CCNP Security Practice Test | Secure Mobility (SIMOS)

When configuring router-to-ASA FlexVPN, what match statement rules should you keep in mind? (Choose two)

A. An IKEv2 policy can match multiple FVRF statements

B. An IKEv2 policy can have only one match address local statement

C. An IKEv2 policy can have only one match FVRF statement

D. There is no precedence between match statements of different types

You are configuring DMVPN on a spoke router. The configurations in the output given below have been made on the router.
Which command or set of commands will complete the next step in the configuration on the spoke router?

You are configuring DMVPN on a spoke router. The configurations in the output given below have been made on the router.<br />Which command or set of commands will complete the next step in the configuration on the spoke router?

A. Router1(config-if)#tunnel protection ipsec profile MYIPSECPROFILE

B. Router1(config-if)#ip nhrp network-id 1
Router1(config-if)#ip nhrp authentication HdRtKqX5ZdYaZQjSYPqb
Router1(config-if)#ip nhrp nhs 10.1.1.1
Router1(config-if)#ip nhrp map multicast 172.17.0.1
Router1(config-if)#ip nhrp map

C. Router1(config)#interface Tunnel 0
Router1(config-if)#tunnel mode gre multipoint
Router1(config-if)#tunnel source GigabitEthernet0/0
Router1(config-if)#tunnel key 12345

D. Router1(config-if)#ip address 10.1.1.2 255.255.0.0
Router1(config-if)#ip mtu 1400

You want to display NHRP next-hop server information. Which command should you use?

A. show dmvpn detail

B. show interface tunnel

C. show ip nhrp

D. show ip nhrp nhs detail

What are the characteristics of symmetric algorithms? (Choose three)

A. Efficient, fast, and simple to accelerate in hardware

B. Typical key lengths are in thousands of bits

C. Examples are RSA and ECC

D. Suitable for real-time bulk encryption

E. Generally used for digital signatures or key exchanges

F. Examples are 3DES, RC4, SEAL, AES, and Blowfish

What are the three VPN connection technologies? (Choose three)

A. Full-tunnel client-based IPSec VPN

B. Clientless SSL VPN

C. Full-tunnel clientless LTO VPN

D. Full-tunnel client-based SSL VPN

When configuring an IPSec profile to support IKEv2 and Cisco AnyConnect, what should you do immediately after enabling IKEv2 on the outside interface, choosing an interface certificate, and enabling Client Services?

A. Create an IKEv2 group

B. Connect and update the client profile

C. Create and edit a Cisco AnyConnect connection profile

D. Create and edit a client connection profile

How is external authorization in AnyConnect SSL VPNs monitored? (Choose two)

A. You can view the downloaded ACL in the ASDM or CLI

B. The Cisco ISE authorization policy selects an authorization profile

C. ISE uses a connection profile to authenticate a user against the ASA

D. The authorization profile is based on the cisco-av-pair=ip:acl attribute

Which command can be used to prompt remote SSL VPN Client users to download the client and remain until the user responds?

A. svc ask enable default webvpn

B. svc ask enable default webvpn timeout value

C. svc ask enable

D. svc ask enable default svc timeout value

E. svc ask enable default svc

What does SSL/TLS provide? (Choose two)

A. Data integrity to ensure that data hasn't been modified in transit

B. Endpoint authentication on the server only

C. Support for native application clients

D. Encryption to ensure data is only readable by the intended recipient

Which statement regarding the FLEX VPN IKEv2 Smart Defaults feature is true?

A. The default mode for the default transform set is tunnel.

B. The default parameters can be modified.

C. The default configuration is displayed by running the show running-config command.

D. Disabling this feature will retain any user modification.

What should you consider when using a hub-and-spoke FlexVPN deployment model? (Choose two)

A. An external AAA server should be used on the hub site

B. The configured payload feature is required

C. All traffic between spoke networks must flow through the hub router

D. Each spoke router must be configured with a point-to-point interface to the hub

Which steps are required to configure basic peer authentication for point-to-point tunnels on the Cisco ASA? (Choose three)

A. Choose the transform set and VPN peer

B. Enable IKEv1, IKEv2, or both on an interface

C. Choose traffic for the VPN

D. Configure PSKs

E. Configure IKE policy

How does the Cisco ASA enables a user to choose connection profiles? (Choose two)

