true?
A. All input traffic on the inside interface is denied by the global ACL.
B. All input and output traffic on the outside interface is denied by the global ACL.
C. ICMP echo-request traffic is permitted from the inside to the outside, and ICMP
echo-reply will be permitted from the outside back to inside.
D. HTTP inspection is enabled in the global policy.
E. Traffic between two hosts connected to the same interface is permitted.
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=127
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 128
Scenario: To access Cisco ASDM, click the PC icon in the Topology window, ASDM and
answer the following question as: cisco&c=642-618&q=1 <br> <img
src="http://www.TwPass.com/Exams/images/Cisco/642-618_MaskImg_1(30).png" /> Which
two statements about the running configuration of the Cisco ASA are true? (Choose Two)
A. The auto NAT configuration causes all traffic arriving on the inside interface
destined to any outside destinations to be translated with dynamic port address
transmission using the outside interface IP address.
B. The Cisco ASA is using the Cisco ASDM image from disk1:/asdm-642.bin
C. The Cisco ASA is setup as the DHCP server for hosts that are on the inside and
outside interfaces.
D. SSH and Cisco ASDM access to the Cisco ASA requires AAA authentication using
the LOCAL user database.
E. The Cisco ASA is using a persistent self-signed certified so users can authenticate the
Cisco ASA when accessing it via ASDM
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=128
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 129
Scenario: To access Cisco ASDM, click the PC icon in the Topology window, ASDM and
answer the following question as cisco&c=642-618&q=1 <br> <img
src="http://www.TwPass.com/Exams/images/Cisco/642-618_MaskImg_1(32).png" /> <br>
<img src="http://www.TwPass.com/Exams/images/Cisco/642-618_MaskImg_1.png" /> The
Cisco ASA administration must enable the Cisco ASA to automatically drop suspicious botnet
traffic. After the Cisco ASA administrator entered the initial configuration, the Cisco ASA is
not automatically dropping the suspicious botnet traffic. What else must be enabled in order to
make it work?
A. DNS snooping
B. Botnet traffic filtering on atleast one of the Cisco ASA interface.
C. Periodic download of the dynamic botnet database from Cisco.
D. DNS inspection in the global policy.
E. Manual botnet black and white lists. The following question as:
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=129
-------------------------------------------------------------------------------------------------------------------------------------
QUESTION: 130
CORRECT TEXT Instructions This item contains a simulation task. Refer to the scenario and
topology before you start. When you are ready, open the Topology window and click the
required device to open the GUI window on a virtual terminal. Scroll to view all parts of the
Cisco ASDM screens. Scenario Click the PC icon to launch Cisco ASDM. You have access to
a Cisco ASA 5505 via Cisco ASDM. Use Cisco ASDM to edit the Cisco ASA 5505
configurations to enable Advanced HTTP Application inspection by completing the following
tasks: 1. Enable HTTP inspection globally on the Cisco ASA 2. Create a new HTTP inspect
Map named: http-inspect-map to: a. Enable the dropping of any HTTP connections that
encounter HTTP protocol violations b. Enable the dropping and logging of any HTTP
connections when the content type in the HTTP response does not match one of the MIME
types in the accept filed of the HTTP request Note: In the simulation, you will not be able to
test the HTTP inspection policy after you complete your configuration. Not all Cisco ASDM
screens are fully functional. After you complete the configuration, you do not need to save the
running configuration to the start-up config, you will not be able to test the HTTP inspection
policy that is created after you complete your configuration. Also not all the ASDM screens are
filly functional. cisco&c=642-618&q=1 <br> <img
src="http://www.TwPass.com/Exams/images/Cisco/642-618_MaskImg_1(35).png" /> <br>
<img src="http://www.TwPass.com/Exams/images/Cisco/642-618_MaskImg_1(36).png" />
Answer: http://www.twpass.com/twpass.com/exam.aspx?ecode=642-618&qno=130
-------------------------------------------------------------------------------------------------------------------------------------
TwPass Certification Exam Features;
-
TwPass offers over 2500 Certification exams for professionals.
More than 98,800 Satisfied Customers Worldwide.
Average 99.8% Success Rate.
Over 120 Global Certification Vendors Covered.
Services of Professional & Certified Experts available via support.
Free 90 days updates to match real exam scenarios.
Instant Download Access! No Setup required.
Price as low as $19, which is 80% more cost effective than others.
Verified answers researched by industry experts.
Study Material updated on regular basis.
Questions / Answers are downloadable in PDF format.
Mobile Device Supported (Android, iPhone, iPod, iPad)
No authorization code required to open exam.
Portable anywhere.
Guaranteed Success.
Fast, helpful support 24x7.
View list of All Exams (AE);
http://www.twpass.com/twpass.com/vendors.aspx
Download Any Certication Exam DEMO.
http://www.twpass.com/twpass.com/vendors.aspx
To purchase Full version of exam click below;
http://www.TwPass.com/
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement