
CCNP SECURITY Cisco 300-209

Implementing Cisco Secure Mobility Solutions (300-209) Real Exams
1. Which two are characteristics of GETVPN? (Choose two.)
A. The IP header of the encrypted packet is preserved
B. A key server is elected among all configured Group Members
C. Unique encryption keys are computed for each Group Member
D. The same key encryption and traffic encryption keys are distributed to all Group
Members
Answer: A and D
2. A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid configuration constructs on a Cisco IOS router? (Choose two.)
A. crypto ikev2 keyring keyringname
peer peer1
address 209.165.201.1 255.255.255.255
pre-shared-key local key1
pre-shared-key remote key2
B. crypto ikev2 transform-set transformsetname
esp-3des esp-md5-hmac
esp-aes esp-sha-hmac
C. crypto ikev2 map cryptomapname
set crypto ikev2 tunnel-group tunnelgroupname
set crypto ikev2 transform-set transformsetname
D. crypto ikev2 tunnel-group tunnelgroupname
match identity remote address 209.165.201.1
authentication local pre-share
E. crypto ikev2 profile profilename
match identity remote address 209.165.201.1
authentication local pre-share
authentication remote pre-share
Answer: A and E
1|Page

tayeforever@gmail.com
Gonder, Ethiopia

3. Which four activities does the Key Server perform in a GETVPN deployment? (Choose
four.)
A. authenticates group members
B. manages security policy
C. creates group keys
D. distributes policy/keys
E. encrypts endpoint traffic
F. receives policy/keys
G. defines group members
Answer: A, B, C, D
4. Where is split tunneling defined for remote access clients on an ASA?
A. Group policy
B. Tunnel group
C. Crypto map
D. WebVPN Portal
E. ISAKMP client
Answer: A
5. Which of the following could be used to configure remote access VPN Hostscan and pre-login policies?
A. ASDM
B. Connection profile CLI command
C. Hostscan CLI command under the VPN group policy
D. Pre-login check CLI command
Answer: A
6. In FlexVPN, what command can an administrator use to create a virtual template interface that can be configured and applied dynamically to create virtual access interfaces?
A. interface virtual-template number type template
B. interface virtual-template number type tunnel
C. interface template number type virtual
D. interface tunnel template number
Answer: B
Explanation:
Here is a reference and an explanation that can be included with this test:
http://www.cisco.com/en/US/docs/iosxml/ios/sec_conn_ike2vpn/configuration/152mt/secflexspoke.html#GUID4A10927D4C6A4202B01CDA7E462F5D8A
Configuring the Virtual Tunnel Interface on FlexVPN Spoke
SUMMARY STEPS
1. enable
2. configure terminal
3. interface virtual-template number type tunnel
4. ip unnumbered tunnel number
5. ip nhrp network-id number
6. ip nhrp shortcut virtual-template number
7. ip nhrp redirect [timeout seconds]
8. exit
7. In FlexVPN, what is the role of a NHRP resolution request?
A. It allows these entities to directly communicate without requiring traffic to use an
intermediate hop
B. It dynamically assigns VPN users to a group
C. It blocks these entities from directly communicating with each other
D. It makes sure that each VPN spoke directly communicates with the hub
Answer: A
8. What are three benefits of deploying a GET VPN? (Choose three.)
A. It provides highly scalable point-to-point topologies.
B. It allows replication of packets after encryption.
C. It is suited for enterprises running over a DMVPN network.
D. It preserves original source and destination IP address information.
E. It simplifies encryption management through use of group keying.
F. It supports non-IP protocols.
Answer: B, D, E
9. What is the default topology type for a GET VPN?
A. point-to-point
B. hub and spoke
C. full mesh
D. on-demand spoke-to-spoke
Answer: C
10. Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)
A. key encryption key
B. group encryption key
C. user encryption key
D. traffic encryption key
Answer: A, D
11. What are the three primary components of a GET VPN network? (Choose three.)
A. Group Domain of Interpretation protocol
B. Simple Network Management Protocol
C. server load balancer
D. accounting server
E. group member
F. key server
Answer: A, E, F
12. Which two IKEv1 policy options must match on each peer when you configure an IPsec site-to-site VPN? (Choose two.)
A. priority number
B. hash algorithm
C. encryption algorithm
D. session lifetime
E. PRF algorithm
Answer: B, C
13. Which two parameters are configured within an IKEv2 proposal on an IOS router? (Choose two.)
A. authentication
B. encryption
C. integrity
D. lifetime
Answer: B, C
14. In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require?
A. Virtual tunnel interface
B. Multipoint GRE interface
C. Point-to-point GRE interface
D. Loopback interface
Answer: B
15. Refer to the exhibit. After the configuration is performed, which combination of devices can connect?
A. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name of “cisco.com”
B. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 or a certificate with subject name containing “cisco.com”
C. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 and a certificate with subject name containing “cisco.com”
D. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name containing “cisco.com”
Answer: D

16. Which three settings are required for crypto map configuration? (Choose three.)
A. match address
B. set peer
C. set transform-set
D. set security-association lifetime
E. set security-association level per-host
Answer: A, B, C
17. A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889?
A. auto applet download
B. port forwarding
C. Web-type ACL
D. HTTP proxy
Answer: B
18. Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the certificate has changed and the connection fails. What is a possible cause of the connection failure?
A. An invalid modulus was used to generate the initial key.
B. The VPN is using an expired certificate.
C. The Cisco ASA appliance was reloaded.
D. The Trusted Root Store is configured incorrectly.
Answer: C
19. In the Cisco ASDM interface, where do you enable the DTLS protocol setting?
A. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy
B. Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit
C. Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client

D. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit
Answer: C
Explanation:
The reference http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin/admin5.html shows where DTLS can be configured:
• Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client
• Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
• Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
20. What are two forms of SSL VPN? (Choose two.)
A. port forwarding
B. Full Tunnel Mode
C. Cisco IOS WebVPN
D. Cisco AnyConnect
Answer: A, B
21. When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?
A. dynamic access policy attributes
B. group policy attributes
C. connection profile attributes
D. user attributes
Answer: A
22. What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)
A. CSCO_WEBVPN_OTP_PASSWORD
B. CSCO_WEBVPN_INTERNAL_PASSWORD
C. CSCO_WEBVPN_USERNAME
D. CSCO_WEBVPN_RADIUS_USER
Answer: B, C
23. To change the title panel on the logon page of the Cisco IOS WebVPN portal, which file must you configure?
A. Cisco IOS WebVPN customization template

B. Cisco IOS WebVPN customization general
C. webaccesshlp.inc
D. appaccesshlp.inc
Answer: A
24. Which three plug-ins are available for clientless SSL VPN? (Choose three.)
A. CIFS
B. RDP2
C. SSH
D. VNC
E. SQLNET
Answer: B, C, D
25. Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA appliance that has an invalid IKEv2 configuration?
A. migrate remote-access ssl overwrite
B. migrate remote-access ikev2
C. migrate l2l
D. migrate remote-access ssl
Answer: A
Explanation:
Below is a reference for this question:
http://www.cisco.com/c/en/us/support/docs/security/asa5500xseriesnextgenerationfirewalls/113597ptn113597.html
If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple. On the command line, enter the migrate command:
migrate {l2l | remote-access {ikev2 | ssl} | overwrite}
Things of note:
Keyword definitions:
l2l – This converts current IKEv1 l2l tunnels to IKEv2.
remote-access – This converts the remote access configuration. You can convert either the IKEv1 or the SSL tunnel groups to IKEv2.
overwrite – If you have an IKEv2 configuration that you wish to overwrite, then this keyword converts the current IKEv1 configuration and removes the superfluous IKEv2 configuration.

26. Which statement describes a prerequisite for single sign-on Netegrity cookie support in an IOS SSL VPN?
A. The Cisco AnyConnect Secure Mobility Client must be installed in flash.
B. A SiteMinder plugin must be installed on the Cisco SSL VPN gateway.
C. A Cisco plugin must be installed on a SiteMinder server.
D. The Cisco Secure Desktop software package must be installed in flash.
Answer: C
27. Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure Desktop? (Choose three.)
A. IKEv1
B. IKEv2
C. SSL client
D. SSL clientless
E. ESP
F. L2TP
Answer: B, C, D
28. Which command enables IOS SSL VPN Smart Tunnel support for PuTTY?
A. appl ssh putty.exe win
B. appl ssh putty.exe windows
C. appl ssh putty
D. appl ssh putty.exe
Answer: B
29. Which two statements describe effects of the DoNothing option within the untrusted network policy on a Cisco AnyConnect profile? (Choose two.)
A. The client initiates a VPN connection upon detection of an untrusted network.
B. The client initiates a VPN connection upon detection of a trusted network.
C. The always-on feature is enabled.
D. The always-on feature is disabled.
E. The client does not automatically initiate any VPN connection.
Answer: A, D
30. A user is unable to establish an AnyConnect VPN connection to an ASA. When using the Real-Time Log Viewer within ASDM to troubleshoot the issue, which two filter options

would the administrator choose to show only syslog messages relevant to the VPN connection? (Choose two.)
A. Client’s public IP address
B. Client’s operating system
C. Client’s default gateway IP address
D. Client’s username
E. ASA’s public IP address
Answer: A, D
31. Which Cisco ASDM option configures forwarding syslog messages to email?
A. Configuration > Device Management > Logging > Email Setup
B. Configuration > Device Management > Email Setup > Logging Enable
C. Select the syslogs to email, click Edit, and select the Forward Messages option.
D. Select the syslogs to email, click Settings, and specify the Destination Email Address option.
Answer: A
32. Which Cisco ASDM option configures WebVPN access on a Cisco ASA?
A. Configuration > WebVPN > WebVPN Access
B. Configuration > Remote Access VPN > Clientless SSL VPN Access
C. Configuration > WebVPN > WebVPN Config
D. Configuration > VPN > WebVPN Access
Answer: B
33. A user with IP address 10.10.10.10 is unable to access an HTTP website at IP address 209.165.200.225 through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)
A. Capture user traffic using the command capture capin interface inside match ip host 10.10.10.10 any
B. After verifying that user traffic reaches the firewall using syslogs or captures, use the packet tracer command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
C. Enable logging at level 1 and check the syslogs using the commands logging enable, logging buffered 1 and show logging | include 10.10.10.10
D. Check if an access-list on the firewall is blocking the user by using the command show running-config access-list | include 10.10.10.10
E. Use the packet tracer command packet-tracer input inside udp 10.10.10.10 1234 192.168.1.3 161 to see what the firewall is doing with the user’s traffic
Answer: A, B