A. By choosing a connection profile from a drop-down list and then successfully authenticating it against the profile to obtain network access

B. By connecting to a VPN group URL that is associated with the connection profile

C. By using a field in a digital certificate

D. By mapping the user to the default connection profile

What limitations should you consider when using GRE tunneling? (Choose two)

A. There is no standard method to determine the end-to-end state of a GRE tunnel

B. Proprietary GRE keepalives are not supported

C. It provides limited cryptographic traffic protection

D. Tunnels can exhibit MTU and IP fragmentation-related issues

Which secure posture module component is a package that installs on the remote device after the user connects to the Cisco Adaptive Security Appliance and before the user logs in?

A. Integration with dynamic access policies

B. Prelogin assessment

C. Host scan

D. Prelogin policies

Which command was used to view the data presented in the output given below?

A. show crypto ipsec sa

B. show interfaces virtual-access

C. show crypto isakmp sa detail

D. show crypto ikev2 sa

Which step of configuring Cisco AnyConnect Start Before Logon involves making changes to the AnyConnect profile, and enabling the Cisco ASA to download the AnyConnect module for SBL?

A. Enabling the PLAP capability in Windows

B. Adding the SBL components to Windows

C. Logging in to Windows using SBL

D. Configuring SBL in the client profile

You are creating an IKEv2 policy. Which command will ensure that a packet has not been modified during transit?

A. ASA(config-ikev2-policy)#integrity md5

B. ASA(config-ikev2-policy)#hash sha

C. ASA(config-ikev2-policy)#group 5

D. ASA(config-ikev2-policy)#encryption aes-256

How are clientless password-based users handled in SSL VPN authentication? (Choose two)

A. It is mandatory to use AAA authentication

B. If no profile is chosen, the Cisco ASA will assign them to the DefaultWEBVPNGroup connection profile

C. If no profile is chosen, the Cisco ASA will assign them to the DefaultRAGroup connection profile

D. They may be permitted to select a connection profile from the selection menu or group URL

Which statements best describe shortcut switching? (Choose two)

A. DMVPN provides a scalable configuration model for all involved devices

B. Each spoke router must be configured with a point-to-point interface to the hub

C. All traffic between spoke networks must flow through the hub router

D. Each branch must be configured with a tunnel interface in which dynamic Spoke-to-Spoke tunnels are used for the spoke-to-spoke traffic

You are testing an application plugin for a clientless SSL VPN session; however, it will not start. What should be done?

A. Verify that the browser's Java/ActiveX functions.

B. Verify that the smart tunnel agent starts.

C. Verify that the appropriate plugins are loaded.

D. Verify webtype ACLs.

What are the descriptions that can be applied to a digital signature? (Choose two)

A. Digital signature algorithms provide integrity

B. They use a combination of a hash function and an asymmetric algorithm

C. They are a combination of an HMAC algorithm and a symmetric function

D. They use a public signing key and a private shared key

What common clientless SSL VPN issue involves troubleshooting by analyzing the integration with an external server such as Cisco Identity Services Engine?

A. A clientless SSL VPN is not enabled on the interface

B. Mismatch between one supported SSL cipher and another supported SSL cipher

C. Mismatch between client-side and server-side SSL ports

D. Authentication, when offloaded to external databases

Review the output. Which type of VPN technology is being verified?

A. IPSec SA

B. NHRP next-hop server information

C. EC key pairs

D. Clientless SSL VPN

A connection is not forming between the spoke and the hub. Enter the command that you would use to verify SA states on hub and spoke. (Choose two)

A. show crypto session

B. show crypto session detail

What should you keep in mind in a configuration scenario that uses the local CA function on the Cisco ASA CA user accounts? (Choose two)

A. A certificate-to-connection profile map that binds the user certificate to a connection profile must exist

B. The FQDN includes information like the organizational unit

C. Certificate-based authentication in the required connection profiles is enabled by default

D. Organizational units contain values that are frequently mapped in identity certificates

You need to verify the operation of a GRE tunnel. Assuming a routing protocol is configured, what can you do to accomplish this task? (Choose two)

A. Ping the inner tunnel IP address of the remote peer.

B. Observe keepalive messages from logs.

C. Review neighbor adjacencies.

D. Review NHRP statistics

What is the first troubleshooting step that should be taken when there is a clientless SSL VPN session establishment issue?

