
CCNP SECURITY Cisco 300-209

Implementing Cisco Secure Mobility Solutions (300-209) Real Exams
1. Which two are characteristics of GETVPN? (Choose two.)
A. The IP header of the encrypted packet is preserved
B. A key server is elected among all configured Group Members
C. Unique encryption keys are computed for each Group Member
D. The same key encryption and traffic encryption keys are distributed to all Group
Members
Answer: A and D
2. A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid configuration constructs on a Cisco IOS router? (Choose two.)
A. crypto ikev2 keyring keyring-name
    peer peer1
     address 209.165.201.1 255.255.255.255
     pre-shared-key local key1
     pre-shared-key remote key2
B. crypto ikev2 transform-set transform-set-name
    esp-3des esp-md5-hmac
    esp-aes esp-sha-hmac
C. crypto ikev2 map crypto-map-name
    set crypto ikev2 tunnel-group tunnel-group-name
    set crypto ikev2 transform-set transform-set-name
D. crypto ikev2 tunnel-group tunnel-group-name
    match identity remote address 209.165.201.1
    authentication local pre-share
E. crypto ikev2 profile profile-name
    match identity remote address 209.165.201.1
    authentication local pre-share
    authentication remote pre-share
Answer: A and E
1|Page

tayeforever@gmail.com
Gonder, Ethiopia

3. Which four activities does the Key Server perform in a GETVPN deployment? (Choose
four.)
A. authenticates group members
B. manages security policy
C. creates group keys
D. distributes policy/keys
E. encrypts endpoint traffic
F. receives policy/keys
G. defines group members
Answer: A, B, C, D
4. Where is split tunneling defined for remote access clients on an ASA?
A. Group-policy
B. Tunnel-group
C. Crypto map
D. WebVPN Portal
E. ISAKMP client
Answer: A
5. Which of the following could be used to configure remote access VPN HostScan and pre-login policies?
A. ASDM
B. Connection profile CLI command
C. HostScan CLI command under the VPN group policy
D. Pre-login check CLI command
Answer: A
6. In FlexVPN, what command can an administrator use to create a virtual template interface
that can be configured and applied dynamically to create virtual access interfaces?
A. interface virtual-template number type template
B. interface virtual-template number type tunnel
C. interface template number type virtual
D. interface tunnel template number
Answer: B
Explanation:
Here is a reference and an explanation that can be included with this test:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html#GUID-4A10927D-4C6A-4202-B01C-DA7E462F5D8A
Configuring the Virtual Tunnel Interface on FlexVPN Spoke
SUMMARY STEPS
1. enable
2. configure terminal
3. interface virtual-template number type tunnel
4. ip unnumbered tunnel number
5. ip nhrp network-id number
6. ip nhrp shortcut virtual-template number
7. ip nhrp redirect [timeout seconds]
8. exit
7. In FlexVPN, what is the role of a NHRP resolution request?
A. It allows these entities to directly communicate without requiring traffic to use an
intermediate hop
B. It dynamically assigns VPN users to a group
C. It blocks these entities from directly communicating with each other
D. It makes sure that each VPN spoke directly communicates with the hub
Answer: A
8. What are three benefits of deploying a GET VPN? (Choose three.)
A. It provides highly scalable point to point topologies.
B. It allows replication of packets after encryption.
C. It is suited for enterprises running over a DMVPN network.
D. It preserves original source and destination IP address information.
E. It simplifies encryption management through use of group keying.
F. It supports non-IP protocols.
Answer: B, D, E
9. What is the default topology type for a GET VPN?
A. Point to point
B. hub and spoke
C. full mesh
D. on demand spoke to spoke
Answer: C
10. Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)
A. key encryption key
B. group encryption key
C. user encryption key
D. traffic encryption key
Answer: A, D
11. What are the three primary components of a GET VPN network? (Choose three.)
A. Group Domain of Interpretation protocol
B. Simple Network Management Protocol
C. server load balancer
D. accounting server
E. group member
3|Page

tayeforever@gmail.com
Gonder, Ethiopia

C 14. Which two parameters are configured within an IKEv2 proposal on an IOS router? (Choose two.225 or 209. In a spoke to spoke DMVPN topology. PRF algorithm Answer: B. E. After the configuration is performed. C 13. which combination of devices can connect? A.165.) A.com” 4|Page tayeforever@gmail.155 or a certificate with subject name of “cisco. F 12. Loopback interface Answer: B 15. session lifetime E.202. hash algorithm C.com Gonder. Encryption C. Ethiopia . Point to point GRE interface D.200. priority number B. authentication B. integrity D. Virtual tunnel interface B. Which two IKEv1 policy options must match on each peer when you configure an IPsec site to site VPN? (Choose two.165.) A. key server Answer: A. which type of interface does a branch router require? A. a device with an identity type of IPv4 address of 209.F. Refer to the exhibit. encryption algorithm D. Lifetime Answer: B. Multipoint GRE interface C.

B. Consider this scenario.com” C. a device with an identity type of IPv4 address of 209. set security association level per host Answer: A. Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit C. The VPN is using an expired certificate.202.202.165. Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client 5|Page tayeforever@gmail.155 and a certificate with subject name containing “cisco.225 and 209.165.com” Answer: D 16. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy B.200. set transform set D.165. Ethiopia . When users attempt to connect via a Cisco Any Connect VPN session.225 or 209. C.165. the certificate has changed and the connection fails. set peer C. auto applet download B.165.com” D. What is a possible cause of the connection failure? A.155 or a certificate with subject name containing “cisco. HTTP proxy Answer: B 18. An invalid modulus was used to generate the initial key. a device with an identity type of IPv4 address of both 209. A network is configured to allow clientless access to resources inside the network.) A. The Trusted Root Store is configured incorrectly. port forwarding C.com Gonder.200.200. match address B. B. Answer: C 19.202. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889? A. where do you enable the DTLS protocol setting? A. B. C 17. D. Web type ACL D.225 and 209. Which three settings are required for crypto map configuration? (Choose three. a device with an identity type of IPv4 address of both 209.155 or a certificate with subject name containing “cisco.165. The Cisco ASA appliance was reloaded. In the Cisco ASDM interface. set security association lifetime E.

