QUESTION 91 On which type of encrypted traffic can a Cisco ASA appliance running software version 8.4.1 perform application inspection and control?
A. IPsec B. SSL C. IPsec or SSL D. Cisco Unified Communications E. Secure FTP
QUESTION 92 The Cisco ASA software image has been erased from flash memory. Which two statements about the process to recover the Cisco ASA software image are true? (Choose two.)
A. Access to the ROM monitor mode is required. B. The Cisco ASA appliance must have connectivity to the TFTP server where the Cisco ASA image is stored through the Management 0/0 interface. C. The copy tftp flash command is necessary to start the TFTP file transfer. D. The server command is necessary to set the TFTP server IP address. E. Cisco ASA password recovery must be enabled Answer: AD
QUESTION 93 Which two Cisco ASA licensing features are correct with Cisco ASA Software Version 8.3 and later? (Choose two.)
A. Identical licenses are not required on the primary and secondary Cisco ASA appliance. B. Cisco ASA appliances configured as failover pairs disregard the time-based activation keys. C. Time-based licenses are stackable in duration but not in capacity. D. A time-based license completely overrides the permanent license, ignoring all permanently licensed features until the time-based license is uninstalled.
QUESTION 94 Which three actions can be applied to a traffic class within a type inspect policy map? (Choose three.)
A. drop B. priority C. log D. pass E. inspect F. reset
QUESTION 95 Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per second, 600,000 maximum connections, and traffic shaping?
A. 5540 B. 5550 C. 5580-20 D. 5580-40
QUESTION 96 Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL VPN session. Which statement is correct concerning the SSL VPN authorization process?
A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an external AAA server. B. Remote clients can be authorized externally by applying group parameters from an external database. C. Remote client authorization is supported by RADIUS and TACACS+ protocols. D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.
QUESTION 97 Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the validation of two sets of username and password credentials on the SSL VPN login page?
A. Single Sign-On B. Certificate to Profile Mapping C. Double Authentication D. RSA OTP
QUESTION 98 Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet Explorer, while other browsers work fine?
A. Verify the trusted zone and cookies settings in your browser. B. Make sure that you specified the URL correctly. C. Try the URL from another operating system. D. Move to the IPsec client.
QUESTION 99 Which cryptographic algorithms are a part of the Cisco NGE suite?
A. HIPPA DES B. AES-CBC-128 C. RC4-128 D. AES-GCM-256
QUESTION 100 Which transform set is contained in the IKEv2 default proposal?
A. aes-cbc-192, sha256, group 14 B. 3des, md5, group 7 C. 3des, sha1, group 1 D. aes-cbc-128, sha, group 5
QUESTION 83 Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?
A. Only one tunnel can be created per tunnel source interface. B. Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancy C. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub. D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.
QUESTION 84 When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you use for the spoke router configuration?
A. GRE multipoint B. Classis point-to-point GRE C. IPsec multipoint D. Nonbroadcast multiaccess
QUESTION 85 With Cisco ASA active/standby failover, by default, how many monitored interface failures will cause failover to occur?
A. 1 B. 2 C. 3 D. 4 E. 5
QUESTION 86 Which two statements about the running configuration of the Cisco ASA are true? (Choose Two)
A. The auto NAT configuration causes all traffic arriving on the inside interface destined to any outside destinations to be translated with dynamic port address transmission using the outside interface IP address. B. The Cisco ASA is using the Cisco ASDM image from disk1:/asdm-642.bin C. The Cisco ASA is setup as the DHCP server for hosts that are on the inside and outside interfaces. D. SSH and Cisco ASDM access to the Cisco ASA requires AAA authentication using the LOCAL user database. E. The Cisco ASA is using a persistent self-signed certified so users can authenticate the Cisco ASA when accessing it via ASDM
QUESTION 87 Which option lists the main tasks in the correct order to configure a new Layer 3 and 4 inspection policy on the Cisco ASA appliance using the Cisco ASDM Configuration > Firewall > Service Policy Rules pane?
