Cisco 642-637 Exam With Training Flydumps New Cisco 642-637 PDF And VCE Dumps

100% Valid Cisco 642-637 exam questions and answers are tested and approved by Microsoft experts. Furthermore, we are constantly updating our Cisco 642-637 exam dumps, 100% guarantee in quality and reliability.

Exam A
Refer to the exhibit. Given the partial output of the debug command, what can be determined?

A. There is no ID payload in the packet, as indicated by the message ID = 0.
B. The peer has not matched any offered profiles.
C. This is an IKE quick mode negotiation.
D. This is normal output of a successful Phase 1 IKE exchange.

Correct Answer: B Section: (none) Explanation
Although the authentication of IKE phase 1 is authenticated, the exhibit question says “Given the partial output of the debug command, what can be determined?” 2 is best for the peer has not matched any offered profiles.



Correct Answer: Section: (none) Explanation
“Pass Any Exam. Any Time.” – 2 Cisco 642-637 Exam Explanation:
Because 802.1X authentication requires several technologies to work together, up-front planning helps ensure the success of the deployment.
Part of this planning involves gathering important input information:
Refer to the exhibit.
Which two Cisco IOS WebVPN features are enabled with the partial configuration shown? (Choose two.)
A. The end-user Cisco AnyConnect VPN software will remain installed on the end system.
B. If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot use other modes.
C. Client based full tunnel access has been enabled.
D. Traffic destined to the network will not be tunneled and will be allowed access via a split tunnel.
E. Clients will be assigned IP addresses in the range.

Correct Answer: AC Section: (none) Explanation

Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.)
A. Less firewall management is needed.
B. It can be easily introduced into an existing network.
C. IP readdressing is unnecessary.
D. It adds the ability to statefully inspect non-IP traffic.
E. It has less impact on data flows.

Correct Answer: BC Section: (none) Explanation

When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?
A. All sessions will pass through the zone without being inspected.
B. All sessions will be denied between these two zones by default.
C. All sessions will have to pass through the router “self zone” for inspection before being allowed to pass to the destination zone.
D. This configuration statelessly allows packets to be delivered to the destination zone.

Correct Answer: B Section: (none) Explanation
Explanation: Zone Pair Configuration. The configuration of the zone pair is important because its configuration dictates the direction in which traffic is allowed to flow. As stated previously, a zone pair is unidirectional and is the part of the configuration that controls traffic between zones; this is referred to as interzone. If no zone pair is defined, traffic will not flow between zones.

Refer to the exhibit. What can be determined from the output of this show command?

A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers
E. IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.

Correct Answer: C Section: (none) Explanation
Explanation: Verify Local IKE Sessions. Use the show crypto isakmp sa command to display the current IKE Security Associations (SA) on the local router. The QM_IDLE status indicates successful establishment of the IKE SA, meaning that the ISAKMP process is idle after having successfully negotiated and established SAs. Example 15-5 shows the output of the show crypto isakmp sa command.



Correct Answer: Section: (none) Explanation


Verify cryptographic configs
router# show crypto isakmp policy
Protection suite priority 15
encryption algorithm: DES – Data Encryption Standard (56 bit keys)
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #2 (1024 bit)
lifetime: 5000 seconds, no volume limit
Protection suite priority 20
encryption algorithm: DES – Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: preshared Ke

You are running Cisco IOS IPS software on your edge router. A new threat has become an issue. The
Cisco IOS IPS software has a signature that can address the new threat, but you previously retired the
signature. You decide to unretire that signature to regain the desired protection level.
How should you act on your decision?

A. Retired signatures are not present in the router’s memory. You will need to download a new signature package to regain the retired signature.
B. You should re-enable the signature and start inspecting traffic for signs of the new threat.
C. Unretiring a signature will cause the router to recompile the signature database, which can temporarily affect performance.
D. You cannot unretire a signature. To avoid a disruption in traffic flow, it’s best to create a custom signature until you can download a new signature package and reload the router.

