
Questions & Answers PDF P-1

Cisco
300-209 Exam
Cisco Implementing Cisco Secure Mobility Solutions (SIMOS)
Exam

Questions & Answers


(Retail Version – Full Questions Set)

http://www.justcerts.com

Product Questions: 276

Version: 17.0

Question: 1

Which two are characteristics of GETVPN? (Choose two.)

A. The IP header of the encrypted packet is preserved
B. A key server is elected among all configured Group Members
C. Unique encryption keys are computed for each Group Member
D. The same key encryption and traffic encryption keys are distributed to all Group Members

Answer: A, D

Question: 2

A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid
configuration constructs on a Cisco IOS router? (Choose two.)

A. crypto ikev2 keyring keyring-name
peer peer1
address 209.165.201.1 255.255.255.255
pre-shared-key local key1
pre-shared-key remote key2
B. crypto ikev2 transform-set transform-set-name
esp-3des esp-md5-hmac
esp-aes esp-sha-hmac
C. crypto ikev2 map crypto-map-name
set crypto ikev2 tunnel-group tunnel-group-name
set crypto ikev2 transform-set transform-set-name
D. crypto ikev2 tunnel-group tunnel-group-name
match identity remote address 209.165.201.1
authentication local pre-share
authentication remote pre-share
E. crypto ikev2 profile profile-name
match identity remote address 209.165.201.1
authentication local pre-share
authentication remote pre-share

Answer: A, E

Question: 3

Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.)

A. authenticates group members
B. manages security policy
C. creates group keys
D. distributes policy/keys
E. encrypts endpoint traffic
F. receives policy/keys
G. defines group members

Answer: A, B, C, D

Question: 4

Where is split-tunneling defined for remote access clients on an ASA?

A. Group-policy
B. Tunnel-group
C. Crypto-map
D. Web-VPN Portal
E. ISAKMP client

Answer: A

Question: 5

Which of the following could be used to configure remote access VPN Host-scan and pre-login
policies?

A. ASDM
B. Connection-profile CLI command
C. Host-scan CLI command under the VPN group policy
D. Pre-login-check CLI command

Answer: A

Question: 6

In FlexVPN, what command can an administrator use to create a virtual template interface that can
be configured and applied dynamically to create virtual access interfaces?

A. interface virtual-template number type template
B. interface virtual-template number type tunnel
C. interface template number type virtual
D. interface tunnel-template number

Answer: B

Here is a reference and explanation that can be included with this test.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html#GUID-4A10927D-4C6A-4202-B01C-DA7E462F5D8A
Configuring the Virtual Tunnel Interface on FlexVPN Spoke
SUMMARY STEPS
1. enable
2. configure terminal
3. interface virtual-template number type tunnel
4. ip unnumbered tunnel number
5. ip nhrp network-id number
6. ip nhrp shortcut virtual-template-number
7. ip nhrp redirect [timeout seconds]
8. exit

Question: 7

In FlexVPN, what is the role of an NHRP resolution request?

A. It allows these entities to directly communicate without requiring traffic to use an intermediate
hop
B. It dynamically assigns VPN users to a group
C. It blocks these entities from directly communicating with each other
D. It makes sure that each VPN spoke directly communicates with the hub

Answer: A

Question: 8

What are three benefits of deploying a GET VPN? (Choose three.)

A. It provides highly scalable point-to-point topologies.
B. It allows replication of packets after encryption.
C. It is suited for enterprises running over a DMVPN network.
D. It preserves original source and destination IP address information.
E. It simplifies encryption management through use of group keying.
F. It supports non-IP protocols.

Answer: B, D, E

Question: 9

What is the default topology type for a GET VPN?

A. point-to-point
B. hub-and-spoke
C. full mesh
D. on-demand spoke-to-spoke

Answer: C

Question: 10

Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)

A. key encryption key
B. group encryption key
C. user encryption key
D. traffic encryption key

Answer: A, D

Question: 11

What are the three primary components of a GET VPN network? (Choose three.)

A. Group Domain of Interpretation protocol
B. Simple Network Management Protocol
C. server load balancer
D. accounting server
E. group member
F. key server

Answer: A, E, F

Question: 12

Which two IKEv1 policy options must match on each peer when you configure an IPsec site-to-site
VPN? (Choose two.)

A. priority number
B. hash algorithm
C. encryption algorithm
D. session lifetime
E. PRF algorithm

Answer: B, C

Question: 13

Which two parameters are configured within an IKEv2 proposal on an IOS router? (Choose two.)

A. authentication
B. encryption
C. integrity
D. lifetime

Answer: B, C

Question: 14

In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require?

A. Virtual tunnel interface
B. Multipoint GRE interface
C. Point-to-point GRE interface
D. Loopback interface

Answer: B

Question: 15

Refer to the exhibit.

After the configuration is performed, which combination of devices can connect?

A. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a
certificate with subject name of "cisco.com"
B. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 or a
certificate with subject name containing "cisco.com"
C. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 and a
certificate with subject name containing "cisco.com"
D. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a
certificate with subject name containing "cisco.com"

Answer: D

Question: 16

Which three settings are required for crypto map configuration? (Choose three.)

A. match address
B. set peer
C. set transform-set
D. set security-association lifetime
E. set security-association level per-host
F. set pfs

Answer: A, B, C

Question: 17

A network is configured to allow clientless access to resources inside the network. Which feature
must be enabled and configured to allow SSH applications to respond on the specified port 8889?

A. auto applet download
B. port forwarding
C. web-type ACL
D. HTTP proxy

Answer: B

Question: 18

Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the
certificate has changed and the connection fails.
What is a possible cause of the connection failure?

A. An invalid modulus was used to generate the initial key.
B. The VPN is using an expired certificate.
C. The Cisco ASA appliance was reloaded.
D. The Trusted Root Store is configured incorrectly.

Answer: C

Question: 19

In the Cisco ASDM interface, where do you enable the DTLS protocol setting?

A. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add
or Edit Internal Group Policy
B. Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or
Edit
C. Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN
Policy > SSL VPN Client
D. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit

Answer: C

Reference:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin/admin5.html
Shows where DTLS can be configured as:
• Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add
or Edit Internal Group Policy > Advanced > SSL VPN Client
• Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or
Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
• Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN
Policy > SSL VPN Client

Question: 20

What are two forms of SSL VPN? (Choose two.)

A. port forwarding
B. Full Tunnel Mode
C. Cisco IOS WebVPN
D. Cisco AnyConnect

Answer: C, D

Question: 21

When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?

A. dynamic access policy attributes
B. group policy attributes
C. connection profile attributes
D. user attributes

Answer: A

Question: 22

What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)

A. CSCO_WEBVPN_OTP_PASSWORD
B. CSCO_WEBVPN_INTERNAL_PASSWORD
C. CSCO_WEBVPN_USERNAME
D. CSCO_WEBVPN_RADIUS_USER

Answer: B, C

Question: 23

To change the title panel on the logon page of the Cisco IOS WebVPN portal, which file must you
configure?

A. Cisco IOS WebVPN customization template
B. Cisco IOS WebVPN customization general
C. web-access-hlp.inc
D. app-access-hlp.inc

Answer: A

Question: 24

Which three plugins are available for clientless SSL VPN? (Choose three.)

A. CIFS
B. RDP2
C. SSH
D. VNC
E. SQLNET
F. ICMP

Answer: B, C, D

Question: 25

Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA
appliance that has an invalid IKEv2 configuration?

A. migrate remote-access ssl overwrite
B. migrate remote-access ikev2
C. migrate l2l
D. migrate remote-access ssl

Answer: A

Below is a reference for this question:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html
If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple.
On the command line, enter the migrate command:
migrate {l2l | remote-access {ikev2 | ssl} | overwrite}
Things of note:
Keyword definitions:
l2l - This converts current IKEv1 l2l tunnels to IKEv2.
remote access - This converts the remote access configuration. You can convert either the IKEv1 or
the SSL tunnel groups to IKEv2.
overwrite - If you have an IKEv2 configuration that you wish to overwrite, then this keyword converts
the current IKEv1 configuration and removes the superfluous IKEv2 configuration.

Question: 26

Which statement describes a prerequisite for single-sign-on Netegrity Cookie Support in an IOC SSL
VPN?

A. The Cisco AnyConnect Secure Mobility Client must be installed in flash.
B. A SiteMinder plug-in must be installed on the Cisco SSL VPN gateway.
C. A Cisco plug-in must be installed on a SiteMinder server.
D. The Cisco Secure Desktop software package must be installed in flash.

Answer: C

Question: 27

Which two statements describe effects of the DoNothing option within the untrusted network policy
on a Cisco AnyConnect profile? (Choose two.)

A. The client initiates a VPN connection upon detection of an untrusted network.
B. The client initiates a VPN connection upon detection of a trusted network.
C. The always-on feature is enabled.
D. The always-on feature is disabled.
E. The client does not automatically initiate any VPN connection.

Answer: A, D

Question: 28

Which command enables IOS SSL VPN Smart Tunnel support for PuTTY?

A. appl ssh putty.exe win
B. appl ssh putty.exe windows
C. appl ssh putty
D. appl ssh putty.exe

Answer: B

Question: 29

Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure
Desktop? (Choose three.)

A. IKEv1
B. IKEv2
C. SSL client
D. SSL clientless
E. ESP
F. L2TP

Answer: B, C, D

Question: 30

A user is unable to establish an AnyConnect VPN connection to an ASA. When using the Real-Time
Log viewer within ASDM to troubleshoot the issue, which two filter options would the administrator
choose to show only syslog messages relevant to the VPN connection? (Choose two.)

A. Client's public IP address
B. Client's operating system
C. Client's default gateway IP address
D. Client's username
E. ASA's public IP address

Answer: A, D

Question: 31

Which Cisco ASDM option configures forwarding syslog messages to email?

A. Configuration > Device Management > Logging > E-Mail Setup
B. Configuration > Device Management > E-Mail Setup > Logging Enable
C. Select the syslogs to email, click Edit, and select the Forward Messages option.
D. Select the syslogs to email, click Settings, and specify the Destination Email Address option.

Answer: A

Question: 32

Which Cisco ASDM option configures WebVPN access on a Cisco ASA?

A. Configuration > WebVPN > WebVPN Access
B. Configuration > Remote Access VPN > Clientless SSL VPN Access
C. Configuration > WebVPN > WebVPN Config
D. Configuration > VPN > WebVPN Access

Answer: B

Question: 33

A user with IP address 10.10.10.10 is unable to access an HTTP website at IP address 209.165.200.225
through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)

A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any
B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer
command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1
and show logging | include 10.10.10.10
D. Check if an access-list on the firewall is blocking the user by using command show running-config
access-list | include 10.10.10.10
E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234192.168.1.3 161 to see
what the firewall is doing with the user's traffic

Answer: A, B

Question: 34

A Cisco router may have a fan issue that could increase its temperature and trigger a failure. What
troubleshooting steps would verify the issue without causing additional risks?

A. Configure logging using commands "logging on", "logging buffered 4", and check for fan failure
logs using "show logging"
B. Configure logging using commands "logging on", "logging buffered 6", and check for fan failure
logs using "show logging"
C. Configure logging using commands "logging on", "logging discriminator msglog1 console 7", and
check for fan failure logs using "show logging"
D. Configure logging using commands "logging host 10.11.10.11", "logging trap 2", and check for fan
failure logs at the syslog server 10.11.10.11

Answer: A

Question: 35

An internet-based VPN solution is being considered to replace an existing private WAN connecting
remote offices. A multimedia application is used that relies on multicast for communication. Which
two VPN solutions meet the application's network requirement? (Choose two.)

A. FlexVPN
B. DMVPN
C. Group Encrypted Transport VPN
D. Crypto-map based Site-to-Site IPsec VPNs
E. AnyConnect VPN

Answer: A, B

Question: 36

A private WAN connection is suspected of intermittently corrupting data. Which technology can a
network administrator use to detect and drop the altered data traffic?

A. AES-128
B. RSA Certificates
C. SHA2-HMAC
D. 3DES
E. Diffie-Hellman Key Generation

Answer: C

Question: 37

A company needs to provide secure access to its remote workforce. The end users use public kiosk
computers and a wide range of devices. They will be accessing only an internal web application.
Which VPN solution satisfies these requirements?

A. Clientless SSLVPN
B. AnyConnect Client using SSLVPN
C. AnyConnect Client using IKEv2
D. FlexVPN Client
E. Windows built-in PPTP client

Answer: A

Question: 38

A network administrator is configuring AES encryption for the ISAKMP policy on an IOS router. Which
two configurations are valid? (Choose two.)

A. crypto isakmp policy 10
encryption aes 254
B. crypto isakmp policy 10
encryption aes 192
C. crypto isakmp policy 10
encryption aes 256
D. crypto isakmp policy 10
encryption aes 196
E. crypto isakmp policy 10
encryption aes 199
F. crypto isakmp policy 10
encryption aes 64

Answer: B, C

Question: 39

Which two qualify as Next Generation Encryption integrity algorithms? (Choose two.)

