We are committed to providing you with the latest Cisco 642-618 exam preparation products. If you want to pass the Cisco 642-618 exam, read the latest Cisco 642-618 material on Flydumps.
QUESTION 86
Which option lists the main tasks in the correct order to configure a new Layer 3 and 4 inspection policy on the Cisco ASA appliance using the Cisco ASDM Configuration > Firewall > Service Policy Rules pane?
A. 1. Create a class map to identify which traffic to match.
   2. Create a policy map and apply action(s) to the traffic class(es).
   3. Apply the policy map to an interface or globally using a service policy.
B. 1. Create a service policy rule.
   2. Identify which traffic to match.
   3. Apply action(s) to the traffic.
C. 1. Create a Layer 3 and 4 type inspect policy map.
   2. Create class map(s) within the policy map to identify which traffic to match.
   3. Apply the policy map to an interface or globally using a service policy.
D. 1. Identify which traffic to match.
   2. Apply action(s) to the traffic.
   3. Create a policy map.
   4. Apply the policy map to an interface or globally using a service policy.
Correct Answer: B
QUESTION 87
Which other match command is used with the match flow ip destination-address command within
A. match tunnel-group
B. match access-list
C. match default-inspection-traffic
D. match port
E. match dscp
Correct Answer: A
QUESTION 88
Which configuration step (if any) is necessary to enable FTP inspection on TCP port 2121?
A. None. FTP inspection is enabled by default using the global policy.
B. Create a new class map to match TCP port 2121, then edit the global policy to inspect FTP for traffic matched by the new class map.
C. Edit default-inspection-traffic to match FTP on port 2121.
D. Add a new traffic class using the match protocol FTP option within the inspect_default class map.
Correct Answer: B
QUESTION 89
With Cisco ASA active/active or active/standby stateful failover, which state information or table is not passed between the active and standby Cisco ASA by default?
A. NAT translation table
B. TCP connection states
C. UDP connection states
D. ARP table
E. HTTP connection table
Correct Answer:
QUESTION 90
Which Cisco ASA object group type offers the most flexibility for grouping different services together based on arbitrary protocols?
A. network
B. ICMP
C. protocol
D. TCP-UDP
E. service
Correct Answer: E
QUESTION 91
Using the default modular policy framework global configuration on the Cisco ASA, how does the Cisco ASA process outbound HTTP traffic?
A. HTTP flows are not permitted through the Cisco ASA, because HTTP is not inspected by default.
B. HTTP flows match the inspection_default traffic class and are inspected using HTTP inspection.
C. HTTP outbound traffic is permitted, but all return HTTP traffic is denied.
D. HTTP flows are statefully inspected using TCP stateful inspection.
Correct Answer: D
QUESTION 92
In which two directions are the Cisco ASA modular policy framework inspection policies applied? (Choose two.)
A. in the ingress direction only when applied globally
B. in the ingress direction only when applied on an interface
C. in the egress direction only when applied globally
D. in the egress direction only when applied on an interface
E. bi-directionally when applied globally
F. bi-directionally when applied on an interface
Correct Answer: AF
QUESTION 93
Which flags should the show conn command normally show after a TCP connection has successfully been established from an inside host to an outside host?
A. aB
B. saA
C. sIO
D. AIO
E. UIO
F. F
Correct Answer: D
QUESTION 94
Which three configurations are needed to enable SNMPv3 support on the Cisco ASA? (Choose three.)
A. SNMPv3 Local EngineID
B. SNMPv3 Remote EngineID
C. SNMP Users
D. SNMP Groups
E. SNMP Community Strings
F. SNMP Hosts
Correct Answer: CDF
QUESTION 95
A customer is ordering a number of Cisco ASAs for their network. For the remote or home office, they are purchasing the Cisco ASA 5505. When ordering the licenses for their Cisco ASAs, which two licenses must they order that are “platform specific” to the Cisco ASA 5505? (Choose two.)
A. AnyConnect Essentials license
B. per-user Premium SSL VPN license
C. VPN shared license
D. internal user licenses
E. Security Plus license
Correct Answer: DE
QUESTION 96
Refer to the exhibit.
Which two statements are true? (Choose two.)
A. The connection is awaiting outside ACK to SYN.
B. The connection is initiated from the inside.
C. The connection is active and has received inbound and outbound data.
D. The connection is an incomplete TCP connection.
E. The connection is a DNS connection.
Correct Answer: BC
QUESTION 97
Which Cisco ASA show command groups the xlates and connections information together in its output?
A. show conn
B. show conn detail
C. show xlate
D. show asp
E. show local-host
Correct Answer: E
QUESTION 98
The Cisco ASA is configured in multiple mode and the security contexts share the same outside physical interface. Which two packet classification methods can be used by the Cisco ASA to determine which security context to forward the incoming traffic from the outside interface? (Choose two.)
A. unique interface IP address
B. unique interface MAC address
C. routing table lookup
D. MAC address table lookup
E. unique global mapped IP addresses
Correct Answer: BE
QUESTION 99
When a Cisco ASA is configured in multiple context mode, within which configuration are the interfaces allocated to the security contexts?