Correct Answer: C Section: (none) Explanation
Some signatures can be retired. This signature is not present in the router’s memory. Unretiring a retired signature requires that the router recompile the signature database. This can temporarily affect performance and take a long time with a large signature database.

Which statement best describes inside policy based NAT?
A. Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy
B. Policy NAT consists of policy rules based on outside sources attempting to communicate with inside endpoints.
C. These rules use source addresses as the decision for translation policies.
D. These rules are sensitive to all communicating endpoints.

Correct Answer: A Section: (none) Explanation
The original dump had this option:

A) Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy
The newer dump did not, so not sure the answer is still A)
asa82/configuration/guide/nat_overview.html#wp10 88419

Refer to the exhibit. What can be determined about the IPS category configuration shown?

A. All categories are disabled.
B. All categories are retired.
C. After all other categories were disabled, a custom category named “os ios” was created
D. Only attacks on the Cisco IOS system result in preventative actions.

Correct Answer: D Section: (none) Explanation
Explanation: This configuration task is completed by entering the signature category configuration mode using the ip ips signature-category command. See Example 13-3 for the relevant configuration. First, retire and disable all signatures because only the desired signatures will be enabled. This is achieved using the category all command. Then, use the retired true and enabled false commands to disable and retire all signatures by default. Next, enable all signatures that are designed to prevent attacks against Cisco IOS Software devices and assign a preventative action to them. Enter the category that comprises these signatures using the category os ios command and enable them by using the retired false and enabled true commands. Use the event-action produce-alert deny-packet-inline command to enable these signatures to generate an alert and drop the offending packets when they trigger.

When Cisco IOS IPS is configured to use SDEE for event notification, how are events managed?
A. They are stored in the router’s event store and will allow authenticated remote systems to pull events from the event store.
B. All events are immediately sent to the remote SDEE server.
C. Events are sent via syslog over a secure SSL/TLS communications channel.
D. When the event store reaches its maximum configured number of event notifications, the stored events are sent via SDEE to a remote authenticated server and a new event store is created.

Correct Answer: A Section: (none) Explanation
SDEE uses a pull communication model for event messages. This allows management consoles to pull alerts from the Cisco IPS sensors over an HTTPS connection. When Cisco SDEE notification is enabled, by default, 200 events can be stored in the local event store. This number can be increased to hold a maximum of 1000. All stored events are lost if SDEE notifications are disabled, and a new local event store is allocated when the notification feature is enabled again.

Which two of these will match a regular expression with the following configuration parameters? [a-zA-Z][0-9][a-z] (Choose two.)
A. Q3h
B. B4Mn
C. aaB132AA
D. c7lm
E. BBpjnrIT

Correct Answer: AD Section: (none) Explanation Explanation/Reference:

Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts to exhaust critical router resources and if preventative controls have been bypassed or are not working correctly?
A. Control Plane Protection
B. Management Plane Protection
C. CPU and memory thresholding

Correct Answer: C Section: (none) Explanation
Explanation: CPU and Memory Thresholding. One of the ways to monitor whether an attack is occurring on a device is through the simple monitoring of device resources, including CPU and memory utilization. This is done by configuring the use of CPU or memory threshold monitoring. Both of these features can be combined with a remote management server to notify an organization when the CPU and memory conditions on a device become critical.
“With CPU Thresholding Notification, users can configure CPU utilization thresholds, which trigger a notification when exceeded. Cisco IOS Software supports two CPU utilization thresholds:”

Which Cisco IOS IPS feature allows you to remove one or more actions from all active signatures based on the attacker and/or target address criteria, as well as the event risk rating criteria?
A. signature event action filters
B. signature event action overrides
C. signature attack severity rating
D. signature event risk rating

Correct Answer: A Section: (none) Explanation
You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?
A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
B. ping the tunnel endpoint
C. run a traceroute to verify the tunnel path
D. debug the connection process and look for any error messages in tunnel establishment

Correct Answer: B Section: (none) Explanation
Page 398 – Very Important – several Questions from this Troubleshooting Flow
Follow these steps to proceed through the recommended flow for troubleshooting IKE peering:

Step 1. Verify peer reachability using the ping and traceroute commands with the tunnel source and
destination IP addresses on both peers. If connectivity is verified, proceed to Step 2; otherwise, check the
path between the two peers for routing or access (firewall or access list) issues.