A. SHA-512
B. SHA-256
C. SHA-192
D. SHA-380
E. SHA-192
F. SHA-196

Answer: A, B

Question: 40

Which statement is true when implementing a router with a dynamic public IP address in a crypto
map based site-to-site VPN?

A. The router must be configured with a dynamic crypto map.
B. Certificates are always used for phase 1 authentication.
C. The tunnel establishment will fail if the router is configured as a responder only.
D. The router and the peer router must have NAT traversal enabled.

Answer: C

Question: 41

Which two statements are true when designing an SSL VPN solution using Cisco AnyConnect? (Choose
two.)

A. The VPN server must have a self-signed certificate.
B. An SSL group pre-shared key must be configured on the server.
C. Server side certificate is optional if using AAA for client authentication.
D. The VPN IP address pool can overlap with the rest of the LAN networks.
E. DTLS can be enabled for better performance.

Answer: D, E

Question: 42

Which two features are required when configuring a DMVPN network? (Choose two.)

A. Dynamic routing protocol
B. GRE tunnel interface
C. Next Hop Resolution Protocol
D. Dynamic crypto map
E. IPsec encryption

Answer: B, C

Question: 43

What are two benefits of DMVPN Phase 3? (Choose two.)

A. Administrators can use summarization of routing protocol updates from hub to spokes.
B. It introduces hierarchical DMVPN deployments.
C. It introduces non-hierarchical DMVPN deployments.
D. It supports L2TP over IPSec as one of the VPN protocols.

Answer: A, B

Question: 44

Which are two main use cases for Clientless SSL VPN? (Choose two.)

A. In kiosks that are part of a shared environment
B. When the users do not have admin rights to install a new VPN client
C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP
D. To create VPN site-to-site tunnels in combination with remote access

Answer: A, B

Question: 45

Which technology can rate-limit the number of tunnels on a DMVPN hub when system utilization is
above a specified percentage?

A. NHRP Event Publisher
B. interface state control
C. CAC
D. NHRP Authentication
E. ip nhrp connect

Answer: C

Question: 46

Which technology supports tunnel interfaces while remaining compatible with legacy VPN
implementations?

A. FlexVPN
B. DMVPN
C. GET VPN
D. SSL VPN

Answer: A

Question: 47

Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices?

A. IKEv2 Suite-B
B. IKEv2 proposals
C. IKEv2 profiles
D. IKEv2 Smart Defaults

Answer: D

Question: 48

When an IPsec SVTI is configured, which technology processes traffic forwarding for encryption?

A. ACL
B. IP routing
C. RRI
D. front door VPN routing and forwarding

Answer: B

Question: 49

An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP
site with a Web browser. What is a possible reason for the failure?

A. The user's FTP application is not supported.
B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.
C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.
D. The user's operating system is not supported.

Answer: B

Reference:
http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70664-IOSthinclient.html
Thin-Client SSL VPN (Port Forwarding)
A remote client must download a small, Java-based applet for secure access of TCP applications that
use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH,
and Telnet. The user needs local administrative privileges because changes are made to files on the
local machine. This method of SSL VPN does not work with applications that use dynamic port
assignments, for example, several FTP applications.

Question: 50

A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file
shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco IOS router
and the Windows server?

A. HTTPS
B. NetBIOS
C. CIFS
D. HTTP

Answer: C

Question: 51

You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command
must you configure on the virtual template?

A. tunnel protection ipsec
B. ip virtual-reassembly
C. tunnel mode ipsec
D. ip unnumbered

Answer: D

Question: 52

Which protocol supports high availability in a Cisco IOS SSL VPN environment?

A. HSRP
B. VRRP
C. GLBP
D. IRDP

Answer: A

Question: 53

When you configure IPsec VPN High Availability Enhancements, which technology does Cisco
recommend that you enable to make reconvergence faster?

A. EOT
B. IP SLAs
C. periodic IKE keepalives
D. VPN fast detection

Answer: C

Question: 54

Which hash algorithm is required to protect classified information?

A. MD5
B. SHA-1
C. SHA-256
D. SHA-384

Answer: D

Question: 55

Which cryptographic algorithms are approved to protect Top Secret information?

A. HIPPA DES
B. AES-128
C. RC4-128
D. AES-256

Answer: D

Question: 56

Which Cisco firewall platform supports Cisco NGE?

A. FWSM
B. Cisco ASA 5505
C. Cisco ASA 5580
D. Cisco ASA 5525-X

Answer: D

Question: 57

Which algorithm is replaced by elliptic curve cryptography in Cisco NGE?

A. 3DES
B. AES
C. DES
D. RSA

Answer: D

Question: 58

Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco
NGE supported VPN solution?

A. AES-GCM and SHA-2
B. 3DES and DH
C. AES-CBC and SHA-1
D. 3DES and SHA-1

Answer: A

Question: 59

An administrator wishes to limit the networks reachable over the Anyconnect VPN tunnels. Which
configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and
209.165.202.128/27?

A. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitlist
B. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value splitlist
C. group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
D. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect vpn-tunnel-network-list splitlist
E. crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224

Answer: A

Question: 60

Which NGE IKE Diffie-Hellman group identifier has the strongest cryptographic properties?

A. group 10
B. group 24
C. group 5
D. group 20

Answer: D

Question: 61

What is the Cisco recommended TCP maximum segment on a DMVPN tunnel interface when the
MTU is set to 1400 bytes?

A. 1160 bytes
B. 1260 bytes
C. 1360 bytes
D. 1240 bytes

Answer: C

Question: 62

Which technology does a multipoint GRE interface require to resolve endpoints?

A. ESP
B. dynamic routing
C. NHRP
D. CEF
E. IPSec

Answer: C

Question: 63

Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)

A. SHA (HMAC variant)
B. Diffie-Hellman
C. DES
D. MD5 (HMAC variant)

Answer: A, B

Question: 64

Which command configures IKEv2 symmetric identity authentication?

A. match identity remote address 0.0.0.0
B. authentication local pre-share
C. authentication pre-share
D. authentication remote rsa-sig

Answer: C

Question: 65

Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)

A. aes-cbc-192, sha256, 14
B. 3des, md5, 5
C. 3des, sha1, 1
D. aes-cbc-128, sha, 5

Answer: B, D

Question: 66

What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?

A. disk0:/webvpn/{context name}/
B. disk1:/webvpn/{context name}/
C. flash:/webvpn/{context name}/
D. nvram:/webvpn/{context name}/

Answer: C

Question: 67

Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?

A. vpn-filter none
B. no vpn-filter
C. filter value none
D. filter value ACLname

Answer: C

Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/v.html#pgfId-1842564

Question: 68

Which command specifies the path to the Host Scan package in an ASA AnyConnect VPN?

A. csd hostscan path image
B. csd hostscan image path
C. csd hostscan path
D. hostscan image path

Answer: B

Question: 69

When a tunnel is initiated by the headquarter ASA, which one of the following Diffie-Hellman groups
is selected by the headquarter ASA during CREATE_CHILD_SA exchange?

A. 1
B. 2
C. 5
D. 14
E. 19

Answer: C

Explanation:
Traffic initiated by the HQ ASA is assigned to the static outside crypto map, which is shown below to
use DH group 5.

Question: 70

Based on the provided ASDM configuration for the remote ASA, which one of the following is
correct?

A. An access-list must be configured on the outside interface to permit inbound VPN traffic
B. A route to 192.168.22.0/24 will not be automatically installed in the routing table
C. The ASA will use a window of 128 packets (64x2) to perform the anti-replay check
D. The tunnel can also be established on TCP port 10000

Answer: C

Explanation:
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating
encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor
keeps track of which packets it has seen on the basis of these numbers. Currently, the default
window size is 64 packets. Generally, this number (window size) is sufficient, but there are times
when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and
Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more
than 64 packets.

Question: 71

If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to
encrypt traffic?

A. DES
B. 3DES
C. AES
D. AES192
E. AES256

Answer: E

Explanation:
Both ASAs are configured to support AES 256, so during the IPSec negotiation they will use the
strongest algorithm that is supported by each peer.

Question: 72

After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24
network are unable to access the internet. Which of the following can be done to resolve this
problem?

A. Change the Diffie-Hellman group on the headquarter ASA to group 5 for the dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEv1 configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0

Answer: B

Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec
tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and
most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24
to 192.168.22.0/24.

Question: 73

Which option shows the correct traffic selectors for the child SA on the remote ASA, when the
headquarter ASA initiates the tunnel?

A. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.20.0/0-192.168.20.255/65535
B. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.22.0/0-192.168.22.255/65535
C. Local selector 192.168.22.0/0-192.168.22.255/65535 Remote selector 192.168.33.0/0-192.168.33.255/65535
D. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 0.0.0.0/0 - 0.0.0.0/65535
E. Local selector 0.0.0.0/0 - 0.0.0.0/65535 Remote selector 192.168.22.0/0 -192.168.22.255/65535

Answer: B

The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec
tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and
most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24
(THE LOCAL SIDE) to 192.168.22.0/24 (THE REMOTE SIDE).

Question: 74

SIMULATION

Answer:

Here are the steps as below:

Step 1: Configure key ring
crypto ikev2 keyring mykeys
peer SiteB.cisco.com
address 209.161.201.1
pre-shared-key local $iteA
pre-shared-key remote $iteB
Step 2: Configure IKEv2 profile
crypto ikev2 profile default
identity local fqdn SiteA.cisco.com
match identity remote fqdn SiteB.cisco.com
authentication local pre-share
authentication remote pre-share
keyring local mykeys
Step 3: Create the GRE Tunnel and apply profile
crypto ipsec profile default
set ikev2-profile default
interface tunnel 0
ip address 10.1.1.1 255.255.255.0
tunnel source eth 0/0
tunnel destination 209.165.201.1
tunnel protection ipsec profile default
end

Question: 75

A custom desktop application needs to access an internal server. An administrator is tasked with
configuring the company's SSL VPN gateway to allow remote users to work. Which two technologies
would accommodate the company's requirement? (Choose two).

A. AnyConnect client
B. Smart Tunnels
C. Email Proxy
D. Content Rewriter
E. Portal Customizations

Answer: A, B

Question: 76

A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing traffic to be
blackholed. Which command should be used to identify the peer from which that route originated?

A. show crypto ikev2 sa detail
B. show crypto route
C. show crypto ikev2 client flexvpn
D. show ip route eigrp
E. show crypto isakmp sa detail

Answer: B

Question: 77

Refer to the exhibit.

Which authentication method was used by the remote peer to prove its identity?

A. Extensible Authentication Protocol
B. certificate authentication
C. pre-shared key
D. XAUTH

Answer: C

Question: 78

Refer to the exhibit.

Ao IPsec peer is exchaogiog riutes usiog IKEv2, but the riutes are oit iostalled io the RIB. Which
ciofguratio errir is causiog the failure?

A. IKEv2 riutog requires certfcate autheotcatio, oit pre-shared keys.


B. Ao iovalid admioistratve distaoce value was ciofgured.
C. The match ideotty cimmaod must refer ti ao access list if riutes.
D. The IKEv2 authirizatio pilicy is oit refereoced io the IKEv2 prifle.

Aoswers B

Question: 79

Refer to the exhibit.

An administrator is adding IPv6 addressing to an already functioning tunnel. The administrator is
unable to ping 2001:DB8:100::2 but can ping 209.165.200.226. Which configuration needs to be
added or changed?

A. No configuration change is necessary. Everything is working correctly.
B. OSPFv3 needs to be configured on the interface.
C. NHRP needs to be configured to provide NBMA mapping.
D. Tunnel mode needs to be changed to GRE IPv4.
E. Tunnel mode needs to be changed to GRE IPv6.

Answer: E

Question: 80

Refer to the exhibit.

The IKEv2 tunnel between Router1 and Router2 is failing during session establishment. Which action
will allow the session to establish correctly?

A. The address command on Router2 must be narrowed down to a /32 mask.
B. The local and remote keys on Router2 must be switched.
C. The pre-shared key must be altered to use only lowercase letters.
D. The local and remote keys on Router2 must be the same.

Answer: B

Question: 81

You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing
the debug crypto isakmp command on the headend router, you see the following output. What does
this output suggest?
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10

A. Phase 1 policy does not match on both sides.
B. The transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. There is a mismatch on the ACL that identifies interesting traffic.

Answer: A

Question: 82

You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing
the debug crypto ipsec command on the headend router, you see the following output. What does
this output suggest?
1d00h: IPSec (validate_proposal): transform proposal
(port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable

A. Phase 1 policy does not match on both sides.
B. The Phase 2 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. The crypto map is not applied on the remote peer.
E. The Phase 1 transform set does not match on both sides.

Answer: B

Question: 83

Which adaptive security appliance command can be used to see a generic framework of the
requirements for configuring a VPN tunnel between an adaptive security appliance and a Cisco IOS
router at a remote office?

