1. Why must a network engineer avoid usage of the default X.509 certificate when implementing Clientless VPN on an ASA?
A. The certificate is too weak to provide adequate security
B. The default X.509 certificate is not supported for SSLVPN
C. The certificate is regenerated at each reboot
D. The certificate must be managed by the local CA
ANS: C

2) Main differences between DMVPN & GetVPN
A. DMVPN can use IKEv1/IKEv2, but FlexVPN only IKEv2
B. FlexVPN uses IKEv2, DMVPN uses IKEv1
ANS: A

3) How can you see additional information about VPN clients (AnyConnect client SSL VPN, Clientless)?
A. show vpn-sessiondb
B. show vpn-sessiondb anyconnect
C. show vpn-sessiondb detail
ANS: C

4) What does this command mean:
R(config)#crypto pki enroll TRUST
A) Enrolling of a self-signed certificate
B) Makes a signing request to the CA server
C) To initiate enrollment to get a certificate from the CA server
ANS: B

5) Which two changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two.)
A. Disable EIGRP next-hop-self on the hub.
B. Enable EIGRP next-hop-self on the hub.
C. Add NHRP shortcuts on the hub.
D. Add NHRP redirects on the hub.
E. Add NHRP redirects on the spoke.
ANS: AD

6) Which three changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose three.)
A. Enable EIGRP next-hop-self on the hub.
B. Disable EIGRP next-hop-self on the hub.
C. Enable EIGRP split-horizon on the hub.
D. Add NHRP redirects on the hub.
E. Add NHRP shortcuts on the spoke.
F. Add NHRP shortcuts on the hub.
ANS: BDE
Explanation/Reference:
http://f.usht.ru/Cisco/Info/DMVPN%20Phase%203%20mirgation.pdf

7) Which command configures IKEv2 symmetric identity authentication?
A. match identity remote address 0.0.0.0
B. authentication local pre-share
C. authentication pre-share
D. authentication remote rsa-sig
ANS: B

8) How to check encrypted/decrypted packets on IKEv2/FlexVPN?
A. show crypto session detail
B. show crypto session x
C. show crypto ikev2 sa
D. show crypto isakmp sa
E. x
ANS: A
Explanation/Reference:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s3.html#wp7173612400

9) What command in the CLI do you have to use to capture IKEv1 phase 1?
A. capture match ip q 500 eq port 500
B. capture match gre q port 500 eq port 500
C. capture match ah q port 500 eq port 500
D. capture match udp eq port 153 eq port 153
E. capture match udp eq port 500 eq port 500
ANS: E

10) What is this configlet supposed to mean?
crypto pki trustpoint TRIALTRUST4
A. Creates/declares a name for the trustpoint
B. ?
C. ?
ANS: A

11) What does the exhibit mean in IOS: crypto pki profile enrollment TRUSTSET
A. Enrolling to CA TRUSTSET profile
B. Enrolling to a self-signed certificate
C. To initiate enrollment to get a certificate from the CA server
ANS: A

12) Which way does the customer use if he wants to upgrade to a new version of AnyConnect?
A. Webdeploy
B. Clouddeploy
ANS: A

13) How is the context configured for an active/active ASA configuration?
A. PAT context
B. NAT context
C. Single context
D. Multiple context
ANS: D
Explanation/Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_active.html

14) What is the PFS group used for?
A. It makes rekey on Phase 1 from 1
B. It makes rekey on the 2nd phase and the 2nd phase
C. It makes rekey on phase 1 and the 2nd phase
D. It makes rekey from the phase 2 and phase 1
ANS: B

15) About site-to-site IPsec: the 1st phase works, but the 2nd does not. What is a possible reason?
A. Incorrect DH group
B. Incorrect PFS group
C. ACLs don't match
D. Certificate
ANS: C

16) A question about tunneling: the connection between branch and headquarters should be tunnel-less.
A. SSL
B. DMVPN
C. GETVPN
D. FlexVPN
ANS: C

17) An engineer wants to troubleshoot IKEv2 AnyConnect from a PC to an ASA. What is required?
A. Profile and binary must be downloaded first
B. The client computer must have a certificate that contains the server EKU
C. ..
D. The client should use EAP-AnyConnect
Answer: A

