The Latest 300-209 Exam ☆ Instant Download ☆ Free Update for 180 Days
Vendor: Cisco Exam Code: 300-209 Exam Name: Implementing Cisco Secure Mobility Solutions (SIMOS) Version: 13.07 Q & As: 362
Guaranteed Success with EnsurePass VCE Software & PDF File
QUESTION 1
Refer to the exhibit. The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch might be the problem?
A. PSK
B. crypto policy
C. peer identity
D. transform set
Correct Answer: C
QUESTION 2
Which command identifies an AnyConnect profile that was uploaded to the router flash?
A. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
B. svc import profile SSL_profile flash:simos-profile.xml
C. anyconnect profile SSL_profile flash:simos-profile.xml
D. webvpn import profile SSL_profile flash:simos-profile.xml
Correct Answer: A
QUESTION 3
A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish the connection. Which three commands can be used for troubleshooting of the AAA subsystem? (Choose three.)
A. debug aaa authentication
B. debug radius
C. debug vpn authorization error
D. debug ssl openssl errors
E. debug webvpn aaa
F. debug ssl error
Correct Answer: ABD
QUESTION 4
Refer to the exhibit. Which VPN solution does this configuration represent?
A. Cisco AnyConnect
B. IPsec
C. L2TP
D. SSL VPN
Correct Answer: B
QUESTION 5
Which is used by GETVPN, FlexVPN and DMVPN?
A. NHRP
B. MPLS
C. GRE
D. ESP
Correct Answer: D
QUESTION 6
Which three parameters are specified in the isakmp (IKEv1) policy? (Choose three.)
A. the hashing algorithm
B. the authentication method
C. the lifetime
D. the session key
E. the transform-set
F. the peer
Correct Answer: ABC
QUESTION 7
Which statement about the hub in a DMVPN configuration with iBGP is true?
A. It must be a route reflector client.
B. It must redistribute EIGRP from the spokes.
C. It must be in a different AS.
D. It must be a route reflector.
Correct Answer: D

QUESTION 8
Refer to the exhibit. Which technology does this configuration demonstrate?
A. AnyConnect SSL over IPv4+IPv6
B. AnyConnect FlexVPN over IPv4+IPv6
C. AnyConnect FlexVPN IPv6 over IPv4
D. AnyConnect SSL IPv6 over IPv4
Correct Answer: A

QUESTION 9
Refer to the exhibit. While troubleshooting on a remote-access VPN application, a new NOC engineer received the message that is shown. What is the most likely cause of the problem?
A. The IP address that is assigned to the PC of the VPN user is not within the range of addresses that are assigned to the SVC connection.
B. The IP address that is assigned to the PC of the VPN user is in use. The remote user needs to select a different host address within the range.
C. The IP address that is assigned to the PC of the VPN user is in the wrong subnet. The remote user needs to select a different host number within the correct subnet.
D. The IP address pool for contractors was not applied to their connection profile.
Correct Answer: D
QUESTION 10
Which protocol can be used for better throughput performance when using Cisco AnyConnect VPN?
A. TLSv1
B. TLSv1.1
C. TLSv1.2
D. DTLSv1
Correct Answer: D
QUESTION 11
Which two features are required when configuring a DMVPN network? (Choose two.)
A. Dynamic routing protocol
B. GRE tunnel interface
C. Next Hop Resolution Protocol
D. Dynamic crypto map
E. IPsec encryption
Correct Answer: BC
QUESTION 12
Which technology can rate-limit the number of tunnels on a DMVPN hub when system utilization is above a specified percentage?
A. NHRP Event Publisher
B. interface state control
C. CAC
D. NHRP Authentication
E. ip nhrp connect
Correct Answer: C

QUESTION 13
An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS routers. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats seem to show that they are up. However, when trying to connect to a remote server using RDP, the connection fails. Which action resolves this issue?
A. Change DMVPN timeout values.
B. Adjust the MTU size within the routers.
C. Replace certificate on the RDP server.
D. Add RDP port to the extended ACL.
Correct Answer: C