A. vpnsetup site-to-site steps
B. show running-config crypto
C. show vpn-sessiondb l2l
D. vpnsetup ssl-remote-access steps

Answer: A

Question: 84

After completing a site-to-site VPN setup between two routers, application performance over the
tunnel is slow. You issue the show crypto ipsec sa command and see the following output. What does
this output suggest?
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)
current_peer 209.165.200.230 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836
#pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

A. The VPN has established and is functioning normally.
B. There is an asymmetric routing issue.
C. The remote peer is not receiving encrypted traffic.
D. The remote peer is not able to decrypt traffic.
E. Packet corruption is occurring on the path between the two peers.

Answer: E

Question: 85

Which Cisco adaptive security appliance command can be used to view the count of all active VPN
sessions?

A. show vpn-sessiondb summary
B. show crypto ikev1 sa
C. show vpn-sessiondb ratio encryption
D. show iskamp sa detail
E. show crypto protocol statistics all

Answer: A

Question: 86

Refer to the exhibit.

An administrator had the above configuration working with SSL protocol, but as soon as the
administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not able to
connect. What is the problem?

A. IPsec will not work in conjunction with a group URL.
B. The Cisco AnyConnect implementation does not allow the two group URLs to be the same. SSL
does allow this.
C. If you specify the primary protocol as IPsec, the User Group must be the exact name of the
connection profile (tunnel group).
D. A new XML profile should be created instead of modifying the existing profile, so that the clients
force the update.

Answer: C

Question: 87

The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error
message is displayed:
"Login Denied, unauthorized connection mechanism, contact your administrator"
What is the most possible cause of this problem?

A. DAP is terminating the connection because IKEv2 is the protocol that is being used.
B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection.
C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism.
D. The administrator is restricting access to this specific user.
E. The IKEv2 protocol is not enabled in the group policy of the VPN headend.

Answer: E

Question: 88

The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend
using IKEv2. What is the most likely cause of this problem?

A. User profile updates are not allowed with IKEv2.
B. IKEv2 is not enabled on the group policy.
C. A new profile must be created so that the adaptive security appliance can push it to the client on
the next connection attempt.
D. Client Services is not enabled on the adaptive security appliance.

Answer: D

Question: 89

Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2
connection, while SSL works fine? (Choose two.)

A. Verify that the primary protocol on the client machine is set to IPsec.
B. Verify that AnyConnect is enabled on the correct interface.
C. Verify that the IKEv2 protocol is enabled on the group policy.
D. Verify that ASDM and AnyConnect are not using the same port.
E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.

Answer: A, C

Question: 90

Regarding licensing, which option will allow IKEv2 connections on the adaptive security appliance?

A. AnyConnect Essentials can be used for Cisco AnyConnect IKEv2 connections.
B. IKEv2 sessions are not licensed.
C. The Advanced Endpoint Assessment license must be installed to allow Cisco AnyConnect IKEv2
sessions.
D. Cisco AnyConnect Mobile must be installed to allow AnyConnect IKEv2 sessions.

Answer: B

Question: 91

Refer to the exhibit.

The network administrator is adding a new spoke, but the tunnel is not passing traffic. What could
cause this issue?

A. DMVPN is a point-to-point tunnel, so there can be only one spoke.
B. There is no EIGRP configuration, and therefore the second tunnel is not working.
C. The NHRP authentication is failing.
D. The transform set must be in transport mode, which is a requirement for DMVPN.
E. The NHRP network ID is incorrect.

Answer: C

Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#wp1055049

Question: 92

What action does the hub take when it receives a NHRP resolution request from a spoke for a
network that exists behind another spoke?

A. The hub sends back a resolution reply to the requesting spoke.
B. The hub updates its own NHRP mapping.
C. The hub forwards the request to the destination spoke.
D. The hub waits for the second spoke to send a request so that it can respond to both spokes.

Answer: C

Question: 93

A spoke has two Internet connections for failover. How can you achieve optimum failover without
affecting any other router in the DMVPN cloud?

A. Create another DMVPN cloud by configuring another tunnel interface that is sourced from the
second ISP link.
B. Use another router at the spoke site, because two ISP connections on the same router for the
same hub is not allowed.
C. Configure SLA tracking, and when the primary interface goes down, manually change the tunnel
source of the tunnel interface.
D. Create another tunnel interface with same configuration except the tunnel source, and configure
the if-state nhrp and backup interface commands on the primary tunnel interface.

Answer: D

Question: 94

In DMVPN phase 2, which two EIGRP features need to be disabled on the hub to allow spoke-to-
spoke communication? (Choose two.)

A. autosummary
B. split horizon
C. metric calculation using bandwidth
D. EIGRP address family
E. next-hop-self
F. default administrative distance

Answer: B, E

Question: 95

What does NHRP stand for?

A. Next Hop Resolution Protocol
B. Next Hop Registration Protocol
C. Next Hub Routing Protocol
D. Next Hop Routing Protocol

Answer: A

Question: 96

When troubleshooting established clientless SSL VPN issues, which three steps should be taken?
(Choose three.)

A. Clear the browser history.
B. Clear the browser and Java cache.
C. Collect the information from the computer event log.
D. Enable and use HTML capture tools.
E. Gather crypto debugs on the adaptive security appliance.
F. Use Wireshark to capture network traffic.

Answer: B, E, F

Question: 97

A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish the
connection. Which three commands can be used for troubleshooting of the AAA subsystem? (Choose
three.)

A. debug aaa authentication
B. debug radius
C. debug vpn authorization error
D. debug ssl openssl errors
E. debug webvpn aaa
F. debug ssl error

Answer: A, B, D

Question: 98

Which option is a possible solution if you cannot access a URL through clientless SSL VPN with
Internet Explorer, while other browsers work fine?

A. Verify the trusted zone and cookies settings in your browser.
B. Make sure that you specified the URL correctly.
C. Try the URL from another operating system.
D. Move to the IPsec client.

Answer: A

Question: 99

Which cryptographic algorithms are a part of the Cisco NGE suite?

A. HIPPA DES
B. AES-CBC-128
C. RC4-128
D. AES-GCM-256

Answer: D

Reference:
https://www.cisco.com/web/learning/le21/le39/docs/tdw166_prezi.pdf

Question: 100

Which transform set is contained in the IKEv2 default proposal?

A. aes-cbc-192, sha256, group 14
B. 3des, md5, group 7
C. 3des, sha1, group 1
D. aes-cbc-128, sha, group 5

Answer: D

Question: 101

Which command clears all crypto configuration from a Cisco Adaptive Security Appliance?

A. clear configure crypto
B. clear configure crypto ipsec
C. clear crypto map
D. clear crypto ikev2 sa

Answer: A

Question: 102

Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel
group in cleartext?

A. more system:running-config
B. show running-config crypto
C. show running-config tunnel-group
D. show running-config tunnel-group-map
E. clear config tunnel-group
F. show ipsec policy

Answer: A

Question: 103

An administrator desires that when work laptops are not connected to the corporate network, they
should automatically initiate an AnyConnect VPN tunnel back to headquarters. Where does the
administrator configure this?

A. Via the svc trusted-network command under the group-policy sub-configuration mode on the ASA
B. Under the "Automatic VPN Policy" section inside the Anyconnect Profile Editor within ASDM
C. Under the TNDPolicy XML section within the Local Preferences file on the client computer
D. Via the svc trusted-network command under the global webvpn sub-configuration mode on the
ASA

Answer: B

Question: 104

The following configuration steps have been completed:
• WebVPN was enabled on the ASA outside interface.
• SSL VPN client software was loaded to the ASA.
• A DHCP scope was configured and applied to a WebVPN Tunnel Group.
What additional step is required if the client software fails to load when connecting to the ASA SSL
page?

A. The SSL client must be loaded to the client by an ASA administrator
B. The SSL client must be downloaded to the client via FTP
C. The SSL VPN client must be enabled on the ASA after loading
D. The SSL client must be enabled on the client machine before loading

Answer: C

Question: 105

Remote users want to access internal servers behind an ASA using Microsoft terminal services.
Which option outlines the steps required to allow users access via the ASA clientless VPN portal?

A. 1. Configure a static pat rule for TCP port 3389
2. Configure an inbound access-list to allow traffic from remote users to the servers
3. Assign this access-list rule to the group policy
B. 1. Configure a bookmark of the type http:// server-IP :3389
2. Enable Smart tunnel on this bookmark
3. Assign the bookmark to the desired group policy
C. 1. Configure a Smart Tunnel application list
2. Add the rdp.exe process to this list
3. Assign the Smart Tunnel application list to the desired group policy
D. 1. Upload an RDP plugin to the ASA
2. Configure a bookmark of the type rdp:// server-IP
3. Assign the bookmark list to the desired group policy

Answer: D

Question: 106

Which command is used to determine how many GMs have registered in a GETVPN environment?

A. show crypto isakmp sa
B. show crypto gdoi ks members
C. show crypto gdoi gm
D. show crypto ipsec sa
E. show crypto isakmp sa count

Answer: B

Question: 107

On which Cisco platform are dynamic virtual template interfaces available?

A. Cisco Adaptive Security Appliance 5585-X
B. Cisco Catalyst 3750X
C. Cisco Integrated Services Router Generation 2
D. Cisco Nexus 7000

Answer: C

Question: 108

Refer to the exhibit.

Which statement about the given IKE policy is true?

A. The tunnel will be valid for 2 days, 88 minutes, and 00 seconds.
B. It will use encrypted nonces for authentication.
C. It has a keepalive of 60 minutes, checking every 5 minutes.
D. It uses a 56-bit encryption algorithm.

Answer: B

Question: 109

Refer to the exhibit.

Which two statements about the given configuration are true? (Choose two.)

A. Defined PSK can be used by any IPSec peer.
B. Any router defined in group 2 will be allowed to connect.
C. It can be used in a DMVPN deployment
D. It is a LAN-to-LAN VPN ISAKMP policy.
E. It is an AnyConnect ISAKMP policy.
F. PSK will not work as configured

Answer: A, C

Question: 110

Refer to the exhibit.

What technology does the given configuration demonstrate?

A. Keyring used to encrypt IPSec traffic
B. FlexVPN with IPV6
C. FlexVPN with AnyConnect
D. Crypto Policy to enable IKEv2

Answer: B

Question: 111

Which command enables the router to form EIGRP neighbor adjacencies with peers using a different
subnet than the ingress interface?

A. ip unnumbered interface
B. eigrp router-id
C. passive-interface interface name
D. ip split-horizon eigrp as number

Answer: A

Question: 112

Which feature enforces the corporate policy for Internet access to Cisco AnyConnect VPN users?

A. Trusted Network Detection
B. Datagram Transport Layer Security
C. Cisco AnyConnect Customization
D. banner message

Answer: A

Question: 113

In which situation would you enable the Smart Tunnel option with clientless SSL VPN?

A. when a user is using an outdated version of a web browser
B. when an application is failing in the rewrite process
C. when IPsec should be used over SSL VPN
D. when a user has a nonsupported Java version installed
E. when cookies are disabled

Answer: B

Question: 114

Refer to the exhibit.

You executed the show crypto ipsec sa command to troubleshoot an IPSec issue. What problem does
the given output indicate?

A. IKEv2 failed to establish a phase 2 negotiation.
B. The Crypto ACL is different on the peer device.
C. ISAKMP was unable to find a matching SA.
D. IKEv2 was used in aggressive mode.

Answer: B

Question: 115

Which two types of authentication are supported when you use Cisco ASDM to configure site-to-site
IKEv2 with IPv6? (Choose two.)

A. preshared key
B. webAuth
C. digital certificates
D. XAUTH
E. EAP

Answer: A, C

Question: 116

Which option describes the purpose of the shared argument in the DMVPN interface command
tunnel protection IPsec profile ProfileName shared?

A. shares a single profile between multiple tunnel interfaces
B. allows multiple authentication types to be used on the tunnel interface
C. shares a single profile between a tunnel interface and a crypto map
D. shares a single profile between IKEv1 and IKEv2

Answer: A

Question: 117

Which type of communication in a FlexVPN implementation uses an NHRP shortcut?

A. spoke to hub
B. spoke to spoke
C. hub to spoke
D. hub to hub

Answer: B

Question: 118

Which technology is FlexVPN based on?

A. OER
B. VRF
C. IKEv2
D. an RSA nonce

Answer: C

Question: 119

Which application does the Application Access feature of Clientless VPN support?

A. TFTP
B. VoIP
C. Telnet
D. active FTP

Answer: C

Question: 120

Where do you configure AnyConnect certificate-based authentication in ASDM?

A. group policies
B. AnyConnect Connection Profile
C. AnyConnect Client Profile
D. Advanced Network (Client) Access

Answer: B

Question: 121

Which protocols does the Cisco AnyConnect client use to build multiple connections to the security
appliance?

A. TLS and DTLS
B. IKEv1
C. L2TP over IPsec
D. SSH over TCP

Answer: A

Question: 122

Which is used by GETVPN, FlexVPN and DMVPN?

A. NHRP
B. MPLS
C. GRE
D. ESP

Answer: D

Question: 123

Which VPN solution is best for a collection of branch offices connected by MPLS that frequently make
VoIP calls between branches?

A. GETVPN
B. Cisco AnyConnect
C. site-to-site
D. DMVPN

Answer: A

Question: 124

Refer to the exhibit.

