Free Cheat-test Samples and Demo Questions Download

Cisco 642-648 Exam

Free 642-648 Sample Questions:

Q: 1
An engineer, while working at a home office, wants to launch the Cisco AnyConnect Client to the corporate offices while simultaneously printing network designs on the home network.
Without allowing access to the Internet, what are the two best ways for the administrator to configure this application? (Choose two.)
A. Select the Tunnel All Networks policy.
B. Select the Tunnel Network List Below policy.
C. Select the Exclude Network List Below policy.
D. Configure an exempted network list.
E. Configure a standard access list and apply it to the network list.
F. Configure an extended access list and apply it to the network list.
Answer: C,E products_configuration_example09186a0080702992.shtml

Q: 2
ABC Corporation has hired a temporary worker to help out with a new project. The network administrator gives you the task of restricting the internal clientless SSL VPN network access of the temporary worker to one server with the IP address of via HTTP.
Which two actions should you take to complete the assignment? (Choose two.)
A. Configure access-list temp_acl webtype permit url
B. Configure access-list temp_acl_stand_ACL standard permit host
C. Configure access-list temp_acl_extended extended permit http any host
D. Apply the access list to the temporary worker Group Policy.
E. Apply the access list to the temporary worker Connection Profile.
F. Apply the access list to the outside interface in the inbound direction.
Answer: A,D
Web ACLs
The Web ACLs table displays the filters configured on the security appliance applicable to Clientless SSL VPN traffic. The table shows the name of each access control list (ACL), and below and indented to the right of the ACL name, the access control entries (ACEs) assigned to the ACL.
Each ACL permits or denies access to specific networks, subnets, hosts, and web servers. Each ACE specifies one rule that serves the function of the ACL. You can configure ACLs to apply to Clientless SSL VPN traffic. The following rules apply:
• If you do not configure any filters, all connections are permitted.
• The security appliance supports only an inbound ACL on an interface.
• At the end of each ACL, an implicit, unwritten rule denies all traffic that is not explicitly permitted.
You can use the following wildcard characters to define more than one wildcard in the Webtype access list entry:
• Enter an asterisk "*" to match no characters or any number of characters.
• Enter a question mark "?" to match any one character exactly.
• Enter square brackets "[]" to create a range operator that matches any one character in a range.
The following examples show how to use wildcards in Webtype access lists.
• The following example matches URLs such as and
access-list test webtype permit url http://ww?.c*co*/
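The wildcard rules above can be checked offline before a webtype ACE is deployed. The following is an added example, not code from the original page or from Cisco: a Python model of the three wildcards, assuming the pattern must match the whole URL and that "*" spans any character, including "." and "/". The function names, the range pattern and the sample URLs are constructed for illustration.

```python
import re

def webtype_to_regex(pattern):
    """Translate a webtype-style wildcard pattern into a compiled regex.
    Modelled rules (from the text above): '*' = zero or more characters,
    '?' = exactly one character, '[..]' = one character from a range."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end in (-1, i + 1):
                raise ValueError("unterminated or empty range at offset %d" % i)
            # Keep '-' as the range operator; neutralise regex-only metacharacters.
            body = "".join("\\" + c if c in "\\^[" else c for c in pattern[i + 1:end])
            out.append("[" + body + "]")
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def matches(pattern, url):
    # Assumption: the ACE is compared against the full URL, not a prefix.
    return webtype_to_regex(pattern).fullmatch(url) is not None

def audit(pattern, urls):
    """Return {url: permitted?} so a reviewer can see what an ACE really covers."""
    return {u: matches(pattern, u) for u in urls}

PAGE_PATTERN = "http://ww?.c*co*/"           # pattern quoted on the page
SAMPLE_URLS = [                               # constructed test URLs
    "http://www.corpco.example/",             # intended style of match
    "http://wwz.caco.example/",               # '?' accepts any single character
    "http://web.corpco.example/",             # 'ww?' needs a literal "ww" first
    "https://www.corpco.example/",            # scheme is literal: http only
    "http://www.c.unrelated.example/path/co/",  # '*' also spans '.' and '/'
]

if __name__ == "__main__":
    for url, ok in audit(PAGE_PATTERN, SAMPLE_URLS).items():
        print("permit " if ok else "no match", url)
```

Under this model the last sample URL is permitted as well, which is why each "*" in a webtype ACE is worth auditing against URLs that should fall through to the implicit deny.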

Q: 3
In which three ways can a Cisco ASA security appliance obtain a certificate revocation list? (Choose three.)
Answer: B,D,E
CRLs provide the ASA with one way of determining whether a certificate that is within its valid time range has been revoked by the issuing CA. CRL configuration is part of configuration of a trustpoint.
You can configure the ASA to make CRL checks mandatory when authenticating a certificate by using the revocation-check crl command. You can also make the CRL check optional by using the revocation-check crl none command, which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data.
The ASA can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a configurable amount of time for each trustpoint.
When the ASA has cached a CRL for longer than the amount of time it is configured to cache CRLs, the ASA considers the CRL too old to be reliable, or "stale." The ASA tries to retrieve a newer version of the CRL the next time that a certificate authentication requires a check of the stale CRL.
The ASA caches CRLs for an amount of time determined by the following two factors:
• The number of minutes specified with the cache-time command. The default value is 60 minutes.
• The NextUpdate field in the CRLs retrieved, which may be absent from CRLs. You control whether the ASA requires and uses the NextUpdate field with the enforcenextupdate command.
The ASA uses these two factors in the following ways:
• If the NextUpdate field is not required, the ASA marks CRLs as stale after the length of time defined by the cache-time command.
• If the NextUpdate field is required, the ASA marks CRLs as stale at the sooner of the two times specified by the cache-time command and the NextUpdate field. For example, if the cache-time command is set to 100 minutes and the NextUpdate field specifies that the next update is 70 minutes away, the ASA marks CRLs as stale in 70 minutes.

Q: 4
An IT manager and a Security manager are discussing the deployment options for clientless SSL VPN.
They are trying to decide which groups are best suited for this new deployment option.
Which two groups are the best candidates for the clientless SSL VPN rollout? (Choose two.)
A. an IT administrator who needs to manage servers from a corporate laptop
B. employees who need occasional access to check their email accounts
C. a vendor who needs access to confidential corporate presentations via Secure FTP
D. customers who need interactive access to the corporate invoice server
Answer: B,D

Q: 5
Your corporation has contractors that need remote access to server desktops, in order to diagnose issues and load software during nonbusiness hours. Which three clientless SSL VPN configurations allow these contractors to access the desktops of remote servers? (Choose three.)
A. XWindows bookmark by using the XWindows plug-in
B. RDP bookmark by using the RDP plug-in
C. SCP bookmark by using SCP plug-in
D. VNC bookmark by using the VNC plug-in
E. SSH bookmark by using the SSH plug-in
F. Citrix plug-in by using the Citrix plug-in
Answer: B,D,F

Q: 6
Which three Host Scan checks on a remote endpoint can you configure Cisco Secure Desktop to perform? (Choose three.)
A. registry checks
B. user rights checks
C. group policy objects checks
D. file checks
E. virus software checks
F. process checks
Answer: A,D,F configuration/guide/CSDhscan.html
You can specify a set of registry entries, filenames, and process names, which form a part of Basic Host Scan.
Host Scan, which includes Basic Host Scan and Endpoint Assessment, or Advanced Endpoint Assessment, occurs after the prelogin assessment but before the assignment of a DAP. Following the Basic Host Scan, the security appliance uses the login credentials, the host scan results, prelogin policy, and other criteria you configure to assign a DAP.
See the sections that name the types of Basic Host Scan entries you would like to configure:
• Adding a File Check
• Adding a Registry Key Check
• Adding a Process Check

Q: 7
Which three statements about clientless SSL VPN are true? (Choose three.)
A. Users are not tied to a particular PC or workstation.
B. Users have full application access to internal corporate resources.
C. Minimal IT support is required.
D. Cisco AnyConnect SSL VPN software is automatically downloaded to the remote user at the start of the clientless session.
E. For security reasons, browser cookies are disabled for clientless SSL VPN sessions.
F. Clientless SSL VPN requires an SSL-enabled web browser.
Answer: A,C,F

Q: 8
A remote user who establishes a clientless SSL VPN session is presented with a web page. The administrator has the option to customize the "look and feel" of the page. What are three components of the VPN Customization Editor? (Choose three.)
A. Application page
B. Logon page
C. Networking page
D. Logout page
E. Home page
F. Portal page
Answer: B,D,F
GUI Enhancements
In Cisco IOS Release 12.4(15)T, ergonomic improvements were made to the GUI user interface of the Cisco IOS SSL VPN gateway. The improved customization of the user interface provides for greater flexibility and the ability to tailor portal pages for individualized looks. Enhancements were made to the following web screens:
• Login screen
• Portal page

Q: 9
When establishing a Cisco AnyConnect SSL VPN tunnel, a system administrator wants to restrict remote home office users to either print to their local printer or send the remaining traffic down the Cisco AnyConnect SSL VPN tunnel (with restricted Internet access).
Choose both a tunnel policy option and an ACL type to accomplish this design goal. (Choose two.)
A. tunnel all networks
B. tunnel network list below
C. exclude network list from the tunnel
D. standard ACL
E. web ACL
F. extended ACL
Answer: C,D products_configuration_example09186a0080702992.shtml

Q: 10
The LAN-to-LAN tunnel is not established, but an administrator can ping the remote Cisco ASA.
Which three IPsec LAN-to-LAN configuration parameters should the administrator verify at both ends of the tunnel? (Choose three.)
A. pre-shared key
B. extended authentication password
C. extended authentication username
D. crypto ACL source IP address
E. crypto ACL destination IP address
F. tunnel connection-type: originate or answer
Answer: A,D,E
