Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Which option is one component of a Public Key Infrastructure?
A. the Registration Authority
B. Active Directory
C. RADIUS
D. TACACS+
Answer: A
Q2. Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?
A. vpn-filter none
B. no vpn-filter
C. filter value none
D. filter value ACLname
Answer: C
Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/v.html#pgfId-1842564
Q3. A user is unable to establish an AnyConnect VPN connection to an ASA. When using the Real-Time Log viewer within ASDM to troubleshoot the issue, which two filter options would the administrator choose to show only syslog messages relevant to the VPN connection? (Choose two.)
A. Client's public IP address
B. Client's operating system
C. Client's default gateway IP address
D. Client's username
E. ASA's public IP address
Answer: A,D
Q4. Which VPN type can be used to provide secure remote access from public internet cafes and airport kiosks?
A. site-to-site
B. business-to-business
C. Clientless SSL
D. DMVPN
Answer: C
Q5. Which cryptographic algorithms are approved to protect Top Secret information?
A. HIPPA DES
B. AES-128
C. RC4-128
D. AES-256
Answer: D
Q6. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto ipsec command on the headend router, you see the following output. What does this output suggest?
1d00h: IPSec (validate_proposal): transform proposal
(port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable
A. Phase 1 policy does not match on both sides.
B. The Phase 2 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. The crypto map is not applied on the remote peer.
E. The Phase 1 transform set does not match on both sides.
Answer: B
Q7. Which functionality is provided by L2TPv3 over FlexVPN?
A. the extension of a Layer 2 domain across the FlexVPN
B. the extension of a Layer 3 domain across the FlexVPN
C. secure communication between servers on the FlexVPN
D. a secure backdoor for remote access users through the FlexVPN
Answer: A
Q8. Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2 connection, while SSL works fine? (Choose two.)
A. Verify that the primary protocol on the client machine is set to IPsec.
B. Verify that AnyConnect is enabled on the correct interface.
C. Verify that the IKEv2 protocol is enabled on the group policy.
D. Verify that ASDM and AnyConnect are not using the same port.
E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.
Answer: A,C
Q9. When a tunnel is initiated by the headquarter ASA, which one of the following Diffie-Hellman groups is selected by the headquarter ASA during CREATE_CHILD_SA exchange?
A. 1
B. 2
C. 5
D. 14
E. 19
Answer: C
Explanation:
Traffic initiated by the HQ ASA is assigned to the static outside crypto map, which shown below to use DH group 5.
Q10. Refer to the exhibit.
Which type of VPN implementation is displayed?
A. IKEv2 reconnect
B. IKEv1 cluster
C. IKEv2 load balancer
D. IKEv1 client
E. IPsec high availability
F. IKEv2 backup gateway
Answer: C
Q11. Where is split-tunneling defined for remote access clients on an ASA?
A. Group-policy
B. Tunnel-group
C. Crypto-map
D. Web-VPN Portal
E. ISAKMP client
Answer: A
Q12. Which three parameters are specified in the isakmp (IKEv1) policy? (Choose three.)
A. the hashing algorithm
B. the authentication method
C. the lifetime
D. the session key
E. the transform-set
F. the peer
Answer: A,B,C
Q13. Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel group in cleartext?
A. more system:running-config
B. show running-config crypto
C. show running-config tunnel-group
D. show running-config tunnel-group-map
E. clear config tunnel-group
F. show ipsec policy
Answer: A
Q14. A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing
traffic to be blackholed. Which command should be used to identify the peer from which that route originated?
A. show crypto ikev2 sa detail
B. show crypto route
C. show crypto ikev2 client flexvpn
D. show ip route eigrp
E. show crypto isakmp sa detail
Answer: B
Q15. Which option describes the purpose of the command show derived-config interface virtual-access 1?
A. It verifies that the virtual access interface is cloned correctly with per-user attributes.
B. It verifies that the virtual template created the tunnel interface.
C. It verifies that the virtual access interface is of type Ethernet.
D. It verifies that the virtual access interface is used to create the tunnel interface.
Answer: A