CCNP Security Practice Test | Secure Mobility (SIMOS)

A connection is not forming between the spoke and the hub. Enter the command that you would use to verify SA states on hub and spoke. (Choose two)

A. show crypto session

B. show crypto session detail

You are testing an application plugin for a clientless SSL VPN session; however, it will not start. What should be done?

A. Verify that the browser's Java/ActiveX functions.

B. Verify that the smart tunnel agent starts.

C. Verify that the appropriate plugins are loaded.

D. Verify webtype ACLs.

What is involved when configuring basic IKE peering using PSKs? (Choose two)

A. Using a RSA exchange of an appropriate strength (group) to provide keying material to IKE and IPSec

B. Using appropriate session lifetimes

C. Using an encryption and hashing algorithm to guarantee confidentiality and authentication of the key management session

D. Using PSKs for mutual authentication

You are configuring split tunneling on the Cisco ASA device via the CLI. You have created an access list named "STACL". Enter the command to specify this access list to be used for split tunneling.

Refer to the output. Which statements regarding the output are true? (Choose two)

Refer to the output. Which statements regarding the output are true?

A. IKE Phase 2 was successful.

B. IPSec SAs were successfully completed.

C. IKE proposals are mismatched.

D. Conflicting group and IP addresses exist.

You want to display NHRP next-hop server information. Which command should you use?

A. show dmvpn detail

B. show interface tunnel

C. show ip nhrp

D. show ip nhrp nhs detail

What is the first required step in configuring a DMVPN spoke?

A. Configure an IPSec profile with an optional transform set

B. Create an mGRE tunnel interface

C. Generate or configure hub authentication credentials

D. Associate the IPSec profile with the mGRE interface

Which attribute is used to push WebVPN ACEs to clientless SSL VPN sessions?

A. cisco-av-pair=ip:inacl

B. cisco-av-pair=webvpn:inacl

C. IE-Proxy-Exception-List

D. IETF-Radius-Class

You need to verify the presence of H and NHO routes added by NHRP on a spoke router. Which command will allow you to complete this task?

A. show ip route

B. show crypto key mypubkey ec

C. show ip interface brief

D. show ip nhrp

Which two modes identify the phase one ISAKMP operation modes? (Choose two)

A. SA mode

B. Main mode

C. Aggressive mode

D. Transport mode

What are the characteristics of symmetric algorithms? (Choose three)

A. Efficient, fast, and simple to accelerate in hardware

B. Typical key lengths are in thousands of bits

C. Examples are RSA and ECC

D. Suitable for real-time bulk encryption

E. Generally used for digital signatures or key exchanges

F. Examples are 3DES, RC4, SEAL, AES, and Blowfish

Which command is used to verify NHRP mapping information on a DMVPN?

A. show dmvpn detail

B. show ip route

C. show ip nhrp nhs detail

D. show ip nhrp

E. show interface tunnel

Which three statements regarding the FlexVPN Architecture are true? (Choose three)

A. It provides a modular framework.

B. It is a legacy technology.

C. It is backward compatible with IKEv1.

D. It provides a single configuration approach for all VPN types.

E. It provides features such as QoS.

How are clientless password-based users handled in SSL VPN authentication? (Choose two)

A. It is mandatory to use AAA authentication

B. If no profile is chosen, the Cisco ASA will assign them to the DefaultWEBVPNGroup connection profile

C. If no profile is chosen, the Cisco ASA will assign them to the DefaultRAGroup connection profile

D. They may be permitted to select a connection profile from the selection menu or group URL

Which application access method is available with Cisco clientless SSL VPNs and is recommended for Linux?

A. Port forwarding

B. Full-tunnel VPN

C. Smart tunnels

D. Application plugins

Which command is used to verify that the certificate has successfully been imported and that ECDSA is used?

A. show crypto isakmp sa

B. show crypto ipsec sa

C. show crypto key

D. show crypto pki certificates verbose

Which command is used to verify that the ECDSA keys have been successfully generated?

A. show crypto key

B. show crypto ipsec sa detail

C. show crypto ipsec sa

D. show crypto pki certificates verbose

Which command can be used to prompt remote SSL VPN Client users to download the client and remain until the user responds?

A. svc ask enable default webvpn

B. svc ask enable default webvpn timeout value

C. svc ask enable

D. svc ask enable default svc timeout value

E. svc ask enable default svc

What should you keep in mind when using client authentication with an external CA? (Choose two)

A. The users must have the root certificate preinstalled in their browsers

B. The security appliance receives the root certificate of the external CA and enrolls with the CA to obtain its identity certificate

C. The enterprise can manage its own CA so users do not need to enroll with the CA to obtain their identity certificates

D. The entities use the self-signed root certificate to verify the authenticity of the peer certificate

Refer to the output. To what is this message referring?