QUESTION 14
Which statement describes a prerequisite for single-sign-on Netegrity Cookie Support in an IOS SSL VPN?
A. The Cisco AnyConnect Secure Mobility Client must be installed in flash.
B. A SiteMinder plug-in must be installed on the Cisco SSL VPN gateway.
C. A Cisco plug-in must be installed on a SiteMinder server.
D. The Cisco Secure Desktop software package must be installed in flash.
Correct Answer: C
QUESTION 15
Refer to the exhibit. Which technology is represented by this configuration?
A. AAA for FlexVPN
B. AAA for EzVPN
C. TACACS+ command authorization
D. local command authorization
Correct Answer: A
QUESTION 16
Which VPN type can be used to provide secure remote access from public internet cafes and airport kiosks?
A. site-to-site
B. business-to-business
C. Clientless SSL
D. DMVPN
Correct Answer: C
QUESTION 17
Which cryptographic algorithms are approved to protect Top Secret information?
A. HIPPA DES
B. AES-128
C. RC4-128
D. AES-256
Correct Answer: D

QUESTION 18
An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation headquarters, tried to access the XYZ sales demonstration folder to transfer a demonstration via FTP from an ABC conference room behind the firewall. The engineer could not reach XYZ through the remote-access VPN tunnel. From home the previous day, however, the engineer did connect to the XYZ sales demonstration folder and transferred the demonstration via IPsec over DSL. To get the connection to work and transfer the demonstration, what should the engineer do?
A. Change the MTU size on the IPsec client to account for the change from DSL to cable transmission.
B. Enable the local LAN access option on the IPsec client.
C. Enable the IPsec over TCP option on the IPsec client.
D. Enable the clientless SSL VPN option on the PC.
Correct Answer: C
Explanation: IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and it enables secure tunneling through both Network Address Translation (NAT) and Port Address Translation (PAT) devices and firewalls.
QUESTION 19
You have been using pre-shared keys for IKE authentication on your VPN. Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you enable scaling to numerous IPsec peers?
A. Migrate to external CA-based digital certificate authentication.
B. Migrate to a load-balancing server.
C. Migrate to a shared license server.
D. Migrate from IPsec to SSL VPN client extended authentication.
Correct Answer: A
QUESTION 20
Which three configurations are prerequisites for stateful failover for IPsec? (Choose three.)
A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the IPsec configuration is copied automatically.
B. Only crypto map configuration that is set up on the active device must be duplicated on the standby device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.
D. The active and standby devices can run different versions of the Cisco IOS software but need to be the same type of device.
E. The active and standby devices must run the same version of the Cisco IOS software and should be the same type of device.
F. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device; the IKE configuration is copied automatically.
G. The IKE configuration that is set up on the active device must be duplicated on the standby device.
Correct Answer: CEG
QUESTION 21
Which are two main use cases for Clientless SSL VPN? (Choose two.)
A. In kiosks that are part of a shared environment
B. When the users do not have admin rights to install a new VPN client
C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP
D. To create VPN site-to-site tunnels in combination with remote access
Correct Answer: AB

