CCNP SECURITY Cisco 300-209

Implementing Cisco Secure Mobility Solutions (300-209) Real Exams
1. Which two are characteristics of GETVPN? (Choose two.)
A. The IP header of the encrypted packet is preserved
B. A key server is elected among all configured Group Members
C. Unique encryption keys are computed for each Group Member
D. The same key encryption and traffic encryption keys are distributed to all Group Members
Answer: A and D
2. A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid configuration constructs on a Cisco IOS router? (Choose two.)
A. crypto ikev2 keyring keyring-name
   peer peer1
   address 209.165.201.1 255.255.255.255
   pre-shared-key local key1
   pre-shared-key remote key2
B. crypto ikev2 transform-set transform-set-name
   esp-3des esp-md5-hmac
   esp-aes esp-sha-hmac
C. crypto ikev2 map crypto-map-name
   set crypto ikev2 tunnel-group tunnel-group-name
   set crypto ikev2 transform-set transform-set-name
D. crypto ikev2 tunnel-group tunnel-group-name
   match identity remote address 209.165.201.1
   authentication local pre-share
E. crypto ikev2 profile profile-name
   match identity remote address 209.165.201.1
   authentication local pre-share
   authentication remote pre-share
Answer: A and E
3. Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.)
A. authenticates group members
B. manages security policy
C. creates group keys
D. distributes policy/keys
E. encrypts endpoint traffic
F. receives policy/keys
G. defines group members
Answer: A, B, C, D
4. Where is split tunneling defined for remote access clients on an ASA?
A. Group policy
B. Tunnel group
C. Crypto map
D. WebVPN Portal
E. ISAKMP client
Answer: A
5. Which of the following could be used to configure remote access VPN HostScan and prelogin policies?
A. ASDM
B. Connection profile CLI command
C. HostScan CLI command under the VPN group policy
D. Prelogin check CLI command
Answer: A
6. In FlexVPN, what command can an administrator use to create a virtual template interface that can be configured and applied dynamically to create virtual access interfaces?
A. interface virtual-template number type template
B. interface virtual-template number type tunnel
C. interface template number type virtual
D. interface tunnel template number
Answer: B
Explanation:
Hello – here is a reference and an explanation that can be included with this test.
http://www.cisco.com/en/US/docs/iosxml/ios/sec_conn_ike2vpn/configuration/152mt/secflexspoke.html#GUID4A10927D4C6A4202B01CDA7E462F5D8A
Configuring the Virtual Tunnel Interface on FlexVPN Spoke
SUMMARY STEPS
1. enable
2. configure terminal
3. interface virtual-template number type tunnel
4. ip unnumbered tunnel number
5. ip nhrp network-id number
6. ip nhrp shortcut virtual-template number
7. ip nhrp redirect [timeout seconds]
8. exit
7. In FlexVPN, what is the role of a NHRP resolution request?
A. It allows these entities to directly communicate without requiring traffic to use an intermediate hop
B. It dynamically assigns VPN users to a group
C. It blocks these entities from directly communicating with each other
D. It makes sure that each VPN spoke directly communicates with the hub
Answer: A
8. What are three benefits of deploying a GET VPN? (Choose three.)
A. It provides highly scalable point-to-point topologies.
B. It allows replication of packets after encryption.
C. It is suited for enterprises running over a DMVPN network.
D. It preserves original source and destination IP address information.
E. It simplifies encryption management through use of group keying.
F. It supports non-IP protocols.
Answer: B, D, E
9. What is the default topology type for a GET VPN?
A. Point-to-point
B. Hub and spoke
C. Full mesh
D. On-demand spoke-to-spoke
Answer: C
10. Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)
A. key encryption key
B. group encryption key
C. user encryption key
D. traffic encryption key
Answer: A, D
11. What are the three primary components of a GET VPN network? (Choose three.)
A. Group Domain of Interpretation protocol
B. Simple Network Management Protocol
C. server load balancer
D. accounting server
E. group member
F. key server
Answer: A, E, F
12. Which two parameters are configured within an IKEv2 proposal on an IOS router? (Choose two.)
A. authentication
B. encryption
C. integrity
D. session lifetime
E. PRF algorithm
Answer: B, C
13. Which two IKEv1 policy options must match on each peer when you configure an IPsec site-to-site VPN? (Choose two.)
A. priority number
B. hash algorithm
C. encryption algorithm
D. lifetime
Answer: B, C
14. In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require?
A. Virtual tunnel interface
B. Multipoint GRE interface
C. Point-to-point GRE interface
D. Loopback interface
Answer: B
15. Refer to the exhibit. After the configuration is performed, which combination of devices can connect?
A. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name of "cisco.com"
B. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 or a certificate with subject name containing "cisco.com"
C. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name containing "cisco.com"
D. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 and a certificate with subject name containing "cisco.com"
Answer: D
16. Which three settings are required for crypto map configuration? (Choose three.)
A. match address
B. set peer
C. set transform-set
D. set security-association lifetime
E. set security-association level per-host
Answer: A, B, C
17. A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889?
A. auto applet download
B. port forwarding
C. Web-type ACL
D. HTTP proxy
Answer: B
18. Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the certificate has changed and the connection fails. What is a possible cause of the connection failure?
A. The VPN is using an expired certificate.
B. The Trusted Root Store is configured incorrectly.
C. An invalid modulus was used to generate the initial key.
D. The Cisco ASA appliance was reloaded.
Answer: C
19. In the Cisco ASDM interface, where do you enable the DTLS protocol setting?
A. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy
B. Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit
C. Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
D. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit
Answer: C
Explanation:
The reference: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin/admin5.html
Shows where DTLS can be configured as:
• Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client
• Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
• Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
20. What are two forms of SSL VPN? (Choose two.)
A. port forwarding
B. Full Tunnel Mode
C. Cisco IOS Web VPN
D. Cisco AnyConnect
Answer: A, B
21. When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?
A. dynamic access policy attributes
B. group policy attributes
C. connection profile attributes
D. user attributes
Answer: A
22. What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)
A. CSCO_WEBVPN_OTP_PASSWORD
B. CSCO_WEBVPN_INTERNAL_PASSWORD
C. CSCO_WEBVPN_USERNAME
D. CSCO_WEBVPN_RADIUS_USER
Answer: B, C
23. To change the title panel on the logon page of the Cisco IOS Web VPN portal, which file must you configure?
A. Cisco IOS Web VPN customization template
B. Cisco IOS Web VPN customization general
C. web-access-hlp.inc
D. app-access-hlp.inc
Answer: A
24. Which three plug-ins are available for clientless SSL VPN? (Choose three.)
A. CIFS
B. RDP2
C. SSH
D. VNC
E. SQLNET
Answer: B, C, D
25. Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA appliance that has an invalid IKEv2 configuration?
A. migrate remote-access ssl overwrite
B. migrate remote-access ikev2
C. migrate l2l
D. migrate remote-access ssl
Answer: A
Explanation:
Below is a reference for this question: http://www.cisco.com/c/en/us/support/docs/security/asa5500xseriesnextgenerationfirewalls/113597ptn113597.html
If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple. On the command line, enter the migrate command:
migrate {l2l | remote-access {ikev2 | ssl} | overwrite}
Things of note: Keyword definitions:
l2l – This converts current IKEv1 l2l tunnels to IKEv2.
remote-access – This converts the remote access configuration. You can convert either the IKEv1 or the SSL tunnel groups to IKEv2.
overwrite – If you have a IKEv2 configuration that you wish to overwrite, then this keyword converts the current IKEv1 configuration and removes the superfluous IKEv2 configuration.
26. Which statement describes a prerequisite for single sign-on Netegrity Cookie Support in an IOS SSL VPN?
A. The Cisco Secure Desktop software package must be installed in flash.
B. The Cisco AnyConnect Secure Mobility Client must be installed in flash.
C. A SiteMinder plug-in must be installed on the Cisco SSL VPN gateway.
D. A Cisco plug-in must be installed on a SiteMinder server.
Answer: C
27. Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure Desktop? (Choose three.)
A. IKEv1
B. IKEv2
C. SSL client
D. SSL clientless
E. ESP
F. L2TP
Answer: B, C, D
28. Which command enables IOS SSL VPN Smart Tunnel support for PuTTY?
A. appl ssh putty.exe win
B. appl ssh putty.exe windows
C. appl ssh putty
D. appl ssh putty.exe
Answer: B
29. Which two statements describe effects of the DoNothing option within the untrusted network policy on a Cisco AnyConnect profile? (Choose two.)
A. The client initiates a VPN connection upon detection of an untrusted network.
B. The client initiates a VPN connection upon detection of a trusted network.
C. The always-on feature is enabled.
D. The always-on feature is disabled.
E. The client does not automatically initiate any VPN connection.
Answer: A, D
30. A user is unable to establish an AnyConnect VPN connection to an ASA. When using the Real-Time Log viewer within ASDM to troubleshoot the issue, which two filter options would the administrator choose to show only syslog messages relevant to the VPN connection? (Choose two.)
A. Client's public IP address
B. Client's operating system
C. Client's default gateway IP address
D. Client's username
E. ASA's public IP address
Answer: A, D
31. Which Cisco ASDM option configures forwarding syslog messages to email?
A. Configuration > Device Management > Logging > Email Setup
B. Configuration > Device Management > Email Setup > Logging Enable
C. Select the syslogs to email, click Edit, and select the Forward Messages option.
D. Select the syslogs to email, click Settings, and specify the Destination Email Address option.
Answer: A
32. Which Cisco ASDM option configures Web VPN access on a Cisco ASA?
A. Configuration > Web VPN > Web VPN Access
B. Configuration > Remote Access VPN > Clientless SSL VPN Access
C. Configuration > Web VPN > Web VPN Config
D. Configuration > VPN > WebVPN Access
Answer: B
33. A user with IP address 10.10.10.10 is unable to access a HTTP website at IP address 209.165.200.225 through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)
A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any
B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1 and show logging | include 10.10.10.10
D. Check if an access-list on the firewall is blocking the user by using command show running-config access-list | include 10.10.10.10
E. Use packet tracer command packet-tracer input inside udp 10.10.10.10 1234 192.168.1.3 161 to see what the firewall is doing with the user's traffic
Answer: A, B
34. A Cisco router may have a fan issue that could increase its temperature and trigger a failure. What troubleshooting steps would verify the issue without causing additional risks?
A. Configure logging using commands "logging on", "logging buffered 4", and check for fan failure logs using "show logging"
B. Configure logging using commands "logging on", "logging buffered 6", and check for fan failure logs using "show logging"
C. Configure logging using commands "logging on", "logging discriminator msglog1 console 7", and check for fan failure logs using "show logging"
D. Configure logging using commands "logging host 10.11.11.11", "logging trap 2", and check for fan failure logs at the syslog server 10.11.11.11
Answer: A
35. An internet-based VPN solution is being considered to replace an existing private WAN connecting remote offices. A multimedia application is used that relies on multicast for communication. Which two VPN solutions meet the application's network requirement? (Choose two.)
A. FlexVPN
B. DMVPN
C. Group Encrypted Transport VPN
D. Crypto-map based Site-to-Site IPsec VPNs
E. AnyConnect VPN
Answer: A, B
36. A private WAN connection is suspected of intermittently corrupting data. Which technology can a network administrator use to detect and drop the altered data traffic?
A. AES-128
B. RSA Certificates
C. SHA2-HMAC
D. 3DES
E. Diffie-Hellman Key Generation
Answer: C
37. A company needs to provide secure access to its remote workforce. The end users use public kiosk computers and a wide range of devices. They will be accessing only an internal web application. Which VPN solution satisfies these requirements?
A. Clientless SSL VPN
B. AnyConnect Client using SSL VPN
C. AnyConnect Client using IKEv2
D. FlexVPN Client
E. Windows built-in PPTP client
Answer: A
38. A network administrator is configuring AES encryption for the ISAKMP policy on an IOS router. Which two configurations are valid? (Choose two.)
A. crypto isakmp policy 10 encryption aes 254
B. crypto isakmp policy 10 encryption aes 192
C. crypto isakmp policy 10 encryption aes 256
D. crypto isakmp policy 10 encryption aes 196
E. crypto isakmp policy 10 encryption aes 199
F. crypto isakmp policy 10 encryption aes 64
Answer: B, C
39. Which two qualify as Next Generation Encryption integrity algorithms? (Choose two.)
A. SHA-512
B. SHA-256
C. SHA-192
D. SHA-380
E. SHA-192
F. SHA-196
Answer: A, B
40. Which statement is true when implementing a router with a dynamic public IP address in a crypto map based site-to-site VPN?
A. The router must be configured with a dynamic crypto map.
B. Certificates are always used for phase 1 authentication.
C. The tunnel establishment will fail if the router is configured as a responder only.
D. The router and the peer router must have NAT traversal enabled.
Answer: C
41. Which two statements are true when designing a SSL VPN solution using Cisco AnyConnect? (Choose two.)
A. The VPN server must have a self-signed certificate.
B. A SSL group pre-shared key must be configured on the server.
C. Server side certificate is optional if using AAA for client authentication.
D. The VPN IP address pool can overlap with the rest of the LAN networks.
E. DTLS can be enabled for better performance.
Answer: D, E
42. Which two features are required when configuring a DMVPN network? (Choose two.)
A. Dynamic routing protocol
B. GRE tunnel interface
C. Next Hop Resolution Protocol
D. Dynamic crypto map
E. IPsec encryption
Answer: B, C
43. Which are two main use cases for Clientless SSL VPN? (Choose two.)
A. In kiosks that are part of a shared environment
B. When the users do not have admin rights to install a new VPN client
