QUESTION 91 On which type of encrypted traffic can a Cisco ASA appliance running software version 8.4.1 perform application inspection and control?
A. IPsec B. SSL C. IPsec or SSL D. Cisco Unified Communications E. Secure FTP
QUESTION 92 The Cisco ASA software image has been erased from flash memory. Which two statements about the process to recover the Cisco ASA software image are true? (Choose two.)
A. Access to the ROM monitor mode is required. B. The Cisco ASA appliance must have connectivity to the TFTP server where the Cisco ASA image is stored through the Management 0/0 interface. C. The copy tftp flash command is necessary to start the TFTP file transfer. D. The server command is necessary to set the TFTP server IP address. E. Cisco ASA password recovery must be enabled Answer: AD
QUESTION 93 Which two Cisco ASA licensing features are correct with Cisco ASA Software Version 8.3 and later? (Choose two.)
A. Identical licenses are not required on the primary and secondary Cisco ASA appliance. B. Cisco ASA appliances configured as failover pairs disregard the time-based activation keys. C. Time-based licenses are stackable in duration but not in capacity. D. A time-based license completely overrides the permanent license, ignoring all permanently licensed features until the time-based license is uninstalled.
QUESTION 94 Which three actions can be applied to a traffic class within a type inspect policy map? (Choose three.)
A. drop B. priority C. log D. pass E. inspect F. reset
QUESTION 95 Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per second, 600,000 maximum connections, and traffic shaping?
A. 5540 B. 5550 C. 5580-20 D. 5580-40
QUESTION 96 Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL VPN session. Which statement is correct concerning the SSL VPN authorization process?
A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an external AAA server. B. Remote clients can be authorized externally by applying group parameters from an external database. C. Remote client authorization is supported by RADIUS and TACACS+ protocols. D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.
QUESTION 97 Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the validation of two sets of username and password credentials on the SSL VPN login page?
A. Single Sign-On B. Certificate to Profile Mapping C. Double Authentication D. RSA OTP
QUESTION 98 Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet Explorer, while other browsers work fine?
A. Verify the trusted zone and cookies settings in your browser. B. Make sure that you specified the URL correctly. C. Try the URL from another operating system. D. Move to the IPsec client.
QUESTION 99 Which cryptographic algorithms are a part of the Cisco NGE suite?
A. HIPPA DES B. AES-CBC-128 C. RC4-128 D. AES-GCM-256
QUESTION 100 Which transform set is contained in the IKEv2 default proposal?
A. aes-cbc-192, sha256, group 14 B. 3des, md5, group 7 C. 3des, sha1, group 1 D. aes-cbc-128, sha, group 5
QUESTION 83 Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?
A. Only one tunnel can be created per tunnel source interface. B. Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancy C. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub. D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.
QUESTION 84 When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you use for the spoke router configuration?
A. GRE multipoint B. Classis point-to-point GRE C. IPsec multipoint D. Nonbroadcast multiaccess
QUESTION 85 With Cisco ASA active/standby failover, by default, how many monitored interface failures will cause failover to occur?
A. 1 B. 2 C. 3 D. 4 E. 5
QUESTION 86 Which two statements about the running configuration of the Cisco ASA are true? (Choose Two)
A. The auto NAT configuration causes all traffic arriving on the inside interface destined to any outside destinations to be translated with dynamic port address transmission using the outside interface IP address. B. The Cisco ASA is using the Cisco ASDM image from disk1:/asdm-642.bin C. The Cisco ASA is setup as the DHCP server for hosts that are on the inside and outside interfaces. D. SSH and Cisco ASDM access to the Cisco ASA requires AAA authentication using the LOCAL user database. E. The Cisco ASA is using a persistent self-signed certified so users can authenticate the Cisco ASA when accessing it via ASDM
QUESTION 87 Which option lists the main tasks in the correct order to configure a new Layer 3 and 4 inspection policy on the Cisco ASA appliance using the Cisco ASDM Configuration > Firewall > Service Policy Rules pane?
A. 1. Create a class map to identify which traffic to match. 2. Create a policy map and apply action(s) to the traffic class(es). 3. Apply the policy map to an interface or globally using a service policy. B. 1. Create a service policy rule. 2. Identify which traffic to match. 3. Apply action(s) to the traffic. C. 1. Create a Layer 3 and 4 type inspect policy map. 2. Create class map(s) within the policy map to identify which traffic to match. 3. Apply the policy map to an interface or globally using a service policy. D. 1. Identify which traffic to match. 2. Apply action(s) to the traffic. 3. Create a policy map. 4. Apply the policy map to an interface or globally using a service policy.
QUESTION 88 By default, how does a Cisco ASA appliance process IP fragments?
A. Each fragment passes through the Cisco ASA appliance without any inspections. B. Each fragment is blocked by the Cisco ASA appliance. C. The Cisco ASA appliance verifies each fragment and performs virtual IP re-assembly before the full IP packet is forwarded out. D. The Cisco ASA appliance forwards the packet out as soon as all of the fragments of the packet have been received.
QUESTION 89 Which other match command is used with the match flow ip destination-address command within the class map configurations of the Cisco ASA MPF?
