300-209 276qa
Cisco
300-209 Exam
Cisco Implementing Cisco Secure Mobility Solutions (SIMOS)
Exam
http://www.justcerts.com
Questions & Answers PDF
Answer: A, D
Question: 2
A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid
configuration constructs on a Cisco IOS router? (Choose two.)
Answer: A, E
Question: 3
Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.)
Answer: A, B, C, D
Question: 4
A. Group-policy
B. Tunnel-group
C. Crypto-map
D. Web-VPN Portal
E. ISAKMP client
Answer: A
Question: 5
Which of the following could be used to configure remote access VPN Host-scan and pre-login
policies?
A. ASDM
B. Connection-profile CLI command
C. Host-scan CLI command under the VPN group policy
D. Pre-login-check CLI command
Answer: A
Question: 6
In FlexVPN, what command can an administrator use to create a virtual template interface that can
be configured and applied dynamically to create virtual access interfaces?
Answer: B
Question: 7
A. It allows these entities to directly communicate without requiring traffic to use an intermediate
hop
B. It dynamically assigns VPN users to a group
C. It blocks these entities from directly communicating with each other
D. It makes sure that each VPN spoke directly communicates with the hub
Answer: A
Question: 8
Answer: B, D, E
Question: 9
A. point-to-point
B. hub-and-spoke
C. full mesh
D. on-demand spoke-to-spoke
Answer: C
Question: 10
Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)
Answer: A, D
Question: 11
What are the three primary components of a GET VPN network? (Choose three.)
Answer: A, E, F
Question: 12
Which two IKEv1 policy options must match on each peer when you configure an IPsec site-to-site
VPN? (Choose two.)
A. priority number
B. hash algorithm
C. encryption algorithm
D. session lifetime
E. PRF algorithm
Answer: B, C
Question: 13
Which two parameters are configured within an IKEv2 proposal on an IOS router? (Choose two.)
A. authentication
B. encryption
C. integrity
D. lifetime
Answer: B, C
Question: 14
In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require?
Answer: B
Question: 15
Answer: D
Question: 16
Which three settings are required for crypto map configuration? (Choose three.)
A. match address
B. set peer
C. set transform-set
D. set security-association lifetime
E. set security-association level per-host
F. set pfs
Answer: A, B, C
Question: 17
A network is configured to allow clientless access to resources inside the network. Which feature
must be enabled and configured to allow SSH applications to respond on the specified port 8889?
Answer: B
Question: 18
Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the
certificate has changed and the connection fails.
What is a possible cause of the connection failure?
Answer: C
Question: 19
In the Cisco ASDM interface, where do you enable the DTLS protocol setting?
A. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add
Answer: C
Reference:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin/admin5.html
Shows where DTLS can be configured as:
• Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add
or Edit Internal Group Policy > Advanced > SSL VPN Client
• Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or
Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
• Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN
Policy > SSL VPN Client
Question: 20
A. port forwarding
B. Full Tunnel Mode
C. Cisco IOS WebVPN
D. Cisco AnyConnect
Answer: CD
Question: 21
When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?
Answer: A
Question: 22
What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)
A. CSCO_WEBVPN_OTP_PASSWORD
B. CSCO_WEBVPN_INTERNAL_PASSWORD
C. CSCO_WEBVPN_USERNAME
D. CSCO_WEBVPN_RADIUS_USER
Answer: B, C
Question: 23
To change the title panel on the logon page of the Cisco IOS WebVPN portal, which file must you
configure?
Answer: A
Question: 24
Which three plugins are available for clientless SSL VPN? (Choose three.)
A. CIFS
B. RDP2
C. SSH
D. VNC
E. SQLNET
F. ICMP
Answer: B, C, D
Question: 25
Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA
appliance that has an invalid IKEv2 configuration?
Answer: A
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html
If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple.
On the command line, enter the migrate command:
migrate {l2l | remote-access {ikev2 | ssl} | overwrite}
Things of note:
Keyword definitions:
l2l - This converts current IKEv1 l2l tunnels to IKEv2.
remote access - This converts the remote access configuration. You can convert either the IKEv1 or
the SSL tunnel groups to IKEv2.
overwrite - If you have an IKEv2 configuration that you wish to overwrite, then this keyword converts
the current IKEv1 configuration and removes the superfluous IKEv2 configuration.
Question: 26
Which statement describes a prerequisite for single-sign-on Netegrity Cookie Support in an IOS SSL
VPN?
Answer: C
Question: 27
Which two statements describe effects of the DoNothing option within the untrusted network policy
in a Cisco AnyConnect profile? (Choose two.)
Answer: A, D
Question: 28
Which command enables IOS SSL VPN Smart Tunnel support for PuTTY?
Answer: B
Question: 29
Which three remote access VPN methods on an ASA appliance provide support for Cisco Secure
Desktop? (Choose three.)
A. IKEv1
B. IKEv2
C. SSL client
D. SSL clientless
E. ESP
F. L2TP
Answer: B, C, D
Question: 30
Answer: A, D
Question: 31
Answer: A
Question: 32
B. Configuration > Remote Access VPN > Clientless SSL VPN Access
C. Configuration > WebVPN > WebVPN Config
D. Configuration > VPN > WebVPN Access
Answer: B
Question: 33
A user with IP address 10.10.10.10 is unable to access a HTTP website at IP address 209.165.200.225
through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)
A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any
B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer
command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1
and show logging | include 10.10.10.10
D. Check if an access-list on the firewall is blocking the user by using command show running-config
access-list | include 10.10.10.10
E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234 192.168.1.3 161 to see
what the firewall is doing with the user's traffic
Answer: A, B
Question: 34
A Cisco router may have a fan issue that could increase its temperature and trigger a failure. What
troubleshooting steps would verify the issue without causing additional risks?
A. Configure logging using commands "logging on", "logging buffered 4", and check for fan failure
logs using "show logging"
B. Configure logging using commands "logging on", "logging buffered 6", and check for fan failure
logs using "show logging"
C. Configure logging using commands "logging on", "logging discriminator msglog1 console 7", and
check for fan failure logs using "show logging"
D. Configure logging using commands "logging host 10.11.10.11", "logging trap 2", and check for fan
failure logs at the syslog server 10.11.10.11
Answer: A
Question: 35
An internet-based VPN solution is being considered to replace an existing private WAN connecting
remote offices. A multimedia application is used that relies on multicast for communication. Which
two VPN solutions meet the application's network requirement? (Choose two.)
A. FlexVPN
B. DMVPN
C. Group Encrypted Transport VPN
D. Crypto-map based Site-to-Site IPsec VPNs
E. AnyConnect VPN
Answer: A, B
Question: 36
Answer: C
Question: 37
A company needs to provide secure access to its remote workforce. The end users use public kiosk
computers and a wide range of devices. They will be accessing only an internal web application.
Which VPN solution satisfies these requirements?
A. Clientless SSLVPN
B. AnyConnect Client using SSLVPN
C. AnyConnect Client using IKEv2
D. FlexVPN Client
E. Windows built-in PPTP client
Answer: A
Question: 38
A network administrator is configuring AES encryption for the ISAKMP policy on an IOS router. Which
two configurations are valid? (Choose two.)
Answer: B, C
Question: 39
Which two qualify as Next Generation Encryption integrity algorithms? (Choose two.)
A. SHA-512
B. SHA-256
C. SHA-192
D. SHA-380
E. SHA-192
F. SHA-196
Answer: A, B
Question: 40
Which statement is true when implementing a router with a dynamic public IP address in a crypto
map based site-to-site VPN?
Answer: C
Question: 41
Which two statements are true when designing a SSL VPN solution using Cisco AnyConnect? (Choose
two.)
Answer: D, E
Question: 42
Which two features are required when configuring a DMVPN network? (Choose two.)
Answer: B, C
Question: 43
A. Administrators can use summarization of routing protocol updates from hub to spokes.
B. It introduces hierarchical DMVPN deployments.
C. It introduces non-hierarchical DMVPN deployments.
D. It supports L2TP over IPSec as one of the VPN protocols.
Answer: A, B
Question: 44
Which are two main use cases for Clientless SSL VPN? (Choose two.)
Answer: A, B
Question: 45
Which technology can rate-limit the number of tunnels on a DMVPN hub when system utilization is
above a specified percentage?
Answer: C
Question: 46
Which technology supports tunnel interfaces while remaining compatible with legacy VPN
implementations?
A. FlexVPN
B. DMVPN
C. GET VPN
D. SSL VPN
Answer: A
Question: 47
Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices?