QUESTION 22
Which protocol does DTLS use for its transport?
A. TCP
B. UDP
C. IMAP
D. DDE
Correct Answer: B
QUESTION 23
Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco NGE supported VPN solution?
A. AES-GCM and SHA-2
B. 3DES and DH
C. AES-CBC and SHA-1
D. 3DES and SHA-1
Correct Answer: A
QUESTION 24
What are three benefits of deploying a GET VPN? (Choose three.)
A. It provides highly scalable point-to-point topologies.
B. It allows replication of packets after encryption.
C. It is suited for enterprises running over a DMVPN network.
D. It preserves original source and destination IP address information.
E. It simplifies encryption management through use of group keying.
F. It supports non-IP protocols.
Correct Answer: BDE
QUESTION 25
Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?
A. PSK
B. Phase 1 policy
C. transform set
D. crypto access list
Correct Answer: A
QUESTION 26
A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing traffic to be blackholed. Which command should be used to identify the peer from which that route originated?
A. show crypto ikev2 sa detail
B. show crypto route
C. show crypto ikev2 client flexvpn
D. show ip route eigrp
E. show crypto isakmp sa detail
Correct Answer: B
QUESTION 27
Refer to the exhibit. A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a question about a line in the log. The IP address 172.26.26.30 is attached to which interface in the network?
A. the Cisco ASA physical interface
B. the physical interface of the end user
C. the Cisco ASA SSL VPN tunnel interface
D. the SSL VPN tunnel interface of the end user
Correct Answer: B
QUESTION 28
A user with IP address 10.10.10.10 is unable to access a HTTP website at IP address 209.165.200.225 through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)
A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any
B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1 and show logging | include 10.10.10.10
D. Check if an access-list on the firewall is blocking the user by using command show running-config access-list | include 10.10.10.10
E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234 192.168.1.3 161 to see what the firewall is doing with the user's traffic
Correct Answer: AB
QUESTION 29
Which benefit of FlexVPN is not offered by DMVPN using IKEv1?
A. Dynamic routing protocols can be configured.
B. IKE implementation can install routes in routing table.
C. GRE encapsulation allows for forwarding of non-IP traffic.
D. NHRP authentication provides enhanced security.
Correct Answer: B
QUESTION 30
Which command is used to determine how many GMs have registered in a GETVPN environment?
A. show crypto isakmp sa
B. show crypto gdoi ks members
C. show crypto gdoi gm
D. show crypto ipsec sa
E. show crypto isakmp sa count
Correct Answer: B
QUESTION 31
Which option describes the purpose of the command show derived-config interface virtual-access 1?
A. It verifies that the virtual access interface is cloned correctly with per-user attributes.
B. It verifies that the virtual template created the tunnel interface.
C. It verifies that the virtual access interface is of type Ethernet.
D. It verifies that the virtual access interface is used to create the tunnel interface.
Correct Answer: A
QUESTION 32
Which hash algorithm is required to protect classified information?
A. MD5
B. SHA-1
C. SHA-256
D. SHA-384
Correct Answer: D
QUESTION 33
Refer to the exhibit. Which two characteristics of the VPN implementation are evident? (Choose two.)
A. dual DMVPN cloud setup with dual hub
B. DMVPN Phase 3 implementation
C. single DMVPN cloud setup with dual hub
D. DMVPN Phase 1 implementation
E. quad DMVPN cloud with quadra hub
F. DMVPN Phase 2 implementation
Correct Answer: BC
QUESTION 34
If Web VPN bookmarks are grayed out on the home screen, which action should you take to begin troubleshooting?
A. Determine whether the Cisco ASA can resolve the DNS names.
B. Determine whether the Cisco ASA has DNS forwarders set up.
C. Determine whether an ACL is present to permit DNS forwarding.
D. Replace the DNS name with an IP address.
Correct Answer: A
QUESTION 35
Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet Explorer, while other browsers work fine?
A. Verify the trusted zone and cookies settings in your browser.
B. Make sure that you specified the URL correctly.
C. Try the URL from another operating system.
D. Move to the IPsec client.
Correct Answer: A
QUESTION 36
Which statement regarding GET VPN is true?
A. TEK rekeys can be load-balanced between two key servers operating in COOP.
B. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server.
C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
D. The configuration that defines which traffic to encrypt is present only on the key server.
E. The pseudotime that is used for replay checking is synchronized via NTP.
Correct Answer: D

QUESTION 37
What must be enabled in the web browser of the client computer to support Clientless SSL VPN?
A. cookies
B. ActiveX
C. Silverlight
D. popups
Correct Answer: A
QUESTION 38
Refer to the exhibit. After the configuration is performed, which combination of devices can connect?
A. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name of "cisco.com"
B. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 or a certificate with subject name containing "cisco.com"
C. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 and a certificate with subject name containing "cisco.com"
D. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name containing "cisco.com"
Correct Answer: D
QUESTION 39
When you configure IPsec VPN High Availability Enhancements, which technology does Cisco recommend that you enable to make reconvergence faster?
A. EOT
B. IP SLAs
C. periodic IKE keepalives
D. VPN fast detection
Correct Answer: C