com Gonder. CSCO_WEBVPN_OTP_PASSWORD B. dynamic access policy attributes B. what is the first set of attributes that it applies? A. Cisco IOS Web VPN customization template 6|Page tayeforever@gmail. user attributes Answer: A 22.cisco. Cisco Any Connect Answer: A. B 21.html Shows where DTLS can be configured as: • Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client • Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client •Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client 20. which file must you configure? A. What are two forms of SSL VPN? (Choose two. When Cisco ASA applies VPN permissions. To change the title panel on the logon page of the Cisco IOS Web VPN portal. connection profile attributes D. CSCO_WEBVPN_RADIUS_USER Answer: B. CSCO_WEBVPN_USERNAME D.) A. group policy attributes C. Ethiopia . Full Tunnel Mode C. Cisco IOS Web VPN D. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit Answer: C Explanation: The reference: http://www.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect20/administrati ve/ guide/admin/admin5. CSCO_WEBVPN_INTERNAL_PASSWORD C.D. What are two variables for configuring clientless SSL VPN single sign on? (Choose two. port forwarding B.) A. C 23.

7|Page tayeforever@gmail. migrate remote access ssl Answer: A Explanation: Below is a reference for this question: http://www.html If your IKEv1. webaccesshlp. Cisco IOS Web VPN customization general C.inc Answer: A 24. migrate remote access ssl overwrite B. overwrite – If you have a IKEv2 configuration that you wish to overwrite. On the command line. enter the migrate command: migrate {l2l | remoteaccess {ikev2 | ssl} | overwrite} Things of note: Keyword definitions: l2l – This converts current IKEv1 l2l tunnels to IKEv2. SQLNET Answer: B.) A.inc D.B.com/c/en/us/support/docs/security/asa5500xseriesnextgenerationfirewalls/ 113597ptn113597. remote access – This converts the remote access configuration. configuration already exists. appaccesshlp. migrate l2l D. C. You can convert either the IKEv1 or the SSL tunnel groups to IKEv2. VNC E. CIFS B. or even SSL. Which three plug ins are available for clientless SSL VPN? (Choose three. SSH D.com Gonder. D 25. Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA appliance that has an invalid IKEv2 configuration? A.cisco. then this keyword converts the current IKEv1 configuration and removes the superfluous IKEv2 configuration. the ASA makes the migration process simple. Ethiopia . migrate remote access ikev2 C. RDP2 C.

appl ssh putty D.) A. SSL client D. The always on feature is enabled. B. The client does not automatically initiate any VPN connection. C. The Cisco AnyConnect Secure Mobility Client must be installed in flash. D. L2TP Answer: B. The always on feature is disabled. E. A user is unable to establish an Any Connect VPN connection to an ASA. D 28. A Cisco plugin must be installed on a Site Minder server.com Gonder. C. C.) A. appl ssh putty.exe win B. appl ssh putty.exe Answer: B 29. Which statement describes a prerequisite for single Sign on Netegrity Cookie Support in an IOC SSL VPN? A.exe windows C. SSL clientless E. The client initiates a VPN connection upon detection of an untrusted network. IKEv1 B. ESP F. Which two statements describe effects of the DoNothing option within the untrusted network policy on a Cisco AnyConnect profile? (Choose two. D 30. appl ssh putty. B. Answer: A. A Site Minder plugin must be installed on the Cisco SSL VPN gateway.26. which two filter options 8|Page tayeforever@gmail. The client initiates a VPN connection upon detection of a trusted network. IKEv2 C. Ethiopia . Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure Desktop? (Choose three. The Cisco Secure Desktop software package must be installed in flash. Answer: C 27. When using the RealTime Log viewer within ASDM to troubleshoot the issue. D. Which command enables IOS SSL VPN Smart Tunnel support for PuTTY? A.

10.10.1.10 1234 209.) A.3 161 to see what the firewall is doing with the user’s traffic Answer: A. Configuration > VPN > WebVPN Access Answer: B 33.10 is unable to access a HTTP website at IP address 209.10. B 9|Page tayeforever@gmail.10 E.10 any B.) A.10. click Settings. Client’s username E.would the administrator choose to show only sys log messages relevant to the VPN connection? (Choose two.200. Which Cisco ASDM option configures Web VPN access on a Cisco ASA? A. ASA’s public IP address Answer: A.10. Client’s default gateway IP address D.10. Client’s operating system C. A user with IP address 10. Configuration > Remote Access VPN > Clientless SSL VPN Access C. D 31.10. Configuration > Device Management > Logging > Email Setup B.10. Use packet tracer command packet tracer input inside udp 0.165.10. and specify the Destination Email Address option. Select the sys logs to email. Answer: A 32. Check if an accesslist on the firewall is blocking the user by using command show running config access list | include 10. logging buffered 1 and show logging | include 10. Enable logging at level 1 and check the syslogs using commands logging enable. click Edit.10 1234192. Configuration > Web VPN > Web VPN Config D.10. Client’s public IP address B.10 D. Configuration > Device Management > Email Setup > Logging Enable C.com Gonder. After verifying that user traffic reaches the firewall using syslogs or captures.165.10.200. Ethiopia .168.225 80 C. Configuration > Web VPN > Web VPN Access B.10. Which Cisco ASDM option configures forwarding sys log messages to email? A.225 through a Cisco ASA. use packet tracer command packet tracer input inside tcp 10. Which two features and commands will help troubleshoot the issue? (Choose two. and select the Forward Messages option. D. Capture user traffic using command capture capin interface inside match ip host 10. Select the sys logs to email.