Step 2. Verify the IKE policy on both peers using the show crypto isakmp policy command. Debug
messages revealed by the debug crypto isakmp command will also point out IKE policy mismatches.

Step 3. Verify IKE peer authentication. The debug crypto isakmp command will display unsuccessful
authentication.

Step 4. Upon successful completion of Steps 1-3, the IKE SA should be establishing. This
can be verified with the show crypto isakmp sa command and looking for a state of QM_IDLE.

Which of these is correct regarding the configuration of virtual-access interfaces?
A. They cannot be saved to the startup configuration.
B. You must use static routes inside the tunnels.
C. DVTI interfaces should be assigned a unique IP address range.
D. The Virtual-Access 1 interface must be enabled in an up/up state administratively

Correct Answer: A Section: (none) Explanation
Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined?

A. Hosts in the INSIDE zone, with addresses in the network, can access any host in the network using the SSH protocol.
B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
C. This is an illegal configuration. You cannot have the same source and destination zones.
D. This policy configuration is not needed, traffic within the same zone is allowed to pass by default.

Correct Answer: B Section: (none) Explanation
Explanation: The zone pair can also be configured to control the traffic permitted directly into the device; this includes control and management plane traffic. This is configured by creating a zone pair using the self zone as the source or destination zone. With the release of IOS 15.0.1M, it is also possible to control the traffic within the same zone; this is referred to as intrazone.
This is configured by creating a zone pair with the same two zone names as both source and destination.
Which action does the command private-vlan association 100,200 take?
A. configures VLANs 100 and 200 and associates them as a community
B. associates VLANs 100 and 200 with the primary VLAN
C. creates two private VLANs with the designation of VLAN 100 and VLAN 200
D. assigns VLANs 100 and 200 as an association of private VLANs

Correct Answer: B Section: (none) Explanation
Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually?
A. event action summarization
B. event action filter
C. event action override
D. signature event action processor

Correct Answer: C Section: (none) Explanation
When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.)
A. using an external AAA server
B. entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode
C. using the router local user database
D. entering the information from the PC via a browser
E. storing the XAUTH credentials in the router configuration file

Correct Answer: BDE Section: (none) Explanation
Explanation: Begin by configuring the local network AAA authorization list with the aaa authorization network command. This will tell the router to use only the locally configured user database on the router for its authorization resource. (C)

If XAUTH is being used, it must be decided where to store the authentication credentials:

Store the XAUTH username and password in the configuration file on the router: This option is typically used if the router is shared between many PCs and the goal is to have the VPN tunnel up all the time. (E)

Do not store the XAUTH username and password on the router: If this option is used, a PC user who is connected to the router is presented with a web page that allows the username and password to be manually entered. (D)

EZVPN Remote connection profile using the crypto ipsec client ezvpn command: Use the group command to specify the group name and group password to authenticate to the EZVPN Server as a part of a group. Use the username command to specify the stored username and password used to provide additional authentication using XAUTH. (B)


Both PDF and software format demos for Cisco 642-637 exam dumps are offered by Flydumps for free. You can try Cisco 642-637 free demo before you decide to buy the full version practice test. Cisco 642-637 exam dumps details are researched and produced by our Professional Certification Experts who are constantly using industry experience to produce precise, and logical. Cisco 642-637 exam dumps will not only help you pass in one attempt, but also save your valuable time.