Which VPN solution does this configuration represent?

A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site

Answer: C

Question: 125

Refer to the exhibit.

You have implemented an SSL VPN as shown. Which type of communication takes place between the
secure gateway R1 and the Cisco Secure ACS?

A. HTTP proxy
B. AAA
C. policy
D. port forwarding

Answer: B

Question: 126

Which technology can provide high availability for an SSL VPN?

A. DMVPN
B. a multiple-tunnel configuration
C. a Cisco ASA pair in active/passive failover configuration
D. certificate to tunnel group maps

Answer: C

Question: 127

Refer to the exhibit.

Which VPN solution does this configuration represent?

A. Cisco AnyConnect
B. IPsec
C. L2TP
D. SSL VPN

Answer: B

Question: 128

Which technology must be installed on the client computer to enable users to launch applications
from a Clientless SSL VPN?

A. Java
B. QuickTime plug-in
C. Silverlight
D. Flash

Answer: A

Question: 129

In the Diffie-Hellman protocol, which type of key is the shared secret?

A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key

Answer: A

Question: 130

Refer to the exhibit.

Which exchange does this debug output represent?

A. IKE Phase 1
B. IKE Phase 2
C. symmetric key exchange
D. certificate exchange

Answer: A

Question: 131

Which two technologies are considered to be Suite B cryptography? (Choose two.)

A. MD5
B. SHA2
C. Elliptical Curve Diffie-Hellman
D. 3DES
E. DES

Answer: B, C

Question: 132

Which protocol does DTLS use for its transport?

A. TCP
B. UDP
C. IMAP
D. DDE

Answer: B

Question: 133

SIMULATION
Scenario:
You are the network security manager for your organization. Your manager has received a request to
allow an external user to access your HQ and DMZ servers. You are given the following connection
parameters for this task.
Using ASDM on the ASA, configure the parameters below and test your configuration by accessing
the Guest PC. Not all ASDM screens are active for this exercise. Also, for this exercise, all changes are
automatically applied to the ASA and you will not have to click APPLY to apply the changes manually.
• Enable Clientless SSL VPN on the outside interface
• Using the Guest PC, open an Internet Explorer window and test and verify the basic connection to
the SSL VPN portal using address: https://vpn-secure-x.public
  a. You may notice a certificate error in the status bar, this can be ignored for this exercise
  b. Username: vpnuser
  c. Password: cisco123
  d. Logout of the portal once you have verified connectivity
• Configure two bookmarks with the following parameters:
  a. Bookmark List Name: MY-BOOKMARKS
  b. Use the: URL with GET or POST method
  c. Bookmark Title: HQ-Server
     i. http://10.10.3.20
  d. Bookmark Title: DMZ-Server-FTP
     i. ftp://172.16.1.50
  e. Assign the configured Bookmarks to:
     i. DfltGrpPolicy
     ii. DfltAccessPolicy
     iii. LOCAL User: vpnuser
• From the Guest PC, reconnect to the SSL VPN Portal
• Test both configured Bookmarks to ensure desired connectivity
You have completed this exercise when you have configured and successfully tested Clientless SSL
VPN connectivity.
Topology:

Answer: Please find the solution in below explanation.

Explanation:
First, enable clientless VPN access on the outside interface by checking the box found below:

Then, log in to the given URL using the vpnuser/cisco123 credentials:

Logging in will take you to this page, which means you have now verified basic connectivity:

Now log out by hitting the logout button.

Now, go back to the ASDM and navigate to the Bookmarks portion:

Make the name MY-BOOKMARKS and use the “Add” tab and add the bookmarks per the instructions:

Ensure the “URL with GET or POST method” button is selected and hit OK:

Add the two bookmarks as given in the instructions:

You should now see the two bookmarks listed:

Hit OK and you will see this:

Select the MY-BOOKMARKS Bookmarks and click on the “Assign” button. Then, click on the
appropriate check boxes as specified in the instructions and hit OK.

After hitting OK, you will now see this:

Then, go back to the Guest-PC, log back in and you should be able to test out the two new
bookmarks.

Question: 134

Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the
IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

What is being used as the authentication method on the branch ISR?

A. Certificates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2

Answer: B

Explanation:
The show crypto isakmp key command shows the preshared key of “cisco”.

Question: 135

Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the
IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

Which transform set is being used on the branch ISR?

A. Default
B. ESP-3DES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS mode transport
D. TSET

Answer: B

Explanation:
This can be seen from the “show crypto ipsec sa” command as shown below:

Question: 136

Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the
IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

In what state is the IKE security association in on the Cisco ASA?

A. There are no security associations in place
B. MM_ACTIVE
C. ACTIVE(ACTIVE)
D. QM_IDLE

Answer: B

Explanation:
This can be seen from the “show crypto isa sa” command:

Question: 137

Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer
configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote
branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the
IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

Which crypto map tag is being used on the Cisco ASA?

A. outside_cryptomap
B. VPN-to-ASA
C. L2L_Tunnel
D. outside_map1

Answer: D

Explanation:
This is seen from the “show crypto ipsec sa” command on the ASA.

Question: 138

Which option describes what address preservation with IPsec Tunnel Mode allows when GETVPN is
used?

A. stronger encryption methods
B. Network Address Translation of encrypted traffic
C. traffic management based on original source and destination addresses
D. Tunnel Endpoint Discovery

Answer: C

Question: 139

Which feature is available in IKEv1 but not IKEv2?

A. Layer 3 roaming
B. aggressive mode
C. EAP variants
D. sequencing

Answer: B

Question: 140

Which feature is enabled by the use of NHRP in a DMVPN network?

A. host routing with Reverse Route Injection
B. BGP multiaccess
C. host to NBMA resolution
D. EIGRP redistribution

Answer: C

Question: 141

Which statement about the hub in a DMVPN configuration with iBGP is true?

A. It must be a route reflector client.
B. It must redistribute EIGRP from the spokes.
C. It must be in a different AS.
D. It must be a route reflector.

Answer: D

Question: 142

Refer to the exhibit.

Which technology is represented by this configuration?

A. AAA for FlexVPN
B. AAA for EzVPN
C. TACACS+ command authorization
D. local command authorization

Answer: A

Question: 143

Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel?

A. show crypto ipsec sa
B. show crypto isakmp sa
C. show crypto ikev2 sa
D. show ip nhrp

Answer: C

Question: 144

Which interface is managed by the VPN Access Interface field in the Cisco ASDM IPsec Site-to-Site
VPN Wizard?

A. the local interface named "VPN_access"
B. the local interface configured with crypto enable
C. the local interface from which traffic originates
D. the remote interface with security level 0

Answer: B

Question: 145

You are troubleshooting a DMVPN NHRP registration failure. Which command can you use to view
request counters?

A. show ip nhrp nhs detail
B. show ip nhrp tunnel
C. show ip nhrp incomplete
D. show ip nhrp incomplete tunnel tunnel_interface_number

Answer: A

Question: 146

Refer to the exhibit.

What is the purpose of the given configuration?

A. Establishing a GRE tunnel.
B. Enabling IPSec to decrypt fragmented packets.
C. Resolving access issues caused by large packet sizes.
D. Adding the spoke to the routing table.

Answer: C

Question: 147

Which three commands are included in the command show dmvpn detail? (Choose three.)

A. show ip nhrp nhs
B. show dmvpn
C. show crypto session detail
D. show crypto ipsec sa detail
E. show crypto sockets
F. show ip nhrp

Answer: B, C, E

Question: 148

Refer to the exhibit.

Which action is demonstrated by this debug output?

A. NHRP initial registration by a spoke.
B. NHRP registration acknowledgement by the hub.
C. Disabling of the DMVPN tunnel interface.
D. IPsec ISAKMP phase 1 negotiation.

Answer: A

Question: 149

Which option describes the purpose of the command show derived-config interface virtual-access 1?

A. It verifies that the virtual access interface is cloned correctly with per-user attributes.
B. It verifies that the virtual template created the tunnel interface.
C. It verifies that the virtual access interface is of type Ethernet.
D. It verifies that the virtual access interface is used to create the tunnel interface.

Answer: A

Question: 150

Which two RADIUS attributes are needed for a VRF-aware FlexVPN hub? (Choose two.)

A. ip:interface-config=ip unnumbered loobackn
B. ip:interface-config=ip vrf forwarding ivrf
C. ip:interface-config=ip src route
D. ip:interface-config=ip next hop
E. ip:interface-config=ip neighbor 0.0.0.0

Answer: A, B

Question: 151

Which functionality is provided by L2TPv3 over FlexVPN?

A. the extension of a Layer 2 domain across the FlexVPN
B. the extension of a Layer 3 domain across the FlexVPN
C. secure communication between servers on the FlexVPN
D. a secure backdoor for remote access users through the FlexVPN

Answer: A

Question: 152

When you troubleshoot Cisco AnyConnect, which step does Cisco recommend before you open a TAC
case?

A. Show applet Lifecycle exceptions.
B. Disable cookies.
C. Enable the WebVPN cache.
D. Collect a DART bundle.

Answer: D

Question: 153

What URL do you use to download a packet capture file in a format which can be used by a packet
analyzer?

A. ftp://<hostname>/capture/<capture_name>/
B. Error! Hyperlink reference not valid. _interface:port>/<capture_name>/
C. Error! Hyperlink reference not valid.
D. Error! Hyperlink reference not valid.

Answer: C

Question: 154

If Web VPN bookmarks are grayed out on the home screen, which action should you take to begin
troubleshooting?

A. Determine whether the Cisco ASA can resolve the DNS names.
B. Determine whether the Cisco ASA has DNS forwarders set up.
C. Determine whether an ACL is present to permit DNS forwarding.
D. Replace the DNS name with an IP address.

Answer: A

Question: 155

Which command clears all Cisco AnyConnect VPN sessions?

A. vpn-sessiondb logoff anyconnect
B. vpn-sessiondb logoff webvpn
C. vpn-sessiondb logoff l2l
D. clear crypto isakmp sa

Answer: A

Question: 156

Which group-policy subcommand installs the Diagnostic AnyConnect Report Tool on user computers when a Cisco AnyConnect user logs in?

A. customization value dart
B. file-browsing enable
C. smart-tunnel enable dart
D. anyconnect module value dart

Answer: D

Question: 157

You have deployed new Cisco AnyConnect start before logon modules and set the configuration to download modules before logon, but all client connections continue to use the previous version of the module. Which action must you take to correct the problem?

A. Configure start before logon in the client profile.
B. Configure a group policy to prompt the user to download the updated module.
C. Define the modules for download in the client profile.
D. Define the modules for download in the group policy.

Answer: A


Question: 158

Which feature do you include in a highly available system to account for potential site failures?

A. geographical separation of redundant devices
B. hot/standby failover pairs
C. Cisco ACE load-balancing with VIP
D. dual power supplies

Answer: A

Question: 159

Refer to the exhibit.

Which VPN solution does this configuration represent?

A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site

Answer: B


Question: 160

Which VPN type can be used to provide secure remote access from public internet cafes and airport kiosks?

A. site-to-site
B. business-to-business
C. Clientless SSL
D. DMVPN

Answer: C

Question: 161

Refer to the exhibit.

Which VPN solution does this configuration represent?

A. Cisco AnyConnect (IKEv2)
B. site-to-site
C. DMVPN
D. SSL VPN

Answer: D

Question: 162

What must be enabled in the web browser of the client computer to support Clientless SSL VPN?

A. cookies
B. ActiveX
C. Silverlight
D. popups

Answer: A

Question: 163

Which VPN feature allows remote access clients to print documents to local network printers?

A. Reverse Route Injection
B. split tunneling
C. loopback addressing
D. dynamic virtual tunnels

Answer: B

Question: 164

Which option is most effective at preventing a remote access VPN user from bypassing the corporate transparent web proxy?

A. using the proxy-server settings of the client computer to specify a PAC file for the client computer to download
B. instructing users to use the corporate proxy server for all web browsing
C. disabling split tunneling
D. permitting local LAN access

Answer: C

Question: 165

Which option is an example of an asymmetric algorithm?

A. 3DES
B. IDEA
C. AES
D. RSA

Answer: D

Question: 166

Which three parameters are specified in the isakmp (IKEv1) policy? (Choose three.)

A. the hashing algorithm
B. the authentication method
C. the lifetime
D. the session key
E. the transform-set
F. the peer

Answer: A, B, C

Question: 167

Which option is one component of a Public Key Infrastructure?

A. the Registration Authority
B. Active Directory
C. RADIUS
D. TACACS+

Answer: A

Question: 168

Which option is a required element of Secure Device Provisioning communications?

A. the introducer
B. the certificate authority
C. the requestor
D. the registration authority

Answer: A

Question: 169

Which technology can you implement to reduce latency issues associated with a Cisco AnyConnect VPN?

A. DTLS
B. SCTP
C. DCCP
D. SRTP

Answer: A

Question: 170

Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.

Topology

Default_Home


Which address pool is being assigned to the users connecting via the AnyConnect client?