A. 1. Create a class map to identify which traffic to match. 2. Create a policy map and apply action(s) to the traffic class(es). 3. Apply the policy map to an interface or globally using a service policy. B. 1. Create a service policy rule. 2. Identify which traffic to match. 3. Apply action(s) to the traffic. C. 1. Create a Layer 3 and 4 type inspect policy map. 2. Create class map(s) within the policy map to identify which traffic to match. 3. Apply the policy map to an interface or globally using a service policy. D. 1. Identify which traffic to match. 2. Apply action(s) to the traffic. 3. Create a policy map. 4. Apply the policy map to an interface or globally using a service policy.
QUESTION 88 By default, how does a Cisco ASA appliance process IP fragments?
A. Each fragment passes through the Cisco ASA appliance without any inspections. B. Each fragment is blocked by the Cisco ASA appliance. C. The Cisco ASA appliance verifies each fragment and performs virtual IP re-assembly before the full IP packet is forwarded out. D. The Cisco ASA appliance forwards the packet out as soon as all of the fragments of the packet have been received.
QUESTION 89 Which other match command is used with the match flow ip destination-address command within the class map configurations of the Cisco ASA MPF?
A. match tunnel-group B. match access-list C. match default-inspection-traffic D. match port E. match dscp
QUESTION 90 Which Cisco ASA configuration is used to configure the TCP intercept feature?
A. a TCP map B. an access list C. the established command D. the set connection command with the embryonic-conn-max option E. a type inspect policy map
QUESTION 71 In the Cisco ASDM interface, where do you enable the DTLS protocol setting?
A. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy B. Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit C. Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client D. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit
QUESTION 72 What are two forms of SSL VPN? (Choose two.)
A. port forwarding B. Full Tunnel Mode C. Cisco IOS WebVPN D. Cisco AnyConnect
QUESTION 73 When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?
A. dynamic access policy attributes B. group policy attributes C. connection profile attributes D. user attributes
QUESTION 74 What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)
A. CSCO_WEBVPN_OTP_PASSWORD B. CSCO_WEBVPN_INTERNAL_PASSWORD C. CSCO_WEBVPN_USERNAME D. CSCO_WEBVPN_RADIUS_USER
QUESTION 75 Refer to the exhibit. Based on the partial configuration shown, which the GET VPN group member GDOI configuration?
A. key server IP address B. local priority C. mapping of the IPsec profile to the IPsec SA D. mapping of the IPsec transform set to the GDOI group
QUESTION 76 An internet-based VPN solution is being considered to replace anexisting private WAN connectingremote offices. A multimedia application is used that relies on multicast for communication. Which two VPN solutions meet the application’s network requirement? (Choose two.)
A. FlexVPN B. DMVPN C. Group Encrypted Transport VPN D. Crypto-map based Site-to-Site IPsec VPNs E. AnyConnect VPN
QUESTION 77 In a GET VPN solution, which two ways can the key server distribute the new keys to the group members during the rekey process? (Choose two.)
A. multicast UDP transmission B. multicast TCP transmission C. unicast UDP transmission D. unicast TCP transmission
QUESTION 78 An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a Web browser. What is a possible reason for the failure?
A. The user’s FTP application is not supported. B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode. C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode. D. The user’s operating system is not supported.
QUESTION 79 When implementing GET VPN, which of these is a characteristic of GDOI IKE?
A. GDOI IKE sessions are established between all peers in the network B. GDOI IKE uses UDP port 500 C. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy D. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers
QUESTION 80 Which two features are required when configuring a DMVPN network? (Choose two.)
A. Dynamic routing protocol B. GRE tunnel interface C. Next Hop Resolution Protocol D. Dynamic crypto map E. IPsec encryption
QUESTION 61 In FlexVPN, what command can an administrator use to create a virtual template interface that can be configured and applied dynamically to create virtual access interfaces?
A. interface virtual-template number type template B. interface virtual-template number type tunnel C. interface template number type virtual D. interface tunnel-template number
QUESTION 62 In FlexVPN, what is the role of a NHRP resolution request?
