Q1. CORRECT TEXT
Scenario
You are the network security administrator for your organization. Your company is growing and a remote branch office is being created. You are tasked with configuring your headquarters Cisco ASA to create a site-to-site IPsec VPN connection to the branch office Cisco ISR. The branch office ISR has already been deployed and configured and you need to complete the IPsec connectivity configurations on the HQ ASA to bring the new office online.
Use the following parameters to complete your configuration using ASDM. For this exercise, not all ASDM screens are active.
- Enable IKEv1 on the outside interface for site-to-site VPN
- Add a Connection Profile with the following parameters:
  - Peer IP: 203.0.113.1
  - Connection name: 203.0.113.1
  - Local protected network: 10.10.9.0/24
  - Remote protected network: 10.11.11.0/24
  - Group Policy Name: use the default policy name supplied
  - Preshared key: cisco
  - Disable IKEv2
  - Encryption Algorithms: use the ASA defaults
- Disable pre-configured NAT for testing of the IPsec tunnel
- Disable the outside NAT pool rule
- Establish the IPsec tunnel by sending ICMP pings from the Employee PC to the Branch Server at IP address 10.11.11.20
- Verify tunnel establishment in the ASDM VPN Statistics -> Sessions window pane
You have completed this exercise when you have successfully configured, established, and verified site-to-site IPsec connectivity between the ASA and the Branch ISR.
Topology
Answer: Review the explanation for detailed answer steps.
Explanation:
First, click on Configuration -> Site-to-Site VPN to bring up this screen:
Click on “Allow IKE v1 Access” for the outside interface, per the instructions, as shown below:
Then click Apply at the bottom of the page. This will bring up the following pop-up message:
Click on Send.
Next, we need to set up the connection profile. From the Connection Profiles tab, click on “Add”.
Then, fill in the information per the instructions as shown below:
Hit OK and you should see this:
To test this, we need to disable NAT. Go to Configuration -> Firewall -> NAT Rules and you should see this:
Click on Rule 1 to get the details and you will see this:
We need to uncheck the “Enable rule” box at the bottom. It might also be a good idea to uncheck “Translate DNS replies that match the rule”, but it should not be needed. Then, go back to the topology:
Click on Employee PC, and you will see a desktop with a command prompt shortcut. Use this to ping the IP address 10.11.11.20 and you should see replies:
We can also verify by viewing VPN Statistics -> Sessions and seeing the bytes in/out incrementing, as shown below:
Q2. Which cryptographic algorithms are approved to protect Top Secret information?
A. HIPPA DES
B. AES-128
C. RC4-128
D. AES-256
Answer: D
Q3. Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure Desktop? (Choose three.)
A. IKEv1
B. IKEv2
C. SSL client
D. SSL clientless
E. ESP
F. L2TP
Answer: B,C,D
Q4. Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation. Note: Not all screens or option selections are active for this exercise.
Topology
Which address pool is being assigned to the users connecting via the AnyConnect client?
A. AC_Address_Pool
B. Remote_Address_Pool
C. Outside_Address_Pool
D. VPN_Address_Pool
Answer: D
Explanation:
First, navigate to the Configuration -> Remote Access VPN tab and then choose the “AnyConnect Connection Profiles” page, as shown below:
Then, clicking on the AnyConnect profile at the bottom will bring you to the edit page shown below:
From here we can see that the Client Address Pool in use is “VPN_Access_Pool”.
Q5. Which three configuration parameters are mandatory for an IKEv2 profile? (Choose three.)
A. IKEv2 proposal
B. local authentication method
C. match identity or certificate
D. IKEv2 policy
E. PKI certificate authority
F. remote authentication method
G. IKEv2 profile description
H. virtual template
Answer: B,C,F
Q6. Refer to the exhibit.
The customer can establish an AnyConnect connection on the first attempt only. Subsequent attempts fail. What might be the issue?
A. IKEv2 is blocked over the path.
B. UserGroup must be different than the name of the connection profile.
C. The primary protocol should be SSL.
D. UserGroup must be the same as the name of the connection profile.
Answer: D
Q7. Which three types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL VPN portal? (Choose three.)
A. HTTP
B. VNC
C. CIFS
D. RDP
E. HTTPS
F. ICA (Citrix)
Answer: A,C,E
Q8. Which protocol can be used for better throughput performance when using Cisco AnyConnect VPN?
A. TLSv1
B. TLSv1.1
C. TLSv1.2
D. DTLSv1
Answer: D
Q9. Scenario:
You are the senior network security administrator for your organization. Recently, a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to the designated parameters. Using the CLI on both the Cisco ASA and the branch ISR, verify that the IPsec configuration is properly set up between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
Which crypto map tag is being used on the Cisco ASA?
A. outside_cryptomap
B. VPN-to-ASA
C. L2L_Tunnel
D. outside_map1
Answer: D
Explanation:
This is seen from the “show crypto ipsec sa” command on the ASA.
Q10. In the Diffie-Hellman protocol, which type of key is the shared secret?
A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key
Answer: A
Q11. You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command must you configure on the virtual template?
A. tunnel protection ipsec
B. ip virtual-reassembly
C. tunnel mode ipsec
D. ip unnumbered
Answer: D
Q12. What URL do you use to download a packet capture file in a format which can be used by a packet analyzer?
A. ftp://<hostname>/capture/<capture_name>/
B. https://<asdm_enabled_interface:port>/<capture_name>/
C. https://<asdm_enabled_interface:port>/admin/capture/<capture_name>/pcap
D. https://<hostname>/<capture_name>/pcap
Answer: C
Q13. If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to encrypt traffic?
A. DES
B. 3DES
C. AES
D. AES192
E. AES256
Answer: E
Explanation:
Both ASAs are configured to support AES-256, so during the IPsec negotiation they will use the strongest algorithm that is supported by both peers.
Q14. Which application does the Application Access feature of Clientless VPN support?
A. TFTP
B. VoIP
C. Telnet
D. active FTP
Answer: C
Q15. In which situation would you enable the Smart Tunnel option with clientless SSL VPN?
A. when a user is using an outdated version of a web browser
B. when an application is failing in the rewrite process
C. when IPsec should be used over SSL VPN
D. when a user has a nonsupported Java version installed
E. when cookies are disabled
Answer: B