C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP
D. To create VPN site-to-site tunnels in combination with remote access
Answer: A, B
44. What are two benefits of DMVPN Phase 3? (Choose two.)
A. Administrators can use summarization of routing protocol updates from hub to spokes.
B. It introduces hierarchical DMVPN deployments.
C. It introduces non-hierarchical DMVPN deployments.
D. It supports L2TP over IPSec as one of the VPN protocols.
Answer: A, B
45. Which technology can rate limit the number of tunnels on a DMVPN hub when system utilization is above a specified percentage?
A. NHRP Event Publisher
B. interface state control
C. CAC
D. NHRP Authentication
E. ip nhrp connect
Answer: C
46. Which technology supports tunnel interfaces while remaining compatible with legacy VPN implementations?
A. FlexVPN
B. DMVPN
C. GET VPN
D. SSL VPN
Answer: A
47. Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices?
A. IKEv2 Suite-B
B. IKEv2 proposals
C. IKEv2 profiles
D. IKEv2 Smart Defaults
Answer: D
48. When an IPsec SVTI is configured, which technology processes traffic forwarding for encryption?
A. ACL
B. IP routing
C. RRI
D. front door VPN routing and forwarding
Answer: B
49. An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a Web browser. What is a possible reason for the failure?
A. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.
B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.
C. The user's FTP application is not supported.
D. The user's operating system is not supported.
Answer: B
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/sslvpnclient/70664IOSthinclient.html
Thin Client SSL VPN (Port Forwarding): A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.
50. A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco IOS router and the Windows server?
A. HTTPS
B. NetBIOS
C. CIFS
D. HTTP
Answer: C
51. You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command must you configure on the virtual template?
A. tunnel protection ipsec
B. ip virtual-reassembly
C. tunnel mode ipsec
D. ip unnumbered
Answer: D
52. Which protocol supports high availability in a Cisco IOS SSL VPN environment?
A. HSRP
B. VRRP
C. GLBP
D. IRDP
Answer: A
53. When you configure IPsec VPN High Availability Enhancements, which technology does Cisco recommend that you enable to make reconvergence faster?
A. EOT
B. IP SLAs
C. periodic IKE keepalives
D. VPN fast detection
Answer: C
54. Which hash algorithm is required to protect classified information?
A. MD5
B. SHA-1
C. SHA-256
D. SHA-384
Answer: D
55. Which cryptographic algorithms are approved to protect Top Secret information?
A. HIPPA DES
B. AES-128
C. RC4-128
D. AES-256
Answer: D
56. Which Cisco firewall platform supports Cisco NGE?
A. FWSM
B. Cisco ASA 5505
C. Cisco ASA 5580
D. Cisco ASA 5525-X
Answer: D
57. Which algorithm is replaced by elliptic curve cryptography in Cisco NGE?
A. 3DES
B. AES
C. DES
D. RSA
Answer: D
58. Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco NGE supported VPN solution?
A. AES-GCM and SHA-2
B. 3DES and DH
C. AES-CBC and SHA-1
D. 3DES and SHA-1
Answer: A
59. An administrator wishes to limit the networks reachable over the AnyConnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and 209.165.202.128/27?
A. access-list splitlist standard permit 209.165.201.0 255.255.255.224
   access-list splitlist standard permit 209.165.202.128 255.255.255.224
   !
   group-policy GroupPolicy1 internal
   group-policy GroupPolicy1 attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value splitlist
B. access-list splitlist standard permit 209.165.201.0 255.255.255.224
   access-list splitlist standard permit 209.165.202.128 255.255.255.224
   !
   group-policy GroupPolicy1 internal
   group-policy GroupPolicy1 attributes
    split-tunnel-policy tunnelall
    split-tunnel-network-list value splitlist
C. access-list splitlist standard permit 209.165.201.0 255.255.255.224
   access-list splitlist standard permit 209.165.202.128 255.255.255.224
   !
   crypto anyconnect vpn-tunnel-policy tunnelspecified
   crypto anyconnect vpn-tunnel-network-list splitlist
D. group-policy GroupPolicy1 internal
   group-policy GroupPolicy1 attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
    split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
E. crypto anyconnect vpn-tunnel-policy tunnelspecified
   crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
   crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
Answer: A
60. Which NGE IKE Diffie-Hellman group identifier has the strongest cryptographic properties?
A. group 10
B. group 24
C. group 5
D. group 20
Answer: D
61. What is the Cisco recommended TCP maximum segment on a DMVPN tunnel interface when the MTU is set to 1400 bytes?
A. 1160 bytes
B. 1260 bytes
C. 1360 bytes
D. 1240 bytes
Answer: C
62. Which technology does a multipoint GRE interface require to resolve endpoints?
A. ESP
B. dynamic routing
C. NHRP
D. CEF
E. IPSec
Answer: C
63. Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)
A. SHA (HMAC variant)
B. Diffie-Hellman
C. DES
D. MD5 (HMAC variant)
Answer: A, B
64. Which command configures IKEv2 symmetric identity authentication?
A. match identity remote address 0.0.0.0
B. authentication local pre-share
C. authentication pre-share
D. authentication remote rsa-sig
Answer: D
65. Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)
A. aes-cbc-128, sha, 14
B. 3des, md5, 5
C. aes-cbc-192, sha1, 1
D. 3des, sha256, 5
Answer: B, D
66. What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?
A. disk0:/webvpn/{context name}/
B. disk1:/webvpn/{context name}/
C. flash:/webvpn/{context name}/
D. nvram:/webvpn/{context name}/
Answer: C
67. Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?
A. vpn-filter none
B. no vpn-filter
C. filter value none
D. filter value ACLname
Answer: C
68. Which command specifies the path to the HostScan package in an ASA AnyConnect VPN?
A. csd hostscan path-image
B. csd hostscan image path
C. csd hostscan path
D. hostscan image path
Answer: B
69. When a tunnel is initiated by the headquarter ASA, which one of the following Diffie-Hellman groups is selected by the headquarter ASA during the CREATE_CHILD_SA exchange?
A. 1
B. 2
C. 5
D. 14
E. 19
Answer: C
Explanation:
Traffic initiated by the HQ ASA is assigned to the static outside crypto map, which is shown below to use DH group 5.
70. Based on the provided ASDM configuration for the remote ASA, which one of the following is correct?
A. An access list must be configured on the outside interface to permit inbound VPN traffic
B. A route to 192.168.22.0/24 will not be automatically installed in the routing table
C. The ASA will use a window of 128 packets (64×2) to perform the anti-replay check
D. The tunnel can also be established on TCP port 10000
Answer: C
Explanation:
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.
71. If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to encrypt traffic?
A. DES
B. 3DES
C. AES
D. AES192
E. AES256
Answer: E
Explanation:
Both ASAs are configured to support AES 256, so during the IPSec negotiation they will use the strongest algorithm that is supported by each peer.
72. After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.22.0/24 network are unable to access the internet. Which of the following can be done to resolve this problem?
A. Change the Diffie-Hellman group on the headquarter ASA to group 5 for the dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.33.0/24
C. Change to an IKEv1 configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0
Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.22.0/24 to 192.168.33.0/24.
73. Which option shows the correct traffic selectors for the child SA on the remote ASA, when the headquarter ASA initiates the tunnel?
A. Local selector 0.0.0.0/0 – 0.0.0.0/65535
   Remote selector 192.168.33.0/0 – 192.168.33.255/65535
B. Local selector 192.168.22.0/0 – 192.168.22.255/65535
   Remote selector 192.168.33.0/0 – 192.168.33.255/65535
C. Local selector 192.168.33.0/0 – 192.168.33.255/65535
   Remote selector 192.168.22.0/0 – 192.168.22.255/65535
D. Local selector 192.168.20.0/0 – 192.168.20.255/65535
   Remote selector 192.168.33.0/0 – 192.168.33.255/65535
E. Local selector 192.168.22.0/0 – 192.168.22.255/65535
   Remote selector 0.0.0.0/0 – 0.0.0.0/65535
Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.22.0/24 (THE LOCAL SIDE) to 192.168.33.0/24 (THE REMOTE SIDE).
74. CORRECT TEXT
You must use the IKEv2 configuration blocks to accomplish this task.
Answer: See the explanation.
Explanation:
Here are the steps as below:
Step 1: configure key ring
crypto ikev2 keyring mykeys
 peer SiteB.cisco.com
  address 209.165.201.1
  pre-shared-key local $iteA
  pre-shared-key remote $iteB
Step 2: Configure IKEv2 profile
crypto ikev2 profile default
 identity local fqdn SiteA.cisco.com
 match identity remote fqdn SiteB.cisco.com
 authentication local pre-share
 authentication remote pre-share
 keyring local mykeys
Step 3: Create the GRE tunnel and apply profile
crypto ipsec profile default
 set ikev2-profile default
interface tunnel 0
 ip address 10.1.1.1 255.255.255.0
 tunnel source eth 0/0
 tunnel destination 209.165.201.1
 tunnel protection ipsec profile default
end
75. An administrator is tasked with configuring the company's SSL VPN gateway to allow remote users to work. A custom desktop application needs to access an internal server. Which two technologies would accommodate the company's requirement? (Choose two.)
A. AnyConnect client
B. Smart Tunnels
C. Email Proxy
D. Content Rewriter
E. Portal Customizations
Answer: A, B
76. A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing traffic to be blackholed. Which command should be used to identify the peer from which that route originated?
A. show crypto ikev2 sa detail
B. show crypto route
C. show crypto ikev2 client flexvpn
D. show ip route eigrp
E. show crypto isakmp sa detail
Answer: A
77. Refer to the exhibit. Which authentication method was used by the remote peer to prove its identity?
A. Extensible Authentication Protocol
B. certificate authentication
C. pre-shared key
D. XAUTH
Answer: C
78. Refer to the exhibit. An IPsec peer is exchanging routes using IKEv2, but the routes are not installed in the RIB. Which configuration error is causing the failure?
A. IKEv2 routing requires certificate authentication, not pre-shared keys.
B. The IKEv2 authorization policy is not referenced in the IKEv2 profile.
C. An invalid administrative distance value was configured.
D. The match identity command must refer to an access list of routes.
Answer: B
79. Refer to the exhibit. An administrator is adding IPv6 addressing to an already functioning tunnel. The administrator is unable to ping 2001:DB8:100::2 but can ping 209.165.200.226. Which configuration needs to be added or changed?
A. Tunnel mode needs to be changed to GRE IPv6.
B. OSPFv3 needs to be configured on the interface.
C. NHRP needs to be configured to provide NBMA mapping.
D. Tunnel mode needs to be changed to GRE IPv4.
E. No configuration change is necessary. Everything is working correctly.
Answer: D
80. Refer to the exhibit. The IKEv2 tunnel between Router1 and Router2 is failing during session establishment. Which action will allow the session to establish correctly?
A. The address command on Router2 must be narrowed down to a /32 mask.
B. The local and remote keys on Router2 must be switched.
C. The local and remote keys on Router2 must be the same.
D. The pre-shared key must be altered to use only lowercase letters.
Answer: B
81. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto isakmp command on the head end router, you see the following output. What does this output suggest?
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10
A. Phase 1 policy does not match on both sides.
B. The transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. The crypto map is not applied on the remote peer.
Answer: A
82. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto ipsec command on the head end router, you see the following output. What does this output suggest?
1d00h: IPSec (validate_proposal): transform proposal (port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2): atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable
A. Phase 1 policy does not match on both sides.
B. The Phase 2 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. There is a mismatch in the ACL that identifies interesting traffic.
E. The Phase 1 transform set does not match on both sides.
Answer: B
83. Which adaptive security appliance command can be used to see a generic framework of the requirements for configuring a VPN tunnel between an adaptive security appliance and a Cisco IOS router at a remote office?
A. vpnsetup site-to-site steps
B. show running-config crypto
C. show vpn-sessiondb ratio encryption
D. vpnsetup ssl-remote-access steps
Answer: A
84. After completing a site-to-site VPN setup between two routers, application performance over the tunnel is slow. You issue the show crypto ipsec sa command and see the following output. What does this output suggest?
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)
current_peer 209.165.200.230 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836
#pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
A. The VPN has established and is functioning normally.
B. There is an asymmetric routing issue.
C. The remote peer is not receiving encrypted traffic.
D. The remote peer is not able to decrypt traffic.
E. Packet corruption is occurring on the path between the two peers.
Answer: E
85. Which Cisco adaptive security appliance command can be used to view the count of all active VPN sessions?
A. show vpn-sessiondb summary
B. show crypto ikev1 sa
C. show vpn-sessiondb l2l
D. show iskamp sa detail
E. show crypto protocol statistics all
Answer: A
86. Refer to the exhibit. An administrator had the above configuration working with SSL protocol, but as soon as the administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not able to connect. What is the problem?
A. IPsec will not work in conjunction with a group URL.
B. The Cisco AnyConnect implementation does not allow the two group URLs to be the same. SSL does allow this.
C. If you specify the primary protocol as IPsec, the User Group must be the exact name of the connection profile (tunnel group).
D. A new XML profile should be created instead of modifying the existing profile, so that the clients force the update.
Answer: C
87. The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error message is displayed: "Login Denied, unauthorized connection mechanism, contact your administrator". What is the most possible cause of this problem?
A. DAP is terminating the connection because IKEv2 is the protocol that is being used.
B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection.
C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism.
D. The administrator is restricting access to this specific user.
E. The IKEv2 protocol is not enabled in the group policy of the VPN head end.
Answer: E

