Cisco 642-524 Exam - CertifySky.com
Free 642-524 Sample Questions:
Q: 1 Tom works as a network administrator for the XYI company. The primary
adaptive security appliance in an active/standby failover configuration failed, so the secondary adaptive
security appliance was automatically activated. Tom then fixed the problem. Now he would like to
restore the primary to active status. Which one of the following commands can reactivate the primary
adaptive security appliance and restore it to active status while issued on the primary adaptive security
A. failover reset
B. failover primary active
C. failover active
D. failover exec standby
Q: 2 Which one of the following commands enables the DHCP server on the
DMZ interface of the Cisco ASA with an address pool of 10.0.1.100-10.0.1.108 and a DNS server of
A. dhcpd address 10.0.1.100-10.0.1.108 DMZ
   dhcpd dns 192.168.1.2
   dhcpd enable DMZ
B. dhcpd address range 10.0.1.100-10.0.1.108
   dhcpd dns server 192.168.1.2
   dhcpd enable DMZ
C. dhcpd range 10.0.1.100-10.0.1.108 DMZ
   dhcpd dns server 192.168.1.2
   dhcpd DMZ
D. dhcpd address range 10.0.1.100-10.0.1.108
   dhcpd dns 192.168.1.2
   dhcpd enable
Q: 3 Which one of the following commands will prevent all SIP INVITE packets,
such as calling-party and request-method, from specific SIP endpoints?
A. Use the match calling-party command in a class map. Apply the class map to a policy map that contains the
match request-methods command.
B. Group the match commands in a SIP inspection class map.
C. Use the match request-methods command in an inspection class map. Apply the inspection class map to an
inspection policy map that contains the match calling-party command.
D. Group the match commands in a SIP inspection policy map.
Q: 4 Which two statements are true about multiple context mode? (Choose two.)
A. Multiple context mode does not support IPS, IPsec, and SSL VPNs, or dynamic routing protocols.
B. Multiple context mode enables you to create multiple independent virtual firewalls with their own security
policies and interfaces.
C. Multiple context mode enables you to add to the security appliance a hardware module that supports up to
four independent virtual firewalls.
D. When you convert from single mode to multiple mode, the security appliance automatically adds an entry
for the admin context to the system configuration with the name "admin."
Answer: B, D
Q: 5 What is the effect of the per-user-override option when applied to the
access-group command syntax?
A. The log option in the per-user access list overrides existing interface log options.
B. It allows for extended authentication on a per-user basis.
C. It allows downloadable user access lists to override the access list applied to the interface.
D. It increases security by building upon the existing access list applied to the interface. All subsequent users
are also subject to the additional access list entries.
Q: 6 In order to recover the Cisco ASA password, which operation mode should
Q: 7 Which three statements correctly describe protocol inspection on the Cisco
ASA adaptive security appliance? (Choose three.)
A. For the security appliance to inspect packets for signs of malicious application misuse, you must enable
advanced (application layer) protocol inspection.
B. If you want to enable inspection globally for a protocol that is not inspected by default or if you want to
globally disable inspection for a protocol, you can edit the default global policy.
C. The protocol inspection feature of the security appliance securely opens and closes negotiated ports and IP
addresses for legitimate client-server connections through the security appliance.
D. If inspection for a protocol is not enabled, traffic for that protocol may be blocked.
Answer: B, C, D
Q: 8 Which one of the following commands verifies that NAT is working
normally and displays active NAT translations?
A. show ip nat all
B. show running-configuration nat
C. show xlate
D. show nat translation
Q: 9 Multimedia applications transmit requests on TCP, get responses on UDP or
TCP, use dynamic ports, and use the same port for source and destination, so they can pose challenges to
a firewall. Which three items are true about how the Cisco ASA adaptive security appliance handles
multimedia applications? (Choose three.)
A. It dynamically opens and closes UDP ports for secure multimedia connections, so you do not need to open
a large range of ports.
B. It supports SIP with NAT but not with PAT.
C. It supports multimedia with or without NAT.
D. It supports RTSP, H.323, Skinny, and CTIQBE.
Answer: A, C, D
Q: 10 What is the result if the WebVPN url-entry parameter is disabled?
