Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Which two are characteristics of GETVPN? (Choose two.)
A. The IP header of the encrypted packet is preserved
B. A key server is elected among all configured Group Members
C. Unique encryption keys are computed for each Group Member
D. The same key encryption and traffic encryption keys are distributed to all Group Members
Answer: A,D
Q2. Which type of NHRP packet is unique to Phase 3 DMVPN topologies?
A. resolution request
B. resolution reply
C. redirect
D. registration request
E. registration reply
F. error indication
Answer: C
Q3. Which technology can rate-limit the number of tunnels on a DMVPN hub when system utilization is above a specified percentage?
A. NHRP Event Publisher
B. interface state control
C. CAC
D. NHRP Authentication
E. ip nhrp connect
Answer: C
Q4. Which three settings are required for crypto map configuration? (Choose three.)
A. match address
B. set peer
C. set transform-set
D. set security-association lifetime
E. set security-association level per-host
F. set pfs
Answer: A,B,C
Q5. Where do you configure AnyConnect certificate-based authentication in ASDM?
A. group policies
B. AnyConnect Connection Profile
C. AnyConnect Client Profile
D. Advanced Network (Client) Access
Answer: B
Q6. A user with IP address 10.10.10.10 is unable to access a HTTP website at IP address
209.165.200.225 through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)
A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any
B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1 and show logging | include 10.10.10.10
D. Check if an access-list on the firewall is blocking the user by using command show running-config access-list | include 10.10.10.10
E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234192.168.1.3 161 to see what the firewall is doing with the user's traffic
Answer: A,B
Q7. Which technology must be installed on the client computer to enable users to launch applications from a Clientless SSL VPN?
A. Java
B. QuickTime plug-in
C. Silverlight
D. Flash
Answer: A
Q8. Which feature enforces the corporate policy for Internet access to Cisco AnyConnect VPN users?
A. Trusted Network Detection
B. Datagram Transport Layer Security
C. Cisco AnyConnect Customization
D. banner message
Answer: A
Q9. When you troubleshoot Cisco AnyConnect, which step does Cisco recommend before you open a TAC case?
A. Show applet Lifecycle exceptions.
B. Disable cookies.
C. Enable the WebVPN cache.
D. Collect a DART bundle.
Answer: D
Q10. After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24 network are unable to access the internet. Which of the following can be done to resolve this problem?
A. Change the Diffie-Hellman group on the headquarter ASA to group5forthe dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEvI configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0
Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 to 192.168.22.0/24.
Q11. Which.protocol must be enabled on the inside interface to use cluster encryption in SSL VPN load balancing?
A. TLS
B. DTLS
C. IKEv2
D. ISAKMP
Answer: D
Q12. Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel?
A. show crypto ipsec sa
B. show crypto isakmp sa
C. show crypto ikev2 sa
D. show ip nhrp
Answer: C
Q13. Which option is most effective at preventing a remote access VPN user from bypassing the corporate transparent web proxy?
A. using the proxy-server settings of the client computer to specify a PAC file for the client computer to download
B. instructing users to use the corporate proxy server for all web browsing
C. disabling split tunneling
D. permitting local LAN access
Answer: C
Q14. As network security architect, you must implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity. Which.technology should you use?
A. IPsec DVTI
B. FlexVPN
C. DMVPN
D. IPsec SVTI
E. GET VPN
Answer: E
Q15. Which VPN solution is best for a collection of branch offices connected by MPLS that frequenty make VoIP calls between branches?
A. GETVPN
B. Cisco AnyConnect
C. site-to-site
D. DMVPN
Answer: A