1. Tom works as a network administrator for the TIS company. The primary adaptive security appliance in an
active/standby failover configuration failed, so the secondary adaptive security appliance was automatically
activated. Tom then fixed the problem. Now he would like to restore the primary to active status. Which one of the
following commands can reactivate the primary adaptive security appliance and restore it to active status while
issued on the primary adaptive security appliance?
A. failover reset
B. failover primary active
C. failover active
D. failover exec standby
Answer: C
2. Which of the following command sets enables the DHCP server on the DMZ interface of the Cisco ASA with
an address pool of 10.0.1.100-10.0.1.108 and a DNS server of 192.168.1.2?
A. dhcpd address 10.0.1.100-10.0.1.108 DMZ
dhcpd dns 192.168.1.2
dhcpd enable DMZ
B. dhcpd address range 10.0.1.100-10.0.1.108
dhcpd dns server 192.168.1.2
dhcpd enable DMZ
C. dhcpd range 10.0.1.100-10.0.1.108 DMZ
dhcpd dns server 192.168.1.2
dhcpd DMZ
D. dhcpd address range 10.0.1.100-10.0.1.108
dhcpd dns 192.168.1.2
dhcpd enable
Answer: A
3. Look at the following exhibit carefully. Which one of the four diagrams displays a correctly configured network
for a transparent firewall?
TestInside Cisco 642-524
A. 1
B. 2
C. 3
D. 4
Answer: D
4. What is the effect of the per-user-override option when applied to the access-group command syntax?
A. The log option in the per-user access list overrides existing interface log options.
B. It allows for extended authentication on a per-user basis.
C. It allows downloadable user access lists to override the access list applied to the interface.
D. It increases security by building upon the existing access list applied to the interface. All subsequent users are
also subject to the additional access list entries.
Answer: C
5. John works as a network administrator for the TIS company. According to the exhibit, the only traffic that John
would like to allow through the corporate Cisco ASA adaptive security appliance is inbound HTTP to the DMZ
network and all traffic from the inside network to the outside network. John also has configured the Cisco ASA
adaptive security appliance, and access through it is now working as expected with one exception: contractors
working on the DMZ servers have been surfing the Internet from the DMZ servers, which (unlike other Company
XYZ hosts) are using public, routable IP addresses. Neither NAT statements nor access lists have been configured
for the DMZ interface.
What is the reason that the contractors are able to surf the Internet from the DMZ servers?
(Note: The 192.168.X.X IP addresses are used to represent routable public IP addresses even though the
192.168.1.0 network is not actually a public routable network.)
A. An access list on the outside interface permits this traffic.
B. NAT control is not enabled.
C. The DMZ servers are using the same global pool of addresses that is being used by the inside hosts.
D. HTTP inspection is not enabled.
Answer: B
6. In order to recover the Cisco ASA password, which operation mode should you enter?
A. configure
B. unprivileged
C. privileged
D. monitor
Answer: D
7. Which three statements correctly describe protocol inspection on the Cisco ASA adaptive security appliance?
(Choose three.)
A. For the security appliance to inspect packets for signs of malicious application misuse, you must enable
advanced (application layer) protocol inspection.
B. If you want to enable inspection globally for a protocol that is not inspected by default or if you want to
globally disable inspection for a protocol, you can edit the default global policy.
C. The protocol inspection feature of the security appliance securely opens and closes negotiated ports and IP
addresses for legitimate client-server connections through the security appliance.
D. If inspection for a protocol is not enabled, traffic for that protocol may be blocked.
Answer: BCD
8. Which of the following commands verifies that NAT is working normally and displays active NAT
translations?
A. show ip nat all
B. show running-configuration nat
C. show xlate
D. show nat translation
Answer: C
9. Multimedia applications transmit requests on TCP, get responses on UDP or TCP, use dynamic ports, and use
the same port for source and destination, so they can pose challenges to a firewall. Which three items are true
about how the Cisco ASA adaptive security appliance handles multimedia applications? (Choose three.)
A. It dynamically opens and closes UDP ports for secure multimedia connections, so you do not need to open a
large range of ports.
B. It supports SIP with NAT but not with PAT.
C. It supports multimedia with or without NAT.
D. It supports RTSP, H.323, Skinny, and CTIQBE.
Answer: ACD
10. What is the result if the WebVPN url-entry parameter is disabled?
A. The end user is unable to access pre-defined URLs.
B. The end user is unable to access any CIFS shares or URLs.
C. The end user is able to access CIFS shares but not URLs.
D. The end user is able to access pre-defined URLs.
Answer: D
11. You work as a network engineer at TestInside.com. You are asked to examine the current Modular Policy
Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security
Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by using
the appropriate Cisco ASDM configuration screens.