34. A Cisco router may have a fan issue that could increase its temperature and trigger a failure. What troubleshooting steps would verify the issue without causing additional risks?
A. Configure logging using the commands “logging on”, “logging buffered 4”, and check for fan failure logs using “show logging”
B. Configure logging using the commands “logging on”, “logging buffered 6”, and check for fan failure logs using “show logging”
C. Configure logging using the commands “logging on”, “logging discriminator msglog1 console 7”, and check for fan failure logs using “show logging”
D. Configure logging using the commands “logging host 10.11.11.11”, “logging trap 2”, and check for fan failure logs at the syslog server 10.11.11.11
Answer: A
35. An internet-based VPN solution is being considered to replace an existing private WAN connecting remote offices. A multimedia application is used that relies on multicast for communication. Which two VPN solutions meet the application’s network requirement? (Choose two.)
A. FlexVPN
B. DMVPN
C. Group Encrypted Transport VPN
D. Crypto-map based site-to-site IPsec VPNs
E. AnyConnect VPN
Answer: A, B
36. A private WAN connection is suspected of intermittently corrupting data. Which technology can a network administrator use to detect and drop the altered data traffic?
A. AES128
B. RSA Certificates
C. SHA2-HMAC
D. 3DES
E. Diffie-Hellman Key Generation
Answer: C
37. A company needs to provide secure access to its remote workforce. The end users use public kiosk computers and a wide range of devices. They will be accessing only an internal web application. Which VPN solution satisfies these requirements?
A. Clientless SSLVPN
B. AnyConnect Client using SSLVPN
C. AnyConnect Client using IKEv2
D. FlexVPN Client
E. Windows built-in PPTP client

Answer: A
38. A network administrator is configuring AES encryption for the ISAKMP policy on an IOS router. Which two configurations are valid? (Choose two.)
A. crypto isakmp policy 10 encryption aes 254
B. crypto isakmp policy 10 encryption aes 192
C. crypto isakmp policy 10 encryption aes 256
D. crypto isakmp policy 10 encryption aes 196
E. crypto isakmp policy 10 encryption aes 199
F. crypto isakmp policy 10 encryption aes 64
Answer: B, C
39. Which two qualify as Next Generation Encryption integrity algorithms? (Choose two.)
A. SHA512
B. SHA256
C. SHA192
D. SHA380
E. SHA192
F. SHA196
Answer: A, B
40. Which statement is true when implementing a router with a dynamic public IP address in a crypto-map based site-to-site VPN?
A. The router must be configured with a dynamic crypto map.
B. Certificates are always used for phase 1 authentication.
C. The tunnel establishment will fail if the router is configured as a responder only.
D. The router and the peer router must have NAT traversal enabled.
Answer: C
41. Which two statements are true when designing an SSL VPN solution using Cisco AnyConnect? (Choose two.)
A. The VPN server must have a self-signed certificate.
B. An SSL group pre-shared key must be configured on the server.
C. The VPN IP address pool can overlap with the rest of the LAN networks.
D. Server-side certificate is optional if using AAA for client authentication.
E. DTLS can be enabled for better performance.

Answer: D, E
42. What are two benefits of DMVPN Phase 3? (Choose two.)
A. Administrators can use summarization of routing protocol updates from hub to spokes.
B. It supports L2TP over IPSec as one of the VPN protocols.
C. It introduces hierarchical DMVPN deployments.
D. It introduces non-hierarchical DMVPN deployments.
Answer: A, C
43. Which are two main use cases for Clientless SSL VPN? (Choose two.)
A. In kiosks that are part of a shared environment
B. When the users do not have admin rights to install a new VPN client
C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP
D. To create VPN site-to-site tunnels in combination with remote access
Answer: A, B
44. Which two features are required when configuring a DMVPN network? (Choose two.)
A. Dynamic routing protocol
B. GRE tunnel interface
C. Next Hop Resolution Protocol
D. Dynamic crypto map
E. IPsec encryption
Answer: B, E
45. Which technology can rate-limit the number of tunnels on a DMVPN hub when system utilization is above a specified percentage?
A. NHRP Event Publisher
B. interface state control
C. CAC
D. NHRP Authentication
E. ip nhrp connect
Answer: C
46. Which technology supports tunnel interfaces while remaining compatible with legacy VPN implementations?
A. FlexVPN
B. DMVPN

C. GET VPN
D. SSL VPN
Answer: A
47. Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices?
A. IKEv2 Suite-B
B. IKEv2 proposals
C. IKEv2 profiles
D. IKEv2 Smart Defaults
Answer: D
48. When an IPsec SVTI is configured, which technology processes traffic forwarding for encryption?
A. ACL
B. IP routing
C. RRI
D. front door VPN routing and forwarding
Answer: B
49. An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a Web browser. What is a possible reason for the failure?
A. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.
B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.
C. The user’s FTP application is not supported.
D. The user’s operating system is not supported.
Answer: B
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/sslvpnclient/70664IOSthinclient.html
Thin Client SSL VPN (Port Forwarding): A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.

50. A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco IOS router and the Windows server?
A. HTTPS
B. NetBIOS
C. CIFS
D. HTTP
Answer: C
51. You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command must you configure on the virtual template?
A. tunnel protection ipsec
B. ip virtual-reassembly
C. tunnel mode ipsec
D. ip unnumbered
Answer: D
52. Which protocol supports high availability in a Cisco IOS SSL VPN environment?
A. HSRP
B. VRRP
C. GLBP
D. IRDP
Answer: A
53. When you configure IPsec VPN High Availability Enhancements, which technology does Cisco recommend that you enable to make reconvergence faster?
A. EOT
B. IP SLAs
C. periodic IKE keepalives
D. VPN fast detection
Answer: C
54. Which hash algorithm is required to protect classified information?
A. MD5
B. SHA1
C. SHA256
D. SHA384
Answer: D
55. Which cryptographic algorithms are approved to protect Top Secret information?

