Each Answers in Cisco https://www.pass4itsure.com/642-647.html study guides are checked by the concerned professional to provide you the best quality dumps. If you are looking to get certified in short possible time, you will never find quality product than Flydumps.
Exam A QUESTION 1
An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation headquarters, tried to access the XYZ sales demonstration folder to transfer a demonstration via FTP from an ABC conference room behind the firewall. The engineer could not reach XYZ through the remote-access VPN tunnel. From home the previous day, however, the engineer connected to the XYZ sales demonstration folder and transferred the demonstration via IPsec over DSL.
To get the connection to work and transfer the demonstration, what can you suggest?
A. Change the MTU size on theIPsec client to account for the change from DSL to cable transmission.
B. Enable the local LAN access option on theIPsec client.
C. Enable theIPsec over TCP option on the IPsec client.
D. Enable the clientless SSL VPN option on the PC
Correct Answer: A Explanation Explanation/Reference:
QUESTION 2
Refer to the exhibit. For the ABC Corporation, members of the NOC need the ability to select tunnel groups from a drop-down menu on the Cisco IOS WebVPN login page. As the Cisco ASA administrator, how would you accomplish this task?
A. Define a special identity certificate with multiple groups that are defined in the certificate OU field that will grant the certificate holder access to the named groups on the login page.
B. Under Group Policies, define a default group that encompasses the required individual groups that would appear on the login page.
C. Under Connection Profiles, define a NOC profile that encompasses the required individual profiles that would appear on the login page.
D. Under Connection Profiles, enable group selection from the login page.
Correct Answer: D Explanation Explanation/Reference:
QUESTION 3
Which four parameters must be defined in an ISAKMP policy when creating an IPsec site-to-site VPN using the Cisco ASDM? (Choose four.)
A. encryption algorithm
B. hash algorithm
C. authentication method
D. IP address of remoteIPsec peer
E. D-H group
F. perfect forward secrecy
Correct Answer: ABCE Explanation
Explanation/Reference:
QUESTION 4
An administrator has preconfigured the Cisco ASA 5505 user settings with a username and a password. When the telecommuter first turns on the Cisco ASA 5505 and attempts to establish a VPN tunnel, the user is prompted for a username and password. Which two Cisco ASA 5505
Group Policy features require this extra level of authentication? (Choose two.)
A. New Unit Authentication
B. Extended Group Authentication
C. Secure Unit Authentication
D. Role-Based Access Control Authentication
E. Compartmented Mode Authentication
F. Individual User Authentication
Correct Answer: CF Explanation
Explanation/Reference:
QUESTION 5
Refer to the exhibit. Which two statements are correct regarding these two Cisco ASA clientless SSL VPN bookmarks? (Choose two.)
A. CSCO_WEBVPN_USERNAME is a user attribute.
B. CSCO_WEBVPN_USERNAME is a Cisco predefined variable that is used for macro substitution.
C. The CSCO_WEBVPN_USERNAME variable is enabled by using the Post SSO plug-in.
D. CSCO_SSO is a Cisco predefined variable that is used for macro substitution.
E. The CSCO_SSO=1 parameter enables SSO for the SSH plug-in.
F. The CSCO_SSO variable is enabled by using the Post SSO plug-in.
Correct Answer: BE Explanation
Explanation/Reference:
QUESTION 6
Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the validation of two sets of username and password credentials on the SSL VPN login page?
A. Single Sign-On
B. Certificate to Profile Mapping
C. Double Authentication
D. RSA OTP
Correct Answer: D Explanation
Explanation/Reference:
QUESTION 7
Which two types of digital certificate enrollment processes are available for the Cisco ASA security appliance? (Choose two.)
A. LDAP
B. FTP
C. TFTP
D. HTTP
E. SCEP
F. Manual
Correct Answer: EF Explanation
Explanation/Reference:
QUESTION 8
Your corporate finance department purchased a new non-web-based TCP application tool to run on one of its servers. The finance employees need remote access to the software during non- business hours. The employees do not have “admin” privileges to their PCs. How would you configure the SSL VPN tunnel to allow this application to run?
A. Configure a smart tunnel for the application.
B. Configure a “finance tool” VNC bookmark on the employee clientless SSL VPN portal.
C. Configure the plug-in that best fits the application.
D. Configure the Cisco ASA appliance to download the CiscoAnyConnect SSL VPN client to the finance employee each time an SSL VPN tunnel is established.