A. IKEv2 Suite-B
B. IKEv2 proposals
C. IKEv2 profiles
D. IKEv2 Smart Defaults
Answer: D
Question: 48
When an IPsec SVTI is configured, which technology processes traffic forwarding for encryption?
A. ACL
B. IP routing
C. RRI
D. front door VPN routing and forwarding
Answer: B
Question: 49
An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP
site with a Web browser. What is a possible reason for the failure?
Answer: B
Reference:
http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70664-IOSthinclient.html
Thin-Client SSL VPN (Port Forwarding)
A remote client must download a small, Java-based applet for secure access of TCP applications that
use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH,
and Telnet. The user needs local administrative privileges because changes are made to files on the
local machine. This method of SSL VPN does not work with applications that use dynamic port
assignments, for example, several FTP applications.
Question: 50
A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file
shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco IOS router
and the Windows server?
A. HTTPS
B. NetBIOS
C. CIFS
D. HTTP
Answer: C
Question: 51
You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command
must you configure on the virtual template?
Answer: D
Question: 52
Which protocol supports high availability in a Cisco IOS SSL VPN environment?
A. HSRP
B. VRRP
C. GLBP
D. IRDP
Answer: A
Question: 53
When you configure IPsec VPN High Availability Enhancements, which technology does Cisco
recommend that you enable to make reconvergence faster?
A. EOT
B. IP SLAs
C. periodic IKE keepalives
D. VPN fast detection
Answer: C
Question: 54
A. MD5
B. SHA-1
C. SHA-256
D. SHA-384
Answer: D
Question: 55
A. HIPPA DES
B. AES-128
C. RC4-128
D. AES-256
Answer: D
Question: 56
A. FWSM
B. Cisco ASA 5505
C. Cisco ASA 5580
D. Cisco ASA 5525-X
Answer: D
Question: 57
A. 3DES
B. AES
C. DES
D. RSA
Answer: D
Question: 58
Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco
NGE supported VPN solution?
Answer: A
Question: 59
An administrator wishes to limit the networks reachable over the Anyconnect VPN tunnels. Which
configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and
209.165.202.128/27?
Answer: A
Question: 60
Which NGE IKE Diffie-Hellman group identifier has the strongest cryptographic properties?
A. group 10
B. group 24
C. group 5
D. group 20
Answer: D
Question: 61
What is the Cisco recommended TCP maximum segment on a DMVPN tunnel interface when the
MTU is set to 1400 bytes?
A. 1160 bytes
B. 1260 bytes
C. 1360 bytes
D. 1240 bytes
Answer: C
Question: 62
A. ESP
B. dynamic routing
C. NHRP
D. CEF
E. IPSec
Answer: C
Question: 63
Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)
Answer: A, B
Question: 64
Answer: C
Question: 65
Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)
A. aes-cbc-192, sha256, 14
B. 3des, md5, 5
C. 3des, sha1, 1
D. aes-cbc-128, sha, 5
Answer: B, D
Question: 66
What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?
A. disk0:/webvpn/{context name}/
B. disk1:/webvpn/{context name}/
C. flash:/webvpn/{context name}/
D. nvram:/webvpn/{context name}/
Answer: C
Question: 67
Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?
A. vpn-filter none
B. no vpn-filter
C. filter value none
D. filter value ACLname
Answer: C
Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/v.html#pgfId-1842564
Question: 68
Which command specifies the path to the Host Scan package in an ASA AnyConnect VPN?
Answer: B
Question: 69
When a tunnel is initiated by the headquarter ASA, which one of the following Diffie-Hellman groups
is selected by the headquarter ASA during CREATE_CHILD_SA exchange?
A. 1
B. 2
C. 5
D. 14
E. 19
Answer: C
Explanation:
Traffic initiated by the HQ ASA is assigned to the static outside crypto map, which is shown below to
use DH group 5.
Question: 70
Based on the provided ASDM configuration for the remote ASA, which one of the following is
correct?
A. An access-list must be configured on the outside interface to permit inbound VPN traffic
B. A route to 192.168.22.0/24 will not be automatically installed in the routing table
C. The ASA will use a window of 128 packets (64x2) to perform the anti-replay check
D. The tunnel can also be established on TCP port 10000
Answer: C
Explanation:
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating
encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor
keeps track of which packets it has seen on the basis of these numbers. Currently, the default
window size is 64 packets. Generally, this number (window size) is sufficient, but there are times
when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and
Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more
than 64 packets.
Question: 71
If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to
encrypt traffic?
A. DES
B. 3DES
C. AES
D. AES192
E. AES256
Answer: E
Explanation:
Both ASAs are configured to support AES 256, so during the IPSec negotiation they will use the
strongest algorithm that is supported by each peer.
Question: 72
After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24
network are unable to access the internet. Which of the following can be done to resolve this
problem?
A. Change the Diffie-Hellman group on the headquarter ASA to group5 for the dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEv1 configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0
Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec
tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and
most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24
to 192.168.22.0/24.
Question: 73
Which option shows the correct traffic selectors for the child SA on the remote ASA, when the
headquarter ASA initiates the tunnel?
Answer: B
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec
tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and
most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24
(THE LOCAL SIDE) to 192.168.22.0/24 (THE REMOTE SIDE).
Question: 74
SIMULATION
Answer:
Question: 75
A custom desktop application needs to access an internal server. An administrator is tasked with
configuring the company's SSL VPN gateway to allow remote users to work. Which two technologies
would accommodate the company's requirement? (Choose two).
A. AnyConnect client
B. Smart Tunnels
C. Email Proxy
D. Content Rewriter
E. Portal Customizations
Answer: A, B
Question: 76
A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing traffic to be
blackholed. Which command should be used to identify the peer from which that route originated?
Answer: B
Question: 77
Which authentication method was used by the remote peer to prove its identity?
Answer: C
Question: 78
An IPsec peer is exchanging routes using IKEv2, but the routes are not installed in the RIB. Which
configuration error is causing the failure?
Answer: B
Question: 79
Answer: E
Question: 80
The IKEv2 tunnel between Router1 and Router2 is failing during session establishment. Which action
will allow the session to establish correctly?
Answer: B
Question: 81
You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing
the debug crypto isakmp command on the headend router, you see the following output. What does
this output suggest?
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10
Answer: A
Question: 82
You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing
the debug crypto ipsec command on the headend router, you see the following output. What does
this output suggest?
1d00h: IPSec (validate_proposal): transform proposal
(port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable
Answer: B
Question: 83
Which adaptive security appliance command can be used to see a generic framework of the
requirements for configuring a VPN tunnel between an adaptive security appliance and a Cisco IOS
router at a remote office?
Answer: A
Question: 84
After completing a site-to-site VPN setup between two routers, application performance over the
tunnel is slow. You issue the show crypto ipsec sa command and see the following output. What does
this output suggest?
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)
current_peer 209.165.200.230 port 500
PERMIT, flags={origin_is_acl,}
Answer: E
Question: 85
Which Cisco adaptive security appliance command can be used to view the count of all active VPN
sessions?
Answer: A
Question: 86
An administrator had the above configuration working with SSL protocol, but as soon as the
administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not able to
connect. What is the problem?
Answer: C
Question: 87
The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error
message is displayed:
"Login Denied, unauthorized connection mechanism, contact your administrator"
What is the most possible cause of this problem?
A. DAP is terminating the connection because IKEv2 is the protocol that is being used.
B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection.
C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism.
D. The administrator is restricting access to this specific user.
E. The IKEv2 protocol is not enabled in the group policy of the VPN headend.
Answer: E
Question: 88
The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend
using IKEv2. What is the most likely cause of this problem?
Answer: D
Question: 89
Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2
connection, while SSL works fine? (Choose two.)
A. Verify that the primary protocol on the client machine is set to IPsec.
B. Verify that AnyConnect is enabled on the correct interface.
C. Verify that the IKEv2 protocol is enabled on the group policy.
D. Verify that ASDM and AnyConnect are not using the same port.
E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.
Answer: A, C
Question: 90
Regarding licensing, which option will allow IKEv2 connections on the adaptive security appliance?
Answer: B
Question: 91
The network administrator is adding a new spoke, but the tunnel is not passing traffic. What could
cause this issue?
Answer: C
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#wp1055049
Question: 92
What action does the hub take when it receives a NHRP resolution request from a spoke for a
network that exists behind another spoke?
