Flydumps 100% New Updated Cisco 642-648 Practice Tests Questions Helps Pass Cisco 642-648 Exam Quickly

Passed with high score today for Cisco https://www.pass4itsure.com/642-648.html Exam. Windows 8.1 new questions will be added so I’m lucky to pass today. Almost all questions were the same includes the new question, DirectAccess, EFS, AD CS. Only used Flydumps premium vce file.

QUESTION 1
Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL VPN session. Which statement is correct concerning the SSL VPN authorization process?
A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an external AAA server.
B. Remote clients can be authorized externally by applying group parameters from an external database.
C. Remote client authorization is supported by RADIUS and TACACS+ protocols.
D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.
Correct Answer: B
QUESTION 2
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?
A. IPsec user profile
B. Crypto Map
C. Group Policy
D. IPsec Policy
E. IKE Policy
Correct Answer: B
QUESTION 3
Refer to the exhibit. While troubleshooting a remote-access application, a new NOC engineer received the logging message that is shown in the exhibit.
Which configuration is most likely to be mismatched?
A. IKE configuration
B. extended authentication configuration
C. IPsec configuration
D. digital certificate configuration
Correct Answer: C
“First Test, First Pass” – www.lead2pass.com 4 Cisco 642-648 Exam
QUESTION 4
Refer to the exhibit. The ABC Corporation is changing remote-user authentication from pre-shared keys to certificate-based authentication. For most employee authentication, its group membership (the employees) governs corporate access. Certain management personnel need access to more confidential servers. Access is based on the group and name, such as finance and level_2. When it is time to pilot the new authentication policy, a finance manager is able to access the department-assigned servers but cannot access the restricted servers. As the network engineer, where would you look for the problem?
A. Check the validity of the identity and root certificate on the PC of the finance manager.
B. Change the Management Certificate to Connection Profile Maps > Rule Priority to a number that is greater than 10.
C. Check if the Management Certificate to Connection Profile Maps > Rules is configured correctly.
D. Check if the Certificate to Connection Profile Maps > Policy is set correctly.
Correct Answer: D
QUESTION 5
Refer to the exhibit. The user “contractor” inherits which VPN group policy?

A. employee
B. management
C. DefaultWEBVPNGroup
D. DfltGrpPolicy
E. new_hire

Correct Answer: D
QUESTION 6
Refer to the exhibit. In the CLI snippet that is shown, what is the function of the deny option in the access list?

A. When set in conjunction with outbound connection-type bidirectional, its function is to prevent the specified traffic from being protected by the crypto map entry.
B. When set in conjunction with connection-type originate-only, its function is to instruct the Cisco ASA to deny specific inbound traffic if it is not encrypted.
C. When set in conjunction with outbound connection-type answer-only, its function is to instruct the Cisco ASA to deny specific outbound traffic if it is not encrypted.
D. When set in conjunction with connection-type originate-only, its function is to cause all IP traffic that matches the specified conditions to be protected by the crypto map.
Correct Answer: A
QUESTION 7
Refer to the exhibit. A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a question about a line in the log.
The IP address 172.26.26.30 is attached to which interface in the network?
A. the Cisco ASA physical interface
B. the physical interface of the end user
C. the Cisco ASA SSL VPN tunnel interface
D. the SSL VPN tunnel interface of the end user
Correct Answer: B
QUESTION 8
Refer to the exhibit. When the user “contractor” Cisco AnyConnect tunnel is established, what type of Cisco ASA user restrictions are applied to the tunnel?