A. HIPPA DES
B. AES128
C. RC4128
D. AES256
Answer: D
56. Which Cisco firewall platform supports Cisco NGE?
A. FWSM
B. Cisco ASA 5505
C. Cisco ASA 5580
D. Cisco ASA 5525-X
Answer: D
57. Which algorithm is replaced by elliptic curve cryptography in Cisco NGE?
A. 3DES
B. AES
C. DES
D. RSA
Answer: D
58. Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco NGE supported VPN solution?
A. AES-GCM and SHA-2
B. 3DES and DH
C. AES-CBC and SHA-1
D. 3DES and SHA-1
Answer: A
59. An administrator wishes to limit the networks reachable over the AnyConnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and 209.165.202.128/27?

A. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitlist
B. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value splitlist
C. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect vpn-tunnel-network-list splitlist
D. group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
E. crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
Answer: A
60. Which NGE IKE Diffie-Hellman group identifier has the strongest cryptographic properties?
A. group 10
B. group 24
C. group 5
D. group 20
Answer: D
61. What is the Cisco recommended TCP maximum segment size on a DMVPN tunnel interface when the MTU is set to 1400 bytes?
A. 1160 bytes
B. 1260 bytes
C. 1360 bytes
D. 1240 bytes
Answer: C
62. Which technology does a multipoint GRE interface require to resolve endpoints?
A. ESP
B. dynamic routing
C. NHRP
D. CEF
E. IPSec
Answer: C
63. Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)
A. SHA (HMAC variant)
B. Diffie-Hellman
C. DES
D. MD5 (HMAC variant)
Answer: A, B
64. Which command configures IKEv2 symmetric identity authentication?
A. match identity remote address 0.0.0.0
B. authentication local pre-share
C. authentication pre-share

D. authentication remote rsa-sig
Answer: D
65. Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)
A. 3des, sha1, 14
B. aes-cbc-128, sha, 5
C. aes-cbc-192, sha256, 1
D. 3des, md5, 5
Answer: B, D
66. What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?
A. disk0:/webvpn/{context name}/
B. disk1:/webvpn/{context name}/
C. flash:/webvpn/{context name}/
D. nvram:/webvpn/{context name}/
Answer: C
67. Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?
A. vpn-filter none
B. no vpn-filter
C. filter value none
D. filter value ACLname
Answer: C
68. Which command specifies the path to the Host Scan package in an ASA AnyConnect VPN?
A. csd hostscan path image
B. csd hostscan image path
C. csd hostscan path
D. hostscan image path
Answer: B
69. When a tunnel is initiated by the headquarter ASA, which one of the following Diffie-Hellman groups is selected by the headquarter ASA during the CREATE_CHILD_SA exchange?

A. 1
B. 2
C. 5
D. 14
E. 19
Answer: C
Explanation:
Traffic initiated by the HQ ASA is assigned to the static outside crypto map, which is shown below to use DH group 5.

70. Based on the provided ASDM configuration for the remote ASA, which one of the following is correct?
A. An access list must be configured on the outside interface to permit inbound VPN traffic
B. A route to 192.168.22.0/24 will not be automatically installed in the routing table
C. The ASA will use a window of 128 packets (64×2) to perform the anti-replay check

D. The tunnel can also be established on TCP port 10000
Answer: C
Explanation:
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.

71. If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to encrypt traffic?
A. DES
B. 3DES
C. AES
D. AES192
E. AES256
Answer: E
Explanation:
Both ASAs are configured to support AES 256, so during the IPSec negotiation they will use the strongest algorithm that is supported by each peer.

72. After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24 network are unable to access the internet. Which of the following can be done to resolve this problem?
A. Change the Diffie-Hellman group on the headquarter ASA to group 5 for the dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEv1 configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0
Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 to 192.168.22.0/24.
73. Which option shows the correct traffic selectors for the child SA on the remote ASA, when the headquarter ASA initiates the tunnel?


A. Local selector 192.168.22.0/0 – 192.168.22.255/65535
Remote selector 192.168.33.0/0 – 192.168.33.255/65535
B. Local selector 192.168.33.0/0 – 192.168.33.255/65535
Remote selector 192.168.22.0/0 – 192.168.22.255/65535
C. Local selector 0.0.0.0/0 – 0.0.0.0/65535
Remote selector 192.168.33.0/0 – 192.168.33.255/65535
D. Local selector 192.168.33.0/0 – 192.168.33.255/65535
Remote selector 0.0.0.0/0 – 0.0.0.0/65535
E. Local selector 192.168.33.0/0 – 192.168.33.255/65535
Remote selector 192.168.20.0/0 – 192.168.20.255/65535
Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 (THE LOCAL SIDE) to 192.168.22.0/24 (THE REMOTE SIDE).
74. CORRECT TEXT
You must use the IKEv2 configuration blocks to accomplish this task.

Answer: See the explanation.
Explanation:
Here are the steps:
Step 1: Configure the keyring
crypto ikev2 keyring mykeys
peer SiteB.cisco.com
address 209.161.201.1
pre-shared-key local $iteA
pre-shared-key remote $iteB
Step 2: Configure the IKEv2 profile
crypto ikev2 profile default
identity local fqdn SiteA.cisco.com
match identity remote fqdn SiteB.cisco.com
authentication local pre-share
authentication remote pre-share
keyring local mykeys
Step 3: Create the GRE tunnel and apply the profile
crypto ipsec profile default
set ikev2-profile default
interface tunnel 0
ip address 10.1.1.1 255.255.255.0
tunnel source eth 0/0
tunnel destination 209.165.201.1
tunnel protection ipsec profile default
end
75. An administrator is tasked with configuring the company’s SSL VPN gateway to allow remote users to work. A custom desktop application needs to access an internal server. Which two technologies would accommodate the company’s requirement? (Choose two.)
A. AnyConnect client
B. Smart Tunnels
C. Email Proxy
D. Content Rewriter
E. Portal Customizations
Answer: A, B
76. Refer to the exhibit. A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing traffic to be blackholed. Which command should be used to identify the peer from which that route originated?
A. show crypto ikev2 sa detail
B. show crypto route
C. show crypto ikev2 client flexvpn
D. show ip route eigrp
E. show crypto isakmp sa detail
Answer: A