A. each security context
B. system configuration
C. admin context (context with the “admin” role)
D. context startup configuration file (.cfg file)
Correct Answer: B
QUESTION 100
When troubleshooting redundant interface operations on the Cisco ASA, which configuration should be verified?
A. The nameif configuration on the member physical interfaces are identical.
B. The MAC address configuration on the member physical interfaces are identical.
C. The active interface is sending periodic hellos to the standby interface.
D. The IP address configuration on the logical redundant interface is correct.
E. The duplex and speed configuration on the logical redundant interface are correct.
Correct Answer: D
QUESTION 101
Which statement about the Cisco ASA 5505 configuration is true?
A. The IP address is configured under the physical interface (ethernet 0/0 to ethernet 0/7).
B. With the default factory configuration, the management interface (management 0/0) is configured with the 192.168.1.1/24 IP address.
C. With the default factory configuration, Cisco ASDM access is not enabled.
D. The switchport access vlan command can be used to assign the VLAN to each physical interface (ethernet 0/0 to ethernet 0/7).
E. With the default factory configuration, both the inside and outside interface will use DHCP to acquire its IP address.
Correct Answer: D
QUESTION 102
What is the correct regular expression to match HTTP requests whose URI is /welcome.jpg?
A. ^/welcome.jpg
B. ^/welcome\.jpg
C. ^*/welcome\.jpg
D. ^\/welcome\.jpg
E. ^\*/welcome\.jpg
Correct Answer:
QUESTION 103
Refer to the exhibit.
A Cisco ASA in transparent firewall mode generates the log messages seen in the exhibit. What should be configured on the Cisco ASA to allow the denied traffic?
A. extended ACL on the outside and inside interface to permit the multicast traffic
B. EtherType ACL on the outside and inside interface to permit the multicast traffic
C. stateful packet inspection
D. static ARP mapping
E. static MAC address mapping
Correct Answer: A
QUESTION 104
With active/standby failover, what happens if the standby Cisco ASA does not receive three consecutive hello messages from the active Cisco ASA on the LAN failover interface?
A. The standby ASA immediately becomes the active ASA.
B. The standby ASA eventually becomes the active ASA after three times the hold-down timer interval expires.
C. The standby ASA runs network activity tests, including ARP and ping, to determine if the active ASA has failed.
D. The standby ASA sends additional hello packets on all monitored interfaces, including the LAN failover interface, to determine if the active ASA has failed.
E. Both ASAs go to the “unknown” state until the LAN interface becomes operational again.
Correct Answer: D
QUESTION 105
Refer to the exhibit.
The Cisco ASA is dropping all the traffic that is sourced from the internet and is destined to any security context inside interface. Which configuration should be verified on the Cisco ASA to solve this problem?
A. The Cisco ASA has NAT control disabled on each security context.
B. The Cisco ASA is using inside dynamic NAT on each security context.
C. The Cisco ASA is using a unique MAC address on each security context outside interface.
D. The Cisco ASA is using a unique dynamic routing protocol process on each security context.
E. The Cisco ASA packet classifier is configured to use the outside physical interface to assign the packets to each security context.
Correct Answer: C
QUESTION 106
Refer to the exhibit.
***Exhibit is Missing***
The Cisco ASA is operating in transparent mode. What is required on the Cisco ASA so that R1 and R2 can form OSPF neighbor adjacency?
A. Map the R1 and R2 MAC address in the Cisco ASA MAC address table using the mac-address-table static if_name MAC_address command.
B. Configure OSPF stateful packet inspection using MPF.
C. Apply an EtherType ACL to the inside and outside interfaces to permit OSPF multicast traffic.
D. Apply an extended ACL to the inside and outside interfaces to permit OSPF multicast traffic.
E. Enable Advanced Application Inspection using MPF.
Correct Answer: D
QUESTION 107
On the Cisco ASA, where are the Layer 5-7 policy maps applied?
A. inside the Layer 3-4 policy map
B. inside the Layer 3-4 class map
C. inside the Layer 5-7 class map
D. inside the Layer 3-4 service policy
E. inside the Layer 5-7 service policy
Correct Answer: A
QUESTION 108
A Cisco ASA requires an additional feature license to enable which feature?
A. transparent firewall
B. cut-thru proxy
C. threat detection
D. botnet traffic filtering
E. TCP normalizer
Correct Answer: D
QUESTION 109
With Cisco ASA active/standby failover, what is needed to enable subsecond failover?
A. Use redundant interfaces.
B. Enable the stateful failover interface between the primary and secondary Cisco ASA.
C. Decrease the default unit failover polltime to 300 msec and the unit failover holdtime to 900 msec.
D. Decrease the default number of monitored interfaces to 1.
Correct Answer: C
QUESTION 110
Refer to the exhibit.
Which two CLI commands result from this configuration? (Choose two.)
A. aaa authorization network LOCAL
B. aaa authorization network default authentication-server LOCAL
C. aaa authorization command LOCAL
D. aaa authorization exec LOCAL
E. aaa authorization exec authentication-server LOCAL
F. aaa authorization exec authentication-server
Correct Answer: CD