which option will allow IKEv2 connections on the adaptive security appliance? A. D.) A. AnyConnect Essentials can be used for Cisco AnyConnect IKEv2 connections. Ethiopia . Verify that AnyConnect is enabled on the correct interface.88. What is the most likely cause of this problem? A. Cisco AnyConnect Mobile must be installed to allow AnyConnect IKEv2 sessions. The Cisco AnyConnect client is unable to download an updated user profile from the ASA Head end using IKEv2. IKEv2 sessions are not licensed. Verify that the primary protocol on the client machine is set to IPsec. Verify that the IKEv2 protocol is enabled on the group policy. Client Services is not enabled on the adaptive security appliance. Regarding licensing. while SSL works fine? (Choose two. B. Answer: A.com Gonder. The Advanced Endpoint Assessment license must be installed to allow Cisco AnyConnect IKEv2 sessions. IKEv2 is not enabled on the group policy. B. User profile updates are not allowed with IKEv2. B. C 90. Answer: A 37 | P a g e tayeforever@gmail. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint. D. Answer: D 89. C. Verify that ASDM and AnyConnect are not using the same port. E. C. C. D. A new profile must be created so that the adaptive security appliance can push it to the client on the next connection attempt. Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2 connection.

com Gonder. DMVPN is a point to point tunnel.91. Refer to the exhibit. B. C. but the tunnel is not passing traffic. What could cause this issue? A. The NHRP authentication is failing. The network administrator is adding a new spoke. There is no EIGRP configuration. Ethiopia . 38 | P a g e tayeforever@gmail. so there can be only one spoke. and therefore the second tunnel is not working.