A. AC_Address_Pool
B. Remote_Address_Pool
C. Outside_Address_Pool
D. VPN_Address_Pool

Answer: D

Explanation:
First Navigate to the Configuration -> Remote Access VPN tab and then choose the “AnyConnect Connection Profile” as shown below:


Then, clicking on the AnyConnect Profile at the bottom will bring you to the edit page shown below:

From here we can see that the Client Address Pools in use is the “VPN_Access_Pool”


Question: 171

Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.

Topology

Default_Home


Which address range will be assigned to the AnyConnect users?

A. 10.10.15.40-50/24
B. 209.165.201.20-30/24
C. 192.168.1.100-150/24
D. 10.10.15.20-30/24

Answer: D

Explanation:
First Navigate to the Configuration -> Remote Access VPN tab and then choose the “AnyConnect Connection Profile” as shown below:


Then, clicking on the AnyConnect Profile at the bottom will bring you to the edit page shown below:

From here, click the Select button on the “VPN_Address_Pool” and you will see the following pools defined:


Here we see that the VPN_Address_Pool contains the IP address range of 10.10.15.20-10.10.15.30/24.

Question: 172

Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.

Topology

Default_Home


What two actions will be taken on translated packets when the AnyConnect users connect to the ASA? (Choose two.)

A. No action will be taken, they will keep their original assigned addresses
B. The source address will use the outside-nat-pool
C. The source NAT type will be a static translation
D. The source NAT type will be a dynamic translation
E. DNS will be translated on rule matches

Answer: A, C

Explanation:
First, navigate to the Configuration -> NAT Rules tab to see this:


Here we see that NAT rule 2 applies to the AnyConnect clients, click on this rule for more details to see the following:

Here we see that it is a static source NAT entry, but that the Source and Destination addresses remain the original IP address so they are not translated.

Question: 173

Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.

Topology

Default_Home


Which two networks will be included in the secured VPN tunnel? (Choose two.)

A. 10.10.0.0/16
B. All networks will be securely tunneled
C. Networks with a source of any4
D. 10.10.9.0/24
E. DMZ network

Answer: A, E

Explanation:
Navigate to the Configuration -> Remote Access -> Group Policies tab to observe the following:


Then, click on the DlfGrpPolicy to see the following:

On the left side, select “Split Tunneling” to get to this page:


Here you see that the Network List called “Inside Subnets” is being tunneled (secured). Select Manage to see the list of networks

Here we see that the 10.10.0.0/16 and DMZ networks are being secured over the tunnel.

Question: 174

SIMULATION
Scenario
You are the network security administrator for your organization. Your company is growing and a remote branch office is being created. You are tasked with configuring your headquarters Cisco ASA to create a site-to-site IPsec VPN connection to the branch office Cisco ISR. The branch office ISR has already been deployed and configured and you need to complete the IPsec connectivity configurations on the HQ ASA to bring the new office online.

Use the following parameters to complete your configuration using ASDM. For this exercise, not all ASDM screens are active.
Enable IKEv1 on outside I/F for Site-to-site VPN
Add a Connection Profile with the following parameters:
Peer IP: 203.0.113.1
Connection name: 203.0.113.1
Local protected network: 10.10.9.0/24
Remote protected network: 10.11.11.0/24
Group Policy Name: use the default policy name supplied
Preshared key: cisco
Disable IKEv2
Encryption Algorithms: use the ASA defaults
Disable pre-configured NAT for testing of the IPsec tunnel
Disable the outside NAT pool rule
Establish the IPsec tunnel by sending ICMP pings from the Employee PC to the Branch Server at IP address 10.11.11.20
Verify tunnel establishment in ASDM VPN Statistics > Sessions window pane
You have completed this exercise when you have successfully configured, established, and verified site-to-site IPsec connectivity between the ASA and the Branch ISR.
Topology


Answer: Review the explanation for detailed answer steps.

Explanation:


First, click on Configuration -> Site-to-Site VPN to bring up this screen:

Click on “allow IKE v1 Access” for the outside per the instructions as shown below:

Then click apply at the bottom of the page. This will bring up the following pop up message:


Click on Send.
Next, we need to set up the connection profile. From the connection profile tab, click on “Add”

Then, fill in the information per the instructions as shown below:


Hit OK and you should see this:

To test this, we need to disable NAT. Go to Configuration -> Firewall -> NAT rules and you should see this:


Click on Rule 1 to get the details and you will see this:

We need to uncheck the “Enable rule” button on the bottom. It might also be a good idea to uncheck the “Translate DNS replies that match the rule” but it should not be needed.
Then, go back to the topology:


Click on Employee PC, and you will see a desktop with a command prompt shortcut. Use this to ping the IP address of 10.11.11.20 and you should see replies:

We can also verify by viewing the VPN Statistics -> Sessions and see the bytes in/out incrementing as shown below:


Question: 175

Which statement regarding GET VPN is true?

A. TEK rekeys can be load-balanced between two key servers operating in COOP.
B. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server.
C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
D. The configuration that defines which traffic to encrypt is present only on the key server.
E. The pseudotime that is used for replay checking is synchronized via NTP.

Answer: D

Question: 176

Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)

A. one IPsec SA for all encrypted traffic
B. no requirement for an overlay routing protocol
C. design for use over public or private WAN
D. sequence numbers that enable scalable replay checking
E. enabled use of ESP or AH
F. preservation of IP protocol in outer header

Answer: A, B


Question: 177

Which configuration is used to build a tunnel between a Cisco ASA and ISR?

A. crypto map
B. DMVPN
C. GET VPN
D. GRE with IPsec
E. GRE without IPsec

Answer: A

Question: 178

Which two statements regarding IKEv2 are true per RFC 4306? (Choose two.)

A. It is compatible with IKEv1.
B. It has at minimum a nine-packet exchange.
C. It uses aggressive mode.
D. NAT traversal is included in the RFC.
E. It uses main mode.
F. DPD is defined in RFC 4309.
G. It allows for EAP authentication.

Answer: D, G

Question: 179

Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.)

A. transform set
B. ISAKMP policy
C. ACL that defines traffic to encrypt
D. dynamic routing protocol
E. tunnel interface
F. IPsec profile
G. PSK or PKI trustpoint with certificate

Answer: A, B, G

Question: 180

Which three parameters must match on all routers in a DMVPN Phase 3 cloud? (Choose three.)

A. NHRP network ID
B. GRE tunnel key
C. NHRP authentication string
D. tunnel VRF
E. EIGRP process name
F. EIGRP split-horizon setting

Answer: A, B, C

Question: 181

Which type of NHRP packet is unique to Phase 3 DMVPN topologies?

A. resolution request
B. resolution reply
C. redirect
D. registration request
E. registration reply
F. error indication

Answer: C

Question: 182

Which three changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose three.)

A. Enable EIGRP next-hop-self on the hub.
B. Disable EIGRP next-hop-self on the hub.
C. Enable EIGRP split-horizon on the hub.
D. Add NHRP redirects on the hub.
E. Add NHRP shortcuts on the spoke.
F. Add NHRP shortcuts on the hub.

Answer: B, D, E

Question: 183

Which configuration construct must be used in a FlexVPN tunnel?

A. multipoint GRE tunnel interface
B. IKEv1 policy
C. IKEv2 profile
D. EAP configuration

Answer: C


Question: 184

Which benefit of FlexVPN is not offered by DMVPN using IKEv1?

A. Dynamic routing protocols can be configured.
B. IKE implementation can install routes in routing table.
C. GRE encapsulation allows for forwarding of non-IP traffic.
D. NHRP authentication provides enhanced security.

Answer: B

Question: 185

Which algorithm provides both encryption and authentication for data plane communication?

A. SHA-96
B. SHA-384
C. 3DES
D. AES-256
E. AES-GCM
F. RC4

Answer: E

Question: 186

Refer to the exhibit.

The customer can establish an AnyConnect connection on the first attempt only. Subsequent attempts fail. What might be the issue?

A. IKEv2 is blocked over the path.
B. UserGroup must be different than the name of the connection profile.
C. The primary protocol should be SSL.
D. UserGroup must be the same as the name of the connection profile.

Answer: D

Question: 187

Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

A. group-alias
B. certificate map
C. use gateway command
D. group-url
E. AnyConnect client version

Answer: B, D

Question: 188

Refer to the exhibit.

The customer needs to launch AnyConnect in the RDP machine. Which configuration is correct?

A. crypto vpn anyconnect profile test flash:RDP.xml
policy group default
svc profile test
B. crypto vpn anyconnect profile test flash:RDP.xml
webvpn context GW_1
browser-attribute import flash:/swj.xml
C. crypto vpn anyconnect profile test flash:RDP.xml
policy group default
svc profile flash:RDP.xml
D. crypto vpn anyconnect profile test flash:RDP.xml
webvpn context GW_1
browser-attribute import test

Answer: A


Question: 189

A customer requires all traffic to go through a VPN. However, access to the local network is also required. Which two options can enable this configuration? (Choose two.)

A. split exclude
B. use of an XML profile
C. full tunnel by default
D. split tunnel
E. split include

Answer: A, B

Question: 190

Which two statements about the Cisco ASA Clientless SSL VPN smart tunnels feature are true? (Choose two.)

A. Smart tunnels are enabled on the secure gateway (Cisco ASA) for specific applications that run on the end client and work irrespective of which transport protocol the application uses.
B. Smart tunnels require Administrative privileges to run on the client machine.
C. A smart tunnel is a DLL that is pushed from the headend to the client machine after SSL VPN portal authentication and that is attached to smart-tunneled processes to route traffic through the SSL VPN session with the gateway.
D. Smart tunnels offer better performance than the client-server plugins.
E. Smart tunnels are supported on Windows, Mac, and Linux.

Answer: C, D

Question: 191

Which three types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL VPN portal? (Choose three.)

A. HTTP
B. VNC
C. CIFS
D. RDP
E. HTTPS
F. ICA (Citrix)

Answer: A, C, E

Question: 192

Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)

A. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.
B. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.
C. A Cisco ASA with an AnyConnect Premium Peers license can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.
D. Content rewriter functionality in the Clientless SSL VPN portal is not supported on Apple mobile devices.
E. Clientless SSLVPN provides Layer 3 connectivity into the secured network.

Answer: C, D

Question: 193

Which three types of SSO functionality are available on the Cisco ASA without any external SSO servers? (Choose three.)

A. SAML
B. HTTP POST
C. HTTP Basic
D. NTLM
E. Kerberos
F. OAuth 2.0

Answer: B, C, D

Question: 194

Refer to the exhibit.

Which type of mismatch is causing the problem with the IPsec VPN tunnel?

A. PSK
B. Phase 1 policy
C. transform set
D. crypto access list

Answer: A


Question: 195

Refer to the exhibit.

What is the problem with the IKEv2 site-to-site VPN tunnel?

A. incorrect PSK
B. crypto access list mismatch
C. incorrect tunnel group
D. crypto policy mismatch
E. incorrect certificate

Answer: D

Question: 196

Refer to the exhibit.

A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action can bring up the VPN tunnel?

A. Increase the maximum SA limit on the local Cisco ASA.
B. Correct the crypto access list on both Cisco ASA devices.
C. Remove the maximum SA limit on the remote Cisco ASA.
D. Reduce the maximum SA limit on the local Cisco ASA.
E. Correct the IP address in the local and remote crypto maps.
F. Increase the maximum SA limit on the remote Cisco ASA.

Answer: A

Question: 197

Refer to the exhibit.

The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch might be the problem?

A. PSK
B. crypto policy
C. peer identity
D. transform set

Answer: C

Question: 198

Which three configuration parameters are mandatory for an IKEv2 profile? (Choose three.)

A. IKEv2 proposal
B. local authentication method
C. match identity or certificate
D. IKEv2 policy
E. PKI certificate authority
F. remote authentication method
G. IKEv2 profile description
H. virtual template

Answer: B, C, F


Question: 199

As network security architect, you must implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity. Which technology should you use?

A. IPsec DVTI
B. FlexVPN
C. DMVPN
D. IPsec SVTI
E. GET VPN

Answer: E

Question: 200

As network consultant, you are asked to suggest a VPN technology that can support a multivendor environment and secure traffic between sites. Which technology should you recommend?

A. DMVPN
B. FlexVPN
C. GET VPN
D. SSL VPN

Answer: B

Question: 201

Which three configurations are prerequisites for stateful failover for IPsec? (Choose three.)

A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the IPsec configuration is copied automatically.
B. Only crypto map configuration that is set up on the active device must be duplicated on the standby device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.
D. The active and standby devices can run different versions of the Cisco IOS software but need to be the same type of device.
E. The active and standby devices must run the same version of the Cisco IOS software and should be the same type of device.
F. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device; the IKE configuration is copied automatically.
G. The IKE configuration that is set up on the active device must be duplicated on the standby device.

Answer: C, E, G


Question: 202

Refer to the exhibit.

Which type of VPN implementation is displayed?

A. IKEv2 reconnect
B. IKEv1 cluster
C. IKEv2 load balancer
D. IKEv1 client
E. IPsec high availability
F. IKEv2 backup gateway

Answer: C

Question: 203

Refer to the exhibit.

