Cisco 300-730 Free Practice Questions

NEW QUESTION 1
Which command automatically initiates a smart tunnel when a user logs in to the WebVPN portal page?

• A. auto-upgrade
• B. auto-connect
• C. auto-start
• D. auto-run

Answer: C

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-configure-policy-group.html

NEW QUESTION 2
In a FlexVPN deployment, the spokes successfully connect to the hub, but spoke-to-spoke tunnels do not form. Which troubleshooting step solves the issue?

• A. Verify the spoke configuration to check if the NHRP redirect is enabled.
• B. Verify that the spoke receives redirect messages and sends resolution requests.
• C. Verify the hub configuration to check if the NHRP shortcut is enabled.
• D. Verify that the tunnel interface is contained within a VRF.

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-summ-maps.pdf

NEW QUESTION 3
Under which section must a bookmark or URL list be configured on a Cisco ASA to be available for clientless SSLVPN users?

• A. tunnel-group (general-attributes)
• B. tunnel-group (webvpn-attributes)
• C. webvpn (group-policy)
• D. webvpn (global configuration)

Answer: D

NEW QUESTION 4
A second set of traffic selectors is negotiated between two peers using IKEv2. Which IKEv2 packet will contain details of the exchange?

• A. IKEv2 IKE_SA_INIT
• B. IKEv2 INFORMATIONAL
• C. IKEv2 CREATE_CHILD_SA
• D. IKEv2 IKE_AUTH

Answer: B

NEW QUESTION 5
A Cisco ASA is configured in active/standby mode. What is needed to ensure that Cisco AnyConnect users can connect after a failover event?

• A. AnyConnect images must be uploaded to both failover ASA devices.
• B. The vpnsession-db must be cleared manually.
• C. Configure a backup server in the XML profile.
• D. AnyConnect client must point to the standby IP address.

Answer: A

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_standby.html

NEW QUESTION 6
Which IKE identity does an IOS/IOS-XE headend expect to receive if an IPsec Cisco AnyConnect client uses default settings?

• A. *$SecureMobilityClient$*
• B. *$AnyConnectClient$*
• C. *$RemoteAccessVpnClient$*
• D. *$DfltlkeldentityS*

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

NEW QUESTION 7
Refer to the exhibit.

Which VPN technology is used in the exhibit?

• A. DVTI
• B. VTI
• C. DMVPN
• D. GRE

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/zZ-Archive/IPsec_Virtual_Tunnel_Interface.html#GUID-EB8C433B-2394-42B9-997F-B40803E58A91

NEW QUESTION 8
Refer to the exhibit.

Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?

• A. dns-server value 10.1.1.2
• B. same-security-traffic permit intra-interface
• C. same-security-traffic permit inter-interface
• D. dns-server value 10.1.1.3

Answer: B

NEW QUESTION 9
Refer to the exhibit.

The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?
A.

• A.
• B. D.

Answer: D

NEW QUESTION 10
Which technology is used to send multicast traffic over a site-to-site VPN?

• A. GRE over IPsec on IOS router
• B. GRE over IPsec on FTD
• C. IPsec tunnel on FTD
• D. GRE tunnel on ASA

Answer: B

NEW QUESTION 11
Which configuration construct must be used in a FlexVPN tunnel?

• A. EAP configuration
• B. multipoint GRE tunnel interface
• C. IKEv1 policy
• D. IKEv2 profile

Answer: D

NEW QUESTION 12
What are two functions of ECDH and ECDSA? (Choose two.)

• A. nonrepudiation
• B. revocation
• C. digital signature
• D. key exchange
• E. encryption

Answer: CD

Explanation:
Reference: https://tools.cisco.com/security/center/resources/next_generation_cryptography

NEW QUESTION 13
Refer to the exhibit.

Which two commands under the tunnel-group webvpn-attributes result in a Cisco AnyConnect user receiving the AnyConnect prompt in the exhibit? (Choose two.)

• A. group-url https://172.16.31.10/General enable
• B. group-policy General internal
• C. authentication aaa
• D. authentication certificate
• E. group-alias General enable

Answer: BE

NEW QUESTION 14
Refer to the exhibit.

An engineer is troubleshooting a new GRE over IPsec tunnel. The tunnel is established but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?

• A. ESP packets from spoke2 to spoke1
• B. ISAKMP packets from spoke2 to spoke1
• C. ESP packets from spoke1 to spoke2
• D. ISAKMP packets from spoke1 to spoke2

Answer: A

NEW QUESTION 15
Which two changes must be made in order to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two.)

• A. Add NHRP shortcuts on the hub.
• B. Add NHRP redirects on the spoke.
• C. Disable EIGRP next-hop-self on the hub.
• D. Enable EIGRP next-hop-self on the hub.
• E. Add NHRP redirects on the hub.

Answer: CE

NEW QUESTION 16
Which command is used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?

• A. show crypto ikev2 sa
• B. show crypto isakmp sa
• C. show crypto gkm
• D. show crypto identity

Answer: A

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116413-configure-flexvpn-00.pdf

NEW QUESTION 17
Refer to the exhibit.

The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch is the problem?

• A. preshared key
• B. peer identity
• C. transform set
• D. ikev2 proposal

Answer: B

NEW QUESTION 18
Which feature of GETVPN is a limitation of DMVPN and FlexVPN?

• A. sequence numbers that enable scalable replay checking
• B. enabled use of ESP or AH
• C. design for use over public or private WAN
• D. no requirement for an overlay routing protocol

Answer: D

NEW QUESTION 19
DRAG DROP
Drag and drop the correct commands from the night onto the blanks within the code on the left to implement a design that allow for dynamic spoke-to-spoke communication. Not all comments are used.
Select and Place:

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-16/sec-conn-dmvpn-xe-16-book/sec-conn-dmvpn-summ-maps.html

NEW QUESTION 20
Refer to the exhibit.

Cisco AnyConnect must be set up on a router to allow users to access internal servers 192.168.0.10 and 192.168.0.11. All other traffic should go out of the client's local NIC. Which command accomplishes this configuration?

• A. svc split include 192.168.0.0 255.255.255.0
• B. svc split exclude 192.168.0.0 255.255.255.0
• C. svc split include acl CCNP
• D. svc split exclude acl CCNP

Answer: C

NEW QUESTION 21
Which statement about GETVPN is true?

• A. The configuration that defines which traffic to encrypt originates from the key server.
• B. TEK rekeys can be load-balanced between two key servers operating in COOP.
• C. The pseudotime that is used for replay checking is synchronized via NTP.
• D. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.

Answer: A

NEW QUESTION 22
Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)

• A. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.
• B. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.
• C. A Cisco ASA can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.
• D. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the ASA uses its configured DNS servers to perform FQDN resolution.
• E. Clientless SSLVPN provides Layer 3 connectivity into the secured network.

Answer: CD

NEW QUESTION 23
Refer to the exhibit.

A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action brings up the VPN tunnel?

• A. Reduce the maximum SA limit on the local Cisco ASA.
• B. Increase the maximum in-negotiation SA limit on the local Cisco ASA.
• C. Remove the maximum SA limit on the remote Cisco ASA.
• D. Correct the crypto access list on both Cisco ASA devices.

Answer: B

NEW QUESTION 24
......