Next Hop Routing Protocol 39 | P a g e tayeforever@gmail. Use another router at the spoke site. How can you achieve optimum failover without affecting any other router in the DMVPN cloud? A. A spoke has two Internet connections for failover. E 95. The transform set must be in transport mode.D.) A. In DMVPN phase 2. What action does the hub take when it receives a NHRP resolution request from a spoke for a network that exists behind another spoke? A. The hub forwards the request to the destination spoke. The hub waits for the second spoke to send a request so that it can respond to both spokes. and when the primary interface goes down. Next Hub Routing Protocol D. Next Hop Resolution Protocol B. metric calculation using bandwidth D. C. D.com Gonder. B. Auto summary B. Next Hop Registration Protocol C. C. The NHRP network ID is incorrect. which is a requirement for DMVPN. The hub updates its own NHRP mapping. B. D. Answer: C 93. Create another tunnel interface with same configuration except the tunnel source. Ethiopia . which two EIGRP features need to be disabled on the hub to allow spoke to spoke communication? (Choose two. E. default administrative distance Answer: B. because two ISP connections on the same router for the same hub is not allowed. manually change the tunnel source of the tunnel interface. Configure SLA tracking. and configure the if state nhrp and backup interface commands on the primary tunnel interface. What does NHRP stand for? A. Create another DMVPN cloud by configuring another tunnel interface that is sourced from the second ISP link. Next hop self F. Answer: D 94. The hub sends back a resolution reply to the requesting spoke. split horizon C. Answer: C 92. EIGRP address family E.

Move to the IPsec client. Collect the information from the computer event log. md5.) A. debug vpn authorization error D. Ethiopia . B. sha1. D. Use Wire shark to capture network traffic. A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish the connection. D. sha256. D. debug aaa authentication B.) A. B.com Gonder. Answer: B. AESCBC128 C. Which three commands can be used for troubleshooting of the AAA subsystem? (Choose three. debug radius C. group 7 3des. C. F 97. debug ssl error Answer: A. group 1 40 | P a g e tayeforever@gmail. Which cryptographic algorithms are part of the Cisco NGE suite? A. B. Answer: A 99. Enable and use HTML capture tools. Clear the browser history. which three steps should be taken? (Choose three. group 14 3des. Clear the browser and Java cache. E.Answer: A 96. F. debug ssl openssl errors E. Make sure that you specified the URL correctly. Gather crypto debugs on the adaptive security appliance. C. AESGCM256 Answer: D 100. B. E 98. A. When troubleshooting established clientless SSL VPN issues. Verify the trusted zone and cookies settings in your browser. C. RC4128 D. Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet Explorer. while other browsers work fine? A. Try the URL from another operating system. debug webvpn aaa F. HIPPA DES B. Which transform set is contained in the IKEv2 default proposal? aescbc192.

D. aes-cbc-128, sha, group 5
Answer: D
101. Which command clears all crypto configuration from a Cisco Adaptive Security Appliance?
A. clear configure crypto
B. clear configure crypto ipsec
C. clear crypto map
D. clear crypto ikev2 sa
Answer: A
102. Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel group in cleartext?
A. more system:running-config
B. show running-config crypto
C. show running-config tunnel-group
D. show running-config tunnel-group-map
E. clear config tunnel-group
F. show ipsec policy
Answer: A
103. An administrator desires that when work laptops are not connected to the corporate network, they should automatically initiate an AnyConnect VPN tunnel back to headquarters. Where does the administrator configure this?
A. Via the svc trusted network command under the group-policy sub-configuration mode on the ASA
B. Under the "Automatic VPN Policy" section inside the AnyConnect Profile Editor within ASDM
C. Under the TNDPolicy XML section within the Local Preferences file on the client computer
D. Via the svc trusted network command under the global webvpn sub-configuration mode on the ASA
Answer: B
104. The following configuration steps have been completed:
• WebVPN was enabled on the ASA outside interface.
• SSL VPN client software was loaded to the ASA.
• A DHCP scope was configured and applied to a WebVPN Tunnel Group.
What additional step is required if the client software fails to load when connecting to the ASA SSL page?
A. The SSL client must be loaded to the client by an ASA administrator
B. The SSL client must be downloaded to the client via FTP

