CCNP Security Practice Test | Secure Mobility (SIMOS)

What are the descriptions that can be applied to a digital signature? (Choose two)

A. Digital signature algorithms provide integrity

B. They use a combination of a hash function and an asymmetric algorithm

C. They are a combination of an HMAC algorithm and a symmetric function

D. They use a public signing key and a private shared key

How do nonrepudiation methods provide cryptographic proof of a transaction? (Choose three)

A. The signature can be generated only by the private key owner

B. The hashing algorithm secures the key

C. Digital signatures are used

D. The signature is stored by the receiver as a proof

When configuring router-to-ASA FlexVPN, what match statement rules should you keep in mind? (Choose two)

A. An IKEv2 policy can match multiple FVRF statements

B. An IKEv2 policy can have only one match address local statement

C. An IKEv2 policy can have only one match FVRF statement

D. There is no precedence between match statements of different types

Which component is responsible for group key and SA management in a GET VPN deployment?

A. Perfect Forward Secrecy

B. Group Member

C. Key Server

D. Group Domain of Interpretation

What is the purpose of a connection profile? (Choose two)

A. It defines the client privileges

B. It defines prelogin behavior

C. It is a reference to the Group Policy

D. It includes the split tunneling configuration

Which three statements are true regarding clientless SSL VPN solutions? (Choose three)

A. They do not require any special software.

B. They can be used to access CIFS file shares.

C. They can use IPSec VPN connections.

D. They provide browser-based access to resources.

E. They cannot access applications that use static TCP ports.

Which SSL VPN portal home page view enables you to verify smart tunnels when they have been configured to start manually?

A. Web Applications

B. VNC Connections

C. Application Access

D. Browse Networks

Which secure posture module component is a package that installs on the remote device after the user connects to the Cisco Adaptive Security Appliance and before the user logs in?

A. Integration with dynamic access policies

B. Prelogin assessment

C. Host scan

D. Prelogin policies

Which command can be used to prompt remote SSL VPN Client users to download the client and remain until the user responds?

A. svc ask enable default webvpn

B. svc ask enable default webvpn timeout value

C. svc ask enable

D. svc ask enable default svc timeout value

E. svc ask enable default svc

Which statements best describe dynamic access policies in Cisco clientless SSL VPNs? (Choose two)

A. They are available for remote access VPNs

B. They are manually generated by aggregating attributes from one or more DAP records

C. They are defined as a collection of access control attributes

D. They are generated and then applied to the user tunnel or session

What client authentication options are available in the basic AnyConnect SSL VPN? (Choose two)

A. Locally configured static passwords

B. Local user database

C. Connection profile local pool

D. Group Policy

Which command is used to verify that the certificate has successfully been imported and that ECDSA is used?

A. show crypto isakmp sa

B. show crypto ipsec sa

C. show crypto key

D. show crypto pki certificates verbose

Which troubleshooting command can be used to monitor an active view of AnyConnect client web browser SSL sessions?

A. debug webvpn util

B. debug webvpn html

C. debug webvpn url

D. debug webvpn svc

What are the three VPN connection technologies? (Choose three)

A. Full-tunnel client-based IPSec VPN

B. Clientless SSL VPN

C. Full-tunnel clientless LTO VPN

D. Full-tunnel client-based SSL VPN

What improvements does IKEv2 provide to IKEv1? (Choose three)

A. Supports dynamically addressed peers with PKI-facilitated authentication

B. Built-in DPD

C. Supports PFS to ensure that a given IPSec SA key is not derived from another secret

D. Better rekeying and collision handling

E. Requires fewer round trips

Which set of commands will correctly configure the local authorization policy?

A. Router(config)#crypto ikev2 authorization policy policy1
Router(config-ikev2-author-policy)#pool flex-pool
Router(config-ikev2-author-policy)#def-domain brocadero.com
Router(config-ikev2-author-policy)#route set interface
Rout

B. Router(config-ikev2-profile)#virtual-template 1

C. Router(config)#crypto ipsec profile default
Router(ipsec-profile)#set ikev2-profile default

D. Router(config)#aaa new-model
Router(config)#aaa authorization network list1 local

What is the purpose of FlexVPN? (Choose two)

A. To provide encapsulation

B. To convert cleartext to ciphertext

C. To simplify deployment of VPNs

D. To address the complexity of multiple solutions

When enabling smart tunnels in the clientless SSL VPN access, what kind of information can you specify? (Choose three)

A. Bookmarks for the security appliance to display

B. Application list entries

C. Smart tunnel session log off method

D. Auto sign-on server list entries

E. Port forwarding list entries

When verifying and troubleshooting Cisco AnyConnect IPSec VPN, which tab of the AnyConnect Secure Mobility Client window allows you to confirm that the client has used IPSec/IKEv2 to connect by viewing the transport information?

