
Huseein aljanabi

huss.shaneen@ymail.com
QUESTION NO: 214
An engineer wants to ensure that employees cannot access corporate resources on untrusted networks, but does not want a new VPN session to be established each time they leave the trusted network. Which Cisco AnyConnect Trusted Network Policy option allows this ability?
A. Pause
B. Connect
C. Do Nothing
D. Disconnect
Answer: A
QUESTION NO: 215
Refer to the exhibit. In this tunnel mode GRE multipoint example, which command on the hub router distinguishes one spoke from the other?
A. no ip route
B. ip nhrp map
C. ip frame-relay
D. tunnel mode gre multipoint
Answer: B
QUESTION NO: 216
A network engineer must configure a new VPN tunnel utilizing IKEv2. For which three reasons would a configuration use IKEv2 instead of IKEv1? (Choose three.)
A. increased hash size
B. DoS protection
C. Preshared keys are used for authentication.
D. RSA-Sig used for authentication
E. native NAT traversal
F. asymmetric authentication
Answer: BEF
QUESTION NO: 217
A network engineer is troubleshooting a site VPN tunnel configured on a Cisco ASA and wants to validate that the tunnel is sending and receiving traffic. Which command accomplishes this task?
A. show crypto ikev1 sa peer
B. show crypto ikev2 sa peer
C. show crypto ipsec sa peer
D. show crypto isakmp sa peer
Answer: C
QUESTION NO: 218
When troubleshooting clientless SSL VPN connections, which option can be verified on the client PC?
A. address assignment
B. DHCP configuration
C. tunnel group attributes
D. host file misconfiguration
Answer: C
QUESTION NO: 219
Which two commands are included in the command show dmvpn detail? (Choose two.)
A. show ip nhrp
B. show ip nhrp nhs
C. show crypto ipsec sa detail
D. show crypto session detail
E. show crypto sockets
Answer: BD
QUESTION NO: 220
An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS routers. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats seem to show that they are up. However, when trying to connect to a remote server using RDP, the connection fails. Which action resolves this issue?
A. Change DMVPN timeout values.
B. Adjust the MTU size within the routers.
C. Replace certificate on the RDP server.
D. Add RDP port to the extended ACL.
Answer: C
QUESTION NO: 221
Which feature is a benefit of Dynamic Multipoint VPN?
A. geographic filtering of spoke devices
B. translation PAT
C. rotating wildcard preshared keys
D. dynamic spoke-to-spoke tunnel establishment
Answer: D
QUESTION NO: 222
An engineer has configured Cisco AnyConnect VPN using IKEv2 on a Cisco IOS router. The user cannot connect in the Cisco AnyConnect client, but receives an alert message "Use a browser to gain access." Which action does the engineer take to eliminate this issue?
A. Reset user login credentials.
B. Disable the HTTP server.
C. Correct the URL address.
D. Connect using HTTPS.
Answer: C
QUESTION NO: 223
Refer to the exhibit. A network administrator is running DMVPN with EIGRP. When the administrator looks at the routing table on spoke 1, it displays a route to the hub only. Which command is missing on the hub router that would include spoke 2 and spoke 3 in the spoke 1 routing table?
A. no inverse arp
B. neighbor (ip address)
C. no ip split-horizon eigrp 1
D. redistribute static
Answer: A
QUESTION NO: 224
Which algorithm provides both encryption and authentication for plane communication?
A. RC4
B. SHA-384
C. AES-256
D. SHA-96
E. 3DES
F. AES-GCM
Answer: F
QUESTION NO: 225
Refer to the exhibit. Client 1 cannot communicate with Client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?
A. same-security-traffic permit inter-interface
B. same-security-traffic permit intra-interface
C. dns-server value 10.1.1.3
D. split-tunnel-network list
Answer: B
QUESTION NO: 226
Which statement regarding GET VPN is true?
A. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server.
B. The pseudotime that is used for replay checking is synchronized via NTP.
C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
D. TEK rekeys can be load-balanced between two key servers operating in COOP.
E. The configuration that defines which traffic to encrypt is present only on the key server.
Answer: E
QUESTION NO: 227
Which two statements comparing ECC and RSA are true? (Choose two.)
A. Key generation in ECC is slower and more CPU intensive than RSA.
B. ECC can have the same security as RSA but with a shorter key size.
C. Key generation in ECC is faster and less CPU intensive than RSA.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. ECC lags in performance when compared with RSA.
Answer: BC
