Q1. Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.) A. SHA (HMAC variant) B. Diffie-Hellman C. DES D. MD5 (HMAC variant) Answer: A,B Q2. Which command enables the router to form EIGRP neighbor adjacencies with peers using a different subnet than the ingress interface? A. ip unnumbered interface B. eigrp router-id C. passive-interface interface name D. ip split-horizon eigrp as number Answer: A Q3. Which algorithm…
Q1. Which VPN feature allows remote access clients to print documents to local network printers? A. Reverse Route Injection B. split tunneling C. loopback addressing D. dynamic virtual tunnels Answer: B Q2. Which two GDOI encryption keys are used within a GET VPN network? (Choose two.) A. key encryption key B. group encryption key C. user encryption key D. traffic encryption key Answer: A,D Q3. Refer to the exhibit. A customer…
Q1. Which command specifies the path to the Host Scan package in an ASA AnyConnect VPN? A. csd hostscan path image B. csd hostscan image path C. csd hostscan path D. hostscan image path Answer: B Q2. In FlexVPN, what is the role of a NHRP resolution request? A. It allows these entities to directly communicate without requiring traffic to use an intermediate hop B. It dynamically…
Q1. Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.) A. transform set B. ISAKMP policy C. ACL that defines traffic to encrypt D. dynamic routing protocol E. tunnel interface F. IPsec profile G. PSK or PKI trustpoint with certificate Answer: A,B,G Q2. Refer to the exhibit. The IKEv2 tunnel between Router1 and Router2 is failing during session establishment. Which action will allow…
Q1. Which two are characteristics of GETVPN? (Choose two.) A. The IP header of the encrypted packet is preserved B. A key server is elected among all configured Group Members C. Unique encryption keys are computed for each Group Member D. The same key encryption and traffic encryption keys are distributed to all Group Members Answer: A,D Q2. Which type of NHRP packet is unique…
Q1. When you configure IPsec VPN High Availability Enhancements, which technology does Cisco recommend that you enable to make reconvergence faster? A. EOT B. IP SLAs C. periodic IKE keepalives D. VPN fast detection Answer: C Q2. Remote users want to access internal servers behind an ASA using Microsoft terminal services. Which option outlines the steps required to allow users access via the ASA clientless…
Q1. Refer to the exhibit. What is the problem with the IKEv2 site-to-site VPN tunnel? A. incorrect PSK B. crypto access list mismatch C. incorrect tunnel group D. crypto policy mismatch E. incorrect certificate Answer: B Q2. What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.) A. CSCO_WEBVPN_OTP_PASSWORD B. CSCO_WEBVPN_INTERNAL_PASSWORD C. CSCO_WEBVPN_USERNAME D. CSCO_WEBVPN_RADIUS_USER Answer: B,C Q3. Which algorithm is an example of asymmetric encryption? A. RC4 B. AES C. ECDSA D.…
Q1. In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require? A. Virtual tunnel interface B. Multipoint GRE interface C. Point-to-point GRE interface D. Loopback interface Answer: B Q2. Which option shows the correct traffic selectors for the child SA on the remote ASA, when the headquarter ASA initiates the tunnel? A. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.20.0/0-192.168.20.255/65535 B. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote…
Q1. Which two statements are true when designing a SSL VPN solution using Cisco AnyConnect? (Choose two.) A. The VPN server must have a self-signed certificate. B. A SSL group pre-shared key must be configured on the server. C. Server side certificate is optional if using AAA for client authentication. D. The VPN IP address pool can overlap with the rest of the LAN…
Q1. Refer to the exhibit. You executed the show crypto ipsec sa command to troubleshoot an IPSec issue. What problem does the given output indicate? A. IKEv2 failed to establish a phase 2 negotiation. B. The Crypto ACL is different on the peer device. C. ISAKMP was unable to find a matching SA. D. IKEv2 was used in aggressive mode. Answer: B Q2. Refer to the…
Q1. Which command clears all crypto configuration from a Cisco Adaptive Security Appliance? A. clear configure crypto B. clear configure crypto ipsec C. clear crypto map D. clear crypto ikev2 sa Answer: A Q2. Which two are characteristics of GETVPN? (Choose two.) A. The IP header of the encrypted packet is preserved B. A key server is elected among all configured Group Members C. Unique encryption keys are…