A. Route Details

B. Firewall

C. Statistics

D. Message History

E. Preferences

What are the three fields in an X.509v3 certificate? (Choose three)

A. Serial Number

B. Validity Period

C. Owner Full Name

D. Version

E. Usage Order

Which attribute would you use to apply an ACE to a user session?

A. cisco-av-pair=ip:inacl

B. cisco-av-pair=inacl:ip

C. cisco-av-pair=inacl:webvpn

D. cisco-av-pair=webvpn:inacl

How is external authorization in AnyConnect SSL VPNs monitored? (Choose two)

A. You can view the downloaded ACL in the ASDM or CLI

B. The Cisco ISE authorization policy selects an authorization profile

C. ISE uses a connection profile to authenticate a user against the ASA

D. The authorization profile is based on the cisco-av-pair=ip:acl attribute

You need to verify the presence of H and NHO routes added by NHRP on a spoke router. Which command will allow you to complete this task?

A. show ip route

B. show crypto key mypubkey ec

C. show ip interface brief

D. show ip nhrp

A user indicates that they are unable to access a file server share. You believe that you have misconfigured webtype ACLs.
What is the easiest method of verifying this?

A. View the Cisco ASA's logging output.

B. View predefined bookmarks.

C. View output from the traceroute command.

D. View DNS group configuration.

Which option correctly defines the action that takes place when a DTLS-based VPN loses a packet?

A. The VPN endpoints will retransmit the dropped datagram.

B. The TCP stack of the application endpoints will retransmit the datagrams.

C. Both the VPN and the TCP stack of the application endpoint will retransmit the datagram.

D. The datagram is not retransmitted to reduce latency.

You are configuring basic Cisco AnyConnect SSL VPN on the Cisco ASA.
During which step in the process would you configure split tunneling?

A. Configuring identity NAT for client access

B. Enabling Cisco AnyConnect SSL VPN on ASA

C. Edit the default connection profile or create a custom one

D. Edit the default Group Policy or create a custom one

When modifying the default DAP, what should you keep in mind? (Choose two)

A. Default DAP has the lowest priority and cannot be deleted

B. Terminate action will act like the default deny statement in an ACL

C. A user connection can match only one DAP record

D. The security appliance does not have a default DAP record

You are troubleshooting a failed clientless SSL VPN session establishment. Which two utilities can be used to query the DNS server to troubleshoot issues why the browser cannot resolve the SSL VPN portal's URL? (Choose two)

A. arp

B. dig

C. traceroute

D. ping

E. nslookup

You are configuring split tunneling on the Cisco ASA device via the CLI. You have created an access list named "STACL". Enter the command to specify this access list to be used for split tunneling.

A tunnel is not forming between two spokes. Which of the following should you verify? (Choose two)

A. NHRP redirect is enabled on the hub

B. NHRP shortcut is enabled on the spoke

C. SA states on the hub and spoke

D. Connectivity between the hub and the spoke

Refer to the output. To what is this message referring?

A. Mismatched IKE proposals

B. Mismatched IKE versions

C. Key configuration errors

D. Conflicting peer addresses

What actions are possible with the default Group Policy provided by the Cisco ASA? (Choose two)

A. It can ensure that policy inheritance is not necessary

B. It can be removed so that you can create your own

C. It can be customized to suit your needs

D. It can be disassociated from the two default connection profiles

You need to alter the effects of forwarding an HTTP applet proxy to the client. Which browser is required to complete this task?

A. Safari

B. Google Chrome

C. Microsoft Internet Explorer

D. Mozilla Firefox

How are clientless password-based users handled in SSL VPN authentication? (Choose two)

A. It is mandatory to use AAA authentication

B. If no profile is chosen, the Cisco ASA will assign them to the DefaultWEBVPNGroup connection profile

C. If no profile is chosen, the Cisco ASA will assign them to the DefaultRAGroup connection profile

D. They may be permitted to select a connection profile from the selection menu or group URL

Which statements regarding the verification of DMVPN hub-and-spoke routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Routes are reachable over the spoke

C. A single IKE session is created.

D. Spokes are reachable over the hub.

Which application access method is available with Cisco clientless SSL VPNs and is recommended for Linux?

A. Port forwarding

B. Full-tunnel VPN

C. Smart tunnels

D. Application plugins

Which command is used to verify that the ECDSA keys have been successfully generated?

