Explore all topics
Start Free Trial
Need Help? Contact us
back arrowfull exam logo
search
ai logoChat with AI
Servicesarrow
Discoverarrow

Topics

Explore all topics
Discover more topics

Deck 27: Automating Cisco Security Solutions (SAUTO)

Full screen (f)
exit full mode
Question
<strong> Refer to the exhibit. An engineer is troubleshooting a new GRE over IPsec tunnel. The tunnel is established but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?</strong> A) ESP packets from spoke2 to spoke1 B) ISAKMP packets from spoke2 to spoke1 C) ESP packets from spoke1 to spoke2 D) ISAKMP packets from spoke1 to spoke2 <div style=padding-top: 35px> Refer to the exhibit. An engineer is troubleshooting a new GRE over IPsec tunnel. The tunnel is established but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?

A) ESP packets from spoke2 to spoke1
B) ISAKMP packets from spoke2 to spoke1
C) ESP packets from spoke1 to spoke2
D) ISAKMP packets from spoke1 to spoke2
Use Space or
up arrow
down arrow
to flip the card.
Question
<strong> Refer to the exhibit. What is a result of this configuration?</strong> A) Spoke 1 fails the authentication because the authentication methods are incorrect. B) Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2. C) Spoke 2 fails the authentication because the remote authentication method is incorrect. D) Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2. <div style=padding-top: 35px> Refer to the exhibit. What is a result of this configuration?

A) Spoke 1 fails the authentication because the authentication methods are incorrect.
B) Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2.
C) Spoke 2 fails the authentication because the remote authentication method is incorrect.
D) Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2.
Question
Under which section must a bookmark or URL list be configured on a Cisco ASA to be available for clientless SSLVPN users?

A) tunnel-group (general-attributes)
B) tunnel-group (webvpn-attributes)
C) webvpn (group-policy)
D) webvpn (global configuration)
Question
<strong> Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action brings up the VPN tunnel?</strong> A) Reduce the maximum SA limit on the local Cisco ASA. B) Increase the maximum in-negotiation SA limit on the local Cisco ASA. C) Remove the maximum SA limit on the remote Cisco ASA. D) Correct the crypto access list on both Cisco ASA devices. <div style=padding-top: 35px> Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action brings up the VPN tunnel?

A) Reduce the maximum SA limit on the local Cisco ASA.
B) Increase the maximum in-negotiation SA limit on the local Cisco ASA.
C) Remove the maximum SA limit on the remote Cisco ASA.
D) Correct the crypto access list on both Cisco ASA devices.
Question
<strong> Refer to the exhibit. Based on the debug output, which type of mismatch is preventing the VPN from coming up?</strong> A) interesting traffic B) lifetime C) preshared key D) PFS <div style=padding-top: 35px> Refer to the exhibit. Based on the debug output, which type of mismatch is preventing the VPN from coming up?

A) interesting traffic
B) lifetime
C) preshared key
D) PFS
Question
Which technology works with IPsec stateful failover?

A) GLBR
B) HSRP
C) GRE
D) VRRP
Question
<strong> Refer to the exhibit. The customer can establish a Cisco AnyConnect connection without using an XML profile. When the host ikev2 is selected in the AnyConnect drop down, the connection fails. What is the cause of this issue?</strong> A) The HostName is incorrect. B) The IP address is incorrect. C) Primary protocol should be SSL. D) UserGroup must match connection profile. <div style=padding-top: 35px> Refer to the exhibit. The customer can establish a Cisco AnyConnect connection without using an XML profile. When the host "ikev2" is selected in the AnyConnect drop down, the connection fails. What is the cause of this issue?

A) The HostName is incorrect.
B) The IP address is incorrect.
C) Primary protocol should be SSL.
D) UserGroup must match connection profile.
Question
<strong> Refer to the exhibit. Based on the exhibit, why are users unable to access CCNP Webserver bookmark?</strong> A) The URL is being blocked by a WebACL. B) The ASA cannot resolve the URL. C) The bookmark has been disabled. D) The user cannot access the URL. <div style=padding-top: 35px> Refer to the exhibit. Based on the exhibit, why are users unable to access CCNP Webserver bookmark?

A) The URL is being blocked by a WebACL.
B) The ASA cannot resolve the URL.
C) The bookmark has been disabled.
D) The user cannot access the URL.
Question
Which redundancy protocol must be implemented for IPsec stateless failover to work?

A) SSO
B) GLBP
C) HSRP
D) VRRP
Question
Which command automatically initiates a smart tunnel when a user logs in to the WebVPN portal page?

A) auto-upgrade
B) auto-connect
C) auto-start
D) auto-run
Question
Which two features provide headend resiliency for Cisco AnyConnect clients? (Choose two.)

A) AnyConnect Auto Reconnect
B) AnyConnect Network Access Manager
C) AnyConnect Backup Servers
D) ASA failover
E) AnyConnect Always On
Question
<strong> Refer to the exhibit. Which VPN technology is allowed for users connecting to the Employee tunnel group?</strong> A) SSL AnyConnect B) IKEv2 AnyConnect C) crypto map D) clientless <div style=padding-top: 35px> Refer to the exhibit. Which VPN technology is allowed for users connecting to the Employee tunnel group?

A) SSL AnyConnect
B) IKEv2 AnyConnect
C) crypto map
D) clientless
Question
<strong> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?</strong> A) B) C) D) <div style=padding-top: 35px> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?

A) <strong> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?</strong> A) B) C) D) <div style=padding-top: 35px>
B) <strong> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?</strong> A) B) C) D) <div style=padding-top: 35px>
C) <strong> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?</strong> A) B) C) D) <div style=padding-top: 35px>
D) <strong> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?</strong> A) B) C) D) <div style=padding-top: 35px>
Question
<strong> Refer to the exhibit. A site-to-site tunnel between two sites is not coming up. Based on the debugs, what is the cause of this issue?</strong> A) An authentication failure occurs on the remote peer. B) A certificate fragmentation issue occurs between both sides. C) UDP 4500 traffic from the peer does not reach the router. D) An authentication failure occurs on the router. <div style=padding-top: 35px> Refer to the exhibit. A site-to-site tunnel between two sites is not coming up. Based on the debugs, what is the cause of this issue?

A) An authentication failure occurs on the remote peer.
B) A certificate fragmentation issue occurs between both sides.
C) UDP 4500 traffic from the peer does not reach the router.
D) An authentication failure occurs on the router.
Question
Which IKE identity does an IOS/IOS-XE headend expect to receive if an IPsec Cisco AnyConnect client uses default settings?

A) *$SecureMobilityClient$*
B) *$AnyConnectClient$*
C) *$RemoteAccessVpnClient$*
D) *$DfltlkeldentityS*
Question
<strong> Refer to the exhibit. The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch is the problem?</strong> A) preshared key B) peer identity C) transform set D) ikev2 proposal <div style=padding-top: 35px> Refer to the exhibit. The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch is the problem?

A) preshared key
B) peer identity
C) transform set
D) ikev2 proposal
Question
Which configuration construct must be used in a FlexVPN tunnel?