and check for fan failure logs using “show logging” C. AnyConnect Client using SSLVPN C. Which VPN solution satisfies these requirements? A. and check for fan failure logs using “show logging” B. AnyConnect Client using IKEv2 D. and check for fan failure logs using “show logging” D.10. A multimedia application is used that relies on multicast for communication. A private wan connection is suspected of intermittently corrupting data. A company needs to provide secure access to its remote workforce.11 Answer: A 35.11″. Configure logging using commands “logging on”. Group Encrypted Transport VPN D. RSA Certificates C. Flex VPN B.com Gonder. “logging discriminator msglog1 console 7″. An internet based VPN solution is being considered to replace an existing private WAN connecting remote offices.34.) A. What troubleshooting steps would verify the issue without causing additional risks? A. AES128 B. The end users use public kiosk computers and a wide range of devices. Diffie Helman Key Generation Answer: C 37. SHA2HMAC D.11. DMVPN C. “logging trap 2″. They will be accessing only an internal web application. Which technology can a network administrator use to detect and drop the altered data traffic? A. Configure logging using commands “logging on”. “logging buffered 6″. and check for fan failure logs at the sys log server 10. Any Connect VPN Answer: A. “logging buffered 4″. A Cisco router may have a fan issue that could increase its temperature and trigger a failure.11. Which two VPN solutions meet the application’s network requirement? (Choose two. Configure logging using commands “logging host 10. FlexVPN Client E. B 36. Windows builtin PPTP client 10 | P a g e tayeforever@gmail. Configure logging using commands “logging on”. Crypto map based Site to Site IPsec VPNs E.10. 3DES E. Clientless SSLVPN B. Ethiopia .

The router must be configured with a dynamic crypto map. crypto isakmp policy 10 encryption aes 256 D.) A. B. SHA192 D. C. C 39. Server side certificate is optional if using AAA for client authentication. Ethiopia . Which two qualify as Next Generation Encryption integrity algorithms? (Choose two. SHA196 Answer: A. Which two configurations are valid? (Choose two. A SSL group pre shared key must be configured on the server. crypto isakmp policy 10 encryption aes 196 E.com Gonder.Answer: A 38. D.) A. crypto isakmp policy 10 encryption aes 192 C. A network administrator is configuring AES encryption for the ISAKMP policy on an IOS router. Which statement is true when implementing a router with a dynamic public IP address in a crypto map based site to site VPN? A. Which two statements are true when designing a SSL VPN solution using Cisco Any Connect? (Choose two. SHA192 F. Certificates are always used for phase 1 authentication. B. Answer: C 41. SHA256 C. The tunnel establishment will fail if the router is configured as a responder only. The VPN server must have a self signed certificate. The router and the peer router must have NAT traversal enabled. crypto isakmp policy 10 encryption aes 254 B. SHA380 E. D. crypto isakmp policy 10 encryption aes 64 Answer: B. 11 | P a g e tayeforever@gmail. crypto isakmp policy 10 encryption aes 199 F. SHA512 B. C.) A. The VPN IP address pool can overlap with the rest of the LAN networks. B 40.

Answer: D. CAC D. When full tunneling is needed to support applications that use TCP. interface state control C. It introduces nonhierarchical DMVPN deployments. Which technology can rate limit the number of tunnels on a DMVPN hub when system utilization is above a specified percentage? A. B 45.) A. C. What are two benefits of DMVPN Phase 3? (Choose two. Dynamic crypto map E. It supports L2TP over IPSec as one of the VPN protocols.) A. DTLS can be enabled for better performance. Which are two main use cases for Clientless SSL VPN? (Choose two. Which two features are required when configuring a DMVPN network? (Choose two.) A. E 42. NHRP Authentication E. IPsec encryption Answer: B. ip nhrp connect Answer: C 46.com Gonder. and ICMP D. C 43. NHRP Event Publisher B. To create VPN site to site tunnels in combination with remote access Answer: A.E. UDP. In kiosks that are part of a shared environment B. DMVPN 12 | P a g e tayeforever@gmail. FlexVPN B. Administrators can use summarization of routing protocol updates from hub to spokes. Ethiopia . B 44. Answer: A. Next Hop Resolution Protocol D. When the users do not have admin rights to install a new VPN client C. Dynamic routing protocol B. Which technology supports tunnel interfaces while remaining compatible with legacy VPN implementations? A. B. It introduces hierarchical DMVPN deployments. GRE tunnel interface C. D.

SSL VPN Answer: A 47. An IOS SSL VPN is configured to forward TCP ports. Answer: B Explanation: http://www.com/c/en/us/support/docs/security/sslvpnclient/70664IOSthinclient. IKEv2 Suite B B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode. GET VPN D. A remote user cannot access the corporate FTP site with a Web browser. IP routing C.html Thin Client SSL VPN (Port Forwarding) A remote client must download a small. IKEv2 profiles D.com Gonder. Examples include access to POP3. several FTP applications. RRI D. IMAP. for example. This method of SSL VPN does not work with applications that use dynamic port assignments. UDP is not supported. front door VPN routing and forwarding Answer: B 49. Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices? A. The user’s FTP application is not supported. SMTP. and Telnet. C. IKEv2 Smart Defaults Answer: D 48. which technology processes traffic forwarding for encryption? A.C. IKEv2 proposals C. Javabased applet for secure access of TCP applications that use static port numbers.cisco. D. ACL B. What is a possible reason for the failure? A. Ethiopia . The user is connecting to an IOS VPN gateway configured in Tunnel Mode. When an IPsec SVTI is configured. SSH. 13 | P a g e tayeforever@gmail. The user needs local administrative privileges because changes are made to files on the local machine. B. The user’s operating system is not supported.

When you configure IPsec VPN High Availability Enhancements. NetBIOS C. which technology does Cisco recommend that you enable to make reconvergence faster? A. HTTP Answer: C 51. Which cryptographic algorithms are approved to protect Top Secret information? 14 | P a g e tayeforever@gmail. Which protocol supports high availability in a Cisco IOS SSL VPN environment? A. CIFS D. tunnel protection ipsec B. SHA384 Answer: D 55. Which command must you configure on the virtual template? A. A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file shares on a Microsoft Windows 2003 server. Ethiopia .50. ip virtual reassembly C. SHA256 D. IRDP Answer: A 53. ip unnumbered Answer: D 52. MD5 B. HSRP B. tunnel mode ipsec D. IP SLAs C. HTTPS B. Which hash algorithm is required to protect classified information? A. periodic IKE keep alives D. VRRP C. EOT B.com Gonder. Which protocol is used between the Cisco IOS router and the Windows server? A. You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. VPN fast detection Answer: C 54. SHA1 C. GLBP D.