77. Refer to the exhibit. Which authentication method was used by the remote peer to prove its identity?
A. Extensible Authentication Protocol
B. certificate authentication
C. Pre-shared key
D. XAUTH
Answer: C
78. Refer to the exhibit. An IPsec peer is exchanging routes using IKEv2, but the routes are not installed in the RIB. Which configuration error is causing the failure?
A. IKEv2 routing requires certificate authentication, not pre-shared keys.
B. The IKEv2 authorization policy is not referenced in the IKEv2 profile.
C. The match identity command must refer to an access list of routes.
D. An invalid administrative distance value was configured.
Answer: B

79. Refer to the exhibit. An administrator is adding IPv6 addressing to an already functioning tunnel. The administrator is unable to ping 2001:DB8:100::2 but can ping 209.165.200.226. Which configuration needs to be added or changed?
A. Tunnel mode needs to be changed to GRE IPv6.
B. Tunnel mode needs to be changed to GRE IPv4.
C. OSPFv3 needs to be configured on the interface.
D. NHRP needs to be configured to provide NBMA mapping.
E. No configuration change is necessary. Everything is working correctly.
Answer: D
80. Refer to the exhibit.

The IKEv2 tunnel between Router1 and Router2 is failing during session establishment. Which action will allow the session to establish correctly?
A. The local and remote keys on Router2 must be the same.
B. The local and remote keys on Router2 must be switched.
C. The address command on Router2 must be narrowed down to a /32 mask.
D. The pre-shared key must be altered to use only lowercase letters.
Answer: B
81. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto isakmp command on the head-end router, you see the following output. What does this output suggest?
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1), no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10
A. Phase 1 policy does not match on both sides.
B. The transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. There is a mismatch in the ACL that identifies interesting traffic.
Answer: A
82. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto ipsec command on the head-end router, you see the following output. What does this output suggest?
1d00h: IPSec (validate_proposal): transform proposal (port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable
A. Phase 1 policy does not match on both sides.
B. The Phase 2 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. The crypto map is not applied on the remote peer.
E. The Phase 1 transform set does not match on both sides.
Answer: B
83. Which adaptive security appliance command can be used to see a generic framework of the requirements for configuring a VPN tunnel between an adaptive security appliance and a Cisco IOS router at a remote office?
A. vpnsetup site-to-site steps
B. show running-config crypto
C. vpnsetup ssl-remote-access steps
Answer: A
84. Refer to the exhibit. After completing a site-to-site VPN setup between two routers, application performance over the tunnel is slow. You issue the show crypto ipsec sa command and see the following output. What does this output suggest?
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)
current_peer 209.165.200.230 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836
#pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
A. The VPN has established and is functioning normally.
B. There is an asymmetric routing issue.
C. The remote peer is not receiving encrypted traffic.
D. The remote peer is not able to decrypt traffic.
E. Packet corruption is occurring on the path between the two peers.
Answer: E
85. Which Cisco adaptive security appliance command can be used to view the count of all active VPN sessions?
A. show vpn-sessiondb summary
B. show crypto ikev1 sa
C. show vpn-sessiondb l2l
D. show vpn-sessiondb ratio encryption
E. show isakmp sa detail
F. show crypto protocol statistics all
Answer: A
230 port 500 PERMIT. You issue the show crypto ipsec sa command and see the following output.255/47/0) current_peer 209. #pkts decrypt: 19211. #recv errors 0 A. The remote peer is not able to decrypt traffic.10/255. #pkts encrypt: 34836. Which Cisco adaptive security appliance command can be used to view the count of all active VPN sessions? A.10. #pkts verify: 19211 #pkts compresseD. (none) local ident (addr/mask/prot/port): (10. 0 #pkts not compresseD. faileD.20/255. show crypto protocol statistics all Answer: A 86. #pkts decompress faileD. Ethiopia .165.255. local addr 10. 35 | P a g e tayeforever@gmail.10.255/47/0) remote ident (addr/mask/prot/port): (10.} #pkts encaps: 34836. Refer to the exhibit. Packet corruption is occurring on the path between the two peers. D.10.255. The VPN has established and is functioning normally. 0 #send errors 0. show vpn session db summary B. 0. show iskamp sa detail E. There is an asymmetric routing issue. What does this output suggest? interfacE. #pkts decompresseD. Answer: E 85. #pkts compr. C. B. 0 #pkts not decompresseD.255. show crypto ikev1 sa C.10.255.10 protected vrF. E.C. The remote peer is not receiving encrypted traffic. #pkts digest: 34836 #pkts decaps: 26922. Vpn setup ssl remote access steps Answer: A 84. show vpn session db l2l D. 0. show vpnsessiondb ratio encryption D. application performance over the tunnel is slow. flags={origin_is_acl. Tunnel100 Crypto map tag: Tunnel100head0. 0.com Gonder.20.20.200. After completing a site to site VPN setup between two routers.