A) EAP configuration
B) multipoint GRE tunnel interface
C) IKEv1 policy
D) IKEv2 profile
Question
Which requirement is needed to use local authentication for Cisco AnyConnect Secure Mobility Clients that connect to a FlexVPN server?

A) use of certificates instead of username and password
B) EAP-AnyConnect
C) EAP query-identity
D) AnyConnect profile
Question
Which method dynamically installs the network routes for remote tunnel endpoints?

A) policy-based routing
B) CEF
C) reverse route injection
D) route filtering
Question
<strong> Refer to the exhibit. Which two commands under the tunnel-group webvpn-attributes result in a Cisco AnyConnect user receiving the AnyConnect prompt in the exhibit? (Choose two.)</strong> A) group-url https://172.16.31.10/General enable B) group-policy General internal C) authentication aaa D) authentication certificate E) group-alias General enable <div style=padding-top: 35px> Refer to the exhibit. Which two commands under the tunnel-group webvpn-attributes result in a Cisco AnyConnect user receiving the AnyConnect prompt in the exhibit? (Choose two.)

A) group-url https://172.16.31.10/General enable
B) group-policy General internal
C) authentication aaa
D) authentication certificate
E) group-alias General enable
Question
What uses an Elliptic Curve key exchange algorithm?

A) ECDSA
B) ECDHE
C) AES-GCM
D) SHA
Question
<strong> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?</strong> A) B) C) D) <div style=padding-top: 35px> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?

A) <strong> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?</strong> A) B) C) D) <div style=padding-top: 35px>
B) <strong> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?</strong> A) B) C) D) <div style=padding-top: 35px>
C) <strong> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?</strong> A) B) C) D) <div style=padding-top: 35px>
D) <strong> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?</strong> A) B) C) D) <div style=padding-top: 35px>
Question
Which technology is used to send multicast traffic over a site-to-site VPN?

A) GRE over IPsec on IOS router
B) GRE over IPsec on FTD
C) IPsec tunnel on FTD
D) GRE tunnel on ASA
Question
Which parameter is initially used to elect the primary key server from a group of key servers?

A) code version
B) highest IP address
C) highest-priority value
D) lowest IP address
Question
A Cisco ASA is configured in active/standby mode. What is needed to ensure that Cisco AnyConnect users can connect after a failover event?

A) AnyConnect images must be uploaded to both failover ASA devices.
B) The vpnsession-db must be cleared manually.
C) Configure a backup server in the XML profile.
D) AnyConnect client must point to the standby IP address.
Question
What is a requirement for smart tunnels to function properly?

A) Java or ActiveX must be enabled on the client machine.
B) Applications must be UDP.
C) Stateful failover must not be configured.
D) The user on the client machine must have admin access.
Question
Which two commands help determine why the NHRP registration process is not being completed even after the IPsec tunnel is up? (Choose two.)

A) show crypto isakmp sa
B) show ip traffic
C) show crypto ipsec sa
D) show ip nhrp traffic
E) show dmvpn detail
Question
In a FlexVPN deployment, the spokes successfully connect to the hub, but spoke-to-spoke tunnels do not form. Which troubleshooting step solves the issue?

A) Verify the spoke configuration to check if the NHRP redirect is enabled.
B) Verify that the spoke receives redirect messages and sends resolution requests.
C) Verify the hub configuration to check if the NHRP shortcut is enabled.
D) Verify that the tunnel interface is contained within a VRF.
Question
Which feature of GETVPN is a limitation of DMVPN and FlexVPN?

A) sequence numbers that enable scalable replay checking
B) enabled use of ESP or AH
C) design for use over public or private WAN
D) no requirement for an overlay routing protocol
Question
Which two types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL VPN portal? (Choose two.)

A) HTTP
B) ICA (Citrix)
C) VNC
D) RDP
E) CIFS
Question
Which feature allows the ASA to handle nonstandard applications and web resources so that they display correctly over a clientless SSL VPN connection?

A) single sign-on
B) Smart Tunnel
C) WebType ACL
D) plug-ins
Question
Which VPN does VPN load balancing on the ASA support?

A) VTI
B) IPsec site-to-site tunnels
C) L2TP over IPsec
D) Cisco AnyConnect
Question
Cisco AnyConnect clients need to transfer large files over the VPN sessions. Which protocol provides the best throughput?

A) SSL/TLS
B) L2TP
C) DTLS
D) IPsec IKEv1
Question
A Cisco AnyConnect client establishes a SSL VPN connection with an ASA at the corporate office. An engineer must ensure that the client computer meets the enterprise security policy. Which feature can update the client to meet an enterprise security policy?

A) Endpoint Assessment
B) Cisco Secure Desktop
C) Basic Host Scan
D) Advanced Endpoint Assessment
Question
<strong> Refer to the exhibit. Which two tunnel types produce the show crypto ipsec sa output seen in the exhibit? (Choose two.)</strong> A) crypto map B) DMVPN C) GRE D) FlexVPN E) VTI <div style=padding-top: 35px> Refer to the exhibit. Which two tunnel types produce the show crypto ipsec sa output seen in the exhibit? (Choose two.)

A) crypto map
B) DMVPN
C) GRE
D) FlexVPN
E) VTI
Question
Which two changes must be made in order to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two.)

A) Add NHRP shortcuts on the hub.
B) Add NHRP redirects on the spoke.
C) Disable EIGRP next-hop-self on the hub.
D) Enable EIGRP next-hop-self on the hub.
E) Add NHRP redirects on the hub.
Question
Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

A) group-alias
B) certificate map
C) optimal gateway selection
D) group-url
E) AnyConnect client version
Question
On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed, which command is needed for the hub to be able to terminate FlexVPN tunnels?

A) interface virtual-access
B) ip nhrp redirect
C) interface tunnel
D) interface virtual-template
Question
<strong> Refer to the exhibit. What is configured as a result of this command set?</strong> A) FlexVPN client profile for IPv6 B) FlexVPN server to authorize groups by using an IPv6 external AAA C) FlexVPN server for an IPv6 dVTI session D) FlexVPN server to authenticate IPv6 peers by using EAP <div style=padding-top: 35px> Refer to the exhibit. What is configured as a result of this command set?

A) FlexVPN client profile for IPv6
B) FlexVPN server to authorize groups by using an IPv6 external AAA
C) FlexVPN server for an IPv6 dVTI session
D) FlexVPN server to authenticate IPv6 peers by using EAP
Question
Which benefit of FlexVPN is a limitation of DMVPN using IKEv1?

A) GRE encapsulation allows for forwarding of non-IP traffic.
B) IKE implementation can install routes in routing table.
C) NHRP authentication provides enhanced security.
D) Dynamic routing protocols can be configured.
Question
An engineer is configuring clientless SSL VPN. The finance department has a database server that only they should access, but the sales department can currently access it. The finance and the sales departments are configured as separate group-policies. What must be added to the configuration to make sure the users in the sales department cannot access the finance department server?