Answer: C
Question: 93
A spoke has two Internet connections for failover. How can you achieve optimum failover without
affecting any other router in the DMVPN cloud?
A. Create another DMVPN cloud by configuring another tunnel interface that is sourced from the
second ISP link.
B. Use another router at the spoke site, because two ISP connections on the same router for the
same hub is not allowed.
C. Configure SLA tracking, and when the primary interface goes down, manually change the tunnel
source of the tunnel interface.
D. Create another tunnel interface with same configuration except the tunnel source, and configure
the if-state nhrp and backup interface commands on the primary tunnel interface.
Answer: D
Question: 94
In DMVPN phase 2, which two EIGRP features need to be disabled on the hub to allow
spoke-to-spoke communication? (Choose two.)
A. autosummary
B. split horizon
C. metric calculation using bandwidth
D. EIGRP address family
E. next-hop-self
F. default administrative distance
Answer: B, E
Question: 95
Answer: A
Question: 96
When troubleshooting established clientless SSL VPN issues, which three steps should be taken?
(Choose three.)
Answer: B, E, F
Question: 97
A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish the
connection. Which three commands can be used for troubleshooting of the AAA subsystem? (Choose
three.)
Answer: A, B, D
Question: 98
Which option is a possible solution if you cannot access a URL through clientless SSL VPN with
Internet Explorer, while other browsers work fine?
Answer: A
Question: 99
A. HIPPA DES
B. AES-CBC-128
C. RC4-128
D. AES-GCM-256
Answer: D
Reference:
https://www.cisco.com/web/learning/le21/le39/docs/tdw166_prezi.pdf
Question: 100
Answer: D
Question: 101
Which command clears all crypto configuration from a Cisco Adaptive Security Appliance?
Answer: A
Question: 102
Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel
group in cleartext?
A. more system:running-config
B. show running-config crypto
C. show running-config tunnel-group
D. show running-config tunnel-group-map
E. clear config tunnel-group
F. show ipsec policy
Answer: A
Question: 103
An administrator desires that when work laptops are not connected to the corporate network, they
should automatically initiate an AnyConnect VPN tunnel back to headquarters. Where does the
administrator configure this?
A. Via the svc trusted-network command under the group-policy sub-configuration mode on the ASA
B. Under the "Automatic VPN Policy" section inside the Anyconnect Profile Editor within ASDM
C. Under the TNDPolicy XML section within the Local Preferences file on the client computer
D. Via the svc trusted-network command under the global webvpn sub-configuration mode on the
ASA
Answer: B
Question: 104
Answer: C
Question: 105
Remote users want to access internal servers behind an ASA using Microsoft terminal services.
Which option outlines the steps required to allow users access via the ASA clientless VPN portal?
Answer: D
Question: 106
Which command is used to determine how many GMs have registered in a GETVPN environment?
Answer: B
Question: 107
Answer: C
Question: 108
Answer: B
Question: 109
Which two statements about the given configuration are true? (Choose two.)
Answer: A, C
Question: 110
Answer: B
Question: 111
Which command enables the router to form EIGRP neighbor adjacencies with peers using a different
subnet than the ingress interface?
A. ip unnumbered interface
B. eigrp router-id
C. passive-interface interface name
D. ip split-horizon eigrp as number
Answer: A
Question: 112
Which feature enforces the corporate policy for Internet access to Cisco AnyConnect VPN users?
Answer: A
Question: 113
In which situation would you enable the Smart Tunnel option with clientless SSL VPN?
Answer: B
Question: 114
You executed the show crypto ipsec sa command to troubleshoot an IPSec issue. What problem does
the given output indicate?
Answer: B
Question: 115
Which two types of authentication are supported when you use Cisco ASDM to configure site-to-site
IKEv2 with IPv6? (Choose two.)
A. preshared key
B. webAuth
C. digital certificates
D. XAUTH
E. EAP
Answer: A, C
Question: 116
Which option describes the purpose of the shared argument in the DMVPN interface command
tunnel protection IPsec profile ProfileName shared?
Answer: A
Question: 117
A. spoke to hub
B. spoke to spoke
C. hub to spoke
D. hub to hub
Answer: B
Question: 118
A. OER
B. VRF
C. IKEv2
D. an RSA nonce
Answer: C
Question: 119
Which application does the Application Access feature of Clientless VPN support?
A. TFTP
B. VoIP
C. Telnet
D. active FTP
Answer: C
Question: 120
A. group policies
B. AnyConnect Connection Profile
C. AnyConnect Client Profile
D. Advanced Network (Client) Access
Answer: B
Question: 121
Which protocols does the Cisco AnyConnect client use to build multiple connections to the security
appliance?
Answer: A
Question: 122
A. NHRP
B. MPLS
C. GRE
D. ESP
Answer: D
Question: 123
Which VPN solution is best for a collection of branch offices connected by MPLS that frequently make
VoIP calls between branches?
A. GETVPN
B. Cisco AnyConnect
C. site-to-site
D. DMVPN
Answer: A
Question: 124
A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site
Answer: C
Question: 125
You have implemented an SSL VPN as shown. Which type of communication takes place between the
secure gateway R1 and the Cisco Secure ACS?
A. HTTP proxy
B. AAA
C. policy
D. port forwarding
Answer: B
Question: 126
A. DMVPN
B. a multiple-tunnel configuration
C. a Cisco ASA pair in active/passive failover configuration
D. certificate to tunnel group maps
Answer: C
Question: 127
A. Cisco AnyConnect
B. IPsec
C. L2TP
D. SSL VPN
Answer: B
Question: 128
Which technology must be installed on the client computer to enable users to launch applications
from a Clientless SSL VPN?
A. Java
B. QuickTime plug-in
C. Silverlight
D. Flash
Answer: A
Question: 129
A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key
Answer: A
Question: 130
A. IKE Phase 1
B. IKE Phase 2
C. symmetric key exchange
D. certificate exchange
Answer: A
Question: 131
A. MD5
B. SHA2
C. Elliptical Curve Diffie-Hellman
D. 3DES
E. DES
Answer: B, C
Question: 132
A. TCP
B. UDP
C. IMAP
D. DDE
Answer: B
Question: 133
SIMULATION
Scenario:
You are the network security manager for your organization. Your manager has received a request to
allow an external user to access your HQ and DMZ servers. You are given the following connection
parameters for this task.
Using ASDM on the ASA, configure the parameters below and test your configuration by accessing
the Guest PC. Not all ASDM screens are active for this exercise. Also, for this exercise, all changes are
automatically applied to the ASA and you will not have to click APPLY to apply the changes manually.
• Enable Clientless SSL VPN on the outside interface
• Using the Guest PC, open an Internet Explorer window and test and verify the basic connection to
the SSL VPN portal using address: https://vpn-secure-x.public
  a. You may notice a certificate error in the status bar, this can be ignored for this exercise
  b. Username: vpnuser
  c. Password: cisco123
  d. Logout of the portal once you have verified connectivity
• Configure two bookmarks with the following parameters:
  a. Bookmark List Name: MY-BOOKMARKS
  b. Use the: URL with GET or POST method
  c. Bookmark Title: HQ-Server
    i. http://10.10.3.20
  d. Bookmark Title: DMZ-Server-FTP
    i. ftp://172.16.1.50
  e. Assign the configured Bookmarks to:
    i. DfltGrpPolicy
    ii. DfltAccessPolicy
    iii. LOCAL User: vpnuser
• From the Guest PC, reconnect to the SSL VPN Portal
• Test both configured Bookmarks to ensure desired connectivity
You have completed this exercise when you have configured and successfully tested Clientless SSL
VPN connectivity.
Topology:
Explanation:
First, enable clientless VPN access on the outside interface by checking the box found below:
Logging in will take you to this page, which means you have now verified basic connectivity:
Make the name MY-BOOKMARKS and use the “Add” tab and add the bookmarks per the instructions:
Ensure the “URL with GET or POST method” button is selected and hit OK:
Select the MY-BOOKMARKS Bookmarks and click on the “Assign” button. Then, click on the
Then, go back to the Guest-PC, log back in and you should be able to test out the two new bookmarks.
Question: 134
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
A. Certificates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2
Answer: B
Explanation:
The show crypto isakmp key command shows the preshared key of “cisco”.
Question: 135
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
A. Default
B. ESP-3DES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS mode transport
D. TSET
Answer: B
Explanation:
This can be seen from the “show crypto ipsec sa” command as shown below:
Question: 136
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
D. QM_IDLE
Answer: B
Explanation:
This can be seen from the “show crypto isa sa” command:
Question: 137
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
Answer: D
Explanation:
This is seen from the “show crypto ipsec sa” command on the ASA.
