Important Info — Cisco 642-618 new study guides are designed to help you pass the exam in a short time.Everything you need can be found in the new version of Cisco 642-618 exam dumps. Visit Flydumps.com to get more valid information.
Exam A
QUESTION 1
Where in the Cisco ASA appliance CLI are Active/Active Failover configuration parameters configured?
A. admin context
B. customer context
C. system execution space
D. within the system execution space and admin context
E. within each customer context and admin context
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 2
With Cisco ASA active/active or active/standby stateful failover, which state information or table is not passed between the active and standby Cisco ASA by default?
A. NAT translation table
B. TCP connection states
C. UDP connection states
D. ARP table
E. HTTP connection table
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 3
Which Cisco ASA object group type offers the most flexibility for grouping different services together based on arbitrary protocols?
A. network
B. ICMP
C. protocol
D. TCP-UDP
E. service
Correct Answer: E Section: (none) Explanation
Explanation/Reference: QUESTION 4
Using the default modular policy framework global configuration on the Cisco ASA, how does the Cisco ASA process outbound HTTP traffic?
A. HTTP flows are not permitted through the Cisco ASA, because HTTP is not inspected by default.
B. HTTP flows match the inspection_default traffic class and are inspected using HTTP inspection.
C. HTTP outbound traffic is permitted, but all return HTTP traffic is denied.
D. HTTP flows are statefully inspected using TCP stateful inspection
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 5
Which flags should the show conn command normally show after a TCP connection has successfully been established from an inside host to an outside host?
A. aB
B. saA
C. sIO
D. AIO
E. UIO
F. F
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 6
Which Cisco ASA show command groups the xlates and connections information together in its output?
A. show conn
B. show conn detail
C. show xlate
D. show asp
E. show local-host
Correct Answer: E Section: (none) Explanation
Explanation/Reference: QUESTION 7
When a Cisco ASA is configured in multiple context mode, within which configuration are the interfaces allocated to the security contexts?
A. each security context
B. system configuration
C. admin context (context with the “admin” role)
D. context startup configuration file (.cfg file)
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 8
When troubleshooting redundant interface operations on the Cisco ASA, which configuration should be verified?
A. The nameif configuration on the member physical interfaces are identical.
B. The MAC address configuration on the member physical interfaces are identical.
C. The active interface is sending periodic hellos to the standby interface.
D. The IP address configuration on the logical redundant interface is correct.
E. The duplex and speed configuration on the logical redundant interface are correct.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 9
Which statement about the Cisco ASA 5505 configuration is true?
A. The IP address is configured under the physical interface (ethernet 0/0 to ethernet 0/7).
B. With the default factory configuration, the management interface (management 0/0) is configured with the 192.168.1.1/24 IP address.
C. With the default factory configuration, Cisco ASDM access is not enabled.
D. The switchport access vlan command can be used to assign the VLAN to each physical interface (ethernet 0/0 to ethernet 0/7).
E. With the default factory configuration, both the inside and outside interface will use DHCP to acquire its IP address.
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 10
What is the correct regular expression to match HTTP requests whose URI is / welcome.jpg?
A. ^/welcome.jpg
B. ^/welcome\.jpg
C. ^*/welcome\.jpg
D. ^\/welcome\.jpg
E. ^\*/welcome\.jpg
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 11
Refer to the exhibit.
A Cisco ASA in transparent firewall mode generates the log messages seen in the exhibit. What should be configured on the Cisco ASA to allow the denied traffic?
A. extended ACL on the outside and inside interface to permit the multicast traffic
B. EtherType ACL on the outside and inside interface to permit the multicast traffic
C. stateful packet inspection
D. static ARP mapping
E. static MAC address mapping
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 12
With active/standby failover, what happens if the standby Cisco ASA does not receive three consecutive hello messages from the active Cisco ASA on the LAN failover interface?