201. 3DES and SHA1 Answer: A 59. accesslist splitlist standard permit 209. AESGCM and SHA2 B. AES C. 3DES and DH C.202. HIPPA DES AES128 RC4128 AES256 Answer: D 56. AESCBC and SHA1 D.0 255. Which Cisco firewall platform supports Cisco NGE? A.224 accesslist splitlist standard permit 209.128 255.com Gonder. Ethiopia . D. Cisco ASA 5505 C. FWSM B.165.255.201. Cisco ASA 5580 D. DES D.165.255.165.202. RSA Answer: D 58. 3DES B. Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco NGE supported VPN solution? A. Which configuration on the ASA will correctly limit the networks reachable to 209.0/27 and 209. An administrator wishes to limit the networks reachable over the Anyconnect VPN tunnels.224 ! grouppolicy GroupPolicy1 internal grouppolicy GroupPolicy1 attributes 15 | P a g e tayeforever@gmail.255. Cisco ASA 5525X Answer: D 57. Which algorithm is replaced by elliptic curve cryptography in Cisco NGE? A.165. C.128/27? A.A.255. B.

165. accesslist splitlist standard permit 209.201.com Gonder.224 ! grouppolicy GroupPolicy1 internal grouppolicy GroupPolicy1 attributes splittunnelpolicy tunnelall splittunnelnetworklist value splitlist C.255.202.255.255.224 D.255.165.0 255.165. crypto anyconnect vpntunnelpolicy tunnelspecified crypto anyconnect splittunnelnetworklist ipv4 1 209.165.255.255.128 255.201.224 crypto anyconnect splittunnelnetworklist 16 | P a g e tayeforever@gmail.255.165. accesslist splitlist standard permit 209.165.0 255.255.255.255.165.128 255.128 255.255.201.255.202.224 ! crypto anyconnect vpntunnelpolicy tunnelspecified crypto anyconnect vpntunnelnetworklist splitlist E.201.224 splittunnelnetworklist ipv4 2 209.255.0 255. grouppolicy GroupPolicy1 internal grouppolicy GroupPolicy1 attributes splittunnelpolicy tunnelspecified splittunnelnetworklist ipv4 1 209. Ethiopia .224 accesslist splitlist standard permit 209.0 255.splittunnelpolicy tunnelspecified splittunnelnetworklist value splitlist B.202.224 accesslist splitlist standard permit 209.255.

Which technology does a multipoint GRE interface require to resolve endpoints? A. DES D.165. B 64. NHRP D. CEF E.128 255. 1160 bytes B. ESP B.202. authentication local pre share C.0. 1240 bytes Answer: C 62. match identity remote address 0. dynamic routing C. IPSec Answer: C 63. What is the Cisco recommended TCP maximum segment on a DMVPN tunnel interface when the MTU is set to 1400 bytes? A. 1260 bytes C. authentication pre share 17 | P a g e tayeforever@gmail. group 20 Answer: D 61. SHA (HMAC variant) B.0 B.0. Which NGE IKE Diffie Hellman group identifier has the strongest cryptographic properties? A.com Gonder.224 Answer: A 60. Which two cryptographic technologies are recommended for use with Flex VPN? (Choose two. 1360 bytes D. group 5 D.ipv4 2 209. DiffieHellman C. group 10 B. Which command configures IKEv2 symmetric identity authentication? A. MD5 (HMAC variant) Answer: A. group 24 C.255. Ethiopia .) A.255.

md5. flash:/webvpn/{context name}/ D. When a tunnel is initiated by the headquarter ASA. disk1:/webvpn/{context name}/ C. which one of the following Diffie Hellman groups is selected by the headquarter ASA during CREATE_CHILD_SA exchange? 18 | P a g e tayeforever@gmail. csd hostscan path D. 5 C. What is the default storage location of user level bookmarks in an IOS clientless SSL VPN? A. filter value none D. Ethiopia . Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two. hostscan image path Answer: B 69. nvram:/webvpn/{context name}/ Answer: C 67.D. csd hostscan path image B. sha1. sha256. Vpn filter none B. 3des. Which command specifies the path to the Host Scan package in an ASA Any Connect VPN? A. sha. Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN? A.com Gonder. 3des. authentication remote rsasig Answer: D 65. 5 Answer: B. 1 D. D 66. no vpnfilter C.) A. disk0:/webvpn/{context name}/ B. aescbc192. 14 B. filter value ACLname Answer: C 68. csd host scan image path C. aescbc128.

com Gonder. Ethiopia .19 | P a g e tayeforever@gmail.

20 | P a g e tayeforever@gmail. D. Ethiopia . B.A. which shown below to use DH group 5.com Gonder. E. C. 1 2 5 14 19 Answer: C Explanation: Traffic initiated by the HQ ASA is assigned to the static outside crypto map.

Ethiopia . 21 | P a g e tayeforever@gmail.com Gonder.70.

168. A route to 192. The ASA will use a window of 128 packets (64×2) to perform the anti replay check 22 | P a g e tayeforever@gmail. Ethiopia . which one of the following is correct? A.0/24 will not be automatically installed in the routing table C. An access list must be configured on the outside interface to permit inbound VPN traffic B.Based on the provided ASDM configuration for the remote ASA.22.com Gonder.

The IPsec AntiReplay Window: Expanding and Disabling feature allows you to expand the window size. the default window size is 64 packets. allowing the decryptor to keep track of more than 64 packets. Generally. Currently. Ethiopia .com Gonder.D. The decryptor keeps track of which packets it has seen on the basis of these numbers. but there are times when you may want to expand this window size. The tunnel can also be established on TCP port 10000 Answer: C Explanation: Cisco IP security (IPsec) authentication provides antireplay protection against an attacker Duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. 71. this number (window size) is sufficient. 23 | P a g e tayeforever@gmail.

com Gonder. AES 24 | P a g e tayeforever@gmail. which encryption algorithm would be used to encrypt traffic? A. Ethiopia . DES B.If the IKEv2 tunnel were to establish successfully. 3DES C.