Question: 138
Which option describes what address preservation with IPsec Tunnel Mode allows when GETVPN is used?
Answer: C
Question: 139
A. Layer 3 roaming
B. aggressive mode
C. EAP variants
D. sequencing
Answer: B
Question: 140
Answer: C
Question: 141
Which statement about the hub in a DMVPN configuration with iBGP is true?
Answer: D
Question: 142
Answer: A
Question: 143
Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel?
Answer: C
Question: 144
Which interface is managed by the VPN Access Interface field in the Cisco ASDM IPsec Site-to-Site VPN Wizard?
Answer: B
Question: 145
You are troubleshooting a DMVPN NHRP registration failure. Which command can you use to view request counters?
Answer: A
Question: 146
Answer: C
Question: 147
Which three commands are included in the command show dmvpn detail? (Choose three.)
Answer: B, C, E
Question: 148
Answer: A
Question: 149
Which option describes the purpose of the command show derived-config interface virtual-access 1?
A. It verifies that the virtual access interface is cloned correctly with per-user attributes.
B. It verifies that the virtual template created the tunnel interface.
C. It verifies that the virtual access interface is of type Ethernet.
D. It verifies that the virtual access interface is used to create the tunnel interface.
Answer: A
Question: 150
Which two RADIUS attributes are needed for a VRF-aware FlexVPN hub? (Choose two.)
Answer: A, B
Question: 151
Answer: A
Question: 152
When you troubleshoot Cisco AnyConnect, which step does Cisco recommend before you open a TAC case?
Answer: D
Question: 153
What URL do you use to download a packet capture file in a format which can be used by a packet analyzer?
A. ftp://<hostname>/capture/<capture_name>/
B. Error! Hyperlink reference not valid. _interface:port>/<capture_name>/
C. Error! Hyperlink reference not valid.
D. Error! Hyperlink reference not valid.
Answer: C
Question: 154
If Web VPN bookmarks are grayed out on the home screen, which action should you take to begin troubleshooting?
A. Determine whether the Cisco ASA can resolve the DNS names.
B. Determine whether the Cisco ASA has DNS forwarders set up.
C. Determine whether an ACL is present to permit DNS forwarding.
D. Replace the DNS name with an IP address.
Answer: A
Question: 155
Answer: A
Question: 156
Which group-policy subcommand installs the Diagnostic AnyConnect Report Tool on user computers when a Cisco AnyConnect user logs in?
Answer: D
Question: 157
You have deployed new Cisco AnyConnect start before logon modules and set the configuration to download modules before logon, but all client connections continue to use the previous version of the module. Which action must you take to correct the problem?
Answer: A
Question: 158
Which feature do you include in a highly available system to account for potential site failures?
Answer: A
Question: 159
A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site
Answer: B
Question: 160
Which VPN type can be used to provide secure remote access from public internet cafes and airport kiosks?
A. site-to-site
B. business-to-business
C. Clientless SSL
D. DMVPN
Answer: C
Question: 161
Answer: D
Question: 162
What must be enabled in the web browser of the client computer to support Clientless SSL VPN?
A. cookies
B. ActiveX
C. Silverlight
D. popups
Answer: A
Question: 163
Which VPN feature allows remote access clients to print documents to local network printers?
Answer: B
Question: 164
Which option is most effective at preventing a remote access VPN user from bypassing the corporate transparent web proxy?
A. using the proxy-server settings of the client computer to specify a PAC file for the client computer to download
B. instructing users to use the corporate proxy server for all web browsing
C. disabling split tunneling
D. permitting local LAN access
Answer: C
Question: 165
A. 3DES
B. IDEA
C. AES
D. RSA
Answer: D
Question: 166
Which three parameters are specified in the isakmp (IKEv1) policy? (Choose three.)
Answer: A, B, C
Question: 167
Answer: A
Question: 168
A. the introducer
B. the certificate authority
C. the requestor
D. the registration authority
Answer: A
Question: 169
Which technology can you implement to reduce latency issues associated with a Cisco AnyConnect VPN?
A. DTLS
B. SCTP
C. DCCP
D. SRTP
Answer: A
Question: 170
Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.
Topology
Default_Home
Which address pool is being assigned to the users connecting via the AnyConnect client?
A. AC_Address_Pool
B. Remote_Address_Pool
C. Outside_Address_Pool
D. VPN_Address_Pool
Answer: D
Explanation:
First Navigate to the Configuration -> Remote Access VPN tab and then choose the “AnyConnect Connection Profile” as shown below:
Then, clicking on the AnyConnect Profile at the bottom will bring you to the edit page shown below:
From here we can see that the Client Address Pools in use is the “VPN_Access_Pool”
Question: 171
Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.
Topology
Default_Home
A. 10.10.15.40-50/24
B. 209.165.201.20-30/24
C. 192.168.1.100-150/24
D. 10.10.15.20-30/24
Answer: D
Explanation:
First Navigate to the Configuration -> Remote Access VPN tab and then choose the “AnyConnect Connection Profile” as shown below:
Then, clicking on the AnyConnect Profile at the bottom will bring you to the edit page shown below:
From here, click the Select button on the “VPN_Address_Pool” and you will see the following pools defined:
Here we see that the VPN_Address_Pool contains the IP address range of 10.10.15.20-10.10.15.30/24.
Question: 172
Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.
Topology
Default_Home
What two actions will be taken on translated packets when the AnyConnect users connect to the ASA? (Choose two.)
A. No action will be taken, they will keep their original assigned addresses
B. The source address will use the outside-nat-pool
C. The source NAT type will be a static translation
D. The source NAT type will be a dynamic translation
E. DNS will be translated on rule matches
Answer: A, C
Explanation:
First, navigate to the Configuration -> NAT Rules tab to see this:
Here we see that NAT rule 2 applies to the AnyConnect clients, click on this rule for more details to see the following:
Here we see that it is a static source NAT entry, but that the Source and Destination addresses remain
Question: 173
Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.
Topology
Default_Home
Which two networks will be included in the secured VPN tunnel? (Choose two.)
A. 10.10.0.0/16
B. All networks will be securely tunneled
C. Networks with a source of any4
D. 10.10.9.0/24
E. DMZ network
Answer: A, E
Explanation:
Navigate to the Configuration -> Remote Access -> Group Policies tab to observe the following:
Here you see that the Network List called “Inside Subnets” is being tunneled (secured). Select Manage to see the list of networks
Here we see that the 10.10.0.0/16 and DMZ networks are being secured over the tunnel.
Question: 174
SIMULATION
Scenario
You are the network security administrator for your organization. Your company is growing and a remote branch office is being created. You are tasked with configuring your headquarters Cisco ASA to create a site-to-site IPsec VPN connection to the branch office Cisco ISR. The branch office ISR has already been deployed and configured and you need to complete the IPsec connectivity
Click on “allow IKE v1 Access” for the outside per the instructions as shown below:
Then click apply at the bottom of the page. This will bring up the following pop up message:
Click on Send.
Next, we need to set up the connection profile. From the connection profile tab, click on “Add”
To test this, we need to disable NAT. Go to Configuration -> Firewall -> NAT rules and you should see this:
Click on Rule 1 to get the details and you will see this:
We need to uncheck the “Enable rule” button on the bottom. It might also be a good idea to uncheck the “Translate DNS replies that match the rule” but it should not be needed.
Then, go back to the topology:
Click on Employee PC, and you will see a desktop with a command prompt shortcut. Use this to ping the IP address of 10.11.11.20 and you should see replies:
We can also verify by viewing the VPN Statistics -> Sessions and see the bytes in/out incrementing as shown below:
Question: 175
Which statement regarding GET VPN is true?
A. TEK rekeys can be load-balanced between two key servers operating in COOP.
B. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server.
C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
D. The configuration that defines which traffic to encrypt is present only on the key server.
E. The pseudotime that is used for replay checking is synchronized via NTP.
Answer: D
Question: 176
Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)
Answer: A, B
Question: 177
Which configuration is used to build a tunnel between a Cisco ASA and ISR?
A. crypto map
B. DMVPN
C. GET VPN
D. GRE with IPsec
E. GRE without IPsec
Answer: A
Question: 178
Which two statements regarding IKEv2 are true per RFC 4306? (Choose two.)
Answer: D, G
Question: 179
Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.)