A. show crypto key

B. show crypto ipsec sa detail

C. show crypto ipsec sa

D. show crypto pki certificates verbose

Which command is used to merge site-to-site IKEv1 with IKEv2 configuration?

A. migrate remote-access ikev2

B. crypto ikev2 remote-access trust-point

C. migrate remote-access ikev2 overwrite

D. migrate l2l ikev2

Based on the output, what is the IP address of the local interface used to access the connected spoke network?

A. 192.0.10.1

B. 198.51.100.1

C. 203.0.133.1

D. 192.0.2.3

When a clientless SSL VPN user successfully authenticates to the Cisco Adaptive Security Appliance, the user is presented with a web portal where they can access protected resources behind the Cisco ASA.
What types of applications can a user access by default? (Choose two)

A. File shares using CIFS and FTP

B. Internal web pages and web-based applications using HTTP and HTTPS

C. File shares using TFTP

D. Internal web pages and web-based applications using HTTP and NNTP

Which step of configuring Cisco AnyConnect Start Before Logon involves making changes to the AnyConnect profile, and enabling the Cisco ASA to download the AnyConnect module for SBL?

A. Enabling the PLAP capability in Windows

B. Adding the SBL components to Windows

C. Logging in to Windows using SBL

D. Configuring SBL in the client profile

What should you consider when using a PKI obtained certificate for server authentication? (Choose two)

A. The appliance will create a self-signed certificate to sign certificates that are issued to clients

B. You can configure the Cisco ASA to obtain an identity certificate from the external PKI

C. The self-signed certificate authentication method is recommended

D. Clients should have a CA certificate that is installed locally

What command can be used to verify whether the ASA device holds the proper license to activate HostScan?

A. show activation-key

B. show license

Which statements best describe the NHRP client-server protocol? (Choose two)

A. It is designed to manage the transportation of multiprotocol and IP multicast traffic between two or more sites, which may only have IP connectivity

B. It creates a mapping for a tunnel IP address to the physical interface IP address for each spoke at the hub

C. It is typically used for simple point-to-point tunnels that emulate a point-to-point WAN link, or on spoke routers in hub-and-spoke VPNs

D. It is used by routers to determine the IP address of the next hop in IP tunneling networks

Identify the features of TND. (Choose two)

A. It disconnects the tunnel if the user is in the trusted network

B. It is configured in the client profile

C. It can map and unmap network drives

D. It automatically starts user applications

Which statements regarding the use of parallel DTLS and TLS tunnels are true? (Choose two)

A. The SSL tunnel is used to negotiate and establish the DTLS tunnel.

B. The DTLS tunnel is used to negotiate and establish the SSL/TLS tunnel.

C. Enabling DPD allows for DTLS-to-TLS automatic fallback.

D. DTLS-to-TLS automatic fallback requires IKEv2.

What steps are required to configure transmission protection? (Choose three)

A. Configure the IKE policy

B. Choose the transform set

C. Choose the VPN peer

D. Enable IKE for each interface

E. Choose traffic for the VPN

Which two site-to-site VPN technologies natively support IP Multicasts? (Choose two)

A. IPSec VPN

B. DMVPN

C. FlexVPN

D. GETVPN

When an SSL client is authenticated, in addition to the server, which additional exchanges are required? (Choose two)

A. After the server sends its certificate to the client, the server will request that the client sends its certificate in return

B. The server sends a change cipher specification message that tells the client that all subsequent messages from the server will use the negotiated security

C. The client sends a change cipher specification message that tells the server to activate the negotiated cipher suite

D. After the client sends the client key exchange, the client sends a certificate verify message

Which functions applied to cryptographic keys deal with Key Management? (Choose five)

A. Revocation

B. Composition

C. Destructions

D. Arrangement

E. Generation

F. Verification

G. Mutability

H. Exchange

Which options best describe site-to-site VPN? (Choose two)

A. It always use IPSec for its cryptographic path protection

B. It connect as a replacement for a classic WAN

C. It require basic network traffic controls

D. It only work over controlled networks (MPLS)

The output below contains logging messages of unsuccessful IKE Phase 1. What is the cause of this problem?

A. Key configuration errors

B. Different DH groups

C. Wrong version of IKE

D. Unacceptable SA proposals

Which Cisco ASA-supported application plugin supports the Citrix servers?

A. ICA

B. SSH

C. RDP

D. VNC

Which method of certificate enrollment using SCEP automates the enrollment of Cisco AnyConnect users?

A. Simple Certificate Enrollment Protocol Proxy

B. Direct Simple Certificate Enrollment Protocol

C. Manual

D. Microsoft Active Directory Certificate Services

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?