Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Which two statements comparing.ECC and RSA are true? (Choose two.)
A. ECC can have the same security as RSA but with a shorter key size.
B. ECC lags in performance when compared with RSA.
C. Key generation in ECC is slower and less CPU intensive.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. Key generation in ECC is faster and less CPU intensive.
Answer: A,E
Q2. Refer to the exhibit.
The network administrator is adding a new spoke, but the tunnel is not passing traffic. What
could cause this issue?
A. DMVPN is a point-to-point tunnel, so there can be only one spoke.
B. There is no EIGRP configuration, and therefore the second tunnel is not working.
C. The NHRP authentication is failing.
D. The transform set must be in transport mode, which is a requirement for DMVPN.
E. The NHRP network ID is incorrect.
Answer: C
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#w p1055049
Q3. Scenario:
You are the senior network security administrator for your organization. Recently and junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
at is being used as the authentication method on the branch ISR?
A. Certifcates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2
Answer: B
Explanation:
The show crypto isakmp key command shows the preshared key of “cisco”.
Q4. A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889?
A. auto applet download
B. port forwarding
C. web-type ACL
D. HTTP proxy
Answer: B
Q5. Which technology can rate-limit the number of tunnels on a DMVPN hub when system utilization is above a specified percentage?
A. NHRP Event Publisher
B. interface state control
C. CAC
D. NHRP Authentication
E. ip nhrp connect
Answer: C
Q6. Which two qualify as Next Generation Encryption integrity algorithms? (Choose two.)
A. SHA-512
B. SHA-256
C. SHA-192
D. SHA-380
E. SHA-192
F. SHA-196
Answer: A,B
Q7. Refer to the exhibit.
Which technology does this configuration demonstrate?
A. AnyConnect SSL over IPv4+IPv6
B. AnyConnect FlexVPN over IPv4+IPv6
C. AnyConnect FlexVPN IPv6 over IPv4
D. AnyConnect SSL IPv6 over IPv4
Answer: A
Q8. Which two technologies are considered to be Suite B cryptography? (Choose two.)
A. MD5
B. SHA2
C. Elliptical Curve Diffie-Hellman
D. 3DES
E. DES
Answer: B,C
Q9. A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco IOS router and the Windows server?
A. HTTPS
B. NetBIOS
C. CIFS
D. HTTP
Answer: C
Q10. Refer to the exhibit.
An IPsec peer is exchanging routes using IKEv2, but the routes are not installed in the RIB. Which configuration error is causing the failure?
A. IKEv2 routing requires certificate authentication, not pre-shared keys.
B. An invalid administrative distance value was configured.
C. The match identity command must refer to an access list of routes.
D. The IKEv2 authorization policy is not referenced in the IKEv2 profile.
Answer: B
Q11. Regarding licensing, which option will allow IKEv2 connections on the adaptive security appliance?
A. AnyConnect Essentials can be used for Cisco AnyConnect IKEv2 connections.
B. IKEv2 sessions are not licensed.
C. The Advanced Endpoint Assessment license must be installed to allow Cisco AnyConnect IKEv2 sessions.
D. Cisco AnyConnect Mobile must be installed to allow AnyConnect IKEv2 sessions.
Answer: B
Q12. Which option is most effective at preventing a remote access VPN user from bypassing the corporate transparent web proxy?
A. using the proxy-server settings of the client computer to specify a PAC file for the client computer to download
B. instructing users to use the corporate proxy server for all web browsing
C. disabling split tunneling
D. permitting local LAN access
Answer: C
Q13. Which two statements.about the Cisco ASA Clientless SSL VPN smart tunnels feature are true? (Choose two.)
A. Smart tunnels are enabled on the secure gateway (Cisco ASA) for specific applications that run on the end client and work irrespective of which transport protocol the application uses.
B. Smart tunnels require Administrative privileges to run on the client machine.
C. A smart tunnel is a DLL that is pushed from the headend to the client machine after SSL VPN portal authentication and that is attached to smart-tunneled processes to route traffic through the SSL VPN session with the gateway.
D. Smart tunnels offer better performance than the client-server plugins.
E. Smart tunnels are supported on Windows, Mac, and Linux.
Answer: C,D
Q14. Which two statements regarding IKEv2 are true per RFC 4306? (Choose two.)
A. It is compatible with IKEv1.
B. It has at minimum a nine-packet exchange.
C. It uses aggressive mode.
D. NAT traversal is included in the RFC.
E. It uses main mode.
F. DPD is defined in RFC 4309.
G. It allows for EAP authentication.
Answer: D,G
Q15. Which two features are required when configuring a DMVPN network? (Choose two.)
A. Dynamic routing protocol
B. GRE tunnel interface
C. Next Hop Resolution Protocol
D. Dynamic crypto map
E. IPsec encryption
Answer: B,C