A. transform set
B. ISAKMP policy
C. ACL that defines traffic to encrypt
D. dynamic routing protocol
E. tunnel interface
F. IPsec profile
G. PSK or PKI trustpoint with certificate
Answer: A, B, G
Question: 180
Which three parameters must match on all routers in a DMVPN Phase 3 cloud? (Choose three.)
A. NHRP network ID
Answer: A, B, C
Question: 181
A. resolution request
B. resolution reply
C. redirect
D. registration request
E. registration reply
F. error indication
Answer: C
Question: 182
Which three changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose three.)
Answer: B, D, E
Question: 183
Answer: C
Question: 184
Answer: B
Question: 185
Which algorithm provides both encryption and authentication for data plane communication?
A. SHA-96
B. SHA-384
C. 3DES
D. AES-256
E. AES-GCM
F. RC4
Answer: E
Question: 186
The customer can establish an AnyConnect connection on the first attempt only. Subsequent attempts fail. What might be the issue?
Answer: D
Question: 187
Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)
A. group-alias
B. certificate map
C. use gateway command
D. group-url
E. AnyConnect client version
Answer: B, D
Question: 188
The customer needs to launch AnyConnect in the RDP machine. Which configuration is correct?
Answer: A
Question: 189
A customer requires all traffic to go through a VPN. However, access to the local network is also required. Which two options can enable this configuration? (Choose two.)
A. split exclude
B. use of an XML profile
C. full tunnel by default
D. split tunnel
E. split include
Answer: A, B
Question: 190
Which two statements about the Cisco ASA Clientless SSL VPN smart tunnels feature are true? (Choose two.)
A. Smart tunnels are enabled on the secure gateway (Cisco ASA) for specific applications that run on the end client and work irrespective of which transport protocol the application uses.
B. Smart tunnels require Administrative privileges to run on the client machine.
C. A smart tunnel is a DLL that is pushed from the headend to the client machine after SSL VPN portal authentication and that is attached to smart-tunneled processes to route traffic through the SSL VPN session with the gateway.
D. Smart tunnels offer better performance than the client-server plugins.
E. Smart tunnels are supported on Windows, Mac, and Linux.
Answer: C, D
Question: 191
Which three types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL VPN portal? (Choose three.)
A. HTTP
B. VNC
C. CIFS
D. RDP
E. HTTPS
F. ICA (Citrix)
Answer: A, C, E
Question: 192
Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)
A. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.
B. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.
C. A Cisco ASA with an AnyConnect Premium Peers license can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.
D. Content rewriter functionality in the Clientless SSL VPN portal is not supported on Apple mobile devices.
E. Clientless SSLVPN provides Layer 3 connectivity into the secured network.
Answer: C, D
Question: 193
Which three types of SSO functionality are available on the Cisco ASA without any external SSO servers? (Choose three.)
A. SAML
B. HTTP POST
C. HTTP Basic
D. NTLM
E. Kerberos
F. OAuth 2.0
Answer: B, C, D
Question: 194
Which type of mismatch is causing the problem with the IPsec VPN tunnel?
A. PSK
B. Phase 1 policy
C. transform set
D. crypto access list
Answer: A
Question: 195
A. incorrect PSK
B. crypto access list mismatch
C. incorrect tunnel group
D. crypto policy mismatch
E. incorrect certificate
Answer: D
Question: 196
A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action can bring up the VPN tunnel?
Answer: A
Question: 197
The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch might be the problem?
A. PSK
B. crypto policy
C. peer identity
D. transform set
Answer: C
Question: 198
Which three configuration parameters are mandatory for an IKEv2 profile? (Choose three.)
A. IKEv2 proposal
B. local authentication method
C. match identity or certificate
D. IKEv2 policy
E. PKI certificate authority
F. remote authentication method
G. IKEv2 profile description
H. virtual template
Answer: B, C, F
Question: 199
As network security architect, you must implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity. Which technology should you use?
A. IPsec DVTI
B. FlexVPN
C. DMVPN
D. IPsec SVTI
E. GET VPN
Answer: E
Question: 200
As network consultant, you are asked to suggest a VPN technology that can support a multivendor environment and secure traffic between sites. Which technology should you recommend?
A. DMVPN
B. FlexVPN
C. GET VPN
D. SSL VPN
Answer: B
Question: 201
Which three configurations are prerequisites for stateful failover for IPsec? (Choose three.)
A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the IPsec configuration is copied automatically.
B. Only crypto map configuration that is set up on the active device must be duplicated on the standby device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.
D. The active and standby devices can run different versions of the Cisco IOS software but need to be the same type of device.
E. The active and standby devices must run the same version of the Cisco IOS software and should be the same type of device.
F. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device; the IKE configuration is copied automatically.
G. The IKE configuration that is set up on the active device must be duplicated on the standby device.
Answer: C, E, G
Question: 202
A. IKEv2 reconnect
B. IKEv1 cluster
C. IKEv2 load balancer
D. IKEv1 client
E. IPsec high availability
F. IKEv2 backup gateway
Answer: C
Question: 203
Which type of VPN is being configured, based on the partial configuration snippet?
Answer: D
Question: 204
Which two characteristics of the VPN implementation are evident? (Choose two.)
Answer: B, C
Question: 205
A. $y^3 = x^3 + ax + b$
B. $x^3 = y^2 + ab + x$
C. $y^4 = x^2 + ax + b$
D. $y^2 = x^3 + ax + b$
E. $y^2 = x^2 + ax + b^2$
Answer: D
Question: 206
Which two statements comparing ECC and RSA are true? (Choose two.)
A. ECC can have the same security as RSA but with a shorter key size.
B. ECC lags in performance when compared with RSA.
C. Key generation in ECC is slower and less CPU intensive.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. Key generation in ECC is faster and less CPU intensive.
Answer: A, E
Question: 207
Which command identifies an AnyConnect profile that was uploaded to the router flash?
Answer: A
Question: 208
Which PKI enrollment method allows the user to separate authentication and enrollment actions and also provides an option to specify HTTP/TFTP commands to perform file retrieval from the server?
A. enrollment profile
B. enrollment terminal
C. enrollment url
D. enrollment selfsigned
Answer: A
Question: 209
Which protocol can be used for better throughput performance when using Cisco AnyConnect VPN?
A. TLSv1
B. TLSv1.1
C. TLSv1.2
D. DTLSv1
Answer: D
Question: 210
A. RC4
B. AES
C. ECDSA
D. 3DES
Answer: C
Question: 211
Which DAP endpoint attribute checks for the matching MAC address of a client machine?
A. device
B. process
C. antispyware
D. BIA
Answer: A
Question: 212
Which protocol must be enabled on the inside interface to use cluster encryption in SSL VPN load balancing?
A. TLS
B. DTLS
C. IKEv2
D. ISAKMP
Answer: D
Question: 213
Answer: A
Question: 214
An engineer wants to ensure that employees cannot access corporate resources on untrusted networks, but does not want a new VPN session to be established each time they leave the trusted network. Which Cisco AnyConnect Trusted Network Policy option allows this ability?
A. Pause
B. Connect
C. Do Nothing
D. Disconnect
Answer: A
Question: 215
Refer to the exhibit. In this tunnel mode GRE multipoint example, which command on the hub router distinguishes one spoke from the other?
A. no ip route
B. ip nhrp map
C. ip frame-relay
D. tunnel mode gre multipoint
Answer: D
Question: 216
A network engineer must configure a new VPN tunnel utilizing IKEv2. For which three reasons would a configuration use IKEv2 instead of IKEv1? (Choose three.)
Answer: B, E, F
Question: 217
A network engineer is troubleshooting a site VPN tunnel configured on a Cisco ASA and wants to validate that the tunnel is sending and receiving traffic. Which command accomplishes this task?
Answer: C
Question: 218
When troubleshooting clientless SSL VPN connections, which option can be verified on the client PC?
A. address assignment
B. DHCP configuration
C. tunnel group attributes
D. host file misconfiguration
Answer: D
Question: 219
Which two commands are included in the command show dmvpn detail? (Choose two.)
A. Show ip nhrp
B. Show ip nhrp nhs
C. Show crypto ipsec sa detail
D. Show crypto session detail
E. Show crypto sockets
Answer: D, E
Question: 220
An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS routers. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats seem to show that they are up. However, when trying to connect to a remote server using RDP, the connection fails. Which action resolves this issue?
Answer: C
Question: 221
Answer: D
Question: 222
An engineer has configured Cisco AnyConnect VPN using IKEv2 on a Cisco IOS router. The user
cannot connect in the Cisco AnyConnect client, but receives an alert message “Use a browser to gain
access.” Which action does the engineer take to eliminate this issue?
