Implementing Cisco Secure Mobility Solutions

Question 1

Why must a network engineer avoid usage of the default X509 certificate when implementing clientless SSLVPN on an ASA?

A. The Certificate is too weak to provide adequate security.

B. The certificate must be managed by the local CA.

C. The certificate is regenerated at each reboot.

D. The default X 509 certificate is not supported for SSLVPN.

Correct Answer: C

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Question 2

Which statement regarding GET VPN is true?

A. The configuration that defines which traffic to encrypt is present only on the key server.

B. TEK rekeys can be load-balanced between two key servers operating in COOP

C. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server.

D. The pseudotime that is used for replay checking is synchronized via NTP

E. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration

Correct Answer: A

Question 3

An administrator wishes to limit the networks reachable over the Anyconnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and
209.165.202.128/27?

A. group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224

B. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value splitlist

C. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitlist

D. crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224 crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224

E. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect vpn-tunnel-network-list splitlist

Correct Answer: C

Question 4

Refer to the exhibit.

The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch might be the problem?

A. PSK

B. crypto policy

C. peer identity

D. transform set

Correct Answer: B

Question 5

Refer to the exhibit.

All internal clients behind the ASA are port address translated to the public outside interface, which has an IP address of 3.3.3.3 Client 1 and Client 2 have established successful SSL VPN connections to the ASA. However, when ether client performs a browser search on their IP address, it shows up as 3.3.3.3. Why is this happening when both clients have a direct connection to the local internet service provider

A. Tunnel All Networks is configured under Group Policy

B. Same-security-traffic permit inter-interface has not been configured

C. Tunnel Network List Below is configured under Group Policy

D. Exclude Network List Below is configured under Group Policy

Correct Answer: A

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Question 6

An engineer is configuring IPSec VPN and wants to choose an authentication protocol that is reliable and supports ACK and sequence. Which protocol accomplishes this goal?

A. ESP

B. AES-19

C. AES-256

D. IKEv1

Correct Answer: A

Question 7

An internet-based VPN solution is being considered to replace an existing private WAN connecting remote office. A multimedia application is used that relies on multiple for communication. Which two VPN solutions meet the application's network requirement? (Choose two.)

A. Crypto-map based site-to-site IPsec VPNs

B. AnyConnect VPN

C. FlexVPN

D. DMVPN

E. Group Encrypted Transport VPN

Correct Answer: C,D

Question 8

WhiCh customers are ideal for Cisco Stealthwatch?

A. customers who want to enhance remote access capab.l.ties

B. customers who want to assign security group tags

C. customers who want to improve cyrber securty and incident response

D. customers who want to implement protection at the DNS layer

Correct Answer: C

Question 9

Which three parameters are specified in the isakmp (IKv1) policy? (choose three)

A. The lifetime

B. The session key

C. The peer

D. The transform set

E. The hashing algorithm

F. The authentication method

Correct Answer: A,E,F

Question 10

Refer to the exhibit.

A network administrator is running DMVPN with EIGRP, when
the administrator looks at the routing table on spoke 1 it displays a route to the hub only. Which command is missing on the hub router which includes spoke2 and spoke 3 in the spoke 1 routing table?

A. Neighbor (ipaddress)

B. No ip split-horizon eigrp 1

C. No inverse arp

D. Redistribute static

Correct Answer: B

Question 11

An engineer has deployed Cisco IOS crypto-map based VPN and wants to ensure that state information is shared in an HA group. Which high availability technology must be used?

A. HSRP

B. VRRP

C. SSL

D. GLBP

Correct Answer: A

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Question 12

Refer to the exhibit.

Which statement is accurate based on this configuration?

A. Spoke 2 fails the authentication because the remote authentication method is incorrect

B. Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2

C. Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2

D. Spoke 1 fails the authentication because the authentication methods are incorrect

Correct Answer: D

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Question 13

An engineer is configuring SSL VPN for remote access. A real-time application that is sensitive to packet delays will be used. Which feature should the engineer confirm is enabled to avoid latency and bandwidth problem associated with SSL connections?

A. SVC

B. DTLS

C. IKEv2

D. DPD

Correct Answer: B

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Question 14

Which two components are necessary for configuring spoke-to-spoke FlexVPN connections?(Choose two)

A. IKE version 2

B. NHRP redirect

C. HSRP group

D. IKE version 1

E. IVRF

Correct Answer: A,B

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Cisco Implementing Cisco Secure Mobility Solutions - 300-209 Exam Practice Test

Latest Update

Useful Links

Contact Us