A. It allows these entities to directly communicate without requiring traffic to use an intermediate hop B. It dynamically assigns VPN users to a group C. It blocks these entities from to directly communicating with each other D. It makes sure that each VPN spoke directly communicates with the hub
QUESTION 63 What are three benefits of deploying a GET VPN? (Choose three.)
A. It provides highly scalable point-to-point topologies. B. It allows replication of packets after encryption. C. It is suited for enterprises running over a DMVPN network. D. It preserves original source and destination IP address information. E. It simplifies encryption management through use of group keying. F. It supports non-IP protocols.
QUESTION 64 What is the default topology type for a GET VPN?
A. point-to-point B. hub-and-spoke C. full mesh D. on-demand spoke-to-spoke
QUESTION 65 Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)
A. key encryption key B. group encryption key C. user encryption key D. traffic encryption key
QUESTION 66 What are the three primary components of a GET VPN network? (Choose three.)
A. Group Domain of Interpretation protocol B. Simple Network Management Protocol C. server load balancer D. accounting server E. group member F. key server
QUESTION 67 Refer to the exhibit. After the configuration is performed, which combination of devices can connect?
A. a device with an identity type of IPv4 address of 184.108.40.206 or 220.127.116.11 or a certificate with subject name of “cisco.com” B. a device with an identity type of IPv4 address of both 18.104.22.168 and 22.214.171.124 or a certificate with subject name containing “cisco.com” C. a device with an identity type of IPv4 address of both 126.96.36.199 and 188.8.131.52 and a certificate with subject name containing “cisco.com” D. a device with an identity type of IPv4 address of 184.108.40.206 or 220.127.116.11 or a certificate with subject name containing “cisco.com”
QUESTION 68 Which three settings are required for crypto map configuration? (Choose three.)
A. match address B. set peer C. set transform-set D. set security-association lifetime E. set security-association level per-host F. set pfs
QUESTION 69 A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889?
A. auto applet download B. port forwarding C. web-type ACL D. HTTP proxy
QUESTION 70 Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the certificate has changed and the connection fails. What is a possible cause of the connection failure?
A. An invalid modulus was used to generate the initial key. B. The VPN is using an expired certificate. C. The Cisco ASA appliance was reloaded. D. The Trusted Root Store is configured incorrectly.
QUESTION 31 A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco IOS router and the Windows server?
A. HTTPS B. NetBIOS C. CIFS D. HTTP
QUESTION 32 You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command must you configure on the virtual template?
A. tunnel protection ipsec B. ip virtual-reassembly C. tunnel mode ipsec D. ip unnumbered
QUESTION 33 Which protocol supports high availability in a Cisco IOS SSL VPN environment?
A. HSRP B. VRRP C. GLBP D. IRDP
QUESTION 34 When you configure IPsec VPN High Availability Enhancements, which technology does Cisco recommend that you enable to make reconvergence faster?
A. EOT B. IP SLAs C. periodic IKE keepalives D. VPN fast detection
QUESTION 35 Which hash algorithm is required to protect classified information?
A. MD5 B. SHA-1 C. SHA-256 D. SHA-384
QUESTION 36 Which cryptographic algorithms are approved to protect Top Secret information?
A. HIPPA DES B. AES-128 C. RC4-128 D. AES-256
QUESTION 37 Which Cisco firewall platform supports Cisco NGE?
A. FWSM B. Cisco ASA 5505 C. Cisco ASA 5580 D. Cisco ASA 5525-X
QUESTION 38 Which algorithm is replaced by elliptic curve cryptography in Cisco NGE?
A. 3DES B. AES C. DES D. RSA
QUESTION 39 Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco NGE supported VPN solution?
A. AES-GCM and SHA-2 B. 3DES and DH C. AES-CBC and SHA-1 D. 3DES and SHA-1
QUESTION 40 An administrator wishes to limit the networks reachable over the Anyconnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 18.104.22.168/27 and 22.214.171.124/27?