Answer: B
Question: 223
Refer to the exhibit. A network administrator is running DMVPN with EIGRP. When the administrator
looks at the routing table on spoke 1, it displays a route to the hub only. Which command is missing
on the hub router that would include spoke 2 and spoke 3 in the spoke 1 routing table?
A. no inverse arp
B. neighbor (ip address)
C. no ip split-horizon eigrp 1
D. redistribute static
Answer: C
Question: 224
Which algorithm provides both encryption and authentication for plane communication?
A. RC4
B. SHA-384
C. AES-256
D. SHA-96
E. 3DES
F. AES-GCM
Answer: F
Question: 225
Refer to the exhibit. Client 1 cannot communicate with Client 2. Both clients are using Cisco
AnyConnect and have established a successful SSL VPN connection to the hub ASA.
Which command on the ASA is missing?
A. same-security-traffic permit inter-interface
B. same-security-traffic permit intra-interface
C. dns-server value 10.1.1.3
D. split-tunnel-network list
Answer: B
Question: 226
Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two.)
Answer: AD
Question: 227
Refer to the exhibit. An engineer is troubleshooting a new GRE over IPSEC tunnel. The tunnel is
established, but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being
blocked?
Answer: C
Question: 228
A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message:
The AnyConnect package on the secure gateway could not be located. You may be experiencing
network connectivity issues. Please try connecting again.
Which option is the likely cause of this issue?
Answer: A
Question: 229
Which two operational advantages does GetVPN offer over site-to-site IPsec tunnel in a private
MPLS-based core network? (Choose two.)
A. Key servers perform encryption and decryption of all the data in the network, which allows for
tight security policies.
B. Traffic uses one VRF to encrypt data and a different one to decrypt data, which allows for multicast
traffic isolation.
C. GETVPN is tunnel-less, which allows any group member to perform decryption and routing around
network failures.
D. Packets carry original source and destination IP addresses, which allows for optimal routing of
encrypted traffic.
E. Group Domain of Interpretation protocol allows for homomorphic encryption, which allows group
members to operate on messages without decrypting them
Answer: DE
Question: 230
An administrator received a report that a user cannot connect to the headquarters site using Cisco
AnyConnect and receives this error: The installer was not able to start the Cisco VPN client, clientless
access is not available. Which option is a possible cause for this error?
A. The client version of Cisco AnyConnect is not compatible with the Cisco ASA software image.
B. The operating system of the client machine is not supported by Cisco AnyConnect.
C. The driver for Cisco AnyConnect is outdated.
D. The installed version of Java is not compatible with Cisco AnyConnect.
Answer: C
Question: 231
An engineer is configuring an IPsec VPN with IKEv2. Which three components are part of the IKEv2
proposal for this implementation? (Choose three.)
A. key ring
B. DH group
C. integrity
D. tunnel name
E. encryption
Answer: BCE
Question: 232
Which command can be used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?
Answer: A
Question: 233
Refer to the exhibit. An engineer encounters a debug message. Which action can the engineer take
to eliminate this error message?
Answer: B
Question: 234
Which two changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is
configured? (Choose two.)
Answer: BD
Question: 235
Refer to the exhibit. VPN load balancing provides a way to distribute remote access, IPsec, and SSL
VPN connections across multiple security appliances. Which remote access client types does the load
balancing feature support?
Answer: B
Question: 236
Using the Next Generation Encryption technologies, which is the minimum acceptable encryption
level to protect sensitive information?
A. AES 92 bits
B. AES 128 bits
C. AES 256 bits
D. AES 512 bits
Answer: C
Question: 237
Answer: A
Question: 238
Which statement is correct concerning the trusted network detection (TND) feature?
A. The Cisco AnyConnect 3.0 Client supports TND on Windows, Mac, and Linux platforms.
B. With TND, one result of a Cisco Secure Desktop basic scan on an endpoint is to determine whether
a device is a member of a trusted or an untrusted network.
C. If enabled, and a CSD scan determines that a host is a member of an untrusted network, an
administrator can configure the TND feature to prohibit an end user from launching the Cisco
AnyConnect VPN Client.
D. When the user is inside the corporate network, TND can be configured to automatically
disconnect a Cisco AnyConnect session.
Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html
Trusted Network Detection
Trusted Network Detection (TND) gives you the ability to have AnyConnect automatically disconnect
a VPN connection when the user is inside the corporate network (the trusted network) and start the
VPN connection when the user is outside the corporate network (the untrusted network). This
feature encourages greater security awareness by initiating a VPN connection when the user is
outside the trusted network.
If AnyConnect is also running Start Before Logon (SBL), and the user moves into the trusted network,
the SBL window displayed on the computer automatically closes.
TND does not interfere with the ability of the user to manually establish a VPN connection. It does
not disconnect a VPN connection that the user starts manually in the trusted network. TND only
disconnects the VPN session if the user first connects in an untrusted network and moves into a
trusted network. For example, TND disconnects the VPN session if the user makes a VPN connection
at home and then moves into the corporate office.
Because the TND feature controls the AnyConnect GUI and automatically initiates connections, the
GUI should run at all times. If the user exits the GUI, TND does not automatically start the VPN
connection.
You configure TND in the AnyConnect profile. No changes are required to the ASA configuration.
Question: 239
You are configuring a laptop with the Cisco VPN Client, which uses digital certificates for
authentication.
Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?
A. FTP
B. LDAP
C. HTTPS
D. SCEP
E. OCSP
Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
About CRLs
Certificate Revocation Lists provide the security appliance with one means of determining whether a
certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a
part of the configuration of a trustpoint.
You can configure the security appliance to make CRL checks mandatory when authenticating a
certificate (revocation-check crl command). You can also make the CRL check optional by adding the
none argument (revocation-check crl none command), which allows the certificate authentication to
succeed when the CA is unavailable to provide updated CRL data.
The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each
trustpoint are cached for a length of time configurable for each trustpoint.
When the security appliance has cached a CRL for more than the length of time it is configured to
cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security
appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication
Question: 240
When using clientless SSL VPN, you might not want some applications or web resources to go
through the Cisco ASA appliance. For these application and web resources, as a Cisco ASA
administrator, which configuration should you use?
Answer: C
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_web.html
Content Rewrite
The Content Rewrite pane lists all applications for which content rewrite is enabled or disabled.
Clientless SSL VPN processes application traffic through a content transformation/rewriting engine
that includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to
proxy HTTP traffic which may have different semantics and access control rules depending on
whether the user is using an application within or independently of an SSL VPN device.
By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want
some applications and web resources (for example, public websites) to go through the security
appliance. The security appliance therefore lets you create rewrite rules that let users browse certain
sites and applications without going through the security appliance. This is similar to split-tunneling
in an IPSec VPN connection.
You can create multiple rewrite rules. The rule number is important because the security appliance
searches rewrite rules by order number, starting with the lowest, and applies the first rule that
matches.
Question: 241
Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
Certificates have a date and time that they become valid and that they expire. When the security
appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time
is within the valid range for the certificate. If it is outside that range, enrollment fails.
The same would apply to communication between the ASA and the PC.
Question: 242
A NOC engineer is in the process of entering information into the Create New VPN Connection Entry
fields.
Which statement correctly describes how to do this?
A. In the Connection Entry field, enter the name of the connection profile as it is specified on the
Cisco ASA appliance.
B. In the Host field, enter the IP address of the remote client device.
C. In the Authentication tab, click the Group Authentication or Mutual Group Authentication radio
button to enable symmetrical pre-shared key authentication.
D. In the Name field, enter the name of the connection profile as it is specified on the Cisco ASA
appliance.
Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/win/user/guide/vc4.html#wp1074766
Step 1 Start the VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Client.
Step 2 The VPN Client application starts and displays the advanced mode main window (Figure 4-1).
If you are not already there, open the Options menu in simple mode and choose Advanced Mode or
press Ctrl-M.
Step 3 Select New from the toolbar or the Connection Entries menu. The VPN Client displays a form
Step 4 Enter a unique name for this new connection. You can use any name to identify this
connection; for example, Engineering. This name can contain spaces, and it is not case-sensitive.
Step 5 Enter a description of this connection. This field is optional, but it helps further identify this
connection.
For example, Connection to Engineering remote server.
Step 6 Enter the hostname or IP address of the remote VPN device you want to access.