C. The SSL VPN client must be enabled on the ASA after loading
D. The SSL client must be enabled on the client machine before loading
Answer: A
105. Remote users want to access internal servers behind an ASA using Microsoft terminal services. Which option outlines the steps required to allow users access via the ASA clientless VPN portal?
A. 1. Configure a static PAT rule for TCP port 3389 2. Configure an inbound access list to allow traffic from remote users to the servers 3. Assign this access list rule to the group policy
B. 1. Upload an RDP plugin to the ASA 2. Configure a bookmark of the type rdp://serverIP 3. Assign the bookmark to the desired group policy
C. 1. Configure a Smart Tunnel application list 2. Add the rdp.exe process to this list 3. Assign the Smart Tunnel application list to the desired group policy
D. 1. Configure a bookmark of the type http://serverIP:3389 2. Enable Smart Tunnel on this bookmark 3. Assign the bookmark list to the desired group policy
Answer: D
106. Which command is used to determine how many GMs have registered in a GETVPN environment?
A. show crypto isakmp sa
B. show crypto gdoi ks members
C. show crypto gdoi gm
D. show crypto ipsec sa
E. show crypto isakmp sa count
Answer: B
107. On which Cisco platform are dynamic virtual template interfaces available?
A. Cisco Adaptive Security Appliance 5585-X
B. Cisco Catalyst 3750-X
C. Cisco Integrated Services Router Generation 2
D. Cisco Nexus 7000
Answer: C

108. C. The tunnel will be valid for 2 days. 43 | P a g e tayeforever@gmail. Answer: B 109. B. Which two statements about the given configuration are true? (Choose two. Refer to the exhibit. C. C 110. It will use encrypted nonces for authentication. Refer to the exhibit. It is an AnyConnect ISAKMP policy. and 00 seconds. PSK will not work as configured Answer: A. Any router defined in group 2 will be allowed to connect.com Gonder. Ethiopia . It is a LAN to LAN VPN ISAKMP policy. Refer to the exhibit. F. Defined PSK can be used by any IPSec peer. 88 minutes. Which statement about the given IKE policy is true? A. D. It can be used in a DMVPN deployment D. E. It has a keepalive of 60 minutes.) A. checking every 5 minutes. B. It uses a 56bit encryption algorithm.

Refer to the exhibit. What technology does the given configuration demonstrate?
A. Keyring used to encrypt IPSec traffic
B. FlexVPN with IPv6
C. FlexVPN with AnyConnect
D. Crypto Policy to enable IKEv2
Answer: B
111. Which command enables the router to form EIGRP neighbor adjacencies with peers using a different subnet than the ingress interface?
A. ip unnumbered interface
B. eigrp router-id
C. passive-interface interface-name
D. ip split-horizon eigrp as-number
Answer: A
112. Which feature enforces the corporate policy for Internet access to Cisco AnyConnect VPN users?
A. Trusted Network Detection
B. Datagram Transport Layer Security
C. Cisco AnyConnect Customization
D. banner message
Answer: A
113. In which situation would you enable the Smart Tunnel option with clientless SSL VPN?
A. when a user is using an outdated version of a web browser
B. when an application is failing in the rewrite process
C. when IPsec should be used over SSL VPN
D. when a user has a nonsupported Java version installed
Answer: B

114. You executed the show crypto ipsec sa command to troubleshoot an IPSec issue. What problem does the given output indicate?
A. IKEv2 failed to establish a phase 2 negotiation.
B. The Crypto ACL is different on the peer device.
C. ISAKMP was unable to find a matching SA.
D. IKEv2 was used in aggressive mode.
Answer: B
115. Which two types of authentication are supported when you use Cisco ASDM to configure site-to-site IKEv2 with IPv6? (Choose two.)
A. preshared key
B. webAuth
C. digital certificates
D. XAUTH
E. EAP
Answer: A, C
116. Which option describes the purpose of the shared argument in the DMVPN interface command tunnel protection IPsec profile ProfileName shared?
A. shares a single profile between multiple tunnel interfaces
B. allows multiple authentication types to be used on the tunnel interface
C. shares a single profile between a tunnel interface and a crypto map
D. shares a single profile between IKEv1 and IKEv2
Answer: A
117. Which type of communication in a FlexVPN implementation uses an NHRP shortcut?
A. spoke to hub
B. spoke to spoke
C. hub to spoke
D. hub to hub
Answer: B

Ethiopia . C.118. A. A. D. C. TLS and DTLS B. FlexVPN and DMVPN? NHRP MPLS GRE ESP Answer: D 123. Advanced Network (Client) Access 121. B. AnyConnect Client Profile D. sitetosite 46 | P a g e tayeforever@gmail. Which application does the Application Access feature of Clientless VPN support? TFTP VoIP Telnet active FTP Answer: C 120. SSH over TCP Answer:A 122. Which is used by GETVPN. Cisco AnyConnect C. group policies B. Where do you configure AnyConnect certificate based authentication in ASDM? A. B. AnyConnect Connection Profile C. A. D. Which technology is FlexVPN based on? OER VRF IKEv2 an RSA nonce Answer: C 119.com Gonder. D. GETVPN B. IKEv1 C. Which VPN solution is best for a collection of branch offices connected by MPLS that frequenty make VoIP calls between branches? A. L2TP over IPsec D. C. Which protocols does the Cisco AnyConnect client use to build multiple connections to the security appliance? A. B.