18) A site-to-site VPN is already working between the ASA and a Cisco ISR router. There is a requirement to make the ASA accessible via the VPN tunnel. Which command allows you to do this?
A) management-access interface <intf_name>
B) access-list vpn permit esp any any
C) crypto map vpnmap 10 access-list 101
D) access-list 101 permit ah any any
E) access-list 101 permit icmp any any
ANS: A

19) An engineer needs to select a protocol to securely implement a Cisco VPN solution that is reliable and offers acknowledgement of packets. Which of the following protocols is best suited?
A) IKEv1
B) ESP
C) 3DES
D) AES-256
E) RSA
ANS: B

20) Branch routers at remote sites need to connect securely to the data center. Which protocols (select two) are best suited to this situation?
1) OSPF
2) EIGRP
3) ISIS
4) RIPv2
5) BGP
ANS: 2) 5)

21) What routing protocol is recommended by Cisco in DMVPN between the company router and the ISP router?
A. OSPF
B. RIPv2
C. ISIS
D. BGP
E. EIGRP
ANS: D, E
22) An employee working from home sends all traffic to the company server. Is there a policy for him to use his local internet provider and the VPN only for company data?
A. tunnelall
B. No such policy exists
C. tunnelspecified
D. tunnelexclude
ANS: C
23) Similar question to 3: what is the name of the feature that enables it?
A. Kerberos
B. DART
C. NAT exemptions
D. Split tunnelling
ANS: D
24) Another question about PKI, like what is required to make it work.
A. RADIUS
B. NTP
C. FTP/HTTP
D. Certificate Authority
E. x
ANS: B, D
25) Which algorithm is more reliable? (I don't remember the whole question.)
A. AES 128
B. AES 192
C. AES 256
D. RC4
ANS: C

26) Which algorithm does ISAKMP use to derive encryption and integrity keys?
A. RSA
B. 3DES
C. HMAC
D. AES
E. Diffie-Hellman
ANS: E

27) Alan is a remote worker who uses AnyConnect VPN to connect to the corporate network. While connected using AnyConnect VPN, he cannot use TeamViewer, a web-based screen-sharing application. Once he disconnects the VPN connection, he can successfully share his screen using the TeamViewer application. What could be the issue?
A. TeamViewer is using an incorrect network interface.
B. The corporate ASA firewall is blocking TeamViewer connections.
C. TeamViewer and AnyConnect use the same network ports.
D. Split tunneling is not configured on the Cisco ASA.

NEW QUESTION 293
A company has a FlexVPN solution for remote access and one of their Cisco AnyConnect remote clients is having trouble connecting properly. Which command verifies that packets are being encrypted and decrypted?
A. show crypto session active
B. show crypto ikev2 stats
C. show crypto ikev1 sa
D. show crypto ikev2 sa
E. show crypto session detail
Answer: E

NEW QUESTION 294
Refer to the exhibit. Which result of this command is true?
A. Makes the router generate a certificate signing request
B. Generates an RSA key called TRIALFOUR
C. It displays the RSA public keys of the router
D. It specifies self-signed enrollment for a trustpoint
Answer: A

NEW QUESTION 295
An engineer is attempting to establish a new site-to-site VPN connection. The tunnel terminates on an ASA 5506-X which is behind an ASA 5515-X. The engineer notices that the tunnel is not establishing. Which option is a potential cause?
A. Certificates were not configured
B. Diffie-Hellman group is not set
C. Access lists were not applied
D. NAT traversal is not configured
Answer: D

NEW QUESTION 296
Which algorithm does ISAKMP use to securely derive encryption and integrity keys?
A. Diffie-Hellman
B. AES
C. ECDSA
D. RSA
E. 3DES
Answer: A

NEW QUESTION 297
Which purpose of configuring Perfect Forward Secrecy is true?
A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 2 keys.
B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 1 keys.
C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 1 keys.
D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 2 keys.
Answer: B