Group Authentication
Your network administrator usually configures group authentication for you. If this is not the case,
use the following procedure:
Step 1 Click the Group Authentication radio button.
Step 2 In the Name field, enter the name of the IPSec group to which you belong. This entry is
case-sensitive.
Step 3 In the Password field, enter the password (which is also case-sensitive) for your IPSec group.
The field displays only asterisks.
Step 4 Verify your password by entering it again in the Confirm Password field.
Question: 243
A. The ISP-assigned IP address of 10.0.21.1 is assigned to the VPN adapter of the PC.
B. The IP address of the security appliance to which the Cisco VPN Client is connected is 192.168.1.2.
C. CorpNet is the name of the Cisco ASA group policy whose tunnel parameters the connection is
using.
D. The ability of the client to send packets transparently and unencrypted through the tunnel for test
purposes is turned off.
E. With split tunneling enabled, the Cisco VPN Client registers no decrypted packets.
Answer: B
Question: 244
An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation
headquarters, tried to access the XYZ sales demonstration folder to transfer a demonstration via FTP
from an ABC conference room behind the firewall. The engineer could not reach XYZ through the
remote-access VPN tunnel. From home the previous day, however, the engineer did connect to the
XYZ sales demonstration folder and transferred the demonstration via IPsec over DSL.
To get the connection to work and transfer the demonstration, what should the engineer do?
A. Change the MTU size on the IPsec client to account for the change from DSL to cable transmission.
B. Enable the local LAN access option on the IPsec client.
C. Enable the IPsec over TCP option on the IPsec client.
D. Enable the clientless SSL VPN option on the PC
Answer: C
Explanation:
IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an
environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key
Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with
modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols
within a TCP packet, and it enables secure tunneling through both Network Address Translation (NAT)
and Port Address Translation (PAT) devices and firewalls
Question: 245
While configuring a site-to-site VPN tunnel, a new NOC engineer encounters the Reverse Route
Injection parameter.
Assuming that static routes are redistributed by the Cisco ASA to the IGP, what effect does enabling
Reverse Route Injection on the local Cisco ASA have on a configuration?
A. The local Cisco ASA advertises its default routes to the distant end of the site-to-site VPN tunnel.
B. The local Cisco ASA advertises routes from the dynamic routing protocol that is running on the
local Cisco ASA to the distant end of the site-to-site VPN tunnel.
C. The local Cisco ASA advertises routes that are at the distant end of the site-to-site VPN tunnel.
D. The local Cisco ASA advertises routes that are on its side of the site-to-site VPN tunnel to the
distant end of the site-to-site VPN tunnel.
Answer: C
Explanation:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml
Question: 246
A NOC engineer needs to tune some prelogin parameters on an SSL VPN tunnel.
From the information that is shown, where should the engineer navigate to find the prelogin session
attributes?
Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac05hostscanposture.html#wp1039696
Question: 247
A NOC engineer needs to tune some postlogin parameters on an SSL VPN tunnel.
From the information shown, where should the engineer navigate to, in order to find all the postlogin
session parameters?
Answer: A
Explanation:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html#wp1054618
The policy group is a container that defines the presentation of the portal and the permissions for
resources that are configured for a group of remote users. Entering the policy group command places
the router in webvpn group policy configuration mode. After it is configured, the group policy is
attached to the SSL VPN context configuration by configuring the default-group-policy command.
The following tasks are accomplished in this configuration:
The presentation of the SSL VPN portal page is configured.
A NetBIOS server list is referenced.
A port-forwarding list is referenced.
The idle and session timers are configured.
A URL list is referenced.
Question: 248
For the ABC Corporation, members of the NOC need the ability to select tunnel groups from a
drop-down menu on the Cisco WebVPN login page.
As the Cisco ASA administrator, how would you accomplish this task?
A. Define a special identity certificate with multiple groups, which are defined in the certificate OU
field, that will grant the certificate holder access to the named groups on the login page.
B. Under Group Policies, define a default group that encompasses the required individual groups that
will appear on the login page.
C. Under Connection Profiles, define a NOC profile that encompasses the required individual profiles
that will appear on the login page.
D. Under Connection Profiles, enable "Allow user to select connection profile."
Answer: D
Explanation:
Cisco ASDM User Guide Version 6.1
Add or Edit SSL VPN Connections > Advanced > SSL VPN
This dialog box lets you configure attributes that affect what the remote user sees upon login.
Fields
• Login Page Customization—Configures the look and feel of the user login page by specifying which
preconfigured customization attributes to apply. The default is DfltCustomization.
• Manage—Opens the Configure GUI Customization Objects window.
• Connection Aliases—Lists in a table the existing connection aliases and their status and lets you
add or delete items in that table. A connection alias appears on the user login page if the connection
is configured to allow users to select a particular connection (tunnel group) at login.
– Add—Opens the Add Connection Alias window, on which you can add and enable a connection alias.
– Delete—Removes the selected row from the connection alias table. There is no confirmation or undo.
• Group URLs—Lists in a table the existing group URLs and their status and lets you add or delete
items in that table. A group URL appears on the user login page if the connection is configured to
allow users to select a particular group at login.
– Add—Opens the Add Group URL window, on which you can add and enable a group URL.
– Delete—Removes the selected row from the connection alias table. There is no confirmation or undo.
Question: 249
A junior network engineer configured the corporate Cisco ASA appliance to accommodate a new
temporary worker. For security reasons, the IT department wants to restrict the internal network
access of the new temporary worker to the corporate server, with an IP address of 10.0.4.10. After
the junior network engineer finished the configuration, an IT security specialist tested the account of
the temporary worker. The tester was able to access the URLs of additional secure servers from the
Answer: B
Question: 250
Your corporate finance department purchased a new non-web-based TCP application tool to run on
one of its servers. Certain finance employees need remote access to the software during nonbusiness
hours. These employees do not have "admin" privileges to their PCs.
What is the correct way to configure the SSL VPN tunnel to allow this application to run?
Answer: A
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html
A smart tunnel is a connection between a TCP-based application and a private site, using a clientless
(browser based) SSL VPN session with the security appliance as the pathway, and the security
appliance as a proxy server. You can identify applications to which you want to grant smart tunnel
access, and specify the local path to each application. For applications running on Microsoft
Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for
granting smart tunnel access.
Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might
want to grant smart tunnel access.
Configuring smart tunnels requires one of the following procedures, depending on whether the
application is a client or is a web-enabled application:
•Create one or more smart tunnel lists of the client applications, then assign the list to the group
policies or local user policies for whom you want to provide smart tunnel access.
•Create one or more bookmark list entries that specify the URLs of the web-enabled applications
eligible for smart tunnel access, then assign the list to the DAPs, group policies, or local user policies
for whom you want to provide smart tunnel access.
You can also list web-enabled applications for which to automate the submission of login credentials
in smart tunnel connections over clientless SSL VPN sessions.
Why Smart Tunnels?
Smart tunnel access lets a client TCP-based application use a browser-based VPN connection to
connect to a service. It offers the following advantages to users, compared to plug-ins and the legacy
Question: 251
Answer: B
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1162435
Plug-ins
The security appliance supports Java plug-ins for clientless SSL VPN connections. Plug-ins are Java
programs that operate in a browser. These plug-ins include SSH/Telnet, RDP, VNC, and Citrix.
Per the GNU General Public License (GPL), Cisco redistributes plug-ins without making any changes
to them.
Per the GPL, Cisco cannot directly enhance these plug-ins.
To use plug-ins you must install Java Runtime Environment (JRE) 1.4.2.x or greater. You must also use
a compatible browser specified here:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpncompatibility.html
Question: 252
A temporary worker must use clientless SSL VPN with an SSH plug-in, in order to access the console
of an internal corporate server, the projects.xyz.com server. For security reasons, the network
security auditor insists that the temporary user is restricted to the one internal corporate server,
10.0.4.18. You are the network engineer who is responsible for the network access of the temporary
user.
What should you do to restrict SSH access to the one projects.xyz.com server?
A. Configure access-list temp_user_acl extended permit TCP any host 10.0.4.18 eq 22.
B. Configure access-list temp_user_acl standard permit host 10.0.4.18 eq 22.
C. Configure access-list temp_acl webtype permit url ssh://10.0.4.18.
D. Configure a plug-in SSH bookmark for host 10.0.4.18, and disable network browsing on the
clientless SSL VPN portal of the temporary worker.