D. D. contact your administrator” What is the most possible cause of this problem? A. E. The client endpoint does not have the correct user profile to initiate an IKEv2 connection. B. If you specify the primary protocol as IPsec. the Cisco Any Connect client was not able to connect. C. A new XML profile should be created instead of modifying the existing profile. Answer: C 87. the User Group must be the exact name of the connection profile (tunnel group). IPsec will not work in conjunction with a group URL. What is the problem? A. C. B. The following error message is displayed: “Login Denied. The Cisco AnyConnect implementation does not allow the two group URLs to be the same. unauthorized connection mechanism.com Gonder.An administrator had the above configuration working with SSL protocol. SSL does allow this. so that the clients force the update. DAP is terminating the connection because IKEv2 is the protocol that is being used. The AAA server that is being used does not authorize IKEv2 as the connection mechanism. Answer: E 36 | P a g e tayeforever@gmail. Ethiopia . The IKEv2 protocol is not enabled in the group policy of the VPN head end. The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The administrator is restricting access to this specific user. but as soon as the administrator specified IPsec as the primary protocol.

C. D. IKEv2 is not enabled on the group policy. A new profile must be created so that the adaptive security appliance can push it to the client on the next connection attempt. User profile updates are not allowed with IKEv2. The Advanced Endpoint Assessment license must be installed to allow Cisco AnyConnect IKEv2 sessions. C 90. Verify that the primary protocol on the client machine is set to IPsec. Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2 connection.) A. The Cisco AnyConnect client is unable to download an updated user profile from the ASA Head end using IKEv2. Verify that the IKEv2 protocol is enabled on the group policy. Ethiopia . AnyConnect Essentials can be used for Cisco AnyConnect IKEv2 connections. D. Client Services is not enabled on the adaptive security appliance. Answer: A. while SSL works fine? (Choose two. Cisco AnyConnect Mobile must be installed to allow AnyConnect IKEv2 sessions. IKEv2 sessions are not licensed. Answer: A 37 | P a g e tayeforever@gmail. which option will allow IKEv2 connections on the adaptive security appliance? A.88. D. C. Answer: D 89. Regarding licensing. Verify that AnyConnect is enabled on the correct interface. E. B. B. Verify that ASDM and AnyConnect are not using the same port. B. C.com Gonder. What is the most likely cause of this problem? A. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.

and therefore the second tunnel is not working. The network administrator is adding a new spoke.91. There is no EIGRP configuration.com Gonder. 38 | P a g e tayeforever@gmail. so there can be only one spoke. B. The NHRP authentication is failing. What could cause this issue? A. DMVPN is a point to point tunnel. but the tunnel is not passing traffic. C. Refer to the exhibit. Ethiopia .

Next Hop Registration Protocol C.D. The hub forwards the request to the destination spoke. Use another router at the spoke site. The hub waits for the second spoke to send a request so that it can respond to both spokes.com Gonder. The transform set must be in transport mode. EIGRP address family E. Create another DMVPN cloud by configuring another tunnel interface that is sourced from the second ISP link. and when the primary interface goes down. What does NHRP stand for? A. split horizon C. metric calculation using bandwidth D. E 95. which is a requirement for DMVPN. D. default administrative distance Answer: B. because two ISP connections on the same router for the same hub is not allowed. B. Answer: D 94. Ethiopia . which two EIGRP features need to be disabled on the hub to allow spoke to spoke communication? (Choose two. Next Hub Routing Protocol D. Next Hop Routing Protocol 39 | P a g e tayeforever@gmail. D. The hub updates its own NHRP mapping. The hub sends back a resolution reply to the requesting spoke. C. Auto summary B. How can you achieve optimum failover without affecting any other router in the DMVPN cloud? A. Answer: C 93. Next Hop Resolution Protocol B. Create another tunnel interface with same configuration except the tunnel source.) A. Configure SLA tracking. A spoke has two Internet connections for failover. In DMVPN phase 2. E. and configure the if state nhrp and backup interface commands on the primary tunnel interface. C. The NHRP network ID is incorrect. Next hop self F. manually change the tunnel source of the tunnel interface. B. What action does the hub take when it receives a NHRP resolution request from a spoke for a network that exists behind another spoke? A. Answer: C 92.

RC4128 D. D. debug webvpn aaa F. Gather crypto debugs on the adaptive security appliance. Use Wire shark to capture network traffic. B. A. Which cryptographic algorithms are part of the Cisco NGE suite? A. C. Which three commands can be used for troubleshooting of the AAA subsystem? (Choose three. B. debug aaa authentication B. When troubleshooting established clientless SSL VPN issues. B. debug ssl openssl errors E. Verify the trusted zone and cookies settings in your browser.) A. Ethiopia . D.com Gonder. AESGCM256 Answer: D 100.Answer: A 96. Move to the IPsec client. Try the URL from another operating system. Make sure that you specified the URL correctly. while other browsers work fine? A. Which transform set is contained in the IKEv2 default proposal? aescbc192. sha256. which three steps should be taken? (Choose three. group 14 3des. D. debug vpn authorization error D. group 7 3des. group 1 40 | P a g e tayeforever@gmail. A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish the connection. E 98. HIPPA DES B. md5. Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet Explorer. Answer: B. AESCBC128 C. E. Clear the browser and Java cache.) A. sha1. debug radius C. Answer: A 99. Clear the browser history. F. Collect the information from the computer event log. C. F 97. B. C. Enable and use HTML capture tools. debug ssl error Answer: A.

