CCNP Security Practice Test | Secure Mobility (SIMOS)

Which command can be used to verify that DTLS is being used as the transport protocol for a Cisco AnyConnect VPN?

A. show version

B. show traffic

C. show ssh sessions

D. show vpn-sessiondb

Which statements regarding the verification of DMVPN full-mesh routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Direct routes to other spokes exist from the spoke.

C. A single IKE session is created.

D. Spokes are reachable over the hub.

You are trying to verify the ISAKMP tunnel using the command output below. Which options regarding this information are true? (Choose two)

You are trying to verify the ISAKMP tunnel using the command output below. Which options regarding this information are true?

A. Main mode was used to set up the tunnel.

B. The tunnel is operational.

C. The aggressive mode was used to set up the tunnel.

D. No tunnel exists, as there should be two peers listed.

You have configured Cisco ASA to allow users to choose a connection profile when connecting to the full-tunnel IKEv2 VPN.
What will occur if the user does not select a connection profile?

A. Users will not be authenticated.

B. Users are assigned to the DefaultRAGroup connection profile.

C. Users are assigned to the DefaultWEBVPNGroup connection profile.

D. Users are assigned to the DefaultL2LGroup connection profile.

A tunnel is not forming between two spokes. Which of the following should you verify? (Choose two)

A. NHRP redirect is enabled on the hub

B. NHRP shortcut is enabled on the spoke

C. SA states on the hub and spoke

D. Connectivity between the hub and the spoke

Which step of configuring Cisco AnyConnect Start Before Logon involves making changes to the AnyConnect profile, and enabling the Cisco ASA to download the AnyConnect module for SBL?

A. Enabling the PLAP capability in Windows

B. Adding the SBL components to Windows

C. Logging in to Windows using SBL

D. Configuring SBL in the client profile

What command is used to enable authentication, authorization, and accounting?

How is external authorization in AnyConnect SSL VPNs monitored? (Choose two)

A. You can view the downloaded ACL in the ASDM or CLI

B. The Cisco ISE authorization policy selects an authorization profile

C. ISE uses a connection profile to authenticate a user against the ASA

D. The authorization profile is based on the cisco-av-pair=ip:acl attribute

Which statements best describe dynamic access policies in Cisco clientless SSL VPNs? (Choose two)

A. They are available for remote access VPNs

B. They are manually generated by aggregating attributes from one or more DAP records

C. They are defined as a collection of access control attributes

D. They are generated and then applied to the user tunnel or session

You need to alter the effects of forwarding an HTTP applet proxy to the client. Which browser is required to complete this task?

A. Safari

B. Google Chrome

C. Microsoft Internet Explorer

D. Mozilla Firefox

Which attribute is used to push WebVPN ACEs to clientless SSL VPN sessions?

A. cisco-av-pair=ip:inacl

B. cisco-av-pair=webvpn:inacl

C. IE-Proxy-Exception-List

D. IETF-Radius-Class

You need to verify the presence of H and NHO routes added by NHRP on a spoke router. Which command will allow you to complete this task?

A. show ip route

B. show crypto key mypubkey ec

C. show ip interface brief

D. show ip nhrp

Which command is used to verify NHRP mapping information on a DMVPN?

A. show dmvpn detail

B. show ip route

C. show ip nhrp nhs detail

D. show ip nhrp

E. show interface tunnel

What are the prerequisites for the AnyConnect SSL VPN deployment? (Choose two)

A. Configure support for DTLS

B. Enable the SSL VPN function on the interface

C. Install the Cisco AnyConnect client software image on the Cisco ASA

D. Provision an identity server SSL/TLS certificate to the Cisco ASA

Which statement is true regarding a Cisco ASA security appliance and IPSec?

A. AH is not supported.

B. IKEv2 is supported but IKEv1 is not supported.

C. ISAKMP is supported but IKE is not supported.

D. ESP is not supported.

You need to implement NGE. Which options would be viable? (Choose three)

A. HMAC-MD5

B. AES-CBC

C. SHA-256

D. ECDH-384

E. AES-GCM

Which command can be used to disconnect all AnyConnect VPN clients using a web browser from the ASA?

A. vpnclient disconnect

B. vpn-session-timeout

C. vpn-sessiondb logoff svc

D. vpn-sessiondb logoff webvpn

Which command would be used to verify the number of encrypted and decrypted packets?

A. show crypto ipsec sa

B. show ip route

C. show interface ipsec tunnel

D. show interface tunnel

What client authentication options are available in the basic AnyConnect SSL VPN? (Choose two)

A. Locally configured static passwords

B. Local user database

C. Connection profile local pool

D. Group Policy

What is the first required step in configuring a DMVPN spoke?

