Deploying Cisco ASA VPN Solutions (VPN v1.0): 642-647 Exam
642-647 Questions & Answers
Exam Code: 642-647
Exam Name: Deploying Cisco ASA VPN Solutions (VPN v1.0)
Q & A: 95 Q&As
An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation
headquarters, tried to access the XYZ sales demonstration folder to transfer a demonstration via
FTP from an ABC conference room behind the firewall. The engineer could not reach XYZ
through the remote-access VPN tunnel. From home the previous day, however, the engineer
connected to the XYZ sales demonstration folder and transferred the demonstration via IPsec
over DSL.To get the connection to work and transfer the demonstration, what can you suggest?
A. Change the MTU size on theIPsec client to account for the change from DSL to cable transmission.
B. Enable the local LAN access option on theIPsec client.
C. Enable theIPsec over TCP option on the IPsec client.
D. Enable the clientless SSL VPN option on the PC.
Refer to the exhibit. For the ABC Corporation, members of the NOC need the ability to select
tunnel groups from a drop-down menu on the Cisco IOS WebVPN login page. As the Cisco ASA
administrator, how would you accomplish this task?
A. Define a special identity certificate with multiple groups that are defined in the certificate OU field
that will grant the certificate holder access to the named groups on the login page.
B. Under Group Policies, define a default group that encompasses the required individual groups that
would appear on the login page.
C. Under Connection Profiles, define a NOC profile that encompasses the required individual profiles
that would appear on the login page.
D. Under Connection Profiles, enable group selection from the login page.
Which four parameters must be defined in an ISAKMP policy when creating an IPsec site-to-site
VPN using the Cisco ASDM? (Choose four.)
A. encryption algorithm
B. hash algorithmC. authentication method
D. IP address of remote IPsec peer
E. D-H group
F. perfect forward secrecy
An administrator has preconfigured the Cisco ASA 5505 user settings with a username and a
password. When the telecommuter first turns on the Cisco ASA 5505 and attempts to establish a
VPN tunnel, the user is prompted for a username and password. Which two Cisco ASA 5505
Group Policy features require this extra level of authentication? (Choose two.)
A. New Unit Authentication
B. Extended Group Authentication
C. Secure Unit Authentication
D. Role-Based Access Control Authentication
E. Compartmented Mode Authentication
F. Individual User Authentication
Refer to the exhibit. Which two statements are correct regarding these two Cisco ASA clientless
SSL VPN bookmarks? (Choose two.)
A. CSCO_WEBVPN_USERNAME is a user attribute.
B. CSCO_WEBVPN_USERNAME is a Cisco predefined variable that is used for macro substitution.
C. The CSCO_WEBVPN_USERNAME variable is enabled by using the Post SSO plug-in.
D. CSCO_SSO is a Cisco predefined variable that is used for macro substitution.
E. The CSCO_SSO=1 parameter enables SSO for the SSH plug-in.
F. The CSCO_SSO variable is enabled by using the Post SSO plug-in.
Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the
validation of two sets of username and password credentials on the SSL VPN login page?
A. Single Sign-On
B. Certificate to Profile Mapping
C. Double Authentication
D. RSA OTP
Which two types of digital certificate enrollment processes are available for the Cisco ASA
security appliance? (Choose two.)
Your corporate finance department purchased a new non-web-based TCP application tool to run
on one of its servers. The finance employees need remote access to the software during nonbusiness hours. The employees do not have “admin” privileges to their PCs. How would you
configure the SSL VPN tunnel to allow this application to run?
A. Configure a smart tunnel for the application.
B. Configure a “finance tool” VNC bookmark on the employee clientless SSL VPN portal.
C. Configure the plug-in that best fits the application.
D. Configure the Cisco ASA appliance to download the CiscoAnyConnect SSL VPN client to the
finance employee each time an SSL VPN tunnel is established.
Which two statements about the Cisco ASA load balancing feature are correct? (Choose two.)
A. The Cisco ASA load balances both site-to-site and remote-access VPN tunnels.
B. The Cisco ASA load balances remote-access VPN tunnels only.
C. The Cisco ASA load balances IPsec VPN tunnels only.
D. The Cisco ASA load balances IPsec VPN and Cisco AnyConnect SSL VPN tunnels only.
E. The Cisco ASA load balances IPsec VPN, clientless, and Cisco AnyConnect SSL VPN tunnels
A Cisco AnyConnect user profile can be pushed to the PC of a remote user from a Cisco ASA.
Which three user profile parameters are configurable? (Choose three.)
A. Backup Server list
B. DTLS Override
C. Auto Reconnect
D. Simultaneous Tunnels
E. Connection Profile Lock
F. Auto Update
QUESTION 11Refer to the exhibit. Today was the first day on a new project for an offsite temporary worker at
the XYZ Corporation. The worker was told to launch the SSL VPN session and then use the
smart- tunnel application to start a remote desktop application on the project server,
projects_server.xyz.com. The worker looked at the portal screen that was provided but did not
know how to access the smart-tunnel application.
As the help desk person, what can you recommend that the temporary worker do?
A. Click the Web Applications button.
B. Click the Applications Access button.
C. Click the Browse Networks button.
D. On the Home page, click the Address drop-down menu, choose RDP://, and fill in the destination host
ABC Corporation hired a temporary worker to help out with a new project. The network
administrator tasked you with restricting the internal clientless SSL VPN network access of the
temporary worker to one server with the IP address of 172.26.26.50 via HTTP. Which two
statements would complete the assignment? (Choose two.)
A. Configure access-list temp_acl webtype permit url http://172.26.26.50.
B. Configure access-list temp_acl_stand_ACL standard permit host 172.26.26.50.
C. Configure access-list temp_acl_extended extended permit http any host 172.26.26.50.
D. Apply the access list to the temporary worker Group Policy.
E. Apply the access list to the temporary worker Connection Profile.
F. Apply the access list to the outside interface in the inbound direction
In clientless SSL VPN, administrators can control user access to the internal network or
resources of a company, based on what?
A. interface ACLs
B. webtype ACLs
C. per-user or per-group ACLs
D. MPF-configured service policies
When attempting to tunnel FTP traffic through a stateful firewall that may be performing NAT or
PAT, which type of VPN tunneling should be used to allow the VPN traffic through the stateful
A. Clientless SSL VPN
B. IPsec over TCP
C. Smart Tunnel
D. SSL VPN plug-ins
An IT manager and a security manager are discussing the deployment options for clientless SSL
VPN. They are trying to decide which groups are best suited for this new deployment option.
Which two groups are the best candidates for the upcoming clientless SSL VPN rollout? (Choose
A. IT administrator who needs to manage servers from a corporate laptop
B. employees who need occasional access to check their mail accounts
C. vendor who needs access to confidential corporate presentations via Secure FTP
D. customers who need interactive access to your corporate invoice server
…go to http://www.lead2pass.com/642-647.html to download the full version Q&As.
Lead2Pass CCNP Security 642-647 exam questions which contain almost 100% correct answers are tested and approved by senior Cisco lecturers and experts. They have been devoting themselves to providing candidates with the best study materials to make sure what they get are valuable. 642-647 practice tests are written to the highest standards of technical accuracy which can make you succeed in the exam.