QUESTION 40
When troubleshooting established clientless SSL VPN issues, which three steps should be taken? (Choose three.)
A. Clear the browser history.
B. Clear the browser and Java cache.
C. Collect the information from the computer event log.
D. Enable and use HTML capture tools.
E. Gather crypto debugs on the adaptive security appliance.
F. Use Wireshark to capture network traffic.
Correct Answer: BEF
QUESTION 41
Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure Desktop? (Choose three.)
A. IKEv1
B. IKEv2
C. SSL client
D. SSL clientless
E. ESP
F. L2TP
Correct Answer: BCD
QUESTION 42
Refer to the exhibit. An administrator is adding IPv6 addressing to an already functioning tunnel. The administrator is unable to ping 2001:DB8:100::2 but can ping 209.165.200.226. Which configuration needs to be added or changed?
A. No configuration change is necessary. Everything is working correctly.
B. OSPFv3 needs to be configured on the interface.
C. NHRP needs to be configured to provide NBMA mapping.
D. Tunnel mode needs to be changed to GRE IPv4.
E. Tunnel mode needs to be changed to GRE IPv6.
Correct Answer: E
QUESTION 43
A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco IOS router and the Windows server?
A. HTTPS
B. NetBIOS
C. CIFS
D. HTTP
Correct Answer: C
QUESTION 44
The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error message is displayed: "Login Denied, unauthorized connection mechanism, contact your administrator". What is the most possible cause of this problem?
A. DAP is terminating the connection because IKEv2 is the protocol that is being used.
B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection.
C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism.
D. The administrator is restricting access to this specific user.
E. The IKEv2 protocol is not enabled in the group policy of the VPN headend.
Correct Answer: E
QUESTION 45
Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel?
A. show crypto ipsec sa
B. show crypto isakmp sa
C. show crypto ikev2 sa
D. show ip nhrp
Correct Answer: C
QUESTION 46
Refer to the exhibit. An engineer is troubleshooting a new GRE over IPsec tunnel. The tunnel is established, but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?
A. ESP packets from spoke1 to spoke2
B. ISAKMP packets from spoke2 to spoke1
C. ESP packets from spoke2 to spoke1
D. ISAKMP packets from spoke1 to spoke2
Correct Answer: C
QUESTION 47
Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two.)
A. to define group members
B. to distribute static routing information
C. to distribute dynamic routing information
D. to encrypt transit traffic
Correct Answer: AD
QUESTION 48
Which cryptographic algorithms are a part of the Cisco NGE suite?
A. HIPPA DES
B. AES-CBC-128
C. RC4-128
D. AES-GCM-256
Correct Answer: D
QUESTION 49
Which configuration is used to build a tunnel between a Cisco ASA and ISR?
A. crypto map
B. DMVPN
C. GET VPN
D. GRE with IPsec
E. GRE without IPsec
Correct Answer: A
QUESTION 50
Which command enables IOS SSL VPN Smart Tunnel support for PuTTY?
A. appl ssh putty.exe win
B. appl ssh putty.exe windows
C. appl ssh putty
D. appl ssh putty.exe
Correct Answer: B
QUESTION 51
Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL VPN session. Which statement is correct concerning the SSL VPN authorization process?
A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an external AAA server.
B. Remote clients can be authorized externally by applying group parameters from an external database.
C. Remote client authorization is supported by RADIUS and TACACS+ protocols.
D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.
Correct Answer: B
Explanation (Cisco SSL VPN guide): The aaa authentication command is entered to specify an authentication list or server group under a SSL VPN context configuration. If this command is not configured and AAA is configured globally on the router, global authentication will be applied to the context configuration. The database that is configured for remote-user authentication on the SSL VPN gateway can be a local database, or the database can be accessed through any RADIUS or TACACS+ AAA server. We recommend that you use a separate AAA server, such as a Cisco Access Control Server (ACS). A separate AAA server provides a more robust security solution. It allows you to configure unique passwords for each remote user and accounting and logging for remote-user sessions.

QUESTION 52
Which two statements comparing ECC and RSA are true? (Choose two.)
A. ECC can have the same security as RSA but with a shorter key size.
B. ECC lags in performance when compared with RSA.
C. Key generation in ECC is slower and less CPU intensive.
D. ECC cannot have the same security as RSA, even with an increased key size.
E. Key generation in ECC is faster and less CPU intensive.
Correct Answer: AE
QUESTION 53
Which technology must be installed on the client computer to enable users to launch applications from a Clientless SSL VPN?
A. Java
B. QuickTime plug-in
C. Silverlight
D. Flash
Correct Answer: A
QUESTION 54
What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)
A. CSCO_WEBVPN_OTP_PASSWORD
B. CSCO_WEBVPN_INTERNAL_PASSWORD
C. CSCO_WEBVPN_USERNAME
D. CSCO_WEBVPN_RADIUS_USER
Correct Answer: BC