A. Configure an IPSec profile with an optional transform set

B. Create an mGRE tunnel interface

C. Generate or configure hub authentication credentials

D. Associate the IPSec profile with the mGRE interface

What would cause the req-failed field to be a number greater than zero on a spoke? (Choose two)

A. Matching network IDs

B. Next-hop server issue

C. SA keepalives failed

D. Authentication key mismatch

Identify the features of TND. (Choose two)

A. It disconnects the tunnel if the user is in the trusted network

B. It is configured in the client profile

C. It can map and unmap network drives

D. It automatically starts user applications

When configuring router-to-ASA FlexVPN, what match statement rules should you keep in mind? (Choose two)

A. An IKEv2 policy can match multiple FVRF statements

B. An IKEv2 policy can have only one match address local statement

C. An IKEv2 policy can have only one match FVRF statement

D. There is no precedence between match statements of different types

Which three pieces of information are required for the client side of a challenge/response authentication using HMAC? (Choose three)

A. Hash function

B. Random number generator

C. Password

D. Challenge data

E. User DB

What actions are possible with the default Group Policy provided by the Cisco ASA? (Choose two)

A. It can ensure that policy inheritance is not necessary

B. It can be removed so that you can create your own

C. It can be customized to suit your needs

D. It can be disassociated from the two default connection profiles

Which information is used to determine whether a tunnel negotiated via Phase 2 is operating?

A. Inbound ESP SA

B. IKE state

C. Encrypted and decrypted packets

D. Local and remote Crypto endpoints

You need to implement a PKI solution to protect compromised keys by verifying certificates against a revocation database in real-time. The solution needs to be integrated with common PKI revocation mechanisms.
What should be implemented?

A. SCEP

B. AAA

C. OCSP

D. CRL

What command can be used to verify whether the ASA device holds the proper license to activate HostScan?

A. show activation-key

B. show license

What is the first troubleshooting step that should be taken when there is a clientless SSL VPN session establishment issue?

A. Verify user authentication

B. Verify clientless permissions

C. Verify that the SSL/TLS session establishes.

D. Verify user credentials

What steps are required to configure transmission protection? (Choose three)

A. Configure the IKE policy

B. Choose the transform set

C. Choose the VPN peer

D. Enable IKE for each interface

E. Choose traffic for the VPN

The Cisco ASA requires a server identity certificate, which the appliance sends to remote SSL VPN clients in order for remote clients to authenticate the Cisco ASA. By default, the security appliance will create a self-signed X.509 certificate on each reboot, resulting in many client warnings when attempting SSL VPN access, as the certificate cannot be verified by any means.
How can you address this issue? (Choose two)

A. By creating a permanent self-signed certificate that is persistent across reboots, by having the remote users initially accessing the Cisco ASA over a trusted network, and by saving the identity certificate of the Cisco ASA.

B. By enrolling your Cisco ASA with an internal CA. Your clients can obtain the root certificate of the CA from this internal CA and then authenticate the identity of the certificate that is installed on the Cisco ASA.

C. By creating a permanent self-signed certificate that is persistent across reboots, and which you can save on the client, if the remote users have the option of initially accessing the Cisco ASA over a trusted network and saving the identity certificate of

D. By enrolling your Cisco ASA with an external CA. Your clients can obtain the root certificate of the CA from this external CA and then authenticate the identity of the certificate that is installed on the Cisco ASA.

All client traffic is utilizing the VPN tunnel. Clients accessing the Internet should have direct access to external data. What should be enabled?

A. AnyConnect SSL VPN

B. Identity NAT

C. SCEP

D. Split tunneling

Which method of certificate enrollment using SCEP automates the enrollment of Cisco AnyConnect users?

A. Simple Certificate Enrollment Protocol Proxy

B. Direct Simple Certificate Enrollment Protocol

C. Manual

D. Microsoft Active Directory Certificate Services

What limitations should you consider when using GRE tunneling? (Choose two)

A. There is no standard method to determine the end-to-end state of a GRE tunnel

B. Proprietary GRE keepalives are not supported

C. It provides limited cryptographic traffic protection

D. Tunnels can exhibit MTU and IP fragmentation-related issues

Review the output. Which statement is true concerning the output?

A. The HostScan extension can be activated.

B. The HostScan extension cannot be activated.

C. HostScan should be enabled on a branch device, not on an HQ.

D. There is not enough information to determine whether the HostScan extension can be activated.

Which statements best describe dynamic point-to-point VTI tunnels? (Choose two)

A. They simplify the configuration complexity of the VPN hub router

B. They are used to provision hubs in hub-and-spoke VPNs

C. It requires a static mapping of IPSec sessions to a physical interface

D. On the spoke, a dynamic VTI is used to provision its tunnel to the hub

Which SSL VPN portal home page view enables you to verify smart tunnels when they have been configured to start manually?