QUESTION NO: 228
Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two.)
A. to define group members
B. to distribute static routing information
C. to distribute dynamic routing information
D. to encrypt transit traffic
Answer: AD
QUESTION NO: 229
Refer to the exhibit. What is the purpose of the given configuration?
A. Enabling IPSec to decrypt fragmented packets.
B. Establishing a GRE tunnel.
C. Resolving access issues caused by large packet sizes.
D. Adding the spoke to the routing table.
Answer: C
QUESTION NO: 230
Refer to the exhibit. The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch might be the problem?
A. transform set
B. peer identity
C. PSK
D. crypto policy
Answer: B
QUESTION NO: 231
What URL do you use to download a packet capture file in a format which can be used by a packet analyzer?
A. https://<hostname>/<capture_name>/pcap
B. ftp://<hostname>/<capture_name>/
C. https://<asdm_enabled_interface:port>/<capture_name>
D. https://<asdm_enabled_interface:port>/admin/capture/<capture_name>/pcap
Answer: D
QUESTION NO: 232
Refer to the exhibit. An engineer is troubleshooting a new GRE over IPSEC tunnel. The tunnel is established, but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?
A. ESP packets from spoke1 to spoke2
B. ISAKMP packets from spoke2 to spoke1
C. ESP packets from spoke2 to spoke1
D. ISAKMP packets from spoke1 to spoke2
Answer: C
QUESTION NO: 233
A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message:
The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.
Which option is the likely cause of this issue?
A. This Cisco ASA firewall has experienced a failure.
B. The user is entering an incorrect password.
C. The user's operating system is not supported with the ASA's current configuration.
D. The user laptop clock is not synchronized with NTP.
Answer: C
QUESTION NO: 234
Which two operational advantages does GETVPN offer over site-to-site IPsec tunnels in a private MPLS-based core network? (Choose two.)
A. Key servers perform encryption and decryption of all the data in the network, which allows for tight security policies.
B. Traffic uses one VRF to encrypt data and a different one to decrypt data, which allows for multicast traffic isolation.
C. GETVPN is tunnel-less, which allows any group member to perform decryption and routing around network failures.
D. Packets carry original source and destination IP addresses, which allows for optimal routing of encrypted traffic.
E. Group Domain of Interpretation protocol allows for homomorphic encryption, which allows group members to operate on messages without decrypting them.
Answer: BC
QUESTION NO: 235
What are two benefits of DMVPN Phase 3? (Choose two.)
A. It introduces hierarchical DMVPN deployments.
B. It introduces non-hierarchical DMVPN deployments.
C. Administrators can use summarization of routing protocol updates from hub to spokes.
D. It supports L2TP over IPSec as one of the VPN protocols.
Answer: AC
QUESTION NO: 236
Which command identifies an AnyConnect profile that was uploaded to an IOS router's flash?
A. svc import profile SSL_profile flash:simos-profile.xml
B. anyconnect profile SSL_profile flash:simos-profile.xml
C. webvpn import profile SSL_profile flash:simos-profile.xml
D. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
Answer: D or B
QUESTION NO: 237
An administrator received a report that a user cannot connect to the headquarters site using Cisco AnyConnect and receives this error: "The installer was not able to start the Cisco VPN client, clientless access is not available." Which option is a possible cause for this error?
A. The client version of Cisco AnyConnect is not compatible with the Cisco ASA software image.
B. The operating system of the client machine is not supported by Cisco AnyConnect.
C. The driver for Cisco AnyConnect is outdated.
D. The installed version of Java is not compatible with Cisco AnyConnect.
Answer: A
QUESTION NO: 238
What is being used as the authentication method on the branch ISR?
A. Certificates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2
Answer: B
QUESTION NO: 239
What is the name of the transform set being used on the ISR?
A. Default
B. ESP-AES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS
D. TSET
Answer: B
QUESTION NO: 240
In what state is the IKE security association on the Cisco ASA?
A. There are no security associations in place.
B. MM_ACTIVE
C. ACTIVE(ACTIVE)
D. QM_IDLE
Answer: C
QUESTION NO: 241
Which crypto map tag is being used on the Cisco ASA?
A. outside_cryptomap
B. VPN-to-ASA
C. L2L-Tunnel
D. outside_map1
Answer: D

