The Cisco contains more than 400 practice questions for the Cisco 642-618 exams, including simulation-based questions. Also contains hands-on exercises and a customized copy of the Cisco 642-618 exams network simulation software.
QUESTION 51
On Cisco ASA Software Version 8.4.1 and later, which three EtherChannel modes are supported? (Choose three.)
A. active mode, which initiates LACP negotiation
B. passive mode, which responds to LACP negotiation from the peer
C. auto mode, which automatically responds to either PAgP or LACP negotiation from the peer
D. on mode, which enables static port-channel mode
E. off mode, which disables dynamic negotiation
Correct Answer: ABD
QUESTION 52
On Cisco ASA Software Version 8.4 and later, which two options show the maximum number of active and standby ports that an EtherChannel can have? (Choose two.)
A. 2 active ports
B. 4 active ports
C. 6 active ports
D. 8 active ports
E. 2 standby ports
F. 4 standby ports
G. 6 standby ports
H. 8 standby ports
Correct Answer: DH
QUESTION 53
Which additional active/standby failover feature was introduced in Cisco ASA Software Version 8.4?
A. HTTP stateful failover
B. OSPF and EIGRP routing protocol stateful failover
C. SSL VPN stateful failover
D. IPsec VPN stateful failover
E. NAT stateful failover
Correct Answer: B
QUESTION 54
Where in the Cisco ASA appliance CLI are Active/Active Failover configuration parameters configured?
A. admin context
B. customer context
C. system execution space
D. within the system execution space and admin context
E. within each customer context and admin context
Correct Answer: C
QUESTION 55
When enabling a Cisco ASA to send syslog messages to a syslog server, which syslog level will produce the most messages?
A. notifications
B. informational
C. alerts
D. emergencies
E. errors
F. debugging
Correct Answer: F
QUESTION 56
Refer to the exhibit.
Which two configurations are required on the Cisco ASAs so that the return traffic from the 10.10.10.100 outside server back to the 10.20.10.100 inside client can be rerouted from the Active Ctx B context in ASA Two to the Active Ctx A context in ASA One? (Choose two.)
A. stateful active/active failover
B. dynamic routing (EIGRP or OSPF or RIP)
C. ASR-group
D. no NAT-control
E. policy-based routing
F. TCP/UDP connections replication
Correct Answer: AC
QUESTION 57
Refer to the exhibit.
Which Cisco ASA feature can be configured using this Cisco ASDM screen?
A. Cisco ASA command authorization using TACACS+
B. AAA accounting to track serial, ssh, and telnet connections to the Cisco ASA
C. Exec Shell access authorization using AAA
D. cut-thru proxy
E. AAA authentication policy for Cisco ASDM access
Correct Answer: D
QUESTION 58
Refer to the exhibit.
A. These class maps are referenced within the global policy by default for HTTP inspection.
B. These class maps are all type inspect http class maps.
C. These class maps classify traffic using regular expressions.
D. These class maps are Layer 3/4 class maps.
E. These class maps are used within the inspection_default class map for matching the default inspection traffic.
Correct Answer: BC
QUESTION 59
Refer to the exhibit.
***Exhibit is Missing***
Which statement about the MPF configuration is true?
A. Any non-RFC compliant FTP traffic will go through additional deep FTP packet inspections.
B. FTP traffic must conform to the FTP RFC, and the FTP connection will be dropped if the PUT command is used.
C. Deep FTP packet inspections will be performed on all TCP inbound and outbound traffic on the outside interface.
D. The ftp-pm policy-map type should be type inspect.
E. Due to a configuration error, all FTP connections through the outside interface will not be permitted.
Correct Answer: B
QUESTION 60
Refer to the exhibit.
What is a reasonable conclusion?
A. The maximum number of TCP connections that the 10.1.1.99 host can establish will be 146608.
B. All the connections from the 10.1.1.99 have completed the TCP three-way handshake.
C. The 10.1.1.99 hosts are generating a vast number of outgoing connections, probably due to a virus.
D. The 10.1.1.99 host on the inside is under a SYN flood attack.
E. The 10.1.1.99 host operations on the inside look normal.
Correct Answer: C
QUESTION 61
Which five options are valid logging destinations for the Cisco ASA? (Choose five.)
A. AAA server
B. Cisco ASDM
C. buffer
D. SNMP traps
E. LDAP server
F. email
G. TCP-based secure syslog server
Correct Answer: BCDFG
QUESTION 62
Which flag shown in the output of the show conn command is used to indicate that an initial SYN packet is from the outside (lower security-level interface)?
A. B
B. D
C. b
D. A
E. a
F. i
G. I
H. O
Correct Answer: A
QUESTION 63
Which statement about the default ACL logging behavior of the Cisco ASA is true?