Correct Answer: A Explanation Explanation/Reference:
QUESTION 9
“Pass Any Exam. Any Time.” – www.actualtests.com 5 Cisco 642-647: Practice Exam
Refer to the exhibit. A new network engineer configured the ABC adaptive security appliance with two bookmarks for a new temporary employee. The temporary worker can connect to the administrator server via the temp_worker_admin bookmark but cannot connect to the project server via the temp_worker_projects (greyed-out) bookmark. It was determined that the URL and IP addressing information in the GUI screens is correct.
What is wrong with the configuration?
A. URL Entry should be enabled.
B. The File Server Entry Inherit parameter should be overwritten and set for enabled.
C. The DNS server information is incorrect.
D. File Server Browsing should be enabled
Correct Answer: C Explanation
Explanation/Reference:
QUESTION 10
“Pass Any Exam. Any Time.” – www.actualtests.com 6 Cisco 642-647: Practice Exam Refer to the exhibit. When an SSL VPN user, contractor1, enters https://192.168.4.2 (the outside address of the Cisco ASA appliance) into the browser, an SSL VPN Login screen appears. Along with the information that is contained in the Cisco ASDM configuration screens, what can an administrator determine about the state of the connection after the user clicks the Login button?
A. The user login will succeed and an IP address of 10.0.4.120 will be assigned.
B. The user will be presented with a clientless VPN portal page.
C. The user login will succeed but the user will be connected to the “contractor” tunnel group.
D. The login will fail.
Correct Answer: D Explanation
Explanation/Reference:
QUESTION 11
Which two statements about the Cisco ASA load balancing feature are correct? (Choose two.)
A. The Cisco ASA load balances both site-to-site and remote-access VPN tunnels.
B. The Cisco ASA load balances remote-access VPN tunnels only.
C. The Cisco ASA load balances IPsec VPN tunnels only.
D. The Cisco ASA load balances IPsec VPN and Cisco AnyConnect SSL VPN tunnels only.
E. The Cisco ASA load balances IPsec VPN, clientless, and Cisco AnyConnect SSL VPN tunnels
Correct Answer: B Explanation
Explanation/Reference:
QUESTION 12
A Cisco AnyConnect user profile can be pushed to the PC of a remote user from a Cisco ASA. Which three user profile parameters are configurable? (Choose three.)
A. Backup Server list
B. DTLS Override
C. Auto Reconnect
D. Simultaneous Tunnels
E. Connection Profile Lock
F. Auto Update
Correct Answer: ACF Explanation
Explanation/Reference:
QUESTION 13
Refer to the exhibit. Today was the first day on a new project for an offsite temporary worker at the XYZ Corporation. The worker was told to launch the SSL VPN session and then use the smart- tunnel application to start a remote desktop application on the project server, projects_server.xyz.com. The worker looked at the portal screen that was provided but did not know how to access the smart-tunnel application.
As the help desk person, what can you recommend that the temporary worker do?
A. Click the Web Applications button.
B. Click the Applications Access button.
C. Click the Browse Networks button.
D. On the Home page, click the Address drop-down menu, choose RDP://, and fill in the destination host name, projects_server.abc.com.
Correct Answer: B Explanation
Explanation/Reference:
QUESTION 14
ABC Corporation hired a temporary worker to help out with a new project. The network administrator tasked you with restricting the internal clientless SSL VPN network access of the temporary worker to one server with the IP address of 172.26.26.50 via HTTP. Which two statements would complete the assignment? (Choose two.)
A. Configure access-listtemp_acl webtype permit url http://172.26.26.50.
B. Configure access-listtemp_acl_stand_ACL standard permit host 172.26.26.50.
C. Configure access-listtemp_acl_extended extended permit http any host 172.26.26.50.
D. Apply the access list to the temporary worker Group Policy.
E. Apply the access list to the temporary worker Connection Profile.
F. Apply the access list to the outside interface in the inbound direction
Correct Answer: AD Explanation
Explanation/Reference:
QUESTION 15
In clientless SSL VPN, administrators can control user access to the internal network or resources of a company, based on what?
A. interface ACLs
B. webtype ACLs
C. per-user or per-group ACLs
D. MPF-configured service policies
Correct Answer: B Explanation
Explanation/Reference:
QUESTION 16
When attempting to tunnel FTP traffic through a stateful firewall that may be performing NAT or PAT, which type of VPN tunneling should be used to allow the VPN traffic through the stateful firewall?
