Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.)
A. authenticates group members
B. manages security policy
C. creates group keys
D. distributes policy/keys
E. encrypts endpoint traffic
F. receives policy/keys
G. defines group members
Answer: A,B,C,D
Q2. Which two IKEv1 policy options must match on each peer when you configure an IPsec site-to-site VPN? (Choose two.)
A. priority number
B. hash algorithm
C. encryption algorithm
D. session lifetime
E. PRF algorithm
Answer: B,C
Q3. Which command clears all crypto configuration from a Cisco Adaptive Security Appliance?
A. clear configure crypto
B. clear configure crypto ipsec
C. clear crypto map
D. clear crypto ikev2 sa
Answer: A
Q4. Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.)
A. transform set
B. ISAKMP policy
C. ACL that defines traffic to encrypt
D. dynamic routing protocol
E. tunnel interface
F. IPsec profile
G. PSK or PKI trustpoint with certificate
Answer: A,B,G
Q5. After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24 network are unable to access the internet. Which of the following can be done to resolve this problem?
A. Change the Diffie-Hellman group on the headquarter ASA to group5forthe dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEvI configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0
Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 to 192.168.22.0/24.
Q6. Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)
A. SHA (HMAC variant)
B. Diffie-Hellman
C. DES
D. MD5 (HMAC variant)
Answer: A,B
Q7. Which protocols does the Cisco AnyConnect client use to build multiple connections to the security appliance?
A. TLS and DTLS
B. IKEv1
C. L2TP over IPsec
D. SSH over TCP
Answer: A
Q8. Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.
Topology
Default_Home
Which two networks will be included in the secured VPN tunnel? (Choose two.)
A. 10.10.0.0/16
B. All networks will be securely tunneled
C. Networks with a source of any4
D. 10.10.9.0/24
E. DMZ network
Answer: A,E
Explanation:
Navigate to the Configuration -> Remote Access -> Group Policies tab to observe the following:
Then, click on the DlftGrpPolicy to see the following:
On the left side, select “Split Tunneling” to get to this page:
Here you see that the Network List called “Inside Subnets” is being tunneled (secured). Select Manage to see the list of networks
Here we see that the 10.10.0.0/16 and DMZ networks are being secured over the tunnel.
Q9. Refer to the exhibit.
Which technology is represented by this configuration?
A. AAA for FlexVPN
B. AAA for EzVPN
C. TACACS+ command authorization
D. local command authorization
Answer: A
Q10. Which option is an example of an asymmetric algorithm?
A. 3DES
B. IDEA
C. AES
D. RSA
Answer: D
Q11. Which alogrithm is an example of asymmetric encryption?
A. RC4
B. AES
C. ECDSA
D. 3DES
Answer: C
Q12. Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)
A. aes-cbc-192, sha256, 14
B. 3des, md5, 5
C. 3des, sha1, 1
D. aes-cbc-128, sha, 5
Answer: B,D
Q13. When you configure IPsec VPN High Availability Enhancements, which technology does Cisco recommend that you enable to make reconvergence faster?
A. EOT
B. IP SLAs
C. periodic IKE keepalives
D. VPN fast detection
Answer: C
Q14. Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure Desktop? (Choose three.)
A. IKEv1
B. IKEv2
C. SSL client
D. SSL clientless
E. ESP
F. L2TP
Answer: B,C,D
Q15. Which two RADIUS attributes are needed for a VRF-aware FlexVPN hub? (Choose two.)
A. ip:interface-config=ip unnumbered loobackn
B. ip:interface-config=ip vrf forwarding ivrf
C. ip:interface-config=ip src route
D. ip:interface-config=ip next hop
E. ip:interface-config=ip neighbor 0.0.0.0
Answer: A,B