An administrator desires that when work laptops are not connected to the corporate network. Via the svc trusted network command under the group policy sub configuration mode on the ASA B. sha. The following configuration steps have been completeD. clear crypto map D. group 5 Answer: D 101. more system:runningconfig B. aescbc128. • A DHCP scope was configured and applied to a WebVPN Tunnel Group.com Gonder. Where does the administrator configure this? A. show runningconfig tunnelgroup D. clear crypto ikev2 sa Answer: A 102. Under the “Automatic VPN Policy” section inside the Anyconnect Profile Editor within ASDM C. Via the svc trusted network command under the global web vpn sub configuration mode on the ASA Answer: B 104. clear configure crypto B. Under the TNDPolicy XML section within the Local Preferences file on the client computer D. • WebVPN was enabled on the ASA outside interface. show ipsec policy Answer: A 103. Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel group in cleartext? A. • SSL VPN client software was loaded to the ASA. The SSL client must be loaded to the client by an ASA administrator B. show runningconfig crypto C.D. clear config tunnelgroup F. they should automatically initiate an AnyConnect VPN tunnel back to headquarters. What additional step is required if the client software fails to load when connecting to the ASA SSL page? A. Ethiopia . show runningconfig tunnelgroupmap E. The SSL client must be downloaded to the client via FTP 41 | P a g e tayeforever@gmail. clear configure crypto ipsec C. Which command clears all crypto configuration from a Cisco Adaptive Security Appliance? A.

C. The SSL VPN client must be enabled on the ASA after loading
D. The SSL client must be enabled on the client machine before loading
Answer: A
105. Remote users want to access internal servers behind an ASA using Microsoft terminal services. Which option outlines the steps required to allow users access via the ASA clientless VPN portal?
A. 1. Configure a static PAT rule for TCP port 3389 2. Configure an inbound access list to allow traffic from remote users to the servers 3. Assign this access list rule to the group policy
B. 1. Configure a bookmark of the type http://<serverIP>:3389 2. Enable Smart Tunnel on this bookmark 3. Assign the bookmark to the desired group policy
C. 1. Configure a Smart Tunnel application list 2. Add the rdp.exe process to this list 3. Assign the Smart Tunnel application list to the desired group policy
D. 1. Upload an RDP plugin to the ASA 2. Configure a bookmark of the type rdp://<serverIP> 3. Assign the bookmark list to the desired group policy
Answer: D
106. Which command is used to determine how many GMs have registered in a GETVPN environment?
A. show crypto isakmp sa
B. show crypto gdoi ks members
C. show crypto gdoi gm
D. show crypto ipsec sa
E. show crypto isakmp sa count
Answer: B
107. On which Cisco platform are dynamic virtual template interfaces available?
A. Cisco Adaptive Security Appliance 5585-X
B. Cisco Catalyst 3750-X
C. Cisco Integrated Services Router Generation 2
D. Cisco Nexus 7000
Answer: C

It can be used in a DMVPN deployment D. It is a LAN to LAN VPN ISAKMP policy. C. Ethiopia . Which two statements about the given configuration are true? (Choose two. C 110. It has a keepalive of 60 minutes. Refer to the exhibit. Refer to the exhibit. B. Any router defined in group 2 will be allowed to connect. Defined PSK can be used by any IPSec peer. It is an AnyConnect ISAKMP policy. 43 | P a g e tayeforever@gmail. B. Refer to the exhibit. checking every 5 minutes. F. Which statement about the given IKE policy is true? A. 88 minutes. PSK will not work as configured Answer: A.) A. The tunnel will be valid for 2 days. and 00 seconds. Answer: B 109.com Gonder. It will use encrypted nonces for authentication. C. E. It uses a 56bit encryption algorithm. D.108.

Refer to the exhibit. What technology does the given configuration demonstrate?
A. Keyring used to encrypt IPSec traffic
B. FlexVPN with IPv6
C. FlexVPN with AnyConnect
D. Crypto Policy to enable IKEv2
Answer: B
111. Which command enables the router to form EIGRP neighbor adjacencies with peers using a different subnet than the ingress interface?
A. ip unnumbered interface
B. eigrp router-id
C. passive-interface interface-name
D. ip split-horizon eigrp as-number
Answer: A
112. Which feature enforces the corporate policy for Internet access to Cisco AnyConnect VPN users?
A. Trusted Network Detection
B. Datagram Transport Layer Security
C. Cisco AnyConnect Customization
D. banner message
Answer: A
113. In which situation would you enable the Smart Tunnel option with clientless SSL VPN?
A. when a user is using an outdated version of a web browser
B. when an application is failing in the rewrite process
C. when IPsec should be used over SSL VPN
D. when a user has a nonsupported Java version installed
Answer: B

XAUTH E. digital certificates D.com Gonder. What problem does the given output indicate? A. EAP Answer: A. webAuth C. C. IKEv2 failed to establish a phase 2 negotiation. shares a single profile between IKEv1 and IKEv2 Answer:A 117. shares a single profile between multiple tunnel interfaces B. B. C 116. D. preshared key B. shares a single profile between a tunnel interface and a crypto map D. Which two types of authentication are supported when you use Cisco ASDM to configure site to site IKEv2 with IPv6? (Choose two.) A.You executed the show crypto ipsec sa command to troubleshoot an IPSec issue. Answer: B 115. B. A. allows multiple authentication types to be used on the tunnel interface C. Which type of communication in a FlexVPN implementation uses an NHRP shortcut? spoke to hub spoke to spoke hub to spoke hub to hub Answer: B 45 | P a g e tayeforever@gmail. C. ISAKMP was unable to find a matching SA. IKEv2 was used in aggressive mode. Which option describes the purpose of the shared argument in the DMVPN interface command tunnel protection IPsec profile ProfileName shared? A. Ethiopia . The Crypto ACL is different on the peer device. D.

