[Free] Download New Updated (December) Cisco 640-554 Exam Questions 181-190

Ensurepass

QUESTION 181

Which two IPsec protocols are used to protect data in motion? (Choose two.)

A. Encapsulating Security Payload Protocol
B. Transport Layer Security Protocol
C. Secure Shell Protocol
D. Authentication Header Protocol

Correct Answer: AD

Explanation:

IPsec provides three main facilities:

- An authentication-only function, referred to as Authentication Header (AH)
- A combined authentication/encryption function, called Encapsulating Security Payload (ESP)
- A key exchange function

For virtual private networks, both authentication and encryption are generally desired, because it is important both to a) assure that unauthorized users do not penetrate the virtual private network, and b) assure that eavesdroppers on the Internet cannot read messages sent over the virtual private network.

Because both features are generally desirable, most implementations are likely to use ESP rather than AH. The key exchange function allows for manual exchange of keys as well as an automated scheme.

Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html


QUESTION 182

On which protocol number does Encapsulating Security Payload operate?

A. 06
B. 47
C. 50
D. 51

Correct Answer: C

Explanation:

Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides origin authenticity, integrity and confidentiality protection of packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike Authentication Header (AH), ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. ESP operates directly on top of IP, using IP protocol number 50.

Reference: http://en.wikipedia.org/wiki/IPsec


QUESTION 183

On which protocol number does the authentication header operate?

A. 06
B. 47
C. 50
D. 51

Correct Answer: D

Explanation:

Authentication Header (AH) is a member of the IPsec protocol suite. AH guarantees connectionless integrity and data origin authentication of IP packets. Further, it can optionally protect against replay attacks by using the sliding window technique and discarding old packets.

AH operates directly on top of IP, using IP protocol number 51.

Reference: http://en.wikipedia.org/wiki/IPsec


QUESTION 184

Refer to the exhibit. Which two changes must you make to the given IOS site-to-site VPN configuration to enable the routers to form a connection? (Choose two.)

[Exhibit: IOS site-to-site VPN configuration of Router A and Router B; image not included]

A. Configure a valid route on Router A.
B. Configure the access list on Router B to mirror Router A.
C. Configure Router B's ISAKMP policy to match the policy on Router A.
D. Configure the tunnel modes on the two routers to match.

Correct Answer: BD

Explanation:

You must configure symmetric crypto ACLs for use by IPsec. Both inbound and outbound traffic are evaluated against the same outbound IPsec ACL. The ACL criteria are applied in the forward direction to traffic exiting your router, and the reverse direction to traffic entering your router. When a router receives encrypted packets back from an IPsec peer, it uses the same ACL to determine which inbound packets to decrypt by viewing the source and destination addresses in the ACL in reverse order.

Important note:

The crypto ACLs used by IPsec must be mirror-image ACLs, because both inbound and outbound traffic is evaluated against the same outbound IPsec ACL. Also, the tunnel modes must match on each end. Here we see that Router A is using transport mode while Router B is configured for tunnel mode.

Reference: http://lonetsec.blogspot.com/2011/02/cisco-cli-site-to-site-ipsec-vpn.html


QUESTION 185

In an IPsec VPN, what determination does the access list make about VPN traffic?

A. whether the traffic should be blocked
B. whether the traffic should be permitted
C. whether the traffic should be encrypted
D. the peer to which traffic should be sent

Correct Answer: C

Explanation:

Crypto access lists are used to define which IP traffic will be protected by crypto (encrypted) and which traffic will not. These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface. For example, crypto access lists can be created to protect all IP traffic between Subnet A and Subnet Y, or only Telnet traffic between Host A and Host B.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfipsec.html#wp1001139


QUESTION 186

Which command verifies phase 2 of an IPsec VPN on a Cisco router?

A. show crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto engine connection active

Correct Answer: B

Explanation:

Reference: https://sites.google.com/site/networkexams/tccnp-icsw1


QUESTION 187

You are troubleshooting a Cisco AnyConnect VPN on a firewall and issue the command “show webvpn anyconnect.” The output shows the message “SSL VPN is not enabled” instead of showing the AnyConnect package. Which action can you take to resolve the problem?

A. Issue the enable outside command.
B. Issue the anyconnect enable command.
C. Issue the enable inside command.
D. Reinstall the AnyConnect image.

Correct Answer: B

Explanation:

Configuring the ASA to Web-Deploy the Client

This section describes the steps to configure the ASA to web-deploy the AnyConnect client.

Detailed Steps

Step 1. Command: anyconnect image filename order

Example:
hostname(config-webvpn)# anyconnect image anyconnect-win-2.3.0254-k9.pkg 1
hostname(config-webvpn)# anyconnect image anyconnect-macosx-i386-2.3.0254-k9.pkg 2
hostname(config-webvpn)# anyconnect image anyconnect-linux-2.3.0254-k9.pkg 3

Purpose: Identifies a file on flash as an AnyConnect client package file. The ASA expands the file in cache memory for downloading to remote PCs. If you have multiple clients, assign an order to the client images with the order argument. The ASA downloads portions of each client in the order you specify until it matches the operating system of the remote PC. Therefore, assign the lowest number to the image used by the most commonly encountered operating system.

Note: You must issue the anyconnect enable command after configuring the AnyConnect images with the anyconnect image xyz command. If you do not issue the anyconnect enable command, AnyConnect will not operate as expected, and show webvpn anyconnect reports the SSL VPN client as not enabled rather than listing the installed AnyConnect packages.

Step 2. Command: enable interface

Example:
hostname(config)# webvpn
hostname(config-webvpn)# enable outside

Purpose: Enables SSL on an interface for clientless or AnyConnect SSL connections.

Step 3. Command: anyconnect enable

Purpose: Without issuing this command, AnyConnect does not function as expected, and a show webvpn anyconnect command returns "SSL VPN is not enabled" instead of listing the installed AnyConnect packages.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html


QUESTION 188

Which statement about the role-based CLI access views on a Cisco router is true?

A. The maximum number of configurable CLI access views is 10, including one lawful intercept view and excluding the root view.
B. The maximum number of configurable CLI access views is 10, including one superview.
C. The maximum number of configurable CLI access views is 15, including one lawful intercept view and excluding the root view.
D. The maximum number of configurable CLI access views is 15, including one lawful intercept view.

Correct Answer: C


QUESTION 189

Which three protocols are supported by management plane protection? (Choose three.)

A. SNMP
B. SMTP
C. SSH
D. OSPF
E. HTTPS
F. EIGRP

Correct Answer: ACE


QUESTION 190

Which statement about rule-based policies in Cisco Security Manager is true?

A. Rule-based policies contain one or more rules that are related to a device's security and operations parameters.
B. Rule-based policies contain one or more rules that control how traffic is filtered and inspected on a device.
C. Rule-based policies contain one or more user roles that are related to a device's security and operations parameters.
D. Rule-based policies contain one or more user roles that control how user traffic is filtered and inspected on a device.

Correct Answer: B
