Cisco 642-511 Certification Exams, Prompt Updates Cisco 642-511 Preparation Materials For Download

This page collects Cisco 642-511 (CSVPN) practice questions 101 through 130, with answers and explanations, as published by Flydumps.

QUESTION 101
In which location can the Cisco VPN Concentrator find the CRL in an environment where CRL checking is enabled on the Cisco VPN Concentrator?
A. The Cisco VPN Concentrator polls the CA for an updated list at a pre-defined rate.
B. The CA sends a CRL to the Cisco VPN Concentrator directly at least once a week.
C. The CRL distribution point is listed on the identity certificate.
D. The CRL is sent, out-of-band, to the administrator biweekly.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The identity certificate carries a CRL distribution point (CDP) extension that names where the CRL is published. When CRL checking is enabled, the Concentrator retrieves the CRL from that location; the CA does not push the list to the Concentrator, and the Concentrator does not poll the CA on a schedule.
QUESTION 102
How do you configure your Concentrator to use a digital certificate for authentication?
A. configuration, system, management protocols
B. configuration, system, general, sessions
C. configuration, policy management, traffic management, rules
D. configuration, policy management, traffic management, security associations

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
On a 3000 series Concentrator the authentication method for an IPSec connection is set in the security association, under Configuration | Policy Management | Traffic Management | Security Associations. The SA screen ties the SA to an IKE proposal and lets you select the installed identity certificate in place of "None (Use Preshared Keys)".

QUESTION 103
How are IKE policies modified on a 3000 series Concentrator?
A. configuration, system, tunneling protocols, ipsec, ike proposals
B. configuration, system, ip routing, ipsec, ike proposals
C. configuration, system, events, ipsec, ike proposals
D. configuration, system, management protocols, ipsec, ike proposals

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
3000 series Concentrator IPSEC IKE proposals are created from configuration, system, tunneling
protocols, ipsec, ike proposals.

QUESTION 104
What does a Certificate Authority (CA) issue that invalidates digital certificates?
A. CDP
B. CRL
C. CMA
D. CSY

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
A Certificate Authority (CA) issues a Certificate Revocation List (CRL), which identifies certificates it issued that have been revoked before their expiry date, most often because the private key is thought to be compromised or the holder's affiliation has changed. Expired certificates are not listed on a CRL; the validity period on the certificate itself is what invalidates them.
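The checks described in Questions 101 and 104, as an added worked example that is not part of this question set: a small Python model of the order in which a CRL-checking gateway decides a peer certificate's status. The issuer name, serial numbers, CDP URLs and CRL contents are constructed for the example; a real Concentrator parses X.509 and fetches the CRL from the CDP named in the identity certificate.

```python
"""Certificate status check in the order a CRL-checking VPN gateway performs it.

Added example (not Cisco code): certificates and the CRL are constructed in-line
as plain records. A real gateway parses X.509 and retrieves the CRL from the
CRL distribution point (CDP) named in the identity certificate.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    cdp_url: Optional[str] = None      # where the gateway finds the CRL


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, str] = field(default_factory=dict)   # serial -> reason


def fetch_crl(cert: Certificate, crl_store: Dict[str, CRL]) -> Optional[CRL]:
    """Locate the CRL through the certificate's CDP. The gateway neither polls the
    CA on a timer nor receives pushed lists; no CDP means no CRL to consult."""
    if cert.cdp_url is None:
        return None
    return crl_store.get(cert.cdp_url)


def check_status(cert: Certificate, crl_store: Dict[str, CRL], now: datetime) -> str:
    # 1. Validity period first: an expired certificate is rejected here and is
    #    not on any CRL, because CRLs only list certificates revoked before expiry.
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    # 2. The CRL must exist, come from the same issuer, and still be current.
    #    A stale CRL cannot prove "not revoked", so fail closed.
    crl = fetch_crl(cert, crl_store)
    if crl is None:
        return "crl-unavailable"
    if crl.issuer != cert.issuer:
        return "crl-issuer-mismatch"
    if now > crl.next_update:
        return "crl-stale"
    # 3. Membership test by serial number, scoped to the issuer checked above.
    reason = crl.revoked.get(cert.serial)
    if reason is not None:
        return "revoked:" + reason
    return "good"


# ---- constructed sample data (hypothetical issuer, serials and URLs) --------
NOW = datetime(2004, 6, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
CA = "CN=Certkiller CA"
CDP_CURRENT = "http://ca.certkiller.example/current.crl"
CDP_OLD = "http://ca.certkiller.example/old.crl"

CRL_STORE = {
    CDP_CURRENT: CRL(CA, NOW - 1 * DAY, NOW + 6 * DAY, {0x1002: "keyCompromise"}),
    CDP_OLD: CRL(CA, NOW - 30 * DAY, NOW - 23 * DAY, {}),   # nextUpdate already passed
}

SAMPLE_CERTS = {
    "good":      Certificate(CA, 0x1001, NOW - 150 * DAY, NOW + 200 * DAY, CDP_CURRENT),
    "revoked":   Certificate(CA, 0x1002, NOW - 150 * DAY, NOW + 200 * DAY, CDP_CURRENT),
    "expired":   Certificate(CA, 0x1003, NOW - 400 * DAY, NOW - 30 * DAY, CDP_CURRENT),
    "no-cdp":    Certificate(CA, 0x1004, NOW - 150 * DAY, NOW + 200 * DAY, None),
    "stale-crl": Certificate(CA, 0x1005, NOW - 150 * DAY, NOW + 200 * DAY, CDP_OLD),
}


def demo() -> Dict[str, str]:
    """Status of every sample certificate as of NOW."""
    return {name: check_status(cert, CRL_STORE, NOW) for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10s} {status}")
```

The point of the ordering is that the expiry check comes before any CRL lookup, a certificate whose CDP cannot be reached or whose CRL is past its nextUpdate is not treated as "good", and the serial number is only meaningful together with the issuer that the CRL was signed for.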

QUESTION 105
Kathy, the security administrator at Certkiller Inc., is changing the IPSec client-to-LAN configuration from pre-shared keys to digital certificates. Which statement about the IPSec SA is true?
A. Kathy must make sure the SA IKE authentication method should be changed.
B. SA IPSec authentication method should be changed.
C. When the digital certificate is validated, the IPSec SA template automatically is updated.
D. When the digital certificates are activated, the IPSec SA template is automatically updated.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: Moving from pre-shared keys to digital certificates changes how IKE authenticates the peer, and that is a property of the IPSec SA: the IKE proposal the SA references must use RSA digital certificate authentication instead of pre-shared keys, and the SA's Digital Certificate setting must select the Concentrator's identity certificate instead of "None (Use Preshared Keys)". Installing or validating a certificate does not update the SA template on its own; the administrator must change it.
QUESTION 106
Jacob, the security administrator at Certkiller Inc., is working on the Cisco VPN Concentrator. The VPN Concentrator authenticates a remote peer during IKE negotiations by extracting the group information from a certificate. Prior to VPN Concentrator release 3.6, which certificate field had to match the VPN Concentrator's group name?
A. The CN field
B. The OU field
C. The O field
D. The L field

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Enter a unique name for this specific group. The maximum name length is 64 characters. Entries are case-sensitive. Changing a group name automatically updates the group name for all users in the group. If you are setting up a group for remote access users connecting with digital certificates, first find out the value of the Organizational Unit (OU) field of the user’s identity certificate. (Ask your certificate administrator for this information.) The group name you assign must match this value exactly. If some users in the group have different OU values, set up a different group for each of these users. If the Group Name field configured here and the OU field of the user’s identity certificate do not match, when the user attempts to connect, the VPN Concentrator considers the user to be a member of the base group. The base group parameter definitions might be configured differently than the user wants or expects. If the base group does not support digital certificates, the connection fails. Reference: VPN 3000 Concentrator Ref Volume 1. Config 3.5.pdf
QUESTION 107
Which of the following certificates are needed by the Cisco VPN Concentrator and the PC when configuring IPSec client-to-LAN? Choose two.
A. CA
B. identity certificate
C. public certificate
D. Private certificate
E. Root certificate
F. DSA certificate

Correct Answer: BE Section: (none) Explanation
Explanation/Reference:
Explanation:
Both the Concentrator and the VPN Client PC need the root (CA) certificate, which they use to validate the certificate the peer presents, and their own identity certificate issued by that CA, which they present to the peer during IKE authentication.
Source: Cisco Press CCSP Cisco Secure VPN (Roland, Newcomb) p.241

QUESTION 108
Kathy, the security administrator at Certkiller Inc., is working with the Cisco VPN Client. Which firewall is supported by the Cisco VPN Client Are You There feature?
A. Supported by Zone Labs
B. Supported by Cisco Integrated Client firewall
C. Supported by Cyberguard
D. Supported by Symantec

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: The VPN Client on the Windows platform includes a stateful firewall that incorporates Zone Labs technology. This firewall is used for both the Stateful Firewall (Always On) feature and the Centralized Protection Policy (see “Centralized Protection Policy (CPP)”). Reference:VPN Client Administrator Guide 4.0
QUESTION 109
Fred, the security manager, is working on the Cisco VPN 3000. In Cisco VPN 3000 release 3.6, where is AES encryption performed on the VPN Concentrator?
A. It is performed in an AIM-VP module.
B. It is performed in a VAM module.
C. It is performed in a SEP module.
D. It is performed in VPN Concentrator software.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
AES encryption algorithms work only with VPN Concentrator software version 3.6 and later, and in release 3.6 AES is performed in software. The SEP modules listed in the question accelerate DES and 3DES only; hardware AES requires the later SEP-E module. Reference: VPN 3000 Series Concentrator Reference Volume I: Configuration

QUESTION 110
Greg, the security administrator for Certkiller Inc., is setting up the Cisco VPN Client to interoperate with the Cisco VPN 3000. What is the minimum software version the Cisco VPN 3000 must be running for the Cisco VPN Client to interoperate with it?
A. Must be running 2.5 or later
B. Must be running 2.6 or later
C. Must be running 3.0 or later
D. Must be running 3.1 or later

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The cited requirement comes from the VPN 3002 Hardware Client release notes. To interoperate with a VPN 3002, the VPN 3000 Series Concentrator it connects to must be running software version 3.0 or later and must have an IPSec group and user name and password configured for that VPN 3002. For a VPN 3002 running in PAT mode, enable a method of address assignment (DHCP, address pools, per-user, or authentication-server address); for a VPN 3002 running in Network Extension mode, configure either a default gateway or a static route to the private network behind the VPN 3002. Reference: Release Notes for Cisco VPN 3002 Hardware Client Release 3.1

QUESTION 111
Which four of the following DH-Groups are supported by the 3000 series concentrators? (Select four.)
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
G. 7
H. 8

Correct Answer: ABEG Section: (none) Explanation
Explanation/Reference:
Explanation:
Groups 1, 2, 5 and 7 are selectable in an IKE proposal, so those are the supported groups. Groups 1, 2 and 5 are the 768-, 1024- and 1536-bit MODP (modular exponentiation) groups; group 7 is a 163-bit elliptic-curve group.

QUESTION 112
Which two DH groups does the VPN 3000 Concentrator support for key exchange? (Select two options.)
A. 2
B. 3
C. 4
D. 5
E. 6

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation: The 3000 Concentrator supports DH groups 1, 2, 5 and 7 for IKE key exchange. Of the groups offered in this question (2, 3, 4, 5 and 6), only 2 and 5 are supported.
QUESTION 113
Which two DH groups for the purposes of key exchange are supported by the Cisco VPN3000 Concentrator? (Select two options.)
A. 3
B. 4
C. 5
D. 6
E. 7

Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
Explanation:
The 3000 Concentrator supports DH groups 1, 2, 5 and 7 for key exchange. Of the groups offered here (3, 4, 5, 6 and 7), only 5 and 7 are supported, so the answer is consistent with Question 111.
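The IKE phase 1 key agreement behind Questions 111 through 113, as an added example that is not part of the question set or of Cisco's code: a Diffie-Hellman exchange run over the three MODP groups the Concentrator offers (1, 2 and 5), using the published RFC 2409 and RFC 3526 primes with generator 2. Group 7 is a 163-bit elliptic-curve group and is not implemented here. The peer-value check is the one assumption beyond the exchange itself: it rejects the degenerate public values 0, 1 and p-1 that a hostile peer could send to force a known shared secret.

```python
"""IKE phase 1 Diffie-Hellman agreement over the MODP groups a VPN 3000 offers
(1, 2 and 5). Group 7 is a 163-bit elliptic-curve group and is not shown.

Added example, not Cisco code. The primes are the published RFC 2409 (groups 1
and 2) and RFC 3526 (group 5) values; the generator for all three is 2.
"""
import secrets

_HEX = {
    1: """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
          29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
          EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
          E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF""",
    2: """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
          29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
          EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
          E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
          EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
          FFFFFFFF FFFFFFFF""",
    5: """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
          29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
          EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
          E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
          EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
          C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
          83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
          670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF""",
}
MODP_PRIMES = {g: int("".join(h.split()), 16) for g, h in _HEX.items()}
GENERATOR = 2


def group_bits(group: int) -> int:
    """Size of the group prime in bits (768 / 1024 / 1536)."""
    return MODP_PRIMES[group].bit_length()


def make_keypair(group: int):
    """Private exponent x in [2, p-2] and public value g^x mod p."""
    p = MODP_PRIMES[group]
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(GENERATOR, x, p)


def peer_value_ok(group: int, y: int) -> bool:
    """Reject 0, 1 and p-1 (and anything out of range): those public values force
    the shared secret to 0, 1 or +/-1 no matter what private exponent we hold."""
    return 1 < y < MODP_PRIMES[group] - 1


def shared_secret(group: int, private: int, peer_public: int) -> bytes:
    """g^(xy) mod p as a fixed-width big-endian byte string, as IKE feeds to its PRF."""
    if not peer_value_ok(group, peer_public):
        raise ValueError("degenerate peer Diffie-Hellman public value")
    p = MODP_PRIMES[group]
    z = pow(peer_public, private, p)
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def exchange(group: int):
    """Run both sides of the exchange; returns (secrets agree?, secret length in bytes)."""
    a_priv, a_pub = make_keypair(group)      # initiator
    b_priv, b_pub = make_keypair(group)      # responder
    z_a = shared_secret(group, a_priv, b_pub)
    z_b = shared_secret(group, b_priv, a_pub)
    return z_a == z_b, len(z_a)


if __name__ == "__main__":
    for g in (1, 2, 5):
        agree, size = exchange(g)
        print(f"group {g}: {group_bits(g)}-bit prime, {size}-byte secret, agree={agree}")
```

Group 1 (768-bit) is far below current strength expectations and should not be selected in a new proposal; of the groups the Concentrator offers, group 5 is the strongest MODP choice.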

QUESTION 114
Where do you enable or disable the VPN software client Stateful firewall?
A. options, settings, firewall
B. options, settings, stateful firewall
C. options, firewall
D. options, stateful firewall

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
From your VPN client software main screen, choose the options tab, then stateful firewall, to toggle the
feature on and off.

QUESTION 115
What are the three tabs of the VPN software client?
A. setup
B. firewall
C. monitoring
D. statistics
E. general

Correct Answer: BDE Section: (none) Explanation
Explanation/Reference:
Explanation:
While connected to a Concentrator, you can open the VPN Client status window, which has three main tabs:
General, Statistics, and Firewall.

QUESTION 116
What is the minimum software version needed to run AES encryption as your ESP protocol?
A. 2.9
B. 3.2
C. 3.6
D. 4.0

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
To use AES instead of DES encryption, you must be running software version 3.6 or later.

QUESTION 117
James and Kathy from the security department are working on the Cisco VPN Client together. They need to know what the three steps in the Are You There feature configuration are. (Choose three)
A. One of the steps is to select the firewall.
B. One of the steps is to select the firewall setting.
C. One of the steps is to enable the firewall virtual interface.
D. One of the steps is to select you are there on the firewall.
E. One of the steps is to select are you there on the Cisco VPN Client.
F. One of the steps is to select are you there on the Cisco VPN Concentrator.

Correct Answer: ABF Section: (none) Explanation
Explanation/Reference:
Explanation: On the Concentrator's "Client FW" tab (where "Are You There" is configured), one must set the "Firewall Setting", the "Firewall" (with "Custom Firewall" as an optional entry) and the "Firewall Policy". So the correct answers are A, B and F. Page 191 of "The Complete Cisco VPN Configuration Guide", Richard Deal; Cisco Press.
QUESTION 118
How often does a VPN software client send AYT messages to the local firewall?
A. every 5 seconds
B. every 20 seconds
C. every 30 seconds
D. every 60 seconds
E. every 2 minutes

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The Are You There (AYT) poll is sent from the VPN software client to the pc’s third party firewall every 30
seconds. If there is no response to the poll, the VPN client will drop the tunnel to the Head End
Concentrator.

QUESTION 119
When configuring CPP, which statement is true?
A. CPP is enabled in both the Cisco VPN Client and Cisco VPN Concentrator.
B. CPP is enabled in the Cisco VPN Client, Cisco VPN Concentrator, and firewall.
C. CPP is enabled on the Cisco VPN Concentrator only.
D. CPP is enabled in the Cisco VPN Concentrator and firewall.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Centralized Protection Policy (CPP)Centralized Protection Policy (CPP) also known as firewall push policy, lets a network administrator define a set of rules for allowing or dropping Internet traffic while the VPN Client is tunneled in to the VPN Concentrator. A network administrator defines this policy on the VPN Concentrator, and the policy is sent to the VPN Client during connection negotiation. The VPN Client passes the policy to the Cisco Integrated Client, which then enforces the policy. If the client user has already selected the “Always On” option, any more restrictive rules are enforced for Internet traffic while the tunnel is established. Since CIC includes a stateful firewall module, most configurations block all inbound traffic and permit either all outbound traffic or traffic through specific TCP and UDP ports outbound. Cisco Integrated Client, Zone Alarm, and Zone Alarm Pro firewalls can assign firewall rules. CPP rules are in effect during split tunneling and help protect the VPN Client PC from Internet attacks by preventing servers from running and by blocking any inbound connections unless they are associated with outbound connections. CPP provides more flexibility than the Stateful Firewall (Always On) feature, since with CPP, you can refine the ports and protocols that you want to permit. Reference:VPN Client Administrator Guide 4.0
QUESTION 120
Greg the security administrator for Certkiller Inc. is working on Cisco CPP custom policy. How does Greg activate a Cisco CPP custom policy?
A. Greg must enable custom CPP in the Cisco VPN Concentrator only.
B. Greg must enable custom CPP in the client and Cisco VPN Concentrator.
C. Greg must enable CPP in the Cisco VPN Concentrator and select the custom policy under policy management.
D. Greg must enable CPP in the Cisco VPN Concentrator and select the custom policy under the pushed policy drop-down menu.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Policy Pushed (CPP) = The VPN Concentrator enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are filters defined on this VPN Concentrator, including the default filters. Keep in mind that the VPN Concentrator pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the VPN Concentrator. For example, “in” and “out” refer to traffic coming into the VPN Client or going outbound from the VPN Client. Reference: VPN 3000 Concentrator Ref Volume 1. Configuration 4.0.pdf
QUESTION 121
The new Certkiller trainee technician wants to know which of the following filters are part of the Cisco CPP default policy. What will your reply be?
A. The block all inbound tunnel traffic not related to an outbound session filter.
B. The block all inbound Internet traffic not related to an outbound session filter.
C. The block all outbound tunnel traffic filter.
D. The block all outbound Internet traffic filter.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: CPP lets an administrator define rules to enforce for inbound and outbound Internet traffic during split tunneling. Because tunnel-everything already forces all traffic back through the tunnel, CPP is not used for tunnel-everything. The default CPP filter blocks all inbound Internet traffic that is not related to an outbound session: since the Cisco Integrated Client includes a stateful firewall module, most configurations block all inbound traffic and permit either all outbound traffic or outbound traffic to specific TCP and UDP ports. This protects the VPN Client PC from Internet attacks by preventing servers from running on it and by blocking any inbound connection that is not associated with an outbound one. The full CPP description is quoted under Question 119.
QUESTION 122
Which of the following describes a consequence of transparent tunneling on the Cisco VPN Client?
A. Cisco VPN Client transmits traffic in clear text
B. data packets are wrapped in UDP
C. encryption is disabled on the Cisco VPN Client
D. Split tunneling is enabled on the Cisco VPN Client

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router or firewall that may also be performing Network Address Translation (NAT) or Port Address Translation (PAT). It encapsulates the ESP traffic (IP protocol 50) within UDP packets (IPSec over UDP), or can encapsulate both IKE (UDP 500) and ESP in TCP packets (IPSec over TCP), before they are sent through the NAT/PAT devices and firewalls. The payload stays encrypted; only the outer encapsulation changes, which is why option C is wrong. The most common application is a VPN Client behind a home router performing PAT. The VPN Client also sends keepalives frequently so that the NAT/PAT mappings on those devices are kept active.
QUESTION 123
The newly appointed Certkiller trainee technician wants to know which of the following features will enable the Concentrator administrator to centrally define a set of rules for the Cisco VPN Client firewall. What will your reply be?
A. AYT
B. CIC Firewall
C. CPP
D. Stateful Firewall

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Centralized Protection Policy (CPP) is a stateful firewall policy that leverages the Cisco Integrated Client (CIC)
feature by letting the VPN Concentrator push the client firewall rules; the rules are defined centrally by the
administrator on the Concentrator. Reference: CCSP All-in-One Exam Guide, page 404

QUESTION 124
Cisco Central Policy Protection is capable of supporting which of the firewalls?
A. Symantec
B. Zone Labs
C. Cyberguard
D. Network Ice BlackICE defender

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Symantec and Cyberguard are not entries in the Client FW firewall list, so the choice is between Zone Labs and Network ICE BlackICE Defender. Of those two, only the Zone Labs firewalls (ZoneAlarm and ZoneAlarm Pro), along with the Cisco Integrated Client, accept a pushed CPP policy.

QUESTION 125
Which of the following allows the Head End Concentrator to push a security policy to a remote VPN client?

A. FTP
B. LMI
C. CPP
D. AYT

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The Head End Concentrator can push a security policy to a remote client via Centralized Protection Policy
(CPP).

QUESTION 126
Jason the security administrator for Certkiller Inc. is working on the Cisco VPN Client. How can Jason monitor IPSec sessions on the Cisco VPN Client?
A. Jason can monitor IPSec sessions in the Monitor-screen | Encryption
B. Jason can monitor IPSec sessions in the Cisco VPN Client Connection Status window
C. Jason can monitor IPSec sessions in the Monitor-Sessions screen
D. Jason can monitor IPSec sessions in the Monitor-Routing table

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The VPN Client Connection Status window, opened from the system tray icon while the tunnel is up, shows the active IPSec session from the client side. The Monitoring screens named in the other options are VPN Concentrator Manager screens, not VPN Client screens.
QUESTION 127
Which VPN Client status tab shows the encryption type used on the tunnel to the Concentrator?
A. firewall
B. statistics
C. general
D. options

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The VPN software client tab General will show the encryption type used to connect to the Concentrator

QUESTION 128
What is the system tray icon for a VPN software client?
A. chain
B. lock
C. key
D. a red C

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The system tray icon for a VPN software client is a padlock.

QUESTION 129
Exhibit (firewall policy chart as extracted; the numbered entries stand where the exhibit's values were):

Connection  Action  Direction  Source Address  Destination Address
1           10      Inbound    10              Local
            10      Outbound   Local           10
2           11      Inbound    11              Local
            11      Outbound   Local           11
3           12      Outbound   Local           12
4           13      Inbound    13              Local
            13      Outbound   Local           13

John, the security administrator for Certkiller, must troubleshoot a problem on the network. For connection 1 of the firewall policy chart, choose the action and IP addresses.
A. Action forward, source and destination address, 192.168.1.5
B. Action drop, source and destination address, 192.168.1.5
C. Action forward, source and destination address, 182.168.1.0
D. Action drop, source and destination address, 192.168.1.0

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
A firewall rule includes the following fields:

* Action - The action taken if the data traffic matches the rule:
  o Drop = Discard the session.
  o Forward = Allow the session to go through.
* Direction - The direction of traffic to be affected by the firewall:
  o Inbound = traffic coming into the PC, also called the local machine.
  o Outbound = traffic going out from the PC to all networks while the VPN Client is connected to a secure gateway.
* Source Address - The address of the traffic that this rule affects:
  o Any = all traffic; for example, drop any inbound traffic.
  o A specific IP address and subnet mask.
  o Local = the local machine; if the direction is Outbound, the Source Address is Local.
* Destination Address - The packet's destination address that this rule checks (the address of the recipient):
  o Any = all traffic; for example, forward any outbound traffic.
  o Local = the local machine; if the direction is Inbound, the Destination Address is Local.
* Protocol - The Internet Assigned Numbers Authority (IANA) number of the protocol that this rule concerns (6 for TCP, 17 for UDP, and so on).
* Source Port - Source port used by TCP or UDP.
* Destination Port - Destination port used by TCP or UDP.
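The rule fields listed above, evaluated against the default CPP behaviour from Questions 119 and 121 (forward what the PC initiates, drop inbound traffic not related to an outbound session), as an added example that is not part of this question set and is not Cisco's Cisco Integrated Client code. The local address, the custom inbound rule and the packets are constructed for the example; a real pushed policy arrives from the Concentrator during connection negotiation and is enforced by the CIC.

```python
"""Client-side evaluation of firewall rules of the kind a pushed CPP policy
carries: action, direction, source/destination address, protocol and ports,
with an inbound packet forwarded when it belongs to a tracked outbound session.

Added example, not Cisco's CIC code. All rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

ANY, LOCAL = "any", "local"
TCP, UDP = 6, 17          # IANA protocol numbers


@dataclass(frozen=True)
class Rule:
    action: str                     # "forward" or "drop"
    direction: str                  # "inbound" or "outbound"
    src: str = ANY                  # "any", "local" or a network such as "10.0.1.0/24"
    dst: str = ANY
    protocol: Optional[int] = None  # None matches any protocol
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int


# The default CPP filter: let the PC initiate sessions, drop unsolicited inbound traffic.
DEFAULT_CPP_RULES = [
    Rule("forward", "outbound", src=LOCAL, dst=ANY),
    Rule("drop", "inbound", src=ANY, dst=LOCAL),
]


class ClientFirewall:
    def __init__(self, local_ip: str, rules: List[Rule]):
        self.local = ip_address(local_ip)
        self.rules = rules
        # (proto, local ip, local port, remote ip, remote port) of forwarded outbound sessions
        self.sessions: Set[Tuple[int, str, int, str, int]] = set()

    def _addr_match(self, spec: str, addr) -> bool:
        if spec == ANY:
            return True
        if spec == LOCAL:
            return addr == self.local
        return addr in ip_network(spec, strict=False)

    def _rule_match(self, rule: Rule, pkt: Packet) -> bool:
        return (rule.direction == pkt.direction
                and self._addr_match(rule.src, ip_address(pkt.src_ip))
                and self._addr_match(rule.dst, ip_address(pkt.dst_ip))
                and rule.protocol in (None, pkt.protocol)
                and rule.src_port in (None, pkt.src_port)
                and rule.dst_port in (None, pkt.dst_port))

    def process(self, pkt: Packet) -> str:
        """Return "forward" or "drop" for one packet, updating session state."""
        if pkt.direction == "inbound":
            reply_key = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if reply_key in self.sessions:
                return "forward"          # related to an outbound session: stateful allow
        for rule in self.rules:           # first matching rule wins
            if self._rule_match(rule, pkt):
                if rule.action == "forward" and pkt.direction == "outbound":
                    self.sessions.add((pkt.protocol, pkt.src_ip, pkt.src_port,
                                       pkt.dst_ip, pkt.dst_port))
                return rule.action
        return "drop"                     # nothing matched: implicit drop


def demo() -> List[str]:
    """Constructed traffic against the default policy plus one custom inbound allow."""
    fw = ClientFirewall("192.168.1.5", [
        Rule("forward", "inbound", src="10.0.1.0/24", dst=LOCAL, protocol=TCP, dst_port=22),
    ] + DEFAULT_CPP_RULES)
    traffic = [
        Packet("outbound", "192.168.1.5", "203.0.113.10", TCP, 40000, 80),   # PC opens HTTP
        Packet("inbound", "203.0.113.10", "192.168.1.5", TCP, 80, 40000),    # the HTTP reply
        Packet("inbound", "198.51.100.7", "192.168.1.5", TCP, 5555, 445),    # unsolicited SMB probe
        Packet("inbound", "10.0.1.3", "192.168.1.5", TCP, 5555, 22),         # SSH allowed by custom rule
        Packet("inbound", "198.51.100.7", "192.168.1.5", TCP, 5555, 22),     # SSH from elsewhere
        Packet("inbound", "203.0.113.10", "192.168.1.5", UDP, 80, 40000),    # same ports, wrong protocol
    ]
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    print(demo())
```

Rules are written from the client's point of view, as the Concentrator pushes them: "in" is traffic arriving at the PC and "out" is traffic the PC sends, and the explicit inbound allow has to precede the default drop because the first match decides.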
QUESTION 130
Exhibit (firewall policy chart as extracted; the numbered entries stand where the exhibit's values were):

Connection  Action  Direction  Source Address  Destination Address
1           10      Inbound    10              Local
            10      Outbound   Local           10
2           11      Inbound    11              Local
            11      Outbound   Local           11
3           12      Outbound   Local           12
4           13      Inbound    13              Local
            13      Outbound   Local           13

Jason, the security administrator for Certkiller Inc., is troubleshooting the network. For connection 2 of the firewall policy chart, Jason must choose the action and the IP addresses.
A. Action drop, source and destination address, 10.0.1.0
B. Action forward, source and destination address, 10.0.1.0
C. Action forward, source and destination address 10.0.1.10
D. Action drop, source and destination address, 10.0.1.10

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The firewall rule fields (Action, Direction, Source Address, Destination Address, Protocol, Source Port and Destination Port) are the same as described under Question 129.