A) tunnel group lock
B) smart tunnel
C) port forwarding
D) webtype ACL
Question
<strong> Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?</strong> A) crypto access list B) Phase 1 policy C) transform set D) preshared key <div style=padding-top: 35px> Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?

A) crypto access list
B) Phase 1 policy
C) transform set
D) preshared key
Question
An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS routers. When connecting to remote sites, pings and voice data appear to flow properly, and all tunnel stats show that they are up. However, when trying to connect to a remote server using RDP, the connection fails. Which action resolves this issue?

A) Adjust the MTU size within the routers.
B) Add RDP port to the extended ACL.
C) Replace certificate on the RDP server.
D) Change DMVPN timeout values.
Question
Which statement about GETVPN is true?

A) The configuration that defines which traffic to encrypt originates from the key server.
B) TEK rekeys can be load-balanced between two key servers operating in COOP.
C) The pseudotime that is used for replay checking is synchronized via NTP.
D) Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
Question
<strong> Refer to the exhibit. The DMVPN spoke is not establishing a session with the hub. Which two actions resolve this issue? (Choose two.)</strong> A) Change the spoke nhs to 172.16.18.1 and the nbma to 10.0.0.1. B) Change the transform set to mode tunnel. C) Change the ISAKMP policy authentication on the spoke to pre-shared. D) Change the ISAKMP key address on the spoke to 0.0.0.0. E) Change the nhrp authentication key on the spoke to cisco123. <div style=padding-top: 35px> Refer to the exhibit. The DMVPN spoke is not establishing a session with the hub. Which two actions resolve this issue? (Choose two.)

A) Change the spoke nhs to 172.16.18.1 and the nbma to 10.0.0.1.
B) Change the transform set to mode tunnel.
C) Change the ISAKMP policy authentication on the spoke to pre-shared.
D) Change the ISAKMP key address on the spoke to 0.0.0.0.
E) Change the nhrp authentication key on the spoke to cisco123.
Question
Which VPN solution uses TBAR?

A) GETVPN
B) VTI
C) DMVPN
D) Cisco AnyConnect
Question
Which command shows the smart default configuration for an IPsec profile?

A) show run all crypto ipsec profile
B) ipsec profile does not have any smart default configuration
C) show smart-defaults ipsec profile
D) show crypto ipsec profile default
Question
Where must an engineer configure a preshared key for a site-to-site VPN tunnel configured on a Cisco ASA?

A) isakmp policy
B) group policy
C) crypto map
D) tunnel group
Question
<strong> Refer to the exhibit. All internal clients behind the ASA are port address translated to the public outside interface that has an IP address of 3.3.3.3. Client 1 and client 2 have established successful SSL VPN connections to the ASA. What must be implemented so that 3.3.3.3 is returned from a browser search on the IP address?</strong> A) Same-security-traffic permit inter-interface under Group Policy B) Exclude Network List Below under Group Policy C) Tunnel All Networks under Group Policy D) Tunnel Network List Below under Group Policy <div style=padding-top: 35px> Refer to the exhibit. All internal clients behind the ASA are port address translated to the public outside interface that has an IP address of 3.3.3.3. Client 1 and client 2 have established successful SSL VPN connections to the ASA. What must be implemented so that "3.3.3.3" is returned from a browser search on the IP address?

A) Same-security-traffic permit inter-interface under Group Policy
B) Exclude Network List Below under Group Policy
C) Tunnel All Networks under Group Policy
D) Tunnel Network List Below under Group Policy
Question
<strong> Refer to the exhibit. Which value must be configured in the User Group field when the Cisco AnyConnect Profile is created to connect to an ASA headend with IPsec as the primary protocol?</strong> A) address-pool B) group-alias C) group-policy D) tunnel-group <div style=padding-top: 35px> Refer to the exhibit. Which value must be configured in the User Group field when the Cisco AnyConnect Profile is created to connect to an ASA headend with IPsec as the primary protocol?

A) address-pool
B) group-alias
C) group-policy
D) tunnel-group
Question
Which parameter must match on all routers in a DMVPN Phase 3 cloud?

A) GRE tunnel key
B) NHRP network ID
C) tunnel VRF
D) EIGRP split-horizon setting
Question
<strong> Refer to the exhibit. An SSL client is connecting to an ASA headend. The session fails with the message Connection attempt has timed out. Please verify Internet connectivity. Based on how the packet is processed, which phase is causing the failure?</strong> A) phase 9: rpf-check B) phase 5: NAT C) phase 4: ACCESS-LIST D) phase 3: UN-NAT <div style=padding-top: 35px> Refer to the exhibit. An SSL client is connecting to an ASA headend. The session fails with the message "Connection attempt has timed out. Please verify Internet connectivity." Based on how the packet is processed, which phase is causing the failure?

A) phase 9: rpf-check
B) phase 5: NAT
C) phase 4: ACCESS-LIST
D) phase 3: UN-NAT
Question
Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)

A) When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.
B) The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.
C) A Cisco ASA can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.
D) When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the ASA uses its configured DNS servers to perform FQDN resolution.
E) Clientless SSLVPN provides Layer 3 connectivity into the secured network.
Question
<strong> Refer to the exhibit. Which VPN technology is used in the exhibit?</strong> A) DVTI B) VTI C) DMVPN D) GRE <div style=padding-top: 35px> Refer to the exhibit. Which VPN technology is used in the exhibit?

A) DVTI
B) VTI
C) DMVPN
D) GRE
Question
A network engineer must design a remote access solution to allow contractors to access internal servers. These contractors do not have permissions to install applications on their computers. Which VPN solution should be used in this design?

A) IKEv2 AnyConnect
B) Clientless
C) Port forwarding
D) SSL AnyConnect
Question
Which technology works with IPsec stateful failover?

A) GLBP
B) HSRP
C) GRE
D) VRRP
Question
<strong> Refer to the exhibit. Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?</strong> A) dns-server value 10.1.1.2 B) same-security-traffic permit intra-interface C) same-security-traffic permit inter-interface D) dns-server value 10.1.1.3 <div style=padding-top: 35px> Refer to the exhibit. Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?

A) dns-server value 10.1.1.2
B) same-security-traffic permit intra-interface
C) same-security-traffic permit inter-interface
D) dns-server value 10.1.1.3
Question
What are two functions of ECDH and ECDSA? (Choose two.)

A) nonrepudiation
B) revocation
C) digital signature
D) key exchange
E) encryption
Question
Where is split tunneling defined for IKEv2 remote access clients on a Cisco router?

A) IKEv2 authorization policy
B) Group Policy
C) virtual template
D) webvpn context
Question
<strong> Refer to the exhibit. Which type of Cisco VPN is shown for group Cisc012345678?</strong> A) Cisco AnyConnect Client VPN B) DMVPN C) Clientless SSLVPN D) GETVPN <div style=padding-top: 35px> Refer to the exhibit. Which type of Cisco VPN is shown for group Cisc012345678?

A) Cisco AnyConnect Client VPN
B) DMVPN
C) Clientless SSLVPN
D) GETVPN
Question
Which technology and VPN component allows a VPN headend to dynamically learn post NAT IP addresses of remote routers at different sites?

A) DMVPN with ISAKMP
B) GETVPN with ISAKMP
C) DMVPN with NHRP
D) GETVPN with NHRP
Question
<strong> Refer to the exhibit. Which two conclusions should be drawn from the DMVPN phase 2 configuration? (Choose two.)</strong> A) Next-hop-self is required. B) EIGRP neighbor adjacency will fail. C) EIGRP is used as the dynamic routing protocol. D) EIGRP route redistribution is not allowed. E) Spoke-to-spoke communication is allowed. <div style=padding-top: 35px> Refer to the exhibit. Which two conclusions should be drawn from the DMVPN phase 2 configuration? (Choose two.)

A) Next-hop-self is required.
B) EIGRP neighbor adjacency will fail.
C) EIGRP is used as the dynamic routing protocol.
D) EIGRP route redistribution is not allowed.
E) Spoke-to-spoke communication is allowed.
Question
Which two features are valid backup options for an IOS FlexVPN client? (Choose two.)

A) HSRP stateless failover
B) DNS-based hub resolution
C) reactivate primary peer
D) tunnel pivot
E) need distractor
Question
After a user configures a connection profile with a bookmark list and tests the clientless SSLVPN connection, all of the bookmarks are grayed out. What must be done to correct this behavior?

A) Apply the bookmark to the correct group policy.
B) Specify the correct port for the web server under the bookmark.
C) Configure a DNS server on the Cisco ASA and verify it has a record for the web server.
D) Verify HTTP/HTTPS connectivity between the Cisco ASA and the web server.
Question
Which Cisco AnyConnect component ensures that devices in a specific internal subnet are only accessible using port 443?

A) routing
B) WebACL
C) split tunnel
D) VPN filter
Question
Which two types of SSO functionality are available on the Cisco ASA without any external SSO servers? (Choose two.)

A) SAML
B) NTLM
C) Kerberos
D) OAuth 2.0
E) HTTP Basic
Question
While troubleshooting, an engineer finds that the show crypto isakmp sa command indicates that the last state of the tunnel is MM_KEY_EXCH. What is the next step that should be taken to resolve this issue?

A) Verify that the ISAKMP proposals match.
B) Ensure that UDP 500 is not being blocked between the devices.
C) Correct the peer's IP address on the crypto map.
D) Confirm that the pre-shared keys match on both devices.
Question
A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500 concurrent users, ensures all traffic from the client passes through the ASA, and allows users to access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other configuration is set up appropriately, which configuration implements this solution?

A) <strong>A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500 concurrent users, ensures all traffic from the client passes through the ASA, and allows users to access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other configuration is set up appropriately, which configuration implements this solution?</strong> A) B) C) D) <div style=padding-top: 35px>
B) <strong>A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500 concurrent users, ensures all traffic from the client passes through the ASA, and allows users to access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other configuration is set up appropriately, which configuration implements this solution?</strong> A) B) C) D) <div style=padding-top: 35px>
C) <strong>A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500 concurrent users, ensures all traffic from the client passes through the ASA, and allows users to access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other configuration is set up appropriately, which configuration implements this solution?</strong> A) B) C) D) <div style=padding-top: 35px>
D) <strong>A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500 concurrent users, ensures all traffic from the client passes through the ASA, and allows users to access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other configuration is set up appropriately, which configuration implements this solution?</strong> A) B) C) D) <div style=padding-top: 35px>
Question
<strong> Refer to the exhibit. Which type of VPN is used?</strong> A) GETVPN B) clientless SSL VPN C) Cisco Easy VPN D) Cisco AnyConnect SSL VPN <div style=padding-top: 35px> Refer to the exhibit. Which type of VPN is used?

A) GETVPN
B) clientless SSL VPN
C) Cisco Easy VPN
D) Cisco AnyConnect SSL VPN
Question
<strong> Refer to the exhibit. The VPN tunnel between the FlexVPN spoke and FlexVPN hub 192.168.0.12 is failing. What should be done to correct this issue?</strong> A) Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration. Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration. B) Add the match fvrf any command to the IKEv2 policy. match fvrf any command to the IKEv2 policy. C) Add the aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration. aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration. D) Add the tunnel mode gre ip command to the tunnel configuration. tunnel mode gre ip command to the tunnel configuration. <div style=padding-top: 35px> Refer to the exhibit. The VPN tunnel between the FlexVPN spoke and FlexVPN hub 192.168.0.12 is failing. What should be done to correct this issue?

A) Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration. Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration.
B) Add the match fvrf any command to the IKEv2 policy. match fvrf any command to the IKEv2 policy.
C) Add the aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration. aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration.
D) Add the tunnel mode gre ip command to the tunnel configuration. tunnel mode gre ip command to the tunnel configuration.
Question
An engineer notices that while an employee is connected remotely, all traffic is being routed to the corporate network. Which split-tunnel policy allows a remote client to use their local provider for Internet access when working from home?

A) tunnelall
B) excludeall
C) tunnelspecified
D) excludespecified
Question
<strong> Refer to the exhibit. A network engineer is configuring a remote access SSLVPN and is unable to complete the connection using local credentials. What must be done to remediate this problem?</strong> A) Enable the client protocol in the Cisco AnyConnect profile. B) Configure a AAA server group to authenticate the client. C) Change the authentication method to local. D) Configure the group policy to force local authentication. <div style=padding-top: 35px> Refer to the exhibit. A network engineer is configuring a remote access SSLVPN and is unable to complete the connection using local credentials. What must be done to remediate this problem?

A) Enable the client protocol in the Cisco AnyConnect profile.
B) Configure a AAA server group to authenticate the client.
C) Change the authentication method to local.
D) Configure the group policy to force local authentication.
Question
A network engineer must design a clientless VPN solution for a company. VPN users must be able to access several internal web servers. When reachability to those web servers was tested, it was found that one website is not being rewritten correctly by the ASA. What is a potential solution for this issue while still allowing it to be a clientless VPN setup?

A) Set up a smart tunnel with the IP address of the web server.
B) Set up a NAT rule that translates the ASA public address to the web server private address on port 80.
C) Set up Cisco AnyConnect with a split tunnel that has the IP address of the web server.
D) Set up a WebACL to permit the IP address of the web server.
Question
<strong> Refer to the exhibit. Which type of VPN implementation is displayed?</strong> A) IKEv1 cluster B) IKEv2 backup gateway C) IKEv2 load balancer D) IKEv2 reconnect <div style=padding-top: 35px> Refer to the exhibit. Which type of VPN implementation is displayed?

A) IKEv1 cluster
B) IKEv2 backup gateway
C) IKEv2 load balancer
D) IKEv2 reconnect
Question
<strong> Refer to the exhibit. An IKEv2 site-to-site tunnel between an ASA and a remote peer is not building successfully. What will fix the problem based on the debug output?</strong> A) Ensure crypto IPsec policy matches on both VPN devices. B) Install the correct certificate to validate the peer. C) Correct crypto access list on both VPN devices. D) Specify the peer IP address in the tunnel group name. <div style=padding-top: 35px> Refer to the exhibit. An IKEv2 site-to-site tunnel between an ASA and a remote peer is not building successfully. What will fix the problem based on the debug output?