25 | P a g e tayeforever@gmail. AES256 Answer: E Explanation: Both ASA’s are configured to support AES 256.com Gonder. AES192 E.D. 72. Ethiopia . so during the IPSec negotiation they will use the strongest algorithm that is supported by each peer.

Here.168. we just want to protect traffic from 192.33. Which of the following can be done to resolve this problem? A.168. Change to an IKEvI configuration since IKEv2 does not support a full tunnel with static peers D.com Gonder.0/24 C. when the headquarter ASA initiates the tunnel? 26 | P a g e tayeforever@gmail.After implementing the IKEv2 tunnel.0.168. 73. otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side.22. Ethiopia .0/0 E.0. Change the local traffic selector on the headquarter ASA to 0. it was observed that remote users on the 192.0/0 Answer: B Explanation: The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). Change the remote traffic selector on the remote ASA to 192.0.0. Change the remote traffic selector on the headquarter ASA to 0.22.168.0/24 to 192. Which option shows the correct traffic selectors for the child SA on the remote ASA.0/24.33.0/24 network are unable to access the internet. Change the DiffieHellman group on the headquarter ASA to group5forthe dynamic crypto map B. We want this to be specific.

com Gonder.27 | P a g e tayeforever@gmail. Ethiopia .

Local selector 192.22.0/0192.168.255/ 65535 C. Ethiopia .255/ 65535 B.255/ 65535 Remote selector 0.0.0.168.33.0/0 – 192.168.com Gonder.22.168.168. Local selector 0.168.168.255/65535 Answer: B Explanation: The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel).0/0192. otherwise Internet traffic will also be sent over the 28 | P a g e tayeforever@gmail.0.255/ 65535 Remote selector 192. Local selector 192.168.0/0192.33.0/65535 E.255/ 65535 D.255/ 65535 Remote selector 192.22.0.0.20.33.0.22.0/65535 Remote selector 192.20.168.0/0 – 0.0/0192.33.33.168.22. Local selector 192.168.168.22.33.168.0.255/ 65535 Remote selector 192.0/0 – 0.0.168.A.0/0192.33. Local selector 192.168.0/0192.33.0/0192.168. We want this to be specific.

we just want to protect traffic from 192. Here.22.168.168.tunnel and most likely dropped on the remote side.com Gonder.33.0/24 (THE LOCAL SIDE) to 192.0/24 (THE REMOTE SIDE). CORRECT TEXT You must use the IKE2 configuration blocks to accomplish this task. Ethiopia . 74. 29 | P a g e tayeforever@gmail.

Explanation: Here are the steps as below: Step 1: configure key ring crypto ikev2 keyring mykeys peer SiteB.161.com Gonder.Answer: Answer: See the explanation.cisco.com address 209.com Authentication local preshare Authentication remote preshare Keyring local mykeys Step 3: Create the GRE Tunnel and apply profile crypto ipsec profile default set ikev2profile 30 | P a g e tayeforever@gmail.cisco.cisco.1 presharedkey local $iteA preshared key remote $iteB Step 2: Configure IKEv2 profile Crypto ikev2 profile default identity local fqdn SiteA.com Match identity remote fqdn SiteB. Ethiopia .201.

Refer to the exhibit.0 Tunnel source eth 0/0 Tunnel destination 209. show ip route eigrp E. Content Rewriter E.1. show crypto ikev2 client flexvpn D.1 255. A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing traffic to be blackholed.255. Which command should be used to identify the peer from which that route originated? A. Which two technologies would accommodate the company’s requirement? (Choose two).201.default Interface tunnel 0 ip address 10. show crypto route C. An administrator is tasked with configuring the company’s SSL VPN gateway to allow remote users to work. show crypto ikev2 sa detail B. 31 | P a g e tayeforever@gmail. A. Email Proxy D. B 76. Smart Tunnels C. Any Connect client B.1.1 tunnel protection ipsec profile default end 75.165.255. A custom desktop application needs to access an internal server.com Gonder. Portal Customizations Answer: A. Ethiopia . show crypto isakmp sa detail Answer: A 77.

Answer: B 32 | P a g e tayeforever@gmail.com Gonder. The IKEv2 authorization policy is not referenced in the IKEv2 profile. B.Which authentication method was used by the remote peer to prove its identity? A. Preshared key D. Refer to the exhibit. C. IKEv2 routing requires certificate authentication. The match identity command must refer to an access list of routes. Ethiopia . Extensible Authentication Protocol B. D. An invalid administrative distance value was configured. An IPsec peer is exchanging routes using IKEv2. not pre shared keys. certificate authentication C. Which configuration error is causing the failure? A. but the routes are not installed in the RIB. XAUTH Answer: C 78.

The administrator is unable to ping 2001:DB8:100::2 but can ping 209. No configuration change is necessary. Tunnel mode needs to be changed to GRE IPv4. An administrator is adding IPv6 addressing to an already functioning tunnel. C.165.226. E. NHRP needs to be configured to provide NBMA mapping. Which configuration needs to be added or changed? A. Refer to the exhibit. Answer: D 80. OSPFv3 needs to be configured on the interface. D. Everything is working correctly. Tunnel mode needs to be changed to GRE IPv6. Ethiopia . B. Refer to the exhibit.com Gonder.79.200. 33 | P a g e tayeforever@gmail.