A. access-list splitlist standard permit 126.96.36.199 255.255.255.224 access-list splitlist standard permit 188.8.131.52 255.255.255.224 ! group-policy GroupPolicy1 internal group-policy GroupPolicy1 attributes split-tunnel-policy tunnelspecified split-tunnel-network-list value splitlist B. access-list splitlist standard permit 184.108.40.206 255.255.255.224 access-list splitlist standard permit 220.127.116.11 255.255.255.224 ! group-policy GroupPolicy1 internal group-policy GroupPolicy1 attributes split-tunnel-policy tunnelall split-tunnel-network-list value splitlist C. group-policy GroupPolicy1 internal group-policy GroupPolicy1 attributes split-tunnel-policy tunnelspecified split-tunnel-network-list ipv4 1 18.104.22.168 255.255.255.224 split-tunnel-network-list ipv4 2 22.214.171.124 255.255.255.224 D. access-list splitlist standard permit 126.96.36.199 255.255.255.224 access-list splitlist standard permit 188.8.131.52 255.255.255.224 ! crypto anyconnect vpn-tunnel-policy tunnelspecified crypto anyconnect vpn-tunnel-network-list splitlist E. crypto anyconnect vpn-tunnel-policy tunnelspecified crypto anyconnect split-tunnel-network-list ipv4 1 184.108.40.206 255.255.255.224 crypto anyconnect split-tunnel-network-list ipv4 2 220.127.116.11 255.255.255.224
QUESTION 21 Which statement is true when implementing a router with a dynamic public IP address in a crypto map based site-to-site VPN?
A. The router must be configured with a dynamic crypto map. B. Certificates are always used for phase 1 authentication. C. The tunnel establishment will fail if the router is configured as a responder only. D. The router and the peer router must have NAT traversal enabled.
QUESTION 22 Which two statements are true when designing a SSL VPN solution using Cisco AnyConnect? (Choose two.)
A. The VPN server must have a self-signed certificate. B. A SSL group pre-shared key must be configured on the server. C. Server side certificate is optional if using AAA for client authentication. D. The VPN IP address pool can overlap with the rest of the LAN networks. E. DTLS can be enabled for better performance.
QUESTION 23 Refer to the exhibit. Given the partial configuration shown, which two statements are correct? (Choose two.)
A. The tunnel will use the routing protocol configured for GigabitEthemet 1/1 for all tunnel communication with the peer. B. The IP route statement to reach the remote network behind the DMVPN peer is incorrect, it should be ip route 192.168.2.0 255.255.255.0 tunnel 0. C. This is an example of a static point-to-point VTI tunnel. D. The tunnel will use esp-sha-hmac encryption in ESP tunnel mode. E. The tunnel will use 128-bit AES encryption in ESP tunnel mode.
QUESTION 24 What are two benefits of DMVPN Phase 3? (Choose two.)
A. Administrators can use summarization of routing protocol updates from hub to spokes. B. It introduces hierarchical DMVPN deployments. C. It introduces non-hierarchical DMVPN deployments. D. It supports L2TP over IPSec as one of the VPN protocols.
QUESTION 25 Which are two main use cases for Clientless SSL VPN? (Choose two.)
A. In kiosks that are part of a shared environment B. When the users do not have admin rights to install a new VPN client C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP D. To create VPN site-to-site tunnels in combination with remote access
QUESTION 26 Which technology can rate-limit the number of tunnels on a DMVPN hub when system utilization is above a specified percentage?
A. NHRP Event Publisher B. interface state control C. CAC D. NHRP Authentication E. ip nhrp connect
QUESTION 27 Which technology supports tunnel interfaces while remaining compatible with legacy VPN implementations?
A. FlexVPN B. DMVPN C. GET VPN D. SSL VPN
QUESTION 28 Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices?
A. IKEv2 Suite-B B. IKEv2 proposals C. IKEv2 profiles D. IKEv2 Smart Defaults
QUESTION 29 When an IPsec SVTI is configured, which technology processes traffic forwarding for encryption?