NEW QUESTION 298
An engineer has successfully established a phase 1 tunnel, but notices that no packets are decrypted on the head end side of the tunnel. What is a potential cause for this issue?
A. Different phase 2 encryption
B. Misconfigured DH group
C. Disabled PFS
D. Firewall blocking Phase 2 ESP or AH
Answer: A

NEW QUESTION 299
Which option describes traffic that will initiate a VPN connection?
A. Trusted
B. External
C. Internal
D. Interesting
Answer: D

NEW QUESTION 300
Which command will allow a referenced ASA interface to become accessible across a site-to-site VPN?
A. access-list 101 extended permit icmp any any
B. crypto map vpn 10 match address 101
C. crypto map vpn interface inside
D. management-access <interface name>
ANSWER: B/D???

Which two attributes can be matched from the identity of the remote peer when using IKEv2 Name Manager? (Choose two.)
A. fqdn
B. hostname
C. IP address
D. kerberos
ANSWER: BD???

Which two statements describe effects of the DoNothing option within the untrusted network policy on a Cisco AnyConnect profile? (Choose two.)
A. The client initiates a VPN connection upon detection of an untrusted network.
B. The client initiates a VPN connection upon detection of a trusted network.
C. The always-on feature is enabled.
D. The always-on feature is disabled.
E. The client does not automatically initiate any VPN connection.
Answer: AD

The following configuration steps have been completed:
WebVPN was enabled on the ASA outside interface.
SSL VPN client software was loaded to the ASA.
A DHCP scope was configured and applied to a WebVPN tunnel group.
What additional step is required if the client software fails to load when connecting to the ASA SSL page?
A. The SSL client must be loaded to the client by an ASA administrator
B. The SSL client must be downloaded to the client via FTP
C. The SSL VPN client must be enabled on the ASA after loading
D. The SSL client must be enabled on the client machine before loading
Answer in dumps: A. I think C.
Answer: C

What are two forms of SSL VPN? (Choose two.)
A. Port forwarding
B. Full Tunnel Mode
C. Cisco IOS WebVPN
D. Cisco AnyConnect
Answer: CD

1 Which technology supports tunnel interfaces while remaining compatible with legacy VPN implementations?
A. FlexVPN
B. DMVPN
C. GET VPN
D. SSL VPN
Correct Answer: A

2 When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or PAT, which type of VPN tunneling should you use to allow the VPN traffic through the stateful firewall?
A. Clientless SSL VPN
B. IPsec over TCP
C. Smart tunnel
D. SSL VPN plug-ins
Correct Answer: B

Where is split-tunneling defined for remote access clients on an ASA?
A. Group-policy
B. Tunnel-group
C. Crypto-map
D. Web-VPN Portal
E. ISAKMP client
Correct Answer: A

Using the Next Generation Encryption technologies, which is the minimum acceptable encryption level to protect sensitive information?
A. AES 92 bits
B. AES 128 bits
C. AES 256 bits
D. AES 512 bits
Correct Answer: B

What is being used as the authentication method on the branch ISR? (SIM question)
A. Certificates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2
Correct Answer: D

What is being used as the authentication method on the branch ISR? (SIM question)
A. Certificates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2
Correct Answer: B

Which VPN type can be used to provide secure remote access from public internet cafes and airport kiosks?
A. Site-to-site
B. Business-to-business
C. Clientless SSL
D. DMVPN
Correct Answer: C

As network security architect, you must implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity. Which technology should you use?
A. IPsec DVTI
B. FlexVPN
C. DMVPN
D. IPsec SVTI
E. GET VPN
Correct Answer: E

As network consultant, you are asked to suggest a VPN technology that can support a multivendor environment and secure traffic between sites. Which technology should you recommend?
A. DMVPN
B. FlexVPN
C. GET VPN
D. SSL VPN
Correct Answer: B

After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?
A. IPsec user profile
B. Crypto Map
C. Group Policy
D. IPsec Policy
E. IKE Policy
Correct Answer: B

Which VPN solution is best for a collection of branch offices connected by MPLS that frequently make VoIP calls between branches?
A. GETVPN
B. Cisco AnyConnect
C. Site-to-site
D. DMVPN
Correct Answer: A