QUESTION 55
Which command enables the router to form EIGRP neighbor adjacencies with peers using a different subnet than the ingress interface?
A. ip unnumbered interface
B. eigrp router-id
C. passive-interface interface name
D. ip split-horizon eigrp as number
Correct Answer: A
QUESTION 56
Which of the following could be used to configure remote access VPN Host-scan and pre-login policies?
A. ASDM
B. Connection-profile CLI command
C. Host-scan CLI command under the VPN group policy
D. Pre-login-check CLI command
Correct Answer: A
QUESTION 57
Which statement is true when implementing a router with a dynamic public IP address in a crypto map based site-to-site VPN?
A. The router must be configured with a dynamic crypto map.
B. Certificates are always used for phase 1 authentication.
C. The tunnel establishment will fail if the router is configured as a responder only.
D. The router and the peer router must have NAT traversal enabled.
Correct Answer: C

QUESTION 58
After completing a site-to-site VPN setup between two routers, application performance over the tunnel is slow. You issue the show crypto ipsec sa command and see the following output. What does this output suggest?

    interface: Tunnel100
        Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
       protected vrf: (none)
       local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)
       current_peer 209.165.200.230 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836
        #pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

A. The VPN has established and is functioning normally.
B. There is an asymmetric routing issue.
C. The remote peer is not receiving encrypted traffic.
D. The remote peer is not able to decrypt traffic.
E. Packet corruption is occurring on the path between the two peers.
Correct Answer: E
QUESTION 59
Which command can be used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?
A. show crypto ikev2 client flexvpn
B. show crypto identity
C. show crypto isakmp sa
D. show crypto gkm
Correct Answer: A
QUESTION 60
An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a Web browser. What is a possible reason for the failure?
A. The user's FTP application is not supported.
B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.
C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.
D. The user's operating system is not supported.
Correct Answer: B
Explanation: http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70664-IOSthinclient.html
Thin-Client SSL VPN (Port Forwarding): A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.

QUESTION 61
Refer to the exhibit. The customer needs to launch AnyConnect in the RDP machine. Which configuration is correct?
A. crypto vpn anyconnect profile test flash:RDP.xml
   policy group default
   svc profile test
B. crypto vpn anyconnect profile test flash:RDP.xml
   webvpn context GW_1
   browser-attribute import flash:/swj.xml
C. crypto vpn anyconnect profile test flash:RDP.xml
   policy group default
   svc profile flash:RDP.xml
D. crypto vpn anyconnect profile test flash:RDP.xml
   webvpn context GW_1
   browser-attribute import test
Correct Answer: A
QUESTION 62
Which technology supports tunnel interfaces while remaining compatible with legacy VPN implementations?
A. FlexVPN
B. DMVPN
C. GET VPN
D. SSL VPN
Correct Answer: A
QUESTION 63
Which protocol supports high availability in a Cisco IOS SSL VPN environment?
A. HSRP
B. VRRP
C. GLBP
D. IRDP
Correct Answer: A

QUESTION 64
Which algorithm provides both encryption and authentication for data plane communication?
A. SHA-96
B. SHA-384
C. 3DES
D. AES-256
E. AES-GCM
F. RC4
Correct Answer: E
QUESTION 65
Which two commands are included in the command show dmvpn detail? (Choose two.)
A. show ip nhrp
B. show ip nhrp nhs
C. show crypto ipsec sa detail
D. show crypto session detail
E. show crypto sockets
Correct Answer: BD

QUESTION 66
An administrator received a report that a user cannot connect to the headquarters site using Cisco AnyConnect and receives this error: "The installer was not able to start the Cisco VPN client, clientless access is not available." Which option is a possible cause for this error?
A. The client version of Cisco AnyConnect is not compatible with the Cisco ASA software image.
B. The operating system of the client machine is not supported by Cisco AnyConnect.
C. The driver for Cisco AnyConnect is outdated.
D. The installed version of Java is not compatible with Cisco AnyConnect.
Correct Answer: C