A. The standby ASA immediately becomes the active ASA.
B. The standby ASA eventually becomes the active ASA after three times the hold-down timer interval expires.
C. The standby ASA runs network activity tests, including ARP and ping, to determine if the active ASA has failed.
D. The standby ASA sends additional hellos packets on all monitored interfaces, including the LAN failover interface, to determine if the active ASA has failed.
E. Both ASAs go to the “unknown” state until the LAN interface becomes operational again.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 13
Refer to the exhibit.
The Cisco ASA is dropping all the traffic that is sourced from the internet and is destined to any security context inside interface. Which configuration should be verified on the Cisco ASA to solve this problem?
A. The Cisco ASA has NAT control disabled on each security context.
B. The Cisco ASA is using inside dynamic NAT on each security context.
C. The Cisco ASA is using a unique MAC address on each security context outside interface.
D. The Cisco ASA is using a unique dynamic routing protocol process on each security context
E. The Cisco ASA packet classifier is configured to use the outside physical interface to assign the packets to each security context.
Correct Answer: C Section: (none) Explanation
Explanation/Reference: QUESTION 14
Refer to the exhibit.
The Cisco ASA is operating in transparent mode. What is required on the Cisco ASA so that R1 and R2 can form OSPF neighbor adjacency?
A. Map the R1 and R2 MAC address in the Cisco ASA MAC address table using the mac-addresstable static if_name MAC_address command.
B. Configure OSPF stateful packet inspection using MPF.
C. Apply an EtherType ACL to the inside and outside interfaces to permit OSPF multicast traffic.
D. Apply an extended ACL to the inside and outside interfaces to permit OSPF multicast traffic.
E. Enable Advanced Application Inspection using MPF.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 15
On the Cisco ASA, where are the Layer 5-7 policy maps applied?
A. inside the Layer 3-4 policy map
B. inside the Layer 3-4 class map
C. inside the Layer 5-7 class map
D. inside the Layer 3-4 service policy
E. inside the Layer 5-7 service policy
Correct Answer: A Section: (none) Explanation
Explanation/Reference: QUESTION 16
A Cisco ASA requires an additional feature license to enable which feature?
A. transparent firewall
B. cut-thru proxy
C. threat detection
D. botnet traffic filtering
E. TCP normalizer
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 17
With Cisco ASA active/standby failover, what is needed to enable subsecond failover?
A. Use redundant interfaces.
B. Enable the stateful failover interface between the primary and secondary Cisco ASA.
C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec.
D. Decrease the default number of monitored interfaces to 1.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 18
Refer to the exhibit.
Which command options represent the inside local address, inside global address,
outside local
address, and outside global address?
A. 1 = outside local, 2 = outside global, 3 = inside global, 4 = inside local
B. 1 = outside local, 2 = outside global, 3 = inside local, 4 = inside global
C. 1 = outside global, 2 = outside local, 3 = inside global, 4 = inside local
D. 1 = inside local, 2 = inside global, 3 = outside global, 4 = outside local
E. 1 = inside local, 2 = inside global, 3 = outside local, 4 = outside global
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 19
On Cisco ASA Software Version 8.4.1 and later, when you configure the Cisco ASA appliance in transparent firewall mode, which configuration is mandatory?
A. NAT
B. static routes
C. ARP inspections
D. EtherType access-list
E. bridge group(s)
F. dynamic MAC address learning
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 20
Which access rule is disabled automatically after the global access list has been defined and applied?
A. the implicit global deny ip any any access rule
B. the implicit interface access rule that permits all IP traffic from high security level to low security level interfaces
C. the implicit global access rule that permits all IP traffic from high security level to low security level interfaces
D. the implicit deny ip any any rule on the global and interface access lists
E. the implicit permit all IP traffic from high security level to low security level access rule on the global and interface access lists
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 21
Which option can cause the interactive setup script not to work on a Cisco ASA 5520 appliance running software version 8.4.1?