A) Ensure crypto IPsec policy matches on both VPN devices.
B) Install the correct certificate to validate the peer.
C) Correct crypto access list on both VPN devices.
D) Specify the peer IP address in the tunnel group name.
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/75
auto play flashcards
Play
simple tutorial
Full screen (f)
exit full mode
Deck 27: Automating Cisco Security Solutions (SAUTO)
1
<strong> Refer to the exhibit. An engineer is troubleshooting a new GRE over IPsec tunnel. The tunnel is established but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?</strong> A) ESP packets from spoke2 to spoke1 B) ISAKMP packets from spoke2 to spoke1 C) ESP packets from spoke1 to spoke2 D) ISAKMP packets from spoke1 to spoke2 Refer to the exhibit. An engineer is troubleshooting a new GRE over IPsec tunnel. The tunnel is established but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?

A) ESP packets from spoke2 to spoke1
B) ISAKMP packets from spoke2 to spoke1
C) ESP packets from spoke1 to spoke2
D) ISAKMP packets from spoke1 to spoke2
ESP packets from spoke2 to spoke1
2
<strong> Refer to the exhibit. What is a result of this configuration?</strong> A) Spoke 1 fails the authentication because the authentication methods are incorrect. B) Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2. C) Spoke 2 fails the authentication because the remote authentication method is incorrect. D) Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2. Refer to the exhibit. What is a result of this configuration?

A) Spoke 1 fails the authentication because the authentication methods are incorrect.
B) Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2.
C) Spoke 2 fails the authentication because the remote authentication method is incorrect.
D) Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2.
Spoke 1 fails the authentication because the authentication methods are incorrect.
3
Under which section must a bookmark or URL list be configured on a Cisco ASA to be available for clientless SSLVPN users?

A) tunnel-group (general-attributes)
B) tunnel-group (webvpn-attributes)
C) webvpn (group-policy)
D) webvpn (global configuration)
webvpn (global configuration)
4
<strong> Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action brings up the VPN tunnel?</strong> A) Reduce the maximum SA limit on the local Cisco ASA. B) Increase the maximum in-negotiation SA limit on the local Cisco ASA. C) Remove the maximum SA limit on the remote Cisco ASA. D) Correct the crypto access list on both Cisco ASA devices. Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action brings up the VPN tunnel?

A) Reduce the maximum SA limit on the local Cisco ASA.
B) Increase the maximum in-negotiation SA limit on the local Cisco ASA.
C) Remove the maximum SA limit on the remote Cisco ASA.
D) Correct the crypto access list on both Cisco ASA devices.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
5
<strong> Refer to the exhibit. Based on the debug output, which type of mismatch is preventing the VPN from coming up?</strong> A) interesting traffic B) lifetime C) preshared key D) PFS Refer to the exhibit. Based on the debug output, which type of mismatch is preventing the VPN from coming up?

A) interesting traffic
B) lifetime
C) preshared key
D) PFS
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
6
Which technology works with IPsec stateful failover?

A) GLBR
B) HSRP
C) GRE
D) VRRP
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
7
<strong> Refer to the exhibit. The customer can establish a Cisco AnyConnect connection without using an XML profile. When the host ikev2 is selected in the AnyConnect drop down, the connection fails. What is the cause of this issue?</strong> A) The HostName is incorrect. B) The IP address is incorrect. C) Primary protocol should be SSL. D) UserGroup must match connection profile. Refer to the exhibit. The customer can establish a Cisco AnyConnect connection without using an XML profile. When the host "ikev2" is selected in the AnyConnect drop down, the connection fails. What is the cause of this issue?

A) The HostName is incorrect.
B) The IP address is incorrect.
C) Primary protocol should be SSL.
D) UserGroup must match connection profile.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
8
<strong> Refer to the exhibit. Based on the exhibit, why are users unable to access CCNP Webserver bookmark?</strong> A) The URL is being blocked by a WebACL. B) The ASA cannot resolve the URL. C) The bookmark has been disabled. D) The user cannot access the URL. Refer to the exhibit. Based on the exhibit, why are users unable to access CCNP Webserver bookmark?

A) The URL is being blocked by a WebACL.
B) The ASA cannot resolve the URL.
C) The bookmark has been disabled.
D) The user cannot access the URL.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
9
Which redundancy protocol must be implemented for IPsec stateless failover to work?

A) SSO
B) GLBP
C) HSRP
D) VRRP
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
10
Which command automatically initiates a smart tunnel when a user logs in to the WebVPN portal page?

A) auto-upgrade
B) auto-connect
C) auto-start
D) auto-run
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
11
Which two features provide headend resiliency for Cisco AnyConnect clients? (Choose two.)

A) AnyConnect Auto Reconnect
B) AnyConnect Network Access Manager
C) AnyConnect Backup Servers
D) ASA failover
E) AnyConnect Always On
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
12
<strong> Refer to the exhibit. Which VPN technology is allowed for users connecting to the Employee tunnel group?</strong> A) SSL AnyConnect B) IKEv2 AnyConnect C) crypto map D) clientless Refer to the exhibit. Which VPN technology is allowed for users connecting to the Employee tunnel group?

A) SSL AnyConnect
B) IKEv2 AnyConnect
C) crypto map
D) clientless
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
13
<strong> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?</strong> A) B) C) D) Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?

A) <strong> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?</strong> A) B) C) D)
B) <strong> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?</strong> A) B) C) D)
C) <strong> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?</strong> A) B) C) D)
D) <strong> Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?</strong> A) B) C) D)
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
14
<strong> Refer to the exhibit. A site-to-site tunnel between two sites is not coming up. Based on the debugs, what is the cause of this issue?</strong> A) An authentication failure occurs on the remote peer. B) A certificate fragmentation issue occurs between both sides. C) UDP 4500 traffic from the peer does not reach the router. D) An authentication failure occurs on the router. Refer to the exhibit. A site-to-site tunnel between two sites is not coming up. Based on the debugs, what is the cause of this issue?

A) An authentication failure occurs on the remote peer.
B) A certificate fragmentation issue occurs between both sides.
C) UDP 4500 traffic from the peer does not reach the router.
D) An authentication failure occurs on the router.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
15
Which IKE identity does an IOS/IOS-XE headend expect to receive if an IPsec Cisco AnyConnect client uses default settings?

A) *$SecureMobilityClient$*
B) *$AnyConnectClient$*
C) *$RemoteAccessVpnClient$*
D) *$DfltlkeldentityS*
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
16
<strong> Refer to the exhibit. The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch is the problem?</strong> A) preshared key B) peer identity C) transform set D) ikev2 proposal Refer to the exhibit. The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch is the problem?

A) preshared key
B) peer identity
C) transform set
D) ikev2 proposal
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
17
Which configuration construct must be used in a FlexVPN tunnel?