A host on the partnernet network attempts to use FTP to download a file from InsideHost, which resides on the
inside interface of the security appliance. What does the security appliance do with the traffic from the partnernet
host?
A. Sends it to the Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module (SSM) for
inspection before forwarding it to its destination
B. Sends it to the Cisco ASA 5500 Series Content Security and Control (CSC) SSM for inspection before
forwarding it to its destination
C. Forwards it directly to its destination
D. Forwards it directly to its destination unless the connection limit is already met
Answer: D
12. You work as a network engineer at TestInside.com. You are asked to examine the current Modular Policy
Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security
Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by using
the appropriate Cisco ASDM configuration screens.
Which traffic does the security appliance inspect globally (regardless of the interface on which the traffic enters the
security appliance)? (Choose three.)
A. HTTP
B. DNS
C. GTP
D. H.323 H.225
Answer: ABD
13. You work as a network engineer at TestInside.com. You are asked to examine the current Modular Policy
Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security
Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by using
the appropriate Cisco ASDM configuration screens.
A host on the partnernet network makes a VoIP call to 172.20.1.15, which is statically mapped to an IP phone on
the inside network. What does the security appliance do with the VoIP traffic between host 172.20.1.15 and the
host on the partnernet network?
A. Sends it to the AIP-SSM for inspection before forwarding it to its destination
B. Sends it to the CSC-SSM for inspection before forwarding it to its destination
C. Forwards it directly to its destination unless the connection limit is already met
D. Applies low latency queuing as it exits the partnernet interface
Answer: D
14. You work as a network engineer at TestInside.com. You are asked to examine the current Modular Policy
Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security
Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by using
the appropriate Cisco ASDM configuration screens.
A host on the outside network sends e-mail to the public e-mail server. What does the security appliance do with
the traffic from the outside host?
A. Sends it to the AIP-SSM for inspection before forwarding it to its destination
B. Sends it to the CSC-SSM for inspection before forwarding it to its destination
C. Forwards it directly to its destination
D. Forwards it directly to its destination unless the connection limit is already met
Answer: A
15. You work as a network engineer at TestInside.com. You are asked to examine the current Modular Policy
Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security
Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by using
the appropriate Cisco ASDM configuration screens.
A host on the partnernet network attempts to access the public web server via HTTP. What does the security
appliance do with traffic from the partnernet?
A. Sends it to the AIP-SSM for inspection before forwarding it to its destination
B. Sends it to the CSC-SSM for inspection before forwarding it to its destination
C. Forwards it directly to its destination
D. Forwards it directly to its destination unless the connection limit is already met
Answer: C
16. You work as a network engineer at TestInside.com. You are asked to examine the current Modular Policy
Framework configurations on the LA-ASA Adaptive Security Appliances using the Cisco Adaptive Security
Device Manager (ASDM) utility. You need to answer the multiple-choice questions in this simulation by using
the appropriate Cisco ASDM configuration screens.
A host on the outside network makes a VoIP call to a host on the inside network. What does the security appliance
do with the traffic from the host on the outside network?
A. Sends it to the AIP-SSM for inspection before forwarding it to its destination
B. Sends it to the CSC-SSM for inspection before forwarding it to its destination
C. Forwards it directly to its destination
D. Drops it
Answer: D
17. Which three tunneling protocols and methods are supported by the Cisco VPN Client? (Choose three.)
A. IPsec over TCP
B. IPsec over UDP
C. ESP
D. AH
Answer: ABC
18. Which two options are correct about the impacts of this configuration? (Choose two.)
class-map INBOUND_HTTP_TRAFFIC
  match access-list TOINSIDEHOST
class-map OUTBOUND_HTTP_TRAFFIC
  match access-list TOOUTSIDEHOST
policy-map MYPOLICY
  class INBOUND_HTTP_TRAFFIC
    inspect http
    set connection conn-max 100
policy-map MYOTHERPOLICY
  class OUTBOUND_HTTP_TRAFFIC
    inspect http
service-policy MYOTHERPOLICY interface inside
service-policy MYPOLICY interface outside
A. Traffic that matches access control list TOINSIDEHOST is subject to HTTP inspection and maximum
connection limits.