Which action will allow the session to establish correctly?
A. The address command on Router2 must be narrowed down to a /32 mask.
B. The local and remote keys on Router2 must be switched.
C. The local and remote keys on Router2 must be the same.
D. The pre-shared key must be altered to use only lowercase letters.
Answer: B
81. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto isakmp command on the head-end router, you see the following output. What does this output suggest?
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1): no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10
A. Phase 1 policy does not match on both sides.
B. The Phase 1 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. The crypto map is not applied on the remote peer.
Answer: A
82. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto ipsec command on the head-end router, you see the following output. What does this output suggest?
1d00h: IPSec (validate_proposal): transform proposal (port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable
A. Phase 1 policy does not match on both sides.
B. The Phase 2 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. There is a mismatch in the ACL that identifies interesting traffic.
Answer: B
83. Which adaptive security appliance command can be used to see a generic framework of the requirements for configuring a VPN tunnel between an adaptive security appliance and a Cisco IOS router at a remote office?
A. vpn setup site-to-site steps
B. show running-config crypto
C. show vpn-sessiondb ratio encryption
D. vpn setup ssl-remote-access steps
Answer: A
84. After completing a site-to-site VPN setup between two routers, application performance over the tunnel is slow. You issue the show crypto ipsec sa command and see the following output. What does this output suggest?
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)
current_peer 209.165.200.230 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836
#pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
A. The VPN has established and is functioning normally.
B. There is an asymmetric routing issue.
C. The remote peer is not receiving encrypted traffic.
D. The remote peer is not able to decrypt traffic.
E. Packet corruption is occurring on the path between the two peers.
Answer: E
85. Which Cisco adaptive security appliance command can be used to view the count of all active VPN sessions?
A. show vpn-sessiondb summary
B. show crypto ikev1 sa
C. show vpn-sessiondb l2l
D. show iskamp sa detail
E. show crypto protocol statistics all
Answer: A
86. Refer to the exhibit. An administrator had the above configuration working with SSL protocol, but as soon as the administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not able to connect. What is the problem?
A. IPsec will not work in conjunction with a group URL.
B. The Cisco AnyConnect implementation does not allow the two group URLs to be the same. SSL does allow this.
C. If you specify the primary protocol as IPsec, the User Group must be the exact name of the connection profile (tunnel group).
D. A new XML profile should be created instead of modifying the existing profile, so that the clients force the update.
Answer: C
87. The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error message is displayed: “Login Denied, unauthorized connection mechanism, contact your administrator”. What is the most possible cause of this problem?
A. DAP is terminating the connection because IKEv2 is the protocol that is being used.
B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection.
C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism.
D. The administrator is restricting access to this specific user.
E. The IKEv2 protocol is not enabled in the group policy of the VPN head end.
Answer: E
88. The Cisco AnyConnect client is unable to download an updated user profile from the ASA head end using IKEv2. What is the most likely cause of this problem?
A. User profile updates are not allowed with IKEv2.
B. IKEv2 is not enabled on the group policy.
C. A new profile must be created so that the adaptive security appliance can push it to the client on the next connection attempt.
D. Client Services is not enabled on the adaptive security appliance.
Answer: D
89. Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2 connection, while SSL works fine? (Choose two.)
A. Verify that the IKEv2 protocol is enabled on the group policy.
B. Verify that ASDM and AnyConnect are not using the same port.
C. Verify that the primary protocol on the client machine is set to IPsec.
D. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.
E. Verify that AnyConnect is enabled on the correct interface.
Answer: A, C
90. Regarding licensing, which option will allow IKEv2 connections on the adaptive security appliance?
A. AnyConnect Essentials can be used for Cisco AnyConnect IKEv2 connections.
B. IKEv2 sessions are not licensed.
C. The Advanced Endpoint Assessment license must be installed to allow Cisco AnyConnect IKEv2 sessions.
D. Cisco AnyConnect Mobile must be installed to allow AnyConnect IKEv2 sessions.
Answer: A
91. Refer to the exhibit. The network administrator is adding a new spoke, but the tunnel is not passing traffic. What could cause this issue?
A. The NHRP authentication is failing.
B. There is no EIGRP configuration.
C. The transform set must be in transport mode, which is a requirement for DMVPN.
D. The NHRP network ID is incorrect.
E. DMVPN is a point-to-point tunnel, so there can be only one spoke, and therefore the second tunnel is not working.
Answer: C
92. What action does the hub take when it receives a NHRP resolution request from a spoke for a network that exists behind another spoke?
A. The hub sends back a resolution reply to the requesting spoke.
B. The hub updates its own NHRP mapping.
C. The hub forwards the request to the destination spoke.
D. The hub waits for the second spoke to send a request so that it can respond to both spokes.
Answer: C
93. A spoke has two Internet connections for failover. How can you achieve optimum failover without affecting any other router in the DMVPN cloud?
A. Create another DMVPN cloud by configuring another tunnel interface that is sourced from the second ISP link.
B. Use another router at the spoke site, because two ISP connections on the same router for the same hub is not allowed.
C. Configure SLA tracking, and when the primary interface goes down, manually change the tunnel source of the tunnel interface.
D. Create another tunnel interface with same configuration except the tunnel source, and configure the if-state nhrp and backup interface commands on the primary tunnel interface.
Answer: D
94. In DMVPN phase 2, which two EIGRP features need to be disabled on the hub to allow spoke-to-spoke communication? (Choose two.)
A. auto summary
B. split horizon
C. metric calculation using bandwidth
D. EIGRP address family
E. next hop self
F. default administrative distance
Answer: B, E
95. What does NHRP stand for?
A. Next Hop Resolution Protocol
B. Next Hop Registration Protocol
C. Next Hub Routing Protocol
D. Next Hop Routing Protocol
Answer: A
96. When troubleshooting established clientless SSL VPN issues, which three steps should be taken? (Choose three.)
A. Move to the IPsec client.
B. Clear the browser and Java cache.
C. Use Wireshark to capture network traffic.
D. Gather crypto debugs on the adaptive security appliance.
E. Collect the information from the computer event log.
F. Enable and use HTML capture tools.
Answer: B, C, F
97. A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish the connection. Which three commands can be used for troubleshooting of the AAA subsystem? (Choose three.)
A. debug aaa authentication
B. debug radius
C. debug vpn authorization error
D. debug ssl openssl errors
E. debug webvpn aaa
F. debug ssl error
Answer: A, B, E
98. Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet Explorer, while other browsers work fine?
A. Verify the trusted zone and cookies settings in your browser.
B. Make sure that you specified the URL correctly.
C. Try the URL from another operating system.
D. Clear the browser history.
Answer: A
99. Which cryptographic algorithms are part of the Cisco NGE suite?
A. HIPPA DES
B. AES-CBC-128
C. RC4-128
D. AES-GCM-256
Answer: D
100. Which transform set is contained in the IKEv2 default proposal?
A. aes-cbc-192, sha1, group 14
B. 3des, md5, group 7
C. 3des, sha256, group 1
D. aes-cbc-128, sha, group 5
Answer: D
101. Which command clears all crypto configuration from a Cisco Adaptive Security Appliance?
A. clear configure crypto
B. clear configure crypto ipsec
C. clear crypto map
D. clear crypto ikev2 sa
Answer: A
102. Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel group in cleartext?