A. clientless SSL VPN
B. IPsec over TCP
C. Smart Tunnel
D. SSL VPN plug-ins
Correct Answer: B Explanation
Explanation/Reference:
QUESTION 17
“Pass Any Exam. Any Time.” – www.actualtests.com 11 Cisco 642-647: Practice Exam
Refer to the exhibit. When testing SSL VPN in a nonproduction environment, certain variables in the Cisco ASDM session details can be viewed or changed under Configuration > AnyConnect Connection Profiles. Which parameter can be viewed or changed in the AnyConnect Connection Profiles?
A. Assigned IP address 10.0.4.120
B. Client Type: SSL VPN Client
C. Authentication Mode: Certificate and User Password
D. ClientVer: Cisco AnyConnect VPN Agent for Windows
Correct Answer: C Explanation
Explanation/Reference:
QUESTION 18
An IT manager and a security manager are discussing the deployment options for clientless SSL ActualTests.com VPN. They are trying to decide which groups are best suited for this new deployment option. Which two groups are the best candidates for the upcoming clientless SSL VPN rollout? (Choose two.)
A. IT administrator who needs to manage servers from a corporate laptop
B. employees who need occasional access to check their mail accounts
C. vendor who needs access to confidential corporate presentations via Secure FTP
D. customers who need interactive access to your corporate invoice server
Correct Answer: BC Explanation
Explanation/Reference:
QUESTION 19
Refer to the exhibit. You are configuring a laptop with the Cisco VPN Client, which will use digital certificates for authentication. Which protocol will the Cisco VPN Client use to retrieve the digital certificate from the CA server?
A. FTP
B. LDAP
C. HTTPS
D. SCEP
E. OCSP
Correct Answer: D Explanation
Explanation/Reference:
QUESTION 20
Upon receiving a digital certificate, what are three steps that a Cisco ASA will perform to authenticate the digital certificate? (Choose three.)
A. The identity certificate validity period is verified against the system clock of the Cisco ASA.
B. Identity certificates are exchanged duringIPsec negotiations.
C. The identity certificate signature is validated by using the stored root certificate.
D. The signature is validated by using the stored identity certificate.
E. If enabled, the Cisco ASA locates the CRL and validates the identity certificate.
Correct Answer: ACE Explanation
Explanation/Reference:
QUESTION 21
You have been using pre-shared keys for IKE authentication on your VPN. Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you enable scaling to numerous IPsec peers?
A. Migrate to external CA-based digital certificates authentication
B. Migrate to a load balancing server.
C. Migrate to a shared license server.
D. Migrate fromIPsec to SSL VPN client extended authentication
Correct Answer: A Explanation
Explanation/Reference:
QUESTION 22
Refer to the exhibit. A junior network engineer configured the corporate Cisco ASA appliance to accommodate a new temporary worker. For security reasons,
the IT department wants to restrict the internal network access of the new temporary worker to the corporate server with an IP ActualTests.com
address of 10.0.4.10. After the junior network engineer finished the configuration, the IT security specialist tested the account of the temporary worker. The tester
was able to access the URLs of additional secure servers from the Cisco IOS WebVPN user account of the temporary worker.
What did the junior network engineer configure incorrectly?
A. The ACL was configured incorrectly.
B. The ACL was applied incorrectly, or not applied.
C. Network browsing was not restricted on the temporary worker group policy.
D. Network browsing was not restricted on the temporary worker user policy
Correct Answer: B Explanation
Explanation/Reference:
QUESTION 23
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IKE policy parameters. Where is the correct place to tune IKE policy parameters?
A. CiscoIPsec VPN SW Client > Client Profile
B. IPsec User Profile
C. Group Policy
D. IKE Policy
E. Crypto Map
Correct Answer: D Explanation
Explanation/Reference:
QUESTION 24
To enable the Cisco ASA Host Scan with remediation capabilities, an administrator must have which two Cisco ASA licenses enabled on its security appliance? (Choose two.)
A. CiscoAnyConnect Premium license
B. CiscoAnyConnect Essentials license
C. CiscoAnyConnect Mobile license
D. Host Scan license
E. Advanced Endpoint Assessment license
F. Cisco Security Agent license
Correct Answer: AE Explanation
Explanation/Reference:
QUESTION 25
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?
A. IPsec user profile
B. Crypto Map
C. Group Policy
D. IPsec policy
E. IKE policy
Correct Answer: D Explanation
Explanation/Reference:
Get yourself composed for Microsoft actual exam and upgrade your skills with Flydumps Cisco 642-647 practice test products. Once you have practiced through our assessment material, familiarity on Cisco https://www.pass4itsure.com/642-647.html exam domains get a significant boost. Flydumps.com practice tests enable you to raise your performance level and assure the guaranteed success for Cisco 642-647 exam.