D. DMVPN
Answer: A
124. Refer to the exhibit. Which VPN solution does this configuration represent?
A. DMVPN
B. GETVPN
C. FlexVPN
D. Site to site

Answer: C
125. Refer to the exhibit. You have implemented an SSL VPN as shown. Which type of communication takes place between the secure gateway R1 and the Cisco Secure ACS?
A. HTTP proxy
B. AAA
C. policy
D. port forwarding
Answer: B
126. Which technology can provide high availability for an SSL VPN?
A. DMVPN
B. a multiple tunnel configuration
C. a Cisco ASA pair in active/passive failover configuration
D. certificate to tunnel group maps
Answer: C

127. Refer to the exhibit. Which VPN solution does this configuration represent?
A. Cisco AnyConnect
B. IPsec
C. L2TP
D. SSL VPN
Answer: B
128. Which technology must be installed on the client computer to enable users to launch applications from a Clientless SSL VPN?
A. Java
B. QuickTime plugin
C. Silverlight
D. Flash
Answer: A
129. In the Diffie-Hellman protocol, which type of key is the shared secret?
A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key
Answer: A
130. Refer to the exhibit.

Which exchange does this debug output represent?
A. IKE Phase 1
B. IKE Phase 2
C. symmetric key exchange
D. certificate exchange
Answer: A
131. Which two technologies are considered to be Suite B cryptography? (Choose two.)
A. MD5
B. SHA-2
C. Elliptical Curve Diffie-Hellman
D. 3DES
E. DES
Answer: B, C
132. Which protocol does DTLS use for its transport?
A. TCP
B. UDP
C. IMAP
D. DDE
Answer: B
133. CORRECT TEXT
Scenario:
You are the network security manager for your organization. Your manager has received a
request to allow an external user to access your HQ and DMZ servers. You are given the
following connection parameters for this task. Using ASDM on the ASA, configure the
parameters below and test your configuration by accessing the Guest PC. Not all ASDM screens
are active for this exercise. Also, for this exercise, all changes are automatically applied to the
ASA and you will not have to click APPLY to apply the changes manually.
• Enable Clientless SSL VPN on the outside interface
• Using the Guest PC, open an Internet Explorer window and test and verify the basic
connection to the SSL VPN portal using address: https://vpnsecurex.public

a) You may notice a certificate error in the status bar; this can be ignored for this
exercise
b) Username: vpnuser
c) Password: cisco123
d) Logout of the portal once you have verified connectivity
• Configure two bookmarks with the following parameters:
a) Bookmark List Name: MYBOOKMARKS
b) Use the: URL with GET or POST method
c) Bookmark Title: HQServer
i. http://10.10.3.20
d) Bookmark Title: DMZServerFTP
i. ftp://172.16.1.50
e) Assign the configured Bookmarks to:
i. DfltGrpPolicy
ii. DfltAccessPolicy
iii. LOCAL User: vpnuser
• From the Guest PC, reconnect to the SSL VPN Portal
• Test both configured Bookmarks to ensure desired connectivity
You have completed this exercise when you have configured and successfully tested Clientless
SSL VPN connectivity.
Topology:


Answer: Please find the solution in the explanation below.
Explanation:
First, enable clientless VPN access on the outside interface by checking the box found below:


Then, log in to the given URL using the vpnuser/cisco123 credentials:
Logging in will take you to this page, which means you have now verified basic connectivity:

Now log out by hitting the logout button.
Now, go back to the ASDM and navigate to the Bookmarks portion:
Make the name MYBOOKMARKS and use the "Add" tab and add the bookmarks per the instructions:

Ensure the "URL with GET or POST method" button is selected and hit OK:
Add the two bookmarks as given in the instructions:

You should now see the two bookmarks listed:
Hit OK and you will see this:

Select the MYBOOKMARKS Bookmarks and click on the "Assign" button. Then, click on the appropriate check boxes as specified in the instructions and hit OK. After hitting OK, you will now see this:
Then, go back to the GuestPC, log back in and you should be able to test out the two new bookmarks.

134. What is being used as the authentication method on the branch ISR?
Scenario: You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

com Gonder. Using the CLI on both the Cisco ASA and branch ISR.What is being used as the authentication method on the branch ISR? A. RSA public keys D. You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured according to designated parameters. Preshared keys C. Verify the IPsec configuration is properly configured between the two sites. Ethiopia . Topology: 59 | P a g e tayeforever@gmail. NOTE: the show running config command cannot be used for the this exercise. Recently and junior engineer configured a site to site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. Certifcates B. Which transform set is being used on the branch ISR? Scenario: You are the senior network security administrator for your organization. DiffieHellman Answer: B Group 2 Explanation: The show crypto isakmp key command shows the preshared key of “cisco” 135.

Which transform set is being used on the branch ISR?
A. Default
B. ESP-3DES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS mode transport
D. TSET
Answer: B

Explanation: This can be seen from the "show crypto ipsec sa" command as shown below:
136. In what state is the IKE security association on the Cisco ASA?
Scenario: You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

In what state is the IKE security association on the Cisco ASA?
A. There are no security associations in place
B. MM_ACTIVE
C. ACTIVE(ACTIVE)
D. QM_IDLE
Answer: B
Explanation: This can be seen from the "show crypto isa sa" command:
137. Which crypto map tag is being used on the Cisco ASA?
Scenario: You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

Which crypto map tag is being used on the Cisco ASA?
A. outside_cryptomap
B. VPN-to-ASA
C. L2L_Tunnel
D. outside_map1
Answer: D
Explanation: This is seen from the "show crypto ipsec sa" command on the ASA.