A. more system:running-config
B. show running-config crypto
C. show running-config tunnel-group
D. show running-config tunnel-group-map
E. clear config tunnel-group
F. show ipsec policy
Answer: A
103. An administrator desires that when work laptops are not connected to the corporate network, they should automatically initiate an AnyConnect VPN tunnel back to headquarters. Where does the administrator configure this?
A. Via the svc trusted network command under the group policy sub configuration mode on the ASA
B. Under the “Automatic VPN Policy” section inside the AnyConnect Profile Editor within ASDM
C. Under the TNDPolicy XML section within the Local Preferences file on the client computer
D. Via the svc trusted network command under the global webvpn sub configuration mode on the ASA
Answer: B
104. The following configuration steps have been completed:
• WebVPN was enabled on the ASA outside interface.
• SSL VPN client software was loaded to the ASA.
• A DHCP scope was configured and applied to a WebVPN Tunnel Group.
What additional step is required if the client software fails to load when connecting to the ASA SSL page?
A. The SSL client must be loaded to the client by an ASA administrator
B. The SSL client must be downloaded to the client via FTP
C. The SSL VPN client must be enabled on the ASA after loading
D. The SSL client must be enabled on the client machine before loading
Answer: A
105. Remote users want to access internal servers behind an ASA using Microsoft terminal services. Which option outlines the steps required to allow users access via the ASA clientless VPN portal?
A. 1. Configure a static PAT rule for TCP port 3389
   2. Configure an inbound access list to allow traffic from remote users to the servers
   3. Assign this access list rule to the group policy
B. 1. Upload an RDP plugin to the ASA
   2. Configure a bookmark of the type rdp:// serverIP
   3. Assign the bookmark to the desired group policy
C. 1. Configure a Smart Tunnel application list
   2. Add the rdp.exe process to this list
   3. Assign the Smart Tunnel application list to the desired group policy
D. 1. Configure a bookmark of the type http:// serverIP :3389
   2. Enable Smart Tunnel on this bookmark
   3. Assign the bookmark list to the desired group policy
Answer: D
106. Which command is used to determine how many GMs have registered in a GETVPN environment?
A. show crypto isakmp sa
B. show crypto gdoi ks members
C. show crypto gdoi gm
D. show crypto ipsec sa
E. show crypto isakmp sa count
Answer: B
107. On which Cisco platform are dynamic virtual template interfaces available?
A. Cisco Adaptive Security Appliance 5585-X
B. Cisco Catalyst 3750-X
C. Cisco Integrated Services Router Generation 2
D. Cisco Nexus 7000
Answer: C
108. Refer to the exhibit. Which statement about the given IKE policy is true?
A. It will use encrypted nonces for authentication.
B. It has a keepalive of 60 minutes, checking every 5 minutes.
C. The tunnel will be valid for 2 days, 88 minutes, and 00 seconds.
D. It uses a 56-bit encryption algorithm.
Answer: B
109. Refer to the exhibit. Which two statements about the given configuration are true? (Choose two.)
A. Defined PSK can be used by any IPSec peer.
B. Any router defined in group 2 will be allowed to connect.
C. It can be used in a DMVPN deployment.
D. It is a LAN-to-LAN VPN ISAKMP policy.
E. It is an AnyConnect ISAKMP policy.
F. PSK will not work as configured.
Answer: A, C
110. Refer to the exhibit. What technology does the given configuration demonstrate?
A. Keyring used to encrypt IPSec traffic
B. FlexVPN with IPv6
C. FlexVPN with AnyConnect
D. Crypto Policy to enable IKEv2
Answer: B
111. Which command enables the router to form EIGRP neighbor adjacencies with peers using a different subnet than the ingress interface?
A. ip unnumbered interface
B. eigrp router-id
C. passive-interface interface-name
D. ip split-horizon eigrp as-number
Answer: A
112. Which feature enforces the corporate policy for Internet access to Cisco AnyConnect VPN users?
A. Trusted Network Detection
B. Datagram Transport Layer Security
C. Cisco AnyConnect Customization
D. banner message
Answer: A
113. In which situation would you enable the Smart Tunnel option with clientless SSL VPN?
A. when a user is using an outdated version of a web browser
B. when an application is failing in the rewrite process
C. when IPsec should be used over SSL VPN
D. when a user has a nonsupported Java version installed
Answer: B
114. Refer to the exhibit. You executed the show crypto ipsec sa command to troubleshoot an IPSec issue. What problem does the given output indicate?
A. IKEv2 failed to establish a phase 2 negotiation.
B. The Crypto ACL is different on the peer device.
C. ISAKMP was unable to find a matching SA.
D. IKEv2 was used in aggressive mode.
Answer: B
115. Which two types of authentication are supported when you use Cisco ASDM to configure site-to-site IKEv2 with IPv6? (Choose two.)
A. preshared key
B. webAuth
C. digital certificates
D. XAUTH
E. EAP
Answer: A, C
116. Which option describes the purpose of the shared argument in the DMVPN interface command tunnel protection IPsec profile ProfileName shared?
A. shares a single profile between multiple tunnel interfaces
B. allows multiple authentication types to be used on the tunnel interface
C. shares a single profile between a tunnel interface and a crypto map
D. shares a single profile between IKEv1 and IKEv2
Answer: A
117. Which type of communication in a FlexVPN implementation uses an NHRP shortcut?
A. spoke to hub
B. spoke to spoke
C. hub to spoke
D. hub to hub
Answer: B
118. Which technology is FlexVPN based on?
A. OER
B. VRF
C. IKEv2
D. an RSA nonce
Answer: C
119. Which application does the Application Access feature of Clientless VPN support?
A. TFTP
B. VoIP
C. Telnet
D. active FTP
Answer: C
120. Where do you configure AnyConnect certificate-based authentication in ASDM?
A. group policies
B. AnyConnect Connection Profile
C. AnyConnect Client Profile
D. Advanced Network (Client) Access
121. Which protocols does the Cisco AnyConnect client use to build multiple connections to the security appliance?
A. TLS and DTLS
B. IKEv1
C. L2TP over IPsec
D. SSH over TCP
Answer: A
122. Which is used by GETVPN, FlexVPN and DMVPN?
A. NHRP
B. MPLS
C. GRE
D. ESP
Answer: D
123. Which VPN solution is best for a collection of branch offices connected by MPLS that frequently make VoIP calls between branches?
A. GETVPN
B. Cisco AnyConnect
C. site-to-site
D. DMVPN
Answer: A
124. Refer to the exhibit. Which VPN solution does this configuration represent?
A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site
Answer: C
125. Refer to the exhibit. You have implemented an SSL VPN as shown. Which type of communication takes place between the secure gateway R1 and the Cisco Secure ACS?
A. HTTP proxy
B. AAA
C. policy
D. port forwarding
Answer: B
126. Which technology can provide high availability for an SSL VPN?
A. DMVPN
B. a multiple tunnel configuration
C. a Cisco ASA pair in active/passive failover configuration
D. certificate to tunnel group maps
Answer: C
127. Refer to the exhibit. Which VPN solution does this configuration represent?
A. Cisco AnyConnect
B. IPsec
C. L2TP
D. SSL VPN
Answer: B
128. Which technology must be installed on the client computer to enable users to launch applications from a Clientless SSL VPN?
A. Java
B. QuickTime plugin
C. Silverlight
D. Flash
Answer: A
129. In the Diffie-Hellman protocol, which type of key is the shared secret?
A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key
Answer: A
130. Refer to the exhibit.
Which exchange does this debug output represent?
A. IKE Phase 1
B. IKE Phase 2
C. symmetric key exchange
D. certificate exchange
Answer: A
131. Which two technologies are considered to be Suite B cryptography? (Choose two.)
A. MD5
B. SHA-2
C. Elliptical Curve Diffie-Hellman
D. 3DES
E. DES
Answer: B, C
132. Which protocol does DTLS use for its transport?
A. TCP
B. UDP
C. IMAP
D. DDE
Answer: B
133. CORRECT TEXT
Scenario:
You are the network security manager for your organization. Your manager has received a
request to allow an external user to access your HQ and DMZ servers. You are given the
following connection parameters for this task. Using ASDM on the ASA, configure the
parameters below and test your configuration by accessing the Guest PC. Not all ASDM screens
are active for this exercise. Also, for this exercise, all changes are automatically applied to the
ASA and you will not have to click APPLY to apply the changes manually.
• Enable Clientless SSL VPN on the outside interface
• Using the Guest PC, open an Internet Explorer window and test and verify the basic
connection to the SSL VPN portal using address: https://vpnsecurex.public

