300 209 by Supermario v4 PDF
Number: 000-000
Passing Score: 846
Time Limit: 120 min
File Version: 4.0
Vendor: Cisco
Version: 4.0
Questions: 448
Date: 2019 07 04
Prepared by Supermario
Exam A
QUESTION 1
Which two IKEv1 policy options must match on each peer when you configure an IPsec site-to-site VPN? (Choose two.)
A. priority number
B. hash algorithm
C. encryption algorithm
D. session lifetime
E. PRF algorithm
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
Which two parameters are configured within an IKEv2 proposal on an IOS router? (Choose two.)
A. authentication
B. encryption
C. integrity
D. lifetime
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 4
To change the title panel on the logon page of the Cisco IOS WebVPN portal, which file must you configure?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 5
Which three plugins are available for clientless SSL VPN? (Choose three.)
A. CIFS
B. RDP2
C. SSH
D. VNC
E. SQLNET
F. ICMP
Explanation/Reference:
QUESTION 6
Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA appliance that has an invalid IKEv2 configuration?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Below is a reference for this question:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html
If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple. On the command line, enter the migrate command:
migrate {l2l | remote-access {ikev2 | ssl} | overwrite}
Things of note:
Keyword definitions:
l2l - This converts current IKEv1 l2l tunnels to IKEv2.
remote-access - This converts the remote access configuration. You can convert either the IKEv1 or the SSL tunnel groups to IKEv2.
overwrite - If you have an IKEv2 configuration that you wish to overwrite, this keyword converts the current IKEv1 configuration and removes the superfluous IKEv2 configuration.
QUESTION 7
Which statement describes a prerequisite for single-sign-on Netegrity Cookie Support in an IOS SSL VPN?
Explanation/Reference:
QUESTION 8
Which two statements describe effects of the DoNothing option within the untrusted network policy on a Cisco AnyConnect profile? (Choose two.)
Correct Answer: DE
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-vpn.html#ID-1428-00000152
QUESTION 9
Which command enables IOS SSL VPN Smart Tunnel support for PuTTY?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure Desktop? (Choose three.)
A. IKEv1
B. IKEv2
C. SSL client
D. SSL clientless
E. ESP
F. L2TP
Explanation/Reference:
QUESTION 11
A user is unable to establish an AnyConnect VPN connection to an ASA. When using the Real-Time Log Viewer within ASDM to troubleshoot the issue, which two filter options would the administrator choose to show only syslog messages relevant to the VPN connection? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
Which Cisco ASDM option configures forwarding syslog messages to email?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Which Cisco ASDM option configures WebVPN access on a Cisco ASA?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 14
A user with IP address 10.10.10.10 is unable to access an HTTP website at IP address 209.165.200.225 through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)
A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any
B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1 and show logging | include 10.10.10.10
D. Check if an access-list on the firewall is blocking the user by using command show running-config access-list | include 10.10.10.10
E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234 192.168.1.3 161 to see what the firewall is doing with the user's traffic
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
A Cisco router may have a fan issue that could increase its temperature and trigger a failure. What troubleshooting steps would verify the issue without causing additional risks?
A. Configure logging using commands "logging on", "logging buffered 4", and check for fan failure logs using "show logging"
B. Configure logging using commands "logging on", "logging buffered 6", and check for fan failure logs using "show logging"
C. Configure logging using commands "logging on", "logging discriminator msglog1 console 7", and check for fan failure logs using "show logging"
D. Configure logging using commands "logging host 10.11.10.11", "logging trap 2", and check for fan failure logs at the syslog server 10.11.10.11
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 16
Which of these are the two types of keys used when implementing GET VPN? (Choose two)
A. key encryption
B. group encryption
C. pre-shared key
D. public key
E. private key
F. traffic encryption key
Correct Answer: AF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
A private WAN connection is suspected of intermittently corrupting data. Which technology can a network administrator use to detect and drop the altered data traffic?
A. AES-128
B. RSA Certificates
C. SHA2-HMAC
D. 3DES
E. Diffie-Hellman Key Generation
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 18
A company needs to provide secure access to its remote workforce. The end users use public kiosk computers and a wide range of devices. They will be accessing only an internal web application. Which VPN solution satisfies these requirements?
A. Clientless SSLVPN
B. AnyConnect Client using SSLVPN
C. AnyConnect Client using IKEv2
D. FlexVPN Client
E. Windows built-in PPTP client
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 19
A network administrator is configuring AES encryption for the ISAKMP policy on an IOS router. Which two configurations are valid? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 20
Which two qualify as Next Generation Encryption integrity algorithms? (Choose two.)
A. SHA-512
B. SHA-256
C. SHA-192
D. SHA-380
E. SHA-192
F. SHA-196
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 21
Which statement is true when implementing a router with a dynamic public IP address in a crypto map based site-to-site VPN?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 22
Which two statements are true when designing an SSL VPN solution using Cisco AnyConnect? (Choose two.)
Correct Answer: DE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
Refer to the exhibit. Given the partial configuration shown, which two statements are correct? (Choose two.)
A. The tunnel will use the routing protocol configured for GigabitEthernet 1/1 for all tunnel communication with the peer.
B. The IP route statement to reach the remote network behind the DMVPN peer is incorrect; it should be ip route 192.168.2.0 255.255.255.0 tunnel 0.
C. This is an example of a static point-to-point VTI tunnel.
D. The tunnel will use esp-sha-hmac encryption in ESP tunnel mode.
E. The tunnel will use 128-bit AES encryption in ESP tunnel mode.
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
What are two benefits of DMVPN Phase 3? (Choose two.)
A. Administrators can use summarization of routing protocol updates from hub to spokes.
B. It introduces hierarchical DMVPN deployments.
C. It introduces non-hierarchical DMVPN deployments.
D. It supports L2TP over IPSec as one of the VPN protocols.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
Which are two main use cases for Clientless SSL VPN? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 26
Which technology can rate-limit the number of tunnels on a DMVPN hub when system utilization is above a specified percentage?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 27
Which technology supports tunnel interfaces while remaining compatible with legacy VPN implementations?
A. FlexVPN
B. DMVPN
C. GET VPN
D. SSL VPN
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 28
Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices?
A. IKEv2 Suite-B
B. IKEv2 proposals
C. IKEv2 profiles
D. IKEv2 Smart Defaults
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 29
When an IPsec SVTI is configured, which technology processes traffic forwarding for encryption?
A. ACL
B. IP routing
C. RRI
D. front door VPN routing and forwarding
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 30
Which Cisco IOS VPN feature simplifies IPsec VPN configuration and design by using on-demand virtual access interfaces that are cloned from a virtual template configuration?
A. GET VPN
B. dynamic VTI
C. static VTI
D. GRE tunnels
E. GRE over IPsec tunnels
F. DMVPN
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco IOS router and the Windows server?
A. HTTPS
B. NetBIOS
C. CIFS
D. HTTP
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 32
You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command must you configure on the virtual template?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
Which protocol supports high availability in a Cisco IOS SSL VPN environment?
A. HSRP
B. VRRP
C. GLBP
D. IRDP
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
When you configure IPsec VPN High Availability Enhancements, which technology does Cisco recommend that you enable to make reconvergence faster?
A. EOT
B. IP SLAs
C. periodic IKE keepalives
D. VPN fast detection
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
Which hash algorithm is required to protect classified information?
A. MD5
B. SHA-1
C. SHA-256
D. SHA-384
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
Which cryptographic algorithms are approved to protect Top Secret information?
A. HIPPA DES
B. AES-128
C. RC4-128
D. AES-256
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
Which Cisco firewall platform supports Cisco NGE?
A. FWSM
B. Cisco ASA 5505
C. Cisco ASA 5580
D. Cisco ASA 5525-X
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 38
Which algorithm is replaced by elliptic curve cryptography in Cisco NGE?
A. 3DES
B. AES
C. DES
D. RSA
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 39
Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco NGE supported VPN solution?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 40
An administrator wishes to limit the networks reachable over the AnyConnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and 209.165.202.128/27?
A.
access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitlist
B.
access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value splitlist
C.
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
D.
access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect vpn-tunnel-network-list splitlist
E.
crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 41
Which NGE IKE Diffie-Hellman group identifier has the strongest cryptographic properties?
A. group 10
B. group 24
C. group 5
D. group 20
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-cfg-ikev2-flex.html#GUID-6F6D8166-508A-4669-9DDC-4FE7AE9B9939
http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html#9
QUESTION 42
What is the Cisco recommended TCP maximum segment size on a DMVPN tunnel interface when the MTU is set to 1400 bytes?
A. 1160 bytes
B. 1260 bytes
C. 1360 bytes
D. 1240 bytes
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 43
Which technology does a multipoint GRE interface require to resolve endpoints?
A. ESP
B. dynamic routing
C. NHRP
D. CEF
E. IPSec
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
Which command configures IKEv2 symmetric identity authentication?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 46
Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)
A. aes-cbc-192, sha256, 14
B. 3des, md5, 5
C. 3des, sha1, 1
D. aes-cbc-128, sha, 5
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 47
What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?
A. disk0:/webvpn/{context name}/
B. disk1:/webvpn/{context name}/
C. flash:/webvpn/{context name}/
D. nvram:/webvpn/{context name}/
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 48
Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?
A. vpn-filter none
B. no vpn-filter
C. filter value none
D. filter value ACLname
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Specify the name of the ACL to apply to the VPN session, using the vpn-filter command in group-policy mode. (You can also configure this attribute in username mode, in which case the value configured under username supersedes the group-policy value.)
hostname(config-group-policy)# vpn-filter {value ACL name | none}
hostname(config-group-policy)#
You configure ACLs to permit or deny various types of traffic for this group policy. You then enter the vpn-filter command to apply those ACLs.
To remove the ACL, including a null value created by entering the vpn-filter none command, enter the no form of this command. The no option allows inheritance of a value from another group policy.
A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying an ACL name. The none keyword indicates that there is no access list and sets a null value, thereby disallowing an access list.
QUESTION 49
Which command specifies the path to the Host Scan package in an ASA AnyConnect VPN?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 50
Hotspot Questions
When a tunnel is initiated by the headquarters ASA, which one of the following Diffie-Hellman groups is selected by the headquarters ASA during the CREATE_CHILD_SA exchange?
A. 1
B. 2
C. 5
D. 14
E. 19
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Traffic initiated by the HQ ASA is assigned to the static outside crypto map, which is shown below to use DH group 5.
QUESTION 51
Hotspot Questions
Based on the provided ASDM configuration for the remote ASA, which one of the following is correct?
A. An access-list must be configured on the outside interface to permit inbound VPN traffic
B. A route to 192.168.22.0/24 will not be automatically installed in the routing table
C. The ASA will use a window of 128 packets (64x2) to perform the anti-replay check
D. The tunnel can also be established on TCP port 10000
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.
QUESTION 52
Hotspot Questions
If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to encrypt traffic?
A. DES
B. 3DES
C. AES
D. AES192
E. AES256
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Both ASAs are configured to support AES 256, so during the IPsec negotiation they will use the strongest algorithm that is supported by each peer.
QUESTION 53
Hotspot Questions
After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24 network are unable to access the internet. Which of the following can be done to resolve this problem?
A. Change the Diffie-Hellman group on the headquarters ASA to group 5 for the dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEv1 configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarters ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarters ASA to 0.0.0.0/0
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPsec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 to 192.168.22.0/24.
QUESTION 54
Hotspot Questions
Which option shows the correct traffic selectors for the child SA on the remote ASA, when the headquarters ASA initiates the tunnel?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPsec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 (THE LOCAL SIDE) to 192.168.22.0/24 (THE REMOTE SIDE).
QUESTION 55
Which two are characteristics of GETVPN? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 56
A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid configuration constructs on a Cisco IOS router? (Choose two.)
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 57
Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.)
Explanation/Reference:
QUESTION 58
Where is split-tunneling defined for remote access clients on an ASA?
A. Group-policy
B. Tunnel-group
C. Crypto-map
D. Web-VPN Portal
E. ISAKMP client
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 59
Which of the following could be used to configure remote access VPN Host-scan and pre-login policies?
A. ASDM
B. Connection-profile CLI command
C. Host-scan CLI command under the VPN group policy
D. Pre-login-check CLI command
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 60
In FlexVPN, what command can an administrator use to create a virtual template interface that can be configured and applied dynamically to create virtual access interfaces?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Here is a reference and an explanation that can be included with this test:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html#GUID-4A10927D-4C6A-4202-B01C-DA7E462F5D8A
QUESTION 61
In FlexVPN, what is the role of a NHRP resolution request?
A. It allows these entities to directly communicate without requiring traffic to use an intermediate hop
B. It dynamically assigns VPN users to a group
C. It blocks these entities from directly communicating with each other
D. It makes sure that each VPN spoke directly communicates with the hub
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 62
What are three benefits of deploying a GET VPN? (Choose three.)
Explanation/Reference:
QUESTION 63
What is the default topology type for a GET VPN?
A. point-to-point
B. hub-and-spoke
C. full mesh
D. on-demand spoke-to-spoke
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 64
Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 65
What are the three primary components of a GET VPN network? (Choose three.)
Explanation/Reference:
QUESTION 66
Refer to the exhibit. After the configuration is performed, which combination of devices can connect?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 67
Which three settings are required for crypto map configuration? (Choose three.)
A. match address
B. set peer
C. set transform-set
D. set security-association lifetime
E. set security-association level per-host
F. set pfs
Correct Answer: ABC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 68
A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 69
Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the certificate has changed and the connection fails. What is a possible cause of the connection failure?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 70
In the Cisco ASDM interface, where do you enable the DTLS protocol setting?
A. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy
B. Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit
C. Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
D. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 71
What are two forms of SSL VPN? (Choose two.)
A. port forwarding
B. Full Tunnel Mode
C. Cisco IOS WebVPN
D. Cisco AnyConnect
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 72
When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 73
What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)
A. CSCO_WEBVPN_OTP_PASSWORD
B. CSCO_WEBVPN_INTERNAL_PASSWORD
C. CSCO_WEBVPN_USERNAME
D. CSCO_WEBVPN_RADIUS_USER
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 74
Refer to the exhibit. Based on the partial configuration shown, which the GET VPN group member GDOI
configuration?
A. key server IP address
B. local priority
C. mapping of the IPsec profile to the IPsec SA
D. mapping of the IPsec transform set to the GDOI group
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 75
An internet-based VPN solution is being considered to replace an existing private WAN connecting remote offices. A multimedia application is used that relies on multicast for communication. Which two VPN solutions meet the application's network requirement? (Choose two.)
A. FlexVPN
B. DMVPN
C. Group Encrypted Transport VPN
D. Crypto-map based Site-to-Site IPsec VPNs
E. AnyConnect VPN
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 76
In a GET VPN solution, which two ways can the key server distribute the new keys to the group members during the rekey process? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 77
An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a web browser. What is a possible reason for the failure?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70664-IOSthinclient.html
Thin-Client SSL VPN (Port Forwarding)
A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.
QUESTION 78
When implementing GET VPN, which of these is a characteristic of GDOI IKE?
A. GDOI IKE sessions are established between all peers in the network
B. GDOI IKE uses UDP port 500
C. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy
D. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 79
Which two features are required when configuring a DMVPN network? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 80
When you are configuring a DMVPN network, which tunnel mode should you use for the hub router configuration?
A. GRE multipoint
B. classic point-to-point GRE
C. IPsec multipoint
D. nonbroadcast multiaccess
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 81
Which Cisco IOS feature provides secure, on-demand meshed connectivity?
A. Easy VPN
B. IPsec VPN
C. mGRE
D. DMVPN
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 82
Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 83
When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you use for the spoke router configuration?
A. GRE multipoint
B. Classic point-to-point GRE
C. IPsec multipoint
D. Nonbroadcast multiaccess
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 84
With Cisco ASA active/standby failover, by default, how many monitored interface failures will cause failover to occur?
A. 1
B. 2
C. 3
D. 4
E. 5
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 85
Which two statements about the running configuration of the Cisco ASA are true? (Choose two.)
A. The auto NAT configuration causes all traffic arriving on the inside interface destined to any outside destinations to be translated with dynamic port address translation using the outside interface IP address.
B. The Cisco ASA is using the Cisco ASDM image from disk1:/asdm-642.bin
C. The Cisco ASA is set up as the DHCP server for hosts that are on the inside and outside interfaces.
D. SSH and Cisco ASDM access to the Cisco ASA requires AAA authentication using the LOCAL user database.
E. The Cisco ASA is using a persistent self-signed certificate so users can authenticate the Cisco ASA when accessing it via ASDM
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 86
Which option lists the main tasks in the correct order to configure a new Layer 3 and 4 inspection policy on the Cisco ASA appliance using the Cisco ASDM Configuration > Firewall > Service Policy Rules pane?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 87
By default, how does a Cisco ASA appliance process IP fragments?
A. Each fragment passes through the Cisco ASA appliance without any inspections.
B. Each fragment is blocked by the Cisco ASA appliance.
C. The Cisco ASA appliance verifies each fragment and performs virtual IP re-assembly before the full IP packet is forwarded out.
D. The Cisco ASA appliance forwards the packet out as soon as all of the fragments of the packet have been received.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 88
Which other match command is used with the match flow ip destination-address command within the class map configurations of the Cisco ASA MPF?
A. match tunnel-group
B. match access-list
C. match default-inspection-traffic
D. match port
E. match dscp
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 89
Which Cisco ASA configuration is used to configure the TCP intercept feature?
A. a TCP map
B. an access list
C. the established command
D. the set connection command with the embryonic-conn-max option
E. a type inspect policy map
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 90
On which type of encrypted traffic can a Cisco ASA appliance running software version 8.4.1 perform application inspection and control?
A. IPsec
B. SSL
C. IPsec or SSL
D. Cisco Unified Communications
E. Secure FTP
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 91
The Cisco ASA software image has been erased from flash memory. Which two statements about the process to recover the Cisco ASA software image are true? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 92
Which two Cisco ASA licensing features are correct with Cisco ASA Software Version 8.3 and later? (Choose two.)
A. Identical licenses are not required on the primary and secondary Cisco ASA appliance.
B. Cisco ASA appliances configured as failover pairs disregard the time-based activation keys.
C. Time-based licenses are stackable in duration but not in capacity.
D. A time-based license completely overrides the permanent license, ignoring all permanently licensed
features until the time-based license is uninstalled.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 93
Which three actions can be applied to a traffic class within a type inspect policy map? (Choose three.)
A. drop
B. priority
C. log
D. pass
E. inspect
F. reset
Correct Answer: ACF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 94
Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per
second, 600,000 maximum connections, and traffic shaping?
A. 5540
B. 5550
C. 5580-20
D. 5580-40
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 95
Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL
VPN session. Which statement is correct concerning the SSL VPN authorization process?
A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an
external AAA server.
B. Remote clients can be authorized externally by applying group parameters from an external database.
C. Remote client authorization is supported by RADIUS and TACACS+ protocols.
D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Cisco IOS SSL VPN configuration guide (the excerpt below describes the IOS WebVPN gateway; the same
principle holds on the ASA, where group parameters returned by an external AAA database authorize the
session, hence answer B):
The aaa authentication command is entered to specify an authentication list or server group under an SSL
VPN context configuration. If this command is not configured and AAA is configured globally on the router,
global authentication is applied to the context configuration.
The database that is configured for remote-user authentication on the SSL VPN gateway can be a local
database, or the database can be accessed through any RADIUS or TACACS+ AAA server.
We recommend that you use a separate AAA server, such as a Cisco Access Control Server (ACS). A
separate AAA server provides a more robust security solution. It allows you to configure unique passwords
for each remote user and accounting and logging for remote-user sessions.
QUESTION 96
Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the validation of
two sets of username and password credentials on the SSL VPN login page?
A. Single Sign-On
B. Certificate to Profile Mapping
C. Double Authentication
D. RSA OTP
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 97
A custom desktop application needs to access an internal server. An administrator is tasked with
configuring the company's SSL VPN gateway to allow remote users to work. Which two technologies
would accommodate the company's requirement? (Choose two.)
A. AnyConnect client
B. Smart Tunnels
C. Email Proxy
D. Content Rewriter
E. Portal Customizations
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 98
A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing traffic to be
blackholed. Which command should be used to identify the peer from which that route originated?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 99
Refer to the exhibit. Which authentication method was used by the remote peer to prove its identity?
A. Extensible Authentication Protocol
B. certificate authentication
C. pre-shared key
D. XAUTH
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 100
Refer to the exhibit. An IPsec peer is exchanging routes using IKEv2, but the routes are not installed in the
RIB. Which configuration error is causing the failure?
A. IKEv2 routing requires certificate authentication, not pre-shared keys.
B. An invalid administrative distance value was configured.
C. The match identity command must refer to an access list of routes.
D. The IKEv2 authorization policy is not referenced in the IKEv2 profile.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 101
Refer to the exhibit. An administrator is adding IPv6 addressing to an already functioning tunnel. The
administrator is unable to ping 2001:DB8:100::2 but can ping 209.165.200.226. Which configuration needs
to be added or changed?
A. No configuration change is necessary. Everything is working correctly.
B. OSPFv3 needs to be configured on the interface.
C. NHRP needs to be configured to provide NBMA mapping.
D. Tunnel mode needs to be changed to GRE IPv4.
E. Tunnel mode needs to be changed to GRE IPv6.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The IPv6 packets are encapsulated in IPv4 packets so that they can be carried across the IPv4 transport
network. The tunnel must therefore remain an IPv4 GRE tunnel (tunnel mode gre ip) with the IPv6 address
configured on the tunnel interface; an IPv6 GRE mode would need an IPv6 transport between the two
endpoints, which is not what is in place here.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-3s/ir-xe-3s-book/ip6-ip4-gre-tunls-xe.html
QUESTION 102
Refer to the exhibit. The IKEv2 tunnel between Router1 and Router2 is failing during session
establishment. Which action will allow the session to establish correctly?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 103
You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the
debug crypto isakmp command on the headend router, you see the following output.
What does this output suggest?
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1): no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
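The pattern above (every phase-1 attribute rejected, then main mode fails with the peer) is what an ISAKMP policy mismatch looks like on the responder. As an added example that is not part of the original dump, the following Python triages debug crypto isakmp output: the page's four lines are re-typed as the first sample, a second sample is constructed, and the extra phase-2 and pre-shared-key signatures are an assumption drawn from commonly seen IOS debug messages, so the classifier goes a little beyond the single case in the question.

```python
"""Triage Cisco IOS 'debug crypto isakmp' output and name the likely failure.

Added example: the first sample is re-typed from the question, the second is
constructed; the signature list is an assumption based on commonly seen IOS
messages, not an exhaustive catalogue."""
import re
from dataclasses import dataclass, field

# Phase-1 strings are the ones quoted in the question. The phase-2 and
# pre-shared-key strings are other IOS debug messages commonly seen when the
# respective step fails; they extend the triage to the next two failure modes.
SIGNATURES = (
    ("phase1_policy_mismatch",
     re.compile(r"atts are not acceptable|no offers accepted|SA not acceptable")),
    ("phase2_proposal_mismatch",
     re.compile(r"IPSec policy invalidated proposal|phase 2 SA policy not acceptable")),
    ("psk_or_identity_mismatch",
     re.compile(r"IKMP_BAD_MESSAGE|failed its sanity check")),
)

# Where the peer address shows up in the messages.
PEER_PATTERNS = (
    re.compile(r"peer at (\d{1,3}(?:\.\d{1,3}){3})"),
    re.compile(r"IKE message from (\d{1,3}(?:\.\d{1,3}){3})"),
)

ADVICE = {
    "phase1_policy_mismatch":
        "no ISAKMP policy pair matched: compare 'show crypto isakmp policy' on both "
        "peers; encryption, hash, DH group and authentication method must agree in at "
        "least one policy",
    "phase2_proposal_mismatch":
        "phase 1 completed but the IPsec proposal was rejected: compare transform sets, "
        "tunnel/transport mode and the crypto ACLs, which must mirror each other",
    "psk_or_identity_mismatch":
        "the peer's IKE message failed its sanity check, which on IOS usually means the "
        "pre-shared keys differ or the key is bound to the wrong peer address",
}


@dataclass
class Verdict:
    causes: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    evidence: list = field(default_factory=list)

    def report(self) -> str:
        if not self.causes:
            return "no known failure signature found"
        lines = [f"peer(s): {', '.join(sorted(self.peers)) or 'unknown'}"]
        lines += [f"- {c}: {ADVICE[c]}" for c in sorted(self.causes)]
        return "\n".join(lines)


def triage(debug_text: str) -> Verdict:
    """Scan debug output line by line; each line contributes at most one cause."""
    v = Verdict()
    for raw in debug_text.splitlines():
        line = raw.strip()
        for cause, pat in SIGNATURES:
            if pat.search(line):
                v.causes.add(cause)
                v.evidence.append(line)
                break
        for pat in PEER_PATTERNS:
            m = pat.search(line)
            if m:
                v.peers.add(m.group(1))
    return v


# The output quoted in the question, one message per line.
PAGE_DEBUG = """\
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1): no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10
"""

# Constructed sample of a pre-shared-key mismatch (not from the page).
PSK_DEBUG = """\
1d00h: ISAKMP (0:2): processing ID payload. message ID = 0
1d00h: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.10.10.20 failed its sanity check or is malformed
"""

if __name__ == "__main__":
    for name, text in (("page output", PAGE_DEBUG), ("constructed PSK mismatch", PSK_DEBUG)):
        print(f"== {name}\n{triage(text).report()}\n")
```

Run it on a saved debug capture rather than on a live console: debug crypto isakmp is verbose, so collect it with logging buffered, then feed the buffer to triage() and act on the first cause listed.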
QUESTION 104
You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the
debug crypto ipsec command on the headend router, you see the following output.
What does this output suggest?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 105
Which adaptive security appliance command can be used to see a generic framework of the requirements
for configuring a VPN tunnel between an adaptive security appliance and a Cisco IOS router at a remote
office?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 106
After completing a site-to-site VPN setup between two routers, application performance over the tunnel is
slow. You issue the show crypto ipsec sa command and see the following output. What does this output
suggest?
interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)
   current_peer 209.165.200.230 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836
    #pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
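The counters are the evidence here: outbound, every packet that was encapsulated was also encrypted (34836 = 34836), but inbound 26922 packets were decapsulated and only 19211 decrypted, so 7711 packets were dropped inside this router's IPsec path. As an added example that is not part of the original dump, the following Python parses the output quoted in the question (re-typed as the sample) and flags that kind of asymmetry; the healthy variant is constructed, and the explanations attached to each finding are the editor's, not Cisco's.

```python
"""Audit 'show crypto ipsec sa' counters for packets lost inside the IPsec path.

Added example: SAMPLE is the output quoted in the question, re-typed; HEALTHY is
a constructed variant; the findings' wording is the editor's."""
import re

SAMPLE = """\
interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)
   current_peer 209.165.200.230 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836
    #pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""

# Constructed healthy variant of the same SA: every received packet decrypted.
HEALTHY = SAMPLE.replace("decrypt: 19211", "decrypt: 26922").replace("verify: 19211", "verify: 26922")

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")


def parse_sa(text: str) -> dict:
    """Pull the packet counters, error counters and peer out of one SA block."""
    sa = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    for kind, val in ERROR_RE.findall(text):
        sa[f"{kind}_errors"] = int(val)
    m = PEER_RE.search(text)
    sa["peer"] = m.group(1) if m else None
    return sa


def audit(sa: dict) -> list:
    """Return (kind, count, explanation) tuples; an empty list means the counters agree."""
    findings = []
    out_gap = sa["encaps"] - sa["encrypt"]
    in_gap = sa["decaps"] - sa["decrypt"]
    if out_gap:
        findings.append(("outbound_drop_after_encaps", out_gap,
                         "packets accepted for encapsulation were never encrypted; look at "
                         "the crypto engine and the send errors counter"))
    if in_gap:
        findings.append(("inbound_drop_after_decaps", in_gap,
                         "packets were received on the SA but never decrypted; on IOS this "
                         "is typically anti-replay window drops caused by reordering or "
                         "fragmentation, confirm with the 'replay failed (rcv)' counter in "
                         "'show crypto ipsec sa detail'"))
    if sa["decrypt"] != sa["verify"]:
        findings.append(("integrity_failures", abs(sa["decrypt"] - sa["verify"]),
                         "decrypted and verified counts differ; suspect the peer's transform "
                         "set or key material"))
    for kind in ("send", "recv"):
        if sa.get(f"{kind}_errors"):
            findings.append((f"{kind}_errors", sa[f"{kind}_errors"],
                             f"non-zero {kind} errors on the SA"))
    return findings


if __name__ == "__main__":
    for label, text in (("page output", SAMPLE), ("constructed healthy SA", HEALTHY)):
        sa = parse_sa(text)
        print(f"== {label} (peer {sa['peer']})")
        for kind, count, why in audit(sa) or [("ok", 0, "counters are consistent")]:
            print(f"  {kind}: {count}  {why}")
```

Sample two snapshots a minute apart and diff the counters: a gap that keeps growing while traffic is flowing points at a live drop, a static gap is history from before the last clear.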
QUESTION 107
Which Cisco adaptive security appliance command can be used to view the count of all active VPN
sessions?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 108
Refer to the exhibit. An administrator had the above configuration working with SSL protocol, but as soon
as the administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not able to
connect. What is the problem?
A. IPsec will not work in conjunction with a group URL.
B. The Cisco AnyConnect implementation does not allow the two group URLs to be the same.
SSL does allow this.
C. If you specify the primary protocol as IPsec, the User Group must be the exact name of the connection
profile (tunnel group).
D. A new XML profile should be created instead of modifying the existing profile, so that the clients force
the update.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 109
The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error message is
displayed:
A. DAP is terminating the connection because IKEv2 is the protocol that is being used.
B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection.
C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism.
D. The administrator is restricting access to this specific user.
E. The IKEv2 protocol is not enabled in the group policy of the VPN headend.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 110
The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend using
IKEv2. What is the most likely cause of this problem?
A. User profile updates are not allowed with IKEv2.
B. IKEv2 is not enabled on the group policy.
C. A new profile must be created so that the adaptive security appliance can push it to the client on the
next connection attempt.
D. Client Services is not enabled on the adaptive security appliance.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 111
Refer to the exhibit. The network administrator is adding a new spoke, but the tunnel is not passing traffic.
What could cause this issue?
A. DMVPN is a point-to-point tunnel, so there can be only one spoke.
B. There is no EIGRP configuration, and therefore the second tunnel is not working.
C. The NHRP authentication is failing.
D. The transform set must be in transport mode, which is a requirement for DMVPN.
E. The NHRP network ID is incorrect.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#wp1055049
QUESTION 112
Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2
connection, while SSL works fine? (Choose two.)
A. Verify that the primary protocol on the client machine is set to IPsec.
B. Verify that AnyConnect is enabled on the correct interface.
C. Verify that the IKEv2 protocol is enabled on the group policy.
D. Verify that ASDM and AnyConnect are not using the same port.
E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 113
Regarding licensing, which option will allow IKEv2 connections on the adaptive security appliance?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 114
What action does the hub take when it receives a NHRP resolution request from a spoke for a network that
exists behind another spoke?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 115
A spoke has two Internet connections for failover. How can you achieve optimum failover without affecting
any other router in the DMVPN cloud?
A. Create another DMVPN cloud by configuring another tunnel interface that is sourced from the second
ISP link.
B. Use another router at the spoke site, because two ISP connections on the same router for the same
hub is not allowed.
C. Configure SLA tracking, and when the primary interface goes down, manually change the tunnel
source of the tunnel interface.
D. Create another tunnel interface with same configuration except the tunnel source, and configure the if-
state nhrp and backup interface commands on the primary tunnel interface.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-
xe-3s-book/sec-conn-dmvpn-tun-mon.pdf
QUESTION 116
In DMVPN phase 2, which two EIGRP features need to be disabled on the hub to allow spoke-to-spoke
communication? (Choose two.)
A. autosummary
B. split horizon
C. metric calculation using bandwidth
D. EIGRP address family
E. next-hop-self
F. default administrative distance
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 117
What does NHRP stand for?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 118
When troubleshooting established clientless SSL VPN issues, which three steps should be taken?
(Choose three.)
QUESTION 119
A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish the
connection. Which three commands can be used for troubleshooting of the AAA subsystem? (Choose
three.)
Explanation/Reference:
QUESTION 120
Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet
Explorer, while other browsers work fine?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 121
Refer to the exhibit. A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a
question about a line in the log.
The IP address 172.26.26.30 is attached to which interface in the network?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 122
You have been using pre-shared keys for IKE authentication on your VPN.
Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers.
How can you enable scaling to numerous IPsec peers?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 123
Which statement is correct concerning the trusted network detection (TND) feature?
A. The Cisco AnyConnect 3.0 Client supports TND on Windows, Mac, and Linux platforms.
B. With TND, one result of a Cisco Secure Desktop basic scan on an endpoint is to determine whether a
device is a member of a trusted or an untrusted network.
C. If enabled, and a CSD scan determines that a host is a member of an untrusted network, an
administrator can configure the TND feature to prohibit an end user from launching the Cisco
AnyConnect VPN Client.
D. When the user is inside the corporate network, TND can be configured to automatically disconnect a
Cisco AnyConnect session.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html
Trusted Network Detection
Trusted Network Detection (TND) gives you the ability to have AnyConnect automatically disconnect a
VPN connection when the user is inside the corporate network (the trusted network) and start the VPN
connection when the user is outside the corporate network (the untrusted network). This feature
encourages greater security awareness by initiating a VPN connection when the user is outside the trusted
network.
If AnyConnect is also running Start Before Logon (SBL), and the user moves into the trusted network, the
SBL window displayed on the computer automatically closes. TND does not interfere with the ability of the
user to manually establish a VPN connection. It does not disconnect a VPN connection that the user starts
manually in the trusted network. TND only disconnects the VPN session if the user first connects in an
untrusted network and moves into a trusted network. For example, TND disconnects the VPN session if
the user makes a VPN connection at home and then moves into the corporate office.
Because the TND feature controls the AnyConnect GUI and automatically initiates connections, the GUI
should run at all times. If the user exits the GUI, TND does not automatically start the VPN connection.
You configure TND in the AnyConnect profile. No changes are required to the ASA configuration.
QUESTION 124
Refer to the exhibit. A NOC engineer needs to tune some postlogin parameters on an SSL VPN tunnel.
From the information shown, where should the engineer navigate to, in order to find all the postlogin
session parameters?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac05hostscanposture.html#wp1039696
QUESTION 125
Which statement about plug-ins is false?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1162435
Plug-ins
The security appliance supports Java plug-ins for clientless SSL VPN connections.
Plug-ins are Java programs that operate in a browser.
These plug-ins include SSH/Telnet, RDP, VNC, and Citrix.
Per the GNU General Public License (GPL), Cisco redistributes plug-ins without making any changes to
them.
Per the GPL, Cisco cannot directly enhance these plug-ins. To use plug-ins you must install Java Runtime
Environment (JRE) 1.4.2.x or greater.
You must also use a compatible browser specified here:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpncompatibility.html
QUESTION 126
When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or PAT,
which type of VPN tunneling should you use to allow the VPN traffic through the stateful firewall?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
IPsec over TCP enables a VPN client to operate in an environment in which standard Encapsulating
Security Payload (ESP, IP protocol 50) or Internet Key Exchange (IKE, UDP port 500) traffic cannot pass,
or can pass only after the firewall rules are modified. IPsec over TCP encapsulates both the IKE and the
IPsec protocols within a TCP stream, and it enables secure tunneling through NAT and PAT devices and
firewalls. The standards-based alternative is NAT Traversal (NAT-T, RFC 3947/3948), which wraps ESP in
UDP port 4500; IPsec over TCP (default TCP port 10000 on the ASA) is the option left when the firewall
in the path allows only TCP out.
QUESTION 127
Refer to the exhibit. The ABC Corporation is changing remote-user authentication from pre-shared keys to
certificate-based authentication. For most employee authentication, its group membership (the employees)
governs corporate access. Certain management personnel need access to more confidential servers.
Access is based on the group and name, such as finance and level_2. When it is time to pilot the new
authentication policy, a finance manager is able to access the department-assigned servers but cannot
access the restricted servers.
As the network engineer, where would you look for the problem?
A. Check the validity of the identity and root certificate on the PC of the finance manager.
B. Change the Management Certificate to Connection Profile Maps > Rule Priority to a number that is
greater than 10.
C. Check if the Management Certificate to Connection Profile Maps > Rules is configured correctly.
D. Check if the Certificate to Connection Profile Maps > Policy is set correctly.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 128
Refer to the exhibit. While configuring a site-to-site VPN tunnel, a new NOC engineer encounters the
Reverse Route Injection parameter.
Assuming that static routes are redistributed by the Cisco ASA to the IGP, what effect does enabling
Reverse Route Injection on the local Cisco ASA have on a configuration?
A. The local Cisco ASA advertises its default routes to the distant end of the site-to-site VPN tunnel.
B. The local Cisco ASA advertises routes from the dynamic routing protocol that is running on the local
Cisco ASA to the distant end of the site-to-site VPN tunnel.
C. The local Cisco ASA advertises routes that are at the distant end of the site-to-site VPN tunnel.
D. The local Cisco ASA advertises routes that are on its side of the site-to-site VPN tunnel to the distant
end of the site-to-site VPN tunnel.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml
QUESTION 129
Refer to the exhibit. The "level_2" digital certificate was installed on a laptop.
What can cause an "invalid not active" status message?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
Certificates have a date and time at which they become valid and at which they expire. When the security
appliance enrolls with a CA and gets a certificate, it checks that the current time is within the valid range
for the certificate. If it is outside that range, enrollment fails.
The same check applies when the ASA validates the certificate that the PC presents: if the current time is
still before the certificate's start date (typically because a clock is wrong, or the certificate was issued
moments ago by a CA whose clock runs ahead), the certificate is reported as "invalid not active".
QUESTION 130
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec
policy parameters.
Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 131
Refer to the exhibit. A new NOC engineer is troubleshooting a VPN connection.
Which statement about the fields within the Cisco VPN Client Statistics screen is correct?
A. The ISP-assigned IP address of 10.0.21.1 is assigned to the VPN adapter of the PC.
B. The IP address of the security appliance to which the Cisco VPN Client is connected is 192.168.1.2.
C. CorpNet is the name of the Cisco ASA group policy whose tunnel parameters the connection is using.
D. The ability of the client to send packets transparently and unencrypted through the tunnel for test
purposes is turned off.
E. With split tunneling enabled, the Cisco VPN Client registers no decrypted packets.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 132
What is a valid reason for configuring a list of backup servers on the Cisco AnyConnect VPN Client profile?
Correct Answer: C
Section: (none)
Explanation
QUESTION 133
Your corporate finance department purchased a new non-web-based TCP application tool to run on one of
its servers.
Certain finance employees need remote access to the software during nonbusiness hours. These
employees do not have "admin" privileges to their PCs.
What is the correct way to configure the SSL VPN tunnel to allow this application to run?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 134
A temporary worker must use clientless SSL VPN with an SSH plug-in, in order to access the console of
an internal corporate server, the projects.xyz.com server.
For security reasons, the network security auditor insists that the temporary user is restricted to the one
internal corporate server, 10.0.4.18.
You are the network engineer who is responsible for the network access of the temporary user.
What should you do to restrict SSH access to the one projects.xyz.com server?
A. Configure access-list temp_user_acl extended permit TCP any host 10.0.4.18 eq 22.
B. Configure access-list temp_user_acl standard permit host 10.0.4.18 eq 22.
C. Configure access-list temp_acl webtype permit url ssh://10.0.4.18.
D. Configure a plug-in SSH bookmark for host 10.0.4.18, and disable network browsing on the clientless
SSL VPN portal of the temporary worker.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 135
Refer to the exhibit. A junior network engineer configured the corporate Cisco ASA appliance to
accommodate a new temporary worker. For security reasons, the IT department wants to restrict the
internal network access of the new temporary worker to the corporate server, with an IP address of
10.0.4.10. After the junior network engineer finished the configuration, an IT security specialist tested the
account of the temporary worker. The tester was able to access the URLs of additional secure servers
from the WebVPN user account of the temporary worker.
What did the junior network engineer configure incorrectly?
A. The ACL was configured incorrectly.
B. The ACL was applied incorrectly or was not applied.
C. Network browsing was not restricted on the temporary worker group policy.
D. Network browsing was not restricted on the temporary worker user policy.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 136
Refer to the exhibit. You are configuring a laptop with the Cisco VPN Client, which uses digital certificates
for authentication.
Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?
A. FTP
B. LDAP
C. HTTPS
D. SCEP
E. OCSP
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
About CRLs
Certificate Revocation Lists provide the security appliance with one means of determining whether a
certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a part
of the configuration of a trustpoint.
You can configure the security appliance to make CRL checks mandatory when authenticating a certificate
(revocation-check crl command). You can also make the CRL check optional by adding the none argument
(revocation-check crl none command), which allows the certificate authentication to succeed when the CA
is unavailable to provide updated CRL data.
The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each
trustpoint are cached for a length of time configurable for each trustpoint. When the security appliance has
cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance
considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer
version of the CRL the next time a certificate authentication requires checking the stale CRL.
QUESTION 137
Refer to the exhibit. The user "contractor" inherits which VPN group policy?
A. employee
B. management
C. DefaultWEBVPNGroup
D. DfltGrpPolicy
E. new_hire
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 138
When initiating a new SSL or TLS session, the client receives the server SSL certificate and validates it.
After validating the server certificate, what does the client use the certificate for?
A. The client and server use the server public key to encrypt the SSL session data.
B. The server creates a separate session key and sends it to the client. The client decrypts the session
key by using the server public key.
C. The client and server switch to a DH key exchange to establish a session key.
D. The client generates a random session key, encrypts it with the server public key, and then sends it to
the server.
Correct Answer: D
Section: (none)
Explanation
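As an added example that is not from the page, the following Python models the exchange in answer D with textbook RSA on two hard-coded primes (an assumed demo key: far too small for real use, and with no padding): the client encrypts a random premaster secret to the server's public key, the server recovers it with its private key, and both sides then derive the same session key from the premaster plus the two hello nonces (HMAC-SHA256 stands in for the TLS PRF). The caveat a practitioner should keep in mind is that this RSA key transport exists only in TLS 1.2 and earlier; TLS 1.3 removed it in favour of (EC)DHE because anyone who later obtains the server's private key can decrypt recorded sessions.

```python
"""Toy model of the RSA key exchange described in answer D (TLS 1.2 and earlier).

Added example, not from the page: textbook RSA with two hard-coded primes and no
padding, so the modulus is tiny and the scheme is illustrative only. HMAC-SHA256
stands in for the TLS PRF that turns the premaster secret into session keys."""
import hashlib
import hmac
import secrets

# Assumed demo primes (real primes, but tiny by RSA standards).
P = 1000000007
Q = 998244353
E = 65537


def _modinv(a: int, m: int) -> int:
    """Extended Euclid: return a^-1 mod m (a and m must be coprime)."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("not invertible")
    return old_s % m


def server_keygen():
    """Server's long-term RSA pair; in TLS the public half arrives in the certificate."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    return (n, E), (n, _modinv(E, phi))


def client_key_exchange(server_pub, premaster=None):
    """Client: pick a random premaster secret, encrypt it to the server public key."""
    n, e = server_pub
    if premaster is None:
        premaster = secrets.randbelow(n - 2) + 2   # skip the trivial values 0 and 1
    return premaster, pow(premaster, e, n)        # ClientKeyExchange payload


def server_decrypt(server_priv, ciphertext):
    """Server: only the holder of the private exponent recovers the premaster."""
    n, d = server_priv
    return pow(ciphertext, d, n)


def derive_keys(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Both sides compute the same key from premaster + both nonces (PRF stand-in)."""
    secret = premaster.to_bytes(8, "big")          # modulus is below 2**60
    return hmac.new(secret, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()


def handshake() -> dict:
    """Run one exchange end to end and return what each side ends up with."""
    server_pub, server_priv = server_keygen()
    client_random = secrets.token_bytes(32)        # ClientHello.random
    server_random = secrets.token_bytes(32)        # ServerHello.random
    premaster, encrypted = client_key_exchange(server_pub)
    recovered = server_decrypt(server_priv, encrypted)
    return {
        "client_key": derive_keys(premaster, client_random, server_random),
        "server_key": derive_keys(recovered, client_random, server_random),
        "premaster_recovered": recovered == premaster,
    }


if __name__ == "__main__":
    result = handshake()
    print("premaster recovered:", result["premaster_recovered"])
    print("session keys match:", result["client_key"] == result["server_key"])
```

The nonces are what stop a replayed ClientKeyExchange from yielding the same keys twice; the private key is what a passive recorder needs, which is exactly why this mode has no forward secrecy.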
QUESTION 139
Refer to the exhibit. A NOC engineer is in the process of entering information into the Create New VPN
Connection Entry fields.
Which statement correctly describes how to do this?
A. In the Connection Entry field, enter the name of the connection profile as it is specified on the Cisco
ASA appliance.
B. In the Host field, enter the IP address of the remote client device.
C. In the Authentication tab, click the Group Authentication or Mutual Group Authentication radio button to
enable symmetrical pre-shared key authentication.
D. In the Name field, enter the name of the connection profile as it is specified on the Cisco ASA
appliance.
Correct Answer: D
Section: (none)
Explanation
QUESTION 140
Refer to the exhibit. For the ABC Corporation, members of the NOC need the ability to select tunnel groups
from a drop-down menu on the Cisco WebVPN login page.
As the Cisco ASA administrator, how would you accomplish this task?
A. Define a special identity certificate with multiple groups, which are defined in the certificate OU field,
that will grant the certificate holder access to the named groups on the login page.
B. Under Group Policies, define a default group that encompasses the required individual groups that will
appear on the login page.
C. Under Connection Profiles, define a NOC profile that encompasses the required individual profiles that
will appear on the login page.
D. Under Connection Profiles, enable "Allow user to select connection profile."
Correct Answer: D
Section: (none)
Explanation
QUESTION 141
Refer to the exhibit. While troubleshooting on a remote-access VPN application, a new NOC engineer
received the message that is shown.
A. The IP address that is assigned to the PC of the VPN user is not within the range of addresses that are
assigned to the SVC connection.
B. The IP address that is assigned to the PC of the VPN user is in use. The remote user needs to select a
different host address within the range.
C. The IP address that is assigned to the PC of the VPN user is in the wrong subnet. The remote user
needs to select a different host number within the correct subnet.
D. The IP address pool for contractors was not applied to their connection profile.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
%ASA-5-722006: Group group User user-name IP IP_address Invalid address IP_address assigned to SVC
connection.
Explanation: An invalid address was assigned to the user.
Recommended Action: Verify and correct the address assignment, if possible.
QUESTION 142
When using clientless SSL VPN, you might not want some applications or web resources to go through the
Cisco ASA appliance.
For these application and web resources, as a Cisco ASA administrator, which configuration should you
use?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_web.html
Content Rewrite
The Content Rewrite pane lists all applications for which content rewrite is enabled or disabled.
Clientless SSL VPN processes application traffic through a content transformation/rewriting engine that
includes advanced elements such as JavaScript, VBScript, Java, and multi- byte characters to proxy HTTP
traffic which may have different semantics and access control rules depending on whether the user is
using an application within or independently of an SSL VPN device.
By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want some
applications and web resources (for example, public websites) to go through the security appliance. The
security appliance therefore lets you create rewrite rules that let users browse certain sites and
applications without going through the security appliance. This is similar to split-tunneling in an IPSec VPN
connection. You can create multiple rewrite rules. The rule number is important because the security
appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that
matches.
QUESTION 143
Refer to the exhibit. While troubleshooting a remote-access application, a new NOC engineer received the
logging message that is shown in the exhibit.
A. IKE configuration
B. extended authentication configuration
C. IPsec configuration
D. digital certificate configuration
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 144
Which statement about CRL configuration is correct?
Explanation/Reference:
Explanation:
ASA SSL VPN deployment guide:
The security appliance supports various authentication methods: RSA one-time passwords, RADIUS,
Kerberos, LDAP, NT Domain, TACACS+, local/internal, digital certificates, and a combination of AAA
authentication and certificates.
QUESTION 145
Refer to the exhibit. When the user "contractor" Cisco AnyConnect tunnel is established, what type of
Cisco ASA user restrictions are applied to the tunnel?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 146
Refer to the exhibit. A NOC engineer needs to tune some prelogin parameters on an SSL VPN tunnel.
From the information that is shown, where should the engineer navigate to find the prelogin session
attributes?
A. "engineering" Group Policy
B. "contractor" Connection Profile
C. "engineer1" AAA/Local Users
D. DfltGrpPolicy Group Policy
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac05hostscanposture.html#wp1039696
QUESTION 147
An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation headquarters,
tried to access the XYZ sales demonstration folder to transfer a demonstration via FTP from an ABC
conference room behind the firewall. The engineer could not reach XYZ through the remote-access VPN
tunnel. From home the previous day, however, the engineer did connect to the XYZ sales demonstration
folder and transferred the demonstration via IPsec over DSL.
To get the connection to work and transfer the demonstration, what should the engineer do?
A. Change the MTU size on the IPsec client to account for the change from DSL to cable transmission.
B. Enable the local LAN access option on the IPsec client.
C. Enable the IPsec over TCP option on the IPsec client.
D. Enable the clientless SSL VPN option on the PC.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an
environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key
Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with modification
to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP
packet, and it enables secure tunneling through both Network Address Translation (NAT) and Port
Address Translation (PAT) devices and firewalls.
QUESTION 148
Which statement regarding hashing is correct?
A. MD5 produces a 64-bit message digest.
B. SHA-1 produces a 160-bit message digest.
C. MD5 takes more CPU cycles to compute than SHA-1.
D. Changing 1 bit of the input to SHA-1 can change up to 5 bits in the output.
Correct Answer: B
Section: (none)
Explanation
QUESTION 149
Refer to the exhibit. In the CLI snippet that is shown, what is the function of the deny option in the access
list?
A. When set in conjunction with outbound connection-type bidirectional, its function is to prevent the
specified traffic from being protected by the crypto map entry.
B. When set in conjunction with connection-type originate-only, its function is to instruct the Cisco ASA to
deny specific inbound traffic if it is not encrypted.
C. When set in conjunction with outbound connection-type answer-only, its function is to instruct the Cisco
ASA to deny specific outbound traffic if it is not encrypted.
D. When set in conjunction with connection-type originate-only, its function is to cause all IP traffic that
matches the specified conditions to be protected by the crypto map.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 150
Which cryptographic algorithms are a part of the Cisco NGE suite?
A. HIPPA DES
B. AES-CBC-128
C. RC4-128
D. AES-GCM-256
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
https://www.cisco.com/web/learning/le21/le39/docs/tdw166_prezo.pdf
QUESTION 151
Which transform set is contained in the IKEv2 default proposal?
Explanation/Reference:
QUESTION 152
Which command clears all crypto configuration from a Cisco Adaptive Security Appliance?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 153
Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel group in
cleartext?
A. more system:running-config
B. show running-config crypto
C. show running-config tunnel-group
D. show running-config tunnel-group-map
E. clear config tunnel-group
F. show ipsec policy
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 154
An administrator desires that when work laptops are not connected to the corporate network, they should
automatically initiate an AnyConnect VPN tunnel back to headquarters. Where does the administrator
configure this?
A. Via the svc trusted-network command under the group-policy sub-configuration mode on the ASA
B. Under the "Automatic VPN Policy" section inside the Anyconnect Profile Editor within ASDM
C. Under the TNDPolicy XML section within the Local Preferences file on the client computer
D. Via the svc trusted-network command under the global webvpn sub-configuration mode on the ASA
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 155
The following configuration steps have been completed:
What additional step is required if the client software fails to load when connecting to the ASA SSL page?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70511-sslvpnclient-asa.html#step2
From the document above, under the link “Step 2. Install and Enable the SSL VPN Client on the ASA”,
starting with Step 5, it says to enable the “SSL VPN Client” after uploading the image.
This is very true because I forgot to do this one time after loading a new version of AnyConnect and the
client failed to load.
QUESTION 156
Remote users want to access internal servers behind an ASA using Microsoft terminal services. Which
option outlines the steps required to allow users access via the ASA clientless VPN portal?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 157
Which command is used to determine how many GMs have registered in a GETVPN environment?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 158
On which Cisco platform are dynamic virtual template interfaces available?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 159
Refer to the exhibit. Which statement about the given IKE policy is true?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 160
Refer to the exhibit. Which two statements about the given configuration are true? (Choose two.)
A. Defined PSK can be used by any IPSec peer.
B. Any router defined in group 2 will be allowed to connect.
C. It can be used in a DMVPN deployment
D. It is a LAN-to-LAN VPN ISAKMP policy.
E. It is an AnyConnect ISAKMP policy.
F. PSK will not work as configured
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 161
Refer to the exhibit. What technology does the given configuration demonstrate?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 162
Which command enables the router to form EIGRP neighbor adjacencies with peers using a different
subnet than the ingress interface?
A. ip unnumbered interface
B. eigrp router-id
C. passive-interface interface name
D. ip split-horizon eigrp as number
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 163
Which feature enforces the corporate policy for Internet access to Cisco AnyConnect VPN users?
A. Trusted Network Detection
B. Datagram Transport Layer Security
C. Cisco AnyConnect Customization
D. banner message
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 164
In which situation would you enable the Smart Tunnel option with clientless SSL VPN?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 165
Refer to the exhibit. You executed the show crypto ipsec sa command to troubleshoot an IPSec issue.
What problem does the given output indicate?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 166
Which two types of authentication are supported when you use Cisco ASDM to configure site-to-site
IKEv2 with IPv6? (Choose two.)
A. preshared key
B. webAuth
C. digital certificates
D. XAUTH
E. EAP
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 167
Which option describes the purpose of the shared argument in the DMVPN interface command tunnel
protection IPsec profile ProfileName shared?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 168
Which type of communication in a FlexVPN implementation uses an NHRP shortcut?
A. spoke to hub
B. spoke to spoke
C. hub to spoke
D. hub to hub
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 169
Which technology is FlexVPN based on?
A. OER
B. VRF
C. IKEv2
D. an RSA nonce
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 170
Which application does the Application Access feature of Clientless VPN support?
A. TFTP
B. VoIP
C. Telnet
D. active FTP
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 171
Where do you configure AnyConnect certificate-based authentication in ASDM?
A. group policies
B. AnyConnect Connection Profile
C. AnyConnect Client Profile
D. Advanced Network (Client) Access
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 172
Which protocols does the Cisco AnyConnect client use to build multiple connections to the security
appliance?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 173
Which is used by GETVPN, FlexVPN and DMVPN?
A. NHRP
B. MPLS
C. GRE
D. ESP
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 174
Which VPN solution is best for a collection of branch offices connected by MPLS that frequently make VoIP
calls between branches?
A. GETVPN
B. Cisco AnyConnect
C. site-to-site
D. DMVPN
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 175
Refer to the exhibit. Which VPN solution does this configuration represent?
A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 176
Refer to the exhibit. You have implemented an SSL VPN as shown. Which type of communication takes
place between the secure gateway R1 and the Cisco Secure ACS?
A. HTTP proxy
B. AAA
C. policy
D. port forwarding
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 177
Which technology can provide high availability for an SSL VPN?
A. DMVPN
B. a multiple-tunnel configuration
C. a Cisco ASA pair in active/passive failover configuration
D. certificate to tunnel group maps
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 178
Refer to the exhibit. Which VPN solution does this configuration represent?
A. Cisco AnyConnect
B. IPsec
C. L2TP
D. SSL VPN
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 179
Which technology must be installed on the client computer to enable users to launch applications from a
Clientless SSL VPN?
A. Java
B. QuickTime plug-in
C. Silverlight
D. Flash
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 180
In the Diffie-Hellman protocol, which type of key is the shared secret?
A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 181
Refer to the exhibit. Which exchange does this debug output represent?
A. IKE Phase 1
B. IKE Phase 2
C. symmetric key exchange
D. certificate exchange
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 182
Which two technologies are considered to be Suite B cryptography? (Choose two.)
A. MD5
B. SHA2
C. Elliptic Curve Diffie-Hellman
D. 3DES
E. DES
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 183
Which protocol does DTLS use for its transport?
A. TCP
B. UDP
C. IMAP
D. DDE
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 184
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify that the
IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
What is being used as the authentication method on the branch ISR?
A. Certificates
B. Pre-shared public keys
C. RSA public keys
D. Diffie-Hellman Group 2
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The show crypto isakmp key command shows the preshared key of "cisco".
QUESTION 185
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify that the
IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
Which transform set is being used on the branch ISR?
A. Default
B. ESP-3DES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS mode transport
D. TSET
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
This can be seen from the "show crypto ipsec sa" command as shown below:
QUESTION 186
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify that the
IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
In what state is the IKE security association on the Cisco ASA?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
This can be seen from the "show crypto isa sa" command:
QUESTION 187
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify that the
IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
Which crypto map tag is being used on the Cisco ASA?
A. outside_cryptomap
B. VPN-to-ASA
C. L2L_Tunnel
D. outside_map1
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
This is seen from the "show crypto ipsec sa" command on the ASA.
QUESTION 188
Which option describes what address preservation with IPsec Tunnel Mode allows when GETVPN is
used?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 189
Which feature is available in IKEv1 but not IKEv2?
A. Layer 3 roaming
B. aggressive mode
C. EAP variants
D. sequencing
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 190
Which feature is enabled by the use of NHRP in a DMVPN network?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 191
Which statement about the hub in a DMVPN configuration with iBGP is true?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 192
Refer to the exhibit. Which technology is represented by this configuration?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 193
Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 194
Which interface is managed by the VPN Access Interface field in the Cisco ASDM IPsec Site-to-Site VPN
Wizard?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 195
You are troubleshooting a DMVPN NHRP registration failure. Which command can you use to view
request counters?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 196
Refer to the exhibit. What is the purpose of the given configuration?
A. Establishing a GRE tunnel.
B. Enabling IPSec to decrypt fragmented packets.
C. Resolving access issues caused by large packet sizes.
D. Adding the spoke to the routing table.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 197
Which three commands are included in the command show dmvpn detail? (Choose three.)
Explanation/Reference:
QUESTION 198
Refer to the exhibit. Which action is demonstrated by this debug output?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 199
Which option describes the purpose of the command show derived-config interface virtual-access 1?
A. It verifies that the virtual access interface is cloned correctly with per-user attributes.
B. It verifies that the virtual template created the tunnel interface.
C. It verifies that the virtual access interface is of type Ethernet.
D. It verifies that the virtual access interface is used to create the tunnel interface.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 200
Which two RADIUS attributes are needed for a VRF-aware FlexVPN hub? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 201
Which functionality is provided by L2TPv3 over FlexVPN?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 202
When you troubleshoot Cisco AnyConnect, which step does Cisco recommend before you open a TAC
case?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 203
What URL do you use to download a packet capture file in a format which can be used by a packet
analyzer?
A. ftp://<hostname>/capture/<capture_name>/
B. https://<asdm_enabled _interface:port>/<capture_name>/
C. https://<asdm_enabled_interface:port>/admin/capture/<capture_name>/pcap
D. https://<hostname>/<capture_name>/pcap
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 204
If Web VPN bookmarks are grayed out on the home screen, which action should you take to begin
troubleshooting?
A. Determine whether the Cisco ASA can resolve the DNS names.
B. Determine whether the Cisco ASA has DNS forwarders set up.
C. Determine whether an ACL is present to permit DNS forwarding.
D. Replace the DNS name with an IP address.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html#anc15
WebVPN Clients Cannot Hit Bookmarks and is Grayed Out
Problem
If these bookmarks were configured for users to sign in to the clientless VPN, but on the home screen
under "Web Applications" they show up as grayed out, how can I enable these HTTP links so that the
users are able to click them and go into the particular URL?
Solution
You should first make sure that the ASA can resolve the websites through DNS. Try to ping the websites
by name. If the ASA cannot resolve the name, the link is grayed out. If the DNS servers are internal to your
network, configure the DNS domain-lookup private interface.
QUESTION 205
Which command clears all Cisco AnyConnect VPN sessions?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 206
Which group-policy subcommand installs the Diagnostic AnyConnect Report Tool on user computers when
a Cisco AnyConnect user logs in?
A. customization value dart
B. file-browsing enable
C. smart-tunnel enable dart
D. anyconnect module value dart
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 207
You have deployed new Cisco AnyConnect start before logon modules and set the configuration to
download modules before logon, but all client connections continue to use the previous version of the
module. Which action must you take to correct the problem?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 208
Which feature do you include in a highly available system to account for potential site failures?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 209
Refer to the exhibit. Which VPN solution does this configuration represent?
A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 210
Which VPN type can be used to provide secure remote access from public internet cafes and airport
kiosks?
A. site-to-site
B. business-to-business
C. Clientless SSL
D. DMVPN
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 211
Refer to the exhibit. Which VPN solution does this configuration represent?
A. Cisco AnyConnect (IKEv2)
B. site-to-site
C. DMVPN
D. SSL VPN
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 212
What must be enabled in the web browser of the client computer to support Clientless SSL VPN?
A. cookies
B. ActiveX
C. Silverlight
D. popups
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 213
Which VPN feature allows remote access clients to print documents to local network printers?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 214
Which option is most effective at preventing a remote access VPN user from bypassing the corporate
transparent web proxy?
A. using the proxy-server settings of the client computer to specify a PAC file for the client computer to
download
B. instructing users to use the corporate proxy server for all web browsing
C. disabling split tunneling
D. permitting local LAN access
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 215
Which option is an example of an asymmetric algorithm?
A. 3DES
B. IDEA
C. AES
D. RSA
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.encryptionanddecryption.com/algorithms/asymmetric_algorithms.html
QUESTION 216
Which three parameters are specified in the isakmp (IKEv1) policy? (Choose three.)
Explanation/Reference:
QUESTION 217
Which option is one component of a Public Key Infrastructure?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 218
Which option is a required element of Secure Device Provisioning communications?
A. the introducer
B. the certificate authority
C. the requestor
D. the registration authority
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 219
Which technology can you implement to reduce latency issues associated with a Cisco AnyConnect VPN?
A. DTLS
B. SCTP
C. DCCP
D. SRTP
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 220
Which three types of SSO functionality are available on the Cisco ASA without any external SSO servers?
(Choose three.)
A. SAML
B. HTTP POST
C. HTTP Basic
D. NTLM
E. Kerberos
F. OAuth 2.0
Explanation/Reference:
QUESTION 221
Which two statements about the Cisco ASA Clientless SSL VPN smart tunnels feature are true? (Choose
two.)
A. Smart tunnels are enabled on the secure gateway (Cisco ASA) for specific applications that run on the
end client and work irrespective of which transport protocol the application uses.
B. Smart tunnels require Administrative privileges to run on the client machine.
C. A smart tunnel is a DLL that is pushed from the headend to the client machine after SSL VPN portal
authentication and that is attached to smart-tunneled processes to route traffic through the SSL VPN
session with the gateway.
D. Smart tunnels offer better performance than the client-server plugins.
E. Smart tunnels are supported on Windows, Mac, and Linux.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 222
As a network security architect, you must implement secure VPN connectivity among company branches
over a private IP cloud with any-to-any scalable connectivity.
Which technology should you use?
A. IPsec DVTI
B. FlexVPN
C. DMVPN
D. IPsec SVTI
E. GET VPN
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 223
Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.)
A. transform set
B. ISAKMP policy
C. ACL that defines traffic to encrypt
D. dynamic routing protocol
E. tunnel interface
F. IPsec profile
G. PSK or PKI trustpoint with certificate
Explanation/Reference:
QUESTION 224
Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?
A. PSK
B. Phase 1 policy
C. transform set
D. crypto access list
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 225
Which three changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is
configured? (Choose three.)
Explanation/Reference:
QUESTION 226
Which algorithm provides both encryption and authentication for data plane communication?
A. SHA-96
B. SHA-384
C. 3DES
D. AES-256
E. AES-GCM
F. RC4
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 227
Which three configurations are prerequisites for stateful failover for IPsec? (Choose three.)
A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device;
the IPsec configuration is copied automatically.
B. Only crypto map configuration that is set up on the active device must be duplicated on the standby
device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.
D. The active and standby devices can run different versions of the Cisco IOS software but need to be the
same type of device.
E. The active and standby devices must run the same version of the Cisco IOS software and should be
the same type of device.
F. Only the IPsec configuration that is set up on the active device must be duplicated on the standby
device; the IKE configuration is copied automatically.
G. The IKE configuration that is set up on the active device must be duplicated on the standby device.
Explanation/Reference:
QUESTION 228
Which two statements comparing ECC and RSA are true? (Choose two.)
A. ECC can have the same security as RSA but with a shorter key size.
B. ECC lags in performance when compared with RSA.
C. Key generation in ECC is slower and less CPU intensive.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. Key generation in ECC is faster and less CPU intensive.
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 229
Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 230
A customer requires all traffic to go through a VPN. However, access to the local network is also required.
Which two options can enable this configuration? (Choose two.)
A. split exclude
B. use of an XML profile
C. full tunnel by default
D. split tunnel
E. split include
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 231
As a network consultant, you are asked to suggest a VPN technology that can support a multivendor
environment and secure traffic between sites. Which technology should you recommend?
A. DMVPN
B. FlexVPN
C. GET VPN
D. SSL VPN
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 232
Which protocol must be enabled on the inside interface to use cluster encryption in SSL VPN load
balancing?
A. TLS
B. DTLS
C. IKEv2
D. ISAKMP
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 233
Refer to the exhibit. Which type of VPN implementation is displayed?
A. IKEv2 reconnect
B. IKEv1 cluster
C. IKEv2 load balancer
D. IKEv1 client
E. IPsec high availability
F. IKEv2 backup gateway
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 234
Which PKI enrollment method allows the user to separate authentication and enrollment actions and also
provides an option to specify HTTP/TFTP commands to perform file retrieval from the server?
A. enrollment profile
B. enrollment terminal
C. enrollment url
D. enrollment selfsigned
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 235
Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA
devices. Based on the syslog message, which action can bring up the VPN tunnel?
A. Increase the maximum SA limit on the local Cisco ASA.
B. Correct the crypto access list on both Cisco ASA devices.
C. Remove the maximum SA limit on the remote Cisco ASA.
D. Reduce the maximum SA limit on the local Cisco ASA.
E. Correct the IP address in the local and remote crypto maps.
F. Increase the maximum SA limit on the remote Cisco ASA.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The request was rejected by CAC, which is used to limit the number of SAs.
QUESTION 236
Refer to the exhibit. Which type of VPN is being configured, based on the partial configuration snippet?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 237
Which configuration is used to build a tunnel between a Cisco ASA and ISR?
A. crypto map
B. DMVPN
C. GET VPN
D. GRE with IPsec
E. GRE without IPsec
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 238
Refer to the exhibit. What is the problem with the IKEv2 site-to-site VPN tunnel?
A. incorrect PSK
B. crypto access list mismatch
C. incorrect tunnel group
D. crypto policy mismatch
E. incorrect certificate
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 239
Which two statements regarding IKEv2 are true per RFC 4306? (Choose two.)
Correct Answer: DG
Section: (none)
Explanation
Explanation/Reference:
QUESTION 240
Which DAP endpoint attribute checks for the matching MAC address of a client machine?
A. device
B. process
C. antispyware
D. BIA
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 241
Which type of NHRP packet is unique to Phase 3 DMVPN topologies?
A. resolution request
B. resolution reply
C. traffic indication
D. registration request
E. registration reply
F. error indication
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 242
Which three types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL
VPN portal? (Choose three.)
A. HTTP
B. VNC
C. CIFS
D. RDP
E. HTTPS
F. ICA (Citrix)
Explanation/Reference:
QUESTION 243
Which three parameters must match on all routers in a DMVPN Phase 3 cloud? (Choose three.)
A. NHRP network ID
B. GRE tunnel key
C. NHRP authentication string
D. tunnel VRF
E. EIGRP process name
F. EIGRP split-horizon setting
Explanation/Reference:
QUESTION 244
Refer to the exhibit. The customer needs to launch AnyConnect in the RDP machine.
Which configuration is correct?
A. crypto vpn anyconnect profile test flash:RDP.xml policy group default svc profile test
B. crypto vpn anyconnect profile test flash:RDP.xml webvpn context GW_1 browser-attribute import flash:/
swj.xml
C. crypto vpn anyconnect profile test flash:RDP.xml policy group default svc profile flash:RDP.xml
D. crypto vpn anyconnect profile test flash:RDP.xml webvpn context GW_1 browser-attribute import test
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 245
Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)
A. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through
the URL bar, the client uses the local DNS to perform FQDN resolution.
B. The rewriter enable command under the global webvpn configuration enables the rewriter functionality
because that feature is disabled by default.
C. A Cisco ASA with an AnyConnect Premium Peers license can simultaneously allow Clientless SSL
VPN sessions and AnyConnect client sessions.
D. Content rewriter functionality in the Clientless SSL VPN portal is not supported on Apple mobile
devices.
E. Clientless SSLVPN provides Layer 3 connectivity into the secured network.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 246
Refer to the exhibit. Which two characteristics of the VPN implementation are evident? (Choose two.)
A. dual DMVPN cloud setup with dual hub
B. DMVPN Phase 3 implementation
C. single DMVPN cloud setup with dual hub
D. DMVPN Phase 1 implementation
E. quad DMVPN cloud with quadra hub
F. DMVPN Phase 2 implementation
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 247
Which protocol can be used for better throughput performance when using Cisco AnyConnect VPN?
A. TLSv1
B. TLSv1.1
C. TLSv1.2
D. DTLSv1
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 248
Which configuration construct must be used in a FlexVPN tunnel?
A. multipoint GRE tunnel interface
B. IKEv1 policy
C. IKEv2 profile
D. EAP configuration
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 249
Which benefit of FlexVPN is not offered by DMVPN using IKEv1?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 250
Which command identifies an AnyConnect profile that was uploaded to the router flash?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 251
Refer to the exhibit. The customer can establish an AnyConnect connection on the first attempt only.
Subsequent attempts fail. What might be the issue?
A. IKEv2 is blocked over the path.
B. UserGroup must be different than the name of the connection profile.
C. The primary protocol should be SSL.
D. UserGroup must be the same as the name of the connection profile.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 252
Which algorithm is an example of asymmetric encryption?
A. RC4
B. AES
C. ECDSA
D. 3DES
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 253
Which three configuration parameters are mandatory for an IKEv2 profile? (Choose three.)
A. IKEv2 proposal
B. local authentication method
C. match identity or certificate
D. IKEv2 policy
E. PKI certificate authority
F. remote authentication method
G. IKEv2 profile description
H. virtual template
Explanation/Reference:
QUESTION 254
Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list?
(Choose two.)
A. group-alias
B. certificate map
C. use gateway command
D. group-url
E. AnyConnect client version
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 255
Refer to the exhibit. Which technology does this configuration demonstrate?
A. AnyConnect SSL over IPv4+IPv6
B. AnyConnect FlexVPN over IPv4+IPv6
C. AnyConnect FlexVPN IPv6 over IPv4
D. AnyConnect SSL IPv6 over IPv4
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
FlexVPN uses IPsec/IKEv2; SSL uses TLS.
"vpn-tunnel-protocol ikev2 ssl-client" is part of a FlexVPN configuration; the configuration for SSL would be
"vpn-tunnel-protocol ssl-client".
http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/115735-acssl-ip-config-00.html
QUESTION 256
Refer to the exhibit. The IKEv2 site-to-site VPN tunnel between two routers is down.
Based on the debug output, which type of mismatch might be the problem?
A. PSK
B. crypto policy
C. peer identity
D. transform set
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 257
Which equation describes an elliptic curve?
A. y^3 = x^3 + ax + b
B. x^3 = y^2 + ab + x
C. y^4 = x^2 + ax + b
D. y^2 = x^3 + ax + b
E. y^2 = x^2 + ax + b^2
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 258
An engineer wants to ensure that employees cannot access corporate resources on untrusted networks,
but does not want a new VPN session to be established each time they leave the trusted network. Which
Cisco AnyConnect Trusted Network Policy option allows this ability?
A. Pause
B. Connect
C. Do Nothing
D. Disconnect
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 259
Refer to the exhibit. In this tunnel mode GRE multipoint example, which command on the hub router
distinguishes one spoke from the other?
A. no ip route
B. ip nhrp map
C. ip frame-relay
D. tunnel mode gre multipoint
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 260
A network engineer must configure a new VPN tunnel utilizing IKEv2. For which three reasons would a
configuration use IKEv2 instead of IKEv1? (Choose three.)
Explanation/Reference:
QUESTION 261
A network engineer is troubleshooting a site-to-site VPN tunnel configured on a Cisco ASA and wants to
validate that the tunnel is sending and receiving traffic. Which command accomplishes this task?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 262
When troubleshooting clientless SSL VPN connections, which option can be verified on the client PC?
A. address assignment
B. DHCP configuration
C. tunnel group attributes
D. host file misconfiguration
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-troubleshooting.html
QUESTION 263
Which two commands are included in the command show dmvpn detail? (Choose two.)
A. Show ip nhrp
B. Show ip nhrp nhs
C. Show crypto ipsec sa detail
D. Show crypto session detail
E. Show crypto sockets
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
"show dmvpn detail" returns the output of show ip nhrp nhs, show dmvpn, and show crypto session detail.
http://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multi-point-vpn-dmvpn/116957-technote-dmvpn-00.html
QUESTION 264
An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS
routers. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats
seem to show that the tunnels are up. However, when trying to connect to a remote server using RDP, the
connection fails. Which action resolves this issue?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Answers A and C do not make sense.
Answer D is valid only for split tunneling, if we want to pass the RDP traffic off tunnel. The ACL configured
to establish the DMVPN tunnel only needs UDP 500/4500 and ESP (IP protocol 50).
Answer B should be correct because voice traffic (UDP) and ping use smaller packet sizes and will not be
fragmented, and thus will work. RDP uses TCP/3389 and isn't fault tolerant.
QUESTION 265
Which feature is a benefit of Dynamic Multipoint VPN?
A. geographic filtering of spoke devices
B. translation PAT
C. rotating wildcard preshared keys
D. dynamic spoke-to spoke tunnel establishment
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 266
An engineer has configured Cisco AnyConnect VPN using IKEv2 on a Cisco IOS router. The user cannot
connect in the Cisco AnyConnect client, but receives an alert message "Use a browser to gain access."
Which action does the engineer take to eliminate this issue?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html
QUESTION 267
Refer to the exhibit. A network administrator is running DMVPN with EIGRP. When the administrator looks
at the routing table on spoke 1, it displays a route to the hub only.
Which command is missing on the hub router that would include spoke 2 and spoke 3 in the spoke 1 routing
table?
A. no inverse arp
B. neighbor (ip address)
C. no ip split-horizon eigrp 1
D. redistribute static
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 268
Which algorithm provides both encryption and authentication for data plane communication?
A. RC4
B. SHA-384
C. AES-256
D. SHA-96
E. 3DES
F. AES-GCM
Correct Answer: F
Section: (none)
Explanation
Explanation/Reference:
QUESTION 269
Refer to the exhibit. Client 1 cannot communicate with Client 2. Both clients are using Cisco AnyConnect
and have established a successful SSL VPN connection to the hub ASA.
Which command on the ASA is missing?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 270
Which statement regarding GET VPN is true?
A. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration
on the key server.
B. The pseudotime that is used for replay checking is synchronized via NTP.
C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
D. TEK rekeys can be load-balanced between two key servers operating in COOP.
E. The configuration that defines which traffic to encrypt is present only on the key server.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 271
Which two statements comparing ECC and RSA are true? (Choose two.)
A. Key generation in ECC is slower and more CPU intensive than RSA.
B. ECC can have the same security as RSA but with a shorter key size.
C. Key generation in ECC is faster and less CPU intensive than RSA.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. ECC lags in performance when compared with RSA.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 272
Refer to the exhibit. An engineer is troubleshooting a new GRE over IPsec tunnel.
The tunnel is established, but the engineer cannot ping from spoke 1 to spoke 2.
Which type of traffic is being blocked?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 273
A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message:
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 274
Which two operational advantages does GET VPN offer over site-to-site IPsec tunnels in a private
MPLS-based core network? (Choose two.)
A. Key servers perform encryption and decryption of all the data in the network, which allows for tight
security policies.
B. Traffic uses one VRF to encrypt data and a different one to decrypt data, which allows for multicast
traffic isolation.
C. GET VPN is tunnel-less, which allows any group member to perform decryption and routing around
network failures.
D. Packets carry original source and destination IP addresses, which allows for optimal routing of
encrypted traffic.
E. Group Domain of Interpretation protocol allows for homomorphic encryption, which allows group
members to operate on messages without decrypting them.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html
QUESTION 275
An administrator received a report that a user cannot connect to the headquarters site using Cisco
AnyConnect and receives this error: "The installer was not able to start the Cisco VPN client, clientless
access is not available." Which option is a possible cause for this error?
A. The client version of Cisco AnyConnect is not compatible with the Cisco ASA software image.
B. The operating system of the client machine is not supported by Cisco AnyConnect.
C. The driver for Cisco AnyConnect is outdated.
D. The installed version of Java is not compatible with Cisco AnyConnect.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 276
An engineer is configuring an IPsec VPN with IKEv2.
Which three components are part of the IKEv2 proposal for this implementation? (Choose three.)
A. key ring
B. DH group
C. integrity
D. tunnel name
E. encryption
Explanation/Reference:
QUESTION 277
Which command can be used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 278
Refer to the exhibit. An engineer encounters a debug message.
Which action can the engineer take to eliminate this error message?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 279
Which two changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is
configured? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 280
Refer to the exhibit. VPN load balancing provides a way to distribute remote access, IPsec, and SSL VPN
connections across multiple security appliances. Which remote access client types does the load
balancing feature support?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 281
Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 282
Using the Next Generation Encryption technologies, which is the minimum acceptable encryption level to
protect sensitive information?
A. AES 92 bits
B. AES 128 bits
C. AES 256 bits
D. AES 512 bits
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 283
An engineer is troubleshooting a DMVPN spoke router and sees a CRYPTO-4-IKMP_BAD_MESSAGE
debug message that a spoke router "failed its sanity check or is malformed". Which issue does the error
message indicate?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 284
A company has a FlexVPN solution for remote access and one of their Cisco AnyConnect remote clients
is having trouble connecting properly.
Which command verifies that packets are being encrypted and decrypted?
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 285
Refer to the exhibit. Which result of this command is true?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 286
An engineer is attempting to establish a new site-to-site VPN connection. The tunnel terminates on an ASA
5506-X which is behind an ASA 5515-X.
The engineer notices that the tunnel is not establishing. Which option is a potential cause?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 287
Which algorithm does ISAKMP use to securely derive encryption and integrity keys?
A. Diffie-Hellman
B. AES
C. ECDSA
D. RSA
E. 3DES
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A Diffie-Hellman group determines the strength of the encryption-key-determination algorithm. The ASA
uses this algorithm to derive the encryption and hash keys.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_ike.pdf
QUESTION 288
Which purpose of configuring Perfect Forward Secrecy is true?
A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 2 keys.
B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 1 keys.
C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 1 keys.
D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 2 keys.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 289
An engineer has successfully established a phase 1 tunnel, but notices that no packets are decrypted on
the head end side of the tunnel.
What is a potential cause for this issue?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 290
Which option describes traffic that will initiate a VPN connection?
A. trusted
B. external
C. internal
D. interesting
Correct Answer: D
Section: (none)
Explanation
QUESTION 291
A company wants to validate hosts before allowing them on the network via remote access VPN.
Which Dynamic Access Policies (DAP) method provides additional host level validation?
A. TACACS check
B. folder check
C. file check
D. hostname check
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 292
Which option must be enabled to allow an SSLVPN which is configured for DTLS to fall back to TLS?
Correct Answer: B
Section: (none)
Explanation
QUESTION 293
Which two components are required for a Cisco IOS-based PKI solution? (Choose two)
A. FTP/HTTP server
B. certificate authority
C. RADIUS server
D. NTP
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 294
Which option is the main difference between GET VPN and DMVPN?
Correct Answer: B
Section: (none)
Explanation
QUESTION 295
An engineer is configuring SSL VPN to provide access to a corporate network for remote users.
Traffic destined to the enterprise IP range should go over the tunnel and all other traffic should go directly
to the internet.
Which feature should be configured?
A. dual-homing
B. hairpinning
C. split-tunnel
D. U-turning
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 296
Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The key server is responsible for maintaining security policies, authenticating the GMs, and providing the
session key for encrypting traffic. The KS authenticates the individual GMs at the time of registration. Only
after successful registration can the GMs participate in the group SA.
http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html
QUESTION 297
Which command will allow a referenced ASA interface to become accessible across a site-to-site VPN?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html
QUESTION 298
Which two attributes can be matched from the identity of the remote peer when using IKEv2 Name
Manager? (Choose two)
A. fqdn
B. hostname
C. IP address
D. kerberos
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 299
Which option is one of the differences between FlexVPN and DMVPN?
Correct Answer: A
Section: (none)
Explanation
QUESTION 300
From the CLI of a Cisco ASA 5520, which command shows specific information about current clientless
and Cisco AnyConnect SSL VPN users only?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 301
A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message:
"The AnyConnect package on the secure gateway could not be located. You may be experiencing network
connectivity issues. Please try connecting again."
Which option is the likely cause of this issue?
A. The user's operating system is not supported with the ASA's current configuration.
B. The user's laptop clock is not synchronized with NTP.
C. The user is entering an incorrect password.
D. The Cisco ASA firewall has experienced a failure.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 302
A customer requires site-to-site VPNs to connect third-party business partners and has purchased two
ASAs.
The customer requests an active/active configuration.
Which model is needed to support an active/active solution?
A. NAT context
B. single context
C. multiple context
D. PAT context.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 303
An engineer is configuring IPsec VPN and wants to choose an authentication protocol that is reliable and
supports ACK and sequence.
Which protocol accomplishes this goal?
A. IKEv1
B. AES-192
C. ESP
D. AES-256
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 304
While attempting to establish a site-to-site VPN, the engineer notices that phase 1 of the VPN tunnel fails.
The engineer wants to run a capture to confirm that the outside interface is receiving phase 1 information
from the third-party peer address. Which command must be run on the ASA to verify this information?
A. Capture capin interface outside match udp any eq 500 any eq 500
B. Capture capin interface outside match gre any any
C. Capture capin interface outside match udp any eq 123 any eq 123
D. Capture capin interface outside match ipsec any any
E. Capture capin interface outside match ah any any
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 305
An engineer is troubleshooting VPN connectivity issues between a PC and ASA using Cisco AnyConnect
IPsec IKEv2.
Which requirement must be satisfied for proper functioning?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 306
A client has asked an engineer to assist in installing and upgrading to the latest version of Cisco
AnyConnect Secure Mobility Client.
Which type of deployment method requires the updated version of the client to be loaded only on the
headend device such as an ASA or ISE device?
A. web-update
B. pre-deploy
C. web-deploy
D. cloud-deploy
E. cloud-update
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 307
Why must a network engineer avoid usage of the default X.509 certificate when implementing clientless
SSLVPN on an ASA?
Correct Answer: C
Section: (none)
Explanation
QUESTION 308
A company's remote locations connect to data centers via MPLS.
A new request requires that unicast traffic that exits the remote location be encrypted.
Which non-tunneled technology can be used to satisfy this requirement?
A. SSL
B. GET VPN
C. DMVPN
D. EzVPN
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 309
An engineer notices that while an employee is connected remotely, all traffic is being routed to the
corporate network.
Which split-tunnel policy allows a remote client to use their local provider for internet access when working
from home?
A. exclude specified.
B. tunnel all
C. No policy allows that type of configuration.
D. tunnel specified
Correct Answer: D
Section: (none)
Explanation
QUESTION 310
An engineer must deploy a VPN solution to provide simple configuration, per-peer policy, cross-site
communication, and third-party interoperability. Which VPN technology is best to accommodate this
requirement?
A. DMVPN
B. FlexVPN
C. GETVPN
D. IPsec
Correct Answer: B
Section: (none)
Explanation
QUESTION 311
An engineer wants to ensure that operating system and service packs on a remote device with a Cisco
clientless SSL VPN are identified. Which feature must be used?
Correct Answer: C
Section: (none)
Explanation
QUESTION 312
What advantage does elliptic curve cryptography have over RSA cryptography?
Correct Answer: D
Section: (none)
Explanation
QUESTION 313
An engineer must set up DMVPN Phase 2 with EIGRP to ensure spoke-to-spoke communication. Which two
EIGRP features must be disabled?
A. stub routing
B. split horizon
C. route redistribution
D. auto-summary
E. next-hop self
Correct Answer: BE
Section: (none)
Explanation
QUESTION 314
Which command does a network engineer type on both spoke routers to check for unidirectional traffic
within the VPN tunnel?
Correct Answer: D
Section: (none)
Explanation
QUESTION 315
Refer to the exhibit. An engineer must implement DMVPN Phase 2 and was provided with this configuration
by the senior engineer as a template. Which two conclusions can be made from the configuration? (Choose
two.)
interface Tunnel10
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 150
no ip split-horizon eigrp 100
no ip next-hop-self eigrp 100
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
Correct Answer: AB
Section: (none)
Explanation
QUESTION 316
An engineer is troubleshooting IPsec VPN and wants to show each phase 2 SA built as well as the amount
of traffic sent. Which command accomplishes that goal?
Correct Answer: D
Section: (none)
Explanation
QUESTION 317
An engineer is troubleshooting IPsec VPN and wants to check the inbound and outbound data plane
security association built between peers. Which command must be run?
Correct Answer: C
Section: (none)
Explanation
QUESTION 318
During an SSL session between a client and a server, who is responsible for generating the master key
that generates the symmetric keys that are used during the session?
Correct Answer: B
Section: (none)
Explanation
QUESTION 319
An engineer is troubleshooting IPsec VPN and wants to review the IKE connectivity status between peers.
Which IKE status indicates that all is running properly?
A. AG_AUTH
B. QM_IDLE
C. MM_SA_SETUP
D. AC_INT_EXCH
Correct Answer: B
Section: (none)
Explanation
QUESTION 320
An engineer is configuring clientless VPN. The finance department has a database server that only they
should access but the sales department can currently access it. The finance and the sales department are
configured as separate group-policies. Which option must be added to the configuration to make sure the
users in the sales department cannot access the finance department server?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 321
Which two options are features of Cisco GET VPN? (Choose two.)
Correct Answer: DE
Section: (none)
Explanation
QUESTION 322
Which header is used when a data plane IPsec packet is created?
A. IKEv1
B. AES
C. SHA
D. ESP
Correct Answer: D
Section: (none)
Explanation
QUESTION 323
Which access lists are used in a typical IPsec VPN configuration?
Correct Answer: D
Section: (none)
Explanation
QUESTION 324
Which two options are benefits of IKEv2 over IKEv1? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
QUESTION 325
Dynamic access policies can support several posture assessment methods to collect endpoint security
attributes. From which operating system does an endpoint collect information?
A. Cisco NAC
B. Advanced Endpoint Assessment
C. Host Scan
D. Cisco Secure Desktop
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 326
Refer to the Exhibit. Which technology is being used?
A. DMVPN
B. GET VPN
C. IPsec
D. FlexVPN
Correct Answer: C
Section: (none)
Explanation
QUESTION 327
Which parameter in IPsec VPN tunnel configurations is optional?
A. lifetime
B. Perfect Forward Secrecy
C. encryption
D. hash
Correct Answer: B
Section: (none)
Explanation
QUESTION 328
An engineer is troubleshooting DMVPN and has entered the show crypto isakmp sa command. What can
be verified with the output of this command?
QUESTION 329
A Cisco AnyConnect client establishes an SSL VPN connection with the ASA at the corporate office. The
client has not established an SSL VPN connection in some time. An engineer wants to make sure the client
computer meets the enterprise security policy. Which feature can update a client to meet an enterprise
security policy?
Correct Answer: D
Section: (none)
Explanation
QUESTION 330
Which two statements about the Internet Key Exchange version 1 are true? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 331
Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 332
Which command configures IKEv2 symmetric identity authentication?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 333
Which command clears all Cisco AnyConnect VPN sessions on a Cisco ASA?
Correct Answer: A
Section: (none)
Explanation
QUESTION 334
The following configuration steps have been completed: WebVPN was enabled on the ASA outside
interface. SSL VPN client software was loaded to the ASA. A DHCP scope was configured and applied
to a WebVPN Tunnel Group. What additional step is required if the client software fails to load when
connecting to the ASA SSL page?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70511-sslvpnclient-asa.html#step2
From the document above, under "Step 2. Install and Enable the SSL VPN Client on the ASA":
starting with Step 5, it says to enable the "SSL VPN Client" after uploading the image.
This is very true because I forgot to do this one time after loading a new version of AnyConnect and the
client failed to load.
QUESTION 335
Which command will allow a referenced ASA interface to become accessible across a site-to-site VPN?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html
QUESTION 336
Which header is used when a data plane IPsec packet is created?
A. IKEv1
B. AES
C. SHA
D. ESP
Correct Answer: D
Section: (none)
Explanation
QUESTION 337
A customer has two ASAs configured in high availability and is experiencing connection drops that require
re-establishment each time failover occurs.
Which type of failover has been implemented?
A. Stateless
B. routed
C. transparent
D. stateful
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_overview.html#wp1078922
Stateless (Regular) Failover
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when
the new active unit takes over.
Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state information to
the standby unit. After a failover occurs, the same connection information is available at the new active
unit. Supported end-user applications are not required to reconnect to keep the same communication
session.
QUESTION 338
In a new DMVPN deployment, phase 1 completes successfully. However, phase 2 experiences issues.
Which troubleshooting step is valid in this situation?
Correct Answer: A
Section: (none)
Explanation
QUESTION 339
An engineer is configuring clientless SSL VPN. The finance department has a database server that only
they should access, but the sales department can currently access it. The finance and the sales
departments are configured as separate group-policies. Which option must be added to the configuration
to make sure the users in the sales department cannot access the finance department server?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 340
Refer to the Exhibit. All internal clients behind the ASA are port address translated to the public outside
interface, which has an IP address of 3.3.3.3. Client 1 and Client 2 have established successful SSL VPN
connections to the ASA. However, when either client performs a browser search on their IP address, it
shows up as 3.3.3.3.
Why is this happening when both clients have a direct connection to the local internet service provider?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 341
Refer to the Exhibit. Users at each end of this VPN tunnel cannot communicate with each other. Which
cause of this behavior is true?
A. The Diffie-Hellman groups configured are different
B. The pre shared key does not match.
C. Phase 1 is not completed and troubleshooting is required.
D. The issue occurs in phase 2 of the tunnel.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 342
An engineer is defining ECC variables and has set the input_mode set to B. Which statement is true?
Correct Answer: A
Section: (none)
Explanation
QUESTION 343
Refer to the Exhibit. An engineer must implement DMVPN Phase 2. Which two conclusions can be made
from the configuration? (Choose two.)
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 344
An engineer wants to ensure that Diffie-Hellman keys are regenerated upon a phase-2 rekey. Which option
can be configured to allow this?
A. Aggressive mode
B. Dead-peer detection
C. Main mode
D. Perfect-forward secrecy
Correct Answer: D
Section: (none)
Explanation
QUESTION 345
Which two options are features of Cisco GET VPN? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
QUESTION 346
Refer to the Exhibit. Which statement about this output is true?
A. Identity between endpoints is verified using a certificate authority
B. The tunnel is not functional because NAT-T is not configured.
C. This router has sent the first packet to establish the Flex VPN tunnel
D. The remote device encrypts IKEv2 packets using key "282FE"0B3B5C99A2B".
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 347
Refer to the Exhibit. A network security engineer is troubleshooting intermittent connectivity issues across
a tunnel. Based on the output from the show crypto ipsec sa command, which cause is most likely?
A. ISAKMP and/or IPsec may be bouncing up and down.
B. The security association lifetimes are set to default values.
C. Return traffic is not coming back from the other end of the tunnel.
D. Traffic may flow in only one direction across this tunnel.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 348
Refer to the Exhibit. Which statement is accurate based on this configuration?
A. Spoke 1 fails the authentication because the authentication methods are incorrect.
B. Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2.
C. Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2.
D. Spoke 2 fails the authentication because the remote authentication method is incorrect.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 349
A customer requests a VPN solution to support multicast traffic and connectivity with non-Cisco devices.
What VPN solution would meet the customer requirements?
A. GET VPN
B. EZ VPN
C. Flex VPN
D. L2L VPN
Correct Answer: C
Section: (none)
Explanation
QUESTION 350
Refer to the Exhibit. Which description of the status of this VPN tunnel is true?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 351
Which two options are benefits of AES compared to 3DES? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
QUESTION 352
A client has asked an engineer to assist in installing and upgrading to the latest version of the Cisco
AnyConnect Secure Mobility Client. Which type of deployment method requires the updated version of the
client to be loaded only on the headend device, such as an ASA or ISE device?
A. Web-deploy
B. Cloud-deploy
C. Cloud-update
D. Web-update
Correct Answer: A
Section: (none)
Explanation
QUESTION 353
A customer requires site-to-site VPNs to connect to third party business partners and has purchased two
ASAs. The customer requests an active/active configuration. Which mode is needed to support an active/
active solution?
A. single context
B. NAT context
C. PAT context
D. multiple context
Correct Answer: D
Section: (none)
Explanation
QUESTION 354
An engineer is troubleshooting VPN connectivity issues between a PC and ASA using Cisco AnyConnect
IPsec IKEv2. Which requirement must be satisfied for proper functioning?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 355
An engineer is configuring an IP VPN with IKEv2. Which two components are part of the IKEv2 proposal
for this implementation? (Choose two.)
A. Key ring
B. Encryption
C. Tunnel mode
D. Peer name
E. integrity
Correct Answer: BE
Section: (none)
Explanation
QUESTION 356
An engineer is using DMVPN to provide secure connectivity between a data center and remote sites.
Which two routing protocols are recommended for use between the routers? (Choose two.)
A. EIGRP
B. IS-IS
C. RIPv2
D. BGP
E. OSPF
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 357
In a FlexVPN deployment, the spokes are successfully connecting to the hub. However, spoke-to-spoke
tunnels do not form. Which troubleshooting step is valid for this issue?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 358
An engineer is troubleshooting network issues and wants to check the Layer 2 connectivity between
routers. Which command must be run?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 359
Which option is an advantage of using elliptic curve cryptography?
A. Efficiency of operation
B. Ease of implementation
C. symmetrical key exchange
D. resistance to quantum attacks
Correct Answer: A
Section: (none)
Explanation
QUESTION 360
A company has acquired a competitor whose network infrastructure uses only IPv6. An engineer must
configure VPN access sourced from the new company. Which remote access VPN solution must be used?
A. GET VPN
B. AnyConnect
C. EzVPN
D. DMVPN
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 361
Which way to send OSPF routing updates over a site-to-site IPsec tunnel is true?
A. Set the network type for the inside interface to nonbroadcast mode, and add the remote end as an
OSPF neighbor.
B. Set the network type for the outside interface to broadcast mode, and add the headend device as an
OSPF neighbor.
C. Set the network type for the DMZ interface to nonbroadcast mode, add the headend as an OSPF
neighbor.
D. Set the network type for the outside interface to nonbroadcast mode, and add the remote end as an
OSPF neighbor.
Correct Answer: D
Section: (none)
Explanation
QUESTION 362
Which access lists are used in a typical IPsec VPN configuration?
Correct Answer: C
Section: (none)
Explanation
QUESTION 363
Which two parameters are specified in the isakmp (IKEv1) policy? (Choose two.)
A. the peer
B. the hashing algorithm
C. the session key
D. the authentication method
E. the transform-set
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 364
An engineer is assisting in the continued implementation of a VPN solution and discovers an NHRP server
configuration. Which type of VPN solution has been implemented?
A. DMVPN
B. IPsec VPN
C. SSL VPN
D. GET VPN
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 365
Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The key server is responsible for maintaining security policies, authenticating the GMs and providing the
session key for encrypting traffic. The KS authenticates the individual GMs at the time of registration. Only
after successful registration can the GMs participate in the group SA.
http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/
deployment_guide_c07_554713.html
QUESTION 366
Refer to the Exhibit. Why is the tunnel not establishing?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 367
An engineer is configuring SSL VPN for remote access. A real-time application that is sensitive to packet
delays will be used. Which feature should the engineer confirm is enabled to avoid latency and bandwidth
problems associated with SSL connections?
A. DTLS
B. DPD
C. SVC
D. IKEv2
Correct Answer: A
Section: (none)
Explanation
QUESTION 368
Which two operational advantages does GET VPN offer over site-to-site IPsec tunnels in a private MPLS-
based core network? (Choose two.)
A. Packets carry original source and destination IP addresses, which allows for optimal routing of
encrypted traffic.
B. Group Domain of Interpretation protocol allows for homomorphic encryption, which allows group
members to operate on messages without decrypting them.
C. GET VPN is tunnel-less, which allows any group member to perform decryption and routing around
network failures.
D. Key servers perform encryption and decryption of all the data in the network, which allows for tight
security policies
E. Traffic uses one VRF to encrypt data and a different one to decrypt data, which allows for multicast
traffic isolation
Correct Answer: AC
Section: (none)
Explanation
QUESTION 369
Which must be configured for a Cisco AnyConnect client to determine the trustworthiness of a wireless
network?
Correct Answer: A
Section: (none)
Explanation
QUESTION 370
An engineer is troubleshooting DMVPN and wants to check if traffic flows in only one direction
Correct Answer: A
Section: (none)
Explanation
QUESTION 371
A network administrator has deployed Cisco AnyConnect Secure Mobility Client to each member of the
sales force. Which option is the verification method for this deployment?
A. RADIUS server
B. AAA authentication
C. NI domain
D. RSA SDI
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 372
When you configure an access list on the external interface of a FlexVPN hub, which step is optional?
Correct Answer: A
Section: (none)
Explanation
QUESTION 373
A network engineer is troubleshooting a VPN tunnel configured on an ASA and has found that Phase 1 is
not completing. Which configuration parameter must match for the IKE Phase 1 tunnel to get successfully
negotiated?
A. SA lifetime
B. transform-set
C. DH group
D. idle timeout
Correct Answer: C
Section: (none)
Explanation
QUESTION 374
An engineer is configuring an IKEv1 tunnel. Which two Diffie-Hellman group values are used for this
implementation? (Choose two.)
A. 2
B. 5
C. 10
D. 14
E. 19
Correct Answer: AB
Section: (none)
Explanation
QUESTION 375
A Cisco AnyConnect VPN user receives this message every 30 minutes:
Secure VPN connection terminated locally by the client. Reason 428: Maximum connection Lifetime Exceeded
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 376
An engineer is troubleshooting an IPsec site-to-site tunnel and verifies that the tunnel status is
MM_WAIT_MSG6. What can be determined from this message?
Correct Answer: C
Section: (none)
Explanation
QUESTION 377
What encryption algorithm does Cisco recommend that you avoid?
A. HMAC-SHA1
B. HMAC-MD5
C. AES-CBC
D. DES
Correct Answer: D
Section: (none)
Explanation
QUESTION 378
What does DART stand for?
A. Device and report tool
B. Diagnostic Anyconnect Reporting Tool
C. Delivery and Reporting Tool
D. Diagnostics and Reporting Tool
Correct Answer: D
Section: (none)
Explanation
QUESTION 379
Which two NHRP functions are specific to DMVPN Phase 3 Implementation? (Choose two)
A. resolution reply
B. redirect
C. resolution request
D. registration reply
E. registration request
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 380
An engineer must configure GET VPN to traverse the network between corporate offices.
Which two options are advantages of choosing GET VPN over EzVPN? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 381
What are two benefits of using DTLS when implementing a Cisco AnyConnect SSL VPN on a Cisco ASA
or router? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 382
What are two benefits of using DTLS when implementing a Cisco AnyConnect SSL VPN on a Cisco ASA
or router? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 383
An engineer must set up a site-to-site VPN with an any-to-any topology that provides secure routing across
the backbone. Which VPN technology allows a shared IPsec SA to be used?
A. FlexVPN
B. IPSEC VPN
C. GET VPN
D. DMVPN
Correct Answer: C
Section: (none)
Explanation
QUESTION 384
Mobile workforce clients are using Cisco AnyConnect for remote access to the corporate network. In an
attempt to save bandwidth on the internet circuit, those working remotely are permitted to use their local
connectivity for internet use while still connected to the corporate network. Which feature allows only
distinct destinations to be encrypted on the remote client?
A. DART
B. Split Tunneling
C. NAT Exempt
D. Kerberos
Correct Answer: B
Section: (none)
Explanation
QUESTION 385
What is the name of the transform set being used on the ISR?
A. Default
B. ESP-AES ESP-SHA-HMAC
C. SP-AES-256-MD5-TRANS
D. TSET
Correct Answer: B
Section: (none)
Explanation
QUESTION 386
Which two components are required for a Cisco IOS-based PKI solution? (Choose two.)
A. preshared key
B. NTP
C. RADIUS server
D. certificate authority
E. FT/HTTP server
Correct Answer: AD
Section: (none)
Explanation
QUESTION 387
An engineer is configuring high availability for crypto-map-based site-to-site VPNs on Cisco devices.
Which protocol must be used?
A. VRRP
B. BFD
C. ESP
D. HSRP
Correct Answer: D
Section: (none)
Explanation
QUESTION 388
Which cryptographic algorithm is used for data integrity?
A. SHA-256
B. ECDH-384
C. ECDSA-256
D. RSA-3072
Correct Answer: A
Section: (none)
Explanation
QUESTION 389
An engineer is configuring a site-to-site VPN tunnel. Which two IKEv1 parameters must match on both peers?
(Choose two.)
A. encryption algorithm
B. access lists
C. encryption domains
D. QoS
E. hashing method
Correct Answer: AE
Section: (none)
Explanation
QUESTION 390
A network engineer is troubleshooting a VPN configured on an ASA and has found Phase 1 is not
completing. Which configured parameter must match for the IKE Phase 1 tunnel to get successfully
negotiated?
A. SA lifetime
B. idle timeout
C. transform-set
D. DH group
Correct Answer: D
Section: (none)
Explanation
QUESTION 391
An engineer must set up a site-to-site VPN implementation with an any-to-any topology that provides
secure routing across the router backbone. Which VPN technology allows a shared IPsec SA to be used?
A. FlexVPN
B. IPsec VPN
C. GET VPN
D. DMVPN
Correct Answer: C
Section: (none)
Explanation
QUESTION 392
An engineer must configure GET VPN to traverse the network between corporate offices. Which two
options are key advantages of choosing GET VPN over EzVPN? (Choose two.)
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 393
What does DART stand for?
Correct Answer: C
Section: (none)
Explanation
QUESTION 394
When you configure an access list on the external interface of a FlexVPN hub, which step is optional?
A. allowing IP protocol 50
B. allowing ICMP protocol
C. allowing UDP port 500
D. allowing UDP port 4500
Correct Answer: B
Section: (none)
Explanation
QUESTION 395
Within a PKI system, which option is a trusted entity?
A. registration authority
B. root certificate
C. certificate authority
D. RSA authentication server
Correct Answer: C
Section: (none)
Explanation
QUESTION 396
What are two features of Cisco GET VPN? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 397
A Cisco AnyConnect VPN user receives this message every 30 minutes:
Secure VPN Connection terminated locally by the Client. Reason 426: Maximum Configured Lifetime Exceeded
Which configuration changes on the ASA firewall address this issue?
Correct Answer: D
Section: (none)
Explanation
QUESTION 398
Which VPN technology is preferred to reduce latency and provide encryption over MPLS without the use of
a central hub?
A. DMVPN
B. IPsec
C. FlexVPN
D. GET VPN
Correct Answer: D
Section: (none)
Explanation
QUESTION 399
Which option is a benefit of ECC as compared to public key cryptography?
Correct Answer: C
Section: (none)
Explanation
QUESTION 400
What are two benefits of SSL VPN versus IPSec VPN when considering a remote-access VPN
technology? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
QUESTION 401
What represents a possible network configuration issue in clientless SSL VPN deployments?
Correct Answer: C
Section: (none)
Explanation
QUESTION 402
Which statement about the local and remote methods in an IKEv2 authentication exchange is true?
A. They must be different.
B. They must be the same.
C. They may be the same or different.
D. There must be one local and two remote methods.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 403
An engineer must set up a site-to-site VPN implementation with an any-to-any topology that provides
secure routing across the router backbone. Which VPN technology allows a shared IPSec SA to be used?
A. GET VPN
B. FlexVPN
C. IPsec VPN
D. DMVPN
Correct Answer: A
Section: (none)
Explanation
QUESTION 404
Refer to the exhibit. Which action must be taken before adding users to the local certificate authority server
database?
Explanation/Reference:
QUESTION 405
An engineer has deployed Cisco IOS crypto-map based VPN and wants to ensure that state information is
shared in an HA group. Which high availability technology must be used?
A. GLBP
B. VRRP
C. IRRP
D. HSRP
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 406
Which option is a benefit of DTLS as compared to TLS?
A. increases reliability
B. increases performance
C. controls packet loss
D. controls packet order
Correct Answer: B
Section: (none)
Explanation
QUESTION 407
Refer to the exhibit. An engineer has configured two new VPN tunnels to 172.18.1.1 and 172.19.1.1.
However, communication between 10.1.0.10 and 10.1.11.10 does not function.
What is the reason?
A. NAT-T is disabled
B. The remote peer 172.17.1.1 doesn't support AES256
C. overlapping crypto ACL
D. invalid route
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 408
You are designing a remote VPN solution that will use the Cisco AnyConnect client. By default, which type
of traffic should you enable on the perimeter firewall to allow users to initiate sessions from the LAN to an
external Cisco ASA?
A. TCP port 443 in TLS mode
B. UDP port 848 in DTLS mode
C. UDP ports 500 and 4500
D. TCP port 8443 in DTLS mode
Correct Answer: A
Section: (none)
Explanation
QUESTION 409
A network engineer testing a clientless VPN connection on a local workstation sees the "Clientless
(browser) SSL VPN access is not allowed." message in the web browser. Which command remediates the
problem?
A. vpn-tunnel-protocol ssl-clientless
B. deny-message none
C. svc dtls enable
D. auto-signon allow uri cifs://X.X.X.XT auth-type all
Correct Answer: A
Section: (none)
Explanation
QUESTION 410
A network engineer wants to send multicast traffic between two routers that are separated by an IP cloud.
The network engineer has access to the two routers, but does not have administrative control of the
devices within the IP cloud. How can this goal be accomplished?
Correct Answer: D
Section: (none)
Explanation
QUESTION 411
Refer to the exhibit. An engineer is troubleshooting this configuration. Why is the VPN tunnel not
functioning?
A. There should be route for the 10.8.8.0/24 network configured.
B. AES 256 can't be used with IKEv1.
C. IKEv1 is not enabled.
D. The IKEv1 policy number should be at least 256.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 412
Which two NHRP functions are specific to DMVPN Phase 3 implementation? (Choose two.)
A. registration request
B. registration reply
C. resolution request
D. resolution reply
E. redirect
Correct Answer: DE
Section: (none)
Explanation
QUESTION 413
During an SSL session between a client and a server, who is responsible for generating the master key
that generates the symmetric keys that are used during the session?
A. cipher suite
B. public key infrastructure
C. client browser
D. web server
Correct Answer: C
Section: (none)
Explanation
QUESTION 414
Drag and Drop Question
Drag and drop the steps on the left into the correct order of DMVPN process execution for quick mode
exchange on the right.
Explanation/Reference:
QUESTION 415
Refer to the exhibit. You are implementing an IKEv2 IPsec tunnel between two internet routers by using PSKs.
After the configuration is complete, the IPsec VPN tunnel fails to negotiate. You enable debugging to
troubleshoot the issue. Which action do you take to resolve the issue?
A. Verify the IKEv2 keyring address and PSK configuration on both routers
B. Configure an IKEv2 authorization policy to authorize the peer router
C. Modify the Diffie-Hellman key used in the IKEv2 policy
D. Configure the IKEv2 identity of each router by using an email address
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 416
Which two features are available in the Plus license for Cisco AnyConnect? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 417
Which Cryptographic method provides passphrase protection while importing or exporting?
A. Serpent
B. AES
C. Blowfish
D. RSA
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 418
You must implement DMVPN Phase 3 by using EIGRP as the dynamic routing protocol for the tunnel
overlay.
Which action do you take to allow EIGRP to advertise all routes between the hub and all the spokes?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 419
Refer to the exhibit. You are implementing DMVPN Phase 3 in an existing network that uses DMVPN Phase 1.
You configure NHRP, but the creation of the spoke-to-spoke tunnel fails. Which action do you take to
resolve the issue?
A. Remove the multicast flag from the NHRP configuration
B. Configure the tunnel of the hub by using point-to-point tunnel mode
C. Configure the tunnel of the spoke by using mGRE tunnel mode
D. Remove NHRP redirects from the hub configuration
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 420
Refer to the exhibit. You implement a DMVPN Phase 3 full-mesh design. Spoke-to-spoke tunnels fail to
establish successfully via the hub. Which action do you take in the hub configuration to resolve the issue?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 421
Refer to the exhibit. Which result of running the command is true?
A. authenticates the IKEv1 peers in 172.16.0.0/16 using the cisco123 key
B. cisco
C. cisco
D. cisco
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 422
Refer to the exhibit. Which VPN technology produces this configuration output?
A. DVTI
B. SVTI
C. FlexVPN
D. DMVPN
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 423
Which two descriptions of the characteristics of Cisco GET VPN are true?
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 424
Which two components are necessary for configuring spoke-to-spoke FlexVPN configurations? (Choose
two)
A. IKEv2
B. HSRP group
C. IVRF
D. NHRP redirect
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 425
What is the functional difference between IKEv1 and IKEv2 on a router?
A. RRI
B. DPD
C. HSRP
D. Failover
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 426
Drag and Drop Question
Drag and drop the steps on the left into the correct order
Explanation/Reference:
QUESTION 427
Drag and Drop Question
Drag and drop the descriptions from the left onto the correct IPsec tunnel on the right.
Explanation/Reference:
QUESTION 428
When using clientless SSL VPN on a Cisco ASA, which authentication method is required for single sign-
on?
A. SAML 2.0
B. LOCAL
C. RADIUS
D. TACACS
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 429
Which two methods customise the installation of the Cisco AnyConnect client? (Choose two.)
A. resource profiles
B. command-line parameters
C. client profiles
D. installer transforms
E. installation profiles
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 430
When configuring a FlexVPN, which two components must be configured for IKEv2? (Choose two)
A. method
B. proposal
C. preference
D. persistence
E. profile
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 431
Refer to the exhibit. You configure Clientless SSL VPN on a Cisco ASA. Users from Company A cannot
connect to the Clientless SSL VPN. Which possible cause of the connection failure is most likely?
A. The users have authentication issues
B. An ACL for DAP is blocking the users
C. The license limit is exceeded
D. The users are behind the same NAT IP address
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 432
When a Cisco ASA is configured for Active/Standby failover, what is replicated between the devices?
A. VPN sessions
B. Cisco AnyConnect profiles
C. Hostscan images
D. Cisco AnyConnect images
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 433
Which description of how DTLS improves application performance is true?
Explanation/Reference:
QUESTION 434
Refer to the exhibit. You have a Clientless SSL VPN service on a Cisco ASA. Which situation prevents the
user from connecting?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 435
You are configuring a Cisco ASA for Clientless SSL VPN. Which command do you run to prevent web
browsing from the Cisco SSL VPN portal page?
A. http-proxy 0.0.0.0
B. url-entry disable
C. url-list disable
D. http server disable
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 436
Which two features are available in the Plus license for Cisco AnyConnect? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 437
Which command displays the NBMA IP address when DMVPN is configured with tunnel protection?
A. show ip nhrp
B. show crypto socket
C. show crypto session
D. show ip interface tunnel
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 438
Your company network security policy requires that all network traffic be tunnelled to the corporate office.
End users must be able to access local LAN resources when they connect to the corporate network. Which
two configurations do you implement in Cisco AnyConnect? (Choose two.)
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 439
Where must an engineer configure a preshared key for a site-to-site VPN tunnel configured on a Cisco
ASA?
A. group policy
B. tunnel group
C. crypto map
D. isakmp policy
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 440
Which method dynamically advertises the network routes for remote tunnel endpoints?
A. dynamic routing
B. CEF
C. RRI
D. policy-based routing
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 441
Refer to the exhibit. You are implementing an IKEv2 IPsec tunnel between two internet routers by using
PSKs. After the configuration is complete, the IPsec VPN tunnel fails to negotiate. You enable debugging
to troubleshoot the issue. Which action do you take to resolve the issue?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 442
Which benefit of ECC as compared to RSA is true?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 443
Which VPN solution enables you to publish applications to users by using bookmarks?
A. Port forwarding
B. SSL VPN full network access
C. Clientless SSL VPN
D. IPsec VPN
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 444
Refer to the exhibit. You are configuring FlexVPN on a router. The tunnel fails to come up. Which type of
mismatch is the root cause of the failure?
A. access list
B. peer ID
C. preshared key
D. transform set
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 445
incorrect pre-shared key
Explanation/Reference:
QUESTION 446
You need to configure your company’s client VPN access to send antivirus client update traffic directly to a
vendor’s cloud server. All other traffic must go to the corporate network. Which feature do you configure?
A. full tunnel
B. split tunnel
C. smart tunnel
D. split DNS
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 447
Which VPN technology preserves IP headers and prevents overlay routing?
A. site-to-site VPN
B. GET VPN
C. Cisco Easy VPN
D. DMVPN
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 448
Refer to the exhibit. You are implementing an IKEv1 IPsec tunnel between two internet routers by using PSKs.
After the configuration is complete, the IPsec VPN tunnel fails to negotiate. What must be configured to
resolve the issue?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference: