CCNP Security Practice Test | Secure Mobility (SIMOS)

When modifying the default DAP, what should you keep in mind? (Choose two)

A. Default DAP has the lowest priority and cannot be deleted

B. Terminate action will act like the default deny statement in an ACL

C. A user connection can match only one DAP record

D. The security appliance does not have a default DAP record

Which configuration will enable the hub router to provide IP addresses to spokes, in a hub-spoke configuration?

A. Crypto IKEv2 authorization policy

B. Crypto IKEv2 profile

C. Virtual template interface

D. Crypto ipsec profile

Which command can be used to prompt remote SSL VPN Client users to download the client and remain until the user responds?

A. svc ask enable default webvpn

B. svc ask enable default webvpn timeout value

C. svc ask enable

D. svc ask enable default svc timeout value

E. svc ask enable default svc

Which SSL VPN portal home page view enables you to verify smart tunnels when they have been configured to start manually?

A. Web Applications

B. VNC Connections

C. Application Access

D. Browse Networks

When using smart tunnel-based application access with SSL VPN, what happens directly after a user connects and authenticates to the SSL VPN portal?

A. The SSL VPN gateway establishes a TCP connection with the real target server and acts as a data relay between the two TCP sessions

B. A smart tunnel configuration downloads and executes the smart tunnel agent on the client system

C. The smart tunnel applet intercepts the TCP connection of the Lotus Sametime client to the real server and forwards the TCP connection to the existing SSL VPN session

D. The SSL VPN gateway extracts the TCP session from the SSL VPN session

Which two protocols are used for full client and clientless connections by Cisco VPNs? (Choose two)

A. SSL

B. Site-to-site

C. SHA

D. IPSec

Refer to the output. To what is this message referring?

A. Mismatched IKE proposals

B. Mismatched IKE versions

C. Key configuration errors

D. Conflicting peer addresses

What are the three fields in an X.509v3 certificate? (Choose three)

A. Serial Number

B. Validity Period

C. Owner Full Name

D. Version

E. Usage Order

What is involved when configuring basic IKE peering using PSKs? (Choose two)

A. Using a RSA exchange of an appropriate strength (group) to provide keying material to IKE and IPSec

B. Using appropriate session lifetimes

C. Using an encryption and hashing algorithm to guarantee confidentiality and authentication of the key management session

D. Using PSKs for mutual authentication

Which of the following are potential issues when troubleshooting FlexVPN spoke-to-spoke shortcut switching? (Choose two)

A. Unsupported tunnel encapsulation modes

B. Incorrect spoke authorization

C. Failure of virtual template and virtual access interfaces on the hub

D. Inconsistent or missing NHRP configuration

Which statements best describe shortcut switching? (Choose two)

A. DMVPN provides a scalable configuration model for all involved devices

B. Each spoke router must be configured with a point-to-point interface to the hub

C. All traffic between spoke networks must flow through the hub router

D. Each branch must be configured with a tunnel interface in which dynamic Spoke-to-Spoke tunnels are used for the spoke-to-spoke traffic

You need to verify the operation of a GRE tunnel. Assuming a routing protocol is configured, what can you do to accomplish this task? (Choose two)

A. Ping the inner tunnel IP address of the remote peer.

B. Observe keepalive messages from logs.

C. Review neighbor adjacencies.

D. Review NHRP statistics

Which statements regarding the verification of DMVPN hub-and-spoke routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Routes are reachable over the spoke

C. A single IKE session is created.

D. Spokes are reachable over the hub.

Identify the features of TND. (Choose two)

A. It disconnects the tunnel if the user is in the trusted network

B. It is configured in the client profile

C. It can map and unmap network drives

D. It automatically starts user applications

Which commands can be used to restore the original IKEv2 Smart Defaults values? (Choose two)

A. default crypto ipsec transform-set

B. default crypto ikev2 proposal

C. no crypto ipsec transform-set default

D. no crypto ikev2 proposal default

What is required when establishing a connection using AnyConnect in Standalone mode? (Choose two)

A. A browser using HTTPS

B. Permanent installation of AnyConnect on the client

C. ASA URL address

D. Username and password

What should you consider when configuring split tunneling in a Group Policy? (Choose two)

A. You can select the traffic that the clients will forward through the tunnel

B. By default, all traffic is forwarded through the tunnel using the exclude network list

C. It causes all the client traffic to go through the VPN tunnel

D. It permits the clients the direct access to external resources

You are troubleshooting a failed clientless SSL VPN session establishment. Which two utilities can be used to query the DNS server to troubleshoot issues why the browser cannot resolve the SSL VPN portal's URL? (Choose two)

A. arp

B. dig

C. traceroute

D. ping

E. nslookup

Review the output. Which type of VPN technology is being verified?