a) You may notice a certificate error in the status bar; this can be ignored for this
exercise
b) Username: vpnuser
c) Password: cisco123
d) Logout of the portal once you have verified connectivity
• Configure two bookmarks with the following parameters:
a) Bookmark List Name: MYBOOKMARKS
b) Use the: URL with GET or POST method
c) Bookmark Title: HQServer
i. http://10.10.3.20
d) Bookmark Title: DMZServerFTP
i. ftp://172.16.1.50
e) Assign the configured Bookmarks to:
i. DfltGrpPolicy
ii. DfltAccessPolicy
iii. LOCAL User: vpnuser
• From the Guest PC, reconnect to the SSL VPN Portal
• Test both configured Bookmarks to ensure desired connectivity
You have completed this exercise when you have configured and successfully tested Clientless
SSL VPN connectivity.
Topology:


Answer: See the explanation below.
Explanation:
First, enable clientless VPN access on the outside interface by checking the box found below:


Then, log in to the given URL using the vpnuser/cisco123 credentials:
Logging in will take you to this page, which means you have now verified basic connectivity:
Now log out by hitting the logout button.
Now, go back to the ASDM and navigate to the Bookmarks portion:
Make the name MYBOOKMARKS and use the “Add” tab and add the bookmarks per the instructions:
Ensure the “URL with GET or POST method” button is selected and hit OK:
Add the two bookmarks as given in the instructions:
You should now see the two bookmarks listed:
Hit OK and you will see this:
Select the MYBOOKMARKS Bookmarks and click on the “Assign” button. Then, click on the appropriate check boxes as specified in the instructions and hit OK. After hitting OK, you will now see this:
Then, go back to the GuestPC, log back in and you should be able to test out the two new bookmarks.
134. Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
What is being used as the authentication method on the branch ISR?
A. Certificates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2
Answer: B
Explanation: The show crypto isakmp key command shows the pre-shared key of “cisco”.
135. Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
Which transform set is being used on the branch ISR?
A. Default
B. ESP-3DES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS mode transport
D. TSET
Answer: B
Explanation: This can be seen from the “show crypto ipsec sa” command as shown below:
136. Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
In what state is the IKE security association on the Cisco ASA?
A. There are no security associations in place
B. MM_ACTIVE
C. ACTIVE(ACTIVE)
D. QM_IDLE
Answer: B
Explanation: This can be seen from the “show crypto isa sa” command:
137. Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
Which crypto map tag is being used on the Cisco ASA?
A. outside_cryptomap
B. VPN-to-ASA
C. L2L_Tunnel
D. outside_map1
Answer: D
Explanation: This is seen from the “show crypto ipsec sa” command on the ASA.