QUESTION NO: 242
An engineer is configuring an IPsec VPN with IKEv2. Which three components are part of the IKEv2 proposal for this implementation? (Choose three.)
A. key ring
B. DH group
C. integrity
D. tunnel name
E. encryption
Answer: BCE
QUESTION NO: 243
Which command can be used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?
A. show crypto ikev2 client flexvpn
B. show crypto identity
C. show crypto isakmp sa
D. show crypto gkm
Answer: A
QUESTION NO: 244
Refer to the exhibit. An engineer encounters a debug message. Which action can the engineer take to eliminate this error message?
A. Use a stronger encryption suite.
B. Correct the VPN peer address.
C. Make an adjustment to the IPSec replay window.
D. Change the preshared key to match.
Answer: C
QUESTION NO: 245
Which three parameters are specified in the isakmp (IKEv1) policy? (Choose three.)
A. the authentication method
B. the transform-set
C. the hashing algorithm
D. the session key
E. the lifetime
F. the peer
Answer: ACE
QUESTION NO: 246
Refer to the exhibit. What is the problem with the IKEv2 site-to-site VPN tunnel?
A. incorrect PSK
B. incorrect tunnel group
C. crypto access list mismatch
D. crypto policy mismatch
E. incorrect certificate
Answer: C

QUESTION NO: 247
Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action can bring up the VPN tunnel?
A. Increase the maximum in-negotiation SA limit on the local Cisco ASA.
B. Remove the maximum SA limit on the remote Cisco ASA.
C. Correct the IP address in the local and remote crypto maps.
D. Increase the maximum SA limit on the remote Cisco ASA.
E. Reduce the maximum SA limit on the local Cisco ASA.
F. Correct the crypto access list on both Cisco ASA devices.
Answer: A
QUESTION NO: 248
Which three parameters must match on all routers in a DMVPN Phase 3 cloud? (Choose three.)
A. EIGRP process name
B. EIGRP split-horizon setting
C. tunnel VRF
D. NHRP authentication string
E. GRE tunnel key
F. NHRP network ID
Answer: DEF
QUESTION NO: 249
Which option is an example of an asymmetric algorithm?
A. 3DES
B. RSA
C. IDEA
D. AES
Answer: B
QUESTION NO: 250
Which VPN feature allows remote access clients to print documents to local network printers?
A. loopback addressing
B. split tunneling
C. dynamic virtual tunnels
D. Reverse Route Injection
Answer: B
QUESTION NO: 251
Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?
A. Pre-Shared Key
B. transform set
C. crypto access list
D. Phase 1 policy
Answer: A

QUESTION NO: 252
Which two changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two.)
A. Disable EIGRP next-hop-self on the hub.
B. Enable EIGRP next-hop-self on the hub.
C. Add NHRP shortcuts on the hub.
D. Add NHRP redirects on the hub.
E. Add NHRP redirects on the spoke.
Answer: BD
QUESTION NO: 253
Which two features are required when configuring a DMVPN network? (Choose two.)
A. Dynamic crypto map
B. IPsec encryption
C. GRE tunnel interface
D. Next Hop Resolution Protocol
E. Dynamic routing protocol
Answer: CD
QUESTION NO: 254
Refer to the exhibit. VPN load balancing provides a way to distribute remote access, IPsec, and SSL VPN connections across multiple security appliances. Which remote access client types does the load balancing feature support?
A. IPsec site-to-site tunnels
B. L2TP over IPsec
C. OpenVPN
D. Cisco AnyConnect Secure Mobility Client
Answer: D
QUESTION NO: 255
Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)
A. sequence numbers that enable scalable replay checking
B. no requirement for an overlay routing protocol
C. design for use over public or private WAN
D. enabled use of ESP or AH
E. one IPsec SA for all encrypted traffic
Answer: BE
QUESTION NO: 256
Using the Next Generation Encryption technologies, which is the minimum acceptable encryption level to protect sensitive information?
A. AES 92 bits
B. AES 128 bits
C. AES 256 bits
D. AES 512 bits
Answer: B
QUESTION NO: 257
An engineer is troubleshooting a DMVPN spoke router and sees a CRYPTO-4-IKMP_BAD_MESSAGE debug message that a spoke router failed its sanity check or is malformed. Which issue does the error message indicate?
A. mismatched preshared key
B. unsupported transform proposal
C. invalid IP packet SPI
D. incompatible transform set
Answer: A
QUESTION NO: 258
You are troubleshooting a DMVPN NHRP registration failure. Which command can you use to view request counters?
A. show ip nhrp tunnel
B. show ip nhrp nhs detail
C. show ip nhrp incomplete
D. show ip nhrp incomplete tunnel tunnel_interface_number
Answer: B
QUESTION NO: 259
Refer to the exhibit. Which VPN solution does this configuration represent?
A. site-to-site
B. FlexVPN
C. GETVPN
D. DMVPN
Answer: C
QUESTION NO: 260
Refer to the exhibit. Which technology does this configuration demonstrate?
A. AnyConnect SSL over IPv4+IPv6
B. AnyConnect FlexVPN over IPv4+IPv6
C. AnyConnect SSL IPv6+IPv4
D. AnyConnect Flex VPN IPv6+IPv4
Answer: B
QUESTION NO: 261
If Web VPN bookmarks are grayed out on the home screen, which action should you take to begin troubleshooting?
A. Determine whether an ACL is present to permit DNS forwarding.
B. Determine whether the Cisco ASA can resolve the DNS names.
C. Determine whether the Cisco ASA has DNS forwarders set up.
D. Replace the DNS name with an IP address.
Answer: B

QUESTION NO: 262
Which address pool is being assigned to the users connecting via the AnyConnect client?
A. AC_Address_Pool
B. Remote_Address
C. GutSide_Address_Pool
D. VPN_Address_Pool
Answer: D
QUESTION NO: 263
Which address range will be assigned to the AnyConnect users?
A. 10.10.15.40-50/24
B. 209.165.201.20-30/24
C. 192.168.1.100-150/24
D. 10.10.15.20-30/24
Answer: D
QUESTION NO: 264
Which two networks will be included in the secured VPN tunnel? (Choose two.)
A. 10.10.9.0/16
B. All networks will be securely tunneled.
C. Networks with a source of any4
D. 10.10.9.0/24
E. DMZ network
Answer: AE