A. ACL B. IP routing C. RRI D. front door VPN routing and forwarding
QUESTION 30 Which Cisco IOS VPN feature simplifies IPsec VPN configuration and design by using on-demand virtual access interfaces that are cloned from a virtual template configuration?
A. GET VPN B. dynamic VTI C. static VTI D. GRE tunnels E. GRE over IPsec tunnels F. DMVPN
QUESTION 11 A user is unable to establish an AnyConnect VPN connection to an ASA. When using the Real-Time Log viewer within ASDM to troubleshoot the issue, which two filter options would the administrator choose to show only syslog messages relevant to the VPN connection? (Choose two.)
A. Client’s public IP address B. Client’s operating system C. Client’s default gateway IP address D. Client’s username E. ASA’s public IP address
QUESTION 12 Which Cisco ASDM option configures forwarding syslog messages to email?
A. Configuration > Device Management > Logging > E-Mail Setup B. Configuration > Device Management > E-Mail Setup > Logging Enable C. Select the syslogs to email, click Edit, and select the Forward Messages option. D. Select the syslogs to email, click Settings, and specify the Destination Email Address option.
QUESTION 13 Which Cisco ASDM option configures WebVPN access on a Cisco ASA?
A. Configuration > WebVPN > WebVPN Access B. Configuration > Remote Access VPN > Clientless SSL VPN Access C. Configuration > WebVPN > WebVPN Config D. Configuration > VPN > WebVPN Access
QUESTION 14 A user with IP address 10.10.10.10 is unable to access a HTTP website at IP address 18.104.22.168 through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)
A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer command packet-tracer input inside tcp 10.10.10.10 1234 22.214.171.124 80 C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1 and show logging | include 10.10.10.10 D. Check if an access-list on the firewall is blocking the user by using command show running-config access-list | include 10.10.10.10 E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234192.168.1.3 161 to see what the firewall is doing with the user’s traffic
QUESTION 15 A Cisco router may have a fan issue that could increase its temperature and trigger a failure. What troubleshooting steps would verify the issue without causing additional risks?
A. Configure logging using commands “logging on”, “logging buffered 4”, and check for fan failure logs using “show logging” B. Configure logging using commands “logging on”, “logging buffered 6”, and check for fan failure logs using “show logging” C. Configure logging using commands “logging on”, “logging discriminator msglog1 console 7”, and check for fan failure logs using “show logging” D. Configure logging using commands “logging host 10.11.10.11”, “logging trap 2”, and check for fan failure logs at the syslog server 10.11.10.11
QUESTION 16 Which of these are the two types of keys used when implementing GET VPN? (Choose two)
A. key encryption B. group encryption C. pre-shared key D. public key E. private key F. traffic encryption key
QUESTION 17 A private wan connection is suspected of intermittently corrupting data. Which technology can a network administrator use to detect and drop the altered data traffic?
A. AES-128 B. RSA Certificates C. SHA2-HMAC D. 3DES E. Diffie-Helman Key Generation
QUESTION 18 A company needs to provide secure access to its remote workforce. The end users use public kiosk computers and a wide range of devices. They will be accessing only an internal web application. Which VPN solution satisfies these requirements?
A. Clientless SSLVPN B. AnyConnect Client using SSLVPN C. AnyConnect Client using IKEv2 D. FlexVPN Client E. Windows built-in PPTP client
QUESTION 19 A network administrator is configuring AES encryption for the ISAKMP policy on an IOS router. Which two configurations are valid? (Choose two.)
A. crypto isakmp policy 10 encryption aes 254 B. crypto isakmp policy 10 encryption aes 192 C. crypto isakmp policy 10 encryption aes 256 D. crypto isakmp policy 10 encryption aes 196 E. crypto isakmp policy 10 encryption aes 198 F. crypto isakmp policy 10 encryption aes 64
QUESTION 20 Which two qualify as Next Generation Encryption integrity algorithms? (Choose two.)
A. SHA-512 B. SHA-256 C. SHA-192 D. SHA-380 E. SHA-192 F. SHA-196