A. IPSec SA

B. NHRP next-hop server information

C. EC key pairs

D. Clientless SSL VPN

Which three characteristics are common amongst asymmetric algorithms? (Choose three)

A. Simpler key management

B. Key management can be an issue

C. Suitable for key exchange

D. Fast compared with symmetric algorithms

E. Suitable for real-time bulk encryption

F. Slow compared to symmetric algorithms

How can Cisco ASA assign IP addresses in an SSL VPN full tunnel solution? (Choose three)

A. Use an IP address connection profile that is configured on the Cisco ASA, and assign the profile to a default or custom address pool

B. Use a Group Policy that is configured on the Cisco ASA, and assign the policy to an IP address pool

C. Use an IP address pool that is configured on the Cisco ASA, and assign the pool to a default or custom Group Policy

D. Use an IP address pool that is configured on the Cisco ASA, and assign the pool to a default or custom connection profile

E. Configure the IP addresses as a part of the user account in the local user database, and enable per-user IP addresses

Which command can be used to verify that DTLS is being used as the transport protocol for a Cisco AnyConnect VPN?

A. show version

B. show traffic

C. show ssh sessions

D. show vpn-sessiondb

Which command would be used to verify the DMVPN NBMA address?

A. show ip nhrp nhs detail

B. show dmvpn detail

C. show ip nhrp

D. show interface tunnel

When configuring a site-to-site VPN using the Cisco Adaptive Security Device Manager, which two options will require you to manually enable IKE on the required interface? (Choose two)

A. Site-to-Site VPN |�Connection Profiles

B. Site-to-Site VPN Wizard

C. Site-to-Site VPN || Interface Profiles

D. Site-to-Site VPN || Advanced

Identify the multiple client-side authentication options in clientless SSL VPN. (Choose three)

A. Certificate-based and one AAA authentication

B. Double AAA authentication (no certificate) with optional username reuse

C. Double AAA authentication (with certificate) with optional username reuse

D. Certificate-based and two AAA authentication

E. Certificate-based and one AAA authentication, where the username for AAA authentication can be extracted from the certificate subject field and hidden from users

Which three pieces of information are required for the client side of a challenge/response authentication using HMAC? (Choose three)

A. Hash function

B. Random number generator

C. Password

D. Challenge data

E. User DB

What are the descriptions that can be applied to a digital signature? (Choose two)

A. Digital signature algorithms provide integrity

B. They use a combination of a hash function and an asymmetric algorithm

C. They are a combination of an HMAC algorithm and a symmetric function

D. They use a public signing key and a private shared key

What should you consider when defining an IP address pool? (Choose two)

A. By default, no assignment methods are enabled

B. IP addresses that are assigned to the VPN clients will be used as the inner AnyConnect IP addresses

C. The virtual VPN adapter is created during the VPN establishment phase in addition to any physical adapters on the client endpoint

D. The inner IP address is applied to the virtual VPN adapter on the server

Which set of commands will correctly configure the local authorization policy?

A. Router(config)#crypto ikev2 authorization policy policy1
Router(config-ikev2-author-policy)#pool flex-pool
Router(config-ikev2-author-policy)#def-domain brocadero.com
Router(config-ikev2-author-policy)#route set interface
Rout

B. Router(config-ikev2-profile)#virtual-template 1

C. Router(config)#crypto ipsec profile default
Router(ipsec-profile)#set ikev2-profile default

D. Router(config)#aaa new-model
Router(config)#aaa authorization network list1 local

Which attribute would you use to apply an ACE to a user session?

A. cisco-av-pair=ip:inacl

B. cisco-av-pair=inacl:ip

C. cisco-av-pair=inacl:webvpn

D. cisco-av-pair=webvpn:inacl

Which application access method is available with Cisco clientless SSL VPNs and is recommended for Linux?

A. Port forwarding

B. Full-tunnel VPN

C. Smart tunnels

D. Application plugins

What is the purpose of FlexVPN? (Choose two)

A. To provide encapsulation

B. To convert cleartext to ciphertext

C. To simplify deployment of VPNs

D. To address the complexity of multiple solutions

Using an SSL VPN full-tunnel solution, you want to have the Cisco ASA assign IP addresses that will allow you to identify which users are connecting to the VPN.
Which IP address assignment solution should be implemented?

A. Configure the IP addresses as part of the user account in the local user database and enable per-user IP addresses.

B. Use a DHCP server that the Cisco ASA security appliance queries to obtain an IP address for remote clients.

C. Use an IP address pool that is configured on the Cisco ASA and assign the pool to a default or custom group policy.

D. Use an IP address pool that is configured on the Cisco ASA and assign the pool to a default or custom connection profile.

When configuring local VPN authorization, how can you configure the Group Policy with the required restrictions? (Choose two)

A. Define separate Group Policies for clientless and full tunnel users

B. Define one Group Policy for a set of users with similar privileges

C. Define one Group Policy for clientless and full tunnel users

D. Define separate Group Policies for a set of users with similar privileges

Based on the output, what is the IP address of the local interface used to access the connected spoke network?

A. 192.0.10.1

B. 198.51.100.1

C. 203.0.133.1

D. 192.0.2.3

What are the features of DTLS? (Choose two)

A. It provides a low-latency data path using TCP

B. It is based on the stream-oriented TLS protocol

C. It is defined in RFC 4345

D. It mitigates latency and bandwidth problems that are associated with some SSL-only connections

Which of the three tools are used with a VPN to combat man-in-the-middle attacks? (Choose three)

A. Packet integrity checking

B. Encryption

C. Device authentication

D. Sequence number randomizing

Refer to the output. Which statements regarding the output are true? (Choose two)

Refer to the output. Which statements regarding the output are true?