Q1. Which option describes the purpose of the shared argument in the DMVPN interface command tunnel protection IPsec profile ProfileName shared? A. shares a single profile between multiple tunnel interfaces B. allows multiple authentication types to be used on the tunnel interface C. shares a single profile between a tunnel interface and a crypto map D. shares a single profile between IKEv1 and IKEv2 View…
Q1. Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.) A. one IPsec SA for all encrypted traffic B. no requirement for an overlay routing protocol C. design for use over public or private WAN D. sequence numbers that enable scalable replay checking E. enabled use of ESP or AH F. preservation of IP protocol in outer header Answer: A,B Q2. Which option is…
Q1. Which transform set is contained in the IKEv2 default proposal? A. aes-cbc-192, sha256, group 14 B. 3des, md5, group 7 C. 3des, sha1, group 1 D. aes-cbc-128, sha, group 5 Answer: D Q2. Refer to the exhibit. Which two characteristics of the VPN implementation are evident? (Choose two.) A. dual DMVPN cloud setup with dual hub B. DMVPN Phase 3 implementation C. single DMVPN cloud setup with dual…
Q1. Which hash algorithm is required to protect classified information? A. MD5 B. SHA-1 C. SHA-256 D. SHA-384 Answer: D Q2. Which option is a required element of Secure Device Provisioning communications? A. the introducer B. the certificate authority C. the requestor D. the registration authority Answer: A Q3. Which command specifies the path to the Host Scan package in an ASA AnyConnect VPN? A. csd hostscan path image B. csd hostscan…
Q1. The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend using IKEv2. What is the most likely cause of this problem? A. User profile updates are not allowed with IKEv2. B. IKEv2 is not enabled on the group policy. C. A new profile must be created so that the adaptive security appliance can push it to…
Q1. A Cisco router may have a fan issue that could increase its temperature and trigger a failure. What troubleshooting steps would verify the issue without causing additional risks? A. Configure logging using commands "logging on", "logging buffered 4", and check for fan failure logs using "show logging" B. Configure logging using commands "logging on", "logging buffered 6", and check for fan…
Q1. CORRECT TEXT Scenario You are the network security administrator for your organization. Your company is growing and a remote branch office is being created. You are tasked with configuring your headquarters Cisco ASA to create a site-to-site IPsec VPN connection to the branch office Cisco ISR. The branch office ISR has already been deployed and configured and you need to complete…
Q1. Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the certificate has changed and the connection fails. What is a possible cause of the connection failure? A. An invalid modulus was used to generate the initial key. B. The VPN is using an expired certificate. C. The Cisco ASA appliance was reloaded. D. The Trusted Root Store is configured…
Q1. Refer to the exhibit. Which technology does this configuration demonstrate? A. AnyConnect SSL over IPv4+IPv6 B. AnyConnect FlexVPN over IPv4+IPv6 C. AnyConnect FlexVPN IPv6 over IPv4 D. AnyConnect SSL IPv6 over IPv4 Answer: A Q2. Which statement describes a prerequisite for single-sign-on Netegrity Cookie Support in an IOC SSL VPN? A. The Cisco AnyConnect Secure Mobility Client must be installed in flash. B. A SiteMinder plug-in must…
Q1. Which option is one component of a Public Key Infrastructure? A. the Registration Authority B. Active Directory C. RADIUS D. TACACS+ Answer: A Q2. Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN? A. vpn-filter none B. no vpn-filter C. filter value none D. filter value ACLname Answer: C Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/v.html#pgfId-1842564 Q3. A user is unable to establish an AnyConnect VPN connection to…
Q1. Which two statements are true when designing a SSL VPN solution using Cisco AnyConnect? (Choose two.) A. The VPN server must have a self-signed certificate. B. A SSL group pre-shared key must be configured on the server. C. Server side certificate is optional if using AAA for client authentication. D. The VPN IP address pool can overlap with the rest of the LAN…