A. The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured.
B. The Cisco ASA generates system message 106023 for each packet that matched an ACE.
C. The Cisco ASA generates system message 106100 only for the first packet that matched an ACE.
D. The Cisco ASA generates system message 106100 for each packet that matched an ACE.
E. No ACL logging is enabled by default.
Correct Answer: A
QUESTION 64
Which Cisco ASA feature enables the ASA to do these two things?
1) Act as a proxy for the server and generate a SYN-ACK response to the client SYN request.
2) When the Cisco ASA receives an ACK back from the client, the Cisco ASA authenticates the client and allows the connection to the server.
A. TCP normalizer
B. TCP state bypass
C. TCP intercept
D. basic threat detection
E. advanced threat detection
F. botnet traffic filter
Correct Answer: C
QUESTION 65
Which option is not supported when the Cisco ASA is operating in transparent mode and also is using multiple security contexts?
A. NAT
B. shared interface
C. security context resource management
D. Layer 7 inspections
E. failover
Correct Answer: B
QUESTION 66
Which two statements about Cisco ASA redundant interface configuration are true? (Choose two.)
A. Each redundant interface can have up to four physical interfaces as its member.
B. When the standby interface becomes active, the Cisco ASA sends gratuitous ARP out on the standby interface.
C. Interface duplex and speed configurations are configured under the redundant interface.
D. Redundant interfaces use MAC address-based load balancing to load share traffic across multiple physical interfaces.
E. Each Cisco ASA supports up to eight redundant interfaces.
Correct Answer: BE
QUESTION 67
The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three Cisco ASA options will not support these requirements? (Choose three.)
A. transparent mode
B. multiple context mode
C. active/standby failover mode
D. active/active failover mode
E. routed mode
F. no NAT-control
Correct Answer: ABD
QUESTION 68
Refer to the exhibit.
Which two functions will the Set ASDM Defined User Roles perform? (Choose two.)
A. enables role based privilege levels to most Cisco ASA commands
B. enables the Cisco ASDM user to assign privilege levels manually to individual commands or groups of commands
C. enables command authorization with a remote TACACS+ server
D. enables three predefined user account privileges (Admin=Priv 15, Read Only=Priv 5, Monitor Only=Priv 3)
Correct Answer: AD
QUESTION 69
Which two statements about Cisco ASA failover troubleshooting are true? (Choose two.)
A. With active/active failover, failover link troubleshooting should be done in the system execution space.
B. With active/active failover, ASR groups must be enabled.
C. With active/active failover, user data passing interfaces troubleshooting should be done within the context execution space.
D. The failed interface threshold is set to 1. Using the show monitor-interface command, if one of the monitored interfaces on both the primary and secondary Cisco ASA appliances is in the unknown state, a failover should occur.
E. Syslog level 1 messages will be generated on the standby unit only if the logging standby command is used.
Correct Answer: AC
QUESTION 70
A Cisco ASA is operating in transparent firewall mode, but the MAC address table of the Cisco ASA is always empty, which causes connectivity issues. What should you verify to troubleshoot this issue?
A. if ARP inspection has been disabled
B. if MAC learning has been disabled
C. if NAT has been disabled
D. if ARP traffic is explicitly allowed using EtherType ACL
E. if BPDU traffic is explicitly allowed using EtherType ACL
Correct Answer: B
QUESTION 71
When active/active failover is implemented on the Cisco ASA, how many failover groups are
A. 1
B. 2
C. 1 failover group per configured security context
D. 2 failover groups per configured security context
Correct Answer: B
QUESTION 72
Refer to the exhibit.
What is the resulting CLI command?
A. match request uri regex _default_GoToMyPC-tunnel
   drop-connection log
B. match regex _default_GoToMyPC-tunnel
   drop-connection log
C. class _default_GoToMyPC-tunnel
   drop-connection log
D. match class-map _default_GoToMyPC-tunnel
   drop-connection log
Correct Answer: C
QUESTION 73
When troubleshooting a Cisco ASA that is operating in multiple context mode, which two verification steps should be performed if a user context does not pass user traffic? (Choose two.)
A. Verify the interface status in the system execution space.
B. Verify the mac-address-table on the Cisco ASA.
C. Verify that unique MAC addresses are configured if the contexts are using nonshared interfaces.
D. Verify the interface status in the user context.
E. Verify the resource classes configuration by accessing the admin context.
Correct Answer: AD
QUESTION 74
What is the first configuration step when using Cisco ASDM to configure a new Layer 3/4 inspection policy on the Cisco ASA?
A. Create a new class map.
B. Create a new policy map and apply actions to the traffic classes.
C. Create a new service policy rule.
D. Create the ACLs to be referenced by any of the new class maps.
E. Disable the default global inspection policy.
F. Create a new firewall access rule.
Correct Answer: C
QUESTION 75
A. security contexts
B. stateless active/standby failover
C. transparent firewall
D. threat detection
E. traffic shaping
Correct Answer: A
QUESTION 76
Which statement about SNMP support on the Cisco ASA appliance is true?