Which type of VPN is being configured, based on the partial configuration snippet?

A. DMVPN with dual hub
B. GET VPN with dual group member
C. FlexVPN backup gateway
D. GET VPN with COOP key server
E. FlexVPN load balancer

Answer: D

Question: 204

Refer to the exhibit.

Which two characteristics of the VPN implementation are evident? (Choose two.)

A. dual DMVPN cloud setup with dual hub
B. DMVPN Phase 3 implementation
C. single DMVPN cloud setup with dual hub
D. DMVPN Phase 1 implementation
E. quad DMVPN cloud with quadra hub
F. DMVPN Phase 2 implementation

Answer: B, C

Question: 205

Which equation describes an elliptic curve?

A. y^3 = x^3 + ax + b
B. x^3 = y^2 + ab + x
C. y^4 = x^2 + ax + b
D. y^2 = x^3 + ax + b
E. y^2 = x^2 + ax + b^2

Answer: D

Question: 206

Which two statements comparing ECC and RSA are true? (Choose two.)

A. ECC can have the same security as RSA but with a shorter key size.
B. ECC lags in performance when compared with RSA.
C. Key generation in ECC is slower and less CPU intensive.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. Key generation in ECC is faster and less CPU intensive.

Answer: A, E

Question: 207

Which command identifies an AnyConnect profile that was uploaded to the router flash?

A. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
B. svc import profile SSL_profile flash:simos-profile.xml
C. anyconnect profile SSL_profile flash:simos-profile.xml
D. webvpn import profile SSL_profile flash:simos-profile.xml

Answer: A

Question: 208

Which PKI enrollment method allows the user to separate authentication and enrollment actions and also provides an option to specify HTTP/TFTP commands to perform file retrieval from the server?

A. enrollment profile
B. enrollment terminal
C. enrollment url
D. enrollment selfsigned

Answer: A

Question: 209

Which protocol can be used for better throughput performance when using Cisco AnyConnect VPN?

A. TLSv1
B. TLSv1.1
C. TLSv1.2
D. DTLSv1

Answer: D

Question: 210

Which algorithm is an example of asymmetric encryption?

A. RC4
B. AES
C. ECDSA
D. 3DES

Answer: C

Question: 211

Which DAP endpoint attribute checks for the matching MAC address of a client machine?

A. device
B. process
C. antispyware
D. BIA

Answer: A

Question: 212

Which protocol must be enabled on the inside interface to use cluster encryption in SSL VPN load balancing?

A. TLS
B. DTLS
C. IKEv2
D. ISAKMP

Answer: D

Question: 213

Refer to the exhibit.

Which technology does this configuration demonstrate?

A. AnyConnect SSL over IPv4+IPv6
B. AnyConnect FlexVPN over IPv4+IPv6
C. AnyConnect FlexVPN IPv6 over IPv4
D. AnyConnect SSL IPv6 over IPv4

Answer: A

Question: 214

An engineer wants to ensure that employees cannot access corporate resources on untrusted networks, but does not want a new VPN session to be established each time they leave the trusted network. Which Cisco AnyConnect Trusted Network Policy option allows this ability?

A. Pause
B. Connect
C. Do Nothing
D. Disconnect

Answer: A

Question: 215

Refer to the exhibit. In this tunnel mode GRE multipoint example, which command on the hub router distinguishes one spoke from the other?

A. no ip route
B. ip nhrp map
C. ip frame-relay
D. tunnel mode gre multipoint

Answer: D

Question: 216

A network engineer must configure a new VPN tunnel utilizing IKEv2. For which three reasons would a configuration use IKEv2 instead of IKEv1? (Choose three.)

A. increased hash size
B. DOS protection
C. Preshared keys are used for authentication.
D. RSA-Sig used for authentication
E. native NAT traversal
F. asymmetric authentication

Answer: BEF

Question: 217

A network engineer is troubleshooting a site VPN tunnel configured on a Cisco ASA and wants to validate that the tunnel is sending and receiving traffic. Which command accomplishes this task?

A. show crypto ikev1 sa peer
B. show crypto ikev2 sa peer
C. show crypto ipsec sa peer
D. show crypto isakmp sa peer

Answer: C

Question: 218

When troubleshooting clientless SSL VPN connections, which option can be verified on the client PC?

A. address assignment
B. DHCP configuration
C. tunnel group attributes
D. host file misconfiguration

Answer: D

Question: 219

Which two commands are included in the command show dmvpn detail? (Choose two.)

A. Show ip nhrp
B. Show ip nhrp nhs
C. Show crypto ipsec sa detail
D. Show crypto session detail
E. Show crypto sockets

Answer: DE

Question: 220

An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS routers. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats seem to show that they are up. However, when trying to connect to a remote server using RDP, the connection fails. Which action resolves this issue?

A. Change DMVPN timeout values.
B. Adjust the MTU size within the routers.
C. Replace certificate on the RDP server.
D. Add RDP port to the extended ACL.

Answer: C

Questoos 221

Which feature is a beoeft if Dyoamic Multpiiot VPN?

A. geographic filtering of spoke devices
B. translation PAT
C. rotating wildcard preshared keys
D. dynamic spoke-to-spoke tunnel establishment

Answer: D

Question: 222

An engineer has configured Cisco AnyConnect VPN using IKEv2 on a Cisco IOS router. The user
cannot connect in the Cisco AnyConnect client, but receives an alert message “Use a browser to gain
access.” Which action does the engineer take to eliminate this issue?

A. Reset user login credentials.
B. Disable the HTTP server.
C. Correct the URL address.
D. Connect using HTTPS.

Answer: B

Question: 223

Refer to the exhibit. A network administrator is running DMVPN with EIGRP. When the administrator
looks at the routing table on spoke 1, it displays a route to the hub only. Which command is missing
on the hub router that would include spoke 2 and spoke 3 in the spoke 1 routing table?

A. no inverse arp
B. neighbor (ip address)
C. no ip split-horizon eigrp 1
D. redistribute static

Answer: C

Question: 224

Which algorithm provides both encryption and authentication for plane communication?

A. RC4
B. SHA-384
C. AES-256
D. SHA-96
E. 3DES
F. AES-GCM

Answer: F

Question: 225

Refer to the exhibit. Client 1 cannot communicate with Client 2. Both clients are using Cisco
AnyConnect and have established a successful SSL VPN connection to the hub ASA.
Which command on the ASA is missing?

A. same-security-traffic permit inter-interface
B. same-security-traffic permit intra-interface
C. dns-server value 10.1.1.3
D. split-tunnel-network list

Answer: B

Question: 226

Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two.)

A. to define group members.
B. to distribute static routing information.
C. to distribute dynamic routing information.
D. to encrypt transit traffic.

Answer: AD

Question: 227

Refer to the exhibit. An engineer is troubleshooting a new GRE over IPSEC tunnel. The tunnel is
established, but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being
blocked?

A. ESP packets from spoke1 to spoke2
B. ISAKMP packets from spoke2 to spoke1
C. ESP packets from spoke2 to spoke1
D. ISAKMP packets from spoke1 to spoke2

Answer: C

Question: 228

A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message:
The AnyConnect package on the secure gateway could not be located. You may be experiencing
network connectivity issues. Please try connecting again.
Which option is the likely cause of this issue?

A. This Cisco ASA firewall has experienced a failure.
B. The user is entering an incorrect password.
C. The user’s operating system is not supported with the ASA’s current configuration.
D. The user laptop clock is not synchronized with NTP.

Answer: A

Question: 229

Which two operational advantages does GetVPN offer over site-to-site IPsec tunnel in a private
MPLS-based core network? (Choose two.)

A. Key servers perform encryption and decryption of all the data in the network, which allows for
tight security policies.
B. Traffic uses one VRF to encrypt data and a different one to decrypt data, which allows for multicast
traffic isolation.
C. GETVPN is tunnel-less, which allows any group member to perform decryption and routing around
network failures.
D. Packets carry original source and destination IP addresses, which allows for optimal routing of
encrypted traffic.
E. Group Domain of Interpretation protocol allows for homomorphic encryption, which allows group
members to operate on messages without decrypting them.

Answer: DE

Question: 230

An administrator received a report that a user cannot connect to the headquarters site using Cisco
AnyConnect and receives this error: "The installer was not able to start the Cisco VPN client, clientless
access is not available." Which option is a possible cause for this error?

A. The client version of Cisco AnyConnect is not compatible with the Cisco ASA software image.
B. The operating system of the client machine is not supported by Cisco AnyConnect.
C. The driver for Cisco AnyConnect is outdated.
D. The installed version of Java is not compatible with Cisco AnyConnect.

Answer: C

Question: 231

An engineer is configuring an IPsec VPN with IKEv2. Which three components are part of the IKEv2
proposal for this implementation? (Choose three.)

A. key ring
B. DH group
C. integrity
D. tunnel name
E. encryption

Answer: BCE

Question: 232

Which command can be used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?

A. show crypto ikev2 client flexvpn
B. show crypto identity
C. show crypto isakmp sa
D. show crypto gkm

Answer: A

Question: 233

Refer to the exhibit. An engineer encounters a debug message. Which action can the engineer take
to eliminate this error message?

A. Use stronger encryption suite.
B. Correct the VPN peer address.
C. Make adjustment to IPSec replay window.
D. Change the preshared key to match.

Answer: B

Question: 234

Which two changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is
configured? (Choose two.)

A. Disable EIGRP next-hop-self on the hub.
B. Enable EIGRP next-hop-self on the hub.
C. Add NHRP shortcuts on the hub.
D. Add NHRP redirects on the hub.
E. Add NHRP redirects on the spoke.

Answer: BD

Question: 235

Refer to the exhibit. VPN load balancing provides a way to distribute remote access, IPsec, and SSL
VPN connections across multiple security appliances. Which remote access client types does the load
balancing feature support?

A. IPsec site-to-site tunnels
B. L2TP over IPsec
C. OpenVPN
D. Cisco AnyConnect Secure Mobility Client

Answer: B

Question: 236

Using the Next Generation Encryption technologies, which is the minimum acceptable encryption
level to protect sensitive information?

A. AES 92 bits
B. AES 128 bits
C. AES 256 bits
D. AES 512 bits

Answer: C

Question: 237

An engineer is troubleshooting a DMVPN spoke router and sees a CRYPTO-4-IKMP_BAD_MESSAGE
debug message that a spoke router “failed its sanity check or is malformed”. Which issue does the
error message indicate?

A. mismatched preshared key
B. unsupported transform proposal
C. invalid IP packet SPI
D. incompatible transform set

Answer: A

Question: 238

Which statement is correct concerning the trusted network detection (TND) feature?

A. The Cisco AnyConnect 3.0 Client supports TND on Windows, Mac, and Linux platforms.
B. With TND, one result of a Cisco Secure Desktop basic scan on an endpoint is to determine whether
a device is a member of a trusted or an untrusted network.
C. If enabled, and a CSD scan determines that a host is a member of an untrusted network, an
administrator can configure the TND feature to prohibit an end user from launching the Cisco
AnyConnect VPN Client.
D. When the user is inside the corporate network, TND can be configured to automatically
disconnect a Cisco AnyConnect session.

Answer: D

Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html
Trusted Network Detection
Trusted Network Detection (TND) gives you the ability to have AnyConnect automatically disconnect
a VPN connection when the user is inside the corporate network (the trusted network) and start the
VPN connection when the user is outside the corporate network (the untrusted network). This
feature encourages greater security awareness by initiating a VPN connection when the user is
outside the trusted network.
If AnyConnect is also running Start Before Logon (SBL), and the user moves into the trusted network,
the SBL window displayed on the computer automatically closes.
TND does not interfere with the ability of the user to manually establish a VPN connection. It does
not disconnect a VPN connection that the user starts manually in the trusted network. TND only
disconnects the VPN session if the user first connects in an untrusted network and moves into a
trusted network. For example, TND disconnects the VPN session if the user makes a VPN connection
at home and then moves into the corporate office.
Because the TND feature controls the AnyConnect GUI and automatically initiates connections, the
GUI should run at all times. If the user exits the GUI, TND does not automatically start the VPN
connection.
You configure TND in the AnyConnect profile. No changes are required to the ASA configuration.

Question: 239

Refer to the exhibit.

You are configuring a laptop with the Cisco VPN Client, which uses digital certificates for
authentication.
Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?

A. FTP
B. LDAP
C. HTTPS
D. SCEP
E. OCSP

Answer: D

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
About CRLs
Certificate Revocation Lists provide the security appliance with one means of determining whether a
certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a
part of the configuration of a trustpoint.
You can configure the security appliance to make CRL checks mandatory when authenticating a
certificate (revocation-check crl command). You can also make the CRL check optional by adding the
none argument (revocation-check crl none command), which allows the certificate authentication to
succeed when the CA is unavailable to provide updated CRL data.
The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each
trustpoint are cached for a length of time configurable for each trustpoint.
When the security appliance has cached a CRL for more than the length of time it is configured to
cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security
appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication
requires checking the stale CRL.