A) EAP configuration
B) multipoint GRE tunnel interface
C) IKEv1 policy
D) IKEv2 profile
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
18
Which requirement is needed to use local authentication for Cisco AnyConnect Secure Mobility Clients that connect to a FlexVPN server?

A) use of certificates instead of username and password
B) EAP-AnyConnect
C) EAP query-identity
D) AnyConnect profile
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
19
Which method dynamically installs the network routes for remote tunnel endpoints?

A) policy-based routing
B) CEF
C) reverse route injection
D) route filtering
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
20
<strong> Refer to the exhibit. Which two commands under the tunnel-group webvpn-attributes result in a Cisco AnyConnect user receiving the AnyConnect prompt in the exhibit? (Choose two.)</strong> A) group-url https://172.16.31.10/General enable B) group-policy General internal C) authentication aaa D) authentication certificate E) group-alias General enable Refer to the exhibit. Which two commands under the tunnel-group webvpn-attributes result in a Cisco AnyConnect user receiving the AnyConnect prompt in the exhibit? (Choose two.)

A) group-url https://172.16.31.10/General enable
B) group-policy General internal
C) authentication aaa
D) authentication certificate
E) group-alias General enable
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
21
What uses an Elliptic Curve key exchange algorithm?

A) ECDSA
B) ECDHE
C) AES-GCM
D) SHA
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
22
<strong> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?</strong> A) B) C) D) Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?

A) <strong> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?</strong> A) B) C) D)
B) <strong> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?</strong> A) B) C) D)
C) <strong> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?</strong> A) B) C) D)
D) <strong> Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?</strong> A) B) C) D)
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
23
Which technology is used to send multicast traffic over a site-to-site VPN?

A) GRE over IPsec on IOS router
B) GRE over IPsec on FTD
C) IPsec tunnel on FTD
D) GRE tunnel on ASA
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
24
Which parameter is initially used to elect the primary key server from a group of key servers?

A) code version
B) highest IP address
C) highest-priority value
D) lowest IP address
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
25
A Cisco ASA is configured in active/standby mode. What is needed to ensure that Cisco AnyConnect users can connect after a failover event?

A) AnyConnect images must be uploaded to both failover ASA devices.
B) The vpnsession-db must be cleared manually.
C) Configure a backup server in the XML profile.
D) AnyConnect client must point to the standby IP address.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
26
What is a requirement for smart tunnels to function properly?

A) Java or ActiveX must be enabled on the client machine.
B) Applications must be UDP.
C) Stateful failover must not be configured.
D) The user on the client machine must have admin access.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
27
Which two commands help determine why the NHRP registration process is not being completed even after the IPsec tunnel is up? (Choose two.)

A) show crypto isakmp sa
B) show ip traffic
C) show crypto ipsec sa
D) show ip nhrp traffic
E) show dmvpn detail
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
28
In a FlexVPN deployment, the spokes successfully connect to the hub, but spoke-to-spoke tunnels do not form. Which troubleshooting step solves the issue?

A) Verify the spoke configuration to check if the NHRP redirect is enabled.
B) Verify that the spoke receives redirect messages and sends resolution requests.
C) Verify the hub configuration to check if the NHRP shortcut is enabled.
D) Verify that the tunnel interface is contained within a VRF.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
29
Which feature of GETVPN is a limitation of DMVPN and FlexVPN?

A) sequence numbers that enable scalable replay checking
B) enabled use of ESP or AH
C) design for use over public or private WAN
D) no requirement for an overlay routing protocol
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
30
Which two types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL VPN portal? (Choose two.)

A) HTTP
B) ICA (Citrix)
C) VNC
D) RDP
E) CIFS
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
31
Which feature allows the ASA to handle nonstandard applications and web resources so that they display correctly over a clientless SSL VPN connection?

A) single sign-on
B) Smart Tunnel
C) WebType ACL
D) plug-ins
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
32
Which VPN does VPN load balancing on the ASA support?

A) VTI
B) IPsec site-to-site tunnels
C) L2TP over IPsec
D) Cisco AnyConnect
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
33
Cisco AnyConnect clients need to transfer large files over the VPN sessions. Which protocol provides the best throughput?

A) SSL/TLS
B) L2TP
C) DTLS
D) IPsec IKEv1
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
34
A Cisco AnyConnect client establishes a SSL VPN connection with an ASA at the corporate office. An engineer must ensure that the client computer meets the enterprise security policy. Which feature can update the client to meet an enterprise security policy?

A) Endpoint Assessment
B) Cisco Secure Desktop
C) Basic Host Scan
D) Advanced Endpoint Assessment
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
35
<strong> Refer to the exhibit. Which two tunnel types produce the show crypto ipsec sa output seen in the exhibit? (Choose two.)</strong> A) crypto map B) DMVPN C) GRE D) FlexVPN E) VTI Refer to the exhibit. Which two tunnel types produce the show crypto ipsec sa output seen in the exhibit? (Choose two.)

A) crypto map
B) DMVPN
C) GRE
D) FlexVPN
E) VTI
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
36
Which two changes must be made in order to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two.)

A) Add NHRP shortcuts on the hub.
B) Add NHRP redirects on the spoke.
C) Disable EIGRP next-hop-self on the hub.
D) Enable EIGRP next-hop-self on the hub.
E) Add NHRP redirects on the hub.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
37
Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

A) group-alias
B) certificate map
C) optimal gateway selection
D) group-url
E) AnyConnect client version
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
38
On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed, which command is needed for the hub to be able to terminate FlexVPN tunnels?

A) interface virtual-access
B) ip nhrp redirect
C) interface tunnel
D) interface virtual-template
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
39
<strong> Refer to the exhibit. What is configured as a result of this command set?</strong> A) FlexVPN client profile for IPv6 B) FlexVPN server to authorize groups by using an IPv6 external AAA C) FlexVPN server for an IPv6 dVTI session D) FlexVPN server to authenticate IPv6 peers by using EAP Refer to the exhibit. What is configured as a result of this command set?

A) FlexVPN client profile for IPv6
B) FlexVPN server to authorize groups by using an IPv6 external AAA
C) FlexVPN server for an IPv6 dVTI session
D) FlexVPN server to authenticate IPv6 peers by using EAP
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
40
Which benefit of FlexVPN is a limitation of DMVPN using IKEv1?

A) GRE encapsulation allows for forwarding of non-IP traffic.
B) IKE implementation can install routes in routing table.
C) NHRP authentication provides enhanced security.
D) Dynamic routing protocols can be configured.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
41
An engineer is configuring clientless SSL VPN. The finance department has a database server that only they should access, but the sales department can currently access it. The finance and the sales departments are configured as separate group-policies. What must be added to the configuration to make sure the users in the sales department cannot access the finance department server?

A) tunnel group lock
B) smart tunnel
C) port forwarding
D) webtype ACL
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
42
<strong> Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?</strong> A) crypto access list B) Phase 1 policy C) transform set D) preshared key Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?

A) crypto access list
B) Phase 1 policy
C) transform set
D) preshared key
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
43
An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS routers. When connecting to remote sites, pings and voice data appear to flow properly, and all tunnel stats show that they are up. However, when trying to connect to a remote server using RDP, the connection fails. Which action resolves this issue?