QUESTION 67
Which statement regarding hashing is correct?
A. MD5 produces a 64-bit message digest.
B. SHA-1 produces a 160-bit message digest.
C. MD5 takes more CPU cycles to compute than SHA-1.
D. Changing 1 bit of the input to SHA-1 can change up to 5 bits in the output.
Correct Answer: B
QUESTION 68
Which type of NHRP packet is unique to Phase 3 DMVPN topologies?
A. resolution request
B. resolution reply
C. redirect
D. registration request
E. registration reply
F. error indication
Correct Answer: C
QUESTION 69
Refer to the exhibit. You are configuring a laptop with the Cisco VPN Client, which uses digital certificates for authentication. Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?
A. FTP
B. LDAP
C. HTTPS
D. SCEP
E. OCSP
Correct Answer: D
Explanation: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
About CRLs: Certificate Revocation Lists provide the security appliance with one means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a part of the configuration of a trustpoint. You can configure the security appliance to make CRL checks mandatory when authenticating a certificate (revocation-check crl command). You can also make the CRL check optional by adding the none argument (revocation-check crl none command), which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data. The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a length of time configurable for each trustpoint. When the security appliance has cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication requires checking the stale CRL.
QUESTION 70
Regarding licensing, which option will allow IKEv2 connections on the adaptive security appliance?
A. AnyConnect Essentials can be used for Cisco AnyConnect IKEv2 connections.
B. IKEv2 sessions are not licensed.
C. The Advanced Endpoint Assessment license must be installed to allow Cisco AnyConnect IKEv2 sessions.
D. Cisco AnyConnect Mobile must be installed to allow AnyConnect IKEv2 sessions.
Correct Answer: B
QUESTION 71
Which VPN solution is best for a collection of branch offices connected by MPLS that frequently make VoIP calls between branches?
A. GETVPN
B. Cisco AnyConnect
C. site-to-site
D. DMVPN
Correct Answer: A
QUESTION 72
Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel group in cleartext?
A. more system:running-config
B. show running-config crypto
C. show running-config tunnel-group
D. show running-config tunnel-group-map
E. clear config tunnel-group
F. show ipsec policy
Correct Answer: A
QUESTION 73
Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?
A. vpn-filter none
B. no vpn-filter
C. filter value none
D. filter value ACLname
Correct Answer: C
Explanation: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/TZ/cmdref4/v.html#pgfId-1842564
QUESTION 74 Which three configuration parameters are mandatory for an IKEv2 profile? (Choose three.)
A. IKEv2 proposal
B. local authentication method
C. match identity or certificate
D. IKEv2 policy
E. PKI certificate authority
F. remote authentication method
G. IKEv2 profile description
H. virtual template
Correct Answer: BCF
QUESTION 75 Which option is most effective at preventing a remote access VPN user from bypassing the corporate transparent web proxy?
A. using the proxy-server settings of the client computer to specify a PAC file for the client computer to download
B. instructing users to use the corporate proxy server for all web browsing
C. disabling split tunneling
D. permitting local LAN access
Correct Answer: C
QUESTION 76 A temporary worker must use clientless SSL VPN with an SSH plug-in, in order to access the console of an internal corporate server, the projects.xyz.com server. For security reasons, the network security auditor insists that the temporary user is restricted to the one internal corporate server, 10.0.4.18. You are the network engineer who is responsible for the network access of the temporary user. What should you do to restrict SSH access to the one projects.xyz.com server?
A. Configure access-list temp_user_acl extended permit TCP any host 10.0.4.18 eq 22.
B. Configure access-list temp_user_acl standard permit host 10.0.4.18 eq 22.
C. Configure access-list temp_acl webtype permit url ssh://10.0.4.18.
D. Configure a plug-in SSH bookmark for host 10.0.4.18, and disable network browsing on the clientless SSL VPN portal of the temporary worker.
Correct Answer: C
Explanation: Web ACLs
The Web ACLs table displays the filters configured on the security appliance applicable to Clientless SSL VPN traffic. The table shows the name of each access control list (ACL), and below and indented to the right of the ACL name, the access control entries (ACEs) assigned to the ACL. Each ACL permits or denies access to specific networks, subnets, hosts, and web servers. Each ACE specifies one rule that serves the function of the ACL. You can configure ACLs to apply to Clientless SSL VPN traffic. The following rules apply:
If you do not configure any filters, all connections are permitted.
