New VCE and PDF: You can prepare for the Cisco 642-503 exam (https://www.pass4itsure.com/642-503.html) in an easy way with Cisco 642-503 questions and answers. By training with our Cisco 642-503 VCE dumps, which contain all the latest questions, you can pass the Cisco 642-503 exam on the first attempt.
QUESTION 40
Refer to the partial classic Cisco IOS Firewall configuration shown in the exhibit. Which three are the correct missing configuration commands? (Choose three.)
A. 1=ip inspect myfw in
B. 1=ip access-group 51 in
C. 2=ip access-group 101 in
D. 2=ip inspect myfw out
E. 3=ip access-group 111 in
F. 3=ip inspect myfw in
Correct Answer: ACE
QUESTION 41
[Question text and answer options are not present in the source; only the exam title, Securing Networks with Cisco Routers and Switches, survives (question 41 of 53).]
QUESTION 42
Refer to the exhibit. Which two statements are true about the configurations shown? (Choose two.)
A. The clickable links will have a heading entitled “MYLINKS”.
B. The home page will have three clickable links on it.
C. ACS will be used for remote-user authentication by default.
D. This is an example of a clientless configuration.
E. Thin client (port forwarding) has been enabled using the url-text command.
Correct Answer: BD
QUESTION 43
Refer to the exhibit. Why is auth-proxy not working?
A. The AAA authentication method-list is not configured.
B. HTTPS is not enabled on the router.
C. The local username and password database is not configured.
D. The aaa authorization command is not correct.
E. The ip auth-proxy HQU interface configuration command is missing the in direction option.
F. AAA accounting is not enabled.
Correct Answer: D
QUESTION 44
Refer to the exhibits. Why is the IPsec site-to-site VPN between Router A and Router B not working?
A. The crypto ACLs of the two routers do not match.
B. Neither router has a route in its routing table to reach the other protected subnet.
C. The IPsec SA lifetime has not been configured.
D. The crypto maps default to transport mode; tunnel mode needs to be specified in the crypto maps.
E. The crypto maps are missing the authentication method configuration.
F. The crypto ACLs are not permitting the routing protocol traffic between Router A and Router B.
Correct Answer: B
QUESTION 45
When you implement 802.1x authentication on the ACS, which two configurations are performed under the ACS System Configuration? (Choose two.)
A. Users
B. Groups
C. Global Authentication Setup
D. RACs
E. Logging
F. NAPs
Correct Answer: CE
QUESTION 46
Which three of these statements are correct regarding DMVPN configuration? (Choose three.)
A. If running EIGRP over DMVPN, the hub router tunnel interface must have “next hop self” enabled: ip next-hop-self eigrp AS-Number
B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-Number
C. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address
D. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
E. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
F. The GRE tunnel must be associated with an IPsec profile: tunnel protection ipsec profile profile-name
Correct Answer: BDF
QUESTION 47
Refer to the exhibit. What will result from this zone-based firewall configuration?
A. All traffic from the private zone to the public zone will be dropped.
B. All traffic from the private zone to the public zone will be permitted but not inspected.
C. All traffic from the private zone to the public zone will be permitted and inspected.
D. All traffic from the public zone to the private zone will be permitted but not inspected.
E. Only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected.
F. Only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected.
Correct Answer: A
QUESTION 50
When you add NADs as AAA clients in the ACS, which three parameters are configured for each AAA client? (Choose three.)
A. the NAD IP address
B. the AAA server IP address
C. the EAP type
D. the shared secret key
E. the AAA protocol to use for communications with the NADs
F. the UDP ports to use for communications with the NADs
Correct Answer: ADE
QUESTION 51
Which two statements are true regarding classic Cisco IOS Firewall configurations? (Choose two.)
A. You can apply the IP inspection rule in the inbound direction on the trusted interface.
B. You can apply the IP inspection rule in the outbound direction on the untrusted interface.
C. For temporary openings to be created dynamically by Cisco IOS Firewall, the access list for the returning traffic must be a standard ACL.
D. For temporary openings to be created dynamically by Cisco IOS Firewall, you must apply the IP inspection rule to the trusted interface.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the inbound access list on the trusted interface must be an extended ACL.
Correct Answer: AB
QUESTION 52
Refer to the exhibit. Which two configuration commands are used to apply an inspect policy map for traffic traversing from the E0 or E1 interface to the S3 interface? (Choose two.)
A. zone-pair security test source Z1 destination Z2
B. interface E0
C. policy-map myfwpolicy class class-default inspect
D. ip inspect myfwpolicy out
E. ip inspect myfwpolicy in
F. service-policy type inspect myfwpolicy
Correct Answer: AF
QUESTION 53
When you implement Cisco IOS WebVPN on a Cisco router using a self-signed certificate, you notice that the router is not generating a self-signed certificate. What should you check to troubleshoot this issue?
A. Verify the ip http secure-server configuration.
B. Verify the ip http server configuration.
C. Verify that the WebVPN gateway is inservice.
D. Verify the AAA authentication configuration.
E. Verify the WebVPN group policy configuration.
F. Verify the WebVPN context configuration.
Correct Answer: C
QUESTION 54
When configuring FPM, what should be the next step after the PHDFs have been loaded?
A. Define a stack of protocol headers.
B. Define a traffic policy.
C. Define a service policy.
D. Define a class map of type “access-control” for classifying packets.
E. Reload the router.
F. Save the PHDFs to startup-config.
Correct Answer: A
QUESTION 55
What does this command do?
router(config)# ip port-map user-1 port tcp 4001
A. enables application firewall inspection on a user-defined application that is mapped to TCP port 4001
B. enables NBAR to recognize a user-defined application on TCP port 4001
C. enables the Cisco IOS Firewall to inspect TCP port 4001 as part of the ip inspect name xxx TCP inspection rule
D. defines a user application in the PAM table where the user-defined application is called “user-1” and that application is mapped to TCP port 4001
Correct Answer: D
QUESTION 56
Which Cisco IOS command will trigger the router to request certificates from the CA for the router RSA key pair?
A. crypto pki authenticate CA-Name
B. enrollment url http://CA-Name:80
C. crypto pki trustpoint CA-Name
D. crypto key generate rsa
E. crypto key zeroize rsa
F. crypto pki enroll CA-Name
Correct Answer: F
QUESTION 57
ACS administrators use which TCP port to access the Cisco ACS web interface?
A. 22
B. 80
C. 127
D. 443
E. 2002
F. 8080
Correct Answer: E