B. Traffic that enters the security appliance through the inside interface is subject to HTTP inspection.
C. Traffic that enters the security appliance through the outside interface and matches access control list
TOINSIDEHOST is subject to HTTP inspection and maximum connection limits.
D. Traffic that enters the security appliance through the inside interface and matches access control list
TOOUTSIDEHOST is subject to HTTP inspection.
Answer: CD
19. Study the configuration shown in the exhibit carefully. What traffic will be logged to the AAA server?
A. Only authenticated and authorized console connection information will be logged in the accounting database.
B. All outbound TCP connection information will be logged in the accounting database.
C. No information will be logged. This is not a valid configuration because TACACS+ connection information
cannot be captured and logged.
D. All connection information will be logged in the accounting database.
Answer: B
20. What are the two purposes of the same-security-traffic permit intra-interface command? (Choose two.)
A. It allows all of the VPN spokes in a hub-and-spoke configuration to be terminated on a single interface.
B. It enables Dynamic Multipoint VPN.
C. It permits communication in and out of the same interface when the traffic is IPSec protected.
D. It allows communication between different interfaces that have the same security level.
Answer: AC
21. How many unique transforms will be included in a single transform set when configuring the crypto ipsec
transform-set command?
A. three
B. two
C. four
D. one
Answer: B
22. Study the following exhibit carefully. The Cisco ASA adaptive security appliance is using software version 8.0
with the default configuration. Configure the interfaces displayed in the exhibit with the security levels that are
shown, and enable the interfaces. Management-only mode is disabled on m0/0. Which two statements correctly
describe these interfaces? (Choose two.)
A. Interface m0/0 can access interface g0/2, but interface g0/2 cannot access interface m0/0 unless it is given
permission.
B. Interface g0/1 can access interface m0/0, and interface m0/0 can access interface g0/1.
C. Interface g0/1 cannot access interface m0/0 unless it is given permission, and interface m0/0 cannot access
interface g0/1 unless it is given permission.
D. No traffic can flow between the g0/2 and g0/3 interfaces.
Answer: AD
23. John works as a network administrator. According to the following exhibit, descriptions are added to class
maps for each part of the modular policy framework. Which text should John add to the description command to
describe the TO_SERVER class map?
TIS-asa1(config)#access-list UDP permit udp any any
TIS-asa1(config)#access-list TCP permit tcp any any
TIS-asa1(config)#access-list PUBLIC_WEB permit ip any 10.10.10.100 255.255.255.255
TIS-asa1(config)#class-map ALL_UDP
TIS-asa1(config-cmap)#description "This class-map matches all UDP traffic"
TIS-asa1(config-cmap)#match access-list UDP
TIS-asa1(config-cmap)#class-map ALL_TCP
TIS-asa1(config-cmap)#description "This class-map matches all TCP traffic"
TIS-asa1(config-cmap)#match access-list TCP
TIS-asa1(config-cmap)#class-map ALL_WEB_SERVER
TIS-asa1(config-cmap)#description "This class-map matches all HTTP traffic"
TIS-asa1(config-cmap)#match port tcp eq http
TIS-asa1(config-cmap)#class-map TO_SERVER
TIS-asa1(config-cmap)#match access-list PUBLIC_WEB
A. description "This class-map matches all TCP traffic for the public web server."
B. description "This class-map matches all HTTP traffic for the public web server."
C. description "This class-map matches all HTTPS traffic for the public web server."
D. description "This class-map matches all IP traffic for the public web server."
Answer: D
24. What is the reason that you want to configure VLANs on a security appliance interface?
A. for use in conjunction with device-level failover to increase the reliability of your security appliance
B. for use in transparent firewall mode, where only VLAN interfaces are used
C. to increase the number of interfaces available to the network without adding additional physical interfaces or
security appliances
D. for use in multiple context mode, where you can map only VLAN interfaces to contexts
Answer: C
25. By default, the AIP-SSM IPS software is accessible from the management port at IP address 10.1.9.201/24.
Which CLI command should an administrator use to change the default AIP-SSM management port IP address?
A. interface
B. hw module 1 recover
C. setup
D. hw module 1 setup
Answer: C
26. Which one of the following commands can provide detailed information about the crypto map configurations
of a Cisco ASA adaptive security appliance?