A. The clock has not been set on the Cisco ASA appliance using the clock set command.
B. The HTTP server has not been enabled using the http server enable command.
C. The domain name has not been configured using the domain-name command.
D. The inside interface IP address has not been configured using the ip address command.
E. The management 0/0 interface has not been configured as management-only and assigned a name using the nameif command.
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 22
Which statement about the Cisco ASA 5585-X appliance is true?
A. The IPS SSP must be installed in slot 0 (bottom slot) and the firewall/VPN SSP must be installed in slot 1 (top slot).
B. The IPS SSP operates independently. The firewall/VPN SSP is not necessary to support the IPS SSP.
C. The ASA 5585-X appliance supports three types of SSP (the firewall/VPN SSP, the IPS SSP,and the CSC SSP).
D. The ASA 5585-X appliance with the firewall/VPN SSP-60 has a maximum firewall throughput of 10 Gb/s.
E. All IPS traffic (except the IPS management interface traffic) must flow through the firewall/VPN SSP first before it can be redirected to the IPS SSP.
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 23
Which logging mechanism is configured using MPF and allows high-volume traffic-related events to be exported from the Cisco ASA appliance in a more efficient and scalable manner compared to classic syslog logging?
A. SDEE
B. Secure SYSLOG
C. XML
D. NSEL
E. SNMPv3
Correct Answer: D Section: (none)
Explanation Explanation/Reference:
QUESTION 24
Refer to the exhibit.
Which option completes the CLI NAT configuration command to match the Cisco ASDM NAT configuration?
object network insidenatted range 10.1.2.10 10.1.2.20 ! object network insidenet range 172.16.1.10 172.16.1.100 ! object network outnatted range 192.168.3.100 192.168.3.150 ! nat (inside,outside) after-auto 1 _______________?________________
A. source dynamic insidenet insidenatted destination static Partner-internal-subnets outnatted
B. source dynamic insidenet insidenatted interface destination static Partner-internal-subnets outnatted
C. source dynamic insidenet insidenatted destination static Partner-internal-subnets outnatted interface
D. source dynamic insidenet interface destination static Partner-internal-subnets outnatted
E. source dynamic insidenatted insidenet destination static Partner-internal-subnets outnatted
F. source dynamic insidenatted interface destination static Partner-internal-subnets outnatted
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 25
By default, not all services in the default inspection class are inspected. Which Cisco ASA CLI command do you use to determine which inspect actions are applied to the default inspection class?
A. show policy-map global_policy
B. show policy-map inspection_default
C. show class-map inspection_default
D. show class-map default-inspection-traffic
E. show service-policy global
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 26
Which Cisco ASDM 6.4.1 pane is used to enable the Cisco ASA appliance to perform TCP checksum verifications?
A. Configuration > Firewall > Service Policy Rules
B. Configuration > Firewall > Advanced > IP Audit > IP Audit Policy
C. Configuration > Firewall > Advanced > IP Audit > IP Audit Signatures
D. Configuration > Firewall > Advanced > TCP options
E. Configuration > Firewall > Objects > TCP Maps
F. Configuration > Firewall > Objects > Inspect Maps
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 27
Refer to the exhibit.
Which two configurations are required on the Cisco ASAs so that the return traffic from the
10.10.10.100 outside server back to the 10.20.10.100 inside client can be rerouted from the Active Ctx B context in ASA Two to the Active Ctx A context in ASA One? (Choose two.)
A. stateful active/active failover
B. dynamic routing (EIGRP or OSPF or RIP)
C. ASR-group
D. no NAT-control
E. policy-based routing
F. TCP/UDP connections replication
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
QUESTION 28
Refer to the exhibit.
Which two statements about the class maps are true? (Choose two.)
A. These class maps are referenced within the global policy by default for HTTP inspection.
B. These class maps are all type inspect http class maps.
C. These class maps classify traffic using regular expressions.
D. These class maps are Layer 3/4 class maps.
E. These class maps are used within the inspection_default class map for matching the default inspection traffic.
Correct Answer: BC Section: (none) Explanation
Explanation/Reference:
QUESTION 29
Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only the debug output to syslog? (Choose three.)
A. logging list test message 711001
B. logging debug-trace
C. logging trap debugging
D. logging message 711001 level 7
E. logging trap test
Correct Answer: ABE Section: (none) Explanation
Explanation/Reference: QUESTION 30
Which five options are valid logging destinations for the Cisco ASA? (Choose five.)
A. AAA server
B. Cisco ASDM
C. buffer
D. SNMP traps
E. LDAP server
F. email
G. TCP-based secure syslog server
Correct Answer: BCDFG Section: (none) Explanation
Explanation/Reference: Exam B
QUESTION 1
On the Cisco ASA, tcp-map can be applied to a traffic class using which MPF CLI configuration command?
A. inspect
B. sysopt connection
C. tcp-options
D. parameters
E. set connection advanced-options
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
QUESTION 2
By default, which traffic can pass through a Cisco ASA that is operating in transparent mode without explicitly allowing it using an ACL?
A. ARP
B. BPDU
C. CDP
D. OSPF multicasts
E. DHCP
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 3
When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level will produce the most messages?
A. notifications
B. informational
C. alerts
D. emergencies
E. errors
F. debugging
Correct Answer: F Section: (none) Explanation
Explanation/Reference:
QUESTION 4
Refer to the Exhibit: A. The output is showing normal activity to the inside 10.1.1.50 web server.
B. Many HTTP connections to the 10.1.1.50 web server have successfully completed the threeway TCP handshake.
C. Many embryonic connections are made from random sources to the 10.1.1.50 web server.
D. The 10.1.1.50 host is triggering SYN flood attacks against random hosts on the outside.
E. The 10.1.1.50 web server is terminating all the incoming HTTP connections.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 5
What mechanism is used on the Cisco ASA to map IP addresses to domain names that are contained in the botnet traffic filter dynamic database or local blacklist?
A. HTTP inspection
B. DNS inspection and snooping
C. WebACL
D. dynamic botnet database fetches (updates)
E. static blacklist
F. static whitelist
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 6
Refer to the exhibit:
Which statement about the policy map named test is true?
A. Only HTTP inspection will be applied to the TCP port 21 traffic.
B. Only FTP inspection will be applied to the TCP port 21 traffic.
C. both HTTP and FTP inspections will be applied to the TCP port 21 traffic.
D. No inspection will be applied to the TCP port 21 traffic, because the http class map configuration conflicts with the ftp class map.
E. All FTP traffic will be denied, because the FTP traffic will fail the HTTP inspection.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 7
Refer to the exhibit.
Which Cisco ASA feature can be configured using this Cisco ASDM screen?
A. Cisco ASA command authorization using TACACS+
B. AAA accounting to track serial, ssh, and telnet connections to the Cisco ASA
C. Exec Shell access authorization using AAA
D. cut-thru proxy
E. AAA authentication policy for Cisco ASDM access
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 8
Refer to the exhibit.
Which command enables the stateful failover option?
A. failover link MYFAILOVER GigabitEthernet0/2
B. failover lan interface MYFAILOVER GigabitEthernet0/2
C. failover interface ip MYFAILOVER 172.16.5.1 255.255.255.0 standby 172.16.5.10
D. preempt
E. failover group 1 primary
F. failover lan unit primary
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 9
In which type of environment is the Cisco ASA MPF set connection advanced-options tcp-statebypass option the most useful?
A. SIP proxy
B. WCCP
C. BGP peering through the Cisco ASA
D. asymmetric traffic flow
E. transparent firewall
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 10
Refer to the exhibit.
Which statement about the MPF configuration is true?
A. Any non-RFC complaint FTP traffic will go through additional deep FTP packet inspections.
B. FTP traffic must conform to the FTP RFC, and the FTP connection will be dropped if the PUT command is used.
C. Deep FTP packet inspections will be performed on all TCP inbound and outbound traffic on the outside interface.
D. The ftp-pm policy-map type should be type inspect.
E. Due to a configuration error, all FTP connections through the outside interface will not be permitted.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 11
Refer to the exhibit.