The security appliance supports only an inbound ACL on an interface.
At the end of each ACL, an implicit, unwritten rule denies all traffic that is not explicitly permitted.
You can use the following wildcard characters to define more than one wildcard in the Webtype access list entry:
Enter an asterisk "*" to match no characters or any number of characters.
Enter a question mark "?" to match any one character exactly.
Enter square brackets "[]" to create a range operator that matches any one character in a range.
The following examples show how to use wildcards in Webtype access lists. The following example matches URLs such as http://www.cisco.com/ and http://wwz.caco.com/:
access-list test webtype permit url http://ww?.c*co*/
QUESTION 77 Which three plugins are available for clientless SSL VPN? (Choose three.)
A. CIFS
B. RDP2
C. SSH
D. VNC
E. SQLNET
F. ICMP
Correct Answer: BCD
QUESTION 78 When troubleshooting clientless SSL VPN connections, which option can be verified on the client PC?
A. address assignment
B. DHCP configuration
C. tunnel group attributes
D. host file misconfiguration
Correct Answer: D
QUESTION 79 Which two statements describe effects of the DoNothing option within the untrusted network policy on a Cisco AnyConnect profile? (Choose two.)
A. The client initiates a VPN connection upon detection of an untrusted network.
B. The client initiates a VPN connection upon detection of a trusted network.
C. The always-on feature is enabled.
D. The always-on feature is disabled.
E. The client does not automatically initiate any VPN connection.
Correct Answer: AD
QUESTION 80 An engineer is configuring an IPsec VPN with IKEv2. Which three components are part of the IKEv2 proposal for this implementation? (Choose three.)
A. key ring
B. DH group
C. integrity
D. tunnel name
E. encryption
Correct Answer: BCE
QUESTION 81 Refer to the exhibit. Which VPN solution does this configuration represent?
A. Cisco AnyConnect (IKEv2)
B. site-to-site
C. DMVPN
D. SSL VPN
Correct Answer: D
QUESTION 82 Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)
A. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.
B. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.
C. A Cisco ASA with an AnyConnect Premium Peers license can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.
D. Content rewriter functionality in the Clientless SSL VPN portal is not supported on Apple mobile devices.
E. Clientless SSL VPN provides Layer 3 connectivity into the secured network.
Correct Answer: CD
QUESTION 83 Refer to the exhibit. The user "contractor" inherits which VPN group policy?
A. employee
B. management
C. DefaultWEBVPNGroup
D. DfltGrpPolicy
E. new_hire
Correct Answer: D
QUESTION 84 Which three commands are included in the command show dmvpn detail? (Choose three.)
A. show ip nhrp nhs
B. show dmvpn
C. show crypto session detail
D. show crypto ipsec sa detail
E. show crypto sockets
F. show ip nhrp
Correct Answer: BCE
QUESTION 85 Refer to the exhibit. An engineer encounters a debug message. Which action can the engineer take to eliminate this error message?
A. Use a stronger encryption suite.
B. Correct the VPN peer address.
C. Adjust the IPsec replay window.
D. Change the preshared key to match.
Correct Answer: B
QUESTION 86 Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA appliance that has an invalid IKEv2 configuration?
A. migrate remote-access ssl overwrite
B. migrate remote-access ikev2
C. migrate l2l
D. migrate remote-access ssl
Correct Answer: A
Explanation: Below is a reference for this question: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generationfirewalls/113597-ptn-113597.html
If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple. On the command line, enter the migrate command:
migrate {l2l | remote-access {ikev2 | ssl} | overwrite}
Things of note: Keyword definitions:
l2l - This converts current IKEv1 l2l tunnels to IKEv2.
remote access - This converts the remote access configuration. You can convert either the IKEv1 or the SSL tunnel groups to IKEv2.
overwrite - If you have an IKEv2 configuration that you wish to overwrite, then this keyword converts the current IKEv1 configuration and removes the superfluous IKEv2 configuration.
QUESTION 87 Which statement about plug-ins is false?
A. Plug-ins do not require any installation on the remote system.
B. Plug-ins require administrator privileges on the remote system.
C. Plug-ins support interactive terminal access.
D. Plug-ins are not supported on the Windows Mobile platform.
Correct Answer: B
Explanation: http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deployhtml#wp1162435
Plug-ins
The security appliance supports Java plug-ins for clientless SSL VPN connections. Plug-ins are Java programs that operate in a browser. These plug-ins include SSH/Telnet, RDP, VNC, and Citrix. Per the GNU General Public License (GPL), Cisco redistributes plug-ins without making any changes to them. Per the GPL, Cisco cannot directly enhance these plug-ins. To use plug-ins you must install Java Runtime Environment (JRE) 1.4.2.x or greater. You must also use a compatible browser specified here: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpncompatibility.html
