Cisco CCNP Security 642-648 Training

The Deploying Cisco ASA VPN Solutions (VPN) 642-648 exam is associated with the CCSP, CCNP Security, Cisco ASA Specialist and Cisco IPS Specialist certifications. This exam tests a candidate’s knowledge and skills needed to deploy Cisco ASA-based VPN solutions. Successful candidates will be able to reduce risk to the IT infrastructure and applications using Cisco ASA VPN features, and provide detailed operations support for the Cisco ASA. Candidates can prepare for this exam by taking the Deploying Cisco ASA VPN Solutions (VPN) 642-468 course.

QUESTION NO: 1
Refer to the exhibit.
A new NOC engineer is troubleshooting a VPN connection.
Which statement about the fields within the Cisco VPN Client Statistics screen is correct?
A. The ISP-assigned IP address of 10.0.21.1 is assigned to the VPN adapter of the PC.
B. The IP address of the security appliance to which the Cisco VPN Client is connected is 192.168.1.2.
C. CorpNet is the name of the Cisco ASA group policy whose tunnel parameters the connection is using.
D. The ability of the client to send packets transparently and unencrypted through the tunnel for test purposes is turned off.
E. With split tunneling enabled, the Cisco VPN Client registers no decrypted packets.
Answer: B

QUESTION NO: 2
An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation
headquarters, tried to access the XYZ sales demonstration folder to transfer a demonstration via FTP from an ABC conference room behind the firewall. The engineer could not reach XYZ through the remote-access VPN tunnel. From home the previous day, however, the engineer did connect to the XYZ sales demonstration folder and transferred the demonstration via IPsec over DSL.
To get the connection to work and transfer the demonstration, what should the engineer do?
A. Change the MTU size on the IPsec client to account for the change from DSL to cable transmission.
B. Enable the local LAN access option on the IPsec client.
C. Enable the IPsec over TCP option on the IPsec client.
D. Enable the clientless SSL VPN option on the PC.
Answer: C

QUESTION NO: 3
Refer to the exhibit.

While troubleshooting a remote-access application, a new NOC engineer received the logging message that is shown in the exhibit.
Which configuration is most likely to be mismatched?
A. IKE configuration
B. extended authentication configuration
C. IPsec configuration
D. digital certificate configuration
Answer: C

QUESTION NO: 4
When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or PAT, which type of VPN tunneling should you use to allow the VPN traffic through the stateful firewall?
A. clientless SSL VPN
B. IPsec over TCP
C. smart tunnel
D. SSL VPN plug-ins
Answer: B

QUESTION NO: 5
Refer to the exhibit.
While troubleshooting a remote-access VPN application, a new NOC engineer received the message that is shown.
What is the most likely cause of the problem?
A. The IP address that is assigned to the PC of the VPN user is not within the range of addresses that are assigned to the SVC connection.
B. The IP address that is assigned to the PC of the VPN user is in use. The remote user needs to select a different host address within the range.
C. The IP address that is assigned to the PC of the VPN user is in the wrong subnet. The remote user needs to select a different host number within the correct subnet.
D. The IP address pool for contractors was not applied to their connection profile.
Answer: D

QUESTION NO: 6
The software-based Cisco IPsec VPN Client solution uses bidirectional authentication, in which the client authenticates the Cisco ASA, and the Cisco ASA authenticates the user. Which three methods are software-based Cisco IPsec VPN Client to Cisco ASA authentication methods? (Choose three.)
A. Unified Client Certificate authentication
B. Secure Unit authentication
C. Hybrid authentication
D. Certificate authentication
E. Group authentication
Answer: C,D,E

QUESTION NO: 7
Refer to the exhibit.
After a remote user established a Cisco AnyConnect session from a wireless card through the Cisco ASA appliance of a partner to a remote server, the user opened the Cisco AnyConnect VPN Client Statistics Details screen.
What are the two sources of the IP addresses that are marked A and B? (Choose two.)
A. IP address that is assigned to the wireless Ethernet adapter of the remote user
B. IP address that is assigned to the remote user from the Cisco ASA address pool
C. IP address of the Cisco ASA physical interface of the partner
D. IP address of the Cisco ASA virtual HTTP server of the partner
E. IP address of the default gateway router of the remote user
F. IP address of the default gateway router of the partner
Answer: B,C

QUESTION NO: 8
Refer to the exhibit. A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a question about a line in the log.
The IP address 172.26.26.30 is attached to which interface in the network?
A. the Cisco ASA physical interface
B. the physical interface of the end user
C. the Cisco ASA SSL VPN tunnel interface
D. the SSL VPN tunnel interface of the end user
Answer: B

QUESTION NO: 9
Refer to the exhibit.
When the Cisco AnyConnect tunnel for the user “contractor” is established, what type of Cisco ASA user restrictions are applied to the tunnel?
A. full restrictions (no Cisco ASDM, no CLI, no console access)
B. full restrictions (no read, no write, no execute permissions)
C. full restrictions (CLI show commands and Cisco ASDM monitoring permissions only)
D. full access with no restrictions
Answer: D

QUESTION NO: 10
When preconfiguring a Cisco AnyConnect profile for the user group, which file is output by the Cisco AnyConnect profile editor?
A. user.ini
B. user.html
C. user.pcf
D. user.xml
Answer: D

QUESTION NO: 11
Datagram Transport Layer Security (DTLS) was introduced to solve performance issues. Which three statements are characteristics of DTLS? (Choose three.)
A. It uses TLS to negotiate and establish DTLS connections.
B. It uses DTLS to transmit datagrams.
C. It is disabled by default.
D. It uses TLS for data packet retransmission.
E. It replaces the underlying transport layer with UDP 443.
F. It uses TLS to provide low-latency video application tunneling.
Answer: A,B,E

QUESTION NO: 12
Refer to the exhibit. Given the example that is shown, what can you determine?
A. Users are required to perform RADIUS or LDAP authentication when connecting with the Cisco AnyConnect client.
B. Users are required to perform AAA authentication when connecting via WebVPN.
C. Users are required to perform double AAA authentication.
D. The user access identity is prefilled at login, requiring users to enter only their password.
Answer: C