A. SAs have been negotiated.

B. Packet compression is non-operational.

C. The tunnel is operational.

D. The SA has expired.

Which three statements regarding the FlexVPN Architecture are true? (Choose three)

A. It provides a modular framework.

B. It is a legacy technology.

C. It is backward compatible with IKEv1.

D. It provides a single configuration approach for all VPN types.

E. It provides features such as QoS.

A connection is not forming between the spoke and the hub. Enter the command that you would use to verify SA states on hub and spoke. (Choose two)

A. show crypto session

B. show crypto session detail

Which items could prevent the encrypted and decrypted packet counters from increasing? (Choose two)

A. Routing

B. IPSec SAs

C. Keepalives

D. Neighbor adjacencies

Users are unable to establish clientless SSL VPN connections. The most basic requirements for a functional SSL VPN have been verified. Upon further investigation, you notice an SSL lib error recorded in the logging information.
What is the most likely reason why users are unable to establish connections?

A. There is a cipher mismatch.

B. The VPN server and client are using mismatched SSL ports.

C. There is no IP/TCP connectivity between the VPN server and client.

D. The SSL VPN is not enabled on the correct interface.

Which statement regarding the FLEX VPN IKEv2 Smart Defaults feature is true?

A. The default mode for the default transform set is tunnel.

B. The default parameters can be modified.

C. The default configuration is displayed by running the show running-config command.

D. Disabling this feature will retain any user modification.

What are the prerequisites for the AnyConnect SSL VPN deployment? (Choose two)

A. Configure support for DTLS

B. Enable the SSL VPN function on the interface

C. Install the Cisco AnyConnect client software image on the Cisco ASA

D. Provision an identity server SSL/TLS certificate to the Cisco ASA

You are testing an application plugin for a clientless SSL VPN session; however, it will not start. What should be done?

A. Verify that the browser's Java/ActiveX functions.

B. Verify that the smart tunnel agent starts.

C. Verify that the appropriate plugins are loaded.

D. Verify webtype ACLs.

You are creating an IKEv2 policy. Which command will ensure that a packet has not been modified during transit?

A. ASA(config-ikev2-policy)#integrity md5

B. ASA(config-ikev2-policy)#hash sha

C. ASA(config-ikev2-policy)#group 5

D. ASA(config-ikev2-policy)#encryption aes-256

When a clientless SSL VPN user successfully authenticates to the Cisco Adaptive Security Appliance, the user is presented with a web portal where they can access protected resources behind the Cisco ASA.
What types of applications can a user access by default? (Choose two)

A. File shares using CIFS and FTP

B. Internal web pages and web-based applications using HTTP and HTTPS

C. File shares using TFTP

D. Internal web pages and web-based applications using HTTP and NNTP

When troubleshooting a connectivity issue, what can be used to verify that a Cisco AnyConnect connection is using IPSec/IKEv2?

A. IP Source Guard

B. Botnet Traffic Filter

C. HTTP Inspector

D. Cisco AnyConnect Secure Mobility Client Statistics tab

You are configuring basic Cisco AnyConnect SSL VPN on the Cisco ASA.
During which step in the process would you configure split tunneling?

A. Configuring identity NAT for client access

B. Enabling Cisco AnyConnect SSL VPN on ASA

C. Edit the default connection profile or create a custom one

D. Edit the default Group Policy or create a custom one

Which troubleshooting command can be used to monitor an active view of AnyConnect client web browser SSL sessions?

A. debug webvpn util

B. debug webvpn html

C. debug webvpn url

D. debug webvpn svc

All client traffic is utilizing the VPN tunnel. Clients accessing the Internet should have direct access to external data. What should be enabled?

A. AnyConnect SSL VPN

B. Identity NAT

C. SCEP

D. Split tunneling

Which three operating systems support the AnyConnect 3.1 IPv6 feature? (Choose three)

A. Windows XP (32-bit)

B. Red Hat Enterprise Linux 6.4 (64-bit)

C. Windows 8.1 (64-bit)

D. Windows Vista (64-bit)

E. Mac OS X 10.6

Which attribute is used to push WebVPN ACEs to clientless SSL VPN sessions?

A. cisco-av-pair=ip:inacl

B. cisco-av-pair=webvpn:inacl

C. IE-Proxy-Exception-List

D. IETF-Radius-Class

Which statements best describe two-factor authentication? (Choose two)

A. It has a username prefill feature

B. ASA validates the certificate and then prompts for credentials

C. It is enabled in the Group Policy

D. You can combine machine certificate validation with user password authentication when using the username prefill feature

What limitations should you consider when using GRE tunneling? (Choose two)

A. There is no standard method to determine the end-to-end state of a GRE tunnel

B. Proprietary GRE keepalives are not supported

C. It provides limited cryptographic traffic protection

D. Tunnels can exhibit MTU and IP fragmentation-related issues

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?