A. Web Applications

B. VNC Connections

C. Application Access

D. Browse Networks

What is ESP encapsulation designed to provide? (Choose four)

A. Confidentiality

B. Authenticity

C. Overhead

D. Payload

E. Anti replay

F. Integrity

Which tasks are the client generally responsible for in the SSL server authentication? (Choose three)

A. Sending a hello message informing of the preferred cipher suite

B. Sending a hello done message

C. Verifying the certificate to ensure it has been issued by a trusted CA

D. Generating random numbers to use as a shared session key

E. Starting the exchange by sending the client a hello message

What is required when establishing a connection using AnyConnect in Standalone mode? (Choose two)

A. A browser using HTTPS

B. Permanent installation of AnyConnect on the client

C. ASA URL address

D. Username and password

What is the purpose of a connection profile? (Choose two)

A. It defines the client privileges

B. It defines prelogin behavior

C. It is a reference to the Group Policy

D. It includes the split tunneling configuration

Which feature enables users to use native client applications without administrative rights?

A. Smart tunnels

B. Clientless SSL VPN Plugins

C. Authentication using External CA

D. AAA

Which two VPN types are preferred for larger environments that are partially meshed? (Choose two)

A. Dynamic VTI-based

B. GET VPN

C. DMVPN

D. Static VTI-based

What should you consider when using a hub-and-spoke FlexVPN deployment model? (Choose two)

A. An external AAA server should be used on the hub site

B. The configured payload feature is required

C. All traffic between spoke networks must flow through the hub router

D. Each spoke router must be configured with a point-to-point interface to the hub

What are the features of DTLS? (Choose two)

A. It provides a low-latency data path using TCP

B. It is based on the stream-oriented TLS protocol

C. It is defined in RFC 4345

D. It mitigates latency and bandwidth problems that are associated with some SSL-only connections

Identify the multiple client-side authentication options in clientless SSL VPN. (Choose three)

A. Certificate-based and one AAA authentication

B. Double AAA authentication (no certificate) with optional username reuse

C. Double AAA authentication (with certificate) with optional username reuse

D. Certificate-based and two AAA authentication

E. Certificate-based and one AAA authentication, where the username for AAA authentication can be extracted from the certificate subject field and hidden from users

Which FlexVPN configuration block specifies an acceptable combination of security protocols and algorithms for the IPSec SA?

A. IKEv2 keyring

B. IPSec transform set

C. IPSec profile

D. IKEv2 proposal

Which key size is typically used by ECC?

A. 768

B. 2,048

C. 1,024

D. 224

Which two statements are true regarding GET VPN compatibility with network devices? (Choose two)

A. Cisco IOS routers do not support GET VPN

B. Cisco ASA security appliances support GET VPN

C. Cisco ASA security appliances does not support GET VPN.

D. Cisco IOS routers support GET VPN.

Which two statements regarding the version of IKE used with FlexVPN are true? (Choose two)

A. It uses stateless cookies.

B. It can only be used with IPSec.

C. It operates over UDP port 4500.

D. It supports NAT traversal over UDP port 500.

E. Each peer maintains its own local policy.

Which specific components of the secure posture module provide an OS scan? (Choose two)

A. Prelogin policies

B. Cache Cleaner

C. Prelogin assessment

D. Integration with Dynamic Access Policies

When using smart tunnel-based application access with SSL VPN, what happens directly after a user connects and authenticates to the SSL VPN portal?

A. The SSL VPN gateway establishes a TCP connection with the real target server and acts as a data relay between the two TCP sessions

B. A smart tunnel configuration downloads and executes the smart tunnel agent on the client system

C. The smart tunnel applet intercepts the TCP connection of the Lotus Sametime client to the real server and forwards the TCP connection to the existing SSL VPN session

D. The SSL VPN gateway extracts the TCP session from the SSL VPN session

Which command can be used to prompt remote SSL VPN Client users to download the client and remain until the user responds?

A. svc ask enable default webvpn

B. svc ask enable default webvpn timeout value

C. svc ask enable

D. svc ask enable default svc timeout value

E. svc ask enable default svc

You are creating an IKEv2 policy. Which command will ensure that a packet has not been modified during transit?

A. ASA(config-ikev2-policy)#integrity md5

B. ASA(config-ikev2-policy)#hash sha

C. ASA(config-ikev2-policy)#group 5

D. ASA(config-ikev2-policy)#encryption aes-256

Which Cisco IOS FlexVPN benefit provides three different models to implement it?

A. Failover redundancy

B. IP Multicast support

C. Transport network

D. Third-party compatibility

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?