CCNP Security 642-618 Practice Exam (36-40)

QUESTION NO: 36
By default, how does a Cisco ASA appliance process IP fragments?
A. Each fragment passes through the Cisco ASA appliance without any inspections.
B. Each fragment is blocked by the Cisco ASA appliance.
C. The Cisco ASA appliance verifies each fragment and performs virtual IP re-assembly before the full IP packet is forwarded out.
D. The Cisco ASA appliance forwards the packet out as soon as all of the fragments of the packet have been received.
Answer: C

QUESTION NO: 37
Which two Cisco ASA configuration tasks are necessary to allow authenticated BGP sessions to pass through the Cisco ASA appliance? (Choose two.)
A. Configure the Cisco ASA TCP normalizer to permit TCP option 19
B. Configure the Cisco ASA TCP Intercept to inspectthe BGP packets (TCP port 179)
C. Configure the Cisco ASA default global inspection policy to also statefully inspect the BGP flows
D. Configure the Cisco ASA TCP normalizer to disable TCP ISNrandomization for the BGP flows
E. Configure TCP state bypass to allow the BGP flows
Answer: A,D

QUESTION NO: 38
Which two options show the required Cisco ASA command(s) to allow this scenario? (Choose two.)
An inside client on the 10.0.0.0/8 network connects to an outside server on the 172.16.0.0/16 network using TCP and the server port of 2001. The inside client negotiates a client port in the range between UDP ports 5000 to 5500. The outside server then can start sending UDP data to the inside client on the negotiated port within the specified UDP port range.
A. access-list INSIDE line 1 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq 2001 access-group INSIDE in interface inside
B. access-list INSIDE line 1 permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq 2001 access-list INSIDE line 2 permit udp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq established access-group INSIDE in interface inside
C. access-list OUTSIDE line 1 permit tcp 172.16.0.0 255.255.0.0 eq 2001 10.0.0.0 255.0.0.0 access-list OUTSIDE line 2 permit udp 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 5000-5500 access-group OUTSIDE in interface outside
D. access-list OUTSIDE line 1 permit tcp 172.16.0.0 255.255.0.0 eq 2001 10.0.0.0 255.0.0.0 access-list OUTSIDE line 2 permit udp 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq established access-group OUTSIDE in interface outside
E. established tcp 2001 permit udp 5000-5500
F. established tcp 2001 permit from udp 5000-5500
G. established tcp 2001 permit to udp 5000-5500
Answer: A,G

QUESTION NO: 39
Which three actions can be applied to a traffic class within a type inspect policy map? (Choose three.)
A. drop
B. priority
C. log
D. pass
E. inspect
F. reset
Answer: A,C,F

QUESTION NO: 40
Which three types of class maps can be configured on the Cisco ASA appliance? (Choose three.)
A. control-plane
B. regex
C. inspect
D. access-control
E. management F. stack
Answer: B,C,E