A. full restrictions (no Cisco ASDM, no CLI, no console access)
B. full restrictions (no read, no write, no execute permissions)
C. full restrictions (CLI show commands and Cisco ASDM monitoring permissions only)
D. full access with no restrictions
Correct Answer: D
QUESTION 9
Which statement regarding hashing is correct?
A. MD5 produces a 64-bit message digest.
B. SHA-1 produces a 160-bit message digest.
C. MD5 takes more CPU cycles to compute than SHA-1.
D. Changing 1 bit of the input to SHA-1 can change up to 5 bits in the output.
Correct Answer: B
QUESTION 10
When initiating a new SSL or TLS session, the client receives the server SSL certificate and validates it. After validating the server certificate, what does the client use the certificate for?
A. The client and server use the server public key to encrypt the SSL session data.
B. The server creates a separate session key and sends it to the client. The client decrypts the session key by using the server public key.
C. The client and server switch to a DH key exchange to establish a session key.
D. The client generates a random session key, encrypts it with the server public key, and then sends it to the server.
Correct Answer: D
QUESTION 11
When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or PAT, which type of VPN tunneling should you use to allow the VPN traffic through the stateful firewall?
A. clientless SSL VPN
B. IPsec over TCP
C. smart tunnel
D. SSL VPN plug-ins
Correct Answer: B
QUESTION 12
Refer to the exhibit. While troubleshooting on a remote-access VPN application, a new NOC engineer received the message that is shown. What is the most likely cause of the problem?

A. The IP address that is assigned to the PC of the VPN user is not within the range of addresses that are assigned to the SVC connection.
B. The IP address that is assigned to the PC of the VPN user is in use. The remote user needs to select a different host address within the range.
C. The IP address that is assigned to the PC of the VPN user is in the wrong subnet. The remote user needs to select a different host number within the correct subnet.
D. The IP address pool for contractors was not applied to their connection profile.
Correct Answer: D
QUESTION 13
What is a valid reason for configuring a list of backup servers on the Cisco AnyConnect VPN Client profile?
A. to access a backup authentication server
B. to access a backup DHCP server
C. to access a backup VPN server
D. to access a backup CA server

Correct Answer: C
QUESTION 14
Which statement about CRL configuration is correct?
A. CRL checking is enabled by default.
B. The Cisco ASA relies on HTTPS access to procure the CRL list.
C. The Cisco ASA relies on LDAP access to procure the CRL list.
D. The Cisco Secure ACS can be configured as the CRL server.

Correct Answer: C
QUESTION 15
You have been using pre-shared keys for IKE authentication on your VPN. Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you enable scaling to numerous IPsec peers?
A. Migrate to external CA-based digital certificate authentication.
B. Migrate to a load-balancing server.
C. Migrate to a shared license server.
D. Migrate from IPsec to SSL VPN client extended authentication.

Correct Answer: A
QUESTION 16
Refer to the exhibit. In the Edit Certificate Matching Rule Criterion window, you want to change the Mapped to Connection Profile. However, you cannot perform that action from this window. Where should you navigate to and what should you do, in order to perform this change?

A. Edit the entry in the Certificate Management window.
B. Edit the entry in the Connection Profiles window.
C. Edit the entry in the Certificate to Connection Profile Maps window.
D. Edit the entry in IKE Policies window.
E. Delete this entry in the Mapping Criteria window, and add a new entry in the same location.

Correct Answer: C
QUESTION 17
When preconfiguring a Cisco AnyConnect profile for the user group, which file is output by the Cisco AnyConnect profile editor?
A. user.ini
B. user.html
C. user.pcf
D. user.xml

Correct Answer: D
QUESTION 18
Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the validation of two sets of username and password credentials on the SSL VPN login page?
A. Single Sign-On
B. Certificate to Profile Mapping
C. Double Authentication
D. RSA OTP

Correct Answer: C
QUESTION 19
Which statement is correct regarding IKEv2 when implementing IPsec site-to-site VPNs?
A. IKEv2 should be configured with a higher priority over IKEv1 policies within the same tunnel group.
B. IKEv2 crypto maps can be configured to inherit IKEv1 parameters, if configured.
C. IKEv1 and IKEv2 can coexist in the same tunnel group, with fallback to IKEv1 if the remote endpoint does not support IKEv2.
D. IKEv2 can be configured to support multiple peers.

Correct Answer: C
QUESTION 20
Refer to the exhibit. What is the likely cause of the failure?

A. A msgid of 0 signifies a zero payload, indicating that the peer did not send any IKE proposals.
B. The remote peer did not respond to the 11 notifications that were sent by the originating IPsec endpoint.
C. There are mismatched IKE policies.
D. There are mismatched tunnel groups.

Correct Answer: C