A) Adjust the MTU size within the routers.
B) Add RDP port to the extended ACL.
C) Replace certificate on the RDP server.
D) Change DMVPN timeout values.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
44
Which statement about GETVPN is true?

A) The configuration that defines which traffic to encrypt originates from the key server.
B) TEK rekeys can be load-balanced between two key servers operating in COOP.
C) The pseudotime that is used for replay checking is synchronized via NTP.
D) Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
45
<strong> Refer to the exhibit. The DMVPN spoke is not establishing a session with the hub. Which two actions resolve this issue? (Choose two.)</strong> A) Change the spoke nhs to 172.16.18.1 and the nbma to 10.0.0.1. B) Change the transform set to mode tunnel. C) Change the ISAKMP policy authentication on the spoke to pre-shared. D) Change the ISAKMP key address on the spoke to 0.0.0.0. E) Change the nhrp authentication key on the spoke to cisco123. Refer to the exhibit. The DMVPN spoke is not establishing a session with the hub. Which two actions resolve this issue? (Choose two.)

A) Change the spoke nhs to 172.16.18.1 and the nbma to 10.0.0.1.
B) Change the transform set to mode tunnel.
C) Change the ISAKMP policy authentication on the spoke to pre-shared.
D) Change the ISAKMP key address on the spoke to 0.0.0.0.
E) Change the nhrp authentication key on the spoke to cisco123.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
46
Which VPN solution uses TBAR?

A) GETVPN
B) VTI
C) DMVPN
D) Cisco AnyConnect
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
47
Which command shows the smart default configuration for an IPsec profile?

A) show run all crypto ipsec profile
B) ipsec profile does not have any smart default configuration
C) show smart-defaults ipsec profile
D) show crypto ipsec profile default
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
48
Where must an engineer configure a preshared key for a site-to-site VPN tunnel configured on a Cisco ASA?

A) isakmp policy
B) group policy
C) crypto map
D) tunnel group
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
49
<strong> Refer to the exhibit. All internal clients behind the ASA are port address translated to the public outside interface that has an IP address of 3.3.3.3. Client 1 and client 2 have established successful SSL VPN connections to the ASA. What must be implemented so that 3.3.3.3 is returned from a browser search on the IP address?</strong> A) Same-security-traffic permit inter-interface under Group Policy B) Exclude Network List Below under Group Policy C) Tunnel All Networks under Group Policy D) Tunnel Network List Below under Group Policy Refer to the exhibit. All internal clients behind the ASA are port address translated to the public outside interface that has an IP address of 3.3.3.3. Client 1 and client 2 have established successful SSL VPN connections to the ASA. What must be implemented so that "3.3.3.3" is returned from a browser search on the IP address?

A) Same-security-traffic permit inter-interface under Group Policy
B) Exclude Network List Below under Group Policy
C) Tunnel All Networks under Group Policy
D) Tunnel Network List Below under Group Policy
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
50
<strong> Refer to the exhibit. Which value must be configured in the User Group field when the Cisco AnyConnect Profile is created to connect to an ASA headend with IPsec as the primary protocol?</strong> A) address-pool B) group-alias C) group-policy D) tunnel-group Refer to the exhibit. Which value must be configured in the User Group field when the Cisco AnyConnect Profile is created to connect to an ASA headend with IPsec as the primary protocol?

A) address-pool
B) group-alias
C) group-policy
D) tunnel-group
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
51
Which parameter must match on all routers in a DMVPN Phase 3 cloud?

A) GRE tunnel key
B) NHRP network ID
C) tunnel VRF
D) EIGRP split-horizon setting
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
52
<strong> Refer to the exhibit. An SSL client is connecting to an ASA headend. The session fails with the message Connection attempt has timed out. Please verify Internet connectivity. Based on how the packet is processed, which phase is causing the failure?</strong> A) phase 9: rpf-check B) phase 5: NAT C) phase 4: ACCESS-LIST D) phase 3: UN-NAT Refer to the exhibit. An SSL client is connecting to an ASA headend. The session fails with the message "Connection attempt has timed out. Please verify Internet connectivity." Based on how the packet is processed, which phase is causing the failure?

A) phase 9: rpf-check
B) phase 5: NAT
C) phase 4: ACCESS-LIST
D) phase 3: UN-NAT
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
53
Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)

A) When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.
B) The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.
C) A Cisco ASA can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.
D) When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the ASA uses its configured DNS servers to perform FQDN resolution.
E) Clientless SSLVPN provides Layer 3 connectivity into the secured network.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
54
<strong> Refer to the exhibit. Which VPN technology is used in the exhibit?</strong> A) DVTI B) VTI C) DMVPN D) GRE Refer to the exhibit. Which VPN technology is used in the exhibit?

A) DVTI
B) VTI
C) DMVPN
D) GRE
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
55
A network engineer must design a remote access solution to allow contractors to access internal servers. These contractors do not have permissions to install applications on their computers. Which VPN solution should be used in this design?

A) IKEv2 AnyConnect
B) Clientless
C) Port forwarding
D) SSL AnyConnect
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
56
Which technology works with IPsec stateful failover?

A) GLBP
B) HSRP
C) GRE
D) VRRP
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
57
<strong> Refer to the exhibit. Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?</strong> A) dns-server value 10.1.1.2 B) same-security-traffic permit intra-interface C) same-security-traffic permit inter-interface D) dns-server value 10.1.1.3 Refer to the exhibit. Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?

A) dns-server value 10.1.1.2
B) same-security-traffic permit intra-interface
C) same-security-traffic permit inter-interface
D) dns-server value 10.1.1.3
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
58
What are two functions of ECDH and ECDSA? (Choose two.)

A) nonrepudiation
B) revocation
C) digital signature
D) key exchange
E) encryption
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
59
Where is split tunneling defined for IKEv2 remote access clients on a Cisco router?

A) IKEv2 authorization policy
B) Group Policy
C) virtual template
D) webvpn context
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
60
<strong> Refer to the exhibit. Which type of Cisco VPN is shown for group Cisc012345678?</strong> A) Cisco AnyConnect Client VPN B) DMVPN C) Clientless SSLVPN D) GETVPN Refer to the exhibit. Which type of Cisco VPN is shown for group Cisc012345678?

A) Cisco AnyConnect Client VPN
B) DMVPN
C) Clientless SSLVPN
D) GETVPN
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
61
Which technology and VPN component allows a VPN headend to dynamically learn post NAT IP addresses of remote routers at different sites?

A) DMVPN with ISAKMP
B) GETVPN with ISAKMP
C) DMVPN with NHRP
D) GETVPN with NHRP
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
62
<strong> Refer to the exhibit. Which two conclusions should be drawn from the DMVPN phase 2 configuration? (Choose two.)</strong> A) Next-hop-self is required. B) EIGRP neighbor adjacency will fail. C) EIGRP is used as the dynamic routing protocol. D) EIGRP route redistribution is not allowed. E) Spoke-to-spoke communication is allowed. Refer to the exhibit. Which two conclusions should be drawn from the DMVPN phase 2 configuration? (Choose two.)

