300-209 Premium Bundle

Implementing Cisco Secure Mobility Solutions (SIMOS) Certification Exam

Last update: November 21, 2024

Cisco 300-209 Free Practice Questions

Q1. Refer to the exhibit. 

The IKEv2 tunnel between Router1 and Router2 is failing during session establishment. Which action will allow the session to establish correctly? 

A. The address command on Router2 must be narrowed down to a /32 mask. 

B. The local and remote keys on Router2 must be switched. 

C. The pre-shared key must be altered to use only lowercase letters. 

D. The local and remote keys on Router2 must be the same. 

Answer:

Q2. When you configure IPsec VPN High Availability Enhancements, which technology does Cisco recommend that you enable to make reconvergence faster? 

A. EOT 

B. IP SLAs 

C. periodic IKE keepalives 

D. VPN fast detection 

Answer:

Q3. What action does the hub take when it receives a NHRP resolution request from a spoke for a network that exists behind another spoke? 

A. The hub sends back a resolution reply to the requesting spoke. 

B. The hub updates its own NHRP mapping. 

C. The hub forwards the request to the destination spoke. 

D. The hub waits for the second spoke to send a request so that it can respond to both spokes. 

Answer:

Q4. Which statement regarding GET VPN is true? 

A. TEK rekeys can be load-balanced between two key servers operating in COOP. 

B. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server. 

C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration. 

D. The configuration that defines which traffic to encrypt is present only on the key server. 

E. The pseudotime that is used for replay checking is synchronized via NTP. 

Answer:

Q5. Scenario: 

You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.

You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify that the IPsec configuration is correct between the two sites.

NOTE: the show running-config command cannot be used for this exercise. 

Topology: 

Which crypto map tag is being used on the Cisco ASA? 

A. outside_cryptomap 

B. VPN-to-ASA 

C. L2L_Tunnel 

D. outside_map1 

Answer:

Explanation: 

This is seen from the “show crypto ipsec sa” command on the ASA. 

Q6. Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel? 

A. show crypto ipsec sa 

B. show crypto isakmp sa 

C. show crypto ikev2 sa 

D. show ip nhrp 

Answer:

Q7. An internet-based VPN solution is being considered to replace an existing private WAN connecting remote offices. A multimedia application is used that relies on multicast for communication. Which two VPN solutions meet the application's network requirement? (Choose two.) 

A. FlexVPN 

B. DMVPN 

C. Group Encrypted Transport VPN 

D. Crypto-map based Site-to-Site IPsec VPNs 

E. AnyConnect VPN 

Answer: A,B 

Q8. Which two technologies are considered to be Suite B cryptography? (Choose two.) 

A. MD5 

B. SHA2 

C. Elliptical Curve Diffie-Hellman 

D. 3DES 

E. DES 

Answer: B,C 

Q9. The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend using IKEv2. What is the most likely cause of this problem? 

A. User profile updates are not allowed with IKEv2. 

B. IKEv2 is not enabled on the group policy. 

C. A new profile must be created so that the adaptive security appliance can push it to the client on the next connection attempt. 

D. Client Services is not enabled on the adaptive security appliance. 

Answer:

Q10. Refer to the exhibit. 

Which statement about the given IKE policy is true? 

A. The tunnel will be valid for 2 days, 88 minutes, and 00 seconds. 

B. It will use encrypted nonces for authentication. 

C. It has a keepalive of 60 minutes, checking every 5 minutes. 

D. It uses a 56-bit encryption algorithm. 

Answer:

Q11. What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.) 

A. CSCO_WEBVPN_OTP_PASSWORD 

B. CSCO_WEBVPN_INTERNAL_PASSWORD 

C. CSCO_WEBVPN_USERNAME 

D. CSCO_WEBVPN_RADIUS_USER 

Answer: B,C 

Q12. Which configuration construct must be used in a FlexVPN tunnel? 

A. multipoint GRE tunnel interface 

B. IKEv1 policy 

C. IKEv2 profile 

D. EAP configuration 

Answer:

Q13. Scenario 

Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation. Note: Not all screens or option selections are active for this exercise.

Topology 

Which address pool is being assigned to the users connecting via the AnyConnect client? 

A. AC_Address_Pool 

B. Remote_Address_Pool 

C. Outside_Address_Pool 

D. VPN_Address_Pool 

Answer:

Explanation: 

First, navigate to the Configuration -> Remote Access VPN tab and then choose the “AnyConnect Connection Profile” as shown below:

Then, clicking on the AnyConnect Profile at the bottom will bring you to the edit page shown below: 

From here we can see that the Client Address Pools value in use is “VPN_Access_Pool”.

Q14. If Web VPN bookmarks are grayed out on the home screen, which action should you take to begin troubleshooting? 

A. Determine whether the Cisco ASA can resolve the DNS names. 

B. Determine whether the Cisco ASA has DNS forwarders set up. 

C. Determine whether an ACL is present to permit DNS forwarding. 

D. Replace the DNS name with an IP address. 

Answer:

Q15. In the Cisco ASDM interface, where do you enable the DTLS protocol setting? 

A. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy 

B. Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit 

C. Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client 

D. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit 

Answer:

Reference: 

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin/admin5.html

The reference shows that DTLS can be configured at:

- Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client

- Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client

- Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