Question: 240

When using clientless SSL VPN, you might not want some applications or web resources to go
through the Cisco ASA appliance. For these application and web resources, as a Cisco ASA
administrator, which configuration should you use?

A. Configure the Cisco ASA appliance for split tunneling.
B. Configure network access exceptions in the SSL VPN customization editor.
C. Configure the Cisco ASA appliance to disable content rewriting.
D. Configure the Cisco ASA appliance to enable URL Entry bypass.
E. Configure smart tunnel to bypass the Cisco ASA appliance proxy function.

Answer: C

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_web.html
Content Rewrite
The Content Rewrite pane lists all applications for which content rewrite is enabled or disabled.
Clientless SSL VPN processes application traffic through a content transformation/rewriting engine
that includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to
proxy HTTP traffic which may have different semantics and access control rules depending on
whether the user is using an application within or independently of an SSL VPN device.
By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want
some applications and web resources (for example, public websites) to go through the security
appliance. The security appliance therefore lets you create rewrite rules that let users browse certain
sites and applications without going through the security appliance. This is similar to split-tunneling
in an IPSec VPN connection.
You can create multiple rewrite rules. The rule number is important because the security appliance
searches rewrite rules by order number, starting with the lowest, and applies the first rule that
matches.

Question: 241

Refer to the exhibit.

The "level_2" digital certificate was installed on a laptop.
What can cause an "invalid not active" status message?

A. On first use, a CA server-supplied passphrase is entered to validate the certificate.
B. A "newly installed" digital certificate does not become active until it is validated by the peer device
upon its first usage.
C. The user has not clicked the Verify button within the Cisco VPN Client.
D. The CA server and laptop PC clocks are out of sync.

Answer: D

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
Certificates have a date and time that they become valid and that they expire. When the security
appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time
is within the valid range for the certificate. If it is outside that range, enrollment fails.
The same would apply to communication between ASA and PC.

Question: 242

Refer to the exhibit.

A NOC engineer is in the process of entering information into the Create New VPN Connection Entry
fields.
Which statement correctly describes how to do this?

A. In the Connection Entry field, enter the name of the connection profile as it is specified on the
Cisco ASA appliance.
B. In the Host field, enter the IP address of the remote client device.
C. In the Authentication tab, click the Group Authentication or Mutual Group Authentication radio
button to enable symmetrical pre-shared key authentication.
D. In the Name field, enter the name of the connection profile as it is specified on the Cisco ASA
appliance.

Answer: D

Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/win/user/guide/vc4.html#wp1074766
Step 1 Start the VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Client.
Step 2 The VPN Client application starts and displays the advanced mode main window (Figure 4-1).
If you are not already there, open the Options menu in simple mode and choose Advanced Mode or
press Ctrl-M.
Step 3 Select New from the toolbar or the Connection Entries menu. The VPN Client displays a form
Step 4 Enter a unique name for this new connection. You can use any name to identify this
connection; for example, Engineering. This name can contain spaces, and it is not case-sensitive.
Step 5 Enter a description of this connection. This field is optional, but it helps further identify this
connection.
For example, Connection to Engineering remote server.
Step 6 Enter the hostname or IP address of the remote VPN device you want to access.
Group Authentication
Your network administrator usually configures group authentication for you. If this is not the case,
use the following procedure:
Step 1 Click the Group Authentication radio button.
Step 2 In the Name field, enter the name of the IPSec group to which you belong. This entry is
case-sensitive.
Step 3 In the Password field, enter the password (which is also case-sensitive) for your IPSec group.
The field displays only asterisks.
Step 4 Verify your password by entering it again in the Confirm Password field.

Question: 243

Refer to the exhibit.

A new NOC engineer is troubleshooting a VPN connection.
Which statement about the fields within the Cisco VPN Client Statistics screen is correct?

A. The ISP-assigned IP address of 10.0.21.1 is assigned to the VPN adapter of the PC.
B. The IP address of the security appliance to which the Cisco VPN Client is connected is 192.168.1.2.
C. CorpNet is the name of the Cisco ASA group policy whose tunnel parameters the connection is
using.
D. The ability of the client to send packets transparently and unencrypted through the tunnel for test
purposes is turned off.
E. With split tunneling enabled, the Cisco VPN Client registers no decrypted packets.

Answer: B

Question: 244

An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation
headquarters, tried to access the XYZ sales demonstration folder to transfer a demonstration via FTP
from an ABC conference room behind the firewall. The engineer could not reach XYZ through the
remote-access VPN tunnel. From home the previous day, however, the engineer did connect to the
XYZ sales demonstration folder and transferred the demonstration via IPsec over DSL.
To get the connection to work and transfer the demonstration, what should the engineer do?

A. Change the MTU size on the IPsec client to account for the change from DSL to cable transmission.
B. Enable the local LAN access option on the IPsec client.
C. Enable the IPsec over TCP option on the IPsec client.
D. Enable the clientless SSL VPN option on the PC.

Answer: C

Explanation:
IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an
environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key
Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with
modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols
within a TCP packet, and it enables secure tunneling through both Network Address Translation (NAT)
and Port Address Translation (PAT) devices and firewalls.

Question: 245

Refer to the exhibit.

While configuring a site-to-site VPN tunnel, a new NOC engineer encounters the Reverse Route
Injection parameter.
Assuming that static routes are redistributed by the Cisco ASA to the IGP, what effect does enabling
Reverse Route Injection on the local Cisco ASA have on a configuration?

A. The local Cisco ASA advertises its default routes to the distant end of the site-to-site VPN tunnel.
B. The local Cisco ASA advertises routes from the dynamic routing protocol that is running on the
local Cisco ASA to the distant end of the site-to-site VPN tunnel.
C. The local Cisco ASA advertises routes that are at the distant end of the site-to-site VPN tunnel.
D. The local Cisco ASA advertises routes that are on its side of the site-to-site VPN tunnel to the
distant end of the site-to-site VPN tunnel.

Answer: C

Explanation:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

Question: 246

Refer to the exhibit.

A NOC engineer needs to tune some prelogin parameters on an SSL VPN tunnel.
From the information that is shown, where should the engineer navigate to find the prelogin session
attributes?

A. "engineering" Group Policy
B. "contractor" Connection Profile
C. "engineer1" AAA/Local Users
D. DfltGrpPolicy Group Policy

Answer: B

Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac05hostscanposture.html#wp1039696

Question: 247

Refer to the exhibit.

A NOC engineer needs to tune some postlogin parameters on an SSL VPN tunnel.
From the information shown, where should the engineer navigate to, in order to find all the postlogin
session parameters?

A. "engineering" Group Policy
B. "contractor" Connection Profile
C. DefaultWEBVPNGroup Group Policy
D. DefaultRAGroup Group Policy
E. "engineer1" AAA/Local Users

Answer: A

Explanation:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html#wp1054618
The policy group is a container that defines the presentation of the portal and the permissions for
resources that are configured for a group of remote users. Entering the policy group command places
the router in webvpn group policy configuration mode. After it is configured, the group policy is
attached to the SSL VPN context configuration by configuring the default-group-policy command.
The following tasks are accomplished in this configuration:
• The presentation of the SSL VPN portal page is configured.
• A NetBIOS server list is referenced.
• A port-forwarding list is referenced.
• The idle and session timers are configured.
• A URL list is referenced.

Question: 248

Refer to the exhibit.

For the ABC Corporation, members of the NOC need the ability to select tunnel groups from a
drop-down menu on the Cisco WebVPN login page.
As the Cisco ASA administrator, how would you accomplish this task?

A. Define a special identity certificate with multiple groups, which are defined in the certificate OU
field, that will grant the certificate holder access to the named groups on the login page.
B. Under Group Policies, define a default group that encompasses the required individual groups that
will appear on the login page.
C. Under Connection Profiles, define a NOC profile that encompasses the required individual profiles
that will appear on the login page.
D. Under Connection Profiles, enable "Allow user to select connection profile."

Answer: D

Explanation:
Cisco ASDM User Guide Version 6.1
Add or Edit SSL VPN Connections > Advanced > SSL VPN
This dialog box lets you configure attributes that affect what the remote user sees upon login.
Fields
• Login Page Customization—Configures the look and feel of the user login page by specifying which
preconfigured customization attributes to apply. The default is DfltCustomization.
• Manage—Opens the Configure GUI Customization Objects window.
• Connection Aliases—Lists in a table the existing connection aliases and their status and lets you add
or delete items in that table. A connection alias appears on the user login page if the connection is
configured to allow users to select a particular connection (tunnel group) at login.
  – Add—Opens the Add Connection Alias window, on which you can add and enable a connection alias.
  – Delete—Removes the selected row from the connection alias table. There is no confirmation or undo.
• Group URLs—Lists in a table the existing group URLs and their status and lets you add or delete
items in that table. A group URL appears on the user login page if the connection is configured to
allow users to select a particular group at login.
  – Add—Opens the Add Group URL window, on which you can add and enable a group URL.
  – Delete—Removes the selected row from the connection alias table. There is no confirmation or undo.

Question: 249

Refer to the exhibit.

A junior network engineer configured the corporate Cisco ASA appliance to accommodate a new
temporary worker. For security reasons, the IT department wants to restrict the internal network
access of the new temporary worker to the corporate server, with an IP address of 10.0.4.10. After
the junior network engineer finished the configuration, an IT security specialist tested the account of
the temporary worker. The tester was able to access the URLs of additional secure servers from the
WebVPN user account of the temporary worker.
What did the junior network engineer configure incorrectly?

A. The ACL was configured incorrectly.
B. The ACL was applied incorrectly or was not applied.
C. Network browsing was not restricted on the temporary worker group policy.
D. Network browsing was not restricted on the temporary worker user policy.

Answer: B

Question: 250

Your corporate finance department purchased a new non-web-based TCP application tool to run on
one of its servers. Certain finance employees need remote access to the software during nonbusiness
hours. These employees do not have "admin" privileges to their PCs.
What is the correct way to configure the SSL VPN tunnel to allow this application to run?

A. Configure a smart tunnel for the application.
B. Configure a "finance tool" VNC bookmark on the employee clientless SSL VPN portal.
C. Configure the plug-in that best fits the application.
D. Configure the Cisco ASA appliance to download the Cisco AnyConnect SSL VPN Client to the
finance employee each time an SSL VPN tunnel is established.

Answer: A

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html
A smart tunnel is a connection between a TCP-based application and a private site, using a clientless
(browser based) SSL VPN session with the security appliance as the pathway, and the security
appliance as a proxy server. You can identify applications to which you want to grant smart tunnel
access, and specify the local path to each application. For applications running on Microsoft
Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for
granting smart tunnel access.
Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might
want to grant smart tunnel access.
Configuring smart tunnels requires one of the following procedures, depending on whether the
application is a client or is a web-enabled application:
• Create one or more smart tunnel lists of the client applications, then assign the list to the group
policies or local user policies for whom you want to provide smart tunnel access.
• Create one or more bookmark list entries that specify the URLs of the web-enabled applications
eligible for smart tunnel access, then assign the list to the DAPs, group policies, or local user policies
for whom you want to provide smart tunnel access.
You can also list web-enabled applications for which to automate the submission of login credentials
in smart tunnel connections over clientless SSL VPN sessions.
Why Smart Tunnels?
Smart tunnel access lets a client TCP-based application use a browser-based VPN connection to
connect to a service. It offers the following advantages to users, compared to plug-ins and the legacy
technology, port forwarding:
• Smart tunnel offers better performance than plug-ins.
• Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user
connection of the local application to the local port.
• Unlike port forwarding, smart tunnel does not require users to have administrator privileges.
The advantage of a plug-in is that it does not require the client application to be installed on the
remote computer.
Smart Tunnel Requirements, Restrictions, and Limitations
The following sections categorize the smart tunnel requirements and limitations.
General Requirements and Limitations
Smart tunnel has the following general requirements and limitations:
• The remote host originating the smart tunnel must be running a 32-bit version of Microsoft
Windows Vista, Windows XP, or Windows 2000; or Mac OS 10.4 or 10.5.
• Smart tunnel auto sign-on supports only Microsoft Internet Explorer on Windows.
• The browser must be enabled with Java, Microsoft ActiveX, or both.
• Smart tunnel supports only proxies placed between computers running Microsoft Windows and the
security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended
for system-wide use in Windows). If the remote computer requires a proxy server to reach the
security appliance, the URL of the terminating end of the connection must be in the list of URLs
excluded from proxy services. If the proxy configuration specifies that traffic destined for the ASA
goes through a proxy, all smart tunnel traffic goes through the proxy.
In an HTTP-based remote access scenario, sometimes a subnet does not provide user access to the
VPN gateway. In this case, a proxy placed in front of the ASA to route traffic between the web and the
end user's location provides web access. However, only VPN users can configure proxies placed in
front of the ASA.
When doing so, they must make sure these proxies support the CONNECT method. For proxies that
require authentication, smart tunnel supports only the basic digest authentication type.
• When smart tunnel starts, the security appliance by default passes all browser traffic through the
VPN session if the browser process is the same. The security appliance also does this if a tunnel-all
policy applies. If the user starts another instance of the browser process, it passes all traffic through
the VPN session. If the browser process is the same and the security appliance does not provide
access to a URL, the user cannot open it. As a workaround, assign a tunnel policy that is not
tunnel-all.
• A stateful failover does not retain smart tunnel connections. Users must reconnect following a
failover.