118. Which technology is FlexVPN based on?
A. OER
B. VRF
C. IKEv2
D. an RSA nonce
Answer: C
119. Which application does the Application Access feature of Clientless VPN support?
A. TFTP
B. VoIP
C. Telnet
D. active FTP
Answer: C
120. Where do you configure AnyConnect certificate-based authentication in ASDM?
A. group policies
B. AnyConnect Connection Profile
C. AnyConnect Client Profile
D. Advanced Network (Client) Access
121. Which protocols does the Cisco AnyConnect client use to build multiple connections to the security appliance?
A. TLS and DTLS
B. IKEv1
C. L2TP over IPsec
D. SSH over TCP
Answer: A
122. Which is used by GETVPN, FlexVPN and DMVPN?
A. NHRP
B. MPLS
C. GRE
D. ESP
Answer: D
123. Which VPN solution is best for a collection of branch offices connected by MPLS that frequently make VoIP calls between branches?
A. GETVPN
B. Cisco AnyConnect
C. site-to-site

D. DMVPN
Answer: A
124. Refer to the exhibit. Which VPN solution does this configuration represent?
A. DMVPN
B. GETVPN
C. FlexVPN
D. Site-to-site

Answer: C
125. Refer to the exhibit. You have implemented an SSL VPN as shown. Which type of communication takes place between the secure gateway R1 and the Cisco Secure ACS?
A. HTTP proxy
B. AAA
C. policy
D. port forwarding
Answer: B
126. Which technology can provide high availability for an SSL VPN?
A. DMVPN
B. a multiple tunnel configuration
C. a Cisco ASA pair in active/passive failover configuration
D. certificate to tunnel group maps
Answer: C

127. Refer to the exhibit. Which VPN solution does this configuration represent?
A. Cisco AnyConnect
B. IPsec
C. L2TP
D. SSL VPN
Answer: B
128.
A. Java
B. QuickTime plugin
C. Silverlight
D. Flash
Answer: A
129. In the Diffie-Hellman protocol, which type of key is the shared secret?
A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key
Answer: A
130. Refer to the exhibit.

Which exchange does this debug output represent?
A. IKE Phase 1
B. IKE Phase 2
C. symmetric key exchange
D. certificate exchange
Answer: A
131. Which two technologies are considered to be Suite B cryptography? (Choose two.)
A. MD5
B. SHA-2
C. Elliptical Curve Diffie-Hellman
D. 3DES
E. DES
Answer: B, C
132. Which protocol does DTLS use for its transport?
A. TCP
B. UDP
C. IMAP
D. DDE
Answer: B
133. CORRECT TEXT
Scenario:
You are the network security manager for your organization. Your manager has received a
request to allow an external user to access your HQ and DMZ servers. You are given the
following connection parameters for this task. Using ASDM on the ASA, configure the
parameters below and test your configuration by accessing the Guest PC. Not all ASDM screens
are active for this exercise. Also, for this exercise, all changes are automatically applied to the
ASA and you will not have to click APPLY to apply the changes manually.
• Enable Clientless SSL VPN on the outside interface
• Using the Guest PC, open an Internet Explorer window and test and verify the basic
connection to the SSL VPN portal using address: https://vpnsecurex.public

a) You may notice a certificate error in the status bar; this can be ignored for this
exercise
b) Username: vpnuser
c) Password: cisco123
d) Logout of the portal once you have verified connectivity
• Configure two bookmarks with the following parameters:
a) Bookmark List Name: MYBOOKMARKS
b) Use the: URL with GET or POST method
c) Bookmark Title: HQServer
i. http://10.10.3.20
d) Bookmark Title: DMZServerFTP
i. ftp://172.16.1.50
e) Assign the configured Bookmarks to:
i. DfltGrpPolicy
ii. DfltAccessPolicy
iii. LOCAL User: vpnuser
• From the Guest PC, reconnect to the SSL VPN Portal
• Test both configured Bookmarks to ensure desired connectivity
You have completed this exercise when you have configured and successfully tested Clientless
SSL VPN connectivity.
Topology:


Answer: Please find the solution in the explanation below.
Explanation:
First, enable clientless VPN access on the outside interface by checking the box found below:


Then, log in to the given URL using the vpnuser/cisco123 credentials:
Logging in will take you to this page, which means you have now verified basic connectivity:

Now log out by hitting the logout button.
Now, go back to the ASDM and navigate to the Bookmarks portion:
Make the name MYBOOKMARKS and use the “Add” tab and add the bookmarks per the instructions:

Ensure the “URL with GET or POST method” button is selected and hit OK:
Add the two bookmarks as given in the instructions:

You should now see the two bookmarks listed:
Hit OK and you will see this:

Select the MYBOOKMARKS Bookmarks and click on the “Assign” button. Then, click on the appropriate check boxes as specified in the instructions and hit OK.
After hitting OK, you will now see this:
Then, go back to the GuestPC, log back in and you should be able to test out the two new bookmarks.

134. What is being used as the authentication method on the branch ISR?
Scenario: You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

What is being used as the authentication method on the branch ISR?
A. Certificates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman
Answer: B
Group 2
Explanation: The show crypto isakmp key command shows the pre-shared key of “cisco”
135. Which transform set is being used on the branch ISR?
Scenario: You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

Which transform set is being used on the branch ISR?
A. Default
B. ESP-3DES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS mode transport
D. TSET
Answer: B

Explanation: This can be seen from the “show crypto ipsec sa” command as shown below:
136. In what state is the IKE security association on the Cisco ASA?
Scenario: You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both

the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

In what state is the IKE security association on the Cisco ASA?
A. There are no security associations in place
B. MM_ACTIVE
C. ACTIVE(ACTIVE)
D. QM_IDLE
Answer: B
Explanation: This can be seen from the “show crypto isa sa” command:
137. Which crypto map tag is being used on the Cisco ASA?
Scenario: You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both

the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:

Which crypto map tag is being used on the Cisco ASA?
A. outside_cryptomap
B. VPNtoASA
C. L2L_Tunnel
D. outside_map1
Answer: D
Explanation: This is seen from the “show crypto ipsec sa” command on the ASA.