A. The end user is unable to access pre-defined URLs.
B. The end user is unable to access any CIFS shares or URLs.
C. The end user is able to access CIFS shares but not URLs.
D. The end user is able to access pre-defined URLs.
Q: 11 Which three tunneling protocols and methods are supported by the Cisco
VPN Client? (Choose three.)
A. IPsec over TCP
B. IPsec over UDP
Answer: A, B, C
Q: 12 Which two options are correct about the impacts of this configuration?
match access-list TOINSIDEHOST
match access-list TOOUTSIDEHOST
set connection conn-max 100
service-policy MYOTHERPOLICY interface inside
service-policy MYPOLICY interface outside
A. Traffic that matches access control list TOINSIDEHOST is subject to HTTP inspection and maximum
B. Traffic that enters the security appliance through the inside interface is subject to HTTP inspection.
C. Traffic that enters the security appliance through the outside interface and matches access control list
TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.
D. Traffic that enters the security appliance through the inside interface and matches access control list
TOOUTSIDEHOST is subject to HTTP inspection.
Answer: C, D
Q: 13 What are the two purposes of the same-security-traffic permit
intra-interface command? (Choose two.)
A. It allows all of the VPN spokes in a hub-and-spoke configuration to be terminated on a single interface.
B. It enables Dynamic Multipoint VPN.
C. It permits communication in and out of the same interface when the traffic is IPsec protected.
D. It allows communication between different interfaces that have the same security level.
Answer: A, C
Q: 14 How many unique transforms can be included in a single transform set when
configuring the crypto ipsec transform-set command?
Q: 15 John works as a network administrator. According to the following exhibit,
descriptions are added to class maps for each part of the modular policy framework. Which text should
John add to the description command to describe the TO_SERVER class map?
XYI-asa1(config)#access-list UDP permit udp any any
XYI-asa1(config)#access-list TCP permit tcp any any
XYI-asa1(config)#access-list PUBLIC_WEB permit ip any 10.10.10.100 255.255.255.255
XYI-asa1(config-cmap)#description "This class-map matches all UDP traffic"
XYI-asa1(config-cmap)#match access-list UDP
XYI-asa1(config-cmap)#description "This class-map matches all TCP traffic"
XYI-asa1(config-cmap)#match access-list TCP
XYI-asa1(config-cmap)#description "This class-map matches all HTTP traffic"
XYI-asa1(config-cmap)#match port tcp eq http
XYI-asa1(config-cmap)#match access-list PUBLIC_WEB
A. description "This class-map matches all TCP traffic for the public web server."
B. description "This class-map matches all HTTP traffic for the public web server."
C. description "This class-map matches all HTTPS traffic for the public web server."
D. description "This class-map matches all IP traffic for the public web server."
Q: 16 What is the reason that you want to configure VLANs on a security
A. for use in conjunction with device-level failover to increase the reliability of your security appliance
B. for use in transparent firewall mode, where only VLAN interfaces are used
C. to increase the number of interfaces available to the network without adding additional physical interfaces
or security appliances
D. for use in multiple context mode, where you can map only VLAN interfaces to contexts
Q: 17 By default, the AIP-SSM IPS software is accessible from the management
port at IP address 10.1.9.201/24. Which CLI command should an administrator use to change the default
AIP-SSM management port IP address?
B. hw module 1 recover
D. hw module 1 setup
Q: 18 Which one of the following commands can provide detailed information
about the crypto map configurations of a Cisco ASA adaptive security appliance?
A. show ipsec sa
B. show crypto map
C. show run ipsec sa
D. show run crypto map
Q: 19 Which three groups are potential users of WebVPN? (Choose three.)
A. employees accessing specific internal applications from desktops and laptops not managed by IT
B. administrators who need to manage servers and networking equipment
C. employees that only need occasional corporate access to a few applications
D. users of a customer service kiosk placed in a retail store
Answer: A, C, D
Q: 20 Which three features can the Cisco ASA adaptive security appliance
support? (Choose three.)
A. BGP dynamic routing
B. 802.1Q VLANs
C. OSPF dynamic routing
D. static routes
Answer: B, C, D