NEW QUESTION 1

A network engineer is troubleshooting a site VPN tunnel configured on a Cisco ASA and wants to validate that the tunnel is sending and receiving traffic. Which command accomplishes this task?

• A. show crypto ikev1 sa peer
• B. show crypto ikev2 sa peer
• C. show crypto ipsec sa peer
• D. show crypto isakmp sa peer

Answer: C

NEW QUESTION 2

Which technology does a multipoint GRE interface require to resolve endpoints?

• A. ESP
• B. dynamic routing
• C. NHRP
• D. CEF
• E. IPSec

Answer: C

NEW QUESTION 3

Which command is used to determine how many GMs have registered in a GETVPN environment?

• A. show crypto isakmp sa
• B. show crypto gdoi ks members
• C. show crypto gdoi gm
• D. show crypto ipsec sa
• E. show crypto isakmp sa count

Answer: B

NEW QUESTION 4

Refer to the exhibit.

The user "contractor" inherits which VPN group policy?

• A. employee
• B. management
• C. DefaultWEBVPNGroup
• D. DfltGrpPolicy
• E. new_hire

Answer: D

NEW QUESTION 5

Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)

• A. SHA (HMAC variant)
• B. Diffie-Hellman
• C. DES
• D. MD5 (HMAC variant)

Answer: AB

NEW QUESTION 6

Which technology must be installed on the client computer to enable users to launch applications from a Clientless SSL VPN?

• A. Java
• B. QuickTime plug-in
• C. Silverlight
• D. Flash

Answer: A

NEW QUESTION 7

Which purpose of configuring perfect Forward secret is true?

• A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 2 keys.
• B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 1 keys.
• C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 1 keys.
• D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 2 keys.

Answer: A

NEW QUESTION 8


Refer to the exhibit. VPN load balancing provides a way to distribute remote access, IPsec, and SSL VPN connections across multiple security appliances. Which remote access client types does the load balancing feature support?

• A. IPsec site-to-site tunnels
• B. L2TP over IPsec
• C. OpenVPN
• D. Cisco AnyConnect Secure Mobility Client

Answer: B

NEW QUESTION 9

Which two technologies are considered to be Suite B cryptography? (Choose two.)

• A. MD5
• B. SHA2
• C. Elliptical Curve Diffie-Hellman
• D. 3DES
• E. DES

Answer: BC

NEW QUESTION 10

Which statement is true when implementing a router with a dynamic public IP address in a crypto map based site-to-site VPN?

• A. The router must be configured with a dynamic crypto map.
• B. Certificates are always used for phase 1 authentication.
• C. The tunnel establishment will fail if the router is configured as a responder only.
• D. The router and the peer router must have NAT traversal enabled.

Answer: C

NEW QUESTION 11

You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command must you configure on the virtual template?

• A. tunnel protection ipsec
• B. ip virtual-reassembly
• C. tunnel mode ipsec
• D. ip unnumbered

Answer: D

NEW QUESTION 12

Which hash algorithm is required to protect classified information?

• A. MD5
• B. SHA-1
• C. SHA-256
• D. SHA-384

Answer: D

NEW QUESTION 13

What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)

• A. CSCO_WEBVPN_OTP_PASSWORD
• B. CSCO_WEBVPN_INTERNAL_PASSWORD
• C. CSCO_WEBVPN_USERNAME
• D. CSCO_WEBVPN_RADIUS_USER

Answer: BC

NEW QUESTION 14

What are the three primary components of a GET VPN network? (Choose three.)

• A. Group Domain of Interpretation protocol
• B. Simple Network Management Protocol
• C. server load balancer
• D. accounting server
• E. group member
• F. key server

Answer: AEF

NEW QUESTION 15

Which technology can you implement to reduce latency issues associated with a Cisco AnyConnect VPN?

• A. DTLS
• B. SCTP
• C. DCCP
• D. SRTP

Answer: A

NEW QUESTION 16

Which statement about the hub in a DMVPN configuration with iBGP is true?

• A. It must be a route reflector client.
• B. It must redistribute EIGRP from the spokes.
• C. It must be in a different AS.
• D. It must be a route reflector.

Answer: D

NEW QUESTION 17

What must be enabled in the web browser of the client computer to support Clientless SSL VPN?

• A. cookies
• B. ActiveX
• C. Silverlight
• D. popups

Answer: A

NEW QUESTION 18

Scenario:
You are the senior network security administrator for your organization. Recently and junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:



In what state is the IKE security association in on the Cisco ASA?