QUESTION 88 Refer to the exhibit. Which action is demonstrated by this debug output?
A. NHRP initial registration by a spoke.
B. NHRP registration acknowledgement by the hub.
C. Disabling of the DMVPN tunnel interface.
D. IPsec ISAKMP phase 1 negotiation.
Correct Answer: A
QUESTION 89 Which option describes the purpose of the shared argument in the DMVPN interface command tunnel protection IPsec profile ProfileName shared?
A. shares a single profile between multiple tunnel interfaces
B. allows multiple authentication types to be used on the tunnel interface
C. shares a single profile between a tunnel interface and a crypto map
D. shares a single profile between IKEv1 and IKEv2
Correct Answer: A
QUESTION 90 Refer to the exhibit. While troubleshooting a remote-access application, a new NOC engineer received the logging message that is shown in the exhibit. Which configuration is most likely to be mismatched?
A. IKE configuration
B. extended authentication configuration
C. IPsec configuration
D. digital certificate configuration
Correct Answer: C
Explanation: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml and
%ASA-5-713259: Group = groupname, Username = username, IP = peerIP, Session is being torn down. Reason: reason
Explanation: The termination reason for the ISAKMP session appears, which occurs when the session is torn down through session management.
groupname--The tunnel group of the session being terminated
username--The username of the session being terminated
peerIP--The peer address of the session being terminated
reason--The RADIUS termination reason of the session being terminated. Reasons include the following:
Port Preempted (simultaneous logins)
Idle Timeout
Max Time Exceeded
Administrator Reset
QUESTION 91 Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2 connection, while SSL works fine? (Choose two.)
A. Verify that the primary protocol on the client machine is set to IPsec.
B. Verify that AnyConnect is enabled on the correct interface.
C. Verify that the IKEv2 protocol is enabled on the group policy.
D. Verify that ASDM and AnyConnect are not using the same port.
E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.
Correct Answer: AC
QUESTION 92 Which adaptive security appliance command can be used to see a generic framework of the requirements for configuring a VPN tunnel between an adaptive security appliance and a Cisco IOS router at a remote office?
A. vpnsetup site-to-site steps
B. show running-config crypto
C. show vpn-sessiondb l2l
D. vpnsetup ssl-remote-access steps
Correct Answer: A
QUESTION 93 When an IPsec SVTI is configured, which technology processes traffic forwarding for encryption?
A. ACL
B. IP routing
C. RRI
D. front door VPN routing and forwarding
Correct Answer: B
QUESTION 94 Which two are features of GETVPN but not DMVPN and FlexVPN? (Choose two.)
A. one IPsec SA for all encrypted traffic
B. no requirement for an overlay routing protocol
C. design for use over public or private WAN
D. sequence numbers that enable scalable replay checking
E. enabled use of ESP or AH
F. preservation of IP protocol in outer header
Correct Answer: AB
QUESTION 95 Refer to the exhibit. A network administrator is running DMVPN with EIGRP. When the administrator looks at the routing table on spoke 1, it displays a route to the hub only. Which command is missing on the hub router that would include spoke 2 and spoke 3 in the spoke 1 routing table?
A. no inverse arp
B. neighbor (ip address)
C. no ip split-horizon eigrp 1
D. redistribute static
Correct Answer: C
QUESTION 96 Refer to the exhibit. A NOC engineer needs to tune some postlogin parameters on an SSL VPN tunnel. From the information shown, where should the engineer navigate to, in order to find all the postlogin session parameters?
A. "engineering" Group Policy
B. "contractor" Connection Profile
C. DefaultWEBVPNGroup Group Policy
D. DefaultRAGroup Group Policy
E. "engineer1" AAA/Local Users
Correct Answer: A
Explanation: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html#wp1054618
The policy group is a container that defines the presentation of the portal and the permissions for resources that are configured for a group of remote users. Entering the policy group command places the router in webvpn group policy configuration mode. After it is configured, the group policy is attached to the SSL VPN context configuration by configuring the default-group-policy command. The following tasks are accomplished in this configuration:
The presentation of the SSL VPN portal page is configured.
A NetBIOS server list is referenced.
A port-forwarding list is referenced.
The idle and session timers are configured.
A URL list is referenced.
QUESTION 97 Refer to the exhibit. Which VPN solution does this configuration represent?