Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889?
A. auto applet download
B. port forwarding
C. web-type ACL
D. HTTP proxy
Answer: B
Q2. Refer to the exhibit.
The network administrator is adding a new spoke, but the tunnel is not passing traffic. What
could cause this issue?
A. DMVPN is a point-to-point tunnel, so there can be only one spoke.
B. There is no EIGRP configuration, and therefore the second tunnel is not working.
C. The NHRP authentication is failing.
D. The transform set must be in transport mode, which is a requirement for DMVPN.
E. The NHRP network ID is incorrect.
Answer: C
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#w p1055049
Q3. Which cryptographic algorithms are a part of the Cisco NGE suite?
A. HIPPA DES
B. AES-CBC-128
C. RC4-128
D. AES-GCM-256
Answer: D
Explanation: Reference:
https://www.cisco.com/web/learning/le21/le39/docs/tdw166_prezo.pdf
Q4. Which command is used to determine how many GMs have registered in a GETVPN environment?
A. show crypto isakmp sa
B. show crypto gdoi ks members
C. show crypto gdoi gm
D. show crypto ipsec sa
E. show crypto isakmp sa count
Answer: B
Q5. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto isakmp command on the headend router, you see the following output. What does this output suggest?
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE. Processing of Main Mode failed with peer at 10.10.10.10
A. Phase 1 policy does not match on both sides.
B. The transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. There is a mismatch in the ACL that identifies interesting traffic.
Answer: A
Q6. Which option is an example of an asymmetric algorithm?
A. 3DES
B. IDEA
C. AES
D. RSA
Answer: D
Q7. A user with IP address 10.10.10.10 is unable to access a HTTP website at IP address
209.165.200.225 through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)
A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any
B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1 and show logging | include 10.10.10.10
D. Check if an access-list on the firewall is blocking the user by using command show running-config access-list | include 10.10.10.10
E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234192.168.1.3 161 to see what the firewall is doing with the user's traffic
Answer: A,B
Q8. Which configuration is used to build a tunnel between a Cisco ASA and ISR?
A. crypto map
B. DMVPN
C. GET VPN
D. GRE with IPsec
E. GRE without IPsec
Answer: A
Q9. Which three changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose three.)
A. Enable EIGRP next-hop-self on the hub.
B. Disable EIGRP next-hop-self on the hub.
C. Enable EIGRP split-horizon on the hub.
D. Add NHRP redirects on the hub.
E. Add NHRP shortcuts on the spoke.
F. Add NHRP shortcuts on the hub.
Answer: A,D,E
Q10. Refer to the exhibit.
An administrator had the above configuration working with SSL protocol, but as soon as the administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not able to connect. What is the problem?
A. IPsec will not work in conjunction with a group URL.
B. The Cisco AnyConnect implementation does not allow the two group URLs to be the same. SSL does allow this.
C. If you specify the primary protocol as IPsec, the User Group must be the exact name of the connection profile (tunnel group).
D. A new XML profile should be created instead of modifying the existing profile, so that the clients force the update.
Answer: C
Q11. Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet Explorer, while other browsers work fine?
A. Verify the trusted zone and cookies settings in your browser.
B. Make sure that you specified the URL correctly.
C. Try the URL from another operating system.
D. Move to the IPsec client.
Answer: A
Q12. Which group-policy subcommand installs the Diagnostic AnyConnect Report Tool on user computers when a Cisco AnyConnect user logs in?
A. customization value dart
B. file-browsing enable
C. smart-tunnel enable dart
D. anyconnect module value dart
Answer: D
Q13. What is the default topology type for a GET VPN?
A. point-to-point
B. hub-and-spoke
C. full mesh
D. on-demand spoke-to-spoke
Answer: C
Q14. Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.)
A. transform set
B. ISAKMP policy
C. ACL that defines traffic to encrypt
D. dynamic routing protocol
E. tunnel interface
F. IPsec profile
G. PSK or PKI trustpoint with certificate
Answer: A,B,G
Q15. Which feature do you include in a highly available system to account for potential site failures?
A. geographical separation of redundant devices
B. hot/standby failover pairs
C. Cisco ACE load-balancing with VIP
D. dual power supplies
Answer: A