• A. There are no security associations in place
• B. MM_ACTIVE
• C. ACTIVE(ACTIVE)
• D. QM_IDLE

Answer: B

Explanation:
This can be seen from the “show crypto isa sa” command:

NEW QUESTION 19

A client has asked an engineer to assist in installing and upgrading to the latest version of Cisco Any Connect Secure and upgrading to the latest version of Cisco Any Connect Secure Mobility Client. Which type of deployment method requires the updated version of the client to be loaded only on the headend device such as an ASA or ISE device?

• A. Web-deploy
• B. Cloud-deploy
• C. Cloud-update
• D. Web-update

Answer: A

NEW QUESTION 20

Which Cisco adaptive security appliance command can be used to view the count of all active VPN sessions?

• A. show vpn-sessiondb summary
• B. show crypto ikev1 sa
• C. show vpn-sessiondb ratio encryption
• D. show iskamp sa detail
• E. show crypto protocol statistics all

Answer: A

NEW QUESTION 21
From the CLI of a Cisco ASA 5520, which command shows specific information about current clientless and Cisco Anyconnect SSL VPN users only?

• A. show crypto ikve1 sa detail
• B. show vpn-sessiondb remote
• C. show vpn-sessiondb
• D. show von-sessiondb detail

Answer: D

NEW QUESTION 22

Refer to the exhibit.

What is the problem with the IKEv2 site-to-site VPN tunnel?

• A. incorrect PSK
• B. crypto access list mismatch
• C. incorrect tunnel group
• D. crypto policy mismatch
• E. incorrect certificate

Answer: D

NEW QUESTION 23

Drag and drop the debug messages on the left onto the associated function during trouble shooting on the right.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 24

Which two options are features of Cisco GET VPN? (Choose two.)

• A. Allows for optimal routing
• B. provides point to point IPsec SA
• C. Provides encryption for MPLS
• D. uses public Internet
• E. uses MORE

Answer: AC

NEW QUESTION 25

An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a Web browser. What is a possible reason for the failure?

• A. The user's FTP application is not supported.
• B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.
• C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.
• D. The user's operating system is not supported.

Answer: B

Explanation:

Reference:
http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70664-IOSthinclient.html
Thin-Client SSL VPN (Port Forwarding)
A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.

NEW QUESTION 26

What is the Cisco recommended TCP maximum segment on a DMVPN tunnel interface when the MTU is set to 1400 bytes?

• A. 1160 bytes
• B. 1260 bytes
• C. 1360 bytes
• D. 1240 bytes

Answer: C

NEW QUESTION 27

Which functionality is provided by L2TPv3 over FlexVPN?

• A. the extension of a Layer 2 domain across the FlexVPN
• B. the extension of a Layer 3 domain across the FlexVPN
• C. secure communication between servers on the FlexVPN
• D. a secure backdoor for remote access users through the FlexVPN

Answer: A

NEW QUESTION 28

A spoke has two Internet connections for failover. How can you achieve optimum failover without affecting any other router in the DMVPN cloud?

• A. Create another DMVPN cloud by configuring another tunnel interface that is sourced from the second ISP link.
• B. Use another router at the spoke site, because two ISP connections on the same router for the same hub is not allowed.
• C. Configure SLA tracking, and when the primary interface goes down, manually change the tunnel source of the tunnel interface.
• D. Create another tunnel interface with same configuration except the tunnel source, and configure the if-state nhrp and backup interface commands on the primary tunnel interface.

Answer: D

NEW QUESTION 29

An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation headquarters, tried to access the XYZ sales demonstration folder to transfer a demonstration via FTP from an ABC conference room behind the firewall. The engineer could not reach XYZ through the remote-access VPN tunnel. From home the previous day, however, the engineer did connect to the XYZ sales demonstration folder and transferred the demonstration via IPsec over DSL.
To get the connection to work and transfer the demonstration, what should the engineer do?

• A. Change the MTU size on the IPsec client to account for the change from DSL to cable transmission.
• B. Enable the local LAN access option on the IPsec client.
• C. Enable the IPsec over TCP option on the IPsec client.
• D. Enable the clientless SSL VPN option on the PC.

Answer: C

Explanation:
IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and it enables secure tunneling through both Network Address Translation (NAT) and Port Address Translation (PAT) devices and firewalls

NEW QUESTION 30
......