209 New Corrected
Ans C
3) How can you see additional information about VPN clients (AnyConnect client SSL VPN, clientless)?
A. show vpn-sessiondb
B. show vpn-sessiondb anyconnect
C. show vpn-sessiondb detail
ANS: C
5) Which two changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is
configured? (Choose two.)
6) Which three changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP
is configured? (Choose three.)
ANS:B
ANS: E
11) What does the exhibit mean in IOS: crypto pki profile enrollment TRUSTSET?
A. Enrolling to CA TRUSTSET profile
B. Enrolling to a self-signed certificate
C. To initiate enrollment to get a certificate from the CA server
ANS: A
12) Which method should the customer use if he wants to upgrade to a new version of AnyConnect?
A. Webdeploy
B. Clouddeploy
ANS: A
Explanation
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_active.html
15) In a site-to-site IPsec VPN, Phase 1 works but Phase 2 does not. What is a possible reason?
A. Incorrect DH group
B. Incorrect PFS group
C. ACLs don't match
D. Certificate
ANS: C
16) A question about tunneling: the connection between branch and headquarters should
be tunnel-less.
A. SSL
B. DMVPN
C. GETVPN
D. FlexVPN
ANS: C
17) An engineer wants to troubleshoot IKEv2 AnyConnect from a PC to an ASA. What is required?
A. Profile and binary must be downloaded first
B. The client computer must have a certificate that contains the server EKU
C. ..
D. The client should use EAP-Anyconnect
Answer: A
18) A site-to-site VPN is already working between the ASA and a Cisco ISR router. There is a
requirement to make the ASA accessible via the VPN tunnel. Which command allows you to do
this?
A) management-access interface <inft_name>
ANS: A
19) An engineer needs to select a protocol for securely implementing a Cisco VPN solution that is
reliable and offers acknowledgement of packets. Which of the following protocols is best suited
to consider?
A) IKEv1
B) ESP
C) 3DES
D) AES-256
E) RSA
ANS: B
20) Branch routers at remote sites need to connect securely to the data center. Which protocols
(select two) are best suited to this situation?
1) OSPF
2) EIGRP
3) ISIS
4) RIPv2
5) BGP
ANS: 2) 5)
21) What routing protocol is recommended by Cisco in DMVPN between the company router and the ISP
router?
A. OSPF
B. RIPv2
C. ISIS
D. BGP
E. EIGRP
ANS: D, E
22) An employee working from home sends all traffic to the company server. Is there a policy that lets him
use his local internet provider and the VPN only for company data?
A. tunnelall
B. No such policy exists
C. tunnelspecified
D. Tunnelexclude
ANS: C
23) Similar question to 3. What is the name of the feature that enables it?
A. Kerberos
B. DART
C. NAT exceptions
D. Split tunnelling
ANS: D
24) Another question about PKI: what is required to make it work?
A. RADIUS
B. NTP
C. FTP/HTTP
D. Certificate Authority
E. x
ANS: B, D
25) Which algorithm is more reliable? (I don't remember the whole question.)
A. AES 128
B. AES 192
C. AES 256
D. RC4
ANS: C
26) Which algorithm does ISAKMP use to derive encryption and integrity keys?
A. RSA
B. 3DES
C. HMAC
D. AES
E. Diffie Hellman
ANS: E
27) Alan is a remote worker who uses AnyConnect VPN to connect to the corporate network.
While connected using AnyConnect VPN, he cannot use Team Viewer, a web-based screen-sharing
application. Once he disconnects the VPN connection, he can successfully share his screen
using the Team Viewer application. What could be the issue?
A. Team Viewer is using an incorrect Network Interface.
B. Corporate ASA Firewall is blocking Team Viewer connections.
C. Team Viewer and AnyConnect use the same network ports.
D. Split tunneling is not configured on Cisco ASA.
Answer: E
Answer: D
A. Diffie Hellman
B. AES
C. ECDSA
D. RSA
E. 3DES
Answer: A
A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase
2 keys.
B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase
1 keys.
C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase
1 keys.
D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase
2 keys.
Answer: B
Answer: A
A. trusted
B. external
C. internal
D. interesting
Answer: D
14. Which command will allow a referenced ASA interface to become accessible across a
site-to-site VPN?
ANSWER:B/D???
Which two attributes can be matched from the identity of the remote peer when using IKEv2
Name Mangler? (Choose two.)
A. fqdn
B. hostname
C. IP address
D. kerberos
ANSWER:BD???
Which two statements describe effects of the DoNothing option within the untrusted network
policy on a Cisco AnyConnect profile? (Choose two.)
Answer:AD
C. The SSL VPN client must be enabled on the ASA after loading
D. The SSL client must be enabled on the client machine before loading
Answer:C
1 Which technology supports tunnel interfaces while remaining compatible with legacy VPN
implementations?
A. FlexVPN
B. DMVPN
C. GET VPN
D. SSL VPN
Correct Answer: A
2 When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or
PAT, which type of VPN tunneling should you use to allow the VPN traffic through the stateful
firewall?
Correct Answer: B
Where is split-tunneling defined for remote access clients on an ASA?
A. Group-policy
B. Tunnel-group
C. Crypto-map
D. Web-VPN Portal
E. ISAKMP client
Correct Answer: A
Using the Next Generation Encryption technologies, which is the minimum acceptable encryption level
to protect sensitive information?
A. AES 92 bits
B. AES 128 bits
C. AES 256 bits
D. AES 512 bits
Correct Answer: B
What is being used as the authentication method on the branch ISR?---SIM Question
A. Certificates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2
Correct Answer: D
What is being used as the authentication method on the branch ISR?---SIM Question
A. Certificates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2
Correct Answer: B
Which VPN type can be used to provide secure remote access from public internet cafes and airport
kiosks?
A. site-to-site
B. business-to-business
C. Clientless SSL
D. DMVPN
Correct Answer: C
As a network security architect, you must implement secure VPN connectivity among company
branches over a private IP cloud with any-to-any scalable connectivity. Which technology should you
use?
A. IPsec DVTI
B. FlexVPN
C. DMVPN
D. IPsec SVTI
E. GET VPN
Correct Answer: E
As a network consultant, you are asked to suggest a VPN technology that can support a multivendor
environment and secure traffic between sites. Which technology should you recommend?
A. DMVPN
B. FlexVPN
C. GET VPN
D. SSL VPN
Correct Answer: B
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the
IPsec policy parameters.
Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?
Correct Answer: B
Which VPN solution is best for a collection of branch offices connected by MPLS that frequently make
VoIP calls between branches?
A. GETVPN
B. Cisco AnyConnect
C. site-to-site
D. DMVPN
Correct Answer: A