Question: 251

Which statement about plug-ins is false?

A. Plug-ins do not require any installation on the remote system.
B. Plug-ins require administrator privileges on the remote system.
C. Plug-ins support interactive terminal access.
D. Plug-ins are not supported on the Windows Mobile platform.

Answer: B

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1162435
Plug-ins
The security appliance supports Java plug-ins for clientless SSL VPN connections. Plug-ins are Java
programs that operate in a browser. These plug-ins include SSH/Telnet, RDP, VNC, and Citrix.
Per the GNU General Public License (GPL), Cisco redistributes plug-ins without making any changes
to them.
Per the GPL, Cisco cannot directly enhance these plug-ins.
To use plug-ins you must install Java Runtime Environment (JRE) 1.4.2.x or greater. You must also use
a compatible browser specified here:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpncompatibility.html

Question: 252

A temporary worker must use clientless SSL VPN with an SSH plug-in, in order to access the console
of an internal corporate server, the projects.xyz.com server. For security reasons, the network
security auditor insists that the temporary user is restricted to the one internal corporate server,
10.0.4.18. You are the network engineer who is responsible for the network access of the temporary
user.
What should you do to restrict SSH access to the one projects.xyz.com server?

A. Configure access-list temp_user_acl extended permit TCP any host 10.0.4.18 eq 22.
B. Configure access-list temp_user_acl standard permit host 10.0.4.18 eq 22.
C. Configure access-list temp_acl webtype permit url ssh://10.0.4.18.
D. Configure a plug-in SSH bookmark for host 10.0.4.18, and disable network browsing on the
clientless SSL VPN portal of the temporary worker.

Answer: C

Explanation:
Web ACLs
The Web ACLs table displays the filters configured on the security appliance applicable to Clientless
SSL VPN traffic. The table shows the name of each access control list (ACL), and below and indented
to the right of the ACL name, the access control entries (ACEs) assigned to the ACL. Each ACL permits
or denies access to specific networks, subnets, hosts, and web servers. Each
ACE specifies one rule that serves the function of the ACL. You can configure ACLs to apply to
Clientless SSL VPN traffic. The following rules apply:
• If you do not configure any filters, all connections are permitted.
• The security appliance supports only an inbound ACL on an interface.
• At the end of each ACL, an implicit, unwritten rule denies all traffic that is not explicitly permitted.
You can use the following wildcard characters to define more than one wildcard in the Webtype
access list entry:
• Enter an asterisk “*” to match no characters or any number of characters.
• Enter a question mark “?” to match any one character exactly.
• Enter square brackets “[]” to create a range operator that matches any one character in a range.
The following examples show how to use wildcards in Webtype access lists.
• The following example matches URLs such as http://www.cisco.com/ and http://wwz.caco.com/:
access-list test webtype permit url http://ww?.c*co*/

Question: 253

Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless
SSL VPN session. Which statement is correct concerning the SSL VPN authorization process?

A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an
external AAA server.
B. Remote clients can be authorized externally by applying group parameters from an external
database.
C. Remote client authorization is supported by RADIUS and TACACS+ protocols.
D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.

Answer: B

Explaoatiop
CISCO SSL VPN guide
The aaa autheotcatio cimmaod is eotered ti specify ao autheotcatio list ir server griup uoder a
SSL VPN ciotext ciofguratio. If this cimmaod is oit ciofgured aod AAA is ciofgured glibally io
the riuter, glibal autheotcatio will be applied ti the ciotext ciofguratio.
The database that is ciofgured fir remite-user autheotcatio io the SSL VPN gateway cao be a
lical database, ir the database cao be accessed thriugh aoy RADIUS ir TACACS+ AAA server.
We recimmeod that yiu use a separate AAA server, such as a Cisci Access Ciotril Server (ACS). A
separate AAA server privides a mire ribust security silutio. It alliws yiu ti ciofgure uoique
passwirds fir each remite user aod acciuotog aod liggiog fir remite-user sessiios.

Question: 254

After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?

A. IPsec user profile
B. Crypto Map
C. Group Policy
D. IPsec Policy
E. IKE Policy

Answer: B

Question: 255

Refer to the exhibit.

While troubleshooting a remote-access application, a new NOC engineer received the logging message that is shown in the exhibit.
Which configuration is most likely to be mismatched?

A. IKE configuration
B. extended authentication configuration
C. IPsec configuration
D. digital certificate configuration

Answer: C

Explanation:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml and
%ASA-5-713259: Group = groupname, Username = username, IP = peerIP, Session is being torn down. Reason: reason
Explanation The termination reason for the ISAKMP session appears, which occurs when the session is torn down through session management.
• groupname—The tunnel group of the session being terminated
• username—The username of the session being terminated
• peerIP—The peer address of the session being terminated
• reason—The RADIUS termination reason of the session being terminated. Reasons include the following:
- Port Preempted (simultaneous logins)
- Idle Timeout
- Max Time Exceeded
- Administrator Reset

Question: 256

Refer to the exhibit.

The ABC Corporation is changing remote-user authentication from pre-shared keys to certificate-based authentication. For most employee authentication, its group membership (the employees) governs corporate access. Certain management personnel need access to more confidential servers. Access is based on the group and name, such as finance and level_2. When it is time to pilot the new authentication policy, a finance manager is able to access the department-assigned servers but cannot access the restricted servers.
As the network engineer, where would you look for the problem?

A. Check the validity of the identity and root certificate on the PC of the finance manager.
B. Change the Management Certificate to Connection Profile Maps > Rule Priority to a number that is greater than 10.
C. Check if the Management Certificate to Connection Profile Maps > Rules is configured correctly.
D. Check if the Certificate to Connection Profile Maps > Policy is set correctly.

Answer: D

Explanation:
Cisco ASDM User Guide Version 6.1

Question: 257

Refer to the exhibit.

The user "contractor" inherits which VPN group policy?

A. employee
B. management
C. DefaultWEBVPNGroup
D. DfltGrpPolicy
E. new_hire

Answer: D

Question: 258

Refer to the exhibit.

In the CLI snippet that is shown, what is the function of the deny option in the access list?

A. When set in conjunction with outbound connection-type bidirectional, its function is to prevent the specified traffic from being protected by the crypto map entry.
B. When set in conjunction with connection-type originate-only, its function is to instruct the Cisco ASA to deny specific inbound traffic if it is not encrypted.
C. When set in conjunction with outbound connection-type answer-only, its function is to instruct the Cisco ASA to deny specific outbound traffic if it is not encrypted.
D. When set in conjunction with connection-type originate-only, its function is to cause all IP traffic that matches the specified conditions to be protected by the crypto map.

Answer: A

Question: 259

Refer to the exhibit.

A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a question about a line in the log.
The IP address 172.26.26.30 is attached to which interface in the network?

A. the Cisco ASA physical interface
B. the physical interface of the end user
C. the Cisco ASA SSL VPN tunnel interface
D. the SSL VPN tunnel interface of the end user

Answer: B

Question: 260

Refer to the exhibit.

When the user "contractor" Cisco AnyConnect tunnel is established, what type of Cisco ASA user restrictions are applied to the tunnel?

A. full restrictions (no Cisco ASDM, no CLI, no console access)
B. full restrictions (no read, no write, no execute permissions)
C. full restrictions (CLI show commands and Cisco ASDM monitoring permissions only)
D. full access with no restrictions

Answer: D

Question: 261

Which statement regarding hashing is correct?

A. MD5 produces a 64-bit message digest.
B. SHA-1 produces a 160-bit message digest.
C. MD5 takes more CPU cycles to compute than SHA-1.
D. Changing 1 bit of the input to SHA-1 can change up to 5 bits in the output.

Answer: B

Question: 262

When initiating a new SSL or TLS session, the client receives the server SSL certificate and validates it. After validating the server certificate, what does the client use the certificate for?

A. The client and server use the server public key to encrypt the SSL session data.
B. The server creates a separate session key and sends it to the client. The client decrypts the session key by using the server public key.
C. The client and server switch to a DH key exchange to establish a session key.
D. The client generates a random session key, encrypts it with the server public key, and then sends it to the server.

Answer: D

Question: 263

When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or PAT, which type of VPN tunneling should you use to allow the VPN traffic through the stateful firewall?

A. clientless SSL VPN
B. IPsec over TCP
C. smart tunnel
D. SSL VPN plug-ins

Answer: B

Explanation:
IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and it enables secure tunneling through both Network Address Translation (NAT) and Port Address Translation (PAT) devices and firewalls.

Question: 264

Refer to the exhibit.

While troubleshooting on a remote-access VPN application, a new NOC engineer received the message that is shown.
What is the most likely cause of the problem?

A. The IP address that is assigned to the PC of the VPN user is not within the range of addresses that are assigned to the SVC connection.
B. The IP address that is assigned to the PC of the VPN user is in use. The remote user needs to select a different host address within the range.
C. The IP address that is assigned to the PC of the VPN user is in the wrong subnet. The remote user needs to select a different host number within the correct subnet.
D. The IP address pool for contractors was not applied to their connection profile.

Answer: D

Explanation:
%ASA-5-722006: Group group User user-name IP IP_address Invalid address IP_address assigned to SVC connection.
Explanation An invalid address was assigned to the user.
Recommended Action Verify and correct the address assignment, if possible.

Question: 265

What is a valid reason for configuring a list of backup servers in the Cisco AnyConnect VPN Client profile?

A. to access a backup authentication server
B. to access a backup DHCP server
C. to access a backup VPN server
D. to access a backup CA server

Answer: C

Question: 266

Which statement about CRL configuration is correct?

A. CRL checking is enabled by default.
B. The Cisco ASA relies on HTTPS access to procure the CRL list.
C. The Cisco ASA relies on LDAP access to procure the CRL list.
D. The Cisco Secure ACS can be configured as the CRL server.

Answer: C

Explanation:
ASA SSLVPN deployment guide:
The security appliance supports various authentication methods: RSA one-time passwords, Radius, Kerberos, LDAP, NT Domain, TACACS, Local/Internal, digital certificates, and a combination of both authentication and certificates.

Question: 267

You have been using pre-shared keys for IKE authentication in your VPN. Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you enable scaling to numerous IPsec peers?

A. Migrate to external CA-based digital certificate authentication.
B. Migrate to a load-balancing server.
C. Migrate to a shared license server.
D. Migrate from IPsec to SSL VPN client extended authentication.

Answer: A

Question: 268

Which routing protocols are recommended by Cisco in DMVPN between the company router and the ISP router? (Choose two.)

A. OSPF
B. RIPv2
C. ISIS
D. BGP
E. EIGRP

Answer: D, E

Question: 269

An employee working from home sends all traffic to the company server. Is there a policy for him to use his local internet provider and the VPN only for company data?

A. tunnel all
B. No such policy exists
C. tunnel specified
D. tunnel exclude

Answer: C

Question: 270

Which command in the CLI do you have to use to capture IKEv1 phase 1?

A. capture match ip eq port 500 eq port 500
B. capture match gre eq port 500 eq port 500
C. capture match ah eq port 500 eq port 500
D. capture match udp eq port 153 eq port 153
E. capture match udp eq port 500 eq port 500

Answer: E

Question: 271

Which algorithm does ISAKMP use to derive the encryption and integrity keys?

A. RSA
B. 3DES
C. HMAC
D. AES
E. Diffie-Hellman

Answer: E

Question: 272

An engineer has successfully established a phase 1 tunnel, but notices that no packets are decrypted on the head end side of the tunnel. What is a potential cause for this issue?

A. different phase 2 encryption
B. misconfigured DH group
C. disabled PFS
D. firewall blocking Phase 2 ESP or AH

Answer: A

Question: 273

Which purpose of configuring Perfect Forward Secrecy is true?

A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 2 keys.
B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 1 keys.
C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 1 keys.
D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 2 keys.

Answer: A

Question: 274

Which algorithm does ISAKMP use to securely derive encryption and integrity keys?

A. Diffie-Hellman
B. AES
C. ECDSA
D. RSA
E. 3DES

Answer: D

Question: 275

An engineer is attempting to establish a new site-to-site VPN connection. The tunnel terminates on an ASA 5506-X which is behind an ASA 5515-X. The engineer notices that the tunnel is not establishing. Which option is a potential cause?

A. Certificates were not configured
B. Diffie-Hellman Group is not set
C. Access lists were not applied
D. NAT-traversal is not configured

Answer: D

Question: 276

A company has a FlexVPN solution for remote access and one of their Cisco AnyConnect remote clients is having trouble connecting properly. Which command verifies that packets are being encrypted and decrypted?

A. show crypto session active
B. show crypto ikev2 stats
C. show crypto ikev1 sa
D. show crypto ikev2 sa
E. show crypto session detail

Answer: E
