300 209 by Supermario v4 PDF


300-209

Number: 000-000
Passing Score: 846
Time Limit: 120 min
File Version: 4.0

Vendor: Cisco

Exam Code: 300-209

Exam Name: Implementing Cisco Secure Mobility Solutions

Version: 4.0

Questions: 448

Date: 2019 07 04

Prepared by Supermario
Exam A

QUESTION 1
Which two IKEv1 policy options must match on each peer when you configure an IPsec site-to-site VPN? (Choose two.)

A. priority number
B. hash algorithm
C. encryption algorithm
D. session lifetime
E. PRF algorithm

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Which two parameters are configured within an IKEv2 proposal on an IOS router? (Choose two.)

A. authentication
B. encryption
C. integrity
D. lifetime

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require?

A. virtual tunnel interface
B. multipoint GRE interface
C. point-to-point GRE interface
D. loopback interface

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
To change the title panel on the logon page of the Cisco IOS WebVPN portal, which file must you
configure?

A. Cisco IOS WebVPN customization template
B. Cisco IOS WebVPN customization general
C. web-access-hlp.inc
D. app-access-hlp.inc

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Which three plugins are available for clientless SSL VPN? (Choose three.)

A. CIFS
B. RDP2
C. SSH
D. VNC
E. SQLNET
F. ICMP

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA appliance
that has an invalid IKEv2 configuration?

A. migrate remote-access ssl overwrite
B. migrate remote-access ikev2
C. migrate l2l
D. migrate remote-access ssl

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Below is a reference for this question:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html
If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple. On the command line, enter the migrate command:
migrate {l2l | remote-access {ikev2 | ssl} | overwrite}
Things of note:
Keyword definitions:
l2l - This converts current IKEv1 l2l tunnels to IKEv2.
remote-access - This converts the remote access configuration. You can convert either the IKEv1 or the SSL tunnel groups to IKEv2.
overwrite - If you have an IKEv2 configuration that you wish to overwrite, then this keyword converts the current IKEv1 configuration and removes the superfluous IKEv2 configuration.

QUESTION 7
Which statement describes a prerequisite for single-sign-on Netegrity Cookie Support in an IOS SSL VPN?

A. The Cisco AnyConnect Secure Mobility Client must be installed in flash.
B. A SiteMinder plug-in must be installed on the Cisco SSL VPN gateway.
C. A Cisco plug-in must be installed on a SiteMinder server.
D. The Cisco Secure Desktop software package must be installed in flash.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Which two statements describe effects of the DoNothing option within the untrusted network policy on a
Cisco AnyConnect profile? (Choose two.)

A. The client initiates a VPN connection upon detection of an untrusted network.
B. The client initiates a VPN connection upon detection of a trusted network.
C. The always-on feature is enabled.
D. The always-on feature is disabled.
E. The client does not automatically initiate any VPN connection.

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-vpn.html#ID-1428-00000152

QUESTION 9
Which command enables IOS SSL VPN Smart Tunnel support for PuTTY?

A. appl ssh putty.exe win
B. appl ssh putty.exe windows
C. appl ssh putty
D. appl ssh putty.exe

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure Desktop?
(Choose three.)

A. IKEv1
B. IKEv2
C. SSL client
D. SSL clientless
E. ESP
F. L2TP

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
A user is unable to establish an AnyConnect VPN connection to an ASA. When using the Real-Time Log Viewer within ASDM to troubleshoot the issue, which two filter options would the administrator choose to show only syslog messages relevant to the VPN connection? (Choose two.)

A. Client's public IP address
B. Client's operating system
C. Client's default gateway IP address
D. Client's username
E. ASA's public IP address

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Which Cisco ASDM option configures forwarding syslog messages to email?

A. Configuration > Device Management > Logging > E-Mail Setup
B. Configuration > Device Management > E-Mail Setup > Logging Enable
C. Select the syslogs to email, click Edit, and select the Forward Messages option.
D. Select the syslogs to email, click Settings, and specify the Destination Email Address option.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Which Cisco ASDM option configures WebVPN access on a Cisco ASA?

A. Configuration > WebVPN > WebVPN Access
B. Configuration > Remote Access VPN > Clientless SSL VPN Access
C. Configuration > WebVPN > WebVPN Config
D. Configuration > VPN > WebVPN Access

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
A user with IP address 10.10.10.10 is unable to access an HTTP website at IP address 209.165.200.225 through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)

A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any
B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer
command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1
and show logging | include 10.10.10.10
D. Check if an access-list on the firewall is blocking the user by using command show running-config
access-list | include 10.10.10.10
E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234 192.168.1.3 161 to see what the firewall is doing with the user's traffic

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
A Cisco router may have a fan issue that could increase its temperature and trigger a failure. What
troubleshooting steps would verify the issue without causing additional risks?

A. Configure logging using commands "logging on", "logging buffered 4", and check for fan failure logs
using "show logging"
B. Configure logging using commands "logging on", "logging buffered 6", and check for fan failure logs
using "show logging"
C. Configure logging using commands "logging on", "logging discriminator msglog1 console 7", and check
for fan failure logs using "show logging"
D. Configure logging using commands "logging host 10.11.10.11", "logging trap 2", and check for fan
failure logs at the syslog server 10.11.10.11

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
Which of these are the two types of keys used when implementing GET VPN? (Choose two)

A. key encryption
B. group encryption
C. pre-shared key
D. public key
E. private key
F. traffic encryption key

Correct Answer: AF
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
A private WAN connection is suspected of intermittently corrupting data. Which technology can a network administrator use to detect and drop the altered data traffic?

A. AES-128
B. RSA Certificates
C. SHA2-HMAC
D. 3DES
E. Diffie-Hellman Key Generation

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
A company needs to provide secure access to its remote workforce. The end users use public kiosk
computers and a wide range of devices. They will be accessing only an internal web application. Which
VPN solution satisfies these requirements?

A. Clientless SSLVPN
B. AnyConnect Client using SSLVPN
C. AnyConnect Client using IKEv2
D. FlexVPN Client
E. Windows built-in PPTP client

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
A network administrator is configuring AES encryption for the ISAKMP policy on an IOS router.
Which two configurations are valid? (Choose two.)

A. crypto isakmp policy 10
encryption aes 254
B. crypto isakmp policy 10
encryption aes 192
C. crypto isakmp policy 10
encryption aes 256
D. crypto isakmp policy 10
encryption aes 196
E. crypto isakmp policy 10
encryption aes 198
F. crypto isakmp policy 10
encryption aes 64

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
Which two qualify as Next Generation Encryption integrity algorithms? (Choose two.)

A. SHA-512
B. SHA-256
C. SHA-192
D. SHA-380
E. SHA-192
F. SHA-196

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Which statement is true when implementing a router with a dynamic public IP address in a crypto map
based site-to-site VPN?

A. The router must be configured with a dynamic crypto map.
B. Certificates are always used for phase 1 authentication.
C. The tunnel establishment will fail if the router is configured as a responder only.
D. The router and the peer router must have NAT traversal enabled.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
Which two statements are true when designing an SSL VPN solution using Cisco AnyConnect? (Choose two.)

A. The VPN server must have a self-signed certificate.
B. An SSL group pre-shared key must be configured on the server.
C. Server side certificate is optional if using AAA for client authentication.
D. The VPN IP address pool can overlap with the rest of the LAN networks.
E. DTLS can be enabled for better performance.

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
Refer to the exhibit. Given the partial configuration shown, which two statements are correct? (Choose two.)

A. The tunnel will use the routing protocol configured for GigabitEthernet 1/1 for all tunnel communication with the peer.
B. The IP route statement to reach the remote network behind the DMVPN peer is incorrect, it should be
ip route 192.168.2.0 255.255.255.0 tunnel 0.
C. This is an example of a static point-to-point VTI tunnel.
D. The tunnel will use esp-sha-hmac encryption in ESP tunnel mode.
E. The tunnel will use 128-bit AES encryption in ESP tunnel mode.

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
What are two benefits of DMVPN Phase 3? (Choose two.)

A. Administrators can use summarization of routing protocol updates from hub to spokes.
B. It introduces hierarchical DMVPN deployments.
C. It introduces non-hierarchical DMVPN deployments.
D. It supports L2TP over IPSec as one of the VPN protocols.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
Which are two main use cases for Clientless SSL VPN? (Choose two.)

A. In kiosks that are part of a shared environment
B. When the users do not have admin rights to install a new VPN client
C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP
D. To create VPN site-to-site tunnels in combination with remote access

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which technology can rate-limit the number of tunnels on a DMVPN hub when system utilization is above a
specified percentage?

A. NHRP Event Publisher
B. interface state control
C. CAC
D. NHRP Authentication
E. ip nhrp connect

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
Which technology supports tunnel interfaces while remaining compatible with legacy VPN
implementations?

A. FlexVPN
B. DMVPN
C. GET VPN
D. SSL VPN

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices?

A. IKEv2 Suite-B
B. IKEv2 proposals
C. IKEv2 profiles
D. IKEv2 Smart Defaults

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
When an IPsec SVTI is configured, which technology processes traffic forwarding for encryption?

A. ACL
B. IP routing
C. RRI
D. front door VPN routing and forwarding

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Which Cisco IOS VPN feature simplifies IPsec VPN configuration and design by using on-demand virtual access interfaces that are cloned from a virtual template configuration?

A. GET VPN
B. dynamic VTI
C. static VTI
D. GRE tunnels
E. GRE over IPsec tunnels
F. DMVPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file
shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco IOS router and the
Windows server?

A. HTTPS
B. NetBIOS
C. CIFS
D. HTTP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command must
you configure on the virtual template?

A. tunnel protection ipsec
B. ip virtual-reassembly
C. tunnel mode ipsec
D. ip unnumbered

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Which protocol supports high availability in a Cisco IOS SSL VPN environment?

A. HSRP
B. VRRP
C. GLBP
D. IRDP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
When you configure IPsec VPN High Availability Enhancements, which technology does Cisco recommend
that you enable to make reconvergence faster?

A. EOT
B. IP SLAs
C. periodic IKE keepalives
D. VPN fast detection

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
Which hash algorithm is required to protect classified information?

A. MD5
B. SHA-1
C. SHA-256
D. SHA-384

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Which cryptographic algorithms are approved to protect Top Secret information?

A. HIPPA DES
B. AES-128
C. RC4-128
D. AES-256

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
Which Cisco firewall platform supports Cisco NGE?

A. FWSM
B. Cisco ASA 5505
C. Cisco ASA 5580
D. Cisco ASA 5525-X

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
Which algorithm is replaced by elliptic curve cryptography in Cisco NGE?

A. 3DES
B. AES
C. DES
D. RSA

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco NGE
supported VPN solution?

A. AES-GCM and SHA-2
B. 3DES and DH
C. AES-CBC and SHA-1
D. 3DES and SHA-1

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
An administrator wishes to limit the networks reachable over the AnyConnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and 209.165.202.128/27?

A. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitlist
B. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value splitlist
C. group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
D. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect vpn-tunnel-network-list splitlist
E. crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
Which NGE IKE Diffie-Hellman group identifier has the strongest cryptographic properties?

A. group 10
B. group 24
C. group 5
D. group 20

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-cfg-ikev2-flex.html#GUID-6F6D8166-508A-4669-9DDC-4FE7AE9B9939

http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html#9

QUESTION 42
What is the Cisco recommended TCP maximum segment on a DMVPN tunnel interface when the MTU is
set to 1400 bytes?

A. 1160 bytes
B. 1260 bytes
C. 1360 bytes
D. 1240 bytes

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
Which technology does a multipoint GRE interface require to resolve endpoints?

A. ESP
B. dynamic routing
C. NHRP
D. CEF
E. IPSec

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)

A. SHA (HMAC variant)
B. Diffie-Hellman
C. DES
D. MD5 (HMAC variant)

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
Which command configures IKEv2 symmetric identity authentication?

A. match identity remote address 0.0.0.0
B. authentication local pre-share
C. authentication pre-share
D. authentication remote rsa-sig

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)

A. aes-cbc-192, sha256, 14
B. 3des, md5, 5
C. 3des, sha1, 1
D. aes-cbc-128, sha, 5

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?

A. disk0:/webvpn/{context name}/
B. disk1:/webvpn/{context name}/
C. flash:/webvpn/{context name}/
D. nvram:/webvpn/{context name}/

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?

A. vpn-filter none
B. no vpn-filter
C. filter value none
D. filter value ACLname

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Specify the name of the ACL to apply to VPN session, using the vpn-filter command in group policy mode.
(You can also configure this attribute in username mode, in which case the value configured under
username supersedes the group-policy value.)
hostname(config-group-policy)# vpn-filter {value ACL name | none}
hostname(config-group-policy)#
You configure ACLs to permit or deny various types of traffic for this group policy. You then enter the vpn-filter command to apply those ACLs.
To remove the ACL, including a null value created by entering the vpn-filter none command, enter the no
form of this command. The no option allows inheritance of a value from another group policy.
A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the
none keyword instead of specifying an ACL name. The none keyword indicates that there is no access list
and sets a null value, thereby disallowing an access list.

QUESTION 49
Which command specifies the path to the Host Scan package in an ASA AnyConnect VPN?

A. csd hostscan path image
B. csd hostscan image path
C. csd hostscan path
D. hostscan image path

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
Hotspot Questions
When a tunnel is initiated by the headquarter ASA, which one of the following Diffie-Hellman groups is selected by the headquarter ASA during the CREATE_CHILD_SA exchange?

A. 1
B. 2
C. 5
D. 14
E. 19

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Traffic initiated by the HQ ASA is assigned to the static outside crypto map, which is shown below to use DH group 5.

QUESTION 51
Hotspot Questions
Based on the provided ASDM configuration for the remote ASA, which one of the following is correct?

A. An access-list must be configured on the outside interface to permit inbound VPN traffic
B. A route to 192.168.22.0/24 will not be automatically installed in the routing table
C. The ASA will use a window of 128 packets (64x2) to perform the anti-replay check
D. The tunnel can also be established on TCP port 10000

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.

QUESTION 52
Hotspot Questions
If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to encrypt
traffic?

A. DES
B. 3DES
C. AES
D. AES192
E. AES256

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Both ASAs are configured to support AES 256, so during the IPsec negotiation they will use the strongest algorithm that is supported by each peer.

QUESTION 53
Hotspot Questions
After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24 network
are unable to access the internet. Which of the following can be done to resolve this problem?

A. Change the Diffie-Hellman group on the headquarter ASA to group 5 for the dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEv1 configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec
tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most
likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 to
192.168.22.0/24.

QUESTION 54
Hotspot Questions
Which option shows the correct traffic selectors for the child SA on the remote ASA, when the headquarter
ASA initiates the tunnel?

A. Local selector 192.168.33.0/0-192.168.33.255/65535
Remote selector 192.168.20.0/0-192.168.20.255/65535
B. Local selector 192.168.33.0/0-192.168.33.255/65535
Remote selector 192.168.22.0/0-192.168.22.255/65535
C. Local selector 192.168.22.0/0-192.168.22.255/65535
Remote selector 192.168.33.0/0-192.168.33.255/65535
D. Local selector 192.168.33.0/0-192.168.33.255/65535
Remote selector 0.0.0.0/0 - 0.0.0.0/65535
E. Local selector 0.0.0.0/0 - 0.0.0.0/65535
Remote selector 192.168.22.0/0 - 192.168.22.255/65535

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec
tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most
likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 (THE LOCAL
SIDE) to 192.168.22.0/24 (THE REMOTE SIDE).

QUESTION 55
Which two are characteristics of GETVPN? (Choose two.)

A. The IP header of the encrypted packet is preserved
B. A key server is elected among all configured Group Members
C. Unique encryption keys are computed for each Group Member
D. The same key encryption and traffic encryption keys are distributed to all Group Members

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid configuration constructs on a Cisco IOS router? (Choose two.)

A. crypto ikev2 keyring keyring-name
peer peer1
address 209.165.201.1 255.255.255.255
pre-shared-key local key1
pre-shared-key remote key2
B. crypto ikev2 transform-set transform-set-name esp-3des esp-md5-hmac esp-aes esp-sha-hmac
C. crypto ikev2 map crypto-map-name
set crypto ikev2 tunnel-group tunnel-group-name
set crypto ikev2 transform-set transform-set-name
D. crypto ikev2 tunnel-group tunnel-group-name
match identity remote address 209.165.201.1
authentication local pre-share
authentication remote pre-share
E. crypto ikev2 profile profile-name
match identity remote address 209.165.201.1
authentication local pre-share
authentication remote pre-share

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.)

A. authenticates group members
B. manages security policy
C. creates group keys
D. distributes policy/keys
E. encrypts endpoint traffic
F. receives policy/keys
G. defines group members

Correct Answer: ABCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
Where is split-tunneling defined for remote access clients on an ASA?

A. Group-policy
B. Tunnel-group
C. Crypto-map
D. Web-VPN Portal
E. ISAKMP client

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
Which of the following could be used to configure remote access VPN Host-scan and pre-login policies?

A. ASDM
B. Connection-profile CLI command
C. Host-scan CLI command under the VPN group policy
D. Pre-login-check CLI command

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
In FlexVPN, what command can an administrator use to create a virtual template interface that can be
configured and applied dynamically to create virtual access interfaces?

A. interface virtual-template number type template
B. interface virtual-template number type tunnel
C. interface template number type virtual
D. interface tunnel-template number

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Here is a reference and an explanation that can be included with this test.
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html#GUID-4A10927D-4C6A-4202-B01C-DA7E462F5D8A

QUESTION 61
In FlexVPN, what is the role of an NHRP resolution request?

A. It allows these entities to directly communicate without requiring traffic to use an intermediate hop
B. It dynamically assigns VPN users to a group
C. It blocks these entities from directly communicating with each other
D. It makes sure that each VPN spoke directly communicates with the hub

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
What are three benefits of deploying a GET VPN? (Choose three.)

A. It provides highly scalable point-to-point topologies.
B. It allows replication of packets after encryption.
C. It is suited for enterprises running over a DMVPN network.
D. It preserves original source and destination IP address information.
E. It simplifies encryption management through use of group keying.
F. It supports non-IP protocols.

Correct Answer: BDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
What is the default topology type for a GET VPN?

A. point-to-point
B. hub-and-spoke
C. full mesh
D. on-demand spoke-to-spoke

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 64
Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)

A. key encryption key
B. group encryption key
C. user encryption key
D. traffic encryption key

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
What are the three primary components of a GET VPN network? (Choose three.)

A. Group Domain of Interpretation protocol
B. Simple Network Management Protocol
C. server load balancer
D. accounting server
E. group member
F. key server

Correct Answer: AEF
Section: (none)
Explanation

Explanation/Reference:

QUESTION 66
Refer to the exhibit. After the configuration is performed, which combination of devices can connect?

A. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name of "cisco.com"
B. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 or a
certificate with subject name containing "cisco.com"
C. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 and a
certificate with subject name containing "cisco.com"
D. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate
with subject name containing "cisco.com"

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 67
Which three settings are required for crypto map configuration? (Choose three.)

A. match address
B. set peer
C. set transform-set
D. set security-association lifetime
E. set security-association level per-host
F. set pfs

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
A network is configured to allow clientless access to resources inside the network. Which feature must be
enabled and configured to allow SSH applications to respond on the specified port 8889?

A. auto applet download
B. port forwarding
C. web-type ACL
D. HTTP proxy

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the
certificate has changed and the connection fails.
What is a possible cause of the connection failure?

A. An invalid modulus was used to generate the initial key.
B. The VPN is using an expired certificate.
C. The Cisco ASA appliance was reloaded.
D. The Trusted Root Store is configured incorrectly.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 70
In the Cisco ASDM interface, where do you enable the DTLS protocol setting?

A. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add
or Edit Internal Group Policy
B. Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or
Edit
C. Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN
Policy > SSL VPN Client
D. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
What are two forms of SSL VPN? (Choose two.)

A. port forwarding
B. Full Tunnel Mode
C. Cisco IOS WebVPN
D. Cisco AnyConnect

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 72
When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?

A. dynamic access policy attributes
B. group policy attributes
C. connection profile attributes
D. user attributes

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 73
What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)

A. CSCO_WEBVPN_OTP_PASSWORD
B. CSCO_WEBVPN_INTERNAL_PASSWORD
C. CSCO_WEBVPN_USERNAME
D. CSCO_WEBVPN_RADIUS_USER

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 74
Refer to the exhibit. Based on the partial configuration shown, which the GET VPN group member GDOI
configuration?

A. key server IP address
B. local priority
C. mapping of the IPsec profile to the IPsec SA
D. mapping of the IPsec transform set to the GDOI group

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
An internet-based VPN solution is being considered to replace an existing private WAN connecting remote
offices. A multimedia application is used that relies on multicast for communication. Which two VPN
solutions meet the application's network requirement? (Choose two.)

A. FlexVPN
B. DMVPN
C. Group Encrypted Transport VPN
D. Crypto-map based Site-to-Site IPsec VPNs
E. AnyConnect VPN

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 76
In a GET VPN solution, which two ways can the key server distribute the new keys to the group members
during the rekey process? (Choose two.)

A. multicast UDP transmission
B. multicast TCP transmission
C. unicast UDP transmission
D. unicast TCP transmission

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 77
An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site
with a Web browser. What is a possible reason for the failure?

A. The user's FTP application is not supported.
B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.
C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.
D. The user's operating system is not supported.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70664-IOSthinclient.html
Thin-Client SSL VPN (Port Forwarding)
A remote client must download a small, Java-based applet for secure access of TCP applications that use
static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and
Telnet. The user needs local administrative privileges because changes are made to files on the local
machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for
example, several FTP applications.

QUESTION 78
When implementing GET VPN, which of these is a characteristic of GDOI IKE?

A. GDOI IKE sessions are established between all peers in the network
B. GDOI IKE uses UDP port 500
C. Security associations do not need to linger between members once a group member has authenticated
to the key server and obtained the group policy
D. Each pair of peers has a private set of IPsec security associations that is only shared between the two
peers

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 79
Which two features are required when configuring a DMVPN network? (Choose two.)

A. Dynamic routing protocol
B. GRE tunnel interface
C. Next Hop Resolution Protocol
D. Dynamic crypto map
E. IPsec encryption

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 80
When you are configuring a DMVPN network, which tunnel mode should you use for the hub router
configuration?

A. GRE multipoint
B. classic point-to-point GRE
C. IPsec multipoint
D. nonbroadcast multiaccess

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 81
Which Cisco IOS feature provides secure, on-demand meshed connectivity?

A. Easy VPN
B. IPsec VPN
C. mGRE
D. DMVPN

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 82
Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub
router?

A. Only one tunnel can be created per tunnel source interface.
B. Only one tunnel can be created and should be associated with a loopback interface for dynamic
redundancy.
C. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.
D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 83
When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you use for the
spoke router configuration?

A. GRE multipoint
B. Classic point-to-point GRE
C. IPsec multipoint
D. Nonbroadcast multiaccess

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 84
With Cisco ASA active/standby failover, by default, how many monitored interface failures will cause
failover to occur?

A. 1
B. 2
C. 3
D. 4
E. 5

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 85
Which two statements about the running configuration of the Cisco ASA are true? (Choose two.)

A. The auto NAT configuration causes all traffic arriving on the inside interface destined to any outside
destinations to be translated with dynamic port address translation using the outside interface IP
address.
B. The Cisco ASA is using the Cisco ASDM image from disk1:/asdm-642.bin
C. The Cisco ASA is set up as the DHCP server for hosts that are on the inside and outside interfaces.
D. SSH and Cisco ASDM access to the Cisco ASA requires AAA authentication using the LOCAL user
database.
E. The Cisco ASA is using a persistent self-signed certificate so users can authenticate the Cisco ASA
when accessing it via ASDM.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 86
Which option lists the main tasks in the correct order to configure a new Layer 3 and 4 inspection policy on
the Cisco ASA appliance using the Cisco ASDM Configuration > Firewall > Service Policy Rules pane?

A. 1. Create a class map to identify which traffic to match.
2. Create a policy map and apply action(s) to the traffic class(es).
3. Apply the policy map to an interface or globally using a service policy.
B. 1. Create a service policy rule.
2. Identify which traffic to match.
3. Apply action(s) to the traffic.
C. 1. Create a Layer 3 and 4 type inspect policy map.
2. Create class map(s) within the policy map to identify which traffic to match.
3. Apply the policy map to an interface or globally using a service policy.
D. 1. Identify which traffic to match.
2. Apply action(s) to the traffic.
3. Create a policy map.
4. Apply the policy map to an interface or globally using a service policy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 87
By default, how does a Cisco ASA appliance process IP fragments?

A. Each fragment passes through the Cisco ASA appliance without any inspections.
B. Each fragment is blocked by the Cisco ASA appliance.
C. The Cisco ASA appliance verifies each fragment and performs virtual IP re-assembly before the full IP
packet is forwarded out.
D. The Cisco ASA appliance forwards the packet out as soon as all of the fragments of the packet have
been received.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 88
Which other match command is used with the match flow ip destination-address command within the class
map configurations of the Cisco ASA MPF?

A. match tunnel-group
B. match access-list
C. match default-inspection-traffic
D. match port
E. match dscp

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 89
Which Cisco ASA configuration is used to configure the TCP intercept feature?

A. a TCP map
B. an access list
C. the established command
D. the set connection command with the embryonic-conn-max option
E. a type inspect policy map

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 90
On which type of encrypted traffic can a Cisco ASA appliance running software version 8.4.1 perform
application inspection and control?

A. IPsec
B. SSL
C. IPsec or SSL
D. Cisco Unified Communications
E. Secure FTP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 91
The Cisco ASA software image has been erased from flash memory. Which two statements about the
process to recover the Cisco ASA software image are true? (Choose two.)

A. Access to the ROM monitor mode is required.
B. The Cisco ASA appliance must have connectivity to the TFTP server where the Cisco ASA image is
stored through the Management 0/0 interface.
C. The copy tftp flash command is necessary to start the TFTP file transfer.
D. The server command is necessary to set the TFTP server IP address.
E. Cisco ASA password recovery must be enabled

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 92
Which two Cisco ASA licensing features are correct with Cisco ASA Software Version 8.3 and later?
(Choose two.)

A. Identical licenses are not required on the primary and secondary Cisco ASA appliance.
B. Cisco ASA appliances configured as failover pairs disregard the time-based activation keys.
C. Time-based licenses are stackable in duration but not in capacity.
D. A time-based license completely overrides the permanent license, ignoring all permanently licensed
features until the time-based license is uninstalled.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 93
Which three actions can be applied to a traffic class within a type inspect policy map? (Choose three.)

A. drop
B. priority
C. log
D. pass
E. inspect
F. reset

Correct Answer: ACF
Section: (none)
Explanation

Explanation/Reference:

QUESTION 94
Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per
second, 600,000 maximum connections, and traffic shaping?

A. 5540
B. 5550
C. 5580-20
D. 5580-40

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 95
Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL
VPN session. Which statement is correct concerning the SSL VPN authorization process?

A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an
external AAA server.
B. Remote clients can be authorized externally by applying group parameters from an external database.
C. Remote client authorization is supported by RADIUS and TACACS+ protocols.
D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
CISCO SSL VPN guide
The aaa authentication command is entered to specify an authentication list or server group under an SSL
VPN context configuration. If this command is not configured and AAA is configured globally on the router,
global authentication will be applied to the context configuration.
The database that is configured for remote-user authentication on the SSL VPN gateway can be a local
database, or the database can be accessed through any RADIUS or TACACS+ AAA server.
We recommend that you use a separate AAA server, such as a Cisco Access Control Server (ACS). A
separate AAA server provides a more robust security solution. It allows you to configure unique passwords
for each remote user and accounting and logging for remote-user sessions.

QUESTION 96
Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the validation of
two sets of username and password credentials on the SSL VPN login page?

A. Single Sign-On
B. Certificate to Profile Mapping
C. Double Authentication
D. RSA OTP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 97
A custom desktop application needs to access an internal server. An administrator is tasked with
configuring the company's SSL VPN gateway to allow remote users to work. Which two technologies
would accommodate the company's requirement? (Choose two.)

A. AnyConnect client
B. Smart Tunnels
C. Email Proxy
D. Content Rewriter
E. Portal Customizations

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 98
A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing traffic to be
blackholed. Which command should be used to identify the peer from which that route originated?

A. show crypto ikev2 sa detail
B. show crypto route
C. show crypto ikev2 client flexvpn
D. show ip route eigrp
E. show crypto isakmp sa detail

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 99
Refer to the exhibit. Which authentication method was used by the remote peer to prove its identity?

A. Extensible Authentication Protocol
B. certificate authentication
C. pre-shared key
D. XAUTH

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 100
Refer to the exhibit. An IPsec peer is exchanging routes using IKEv2, but the routes are not installed in the
RIB. Which configuration error is causing the failure?

A. IKEv2 routing requires certificate authentication, not pre-shared keys.
B. An invalid administrative distance value was configured.
C. The match identity command must refer to an access list of routes.
D. The IKEv2 authorization policy is not referenced in the IKEv2 profile.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 101
Refer to the exhibit. An administrator is adding IPv6 addressing to an already functioning tunnel. The
administrator is unable to ping 2001:DB8:100::2 but can ping 209.165.200.226. Which configuration needs
to be added or changed?

A. No configuration change is necessary. Everything is working correctly.
B. OSPFv3 needs to be configured on the interface.
C. NHRP needs to be configured to provide NBMA mapping.
D. Tunnel mode needs to be changed to GRE IPv4.
E. Tunnel mode needs to be changed to GRE IPv6.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
IPv6 packets are encapsulated in IPv4 packets so that they can be delivered across the IPv4 infrastructure;
the GRE tunnel therefore also has to be IPv4.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-3s/ir-xe-3s-book/ip6-ip4-gre-tunls-xe.html

QUESTION 102
Refer to the exhibit. The IKEv2 tunnel between Router1 and Router2 is failing during session
establishment. Which action will allow the session to establish correctly?

A. The address command on Router2 must be narrowed down to a /32 mask.
B. The local and remote keys on Router2 must be switched.
C. The pre-shared key must be altered to use only lowercase letters.
D. The local and remote keys on Router2 must be the same.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 103
You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the
debug crypto isakmp command on the headend router, you see the following output.
What does this output suggest?

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10

A. Phase 1 policy does not match on both sides.
B. The transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. There is a mismatch in the ACL that identifies interesting traffic.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 104
You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the
debug crypto ipsec command on the headend router, you see the following output.
What does this output suggest?

1d00h: IPSec (validate_proposal): transform proposal (port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2): atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable

A. Phase 1 policy does not match on both sides.
B. The Phase 2 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. The crypto map is not applied on the remote peer.
E. The Phase 1 transform set does not match on both sides.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 105
Which adaptive security appliance command can be used to see a generic framework of the requirements
for configuring a VPN tunnel between an adaptive security appliance and a Cisco IOS router at a remote
office?

A. vpnsetup site-to-site steps
B. show running-config crypto
C. show vpn-sessiondb l2l
D. vpnsetup ssl-remote-access steps

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 106
After completing a site-to-site VPN setup between two routers, application performance over the tunnel is
slow. You issue the show crypto ipsec sa command and see the following output. What does this output
suggest?

interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)
current_peer 209.165.200.230 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836
#pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

A. The VPN has established and is functioning normally.
B. There is an asymmetric routing issue.
C. The remote peer is not receiving encrypted traffic.
D. The remote peer is not able to decrypt traffic.
E. Packet corruption is occurring on the path between the two peers.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 107
Which Cisco adaptive security appliance command can be used to view the count of all active VPN
sessions?

A. show vpn-sessiondb summary
B. show crypto ikev1 sa
C. show vpn-sessiondb ratio encryption
D. show isakmp sa detail
E. show crypto protocol statistics all

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 108
Refer to the exhibit. An administrator had the above configuration working with SSL protocol, but as soon
as the administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not able to
connect. What is the problem?

A. IPsec will not work in conjunction with a group URL.
B. The Cisco AnyConnect implementation does not allow the two group URLs to be the same. SSL does
allow this.
C. If you specify the primary protocol as IPsec, the User Group must be the exact name of the connection
profile (tunnel group).
D. A new XML profile should be created instead of modifying the existing profile, so that the clients force
the update.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 109
The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error message is
displayed:

"Login Denied, unauthorized connection mechanism, contact your administrator"

What is the most possible cause of this problem?

A. DAP is terminating the connection because IKEv2 is the protocol that is being used.
B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection.
C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism.
D. The administrator is restricting access to this specific user.
E. The IKEv2 protocol is not enabled in the group policy of the VPN headend.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 110
The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend using
IKEv2. What is the most likely cause of this problem?

A. User profile updates are not allowed with IKEv2.
B. IKEv2 is not enabled on the group policy.
C. A new profile must be created so that the adaptive security appliance can push it to the client on the
next connection attempt.
D. Client Services is not enabled on the adaptive security appliance.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 111
Refer to the exhibit. The network administrator is adding a new spoke, but the tunnel is not passing traffic.
What could cause this issue?

A. DMVPN is a point-to-point tunnel, so there can be only one spoke.
B. There is no EIGRP configuration, and therefore the second tunnel is not working.
C. The NHRP authentication is failing.
D. The transform set must be in transport mode, which is a requirement for DMVPN.
E. The NHRP network ID is incorrect.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#wp1055049

QUESTION 112
Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2
connection, while SSL works fine? (Choose two.)

A. Verify that the primary protocol on the client machine is set to IPsec.
B. Verify that AnyConnect is enabled on the correct interface.
C. Verify that the IKEv2 protocol is enabled on the group policy.
D. Verify that ASDM and AnyConnect are not using the same port.
E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 113
Regarding licensing, which option will allow IKEv2 connections on the adaptive security appliance?

A. AnyConnect Essentials can be used for Cisco AnyConnect IKEv2 connections.
B. IKEv2 sessions are not licensed.
C. The Advanced Endpoint Assessment license must be installed to allow Cisco AnyConnect IKEv2
sessions.
D. Cisco AnyConnect Mobile must be installed to allow AnyConnect IKEv2 sessions.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 114
What action does the hub take when it receives a NHRP resolution request from a spoke for a network that
exists behind another spoke?

A. The hub sends back a resolution reply to the requesting spoke.
B. The hub updates its own NHRP mapping.
C. The hub forwards the request to the destination spoke.
D. The hub waits for the second spoke to send a request so that it can respond to both spokes.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 115
A spoke has two Internet connections for failover. How can you achieve optimum failover without affecting
any other router in the DMVPN cloud?

A. Create another DMVPN cloud by configuring another tunnel interface that is sourced from the second
ISP link.
B. Use another router at the spoke site, because two ISP connections on the same router for the same
hub is not allowed.
C. Configure SLA tracking, and when the primary interface goes down, manually change the tunnel
source of the tunnel interface.
D. Create another tunnel interface with the same configuration except the tunnel source, and configure the
if-state nhrp and backup interface commands on the primary tunnel interface.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-tun-mon.pdf

QUESTION 116
In DMVPN phase 2, which two EIGRP features need to be disabled on the hub to allow spoke-to-spoke
communication? (Choose two.)

A. autosummary
B. split horizon
C. metric calculation using bandwidth
D. EIGRP address family
E. next-hop-self
F. default administrative distance

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 117
What does NHRP stand for?

A. Next Hop Resolution Protocol
B. Next Hop Registration Protocol
C. Next Hub Routing Protocol
D. Next Hop Routing Protocol

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 118
When troubleshooting established clientless SSL VPN issues, which three steps should be taken?
(Choose three.)

A. Clear the browser history.
B. Clear the browser and Java cache.
C. Collect the information from the computer event log.
D. Enable and use HTML capture tools.
E. Gather crypto debugs on the adaptive security appliance.
F. Use Wireshark to capture network traffic.

Correct Answer: BDF
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/104298-ssl-clientless-trouble.html

QUESTION 119
A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish the
connection. Which three commands can be used for troubleshooting of the AAA subsystem? (Choose
three.)

A. debug aaa authentication
B. debug radius
C. debug vpn authorization error
D. debug ssl openssl errors
E. debug webvpn aaa
F. debug ssl error

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 120
Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet
Explorer, while other browsers work fine?

A. Verify the trusted zone and cookies settings in your browser.
B. Make sure that you specified the URL correctly.
C. Try the URL from another operating system.
D. Move to the IPsec client.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 121
Refer to the exhibit. A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a
question about a line in the log.
The IP address 172.26.26.30 is attached to which interface in the network?

A. the Cisco ASA physical interface
B. the physical interface of the end user
C. the Cisco ASA SSL VPN tunnel interface
D. the SSL VPN tunnel interface of the end user

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 122
You have been using pre-shared keys for IKE authentication on your VPN.
Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers.
How can you enable scaling to numerous IPsec peers?

A. Migrate to external CA-based digital certificate authentication.
B. Migrate to a load-balancing server.
C. Migrate to a shared license server.
D. Migrate from IPsec to SSL VPN client extended authentication.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 123
Which statement is correct concerning the trusted network detection (TND) feature?

A. The Cisco AnyConnect 3.0 Client supports TND on Windows, Mac, and Linux platforms.
B. With TND, one result of a Cisco Secure Desktop basic scan on an endpoint is to determine whether a
device is a member of a trusted or an untrusted network.
C. If enabled, and a CSD scan determines that a host is a member of an untrusted network, an
administrator can configure the TND feature to prohibit an end user from launching the Cisco
AnyConnect VPN Client.
D. When the user is inside the corporate network, TND can be configured to automatically disconnect a
Cisco AnyConnect session.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html
Trusted Network Detection
Trusted Network Detection (TND) gives you the ability to have AnyConnect automatically disconnect a
VPN connection when the user is inside the corporate network (the trusted network) and start the VPN
connection when the user is outside the corporate network (the untrusted network). This feature
encourages greater security awareness by initiating a VPN connection when the user is outside the trusted
network.
If AnyConnect is also running Start Before Logon (SBL), and the user moves into the trusted network, the
SBL window displayed on the computer automatically closes. TND does not interfere with the ability of the
user to manually establish a VPN connection. It does not disconnect a VPN connection that the user starts
manually in the trusted network. TND only disconnects the VPN session if the user first connects in an
untrusted network and moves into a trusted network. For example, TND disconnects the VPN session if
the user makes a VPN connection at home and then moves into the corporate office.
Because the TND feature controls the AnyConnect GUI and automatically initiates connections, the GUI
should run at all times. If the user exits the GUI, TND does not automatically start the VPN connection.
You configure TND in the AnyConnect profile. No changes are required to the ASA configuration.

QUESTION 124
Refer to the exhibit. A NOC engineer needs to tune some postlogin parameters on an SSL VPN tunnel.

From the information shown, where should the engineer navigate to, in order to find all the postlogin
session parameters?

A. "engineering" Group Policy
B. "contractor" Connection Profile
C. DefaultWEBVPNGroup Group Policy
D. DefaultRAGroup Group Policy
E. "engineer1" AAA/Local Users

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac05hostscanposture.html#wp1039696

QUESTION 125
Which statement about plug-ins is false?

A. Plug-ins do not require any installation on the remote system.
B. Plug-ins require administrator privileges on the remote system.
C. Plug-ins support interactive terminal access.
D. Plug-ins are not supported on the Windows Mobile platform.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1162435
Plug-ins
The security appliance supports Java plug-ins for clientless SSL VPN connections.
Plug-ins are Java programs that operate in a browser.
These plug-ins include SSH/Telnet, RDP, VNC, and Citrix.
Per the GNU General Public License (GPL), Cisco redistributes plug-ins without making any changes to
them.
Per the GPL, Cisco cannot directly enhance these plug-ins. To use plug-ins you must install Java Runtime
Environment (JRE) 1.4.2.x or greater.
You must also use a compatible browser specified here:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpncompatibility.html

QUESTION 126
When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or PAT,
which type of VPN tunneling should you use to allow the VPN traffic through the stateful firewall?

A. clientless SSL VPN
B. IPsec over TCP
C. smart tunnel
D. SSL VPN plug-ins

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an
environment in which standard Encapsulating Security Payload (ESP, Protocol 50) or Internet Key
Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with modification
to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP
packet, and it enables secure tunneling through both Network Address Translation (NAT) and Port
Address Translation (PAT) devices and firewalls.

QUESTION 127
Refer to the exhibit. The ABC Corporation is changing remote-user authentication from pre-shared keys to
certificate-based authentication. For most employee authentication, its group membership (the employees)
governs corporate access. Certain management personnel need access to more confidential servers.
Access is based on the group and name, such as finance and level_2. When it is time to pilot the new
authentication policy, a finance manager is able to access the department-assigned servers but cannot
access the restricted servers.

As the network engineer, where would you look for the problem?

A. Check the validity of the identity and root certificate on the PC of the finance manager.
B. Change the Management Certificate to Connection Profile Maps > Rule Priority to a number that is
greater than 10.
C. Check if the Management Certificate to Connection Profile Maps > Rules is configured correctly.
D. Check if the Certificate to Connection Profile Maps > Policy is set correctly.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 128
Refer to the exhibit. While configuring a site-to-site VPN tunnel, a new NOC engineer encounters the
Reverse Route Injection parameter.
Assuming that static routes are redistributed by the Cisco ASA to the IGP, what effect does enabling
Reverse Route Injection on the local Cisco ASA have on a configuration?

A. The local Cisco ASA advertises its default routes to the distant end of the site-to-site VPN tunnel.
B. The local Cisco ASA advertises routes from the dynamic routing protocol that is running on the local
Cisco ASA to the distant end of the site-to-site VPN tunnel.
C. The local Cisco ASA advertises routes that are at the distant end of the site-to-site VPN tunnel.
D. The local Cisco ASA advertises routes that are on its side of the site-to-site VPN tunnel to the distant
end of the site-to-site VPN tunnel.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

QUESTION 129
Refer to the exhibit. The "level_2" digital certificate was installed on a laptop.
What can cause an "invalid not active" status message?

A. On first use, a CA server-supplied passphrase is entered to validate the certificate.
B. A "newly installed" digital certificate does not become active until it is validated by the peer device upon
its first usage.
C. The user has not clicked the Verify button within the Cisco VPN Client.
D. The CA server and laptop PC clocks are out of sync.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
Certificates have a date and time that they become valid and that they expire. When the security appliance
enrolls with a CA and gets a certificate, the security appliance checks that the current time is within the
valid range for the certificate. If it is outside that range, enrollment fails.
The same applies to communication between the ASA and the PC.

QUESTION 130
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec
policy parameters.
Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?

A. IPsec user profile
B. Crypto Map
C. Group Policy
D. IPsec Policy
E. IKE Policy

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 131
Refer to the exhibit. A new NOC engineer is troubleshooting a VPN connection.
Which statement about the fields within the Cisco VPN Client Statistics screen is correct?

A. The ISP-assigned IP address of 10.0.21.1 is assigned to the VPN adapter of the PC.
B. The IP address of the security appliance to which the Cisco VPN Client is connected is 192.168.1.2.
C. CorpNet is the name of the Cisco ASA group policy whose tunnel parameters the connection is using.
D. The ability of the client to send packets transparently and unencrypted through the tunnel for test
purposes is turned off.
E. With split tunneling enabled, the Cisco VPN Client registers no decrypted packets.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 132
What is a valid reason for configuring a list of backup servers on the Cisco AnyConnect VPN Client profile?

A. to access a backup authentication server
B. to access a backup DHCP server
C. to access a backup VPN server
D. to access a backup CA server

Correct Answer: C
Section: (none)
Explanation

QUESTION 133
Your corporate finance department purchased a new non-web-based TCP application tool to run on one of
its servers.
Certain finance employees need remote access to the software during nonbusiness hours. These
employees do not have "admin" privileges to their PCs.
What is the correct way to configure the SSL VPN tunnel to allow this application to run?

A. Configure a smart tunnel for the application.
B. Configure a "finance tool" VNC bookmark on the employee clientless SSL VPN portal.
C. Configure the plug-in that best fits the application.
D. Configure the Cisco ASA appliance to download the Cisco AnyConnect SSL VPN Client to the finance
employee each time an SSL VPN tunnel is established.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 134
A temporary worker must use clientless SSL VPN with an SSH plug-in, in order to access the console of
an internal corporate server, the projects.xyz.com server.
For security reasons, the network security auditor insists that the temporary user is restricted to the one
internal corporate server, 10.0.4.18.
You are the network engineer who is responsible for the network access of the temporary user.
What should you do to restrict SSH access to the one projects.xyz.com server?

A. Configure access-list temp_user_acl extended permit TCP any host 10.0.4.18 eq 22.
B. Configure access-list temp_user_acl standard permit host 10.0.4.18 eq 22.
C. Configure access-list temp_acl webtype permit url ssh://10.0.4.18.
D. Configure a plug-in SSH bookmark for host 10.0.4.18, and disable network browsing on the clientless
SSL VPN portal of the temporary worker.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 135
Refer to the exhibit. A junior network engineer configured the corporate Cisco ASA appliance to
accommodate a new temporary worker. For security reasons, the IT department wants to restrict the
internal network access of the new temporary worker to the corporate server, with an IP address of
10.0.4.10. After the junior network engineer finished the configuration, an IT security specialist tested the
account of the temporary worker. The tester was able to access the URLs of additional secure servers
from the WebVPN user account of the temporary worker.
What did the junior network engineer configure incorrectly?

A. The ACL was configured incorrectly.
B. The ACL was applied incorrectly or was not applied.
C. Network browsing was not restricted on the temporary worker group policy.
D. Network browsing was not restricted on the temporary worker user policy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 136
Refer to the exhibit. You are configuring a laptop with the Cisco VPN Client, which uses digital certificates
for authentication.
Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?

A. FTP
B. LDAP
C. HTTPS
D. SCEP
E. OCSP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
About CRLs
Certificate Revocation Lists provide the security appliance with one means of determining whether a
certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a part
of the configuration of a trustpoint.
You can configure the security appliance to make CRL checks mandatory when authenticating a certificate
(revocation-check crl command). You can also make the CRL check optional by adding the none argument
(revocation-check crl none command), which allows the certificate authentication to succeed when the CA
is unavailable to provide updated CRL data.
The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each
trustpoint are cached for a length of time configurable for each trustpoint. When the security appliance has
cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance
considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer
version of the CRL the next time a certificate authentication requires checking the stale CRL.

QUESTION 137
Refer to the exhibit. The user "contractor" inherits which VPN group policy?

A. employee
B. management
C. DefaultWEBVPNGroup
D. DfltGrpPolicy
E. new_hire

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 138
When initiating a new SSL or TLS session, the client receives the server SSL certificate and validates it.
After validating the server certificate, what does the client use the certificate for?

A. The client and server use the server public key to encrypt the SSL session data.
B. The server creates a separate session key and sends it to the client. The client decrypts the session
key by using the server public key.
C. The client and server switch to a DH key exchange to establish a session key.
D. The client generates a random session key, encrypts it with the server public key, and then sends it to
the server.

Correct Answer: D
Section: (none)
Explanation

QUESTION 139
Refer to the exhibit. A NOC engineer is in the process of entering information into the Create New VPN
Connection Entry fields.
Which statement correctly describes how to do this?

A. In the Connection Entry field, enter the name of the connection profile as it is specified on the Cisco
ASA appliance.
B. In the Host field, enter the IP address of the remote client device.
C. In the Authentication tab, click the Group Authentication or Mutual Group Authentication radio button to
enable symmetrical pre-shared key authentication.
D. In the Name field, enter the name of the connection profile as it is specified on the Cisco ASA
appliance.

Correct Answer: D
Section: (none)
Explanation

QUESTION 140
Refer to the exhibit. For the ABC Corporation, members of the NOC need the ability to select tunnel groups
from a drop-down menu on the Cisco WebVPN login page.
As the Cisco ASA administrator, how would you accomplish this task?

A. Define a special identity certificate with multiple groups, which are defined in the certificate OU field,
that will grant the certificate holder access to the named groups on the login page.
B. Under Group Policies, define a default group that encompasses the required individual groups that will
appear on the login page.
C. Under Connection Profiles, define a NOC profile that encompasses the required individual profiles that
will appear on the login page.
D. Under Connection Profiles, enable "Allow user to select connection profile."

Correct Answer: D
Section: (none)
Explanation

QUESTION 141
Refer to the exhibit. While troubleshooting on a remote-access VPN application, a new NOC engineer
received the message that is shown.

What is the most likely cause of the problem?

A. The IP address that is assigned to the PC of the VPN user is not within the range of addresses that are
assigned to the SVC connection.
B. The IP address that is assigned to the PC of the VPN user is in use. The remote user needs to select a
different host address within the range.
C. The IP address that is assigned to the PC of the VPN user is in the wrong subnet. The remote user
needs to select a different host number within the correct subnet.
D. The IP address pool for contractors was not applied to their connection profile.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
%ASA-5-722006: Group group User user-name IP IP_address Invalid address IP_address assigned to
SVC connection.
An invalid address was assigned to the user. Recommended Action Verify and correct the address
assignment, if possible.

QUESTION 142
When using clientless SSL VPN, you might not want some applications or web resources to go through the
Cisco ASA appliance.
For these application and web resources, as a Cisco ASA administrator, which configuration should you
use?

A. Configure the Cisco ASA appliance for split tunneling.
B. Configure network access exceptions in the SSL VPN customization editor.
C. Configure the Cisco ASA appliance to disable content rewriting.
D. Configure the Cisco ASA appliance to enable URL Entry bypass.
E. Configure smart tunnel to bypass the Cisco ASA appliance proxy function.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_web.html
Content Rewrite
The Content Rewrite pane lists all applications for which content rewrite is enabled or disabled.
Clientless SSL VPN processes application traffic through a content transformation/rewriting engine that
includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to proxy HTTP
traffic which may have different semantics and access control rules depending on whether the user is
using an application within or independently of an SSL VPN device.
By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want some
applications and web resources (for example, public websites) to go through the security appliance. The
security appliance therefore lets you create rewrite rules that let users browse certain sites and
applications without going through the security appliance. This is similar to split-tunneling in an IPSec VPN
connection. You can create multiple rewrite rules. The rule number is important because the security
appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that
matches.

QUESTION 143
Refer to the exhibit. While troubleshooting a remote-access application, a new NOC engineer received the
logging message that is shown in the exhibit.

Which configuration is most likely to be mismatched?

A. IKE configuration
B. extended authentication configuration
C. IPsec configuration
D. digital certificate configuration

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 144
Which statement about CRL configuration is correct?

A. CRL checking is enabled by default.
B. The Cisco ASA relies on HTTPS access to procure the CRL list.
C. The Cisco ASA relies on LDAP access to procure the CRL list.
D. The Cisco Secure ACS can be configured as the CRL server.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
ASA SSLVPN deployment guide:
The security appliance supports various authentication methods: RSA one-time passwords, Radius,
Kerberos, LDAP, NT Domain, TACACS, Local/Internal, digital certificates, and a combination of both
authentication and certificates.

QUESTION 145
Refer to the exhibit. When the user "contractor" Cisco AnyConnect tunnel is established, what type of
Cisco ASA user restrictions are applied to the tunnel?

A. full restrictions (no Cisco ASDM, no CLI, no console access)
B. full restrictions (no read, no write, no execute permissions)
C. full restrictions (CLI show commands and Cisco ASDM monitoring permissions only)
D. full access with no restrictions

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 146
Refer to the exhibit. A NOC engineer needs to tune some prelogin parameters on an SSL VPN tunnel.
From the information that is shown, where should the engineer navigate to find the prelogin session
attributes?

A. "engineering" Group Policy
B. "contractor" Connection Profile
C. "engineer1" AAA/Local Users
D. DfltGrpPolicy Group Policy

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac05hostscanposture.html#wp1039696

QUESTION 147
An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation headquarters,
tried to access the XYZ sales demonstration folder to transfer a demonstration via FTP from an ABC
conference room behind the firewall. The engineer could not reach XYZ through the remote-access VPN
tunnel. From home the previous day, however, the engineer did connect to the XYZ sales demonstration
folder and transferred the demonstration via IPsec over DSL.
To get the connection to work and transfer the demonstration, what should the engineer do?

A. Change the MTU size on the IPsec client to account for the change from DSL to cable transmission.
B. Enable the local LAN access option on the IPsec client.
C. Enable the IPsec over TCP option on the IPsec client.
D. Enable the clientless SSL VPN option on the PC.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an
environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key
Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with modification
to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP
packet, and it enables secure tunneling through both Network Address Translation (NAT) and Port
Address Translation (PAT) devices and firewalls.

QUESTION 148
Which statement regarding hashing is correct?

A. MD5 produces a 64-bit message digest.
B. SHA-1 produces a 160-bit message digest.
C. MD5 takes more CPU cycles to compute than SHA-1.
D. Changing 1 bit of the input to SHA-1 can change up to 5 bits in the output.

Correct Answer: B
Section: (none)
Explanation

QUESTION 149
Refer to the exhibit. In the CLI snippet that is shown, what is the function of the deny option in the access
list?

A. When set in conjunction with outbound connection-type bidirectional, its function is to prevent the
specified traffic from being protected by the crypto map entry.
B. When set in conjunction with connection-type originate-only, its function is to instruct the Cisco ASA to
deny specific inbound traffic if it is not encrypted.
C. When set in conjunction with outbound connection-type answer-only, its function is to instruct the Cisco
ASA to deny specific outbound traffic if it is not encrypted.
D. When set in conjunction with connection-type originate-only, its function is to cause all IP traffic that
matches the specified conditions to be protected by the crypto map.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 150
Which cryptographic algorithms are a part of the Cisco NGE suite?

A. HIPPA DES
B. AES-CBC-128
C. RC4-128
D. AES-GCM-256

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://www.cisco.com/web/learning/le21/le39/docs/tdw166_prezo.pdf

QUESTION 151
Which transform set is contained in the IKEv2 default proposal?

A. aes-cbc-192, sha256, group 14
B. 3des, md5, group 7
C. 3des, sha1, group 1
D. aes-cbc-128, sha, group 5

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 152
Which command clears all crypto configuration from a Cisco Adaptive Security Appliance?

A. clear configure crypto
B. clear configure crypto ipsec
C. clear crypto map
D. clear crypto ikev2 sa

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 153
Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel group in
cleartext?

A. more system:running-config
B. show running-config crypto
C. show running-config tunnel-group
D. show running-config tunnel-group-map
E. clear config tunnel-group
F. show ipsec policy

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 154
An administrator desires that when work laptops are not connected to the corporate network, they should
automatically initiate an AnyConnect VPN tunnel back to headquarters. Where does the administrator
configure this?

A. Via the svc trusted-network command under the group-policy sub-configuration mode on the ASA
B. Under the "Automatic VPN Policy" section inside the Anyconnect Profile Editor within ASDM
C. Under the TNDPolicy XML section within the Local Preferences file on the client computer
D. Via the svc trusted-network command under the global webvpn sub-configuration mode on the ASA

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 155
The following configuration steps have been completed:

- WebVPN was enabled on the ASA outside interface.
- SSL VPN client software was loaded to the ASA.
- A DHCP scope was configured and applied to a WebVPN Tunnel Group.

What additional step is required if the client software fails to load when connecting to the ASA SSL page?

A. The SSL client must be loaded to the client by an ASA administrator
B. The SSL client must be downloaded to the client via FTP
C. The SSL VPN client must be enabled on the ASA after loading
D. The SSL client must be enabled on the client machine before loading

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70511-
sslvpnclient-asa.html#step2
From the document above under link “Step 2. Install and Enable the SSL VPN Client on the ASA”.
Starting with Step 5, it said to enable the “SSL VPN Client” after uploading the image.
This is very true because I forgot to do this one time after loading a new version of Anyconnect and the
client failed to load.

QUESTION 156
Remote users want to access internal servers behind an ASA using Microsoft terminal services. Which
option outlines the steps required to allow users access via the ASA clientless VPN portal?

A. 1. Configure a static PAT rule for TCP port 3389
2. Configure an inbound access-list to allow traffic from remote users to the servers
3. Assign this access-list rule to the group policy
B. 1. Configure a bookmark of the type http:// server-IP :3389
2. Enable Smart tunnel on this bookmark
3. Assign the bookmark to the desired group policy
C. 1. Configure a Smart Tunnel application list
2. Add the rdp.exe process to this list
3. Assign the Smart Tunnel application list to the desired group policy
D. 1. Upload an RDP plugin to the ASA
2. Configure a bookmark of the type rdp:// server-IP
3. Assign the bookmark list to the desired group policy

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 157
Which command is used to determine how many GMs have registered in a GETVPN environment?

A. show crypto isakmp sa
B. show crypto gdoi ks members
C. show crypto gdoi gm
D. show crypto ipsec sa
E. show crypto isakmp sa count

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 158
On which Cisco platform are dynamic virtual template interfaces available?

A. Cisco Adaptive Security Appliance 5585-X
B. Cisco Catalyst 3750X
C. Cisco Integrated Services Router Generation 2
D. Cisco Nexus 7000

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 159
Refer to the exhibit. Which statement about the given IKE policy is true?

A. The tunnel will be valid for 2 days, 88 minutes, and 00 seconds.
B. It will use encrypted nonces for authentication.
C. It has a keepalive of 60 minutes, checking every 5 minutes.
D. It uses a 56-bit encryption algorithm.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 160
Refer to the exhibit. Which two statements about the given configuration are true? (Choose two.)

A. Defined PSK can be used by any IPSec peer.
B. Any router defined in group 2 will be allowed to connect.
C. It can be used in a DMVPN deployment
D. It is a LAN-to-LAN VPN ISAKMP policy.
E. It is an AnyConnect ISAKMP policy.
F. PSK will not work as configured

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 161
Refer to the exhibit. What technology does the given configuration demonstrate?

A. Keyring used to encrypt IPSec traffic
B. FlexVPN with IPV6
C. FlexVPN with AnyConnect
D. Crypto Policy to enable IKEv2

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 162
Which command enables the router to form EIGRP neighbor adjacencies with peers using a different
subnet than the ingress interface?

A. ip unnumbered interface
B. eigrp router-id
C. passive-interface interface name
D. ip split-horizon eigrp as number

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 163
Which feature enforces the corporate policy for Internet access to Cisco AnyConnect VPN users?

A. Trusted Network Detection
B. Datagram Transport Layer Security
C. Cisco AnyConnect Customization
D. banner message

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 164
In which situation would you enable the Smart Tunnel option with clientless SSL VPN?

A. when a user is using an outdated version of a web browser
B. when an application is failing in the rewrite process
C. when IPsec should be used over SSL VPN
D. when a user has a nonsupported Java version installed
E. when cookies are disabled

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 165
Refer to the exhibit. You executed the show crypto ipsec sa command to troubleshoot an IPSec issue.
What problem does the given output indicate?

A. IKEv2 failed to establish a phase 2 negotiation.
B. The Crypto ACL is different on the peer device.
C. ISAKMP was unable to find a matching SA.
D. IKEv2 was used in aggressive mode.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 166
Which two types of authentication are supported when you use Cisco ASDM to configure site- to-site
IKEv2 with IPv6? (Choose two.)

A. preshared key
B. webAuth
C. digital certificates
D. XAUTH
E. EAP

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 167
Which option describes the purpose of the shared argument in the DMVPN interface command tunnel
protection IPsec profile ProfileName shared?

A. shares a single profile between multiple tunnel interfaces
B. allows multiple authentication types to be used on the tunnel interface
C. shares a single profile between a tunnel interface and a crypto map
D. shares a single profile between IKEv1 and IKEv2

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 168
Which type of communication in a FlexVPN implementation uses an NHRP shortcut?

A. spoke to hub
B. spoke to spoke
C. hub to spoke
D. hub to hub

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 169
Which technology is FlexVPN based on?

A. OER
B. VRF
C. IKEv2
D. an RSA nonce

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 170
Which application does the Application Access feature of Clientless VPN support?

A. TFTP
B. VoIP
C. Telnet
D. active FTP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 171
Where do you configure AnyConnect certificate-based authentication in ASDM?

A. group policies
B. AnyConnect Connection Profile
C. AnyConnect Client Profile
D. Advanced Network (Client) Access

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 172
Which protocols does the Cisco AnyConnect client use to build multiple connections to the security
appliance?

A. TLS and DTLS
B. IKEv1
C. L2TP over IPsec
D. SSH over TCP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 173
Which is used by GETVPN, FlexVPN and DMVPN?

A. NHRP
B. MPLS
C. GRE
D. ESP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 174
Which VPN solution is best for a collection of branch offices connected by MPLS that frequently make VoIP
calls between branches?

A. GETVPN
B. Cisco AnyConnect
C. site-to-site
D. DMVPN

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 175
Refer to the exhibit. Which VPN solution does this configuration represent?

A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 176
Refer to the exhibit. You have implemented an SSL VPN as shown. Which type of communication takes
place between the secure gateway R1 and the Cisco Secure ACS?

A. HTTP proxy
B. AAA
C. policy
D. port forwarding

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 177
Which technology can provide high availability for an SSL VPN?

A. DMVPN
B. a multiple-tunnel configuration
C. a Cisco ASA pair in active/passive failover configuration
D. certificate to tunnel group maps

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 178
Refer to the exhibit. Which VPN solution does this configuration represent?

A. Cisco AnyConnect
B. IPsec
C. L2TP
D. SSL VPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 179
Which technology must be installed on the client computer to enable users to launch applications from a
Clientless SSL VPN?

A. Java
B. QuickTime plug-in
C. Silverlight
D. Flash

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 180
In the Diffie-Hellman protocol, which type of key is the shared secret?

A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 181
Refer to the exhibit. Which exchange does this debug output represent?

A. IKE Phase 1
B. IKE Phase 2
C. symmetric key exchange
D. certificate exchange

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 182
Which two technologies are considered to be Suite B cryptography? (Choose two.)

A. MD5
B. SHA2
C. Elliptical Curve Diffie-Hellman
D. 3DES
E. DES

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 183
Which protocol does DTLS use for its transport?

A. TCP
B. UDP
C. IMAP
D. DDE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 184
Scenario:

You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.

You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the
IPsec configuration is properly configured between the two sites.

NOTE: the show running-config command cannot be used for this exercise.

Topology:
What is being used as the authentication method on the branch ISR?

A. Certificates
B. Pre-shared public keys
C. RSA public keys
D. Diffie-Hellman Group 2

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
The show crypto isakmp key command shows the preshared key of "cisco"

QUESTION 185
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.

You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the
IPsec configuration is properly configured between the two sites.

NOTE: the show running-config command cannot be used for this exercise.

Topology:
Which transform set is being used on the branch ISR?

A. Default
B. ESP-3DES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS mode transport
D. TSET

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
This can be seen from the "show crypto ipsec sa" command as shown below:

QUESTION 186
Scenario:

You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.

You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify that the
IPsec configuration is properly configured between the two sites.

NOTE: the show running-config command cannot be used for this exercise.

Topology:
In what state is the IKE security association in on the Cisco ASA?

A. There are no security associations in place
B. MM_ACTIVE
C. ACTIVE(ACTIVE)
D. QM_IDLE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
This can be seen from the "show crypto isa sa" command:

QUESTION 187
Scenario:

You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.

You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify that the
IPsec configuration is properly configured between the two sites.

NOTE: the show running-config command cannot be used for this exercise.

Topology:
Which crypto map tag is being used on the Cisco ASA?

A. outside_cryptomap
B. VPN-to-ASA
C. L2L_Tunnel
D. outside_map1

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
This is seen from the "show crypto ipsec sa" command on the ASA.

QUESTION 188
Which option describes what address preservation with IPsec Tunnel Mode allows when GETVPN is
used?

A. stronger encryption methods
B. Network Address Translation of encrypted traffic
C. traffic management based on original source and destination addresses
D. Tunnel Endpoint Discovery

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 189
Which feature is available in IKEv1 but not IKEv2?

A. Layer 3 roaming
B. aggressive mode
C. EAP variants
D. sequencing

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 190
Which feature is enabled by the use of NHRP in a DMVPN network?

A. host routing with Reverse Route Injection
B. BGP multiaccess
C. host to NBMA resolution
D. EIGRP redistribution

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 191
Which statement about the hub in a DMVPN configuration with iBGP is true?

A. It must be a route reflector client.
B. It must redistribute EIGRP from the spokes.
C. It must be in a different AS.
D. It must be a route reflector.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 192
Refer to the exhibit. Which technology is represented by this configuration?

A. AAA for FlexVPN
B. AAA for EzVPN
C. TACACS+ command authorization
D. local command authorization

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 193
Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel?

A. show crypto ipsec sa
B. show crypto isakmp sa
C. show crypto ikev2 sa
D. show ip nhrp

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 194
Which interface is managed by the VPN Access Interface field in the Cisco ASDM IPsec Site-to-Site VPN
Wizard?

A. the local interface named "VPN_access"
B. the local interface configured with crypto enable
C. the local interface from which traffic originates
D. the remote interface with security level 0

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 195
You are troubleshooting a DMVPN NHRP registration failure. Which command can you use to view
request counters?

A. show ip nhrp nhs detail
B. show ip nhrp tunnel
C. show ip nhrp incomplete
D. show ip nhrp incomplete tunnel tunnel_interface_number

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 196
Refer to the exhibit. What is the purpose of the given configuration?

A. Establishing a GRE tunnel.
B. Enabling IPSec to decrypt fragmented packets.
C. Resolving access issues caused by large packet sizes.
D. Adding the spoke to the routing table.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 197
Which three commands are included in the command show dmvpn detail? (Choose three.)

A. show ip nhrp nhs
B. show dmvpn
C. show crypto session detail
D. show crypto ipsec sa detail
E. show crypto sockets
F. show ip nhrp

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 198
Refer to the exhibit. Which action is demonstrated by this debug output?

A. NHRP initial registration by a spoke.
B. NHRP registration acknowledgement by the hub.
C. Disabling of the DMVPN tunnel interface.
D. IPsec ISAKMP phase 1 negotiation.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 199
Which option describes the purpose of the command show derived-config interface virtual-access 1?

A. It verifies that the virtual access interface is cloned correctly with per-user attributes.
B. It verifies that the virtual template created the tunnel interface.
C. It verifies that the virtual access interface is of type Ethernet.
D. It verifies that the virtual access interface is used to create the tunnel interface.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 200
Which two RADIUS attributes are needed for a VRF-aware FlexVPN hub? (Choose two.)

A. ip:interface-config=ip unnumbered loopbackn
B. ip:interface-config=ip vrf forwarding ivrf
C. ip:interface-config=ip src route
D. ip:interface-config=ip next hop
E. ip:interface-config=ip neighbor 0.0.0.0

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 201
Which functionality is provided by L2TPv3 over FlexVPN?

A. the extension of a Layer 2 domain across the FlexVPN
B. the extension of a Layer 3 domain across the FlexVPN
C. secure communication between servers on the FlexVPN
D. a secure backdoor for remote access users through the FlexVPN

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 202
When you troubleshoot Cisco AnyConnect, which step does Cisco recommend before you open a TAC
case?

A. Show applet Lifecycle exceptions.
B. Disable cookies.
C. Enable the WebVPN cache.
D. Collect a DART bundle.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 203
What URL do you use to download a packet capture file in a format which can be used by a packet
analyzer?

A. ftp://<hostname>/capture/<capture_name>/
B. https://<asdm_enabled _interface:port>/<capture_name>/
C. https://<asdm_enabled_interface:port>/admin/capture/<capture_name>/pcap
D. https://<hostname>/<capture_name>/pcap

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 204
If Web VPN bookmarks are grayed out on the home screen, which action should you take to begin
troubleshooting?

A. Determine whether the Cisco ASA can resolve the DNS names.
B. Determine whether the Cisco ASA has DNS forwarders set up.
C. Determine whether an ACL is present to permit DNS forwarding.
D. Replace the DNS name with an IP address.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html#anc15
WebVPN Clients Cannot Hit Bookmarks and is Grayed Out
Problem
If these bookmarks were configured for users to sign in to the clientless VPN, but on the home screen
under "Web Applications" they show up as grayed out, how can I enable these HTTP links so that the
users are able to click them and go into the particular URL?
Solution
You should first make sure that the ASA can resolve the websites through DNS. Try to ping the websites
by name. If the ASA cannot resolve the name, the link is grayed out. If the DNS servers are internal to your
network, configure the DNS domain-lookup private interface.

QUESTION 205
Which command clears all Cisco AnyConnect VPN sessions?

A. vpn-sessiondb logoff anyconnect
B. vpn-sessiondb logoff webvpn
C. vpn-sessiondb logoff l2l
D. clear crypto isakmp sa

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 206
Which group-policy subcommand installs the Diagnostic AnyConnect Report Tool on user computers when
a Cisco AnyConnect user logs in?

A. customization value dart
B. file-browsing enable
C. smart-tunnel enable dart
D. anyconnect module value dart

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 207
You have deployed new Cisco AnyConnect start before logon modules and set the configuration to
download modules before logon, but all client connections continue to use the previous version of the
module. Which action must you take to correct the problem?

A. Configure start before logon in the client profile.
B. Configure a group policy to prompt the user to download the updated module.
C. Define the modules for download in the client profile.
D. Define the modules for download in the group policy.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 208
Which feature do you include in a highly available system to account for potential site failures?

A. geographical separation of redundant devices
B. hot/standby failover pairs
C. Cisco ACE load-balancing with VIP
D. dual power supplies

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 209
Refer to the exhibit. Which VPN solution does this configuration represent?

A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 210
Which VPN type can be used to provide secure remote access from public internet cafes and airport
kiosks?

A. site-to-site
B. business-to-business
C. Clientless SSL
D. DMVPN

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 211
Refer to the exhibit. Which VPN solution does this configuration represent?

A. Cisco AnyConnect (IKEv2)
B. site-to-site
C. DMVPN
D. SSL VPN

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 212
What must be enabled in the web browser of the client computer to support Clientless SSL VPN?

A. cookies
B. ActiveX
C. Silverlight
D. popups

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 213
Which VPN feature allows remote access clients to print documents to local network printers?

A. Reverse Route Injection
B. split tunneling
C. loopback addressing
D. dynamic virtual tunnels

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 214
Which option is most effective at preventing a remote access VPN user from bypassing the corporate
transparent web proxy?

A. using the proxy-server settings of the client computer to specify a PAC file for the client computer to
download
B. instructing users to use the corporate proxy server for all web browsing
C. disabling split tunneling
D. permitting local LAN access

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 215
Which option is an example of an asymmetric algorithm?

A. 3DES
B. IDEA
C. AES
D. RSA

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.encryptionanddecryption.com/algorithms/asymmetric_algorithms.html

QUESTION 216
Which three parameters are specified in the isakmp (IKEv1) policy? (Choose three.)

A. the hashing algorithm
B. the authentication method
C. the lifetime
D. the session key
E. the transform-set
F. the peer

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 217
Which option is one component of a Public Key Infrastructure?

A. the Registration Authority
B. Active Directory
C. RADIUS
D. TACACS+

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 218
Which option is a required element of Secure Device Provisioning communications?

A. the introducer
B. the certificate authority
C. the requestor
D. the registration authority

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 219
Which technology can you implement to reduce latency issues associated with a Cisco AnyConnect VPN?

A. DTLS
B. SCTP
C. DCCP
D. SRTP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 220
Which three types of SSO functionality are available on the Cisco ASA without any external SSO servers?
(Choose three.)

A. SAML
B. HTTP POST
C. HTTP Basic
D. NTLM
E. Kerberos
F. OAuth 2.0

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 221
Which two statements about the Cisco ASA Clientless SSL VPN smart tunnels feature are true? (Choose
two.)

A. Smart tunnels are enabled on the secure gateway (Cisco ASA) for specific applications that run on the
end client and work irrespective of which transport protocol the application uses.
B. Smart tunnels require Administrative privileges to run on the client machine.
C. A smart tunnel is a DLL that is pushed from the headend to the client machine after SSL VPN portal
authentication and that is attached to smart-tunneled processes to route traffic through the SSL VPN
session with the gateway.
D. Smart tunnels offer better performance than the client-server plugins.
E. Smart tunnels are supported on Windows, Mac, and Linux.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 222
As network security architect, you must implement secure VPN connectivity among company branches
over a private IP cloud with any-to-any scalable connectivity.
Which technology should you use?

A. IPsec DVTI
B. FlexVPN
C. DMVPN
D. IPsec SVTI
E. GET VPN

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 223
Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.)

A. transform set
B. ISAKMP policy
C. ACL that defines traffic to encrypt
D. dynamic routing protocol
E. tunnel interface
F. IPsec profile
G. PSK or PKI trustpoint with certificate

Correct Answer: ABG
Section: (none)
Explanation

Explanation/Reference:

QUESTION 224
Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?

A. PSK
B. Phase 1 policy
C. transform set
D. crypto access list

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 225
Which three changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is
configured? (Choose three.)

A. Enable EIGRP next-hop-self on the hub.
B. Disable EIGRP next-hop-self on the hub.
C. Enable EIGRP split-horizon on the hub.
D. Add NHRP redirects on the hub.
E. Add NHRP shortcuts on the spoke.
F. Add NHRP shortcuts on the hub.

Correct Answer: BDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 226
Which algorithm provides both encryption and authentication for data plane communication?

A. SHA-96
B. SHA-384
C. 3DES
D. AES-256
E. AES-GCM
F. RC4

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 227
Which three configurations are prerequisites for stateful failover for IPsec? (Choose three.)

A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device;
the IPsec configuration is copied automatically.
B. Only crypto map configuration that is set up on the active device must be duplicated on the standby
device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.
D. The active and standby devices can run different versions of the Cisco IOS software but need to be the
same type of device.
E. The active and standby devices must run the same version of the Cisco IOS software and should be
the same type of device.
F. Only the IPsec configuration that is set up on the active device must be duplicated on the standby
device; the IKE configuration is copied automatically.
G. The IKE configuration that is set up on the active device must be duplicated on the standby device.

Correct Answer: CEG
Section: (none)
Explanation

Explanation/Reference:

QUESTION 228
Which two statements comparing ECC and RSA are true? (Choose two.)

A. ECC can have the same security as RSA but with a shorter key size.
B. ECC lags in performance when compared with RSA.
C. Key generation in ECC is slower and less CPU intensive.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. Key generation in ECC is faster and less CPU intensive.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 229
Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)

A. one IPsec SA for all encrypted traffic
B. no requirement for an overlay routing protocol
C. design for use over public or private WAN
D. sequence numbers that enable scalable replay checking
E. enabled use of ESP or AH
F. preservation of IP protocol in outer header

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 230
A customer requires all traffic to go through a VPN. However, access to the local network is also required.
Which two options can enable this configuration? (Choose two.)

A. split exclude
B. use of an XML profile
C. full tunnel by default
D. split tunnel
E. split include

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 231
As network consultant, you are asked to suggest a VPN technology that can support a multivendor
environment and secure traffic between sites. Which technology should you recommend?

A. DMVPN
B. FlexVPN
C. GET VPN
D. SSL VPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 232
Which protocol must be enabled on the inside interface to use cluster encryption in SSL VPN load
balancing?

A. TLS
B. DTLS
C. IKEv2
D. ISAKMP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 233
Refer to the exhibit. Which type of VPN implementation is displayed?

A. IKEv2 reconnect
B. IKEv1 cluster
C. IKEv2 load balancer
D. IKEv1 client
E. IPsec high availability
F. IKEv2 backup gateway

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 234
Which PKI enrollment method allows the user to separate authentication and enrollment actions and also
provides an option to specify HTTP/TFTP commands to perform file retrieval from the server?

A. enrollment profile
B. enrollment terminal
C. enrollment url
D. enrollment selfsigned

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 235
Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA
devices. Based on the syslog message, which action can bring up the VPN tunnel?

A. Increase the maximum SA limit on the local Cisco ASA.
B. Correct the crypto access list on both Cisco ASA devices.
C. Remove the maximum SA limit on the remote Cisco ASA.
D. Reduce the maximum SA limit on the local Cisco ASA.
E. Correct the IP address in the local and remote crypto maps.
F. Increase the maximum SA limit on the remote Cisco ASA.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The syslog message shows the request being rejected by CAC (Call Admission Control), which is used to limit the number of SAs.

QUESTION 236
Refer to the exhibit. Which type of VPN is being configured, based on the partial configuration snippet?

A. DMVPN with dual hub
B. GET VPN with dual group member
C. FlexVPN backup gateway
D. GET VPN with COOP key server
E. FlexVPN load balancer

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 237
Which configuration is used to build a tunnel between a Cisco ASA and ISR?

A. crypto map
B. DMVPN
C. GET VPN
D. GRE with IPsec
E. GRE without IPsec

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 238
Refer to the exhibit. What is the problem with the IKEv2 site-to-site VPN tunnel?

A. incorrect PSK
B. crypto access list mismatch
C. incorrect tunnel group
D. crypto policy mismatch
E. incorrect certificate

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 239
Which two statements regarding IKEv2 are true per RFC 4306? (Choose two.)

A. It is compatible with IKEv1.
B. It has at minimum a nine-packet exchange.
C. It uses aggressive mode.
D. NAT traversal is included in the RFC.
E. It uses main mode.
F. DPD is defined in RFC 4309.
G. It allows for EAP authentication.

Correct Answer: DG
Section: (none)
Explanation

Explanation/Reference:

QUESTION 240
Which DAP endpoint attribute checks for the matching MAC address of a client machine?

A. device
B. process
C. antispyware
D. BIA

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 241
Which type of NHRP packet is unique to Phase 3 DMVPN topologies?

A. resolution request
B. resolution reply
C. traffic indication
D. registration request
E. registration reply
F. error indication

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 242
Which three types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL
VPN portal? (Choose three.)

A. HTTP
B. VNC
C. CIFS
D. RDP
E. HTTPS
F. ICA (Citrix)

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 243
Which three parameters must match on all routers in a DMVPN Phase 3 cloud? (Choose three.)

A. NHRP network ID
B. GRE tunnel key
C. NHRP authentication string
D. tunnel VRF
E. EIGRP process name
F. EIGRP split-horizon setting

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 244
Refer to the exhibit. The customer needs to launch AnyConnect in the RDP machine.
Which configuration is correct?

A. crypto vpn anyconnect profile test flash:RDP.xml policy group default svc profile test
B. crypto vpn anyconnect profile test flash:RDP.xml webvpn context GW_1 browser-attribute import flash:/
swj.xml
C. crypto vpn anyconnect profile test flash:RDP.xml policy group default svc profile flash:RDP.xml
D. crypto vpn anyconnect profile test flash:RDP.xml webvpn context GW_1 browser-attribute import test

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 245
Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)

A. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through
the URL bar, the client uses the local DNS to perform FQDN resolution.
B. The rewriter enable command under the global webvpn configuration enables the rewriter functionality
because that feature is disabled by default.
C. A Cisco ASA with an AnyConnect Premium Peers license can simultaneously allow Clientless SSL
VPN sessions and AnyConnect client sessions.
D. Content rewriter functionality in the Clientless SSL VPN portal is not supported on Apple mobile
devices.
E. Clientless SSLVPN provides Layer 3 connectivity into the secured network.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 246
Refer to the exhibit. Which two characteristics of the VPN implementation are evident? (Choose two.)

A. dual DMVPN cloud setup with dual hub
B. DMVPN Phase 3 implementation
C. single DMVPN cloud setup with dual hub
D. DMVPN Phase 1 implementation
E. quad DMVPN cloud with quadra hub
F. DMVPN Phase 2 implementation

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 247
Which protocol can be used for better throughput performance when using Cisco AnyConnect VPN?

A. TLSv1
B. TLSv1.1
C. TLSv1.2
D. DTLSv1

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 248
Which configuration construct must be used in a FlexVPN tunnel?

A. multipoint GRE tunnel interface
B. IKEv1 policy
C. IKEv2 profile
D. EAP configuration

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 249
Which benefit of FlexVPN is not offered by DMVPN using IKEv1?

A. Dynamic routing protocols can be configured.
B. IKE implementation can install routes in routing table.
C. GRE encapsulation allows for forwarding of non-IP traffic.
D. NHRP authentication provides enhanced security.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 250
Which command identifies an AnyConnect profile that was uploaded to the router flash?

A. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
B. svc import profile SSL_profile flash:simos-profile.xml
C. anyconnect profile SSL_profile flash:simos-profile.xml
D. webvpn import profile SSL_profile flash:simos-profile.xml

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 251
Refer to the exhibit. The customer can establish an AnyConnect connection on the first attempt only.
Subsequent attempts fail. What might be the issue?

A. IKEv2 is blocked over the path.
B. UserGroup must be different than the name of the connection profile.
C. The primary protocol should be SSL.
D. UserGroup must be the same as the name of the connection profile.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 252
Which algorithm is an example of asymmetric encryption?

A. RC4
B. AES
C. ECDSA
D. 3DES

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 253
Which three configuration parameters are mandatory for an IKEv2 profile? (Choose three.)

A. IKEv2 proposal
B. local authentication method
C. match identity or certificate
D. IKEv2 policy
E. PKI certificate authority
F. remote authentication method
G. IKEv2 profile description
H. virtual template

Correct Answer: BCF
Section: (none)
Explanation

Explanation/Reference:

QUESTION 254
Which two parameters help to map a VPN session to a tunnel group without using the tunnel- group list?
(Choose two.)

A. group-alias
B. certificate map
C. use gateway command
D. group-url
E. AnyConnect client version

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 255
Refer to the exhibit. Which technology does this configuration demonstrate?

A. AnyConnect SSL over IPv4+IPv6
B. AnyConnect FlexVPN over IPv4+IPv6
C. AnyConnect FlexVPN IPv6 over IPv4
D. AnyConnect SSL IPv6 over IPv4

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
FlexVPN uses IPsec/IKEv2; SSL VPN uses TLS.
"vpn-tunnel-protocol ikev2 ssl-client" is part of a FlexVPN configuration; the configuration for SSL would be
"vpn-tunnel-protocol ssl-client".
http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/115735-acssl-ip-
config-00.html

QUESTION 256
Refer to the exhibit. The IKEv2 site-to-site VPN tunnel between two routers is down.
Based on the debug output, which type of mismatch might be the problem?

A. PSK
B. crypto policy
C. peer identity
D. transform set

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 257
Which equation describes an elliptic curve?

A. y3 = x3 + ax + b
B. x3 = y2 + ab + x
C. y4 = x2 + ax + b
D. y2 = x3 + ax + b
E. y2 = x2 + ax + b2

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 258
An engineer wants to ensure that employees cannot access corporate resources on untrusted networks,
but does not want a new VPN session to be established each time they leave the trusted network. Which
Cisco AnyConnect Trusted Network Policy option allows this ability?

A. Pause
B. Connect
C. Do Nothing
D. Disconnect

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 259
Refer to the exhibit. In this tunnel mode GRE multipoint example, which command on the hub router
distinguishes one spoke from the other?

A. no ip route
B. ip nhrp map
C. ip frame-relay
D. tunnel mode gre multipoint

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 260
A network engineer must configure a new VPN tunnel utilizing IKEv2. For which three reasons would a
configuration use IKEv2 instead of IKEv1? (Choose three.)

A. increased hash size
B. DOS protection
C. Preshared keys are used for authentication.
D. RSA-Sig used for authentication
E. native NAT traversal
F. asymmetric authentication

Correct Answer: BEF
Section: (none)
Explanation

Explanation/Reference:

QUESTION 261
A network engineer is troubleshooting a site VPN tunnel configured on a Cisco ASA and wants to validate
that the tunnel is sending and receiving traffic. Which command accomplishes this task?

A. show crypto ikev1 sa peer
B. show crypto ikev2 sa peer
C. show crypto ipsec sa peer
D. show crypto isakmp sa peer

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 262
When troubleshooting clientless SSL VPN connections, which option can be verified on the client PC?

A. address assignment
B. DHCP configuration
C. tunnel group attributes
D. host file misconfiguration

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-
troubleshooting.html

QUESTION 263
Which two commands are included in the command show dmvpn detail? (Choose two.)

A. Show ip nhrp
B. Show ip nhrp nhs
C. Show crypto ipsec sa detail
D. Show crypto session detail
E. Show crypto sockets

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
"show dmvpn detail" returns the output of show ip nhrp nhs, show dmvpn, and show crypto session detail
http://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multi-point-vpn-dmvpn/116957-technote-
dmvpn-00.html

QUESTION 264
An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS
routers. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats
seem to show that are up. However, when trying to connect to a remote server using RDP, the connection
fails. Which action resolves this issue?

A. Change DMVPN timeout values.
B. Adjust the MTU size within the routers.
C. Replace certificate on the RDP server.
D. Add RDP port to the extended ACL.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Answers A and C do not make sense.
Answer D is valid only for split tunneling, if we want to pass the RDP traffic off tunnel. The ACL configured
to establish the DMVPN tunnel only needs UDP 500/4500 and ESP (protocol 50).
Answer B should be correct because voice traffic (UDP) and ping use smaller packet sizes and will not be
fragmented, and thus will work. RDP uses TCP port 3389 and is not tolerant of this.

QUESTION 265
Which feature is a benefit of Dynamic Multipoint VPN?

A. geographic filtering of spoke devices
B. translation PAT
C. rotating wildcard preshared keys
D. dynamic spoke-to spoke tunnel establishment

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 266
An engineer has configured Cisco AnyConnect VPN using IKEv2 on a Cisco IOS router. The user cannot
connect in the Cisco AnyConnect client, but receives an alert message "Use a browser to gain access."
Which action does the engineer take to eliminate this issue?

A. Reset user login credentials.
B. Disable the HTTP server.
C. Correct the URL address.
D. Connect using HTTPS.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html

QUESTION 267
Refer to the exhibit. A network administrator is running DMVPN with EIGRP. When the administrator looks
at the routing table on spoke 1, it displays a route to the hub only.
Which command is missing on the hub router that would include the spoke 2 and spoke 3 routes in the
spoke 1 routing table?

A. no inverse arp
B. neighbor (ip address)
C. no ip split-horizon eigrp 1
D. redistribute static

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
QUESTION 268
Which algorithm provides both encryption and authentication for data plane communication?

A. RC4
B. SHA-384
C. AES-256
D. SHA-96
E. 3DES
F. AES-GCM

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:

QUESTION 269
Refer to the exhibit. Client 1 cannot communicate with Client 2. Both clients are using Cisco AnyConnect
and have established a successful SSL VPN connection to the hub ASA.
Which command on the ASA is missing?

A. same-security-traffic permit inter-interface
B. same-security-traffic permit intra-interface
C. dns-server value 10.1.1.3
D. split-tunnel-network list

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 270
Which statement regarding GET VPN is true?
A. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration
on the key server.
B. The pseudotime that is used for replay checking is synchronized via NTP.
C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
D. TEK rekeys can be load-balanced between two key servers operating in COOP.
E. The configuration that defines which traffic to encrypt is present only on the key server.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 271
Which two statements comparing ECC and RSA are true? (Choose two.)

A. Key generation in ECC is slower and more CPU intensive than RSA.
B. ECC can have the same security as RSA but with a shorter key size.
C. Key generation in ECC is faster and less CPU intensive than RSA.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. ECC lags in performance when compared with RSA.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 272
Refer to the exhibit. An engineer is troubleshooting a new GRE over IPSEC tunnel.
The tunnel is established, but the engineer cannot ping from spoke 1 to spoke 2.
Which type of traffic is being blocked?

A. ESP packets from spoke1 to spoke2
B. ISAKMP packets from spoke2 to spoke1
C. ESP packets from spoke2 to spoke1
D. ISAKMP packets from spoke1 to spoke2

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 273
A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message:

The AnyConnect package on the secure gateway could not be located. You may be experiencing network
connectivity issues. Please try connecting again.

Which option is the likely cause of this issue?

A. This Cisco ASA firewall has experienced a failure.
B. The user is entering an incorrect password.
C. The user's operating system is not supported with the ASA's current configuration.
D. The user laptop clock is not synchronized with NTP.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 274
Which two operational advantages does GetVPN offer over site-to-site IPsec tunnel in a private MPLS-
based core network? (Choose two.)

A. Key servers perform encryption and decryption of all the data in the network, which allows for tight
security policies.
B. Traffic uses one VRF to encrypt data and a different one to decrypt data, which allows for multicast
traffic isolation.
C. GETVPN is tunnel-less, which allows any group member to perform decryption and routing around
network failures.
D. Packets carry original source and destination IP addresses, which allows for optimal routing of
encrypted traffic.
E. Group Domain of Interpretation protocol allows for homomorphic encryption, which allows group
members to operate on messages without decrypting them

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/
deployment_guide_c07_554713.html

QUESTION 275
An administrator received a report that a user cannot connect to the headquarters site using Cisco
AnyConnect and receives this error: "The installer was not able to start the Cisco VPN client, clientless
access is not available." Which option is a possible cause for this error?

A. The client version of Cisco AnyConnect is not compatible with the Cisco ASA software image.
B. The operating system of the client machine is not supported by Cisco AnyConnect.
C. The driver for Cisco AnyConnect is outdated.
D. The installed version of Java is not compatible with Cisco AnyConnect.
Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 276
An engineer is configuring an IPsec VPN with IKEv2.
Which three components are part of the IKEv2 proposal for this implementation? (Choose three.)

A. key ring
B. DH group
C. integrity
D. tunnel name
E. encryption

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 277
Which command can be used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?

A. show crypto ikev2 client flexvpn
B. show crypto identity
C. show crypto isakmp sa
D. show crypto gkm

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 278
Refer to the exhibit. An engineer encounters a debug message.
Which action can the engineer take to eliminate this error message?

A. Use a stronger encryption suite.
B. Correct the VPN peer address.
C. Make an adjustment to the IPsec replay window.
D. Change the preshared key to match.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 279
Which two changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is
configured? (Choose two.)

A. Disable EIGRP next-hop-self on the hub.
B. Enable EIGRP next-hop-self on the hub.
C. Add NHRP shortcuts on the hub.
D. Add NHRP redirects on the hub.
E. Add NHRP redirects on the spoke.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 280
Refer to the exhibit. VPN load balancing provides a way to distribute remote access, IPsec, and SSL VPN
connections across multiple security appliances. Which remote access client types does the load
balancing feature support?

A. IPsec site-to-site tunnels
B. L2TP over IPsec
C. OpenVPN
D. Cisco AnyConnect Secure Mobility Client

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 281
Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)

A. sequence numbers that enable scalable replay checking
B. no requirement for an overlay routing protocol
C. design for use over public or private WAN
D. enabled use of ESP or AH
E. one IPsec SA for all encrypted traffic

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 282
Using Next Generation Encryption technologies, which is the minimum acceptable encryption level to
protect sensitive information?

A. AES 192 bits
B. AES 128 bits
C. AES 256 bits
D. AES 512 bits

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 283
An engineer is troubleshooting a DMVPN spoke router and sees a %CRYPTO-4-IKMP_BAD_MESSAGE
debug message that a spoke router "failed its sanity check or is malformed". Which issue does the error
message indicate?

A. mismatched preshared key
B. unsupported transform proposal
C. invalid IP packet SPI
D. incompatible transform set

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 284
A company has a FlexVPN solution for remote access and one of their Cisco AnyConnect remote clients
is having trouble connecting properly.
Which command verifies that packets are being encrypted and decrypted?

A. show crypto session active
B. show crypto ikev2 stats
C. show crypto ikev1 sa
D. show crypto ikev2 sa
E. show crypto session detail

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:

QUESTION 285
Refer to the exhibit. Which result of this command is true?

A. It makes the router generate a certificate signing request
B. It generates an RSA key called TRIALFOUR
C. It displays the RSA public keys of the router
D. It specifies self-signed enrollment for a trustpoint

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 286
An engineer is attempting to establish a new site-to-site VPN connection. The tunnel terminates on an ASA
5506-X which is behind an ASA 5515-X.
The engineer notices that the tunnel is not establishing. Which option is a potential cause?

A. Certificates were not configured
B. Diffie-Hellman group is not set
C. Access lists were not applied
D. NAT traversal is not configured

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 287
Which algorithm does ISAKMP use to securely derive encryption and integrity keys?

A. Diffie-Hellman
B. AES
C. ECDSA
D. RSA
E. 3DES

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Diffie-Hellman group determines the strength of the key-determination algorithm. The ASA uses this
algorithm to derive the encryption and hash keys.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/
vpn_ike.pdf

QUESTION 288
Which purpose of configuring Perfect Forward Secrecy is true?

A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 2 keys.
B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 1 keys.
C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 1 keys.
D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 2 keys.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 289
An engineer has successfully established a phase 1 tunnel, but notices that no packets are decrypted on
the head end side of the tunnel.
What is a potential cause for this issue?

A. different phase 2 encryption
B. misconfigured DH group
C. disabled PFS
D. firewall blocking Phase 2 ESP or AH

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 290
Which option describes traffic that will initiate a VPN connection?

A. trusted
B. external
C. internal
D. interesting

Correct Answer: D
Section: (none)
Explanation

QUESTION 291
A company wants to validate hosts before allowing them on the network via remote access VPN.
Which Dynamic Access Policies (DAP) method provides additional host level validation?

A. TACACS check
B. folder check
C. file check
D. hostname check
Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 292
Which option must be enabled to allow an SSLVPN which is configured for DTLS to fall back to TLS?

A. svc rekey method ssl
B. svc dpd-interval
C. svc profiles value
D. svc dtls enable

Correct Answer: B
Section: (none)
Explanation

QUESTION 293
Which two components are required for a Cisco IOS-based PKI solution? (Choose two)

A. FTP/HTTP server
B. certificate authority
C. RADIUS server
D. NTP

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 294
Which option is the main difference between GET VPN and DMVPN?

A. AES encryption support
B. dynamic spoke-to-spoke tunnel communications
C. Next Hop Resolution Protocol
D. Group Domain of Interpretation protocol

Correct Answer: B
Section: (none)
Explanation

QUESTION 295
An engineer is configuring SSL VPN to provide access to a corporate network for remote users.
Traffic destined to the enterprise IP range should go over the tunnel and all other traffic should go directly
to the internet.
Which feature should be configured?

A. dual-homing
B. hairpinning
C. split-tunnel
D. U-turning
Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 296
Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two)

A. to distribute dynamic routing information
B. to define and distribute security policies
C. to encrypt transit data
D. to authenticate group members
E. to distribute static routing information

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The key server is responsible for maintaining security policies, authenticating the GMs and providing the
session key for encrypting traffic. The KS authenticates the individual GMs at the time of registration. Only
after successful registration can the GMs participate in the group SA.
http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/
deployment_guide_c07_554713.html

QUESTION 297
Which command will allow a referenced ASA interface to become accessible across a site-to-site VPN?

A. access-list 101 extended permit icmp any any
B. crypto map vpn 10 match address 101
C. crypto map vpn interface inside
D. management-access <interface name>

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-
asa-00.html

QUESTION 298
Which two attributes can be matched from the identity of the remote peer when using IKEv2 Name
Manager? (Choose two)

A. fqdn
B. hostname
C. IP address
D. kerberos

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
QUESTION 299
Which option is one of the differences between FlexVPN and DMVPN?

A. FlexVPN uses IKEv2 and DMVPN can use IKEv1 or IKEv2
B. DMVPN can use IKEv1 and IKEv2 where FlexVPN only uses IKEv1
C. FlexVPN can use IKEv1 and IKEv2 where DMVPN uses only IKEv2
D. DMVPN uses IKEv1 and FlexVPN uses IKEv3

Correct Answer: A
Section: (none)
Explanation

QUESTION 300
From the CLI of a Cisco ASA 5520, which command shows specific information about current clientless
and Cisco AnyConnect SSL VPN users only?

A. show crypto ikev1 sa detail
B. show vpn-sessiondb remote
C. show vpn-sessiondb
D. show vpn-sessiondb detail

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 301
A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message:
"The AnyConnect package on the secure gateway could not be located. You may be experiencing network
connectivity issues. Please try connecting again." Which option is the likely cause of this issue?

A. The user's operating system is not supported with the ASA's current configuration.
B. The user's laptop clock is not synchronized with NTP.
C. The user is entering an incorrect password.
D. The Cisco ASA firewall has experienced a failure.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 302
A customer requires site-to-site VPNs to connect third-party business partners and has purchased two
ASAs.
The customer requests an active/active configuration.
Which model is needed to support an active/active solution?

A. NAT context
B. single context
C. multiple context
D. PAT context.
Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 303
An engineer is configuring IPsec VPN and wants to choose an authentication protocol that is reliable and
supports ACK and sequence.
Which protocol accomplishes this goal?

A. IKEv1
B. AES-192
C. ESP
D. AES-256

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 304
While attempting to establish a site-to-site VPN, the engineer notices that phase 1 of the VPN tunnel fails.
The engineer wants to run a capture to confirm that the outside interface is receiving phase 1 information
from the third-party peer address. Which command must be run on the ASA to verify this information?

A. capture capin interface outside match udp any eq 500 any eq 500
B. capture capin interface outside match gre any any
C. capture capin interface outside match udp any eq 123 any eq 123
D. capture capin interface outside match ipsec any any
E. capture capin interface outside match ah any any

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 305
An engineer is troubleshooting VPN connectivity issues between a PC and ASA using Cisco AnyConnect
IPsec IKEv2.
Which requirement must be satisfied for proper functioning?

A. The SAN must be used as the CN for the ASA-side certificates.
B. Profile and binary updates must be downloaded over IPsec.
C. The connection must use EAP-AnyConnect.
D. PC certificate must contain the server-auth EKU.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 306
A client has asked an engineer to assist in installing and upgrading to the latest version of Cisco
AnyConnect Secure Mobility Client.
Which type of deployment method requires the updated version of the client to be loaded only on the
headend device such as an ASA or ISE device?

A. web-update
B. pre-deploy
C. web-deploy
D. cloud-deploy
E. cloud-update

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 307
Why must a network engineer avoid usage of the default X509 certificate when implementing clientless
SSLVPN on an ASA?

A. The certificate is too weak to provide adequate security.
B. The certificate is regenerated at each reboot.
C. The certificate must be managed by the local CA.
D. The default X.509 certificate is not supported for SSLVPN.

Correct Answer: C
Section: (none)
Explanation

QUESTION 308
A company's remote locations connect to data centers via MPLS.
A new request requires that unicast traffic that exits the remote location be encrypted.
Which non-tunneled technology can be used to satisfy this requirement?

A. SSL
B. GET VPN
C. DMVPN
D. EzVPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 309
An engineer notices that while an employee is connected remotely, all traffic is being routed to the
corporate network.
Which split-tunnel policy allows a remote client to use their local provider for internet access when working
from home?

A. exclude specified.
B. tunnel all
C. No policy allows that type of configuration.
D. tunnel specified
Correct Answer: D
Section: (none)
Explanation

QUESTION 310
An Engineer must deploy a VPN solution to provide simple configuration, per-peer policy, cross-site
communication, and third party interoperability. Which VPN technology is best to accommodate this
requirement?

A. DMVPN
B. FlexVPN
C. GETVPN
D. IPsec

Correct Answer: B
Section: (none)
Explanation

QUESTION 311
An Engineer wants to ensure that operating system and service packs on a remote device with a Cisco
clientless SSL VPN are identified. Which feature must be used?

A. keystroke logger detection
B. host emulation detection
C. host scan
D. cache cleaner

Correct Answer: C
Section: (none)
Explanation

QUESTION 312
What advantage does elliptic curve cryptography have over RSA cryptography?

A. ECC has wider industry adoption
B. ECC compresses the enciphered data
C. ECC utilizes symmetric encryption for greater performance
D. ECC provides greater security with a smaller key size

Correct Answer: D
Section: (none)
Explanation

QUESTION 313
An engineer must set up DMVPN Phase 2 with EIGRP to ensure spoke-to-spoke communication. Which two
EIGRP features must be disabled? (Choose two.)

A. stub routing
B. split horizon
C. route redistribution
D. auto-summary
E. next-hop self

Correct Answer: BE
Section: (none)
Explanation

QUESTION 314
Which command does a network engineer type on both spoke routers to check for unidirectional traffic
within the VPN tunnel?

A. show crypto ipsec summary
B. show eigrp neighbors
C. show crypto isakmp sa detail
D. show crypto ipsec sa peer

Correct Answer: D
Section: (none)
Explanation

QUESTION 315
Refer to the exhibit. An engineer must implement DMVPN phase 2 and was provided with this configuration
by the senior engineer as a template. Which two conclusions can be made from the configuration? (Choose
two.)

interface Tunnel10
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 150
no ip split-horizon eigrp 100
no ip next-hop-self eigrp 100
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

A. EIGRP is used as the dynamic routing protocol
B. spoke-to-spoke communication is allowed
C. EIGRP route redistribution is not allowed
D. EIGRP neighbor adjacency will fail
E. next-hop-self is required

Correct Answer: AB
Section: (none)
Explanation
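Questions 267, 279, 313 and 315 all turn on the same tunnel-interface lines, so here is an added Python example (not from the original dump) that parses a DMVPN tunnel interface configuration the way a practitioner would when auditing a template: it determines hub or spoke role, phase 2 versus phase 3 (ip nhrp redirect on the hub, ip nhrp shortcut on the spoke), the EIGRP AS, and which EIGRP setting still blocks spoke-to-spoke routing. The first sample is a copy of the Q315 template; the phase 3 spoke and its hub NBMA address 203.0.113.1 are constructed for the example.

```python
# Added example: audit a DMVPN tunnel interface for phase and spoke-to-spoke readiness.
import re

# Copy of the Q315 template (a hub: it has no "ip nhrp nhs" line). Sample input only.
PHASE2_HUB = """\
interface Tunnel10
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 150
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
"""

# Constructed Phase 3 spoke; 203.0.113.1 is a made-up hub NBMA address (documentation range).
PHASE3_SPOKE = """\
interface Tunnel10
 ip address 172.16.1.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 172.16.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 150
 ip nhrp nhs 172.16.1.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile cisco
"""

# The same hub with split horizon left enabled: the Q267 symptom (spokes see only the hub route).
BROKEN_HUB = PHASE2_HUB.replace(" no ip split-horizon eigrp 100\n", "")


def analyze_tunnel(config):
    """Classify one DMVPN tunnel interface config and list what blocks spoke-to-spoke traffic."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    def has(prefix):
        return any(l == prefix or l.startswith(prefix + " ") for l in lines)

    role = "spoke" if has("ip nhrp nhs") else "hub"     # only spokes register with an NHS
    mgre = has("tunnel mode gre multipoint")
    redirect, shortcut = has("ip nhrp redirect"), has("ip nhrp shortcut")
    eigrp = re.search(r"\b(?:split-horizon|next-hop-self) eigrp (\d+)", config)
    eigrp_as = int(eigrp.group(1)) if eigrp else None
    no_split_horizon = has("no ip split-horizon eigrp")
    no_next_hop_self = has("no ip next-hop-self eigrp")

    if (role == "hub" and redirect) or (role == "spoke" and shortcut):
        phase = 3           # NHRP redirect/shortcut is what distinguishes Phase 3
    elif mgre:
        phase = 2           # mGRE on the spoke, no shortcut switching yet
    else:
        phase = 1           # point-to-point GRE: hub-and-spoke only

    issues = []
    if not has("tunnel protection ipsec profile"):
        issues.append("no IPsec profile: GRE is sent in clear")
    if role == "hub":
        if not mgre:
            issues.append("hub needs 'tunnel mode gre multipoint'")
        if eigrp_as is not None and not no_split_horizon:
            issues.append("EIGRP split horizon still on: spokes learn only the hub route")
        if phase == 2 and eigrp_as is not None and not no_next_hop_self:
            issues.append("EIGRP next-hop-self still on: spokes see the hub as next hop")
    elif phase >= 2 and not mgre:
        issues.append("spoke needs 'tunnel mode gre multipoint' for spoke-to-spoke tunnels")

    return {
        "role": role,
        "phase": phase,
        "eigrp_as": eigrp_as,
        "spoke_to_spoke": mgre and not issues,
        "issues": issues,
        # Q279: Phase 3 adds redirect on the hub and shortcut on the spoke.
        "to_phase3": [] if phase == 3 else
                     (["ip nhrp redirect"] if role == "hub" else ["ip nhrp shortcut"]),
    }


if __name__ == "__main__":
    for name, cfg in (("hub", PHASE2_HUB), ("spoke", PHASE3_SPOKE), ("broken hub", BROKEN_HUB)):
        print(name, analyze_tunnel(cfg))
```

In Phase 3 the hub may keep next-hop-self enabled (and even summarise), because the spoke learns the real next hop from the NHRP redirect and shortcut rather than from the EIGRP update; the analyzer therefore only flags next-hop-self on a Phase 2 hub.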

QUESTION 316
An engineer is troubleshooting IPsec VPN and wants to show each phase2 SA build as well as the amount
of traffic sent. Which command accomplishes that goal?

A. show crypto esp sa
B. show crypto isakmp sa
C. show crypto engine connection active
D. show crypto ipsec sa

Correct Answer: D
Section: (none)
Explanation
QUESTION 317
An engineer is troubleshooting IPsec VPN and wants to check the inbound and outbound data plane
security association built between peers. Which command must be run?

A. show crypto esp sa
B. show crypto isakmp sa
C. show crypto ipsec sa
D. show crypto ike sa

Correct Answer: C
Section: (none)
Explanation
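For questions 314, 316 and 317, here is an added Python example (not from the original dump) that parses the per-peer counters of show crypto ipsec sa and flags unidirectional traffic: encaps climbing while decaps stays at zero means this side is encrypting and sending but nothing valid comes back, the classic symptom of ESP being blocked in transit (compare question 289). The sample output is constructed and trimmed to the lines the parser uses; peer addresses and SPIs are made up.

```python
# Added example: spot one-way traffic in "show crypto ipsec sa" counters.
import re

# Constructed sample (documentation addresses, made-up SPIs), trimmed to the
# lines this parser needs; not real device output.
SAMPLE_OUTPUT = """\
interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.2/255.255.255.255/47/0)
   current_peer 198.51.100.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
        Status: ACTIVE

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.3/255.255.255.255/47/0)
   current_peer 198.51.100.3 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4410, #pkts encrypt: 4410, #pkts digest: 4410
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x7C01D3E4(2080494564)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x2F8A1B60(797580128)
        Status: ACTIVE
"""

PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")


def parse_ipsec_sa(output):
    """Return one dict per peer block of 'show crypto ipsec sa' output."""
    peers = []
    # Every peer block begins at its "protected vrf:" line; the header before it has no peer.
    for block in re.split(r"\n(?=\s*protected vrf:)", output):
        m = PEER_RE.search(block)
        if not m:
            continue

        def count(name):
            return int(re.search(rf"#pkts {name}: (\d+)", block).group(1))

        send_err, recv_err = re.search(r"#send errors (\d+), #recv errors (\d+)", block).groups()
        peers.append({
            "peer": m.group(1),
            "port": int(m.group(2)),            # 4500 means NAT-T is in use
            "encaps": count("encaps"),          # packets this side encrypted and sent
            "decaps": count("decaps"),          # packets this side received and decrypted
            "send_errors": int(send_err),
            "recv_errors": int(recv_err),
            "inbound_sa": re.search(r"inbound esp sas:\s*spi:", block) is not None,
            "outbound_sa": re.search(r"outbound esp sas:\s*spi:", block) is not None,
        })
    return peers


def diagnose(peer):
    """Verdict for one peer from its data plane counters."""
    if not (peer["inbound_sa"] and peer["outbound_sa"]):
        return "no-sa-pair"             # phase 2 never completed or has expired
    if peer["encaps"] and peer["decaps"]:
        return "bidirectional"
    if peer["encaps"]:
        return "no-return-traffic"      # we send, nothing valid arrives back
    if peer["decaps"]:
        return "no-outbound-traffic"    # peer sends, we never match interesting traffic
    return "idle"


def report(output):
    """Map each peer address to its verdict."""
    return {p["peer"]: diagnose(p) for p in parse_ipsec_sa(output)}


if __name__ == "__main__":
    for peer, verdict in report(SAMPLE_OUTPUT).items():
        print(f"{peer:16} {verdict}")
```

Run the same command on the far peer: if it shows encaps for this SA while this side shows decaps 0, the ESP packets are being lost between the two (a firewall or NAT device in the path), not rejected by the peer.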

QUESTION 318
During an SSL session between a client and a server, which is responsible for generating the master key
that generates the symmetric keys that are used during the session?

A. public key infrastructure
B. client browser
C. web server
D. cipher suite

Correct Answer: B
Section: (none)
Explanation

QUESTION 319
An engineer is troubleshooting IPsec VPN and wants to review the IKE connectivity status between peers.
Which IKE status indicates that all is running properly?

A. AG_AUTH
B. QM_IDLE
C. MM_SA_SETUP
D. AC_INT_EXCH

Correct Answer: B
Section: (none)
Explanation

QUESTION 320
An engineer is configuring clientless VPN. The finance department has a database server that only they
should access but the sales department can currently access it. The finance and the sales department are
configured as separate group-policies. Which option must be added to the configuration to make sure the
users in the sales department cannot access the finance department server?

A. tunnel group lock
B. port forwarding
C. VPN filter ACL
D. webtype ACL

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 321
Which two options are features of Cisco GET VPN? (Choose two.)

A. uses public internet
B. uses mGRE
C. provides point-to-point IPsec SA
D. provides encryption for MPLS
E. allows for optimal routing

Correct Answer: DE
Section: (none)
Explanation

QUESTION 322
Which header is used when a data plane IPsec packet is created?

A. IKEv1
B. AES
C. SHA
D. ESP

Correct Answer: D
Section: (none)
Explanation

QUESTION 323
Which access list is used in a typical IPsec VPN configuration?

A. ACL to define policy based routing
B. ACL for routing policy neighbors across the tunnel
C. ACL to NAT traffic across the VPN tunnel
D. ACL to define what traffic to exempt from NAT

Correct Answer: D
Section: (none)
Explanation

QUESTION 324
Which two options are benefits of IKEv2 over IKEv1? (Choose two.)

A. IKEv2 supports NAT traversal whereas IKEv1 cannot
B. IKEv2 supports EAP for remote access connections
C. IKEv2 supports sending identifiers in clear text
D. IKEv2 supports stronger encryption ciphers than IKEv1
E. IKEv2 supports public key encryption whereas IKEv1 does not

Correct Answer: BC
Section: (none)
Explanation

QUESTION 325
Dynamic access policies can support several posture assessment methods to collect endpoint security
attributes. From which operating system does an endpoint collect information?

A. CISCO NAC
B. Advanced Endpoint Assessment
C. Host Scan
D. CISCO Secure Desktop

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 326
Refer to the Exhibit. Which technology is being used?

crypto map mapcisco 10 ipsec-isakmp
 set peer 10.234.8.1
 set transform-set setcisco
 match address 100
!
interface Ethernet1
 ip address 10.180.0.1 255.255.255.0
 crypto map mapcisco
!

A. DMVPN
B. GET VPN
C. IPsec
D. FlexVPN

Correct Answer: C
Section: (none)
Explanation

QUESTION 327
Which parameter in IPsec VPN tunnel configurations is optional?

A. lifetime
B. Perfect Forward Secrecy
C. encryption
D. hash

Correct Answer: B
Section: (none)
Explanation

QUESTION 328
An engineer is troubleshooting DMVPN and has entered the show crypto isakmp sa command. What can
be verified with the output of this command?

A. NHRP registration is complete
B. the mGRE tunnel key matches the remote peer
C. per-tunnel QoS policies have been applied
D. IKE connectivity to branch offices has been established
Correct Answer: D
Section: (none)
Explanation

QUESTION 329
A Cisco AnyConnect client establishes an SSL VPN connection with an ASA at the corporate office. The
client has not established an SSL VPN connection in some time. An engineer wants to make sure the client
computer meets the enterprise security policy. Which feature can update a client to meet an enterprise
security policy?

A. FirePOWER Advanced Malware Protection
B. Endpoint Assessment
C. Basic Host Scan
D. Advanced Endpoint Assessment

Correct Answer: D
Section: (none)
Explanation

QUESTION 330
Which two statements about Internet Key Exchange version 1 are true? (Choose two.)

A. Aggressive mode negotiates faster than main mode.
B. When using aggressive mode, perfect forward secrecy is required.
C. When using aggressive mode, the initiator and responder identities are passed in clear text.
D. Main mode negotiates faster than aggressive mode.
E. When using main mode, the initiator and responder identities are passed in clear text.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 331
Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)

A. one IPsec SA for all encrypted traffic
B. no requirement for an overlay routing protocol
C. design for use over public or private WAN
D. sequence numbers that enable scalable replay checking
E. enabled use of ESP or AH
F. preservation of IP protocol in outer header

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 332
Which command configures IKEv2 symmetric identity authentication?

A. match identity remote address 0.0.0.0
B. authentication local pre-share
C. authentication pre-share
D. authentication remote rsa-sig

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 333
Which command clears all Cisco AnyConnect VPN sessions on a Cisco ASA?

A. vpn-sessiondb logoff anyconnect
B. vpn-sessiondb logoff webvpn
C. clear crypto isakmp sa
D. vpn-sessiondb logoff l2l

Correct Answer: A
Section: (none)
Explanation

QUESTION 334
The following configuration steps have been completed: WebVPN was enabled on the ASA outside
interface, SSL VPN client software was loaded to the ASA, and a DHCP scope was configured and applied
to a WebVPN tunnel group. What additional step is required if the client software fails to load when
connecting to the ASA SSL page?

A. The SSL client must be loaded to the client by an ASA administrator
B. The SSL client must be downloaded to the client via FTP
C. The SSL VPN client must be enabled on the ASA after loading
D. The SSL client must be enabled on the client machine before loading

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70511-
sslvpnclient-asa.html#step2
From the document above, under the link "Step 2. Install and Enable the SSL VPN Client on the ASA",
starting with Step 5, it says to enable the "SSL VPN Client" after uploading the image.
This is very true because I forgot to do this one time after loading a new version of AnyConnect and the
client failed to load.

QUESTION 337
A customer has two ASAs configured in high availability and is experiencing connection drops that require
re-establishment each time failover occurs.
Which type of failover has been implemented?

A. Stateless
B. routed
C. transparent
D. stateful

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/
ha_overview.html#wp1078922
Stateless (Regular) Failover
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when
the new active unit takes over.
Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state information to
the standby unit. After a failover occurs, the same connection information is available at the new active
unit. Supported end-user applications are not required to reconnect to keep the same communication
session.

QUESTION 338
In a new DMVPN deployment, phase 1 completes successfully. However, phase 2 experiences issues.
Which troubleshooting step is valid in this situation?

A. Temporarily remove encryption to check if the GRE tunnel is working.
B. Verify IP routing between the external IPs of the two peers is correct.
C. Remove NHRP configuration and reset the tunnels.
D. Ensure that the nodes use the same authentication method.

Correct Answer: A
Section: (none)
Explanation
QUESTION 339
An engineer is configuring clientless SSL VPN. The finance department has a database server that only
they should access, but the sales department can currently access it. The finance and the sales
departments are configured as separate group-policies. Which option must be added to the configuration
to make sure the users in the sales department cannot access the finance department server?

A. Webtype ACL
B. Port forwarding
C. Tunnel group lock
D. VPN filter ACL

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 340
Refer to the Exhibit. All internal clients behind the ASA are port address translated to the public outside
interface, which has an IP address of 3.3.3.3. Client 1 and Client 2 have established successful SSL VPN
connections to the ASA. However, when either client performs a browser search on their IP address, it
shows up as 3.3.3.3.

Why is this happening when both clients have a direct connection to the local internet service provider?

A. Same-security-traffic permit inter-interface has not been configured.
B. Tunnel All Networks is configured under Group Policy.
C. Exclude Network List Below is configured under Group Policy.
D. Tunnel Network List Below is configured under Group Policy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 341
Refer to the Exhibit. Users at each end of this VPN tunnel cannot communicate with each other. Which
cause of this behavior is true?
A. The Diffie-Hellman groups configured are different
B. The pre shared key does not match.
C. Phase 1 is not completed and troubleshooting is required.
D. The issue occurs in phase 2 of the tunnel.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 342
An engineer is defining ECC variables and has set the input_mode set to B. Which statement is true?

A. DTMF voice is accepted
B. Get Digits are written to the CED
C. Mixed mode input is not accepted
D. An ASR is not being used

Correct Answer: A
Section: (none)
Explanation

QUESTION 343
Refer to the Exhibit. An engineer must implement DMVPN phase 2. Which two conclusions can be made
from the configuration? (Choose two.)

A. Spoke-to-spoke communication is allowed.
B. Next-hop-self is required.
C. EIGRP neighbor adjacency will fail.
D. EIGRP route redistribution is not allowed
E. EIGRP is used as the dynamic routing protocol.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 344
An engineer wants to ensure that Diffie-Hellman keys are regenerated upon a phase-2 rekey. Which option
can be configured to allow this?

A. Aggressive mode
B. Dead-peer detection
C. Main mode
D. Perfect-forward secrecy

Correct Answer: D
Section: (none)
Explanation

QUESTION 345
Which two options are features of Cisco GET VPN? (Choose two.)

A. Allows for optimal routing
B. provides point-to-point IPsec SA
C. Provides encryption for MPLS
D. uses public Internet
E. uses mGRE

Correct Answer: AC
Section: (none)
Explanation

QUESTION 346
Refer to the Exhibit. Which statement about this output is true?
A. Identity between endpoints is verified using a certificate authority
B. The tunnel is not functional because NAT-T is not configured.
C. This router has sent the first packet to establish the Flex VPN tunnel
D. The remote device encrypts IKEv2 packets using key "282FE"0B3B5C99A2B".

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 347
Refer to the Exhibit. A network security engineer is troubleshooting intermittent connectivity issues across
a tunnel. Based on the output from the show crypto ipsec sa command, which cause is most likely?
A. ISAKMP and/or IPsec may be bouncing up and down.
B. The security association lifetimes are set to default values.
C. Return traffic is not coming back from the other end of the tunnel.
D. Traffic may flow in only one direction across this tunnel.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 348
Refer to the Exhibit. Which statement is accurate based on this configuration?
A. Spoke 1 fails the authentication because the authentication methods are incorrect.
B. Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2.
C. Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2.
D. Spoke 2 fails the authentication because the remote authentication method is incorrect.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 349
A customer requests a VPN solution to support multicast traffic and connectivity with non-Cisco devices.
What VPN solution would meet the customer requirements?

A. GET VPN
B. EZ VPN
C. Flex VPN
D. L2L VPN

Correct Answer: C
Section: (none)
Explanation
QUESTION 350
Refer to the Exhibit. Which description of the status of this VPN tunnel is true?

A. The pre-shared key in phase 1 is mismatched between tunnel endpoints
B. The phase 1 is complete, phase 2 status is unknown
C. The integrity algorithm does not match between the two endpoints.
D. The tunnel is up and waiting for traffic to flow across it

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 351
Which two options are benefits of AES compared to 3DES? (Choose two.)

A. switches encryption keys every 32 GB of data transfer
B. faster encryption
C. shorter encryption keys
D. longer encryption block length
E. repeating encryption keys

Correct Answer: BD
Section: (none)
Explanation

QUESTION 352
A client has asked an engineer to assist in installing and upgrading to the latest version of the Cisco
AnyConnect Secure Mobility Client. Which type of deployment method requires the updated version of the
client to be loaded only on the headend device, such as an ASA or ISE device?

A. Web-deploy
B. Cloud-deploy
C. Cloud-update
D. Web-update

Correct Answer: A
Section: (none)
Explanation

QUESTION 353
A customer requires site-to-site VPNs to connect to third-party business partners and has purchased two
ASAs. The customer requests an active/active configuration. Which mode is needed to support an active/
active solution?

A. single context
B. NAT context
C. PAT context
D. multiple context

Correct Answer: D
Section: (none)
Explanation

QUESTION 354
An engineer is troubleshooting VPN connectivity issues between a PC and ASA using Cisco AnyConnect
IPsec IKEv2. Which requirement must be satisfied for proper functioning?

A. PC certificate must contain the server-auth EKU.
B. The connection must use EAP-AnyConnect.
C. The SAN must be used as the CN for the ASA-side certificates.
D. Profile and binary updates must be downloaded over IPsec.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 355
An engineer is configuring an IP VPN with IKEv2. Which two components are part of the IKEv2 proposal
for this implementation? (Choose two.)

A. Key ring
B. Encryption
C. Tunnel mode
D. Peer name
E. integrity

Correct Answer: BE
Section: (none)
Explanation

QUESTION 356
An engineer is using DMVPN to provide secure connectivity between a data center and remote sites.
Which two routing protocols are recommended for use between the routers? (Choose two.)

A. EIGRP
B. IS-IS
C. RIPv2
D. BGP
E. OSPF

Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:

QUESTION 357
In a FlexVPN deployment, the spokes are successfully connecting to the hub. However, spoke-to-spoke
tunnels do not form. Which troubleshooting step is valid for this issue?

A. Verify the spoke configuration to check if the NHRP redirect is enabled.
B. Verify the hub configuration to check if the NHRP shortcut is enabled.
C. Verify the tunnel interface is contained within a VRF.
D. Verify the spoke receives redirect messages and sends resolution requests.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 358
An engineer is troubleshooting network issues and wants to check the Layer 2 connectivity between
routers. Which command must be run?

A. show ip eigrp neighbors
B. show cdp neighbor
C. show crypto isakmp sa
D. show crypto ipsec sa

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 359
Which option is an advantage of using elliptic curve cryptography?

A. Efficiency of operation
B. Ease of implementation
C. symmetrical key exchange
D. resistance to quantum attacks.

Correct Answer: A
Section: (none)
Explanation

QUESTION 360
A company has acquired a competitor whose network infrastructure uses only IPv6. An engineer must
configure VPN access sourced from the new company. Which remote access VPN solution must be used?

A. GET VPN
B. AnyConnect
C. EzVPN
D. DMVPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 361
Which method correctly sends OSPF routing updates over a site-to-site IPsec tunnel?

A. Set the network type for the inside interface to nonbroadcast mode, and add the remote end as an
OSPF neighbor.
B. Set the network type for the outside interface to broadcast mode, and add the headend device as an
OSPF neighbor.
C. Set the network type for the DMZ interface to nonbroadcast mode, and add the headend as an OSPF
neighbor.
D. Set the network type for the outside interface to nonbroadcast mode, and add the remote end as an
OSPF neighbor.

Correct Answer: D
Section: (none)
Explanation

QUESTION 362
Which access lists are used in a typical IPsec VPN configuration?

A. ACL to NAT traffic across the VPN tunnel
B. ACL to define policy based routing
C. ACL to define what traffic to exempt from NAT
D. ACL for routing neighbors across the tunnel

Correct Answer: C
Section: (none)
Explanation

QUESTION 363
Which two parameters are specified in the isakmp (IKEv1) policy? (Choose two.)

A. the peer
B. the hashing algorithm
C. the session key
D. the authentication method
E. the transform-set

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 364
An engineer is assisting in the continued implementation of a VPN solution and discovers an NHRP server
configuration. Which type of VPN solution has been implemented?

A. DMVPN
B. IPsec VPN
C. SSL VPN
D. GET VPN

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 365
Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two.)

A. to distribute static routing information
B. to authenticate group members
C. to define and distribute security policies
D. to distribute dynamic routing information
E. to encrypt transit data traffic.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The key server is responsible for maintaining security policies, authenticating the GMs and providing the
session key for encrypting traffic. The KS authenticates the individual GMs at the time of registration. Only
after successful registration can the GMs participate in the group SA.
http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

QUESTION 366
Refer to the Exhibit. Why is the tunnel not establishing?

A. Lifetimes are misconfigured.
B. ISAKMP packets are blocked.
C. NAT statements are missing.
D. GRE is not working correctly.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 367
An engineer is configuring SSL VPN for remote access. A real-time application that is sensitive to packet
delays will be used. Which feature should the engineer confirm is enabled to avoid latency and bandwidth
problems associated with SSL connections?

A. DTLS
B. DPD
C. SVC
D. IKEv2

Correct Answer: A
Section: (none)
Explanation

QUESTION 368
Which two operational advantages does GET VPN offer over site-to-site IPsec tunnels in a private MPLS-
based core network? (Choose two.)

A. Packets carry original source and destination IP addresses, which allows for optimal routing of
encrypted traffic.
B. Group Domain of Interpretation protocol allows for homomorphic encryption, which allows group
members to operate on messages without decrypting them.
C. GET VPN is tunnel-less, which allows any group member to perform decryption and routing around
network failures.
D. Key servers perform encryption and decryption of all the data in the network, which allows for tight
security policies
E. Traffic uses one VRF to encrypt data and a different one to decrypt data, which allows for multicast
traffic isolation

Correct Answer: AC
Section: (none)
Explanation

QUESTION 369
Which must be configured for a Cisco AnyConnect client to determine the trustworthiness of a wireless
network?

A. Trusted network detection
B. allow local proxy connections
C. start before login
D. allow VPN disconnect

Correct Answer: A
Section: (none)
Explanation
QUESTION 370
An engineer is troubleshooting DMVPN and wants to check if traffic flows in only one direction. Which
command should be run?

A. show crypto ipsec sa
B. show crypto ikev2 sa
C. show crypto isakmp sa
D. show crypto engine accelerator statistics

Correct Answer: A
Section: (none)
Explanation

QUESTION 371
A network administrator has deployed Cisco AnyConnect Secure Mobility Client to each member of the
sales force. Which option is the verification method for this deployment?

A. RADIUS server
B. AAA authentication
C. NT domain
D. RSA SDI

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 372
When you configure an access list on the external interface of a FlexVPN hub, which step is optional?

A. allowing ICMP protocol
B. allowing IP Protocol 50
C. allowing UDP port 500
D. allowing UDP port 4500

Correct Answer: A
Section: (none)
Explanation

QUESTION 373
A network engineer is troubleshooting a VPN tunnel configured on an ASA and has found that Phase 1 is
not completing. Which configuration parameter must match for the IKE Phase 1 tunnel to get successfully
negotiated?

A. SA lifetime
B. transform-set
C. DH group
D. idle timeout

Correct Answer: C
Section: (none)
Explanation

QUESTION 374
An engineer is configuring an IKEv1 tunnel. Which two Diffie-Hellman group values can be used for this
implementation? (Choose two.)

A. 2
B. 5
C. 10
D. 14
E. 19

Correct Answer: AB
Section: (none)
Explanation

QUESTION 375
A Cisco AnyConnect VPN user receives this message every 30 minutes: "Secure VPN connection
terminated locally by the client. Reason 428: Maximum connection Lifetime Exceeded". Which configuration
change on the ASA addresses this issue?

A. ASA(config)# clear crypto isakmp sa
B. ASA(config)# clear crypto ipsec sa
C. ASA(config)# isakmp policy 1 lifetime 1800
D. ASA(config)# isakmp policy 1 lifetime 0

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 376
An engineer is troubleshooting an IPsec site-to-site tunnel and verifies that the tunnel status is
MM_WAIT_MSG6. What can be determined from this message?

A. The encryption policy has not been confirmed by the initiator
B. The encryption policy has not been confirmed by the responder
C. The PSK has not been confirmed by the initiator
D. The PSK has not been confirmed by the responder

Correct Answer: C
Section: (none)
Explanation

QUESTION 377
What encryption algorithm does Cisco recommend that you avoid?

A. HMAC-SHA1
B. HMAC-MD5
C. AES-CBC
D. DES

Correct Answer: D
Section: (none)
Explanation

QUESTION 378
What does DART stand for?
A. Device and report tool
B. Diagnostic Anyconnect Reporting Tool
C. Delivery and Reporting Tool
D. Diagnostics and Reporting Tool

Correct Answer: D
Section: (none)
Explanation

QUESTION 379
Which two NHRP functions are specific to DMVPN Phase 3 implementation? (Choose two.)

A. resolution reply
B. redirect
C. resolution request
D. registration reply
E. registration request

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 380
An engineer must configure GET VPN to transit the network between corporate offices. Which two options
are advantages of choosing GET VPN over EzVPN? (Choose two.)

A. GET VPN is a highly scalable any-to-any mesh topology
B. GET VPN has QoS support
C. GET VPN has unique session keys for improved security
D. GET VPN supports multicast
E. GET VPN supports a hub-and-spoke topology

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 381
What are two benefits of using DTLS when implementing a Cisco AnyConnect SSL VPN on a Cisco ASA
or router? (Choose two.)

A. has enhanced dead peer detection
B. Provides latency avoidance
C. establishes two simultaneous tunnels
D. provides greater security and integrity of the tunnel
E. uses TLS Only for the tunnel

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:

QUESTION 383
An engineer must set up a site-to-site VPN with an any-to-any topology that provides secure routing across
the backbone. Which VPN technology allows a shared IPsec SA to be used?

A. FlexVPN
B. IPSEC VPN
C. GET VPN
D. DMVPN

Correct Answer: C
Section: (none)
Explanation

QUESTION 384
Mobile workforce clients are using Cisco AnyConnect for remote access to the corporate network. In an
attempt to save bandwidth on the Internet circuit, those working remotely are permitted to use their local
connectivity for Internet use while still connected to the corporate network. Which feature allows distinct
destinations to be encrypted on the remote client?

A. DART
B. Split Tunneling
C. NAT Exempt
D. Kerberos

Correct Answer: B
Section: (none)
Explanation

QUESTION 385
What is the name of the transform set being used on the ISR?

A. Default
B. ESP-AES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS
D. TSET

Correct Answer: B
Section: (none)
Explanation

QUESTION 386
Which two components are required for a Cisco IOS-based PKI solution? (Choose two.)

A. preshared key
B. NTP
C. RADIUS server
D. certificate authority
E. FT/HTTP server

Correct Answer: AD
Section: (none)
Explanation

QUESTION 387
An engineer is configuring high availability for crypto-map-based site-to-site VPNs on Cisco devices.
Which protocol must be used?

A. VRRP
B. BFD
C. ESP
D. HSRP

Correct Answer: D
Section: (none)
Explanation

QUESTION 388
Which cryptographic algorithm is used for data integrity?

A. SHA-256
B. ECDH-384
C. ECDSA-256
D. RSA-3072

Correct Answer: A
Section: (none)
Explanation

QUESTION 389
An engineer is configuring a site-to-site VPN tunnel. Which two IKEv1 parameters must match on both
peers? (Choose two.)

A. encryption algorithm
B. access lists
C. encryption domains
D. QoS
E. hashing method

Correct Answer: AE
Section: (none)
Explanation
QUESTION 390
A network engineer is troubleshooting a VPN configured on an ASA and has found Phase 1 is not
completing. Which configured parameter must match for the IKE Phase 1 tunnel to get successfully
negotiated?

A. SA lifetime
B. idle timeout
C. transform-set
D. DH group

Correct Answer: D
Section: (none)
Explanation

QUESTION 391
An engineer must set up a site-to-site VPN implementation with an any-to-any topology that provides
secure routing across the router backbone. Which VPN technology allows a shared IPsec SA to be used?

A. FlexVPN
B. IPsec VPN
C. GET VPN
D. DMVPN

Correct Answer: C
Section: (none)
Explanation

QUESTION 392
An engineer must configure GET VPN to traverse the network between corporate offices. Which two
options are key advantages to choosing GET VPN over EzVPN? (Choose two.)

A. GET VPN has unique session keys for improved security.
B. GET VPN supports multicast.
C. GET VPN supports a hub-and-spoke topology.
D. GET VPN has QoS support.
E. GET VPN is a highly scalable any-to-any mesh topology.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 393
What does DART stand for?

A. Device and Report Tool
B. Diagnostic AnyConnect Reporting Tool
C. Diagnostics and Reporting Tool
D. Delivery and Reporting Tool

Correct Answer: C
Section: (none)
Explanation
QUESTION 394
When you configure an access list on the external interface of a FlexVPN hub, which step is optional?

A. allowing IP protocol 50
B. allowing ICMP protocol
C. allowing UDP port 500
D. allowing UDP port 4500

Correct Answer: B
Section: (none)
Explanation

QUESTION 395
Within a PKI system, which option is a trusted entity?

A. registration authority
B. root certificate
C. certificate authority
D. RSA authentication server

Correct Answer: C
Section: (none)
Explanation

QUESTION 396
What are two features of Cisco GET VPN? (Choose two.)

A. allows for optimal routing
B. uses public Internet
C. provides encryption for MPLS
D. provides point-to-point IPsec SA
E. uses MGRE

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 397
A Cisco AnyConnect VPN user receives this message every 30 minutes:
Secure VPN Connection terminated locally by the Client. Reason 426: Maximum Configured Lifetime
Exceeded
Which configuration changes on the ASA firewall address this issue?

A. ASA(config)# clear crypto isakmp sa
B. ASA(config)# clear crypto ipsec sa
C. ASA(config)# isakmp policy 1 lifetime 1800
D. ASA(config)# isakmp policy 1 lifetime 0

Correct Answer: D
Section: (none)
Explanation
QUESTION 398
Which VPN technology is preferred to reduce latency and provide encryption over MPLS without the use of
a central hub?

A. DMVPN
B. IPsec
C. FlexVPN
D. GET VPN

Correct Answer: D
Section: (none)
Explanation

QUESTION 399
Which option is a benefit of ECC as compared to public key cryptography?

A. improves security by using a large key size
B. increases speed by using many algorithm methods
C. increases speed by using a small key
D. improves security by using many keys

Correct Answer: C
Section: (none)
Explanation

QUESTION 400
What are two benefits of SSL VPN versus IPSec VPN when considering a remote-access VPN
technology? (Choose two.)

A. It is accessible via web browser.
B. It leverages existing network infrastructure.
C. It minimizes desktop support.
D. It allows for increased client customization.
E. It works in environments that are heavily filtered.

Correct Answer: AD
Section: (none)
Explanation

QUESTION 401
What represents a possible network configuration issue in clientless SSL VPN deployments?

A. The AnyConnect version is not up to date.
B. The VPN IP pool is exhausted.
C. The SSL server public certificate is untrusted.
D. NAT exemption has not been configured.

Correct Answer: C
Section: (none)
Explanation

QUESTION 402
Which statement about the local and remote methods in an IKEv2 authentication exchange is true?
A. They must be different.
B. They must be the same.
C. They may be the same or different.
D. There must be one local and two remote methods.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 403
An engineer must set up a site-to-site VPN implementation with an any-to-any topology that provides
secure routing across the router backbone. Which VPN technology allows a shared IPSec SA to be used?

A. GET VPN
B. FlexVPN
C. IPsec VPN
D. DMVPN

Correct Answer: A
Section: (none)
Explanation

QUESTION 404
Refer to the exhibit. Which action must be taken before adding users to the local certificate authority server
database?

A. Enable the CA server.
B. Configure the Server Name/IP Address.
C. Set and confirm a passphrase.
D. Set the CA Server key size.
Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 405
An engineer has deployed a Cisco IOS crypto-map-based VPN and wants to ensure that state information
is shared in an HA group. Which high availability technology must be used?

A. GLBP
B. VRRP
C. IRRP
D. HSRP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 406
Which option is a benefit of DTLS as compared to TLS?

A. increases reliability
B. increases performance
C. controls packet loss
D. controls packet order

Correct Answer: B
Section: (none)
Explanation

QUESTION 407
Refer to the exhibit. An engineer has configured two new VPN tunnels to 172.18.1.1 and 172.19.1.1.
However, communication between 10.1.0.10 and 10.1.11.10 does not function.
What is the reason?
A. NAT-T is disabled
B. The remote peer 172.17.1.1 doesn't support AES256
C. overlapping crypto ACL
D. invalid route

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 408
You are designing a remote VPN solution that will use the Cisco AnyConnect client. By default, which type
of traffic should you enable on the perimeter firewall to allow users to initiate sessions from the LAN to an
external Cisco ASA?
A. TCP port 443 in TLS mode
B. UDP port 848 in DTLS mode
C. UDP ports 500 and 4500
D. TCP port 8443 in DTLS mode

Correct Answer: A
Section: (none)
Explanation

QUESTION 409
A network engineer testing a clientless VPN connection on a local workstation sees the "Clientless
(browser) SSL VPN access is not allowed." message in the web browser. Which command remediates the
problem?

A. vpn-tunnel-protocol ssl-clientless
B. deny-message none
C. svc dtls enable
D. auto-signon allow uri cifs://X.X.X.XT auth-type all

Correct Answer: A
Section: (none)
Explanation

QUESTION 410
A network engineer wants to send multicast traffic between two routers that are separated by an IP cloud.
The network engineer has access to the two routers, but does not have administrative control of the
devices within the IP cloud. How can this goal be accomplished?

A. Use IP PIM dense-mode.
B. Configure a crypto-map based site-to-site VPN between the two routers.
C. Turn on IP multicast routing.
D. Configure a generic routing encapsulation tunnel.

Correct Answer: D
Section: (none)
Explanation

QUESTION 411
Refer to the exhibit. An engineer is troubleshooting this configuration. Why is the VPN tunnel not
functioning?
A. There should be a route for the 10.8.8.0/24 network configured.
B. AES 256 can't be used with IKEv1.
C. IKEv1 is not enabled.
D. The IKEv1 policy number should be at least 256.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 412
Which two NHRP functions are specific to DMVPN Phase 3 implementation? (Choose two.)
A. registration request
B. registration reply
C. resolution request
D. resolution reply
E. redirect

Correct Answer: DE
Section: (none)
Explanation

QUESTION 413
During an SSL session between a client and a server, who is responsible for generating the master key
that generates the symmetric keys that are used during the session?

A. cipher suite
B. public key infrastructure
C. client browser
D. web server

Correct Answer: C
Section: (none)
Explanation

QUESTION 414
Drag and Drop Question

Drag and drop the steps on the left into the correct order of DMVPN process execution for quick mode
exchange on the right.

Select and Place:


Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 415
Refer to the exhibit. You are implementing an IKEv2 IPsec tunnel between two Internet routers by using
PSKs. After the configuration is complete, the IPsec VPN tunnel fails to negotiate. You enable debugging
to troubleshoot the issue. Which action do you take to resolve the issue?
A. Verify the IKEv2 keyring address and PSK configuration on both routers
B. Configure an IKEv2 authorization policy to authorize the peer router
C. Modify the Diffie-Hellman key used in the IKEv2 policy
D. Configure the IKEv2 identity of each router by using an email address

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 416
Which two features are available in the Plus license for Cisco AnyConnect? (Choose two.)

A. Network Access Manager
B. Posture services
C. Suite B cryptography
D. IPSec IKEv2
E. Clientless SSL VPN

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 417
Which Cryptographic method provides passphrase protection while importing or exporting?

A. Serpent
B. AES
C. Blowfish
D. RSA

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 418
You must implement DMVPN Phase 3 by using EIGRP as the dynamic routing protocol for the tunnel
overlay.
Which action do you take to allow EIGRP to advertise all routes between the hub and all the spokes?

A. Summarize routes from the hub to the spokes
B. Configure the hub to set itself as the next hop when advertising networks to the spokes
C. Add a distribute list to permit the spoke subnets and deny all other networks
D. Disable split-horizon for EIGRP on the hub

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 419
Refer to the exhibit. You are implementing DMVPN Phase 3 in an existing network that uses DMVPN
Phase 1. You configure NHRP, but the creation of the spoke-to-spoke tunnel fails. Which action do you take
to resolve the issue?
A. Remove the multicast flag from the NHRP configuration
B. Configure the tunnel of the hub by using point-to-point tunnel mode
C. Configure the tunnel of the spoke by using mGRE tunnel mode
D. Remove NHRP redirects from the hub configuration

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 420
Refer to the exhibit. You implement a DMVPN Phase 3 full-mesh design. Spoke-to-spoke tunnels fail to
establish successfully via the hub. Which action do you take in the hub configuration to resolve the issue?

A. Enable split horizon for EIGRP
B. Configure the hub tunnel to a point-to-point GRE tunnel interface
C. Configure a loopback interface as the source of the tunnel interface
D. Configure the hub to set itself as the next hop in the routing updates to the spokes

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 421
Refer to the exhibit. Which result of running the command is true?

#crypto isakmp key cisco123 address 172.16.0.0

A. authenticates the IKEv1 peers in the 172.16.0.0/16 network using the cisco123 key
B. cisco
C. cisco
D. cisco

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 422
Refer to the exhibit. Which VPN technology produces this configuration output?

A. DVTI
B. SVTI
C. FlexVPN
D. DMVPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 423
Which two descriptions of the characteristics of Cisco GET VPN are true? (Choose two.)

A. uses VTIs to establish IPsec tunnels
B. requires that GRE tunnels exist between participating routers
C. uses a common set of traffic encryption keys shared by group members
D. provides a tunnel-less transport mechanism
E. encrypts the data payload and IP header of a packet

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 424
Which two components are necessary for configuring spoke-to-spoke FlexVPN configurations?
(Choose two.)

A. IKEv2
B. HSRP group
C. IVRF
D. NHRP redirect

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 425
What is the functional difference between IKEv1 and IKEv2 on a router?

A. RRI
B. DPD
C. HSRP
D. Failover

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 426
Drag and Drop Question

Drag and drop the steps on the left into the correct order

Select and Place:


Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 427
Drag and Drop Question

Drag and drop the descriptions from the left onto the correct IPsec tunnel on the right.

Select and Place:


Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 428
When using clientless SSL VPN on a Cisco ASA, which authentication method is required for single
sign-on?

A. SAML 2.0
B. LOCAL
C. RADIUS
D. TACACS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
QUESTION 429
Which two methods customise the installation of the Cisco AnyConnect client? (Choose two.)

A. resource profiles
B. command-line parameters
C. client profiles
D. installer transforms
E. installation profiles

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 430
When configuring a FlexVPN, which two components must be configured for IKEv2? (Choose two)

A. method
B. proposal
C. preference
D. persistence
E. profile

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 431
Refer to the exhibit. You configure Clientless SSL VPN on a Cisco ASA. Users from Company A cannot
connect to the Clientless SSL VPN. Which possible cause of the connection failure is most likely?
A. The users have authentication issues
B. An ACL for DAP is blocking the users
C. The license limit is exceeded
D. The users are behind the same NAT IP address

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 432
When a Cisco ASA is configured for Active/Standby failover, what is replicated between the devices?

A. VPN sessions
B. Cisco Anyconnect profiles
C. Hostscan images
D. Cisco AnyConnect images

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 433
Which description of how DTLS improves application performance is true?

A. Uses a flow control mechanism
B. Uses connection-oriented sessions
C. Creates less overhead by using UDP
D. Avoids bandwidth and latency issues
Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 434
Refer to the exhibit. You have a Clientless SSL VPN service on a Cisco ASA. Which situation prevents the
user from connecting?

A. The Clientless SSL VPN protocol is disabled
B. The user’s browser is incompatible
C. The user is behind a web proxy
D. The user has a non-Cisco VPN client

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 435
You are configuring a Cisco ASA for Clientless SSL VPN. Which command do you run to prevent web
browsing from the Cisco SSL VPN portal page?

A. http-proxy 0.0.0.0
B. url-entry disable
C. url-list disable
D. http server disable

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 436
Which two features are available in the Plus license for Cisco AnyConnect? (Choose two)

A. Network Access Manager
B. posture services
C. Suite B cryptography
D. IPsec IKEv2
E. Clientless SSL VPN

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 437
Which command displays the NBMA IP address when DMVPN is configured with tunnel protection?

A. show ip nhrp
B. show crypto socket
C. show crypto session
D. show ip interface tunnel

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 438
Your company network security policy requires that all network traffic be tunnelled to the corporate office.
End users must be able to access local LAN resources when they connect to the corporate network. Which
two configurations do you implement in Cisco AnyConnect? (Choose two)

A. Client Bypass Protocol
B. split-exclude tunnelling
C. tunnel all
D. static routes
E. local LAN access

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 439
Where must an engineer configure a preshared key for a site-to-site VPN tunnel configured on a Cisco
ASA?

A. group policy
B. tunnel group
C. crypto map
D. isakmp policy

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 440
Which method dynamically advertises the network routes for remote tunnel endpoints?

A. dynamic routing
B. CEF
C. RRI
D. policy-based routing

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 441
Refer to the exhibit. You are implementing an IKEv2 IPsec tunnel between two internet routers by using
PSKs. After the configuration is complete, the IPsec VPN tunnel fails to negotiate. You enable debugging
to troubleshoot the issue. Which action do you take to resolve the issue?

A. Configure the IKEv2 identity of each router by using an email address
B. Configure an IKEv2 authorization policy to authorise the peer router
C. Verify the IKEv2 keyring address and PSK configuration on both routers
D. Modify the Diffie-Hellman key used in the IKEv2 policy

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 442
Which benefit of ECC as compared to RSA is true?

A. can be used on Cisco ASA and Cisco IOS devices
B. supports Clientless SSL VPN
C. requires multiple keys
D. can provide higher security at a lower computational cost

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 443
Which VPN solution enables you to publish applications to users by using bookmarks?

A. Port forwarding
B. SSL VPN full network access
C. Clientless SSL VPN
D. IPsec VPN

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 444
Refer to the exhibit. You are configuring FlexVPN on a router. The tunnel fails to come up. Which type of
mismatch is the root cause of the failure?

A. access list
B. peer ID
C. preshared key
D. transform set

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 445
incorrect pre-share key

Select and Place:


Correct Answer:
Section: (none)
Explanation

Explanation/Reference:

QUESTION 446
You need to configure your company’s client VPN access to send antivirus client update traffic directly to a
vendor’s cloud server. All other traffic must go to the corporate network. Which feature do you configure?

A. full tunnel
B. split tunnel
C. smart tunnel
D. split DNS

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 447
Which VPN technology preserves IP headers and prevents overlay routing?

A. site-to-site VPN
B. GET VPN
C. Cisco Easy VPN
D. DMVPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 448
Refer to the exhibit. You are implementing an IKEv1 IPsec tunnel between two internet routers by using PSKs.
After the configuration is complete, the IPsec VPN tunnel fails to negotiate. What must be configured to
resolve the issue?

A. matching ISAKMP policies on both routers
B. matching PSKs on both routers
C. correct tunnel destinations on both routers
D. ISAKMP identity for both routers

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
