300-209 Implementing Cisco Secure Mobility Solutions

Page 1   
Question 1






Answer : configure key ring crypto ikev2 keyring mykeys peer SiteB.cisco.com address 209.161.201.1 pre-shared-key local $iteA pre-shared key remote $iteB Configure IKEv2 profile Crypto ikev2 profile default identity local fqdn SiteA.cisco.com Match identity remote fqdn SiteB.cisco.com Authentication local pre-share Authentication remote pre-share Keyring local mykeys Create the GRE Tunnel and apply profile crypto ipsec profile default set ikev2-profile default Interface tunnel 0 ip address 10.1.1.1 255.255.255.0 Tunnel source eth 0/0 Tunnel destination 209.165.201.1 tunnel protection ipsec profile default end

Question 2

You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which
command must you configure on the virtual template?

  • A. tunnel protection ipsec
  • B. ip virtual-reassembly
  • C. tunnel mode ipsec
  • D. ip unnumbered


Answer : D

Question 3

Which are two main use cases for Clientless SSL VPN? (Choose two.)

  • A. In kiosks that are part of a shared environment
  • B. When the users do not have admin rights to install a new VPN client
  • C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP
  • D. To create VPN site-to-site tunnels in combination with remote access


Answer : A,B

Question 4

Refer to the exhibit.


Which VPN solution does this configuration represent?

  • A. Cisco AnyConnect (IKEv2)
  • B. site-to-site
  • C. DMVPN
  • D. SSL VPN


Answer : D

Question 5

Refer to the exhibit.


A NOC engineer needs to tune some prelogin parameters on an SSL VPN tunnel.
From the information that is shown, where should the engineer navigate to find the prelogin
session attributes?

  • A. "engineering" Group Policy
  • B. "contractor" Connection Profile
  • C. "engineer1" AAA/Local Users
  • D. DfltGrpPolicy Group Policy


Answer : B

Explanation: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administrat ion/guide/ac05hostscanposture.html#wp1039696

Question 6

Which algorithm provides both encryption and authentication for plane communication?

  • A. RC4
  • B. SHA-384
  • C. AES-256
  • D. SHA-96
  • E. 3DES
  • F. AES-GCM


Answer : F

Question 7

Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a
tunnel group in cleartext?

  • A. more system:running-config
  • B. show running-config crypto
  • C. show running-config tunnel-group
  • D. show running-config tunnel-group-map
  • E. clear config tunnel-group
  • F. show ipsec policy


Answer : A

Question 8

Which algorithm is replaced by elliptic curve cryptography in Cisco NGE?

  • A. 3DES
  • B. AES
  • C. DES
  • D. RSA


Answer : D

Question 9

Which protocols does the Cisco AnyConnect client use to build multiple connections to the
security appliance?

  • A. TLS and DTLS
  • B. IKEv1
  • C. L2TP over IPsec
  • D. SSH over TCP


Answer : A

Question 10

Refer to the exhibit.


Which authentication method was used by the remote peer to prove its identity?

  • A. Extensible Authentication Protocol
  • B. certificate authentication
  • C. pre-shared key
  • D. XAUTH


Answer : C

Question 11

An XYZ Corporation systems engineer, while making a sales call on the ABC Corporation
headquarters, tried to access the XYZ sales demonstration folder to transfer a
demonstration via FTP from an ABC conference room behind the firewall. The engineer
could not reach XYZ through the remote-access VPN tunnel. From home the previous day,
however, the engineer did connect to the XYZ sales demonstration folder and transferred
the demonstration via IPsec over DSL.
To get the connection to work and transfer the demonstration, what should the engineer
do?

  • A. Change the MTU size on the IPsec client to account for the change from DSL to cable transmission.
  • B. Enable the local LAN access option on the IPsec client.
  • C. Enable the IPsec over TCP option on the IPsec client.
  • D. Enable the clientless SSL VPN option on the PC.


Answer : C

Explanation: IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and it enables secure tunneling through both Network Address Translation (NAT) and Port Address Translation (PAT) devices and firewalls Which benefit of FlexVPN is not offered by DMVPN using IKEv1? A. Dynamic routing protocols can be configured. B. IKE implementation can install routes in routing

Page 1