A. The Cisco ASA appliance supports only SNMPv1 or SNMPv2c.
B. The Cisco ASA appliance supports read-only and read-write access.
C. The Cisco ASA appliance supports three built-in SNMPv3 groups in Cisco ASDM: Authentication and Encryption, Authentication Only, and No Authentication, No Encryption.
D. The Cisco ASA appliance can send SNMP traps to the network management station only using SNMPv2.
Correct Answer: C
QUESTION 77
On Cisco ASA Software Version 8.4.1, which four inspections are enabled by default in the global policy? (Choose four.)
A. HTTP
B. ESMTP
C. SKINNY
D. ICMP
E. TFTP
F. SIP
Correct Answer: BCEF
QUESTION 78
Which two statements about traffic shaping capability on the Cisco ASA appliance are true? (Choose two.)
A. Traffic shaping can be applied to all outgoing traffic on a physical interface or, in the case of the Cisco ASA 5505 appliance, on a VLAN.
B. Traffic shaping can be applied in the input or output direction.
C. Traffic shaping can cause jitter and delay.
D. You can configure traffic shaping and priority queuing on the same interface.
E. With traffic shaping, when traffic exceeds the maximum rate, the security appliance drops the excess traffic.
Correct Answer: AC
QUESTION 79
Which command option/keyword in Cisco ASA 8.3 NAT configurations makes the NAT policy interface independent?
A. interface
B. all
C. auto
D. global
E. any
Correct Answer: E
QUESTION 80
Which statement about access list operations on Cisco ASA Software Version 8.3 and later is true?
A. If the global and interface access lists are both configured, the global access list is matched first before the interface access lists.
B. Interface and global access lists can be applied in the input or output direction.
C. In the inbound access list on the outside interface that permits traffic to the inside interface, the destination IP address referenced is always the “mapped-ip” (translated) IP address of the inside host.
D. When adding an access list entry in the global access list using the Cisco ASDM Add Access Rule window, choosing “any” for Interface applies the access list entry globally.
Correct Answer: D
QUESTION 81
Refer to the exhibit.
***Exhibit is Missing***
Which three CLI commands are generated by these Cisco ASDM configurations? (Choose three.)
A. object-group network testobj
B. object network testobj
C. ip address 10.1.1.0 255.255.255.0
D. subnet 10.1.1.0 255.255.255.0
E. nat (any,any) static 192.168.1.0 dns nat (outside,inside) static 192.168.1.0 dns
F. nat (inside,outside) static 192.168.1.0 dns nat (inside,any) static 192.168.1.0 dns
G. nat (any,inside) static 192.168.1.0 dns
Correct Answer: BDE
QUESTION 82
A Cisco ASA appliance running software version 8.4.1 has an active botnet traffic filter license with 1 month left on the time-based license. Which option describes the result if a new botnet traffic filter with a 1 year time-based license is activated also?
A. The time-based license for the botnet traffic filter is valid only for another month.
B. The time-based license for the botnet traffic filter is valid for another 12 months.
C. The time-based license for the botnet traffic filter is valid for another 13 months.
D. The new 1 year time-based license for the botnet traffic filter cannot be activated until the current botnet traffic filter license expires in a month.
Correct Answer: C
QUESTION 83
How many interfaces can a Cisco ASA bridge group support and how many bridge groups can a Cisco ASA appliance support?
A. up to 2 interfaces per bridge group and up to 4 bridge groups per Cisco ASA appliance
B. up to 2 interfaces per bridge group and up to 8 bridge groups per Cisco ASA appliance
C. up to 4 interfaces per bridge group and up to 4 bridge groups per Cisco ASA appliance
D. up to 4 interfaces per bridge group and up to 8 bridge groups per Cisco ASA appliance
E. up to 8 interfaces per bridge group and up to 4 bridge groups per Cisco ASA appliance
F. up to 8 interfaces per bridge group and up to 8 bridge groups per Cisco ASA appliance
Correct Answer: D
QUESTION 84
On the Cisco ASA Software Version 8.3 and later, which type of NAT configuration can be used to translate the source and destination IP addresses of the packet?
A. auto NAT
B. object NAT
C. one-to-one NAT
D. many-to-one NAT
E. manual NAT
F. identity NAT
Correct Answer:
QUESTION 85
Refer to the exhibit.
***Exhibit is Missing***
Which option describes the problem with this botnet traffic filter configuration on the Cisco ASA appliance?
A. The traffic classification ACL is not defined.
B. The use of the dynamic database is not enabled.
C. DNS snooping is not enabled.
D. The threat level range for the traffic to be dropped is not defined.
E. The static black and white list entries should use domain name instead of IP address.
Correct Answer: C