A. Mismatched IKE proposals

B. Mismatched IKE versions

C. Key configuration errors

D. Conflicting peer addresses

What should you consider when using a PKI obtained certificate for server authentication? (Choose two)

A. The appliance will create a self-signed certificate to sign certificates that are issued to clients

B. You can configure the Cisco ASA to obtain an identity certificate from the external PKI

C. The self-signed certificate authentication method is recommended

D. Clients should have a CA certificate that is installed locally

Which two statements regarding the version of IKE used with FlexVPN are true? (Choose two)

A. It uses stateless cookies.

B. It can only be used with IPSec.

C. It operates over UDP port 4500.

D. It supports NAT traversal over UDP port 500.

E. Each peer maintains its own local policy.

You need to alter the effects of forwarding an HTTP applet proxy to the client. Which browser is required to complete this task?

A. Safari

B. Google Chrome

C. Microsoft Internet Explorer

D. Mozilla Firefox

Which component is responsible for group key and SA management in a GET VPN deployment?

A. Perfect Forward Secrecy

B. Group Member

C. Key Server

D. Group Domain of Interpretation

What does SSL/TLS provide? (Choose two)

A. Data integrity to ensure that data hasn't been modified in transit

B. Endpoint authentication on the server only

C. Support for native application clients

D. Encryption to ensure data is only readable by the intended recipient

Which statements best describe the handshake phase of SSL connections? (Choose two)

A. SSL encrypts the data traffic and ensures data confidentiality and integrity

B. It typically uses RSA as the public key algorithm

C. It ensures authentication of the server and, optionally, of the client

D. Data integrity is achieved using message digest algorithms such as MD5 and SHA-1

Which statements best describe shortcut switching? (Choose two)

A. DMVPN provides a scalable configuration model for all involved devices

B. Each spoke router must be configured with a point-to-point interface to the hub

C. All traffic between spoke networks must flow through the hub router

D. Each branch must be configured with a tunnel interface in which dynamic Spoke-to-Spoke tunnels are used for the spoke-to-spoke traffic

You are configuring basic Cisco AnyConnect SSL VPN on the Cisco ASA.
During which step in the process would you configure split tunneling?

A. Configuring identity NAT for client access

B. Enabling Cisco AnyConnect SSL VPN on ASA

C. Edit the default connection profile or create a custom one

D. Edit the default Group Policy or create a custom one

Identify the features of TND. (Choose two)

A. It disconnects the tunnel if the user is in the trusted network

B. It is configured in the client profile

C. It can map and unmap network drives

D. It automatically starts user applications

Which two VPN types are preferred for larger environments that are partially meshed? (Choose two)

A. Dynamic VTI-based

B. GET VPN

C. DMVPN

D. Static VTI-based

What is the first troubleshooting step that should be taken when there is a clientless SSL VPN session establishment issue?

A. Verify user authentication

B. Verify clientless permissions

C. Verify that the SSL/TLS session establishes.

D. Verify user credentials

Based on the output, what is the IP address of the local interface used to access the connected spoke network?

A. 192.0.10.1

B. 198.51.100.1

C. 203.0.133.1

D. 192.0.2.3

When verifying and troubleshooting Cisco AnyConnect IPSec VPN, which tab of the AnyConnect Secure Mobility Client window allows you to confirm that the client has used IPSec/IKEv2 to connect by viewing the transport information?

A. Route Details

B. Firewall

C. Statistics

D. Message History

E. Preferences

Why would you use the Cisco AnyConnect Start Before Logon feature? (Choose two)

A. It is best used when network connectivity depends on user login

B. It allows the client to start before the user logs in to Windows

C. It enables users to log in to Active Directory over a VPN connection

D. It lets you control the use of login scripts and password caching for Linux

What limitations should you consider when using GRE tunneling? (Choose two)

A. There is no standard method to determine the end-to-end state of a GRE tunnel

B. Proprietary GRE keepalives are not supported

C. It provides limited cryptographic traffic protection

D. Tunnels can exhibit MTU and IP fragmentation-related issues

What improvements does IKEv2 provide to IKEv1? (Choose three)

A. Supports dynamically addressed peers with PKI-facilitated authentication

B. Built-in DPD

C. Supports PFS to ensure that a given IPSec SA key is not derived from another secret

D. Better rekeying and collision handling

E. Requires fewer round trips

Before deploying a basic site-to-site VPN, what information should you have? (Choose three)

A. ISAKMP policy

B. Transmission protection

C. Transform set

D. PSK

E. Basic peer authentication

When configuring local VPN authorization, how can you configure the Group Policy with the required restrictions? (Choose two)

A. Define separate Group Policies for clientless and full tunnel users

B. Define one Group Policy for a set of users with similar privileges

C. Define one Group Policy for clientless and full tunnel users

D. Define separate Group Policies for a set of users with similar privileges

Review the output. Which statement is true concerning the output?