A. show ipsec sa
B. show crypto map
C. show run ipsec sa
D. show run crypto map
Answer: D
27. Which three are potential groups of users for WebVPN? (Choose three.)
A. employees accessing specific internal applications from desktops and laptops not managed by IT
B. administrators who need to manage servers and networking equipment
C. employees that only need occasional corporate access to a few applications
D. users of a customer service kiosk placed in a retail store
Answer: ACD
28. Which three features can the Cisco ASA adaptive security appliance support? (Choose three.)
A. BGP dynamic routing
B. 802.1Q VLANs
C. OSPF dynamic routing
D. static routes
Answer: BCD
29. Which one of the following commands will prevent all SIP INVITE packets, such as calling-party and
request-method, from specific SIP endpoints?
A. Use the match calling-party command in a class map. Apply the class map to a policy map that contains the
match request-methods command.
B. Group the match commands in a SIP inspection class map.
C. Use the match request-methods command in an inspection class map. Apply the inspection class map to an
inspection policy map that contains the match calling-party command.
D. Group the match commands in a SIP inspection policy map.
Answer: B
30. Which two statements are true about multiple context mode? (Choose two.)
A. Multiple context mode does not support IPS, IPsec, and SSL VPNs, or dynamic routing protocols.
B. Multiple context mode enables you to create multiple independent virtual firewalls with their own security
policies and interfaces.
C. Multiple context mode enables you to add to the security appliance a hardware module that supports up to four
independent virtual firewalls.
D. When you convert from single mode to multiple mode, the security appliance automatically adds an entry for
the admin context to the system configuration with the name "admin."
Answer: BD
31. How do you ensure that the main interface does not pass untagged traffic when using subinterfaces?
A. Use the vlan command on the main interface.
B. Use the shutdown command on the main interface.
C. Omit the nameif command on the subinterface.
D. Omit the nameif command on the main interface.
Answer: D
32. For creating and configuring a security context, which three tasks are mandatory? (Choose three.)
A. allocating interfaces to the context
B. assigning MAC addresses to context interfaces
C. creating a context name
D. specifying the location of the context startup configuration
Answer: ACD
33. Study the exhibit carefully. Which two types of failover is this adaptive security appliance configured for?
(Choose two.)
TIS-asa1# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail GigabitEthernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 15:54:49 UTC Sept 17 2006
Group 2 last failover at: 15:55:00 UTC Sept 17 2006
A. stateful failover
B. LAN-based failover
C. cable-based failover
D. Active/Active failover
Answer: BD
34. Which two descriptions are correct about configuring passive RIP on the security appliance based on the
following exhibit? (Choose two.)
A. You must specify a classful network IP address to define a network for the RIP routing process.
B. If you enable passive RIP, all interfaces must operate in passive mode.
C. There is no limit to the number of networks you can specify for the RIP routing process.
D. Enabling passive RIP mode causes the security appliance to receive all RIP routing updates but send only a
default route to neighboring routers.
Answer: AC
35. Which of these identifies basic settings for the security appliance, including a list of contexts?
A. network configuration
B. admin configuration
C. system configuration
D. primary configuration
Answer: C
36. Study the exhibit carefully. The security policy for TIS Corporation allows only the following traffic through
the corporate adaptive security appliance:
--outbound NTP traffic from the inside network to any outside destination
--FTP traffic from the inside network to the FTP server on the DMZ
--outbound HTTP traffic from the inside network to any outside destination
--FTP traffic from the outside 192.168.6.0/24 network to the FTP server on the DMZ
--any HTTP traffic from the outside to the web server on the DMZ
The network administrator configured access rules according to the security policy requirements but made two
mistakes. Which two mistakes did the administrator make? (Choose two.)
A. missing ACE
B. incorrect destination address
C. missing ACL
D. incorrect order of ACLs
Answer: BD
37. An administrator wants to protect a DMZ web server from SYN flood attacks. Which command does not
allow the administrator to place limits on the number of embryonic connections?
A. set connection
B. nat
C. static
D. HTTP-map
Answer: D
38. Which option correctly describes the order to upgrade the license (activation key) for your security appliance
from Cisco ASDM?
A. Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the
security appliance as it appears on the chassis of the security appliance.
Step 2 Reboot the security appliance to ensure that the image in flash and the running image are the same.
Step 3 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco
ASDM and enter the activation key as a four- or five-element hexadecimal string with no spaces.
Step 4 Click Update Activation Key in the Activation Key panel.
Step 5 Reload the security appliance to activate the flash activation key.
B. Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the
security appliance as it appears in the show version command output.
Step 2 Reboot the security appliance to ensure that the image in flash and the running image are the same.
Step 3 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco
ASDM and enter the activation key as a four- or five-element hexadecimal string with one space between each
element.
Step 4 Click Update Activation Key in the Activation Key panel.
Step 5 Reload the security appliance to activate the flash activation key.
C. Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the
security appliance as it appears in the show version command output.
Step 2 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco
ASDM and enter the activation key as a three- or four-element hexadecimal string with one space between each
element.
Step 3 Click Update Activation Key in the Activation Key panel.
Step 4 Click Save in the Cisco ASDM toolbar.
D. Step 1 Obtain an activation key from http://www.cisco.com/go/license by providing the serial number for the
security appliance as it appears on the chassis of the security appliance.
Step 2 Go to Configuration > Device Management > System Image/Configuration > Activation Key in Cisco
ASDM and enter the activation key as a four- or five-element hexadecimal string with no spaces.
Step 3 Click Update Activation Key in the Activation Key panel.
Step 4 Click Save in the Cisco ASDM toolbar.
Answer: B
39. You are a network administrator for the TIS company. After the primary adaptive security appliance failed, the
secondary adaptive security appliance was automatically activated. You fixed the problem. Now you would like to
restore the primary to "active" status.
When issued on the primary adaptive security appliance, which command would reactivate the primary adaptive
security appliance and return it to "active" status?
A. failover secondary standby group 1
B. failover primary active
C. failover active group 1
D. failover secondary group 1
Answer: C
40. Which two scenarios correctly describe the impact of the configuration shown in the exhibit? (Choose two.)
A. User addison enters the login command at the > prompt and logs in with the correct username and password
when prompted. User addison can then enter the global configuration mode on the security appliance.
B. User carter enters the enable command at the > prompt and logs in with the correct username and password
when prompted. User carter can then enter the global configuration mode.
C. User carter enters the login command at the > prompt and logs in with the correct username and password
when prompted. User carter can then enter the global configuration mode on the security appliance.
D. User kenny enters the enable command at the > prompt and logs in with the correct username and password
when prompted. User kenny can then enter the global configuration mode.
Answer: AD
41. While configuring a crypto map, which command will be used to specify the peer to which IPsec-protected
traffic could be forwarded?
A. crypto-map policy 10 set 192.168.7.2
B. crypto map set peer 192.168.7.2
C. crypto map 20 set-peer insidehost
D. crypto map peer7 10 set peer 192.168.7.2
Answer: D
42. Which three commands can verify that the boot image is asa802-k8.bin according to the exhibit? (Choose
three.)
A. show asdm image
B. show bootvar
C. show startup-config
D. show version
Answer: BCD
43. Which feature prevents ARP spoofing?
A. MAC fixup
B. ARP inspection
C. MAC inspection
D. ARP fixup
Answer: B
44. Which two statements about the downloadable ACL feature of the security appliance are correct? (Choose
two.)
A. Downloadable ACLs are supported using TACACS+ or RADIUS.
B. Downloadable ACLs enable you to store full ACLs on a AAA server and download them to the security
appliance.
C. The security appliance supports only per-user ACL authorization.
D. The downloadable ACL must be attached to a user or group profile on a AAA server.
Answer: BD
45. What is the purpose of the url-list command in global configuration mode?
A. Stop the end user from accessing pre-defined URLs.
B. Allow end users access to URLs.
C. Allow end users access to CIFS shares and URLs.
D. Configure a set of URLs for WebVPN users to access.
Answer: D
46. Which three commands can display the contents of flash memory on the Cisco ASA adaptive security
appliance? (Choose three.)
A. show disk0:
B. show memory
C. dir
D. show flash:
Answer: ACD
47. What is the following command used for?
TIS-fw1(config)# filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
A. to filter Java traffic on HTTP from any host and to any host
B. to filter ActiveX traffic on HTTP from any host and to any host
C. to filter ActiveX traffic once it has been applied to an interface
D. to filter ActiveX traffic from the default route
Answer: B
48. Which options can a clientless SSL VPN user access from a web browser without port forwarding, smart
tunnels, or browser plug-ins?
A. internal websites
B. Microsoft Outlook Web Access
C. files on the network, via FTP or the CIFS protocol
D. web-enabled applications
Answer: ABCD
Copyright ©2013-2015 江浙滬招生考試網(wǎng) All Rights Reserved.