A. match tunnel-group B. match access-list C. match default-inspection-traffic D. match port E. match dscp
QUESTION 90 Which Cisco ASA configuration is used to configure the TCP intercept feature?
A. a TCP map B. an access list C. the established command D. the set connection command with the embryonic-conn-max option E. a type inspect policy map
QUESTION 71 In the Cisco ASDM interface, where do you enable the DTLS protocol setting?
A. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy B. Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit C. Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client D. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit
QUESTION 72 What are two forms of SSL VPN? (Choose two.)
A. port forwarding B. Full Tunnel Mode C. Cisco IOS WebVPN D. Cisco AnyConnect
QUESTION 73 When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?
A. dynamic access policy attributes B. group policy attributes C. connection profile attributes D. user attributes
QUESTION 74 What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)
A. CSCO_WEBVPN_OTP_PASSWORD B. CSCO_WEBVPN_INTERNAL_PASSWORD C. CSCO_WEBVPN_USERNAME D. CSCO_WEBVPN_RADIUS_USER
QUESTION 75 Refer to the exhibit. Based on the partial configuration shown, which the GET VPN group member GDOI configuration?
A. key server IP address B. local priority C. mapping of the IPsec profile to the IPsec SA D. mapping of the IPsec transform set to the GDOI group
QUESTION 76 An internet-based VPN solution is being considered to replace anexisting private WAN connectingremote offices. A multimedia application is used that relies on multicast for communication. Which two VPN solutions meet the application’s network requirement? (Choose two.)
A. FlexVPN B. DMVPN C. Group Encrypted Transport VPN D. Crypto-map based Site-to-Site IPsec VPNs E. AnyConnect VPN
QUESTION 77 In a GET VPN solution, which two ways can the key server distribute the new keys to the group members during the rekey process? (Choose two.)
A. multicast UDP transmission B. multicast TCP transmission C. unicast UDP transmission D. unicast TCP transmission
QUESTION 78 An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a Web browser. What is a possible reason for the failure?
A. The user’s FTP application is not supported. B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode. C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode. D. The user’s operating system is not supported.
QUESTION 79 When implementing GET VPN, which of these is a characteristic of GDOI IKE?
A. GDOI IKE sessions are established between all peers in the network B. GDOI IKE uses UDP port 500 C. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy D. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers
QUESTION 80 Which two features are required when configuring a DMVPN network? (Choose two.)
A. Dynamic routing protocol B. GRE tunnel interface C. Next Hop Resolution Protocol D. Dynamic crypto map E. IPsec encryption
QUESTION 61 In FlexVPN, what command can an administrator use to create a virtual template interface that can be configured and applied dynamically to create virtual access interfaces?
A. interface virtual-template number type template B. interface virtual-template number type tunnel C. interface template number type virtual D. interface tunnel-template number
QUESTION 62 In FlexVPN, what is the role of a NHRP resolution request?
A. It allows these entities to directly communicate without requiring traffic to use an intermediate hop B. It dynamically assigns VPN users to a group C. It blocks these entities from to directly communicating with each other D. It makes sure that each VPN spoke directly communicates with the hub
QUESTION 63 What are three benefits of deploying a GET VPN? (Choose three.)
A. It provides highly scalable point-to-point topologies. B. It allows replication of packets after encryption. C. It is suited for enterprises running over a DMVPN network. D. It preserves original source and destination IP address information. E. It simplifies encryption management through use of group keying. F. It supports non-IP protocols.
QUESTION 64 What is the default topology type for a GET VPN?
A. point-to-point B. hub-and-spoke C. full mesh D. on-demand spoke-to-spoke
QUESTION 65 Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)
A. key encryption key B. group encryption key C. user encryption key D. traffic encryption key
QUESTION 66 What are the three primary components of a GET VPN network? (Choose three.)
A. Group Domain of Interpretation protocol B. Simple Network Management Protocol C. server load balancer D. accounting server E. group member F. key server
QUESTION 67 Refer to the exhibit. After the configuration is performed, which combination of devices can connect?
A. a device with an identity type of IPv4 address of 126.96.36.199 or 188.8.131.52 or a certificate with subject name of “cisco.com” B. a device with an identity type of IPv4 address of both 184.108.40.206 and 220.127.116.11 or a certificate with subject name containing “cisco.com” C. a device with an identity type of IPv4 address of both 18.104.22.168 and 22.214.171.124 and a certificate with subject name containing “cisco.com” D. a device with an identity type of IPv4 address of 126.96.36.199 or 188.8.131.52 or a certificate with subject name containing “cisco.com”
QUESTION 68 Which three settings are required for crypto map configuration? (Choose three.)
A. match address B. set peer C. set transform-set D. set security-association lifetime E. set security-association level per-host F. set pfs
QUESTION 69 A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889?
A. auto applet download B. port forwarding C. web-type ACL D. HTTP proxy
QUESTION 70 Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the certificate has changed and the connection fails. What is a possible cause of the connection failure?
A. An invalid modulus was used to generate the initial key. B. The VPN is using an expired certificate. C. The Cisco ASA appliance was reloaded. D. The Trusted Root Store is configured incorrectly.