A) Next-hop-self is required.
B) EIGRP neighbor adjacency will fail.
C) EIGRP is used as the dynamic routing protocol.
D) EIGRP route redistribution is not allowed.
E) Spoke-to-spoke communication is allowed.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
63
Which two features are valid backup options for an IOS FlexVPN client? (Choose two.)

A) HSRP stateless failover
B) DNS-based hub resolution
C) reactivate primary peer
D) tunnel pivot
E) need distractor
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
64
After a user configures a connection profile with a bookmark list and tests the clientless SSLVPN connection, all of the bookmarks are grayed out. What must be done to correct this behavior?

A) Apply the bookmark to the correct group policy.
B) Specify the correct port for the web server under the bookmark.
C) Configure a DNS server on the Cisco ASA and verify it has a record for the web server.
D) Verify HTTP/HTTPS connectivity between the Cisco ASA and the web server.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
65
Which Cisco AnyConnect component ensures that devices in a specific internal subnet are only accessible using port 443?

A) routing
B) WebACL
C) split tunnel
D) VPN filter
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
66
Which two types of SSO functionality are available on the Cisco ASA without any external SSO servers? (Choose two.)

A) SAML
B) NTLM
C) Kerberos
D) OAuth 2.0
E) HTTP Basic
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
67
While troubleshooting, an engineer finds that the show crypto isakmp sa command indicates that the last state of the tunnel is MM_KEY_EXCH. What is the next step that should be taken to resolve this issue?

A) Verify that the ISAKMP proposals match.
B) Ensure that UDP 500 is not being blocked between the devices.
C) Correct the peer's IP address on the crypto map.
D) Confirm that the pre-shared keys match on both devices.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
68
A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500 concurrent users, ensures all traffic from the client passes through the ASA, and allows users to access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other configuration is set up appropriately, which configuration implements this solution?

A) <strong>A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500 concurrent users, ensures all traffic from the client passes through the ASA, and allows users to access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other configuration is set up appropriately, which configuration implements this solution?</strong> A) B) C) D)
B) <strong>A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500 concurrent users, ensures all traffic from the client passes through the ASA, and allows users to access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other configuration is set up appropriately, which configuration implements this solution?</strong> A) B) C) D)
C) <strong>A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500 concurrent users, ensures all traffic from the client passes through the ASA, and allows users to access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other configuration is set up appropriately, which configuration implements this solution?</strong> A) B) C) D)
D) <strong>A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500 concurrent users, ensures all traffic from the client passes through the ASA, and allows users to access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other configuration is set up appropriately, which configuration implements this solution?</strong> A) B) C) D)
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
69
<strong> Refer to the exhibit. Which type of VPN is used?</strong> A) GETVPN B) clientless SSL VPN C) Cisco Easy VPN D) Cisco AnyConnect SSL VPN Refer to the exhibit. Which type of VPN is used?

A) GETVPN
B) clientless SSL VPN
C) Cisco Easy VPN
D) Cisco AnyConnect SSL VPN
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
70
<strong> Refer to the exhibit. The VPN tunnel between the FlexVPN spoke and FlexVPN hub 192.168.0.12 is failing. What should be done to correct this issue?</strong> A) Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration. Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration. B) Add the match fvrf any command to the IKEv2 policy. match fvrf any command to the IKEv2 policy. C) Add the aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration. aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration. D) Add the tunnel mode gre ip command to the tunnel configuration. tunnel mode gre ip command to the tunnel configuration. Refer to the exhibit. The VPN tunnel between the FlexVPN spoke and FlexVPN hub 192.168.0.12 is failing. What should be done to correct this issue?

A) Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration. Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration.
B) Add the match fvrf any command to the IKEv2 policy. match fvrf any command to the IKEv2 policy.
C) Add the aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration. aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration.
D) Add the tunnel mode gre ip command to the tunnel configuration. tunnel mode gre ip command to the tunnel configuration.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
71
An engineer notices that while an employee is connected remotely, all traffic is being routed to the corporate network. Which split-tunnel policy allows a remote client to use their local provider for Internet access when working from home?

A) tunnelall
B) excludeall
C) tunnelspecified
D) excludespecified
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
72
<strong> Refer to the exhibit. A network engineer is configuring a remote access SSLVPN and is unable to complete the connection using local credentials. What must be done to remediate this problem?</strong> A) Enable the client protocol in the Cisco AnyConnect profile. B) Configure a AAA server group to authenticate the client. C) Change the authentication method to local. D) Configure the group policy to force local authentication. Refer to the exhibit. A network engineer is configuring a remote access SSLVPN and is unable to complete the connection using local credentials. What must be done to remediate this problem?

A) Enable the client protocol in the Cisco AnyConnect profile.
B) Configure a AAA server group to authenticate the client.
C) Change the authentication method to local.
D) Configure the group policy to force local authentication.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
73
A network engineer must design a clientless VPN solution for a company. VPN users must be able to access several internal web servers. When reachability to those web servers was tested, it was found that one website is not being rewritten correctly by the ASA. What is a potential solution for this issue while still allowing it to be a clientless VPN setup?

A) Set up a smart tunnel with the IP address of the web server.
B) Set up a NAT rule that translates the ASA public address to the web server private address on port 80.
C) Set up Cisco AnyConnect with a split tunnel that has the IP address of the web server.
D) Set up a WebACL to permit the IP address of the web server.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
74
<strong> Refer to the exhibit. Which type of VPN implementation is displayed?</strong> A) IKEv1 cluster B) IKEv2 backup gateway C) IKEv2 load balancer D) IKEv2 reconnect Refer to the exhibit. Which type of VPN implementation is displayed?

A) IKEv1 cluster
B) IKEv2 backup gateway
C) IKEv2 load balancer
D) IKEv2 reconnect
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
75
<strong> Refer to the exhibit. An IKEv2 site-to-site tunnel between an ASA and a remote peer is not building successfully. What will fix the problem based on the debug output?</strong> A) Ensure crypto IPsec policy matches on both VPN devices. B) Install the correct certificate to validate the peer. C) Correct crypto access list on both VPN devices. D) Specify the peer IP address in the tunnel group name. Refer to the exhibit. An IKEv2 site-to-site tunnel between an ASA and a remote peer is not building successfully. What will fix the problem based on the debug output?

A) Ensure crypto IPsec policy matches on both VPN devices.
B) Install the correct certificate to validate the peer.
C) Correct crypto access list on both VPN devices.
D) Specify the peer IP address in the tunnel group name.
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Unlock Deck
k this deck
locked card icon
Unlock Deck
Unlock for access to all 75 flashcards in this deck.
Examlex
Examlex
Work With Us
Policies
Download the App
Scan to downloadDownload the App
qr-code
Links
Links
Work With Us
Download the App

Scan to downloadDownload the App
qr-code

Copyright © 2025 Examlex LLC.
  • facebook-footer
  • instagram-footer
  • x-footer
  • tiktok
  • Linktree