Answer: C
Explanation:
Web ACLs
The Web ACLs table displays the filters configured on the security appliance applicable to Clientless
SSL VPN traffic. The table shows the name of each access control list (ACL), and below and indented
to the right of the ACL name, the access control entries (ACEs) assigned to the ACL. Each ACL permits
or denies access to specific networks, subnets, hosts, and web servers. Each
ACE specifies one rule that serves the function of the ACL. You can configure ACLs to apply to
Clientless SSL VPN traffic. The following rules apply:
• If you do not configure any filters, all connections are permitted.
• The security appliance supports only an inbound ACL on an interface.
• At the end of each ACL, an implicit, unwritten rule denies all traffic that is not explicitly permitted.
You can use the following wildcard characters to define more than one wildcard in the Webtype
access list entry:
• Enter an asterisk “*” to match no characters or any number of characters.
• Enter a question mark “?” to match any one character exactly.
• Enter square brackets “[]” to create a range operator that matches any one character in a range.
The following examples show how to use wildcards in Webtype access lists.
• The following example matches URLs such as http://www.cisco.com/ and http://wwz.caco.com/:
access-list test webtype permit url http://ww?.c*co*/
Question: 253
Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless
SSL VPN session. Which statement is correct concerning the SSL VPN authorization process?
A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an
external AAA server.
B. Remote clients can be authorized externally by applying group parameters from an external
database.
C. Remote client authorization is supported by RADIUS and TACACS+ protocols.
D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.
Answer: B
Explanation:
CISCO SSL VPN guide
The aaa authentication command is entered to specify an authentication list or server group under a
SSL VPN context configuration. If this command is not configured and AAA is configured globally on
the router, global authentication will be applied to the context configuration.
The database that is configured for remote-user authentication on the SSL VPN gateway can be a
local database, or the database can be accessed through any RADIUS or TACACS+ AAA server.
We recommend that you use a separate AAA server, such as a Cisco Access Control Server (ACS). A
separate AAA server provides a more robust security solution. It allows you to configure unique
passwords for each remote user and accounting and logging for remote-user sessions.
Question: 254
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the
IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in Cisco
ASDM?
Answer: B
Question: 255
While troubleshooting a remote-access application, a new NOC engineer received the logging
message that is shown in the exhibit.
Which configuration is most likely to be mismatched?
A. IKE configuration
B. extended authentication configuration
C. IPsec configuration
D. digital certificate configuration
Answer: C
Explanation:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
and %ASA-5-713259: Group = groupname, Username = username, IP = peerIP,
Session is being torn down. Reason: reason
Explanation The termination reason for the ISAKMP session appears, which occurs when the session
is torn down through session management.
•groupname—The tunnel group of the session being terminated
•username—The username of the session being terminated
•peerIP—The peer address of the session being terminated
•reason—The RADIUS termination reason of the session being terminated. Reasons include the
following:
- Port Preempted (simultaneous logins)
- Idle Timeout
- Max Time Exceeded
- Administrator Reset
Question: 256
The ABC Corporation is changing remote-user authentication from pre-shared keys to
certificate-based authentication. For most employee authentication, its group membership (the employees)
governs corporate access. Certain management personnel need access to more confidential servers.
Access is based on the group and name, such as finance and level_2. When it is time to pilot the new
authentication policy, a finance manager is able to access the department-assigned servers but
cannot access the restricted servers.
As the network engineer, where would you look for the problem?
A. Check the validity of the identity and root certificate on the PC of the finance manager.
B. Change the Management Certificate to Connection Profile Maps > Rule Priority to a number that is
greater than 10.
C. Check if the Management Certificate to Connection Profile Maps > Rules is configured correctly.
D. Check if the Certificate to Connection Profile Maps > Policy is set correctly.
Answer: D
Explanation:
Cisco ASDM User Guide Version 6.1
Question: 257
A. employee
B. management
C. DefaultWEBVPNGroup
D. DfltGrpPolicy
E. new_hire
Answer: D
Question: 258
In the CLI snippet that is shown, what is the function of the deny option in the access list?
A. When set in conjunction with outbound connection-type bidirectional, its function is to prevent
the specified traffic from being protected by the crypto map entry.
B. When set in conjunction with connection-type originate-only, its function is to instruct the Cisco
ASA to deny specific inbound traffic if it is not encrypted.
C. When set in conjunction with outbound connection-type answer-only, its function is to instruct the
Cisco ASA to deny specific outbound traffic if it is not encrypted.
D. When set in conjunction with connection-type originate-only, its function is to cause all IP traffic
that matches the specified conditions to be protected by the crypto map.
Answer: A
Question: 259
A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a question about a
line in the log.
The IP address 172.26.26.30 is attached to which interface in the network?
Answer: B
Question: 260
When the user "contractor" Cisco AnyConnect tunnel is established, what type of Cisco ASA user
restrictions are applied to the tunnel?
Answer: D
Question: 261
Answer: B
Question: 262
When initiating a new SSL or TLS session, the client receives the server SSL certificate and validates it.
After validating the server certificate, what does the client use the certificate for?
A. The client and server use the server public key to encrypt the SSL session data.
B. The server creates a separate session key and sends it to the client. The client decrypts the session
key by using the server public key.
C. The client and server switch to a DH key exchange to establish a session key.
D. The client generates a random session key, encrypts it with the server public key, and then sends it
to the server.
Answer: D
Question: 263
When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or
PAT, which type of VPN tunneling should you use to allow the VPN traffic through the stateful
firewall?
Answer: B
Explanation:
IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an
environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key
Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with
modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols
within a TCP packet, and it enables secure tunneling through both Network Address Translation (NAT)
and Port Address Translation (PAT) devices and firewalls
Question: 264
While troubleshooting on a remote-access VPN application, a new NOC engineer received the
message that is shown.
What is the most likely cause of the problem?
A. The IP address that is assigned to the PC of the VPN user is not within the range of addresses that
are assigned to the SVC connection.
B. The IP address that is assigned to the PC of the VPN user is in use. The remote user needs to select
a different host address within the range.
C. The IP address that is assigned to the PC of the VPN user is in the wrong subnet. The remote user
needs to select a different host number within the correct subnet.
D. The IP address pool for contractors was not applied to their connection profile.
Answer: D
Explanation:
%ASA-5-722006: Group group User user-name IP IP_address Invalid address
IP_address assigned to SVC connection.
Explanation An invalid address was assigned to the user.
http://www.justcerts.com
Questios & Aoswers PDF P-243
Question: 265
What is a valid reason for configuring a list of backup servers in the Cisco AnyConnect VPN Client profile?
Answer: C
Question: 266
Answer: C
Explanation:
ASA SSLVPN deployment guide:
The security appliance supports various authentication methods: RSA one-time passwords, Radius, Kerberos, LDAP, NT Domain, TACACS, Local/Internal, digital certificates, and a combination of both authentication and certificates.
Question: 267
You have been using pre-shared keys for IKE authentication in your VPN. Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you enable scaling to numerous IPsec peers?
Answer: A
Question: 268
Which routing protocols does Cisco recommend in DMVPN between the company router and the ISP router? (Choose two.)
A. OSPF
B. RIPv2
C. ISIS
D. BGP
E. EIGRP
Answer: D, E
Question: 269
An employee working from home sends all traffic to the company server. Is there a policy that lets him use his local Internet provider and use the VPN only for company data?
A. tunnel all
B. No such policy exists
C. tunnel specified
D. tunnel exclude
Answer: C
Question: 270
Answer: E
Question: 271
Which algorithm does ISAKMP use to derive encryption and integrity keys?
A. RSA
B. 3DES
C. HMAC
D. AES
E. Diffie-Hellman
Answer: E
Question: 272
An engineer has successfully established a phase 1 tunnel, but notices that no packets are decrypted on the head end side of the tunnel. What is a potential cause for this issue?
Answer: A
Question: 273
A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 2 keys.
B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 1 keys.
C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 1 keys.
D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 2 keys.
Answer: A
Question: 274
Which algorithm does ISAKMP use to securely derive encryption and integrity keys?
A. Diffie-Hellman
B. AES
C. ECDSA
D. RSA
E. 3DES
Answer: D
Question: 275
An engineer is attempting to establish a new site-to-site VPN connection. The tunnel terminates on an ASA 5506-X which is behind an ASA 5515-X. The engineer notices that the tunnel is not establishing. Which option is a potential cause?
Answer: D
Question: 276
A company has a FlexVPN solution for remote access and one of their Cisco AnyConnect remote clients is having trouble connecting properly. Which command verifies that packets are being encrypted and decrypted?
Answer: E