What is a reasonable conclusion?
A. The maximum number of TCP connections that the 10.1.1.99 host can establish will be 146608.
B. All the connections from the 10.1.1.99 have completed the TCP three-way handshake.
C. The 10.1.1.99 hosts are generating a vast number of outgoing connections, probably due to a virus.
D. The 10.1.1.99 host on the inside is under a SYN flood attack.
E. The 10.1.1.99 host operations on the inside look normal.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 12
By default, how does the Cisco ASA authenticate itself to the Cisco ASDM users?
A. The administrator validates the Cisco ASA by examining the factory built-in identity certificate thumbprint of the Cisco ASA.
B. The Cisco ASA automatically creates and uses a persistent self-signed X.509 certificate to authenticate itself to the administrator.
C. The Cisco ASA automatically creates a self-signed X.509 certificate on each reboot to authenticate itself to the administrator.
D. The Cisco ASA and the administrator use a mutual password to authenticate each other.
E. The Cisco ASA authenticates itself to the administrator using a one-time password.
Correct Answer: C Section: (none) Explanation Explanation/Reference:
QUESTION 13
When will a Cisco ASA that is operating in transparent firewall mode perform a routing table lookup instead of a MAC address table lookup to determine the outgoing interface of a packet?
A. if multiple context mode is configured
B. if the destination MAC address is unknown
C. if the destination is more than a hop away from the Cisco ASA
D. if NAT is configured
E. if dynamic ARP inspection is configured
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 14
Which flag shown in the output of the show conn command is used to indicate that an initial SYN packet is from the outside (lower security-level interface)?
A. B
B. D
C. b
D. A
E. a
F. i
G. I
H. O
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 15
Which statement about the default ACL logging behavior of the Cisco ASA is true?
A. The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured.
B. The Cisco ASA generates system message 106023 for each packet that matched an ACE.
C. The Cisco ASA generates system message 106100 only for the first packet that matched an ACE.
D. The Cisco ASA generates system message 106100 for each packet that matched an ACE.
E. No ACL logging is enabled by default.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 16
Which Cisco ASA feature enables the ASA to do these two things? 1) Act as a proxy for the server and generate a SYN-ACK response to the client SYN request. 2) When the Cisco ASA receives an ACK back from the client, the Cisco ASA authenticates the client and allows the connection to the server.
A. TCP normalizer
B. TCP state bypass
C. TCP intercept
D. basic threat detection
E. advanced threat detection
F. botnet traffic filter
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 17
Which option is not supported when the Cisco ASA is operating in transparent mode and also is using multiple security contexts?
A. NAT
B. shared interface
C. security context resource management
D. Layer 7 inspections
E. failover
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 18
Refer to the exhibit.
What does the * next to the CTX security context indicate?
A. The CTX context is the active context on the Cisco ASA.
B. The CTX context is the standby context on the Cisco ASA.
C. The CTX context contains the system configurations.
D. The CTX context has the admin role.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
QUESTION 19
Which Cisco ASA feature is implemented by the ip verify reverse-path interface interface_name command?
A. uRPF
B. TCP intercept
C. botnet traffic filter
D. scanning threat detection
E. IPS (IP audit)
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 20
In one custom dynamic application, the inside client connects to an outside server using TCP port 4444 and negotiates return client traffic in the port range of 5000 to 5500. The server then starts streaming UDP data to the client on the negotiated port in the specified range. Which Cisco ASA feature or command supports this custom dynamic application?
A. TCP normalizer
B. TCP intercept
C. ip verify command
D. established command
E. tcp-map and tcp-options commands
F. set connection advanced-options command
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Whenever Cisco candidates take a tour of sample questions of Cisco 642-618 exam they find their training to be matchless to great extent. Passing the Cisco 642-618 on your own can be a difficult task,but with Cisco 642-618 preparation products, many candidates who appeared online passed Cisco 642-618 easily.