A. The HostScan extension can be activated.

B. The HostScan extension cannot be activated.

C. HostScan should be enabled on a branch device, not on an HQ.

D. There is not enough information to determine whether the HostScan extension can be activated.

Which statements best describe dynamic point-to-point VTI tunnels? (Choose two)

A. They simplify the configuration complexity of the VPN hub router

B. They are used to provision hubs in hub-and-spoke VPNs

C. It requires a static mapping of IPSec sessions to a physical interface

D. On the spoke, a dynamic VTI is used to provision its tunnel to the hub

What should you keep in mind in a configuration scenario that uses the local CA function on the Cisco ASA CA user accounts? (Choose two)

A. A certificate-to-connection profile map that binds the user certificate to a connection profile must exist

B. The FQDN includes information like the organizational unit

C. Certificate-based authentication in the required connection profiles is enabled by default

D. Organizational units contain values that are frequently mapped in identity certificates

How do both Cisco ASA and Cisco IOS routers facilitate resource and application access? (Choose two)

A. Thin-client connections

B. URL and CIFS file access

C. Application plugins

D. Smart tunnels

When enabling smart tunnels in the clientless SSL VPN access, what kind of information can you specify? (Choose three)

A. Bookmarks for the security appliance to display

B. Application list entries

C. Smart tunnel session log off method

D. Auto sign-on server list entries

E. Port forwarding list entries

How do nonrepudiation methods provide cryptographic proof of a transaction? (Choose three)

A. The signature can be generated only by the private key owner

B. The hashing algorithm secures the key

C. Digital signatures are used

D. The signature is stored by the receiver as a proof

How is external authorization in AnyConnect SSL VPNs monitored? (Choose two)

A. You can view the downloaded ACL in the ASDM or CLI

B. The Cisco ISE authorization policy selects an authorization profile

C. ISE uses a connection profile to authenticate a user against the ASA

D. The authorization profile is based on the cisco-av-pair=ip:acl attribute

Which information can be obtained using the ASDM when monitoring a Cisco AnyConnect VPN on a server? (Choose three)

A. Applied access rules

B. Applied group policy

C. Connection profile

D. Transport protocol

E. Botnet activity

Which statements best describe the NHRP client-server protocol? (Choose two)

A. It is designed to manage the transportation of multiprotocol and IP multicast traffic between two or more sites, which may only have IP connectivity

B. It creates a mapping for a tunnel IP address to the physical interface IP address for each spoke at the hub

C. It is typically used for simple point-to-point tunnels that emulate a point-to-point WAN link, or on spoke routers in hub-and-spoke VPNs

D. It is used by routers to determine the IP address of the next hop in IP tunneling networks

Which statements best describe dynamic access policies in Cisco clientless SSL VPNs? (Choose two)

A. They are available for remote access VPNs

B. They are manually generated by aggregating attributes from one or more DAP records

C. They are defined as a collection of access control attributes

D. They are generated and then applied to the user tunnel or session

What should you consider when using a hub-and-spoke FlexVPN deployment model? (Choose two)

A. An external AAA server should be used on the hub site

B. The configured payload feature is required

C. All traffic between spoke networks must flow through the hub router

D. Each spoke router must be configured with a point-to-point interface to the hub

You are troubleshooting a failed clientless SSL VPN session establishment. Which two utilities can be used to query the DNS server to troubleshoot issues why the browser cannot resolve the SSL VPN portal's URL? (Choose two)

A. arp

B. dig

C. traceroute

D. ping

E. nslookup

What command can be used to verify whether the ASA device holds the proper license to activate HostScan?

A. show activation-key

B. show license

Which statements regarding the use of parallel DTLS and TLS tunnels are true? (Choose two)

A. The SSL tunnel is used to negotiate and establish the DTLS tunnel.

B. The DTLS tunnel is used to negotiate and establish the SSL/TLS tunnel.

C. Enabling DPD allows for DTLS-to-TLS automatic fallback.

D. DTLS-to-TLS automatic fallback requires IKEv2.

Which three statements are true regarding the use of DART to troubleshoot AnyConnect VPN? (Choose three)

A. It works independently of any installed AnyConnect client software.

B. It is available as a standalone installation.

C. It is integrated into the AnyConnect client package.

D. It requires administrator privileges.

E. It is only available for Windows clients.

Which IPSec encryption mode is the most secure?

A. Tunnel mode

B. Main mode

C. Aggressive mode

D. Transport mode

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?