Q1. Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.) A. aes-cbc-192, sha256, 14 B. 3des, md5, 5 C. 3des, sha1, 1 D. aes-cbc-128, sha, 5 Answer: B,D Q2. A spoke has two Internet connections for failover. How can you achieve optimum failover without affecting any other router in the DMVPN cloud? A. Create another DMVPN cloud by configuring another…
Q1. A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889? A. auto applet download B. port forwarding C. web-type ACL D. HTTP proxy Answer: B Q2. Refer to the exhibit. The network administrator is adding a new spoke, but the tunnel is not passing…
Q1. Which benefit of FlexVPN is not offered by DMVPN using IKEv1? A. Dynamic routing protocols can be configured. B. IKE implementation can install routes in routing table. C. GRE encapsulation allows for forwarding of non-IP traffic. D. NHRP authentication provides enhanced security. Answer: B Q2. A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid configuration constructs…
Q1. Refer to the exhibit. The IKEv2 tunnel between Router1 and Router2 is failing during session establishment. Which action will allow the session to establish correctly? A. The address command on Router2 must be narrowed down to a /32 mask. B. The local and remote keys on Router2 must be switched. C. The pre-shared key must be altered to use only lowercase letters. D. The…
Q1. Which three configuration parameters are mandatory for an IKEv2 profile? (Choose three.) A. IKEv2 proposal B. local authentication method C. match identity or certificate D. IKEv2 policy E. PKI certificate authority F. remote authentication method G. IKEv2 profile description H. virtual template Answer: B,C,F Q2. Which equation describes an elliptic curve? A. y3 = x3 + ax + b B. x3 = y2 + ab + x C. y4 = x2…
Q1. Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.) A. authenticates group members B. manages security policy C. creates group keys D. distributes policy/keys E. encrypts endpoint traffic F. receives policy/keys G. defines group members Answer: A,B,C,D Q2. Which two IKEv1 policy options must match on each peer when you configure an IPsec site-to-site VPN? (Choose two.) A. priority number B. hash algorithm C. encryption…
Q1. Refer to the exhibit. Which VPN solution does this configuration represent? A. Cisco AnyConnect (IKEv2) B. site-to-site C. DMVPN D. SSL VPN Answer: D Q2. What are three benefits of deploying a GET VPN? (Choose three.) A. It provides highly scalable point-to-point topologies. B. It allows replication of packets after encryption. C. It is suited for enterprises running over a DMVPN network. D. It preserves original source and destination…
Q1. What are the three primary components of a GET VPN network? (Choose three.) A. Group Domain of Interpretation protocol B. Simple Network Management Protocol C. server load balancer D. accounting server E. group member F. key server Answer: A,E,F Q2. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto isakmp command on the headend router, you see…
Q1. Which cryptographic algorithms are a part of the Cisco NGE suite? A. HIPPA DES B. AES-CBC-128 C. RC4-128 D. AES-GCM-256 Answer: D Explanation: Reference: https://www.cisco.com/web/learning/le21/le39/docs/tdw166_prezo.pdf Q2. Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco NGE supported VPN solution? A. AES-GCM and SHA-2 B. 3DES and DH C. AES-CBC and SHA-1 D. 3DES and SHA-1 Answer: A Q3. CORRECT TEXT Answer: Here are the steps as below: Step 1:…
Q1. If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to encrypt traffic? A. DES B. 3DES C. AES D. AES192 E. AES256 Answer: E Explanation: Both ASAs are configured to support AES 256, so during the IPSec negotiation they will use the strongest algorithm that is supported by each peer. Q2. Which option describes what address preservation with IPsec Tunnel Mode allows…
Q1. Which two statements comparing ECC and RSA are true? (Choose two.) A. ECC can have the same security as RSA but with a shorter key size. B. ECC lags in performance when compared with RSA. C. Key generation in ECC is slower and less CPU intensive. D. ECC cannot have the same security as RSA, even with an increased key size. E. Key generation in…
Q1. Which of the following could be used to configure remote access VPN Host-scan and pre-login policies? A. ASDM B. Connection-profile CLI command C. Host-scan CLI command under the VPN group policy D. Pre-login-check CLI command Answer: A Q2. Which statement describes a prerequisite for single-sign-on Netegrity Cookie Support in an IOC SSL VPN? A. The Cisco AnyConnect Secure Mobility Client must be installed in flash. B.…