A. Verify user authentication

B. Verify clientless permissions

C. Verify that the SSL/TLS session establishes.

D. Verify user credentials

What client authentication options are available in the basic AnyConnect SSL VPN? (Choose two)

A. Locally configured static passwords

B. Local user database

C. Connection profile local pool

D. Group Policy

All client traffic is utilizing the VPN tunnel. Clients accessing the Internet should have direct access to external data. What should be enabled?

A. AnyConnect SSL VPN

B. Identity NAT

C. SCEP

D. Split tunneling

Which three security algorithms are minimally recommended when configuring IKE VPN technologies? (Choose three)

A. SHA-1

B. DES

C. MD5

D. 3DES

E. Group 5

F. Group 14

G. AES-CBC-128

H. SHA-256

What is the first required step in configuring a DMVPN spoke?

A. Configure an IPSec profile with an optional transform set

B. Create an mGRE tunnel interface

C. Generate or configure hub authentication credentials

D. Associate the IPSec profile with the mGRE interface

Which commands can be used to restore the original IKEv2 Smart Defaults values? (Choose two)

A. default crypto ipsec transform-set

B. default crypto ikev2 proposal

C. no crypto ipsec transform-set default

D. no crypto ikev2 proposal default

Which statements regarding the verification of DMVPN full-mesh routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Direct routes to other spokes exist from the spoke.

C. A single IKE session is created.

D. Spokes are reachable over the hub.

A user indicates that they are unable to access a file server share. You believe that you have misconfigured webtype ACLs.
What is the easiest method of verifying this?

A. View the Cisco ASA's logging output.

B. View predefined bookmarks.

C. View output from the traceroute command.

D. View DNS group configuration.

The Cisco ASA uses a hierarchical policy inheritance model.
Which user policies would have the highest priority using this model?

A. Group Policy attached to the connection profile

B. User profile

C. DfltGrpPolicy settings

D. DAP rules

E. Group Policy attached to the user profile

What are the characteristics of split tunneling on Cisco AnyConnect SSL VPN clients? (Choose two)

A. It uses access control for nontunneled destinations

B. It allows some traffic to bypass the tunnel

C. It increases performance

D. It allows all the traffic to bypass the VPN tunnel

You are troubleshooting a failed clientless SSL VPN session establishment. Which two utilities can be used to query the DNS server to troubleshoot issues why the browser cannot resolve the SSL VPN portal's URL? (Choose two)

A. arp

B. dig

C. traceroute

D. ping

E. nslookup

Which three statements are true regarding the use of DART to troubleshoot AnyConnect VPN? (Choose three)

A. It works independently of any installed AnyConnect client software.

B. It is available as a standalone installation.

C. It is integrated into the AnyConnect client package.

D. It requires administrator privileges.

E. It is only available for Windows clients.

What is ESP encapsulation designed to provide? (Choose four)

A. Confidentiality

B. Authenticity

C. Overhead

D. Payload

E. Anti replay

F. Integrity

Which two statements regarding the version of IKE used with FlexVPN are true? (Choose two)

A. It uses stateless cookies.

B. It can only be used with IPSec.

C. It operates over UDP port 4500.

D. It supports NAT traversal over UDP port 500.

E. Each peer maintains its own local policy.

You need to alter the effects of forwarding an HTTP applet proxy to the client. Which browser is required to complete this task?

A. Safari

B. Google Chrome

C. Microsoft Internet Explorer

D. Mozilla Firefox

When using double or triple authentication for Cisco AnyConnect SSL VPN users, what combinations are possible? (Choose three)

A. RSA/SDI + LDAP authentication

B. LDAP authentication + RADIUS

C. RSA/SDI + RADIUS

D. Certificates + RADIUS + RSA/SDI

E. Certificates + RADIUS

When troubleshooting a FlexVPN spoke configuration, which command is used to verify whether both spokes have a virtual-access interface present?

A. show ip nhrp traffic

B. show ip nhrp

C. show ip interface brief

D. show crypto session

Which component is responsible for group key and SA management in a GET VPN deployment?

A. Perfect Forward Secrecy

B. Group Member

C. Key Server

D. Group Domain of Interpretation

What are the three main modules, from a design standpoint, where you would use VPN technologies? (Choose three)

A. Enterprise Branch Edge

B. WAN Edge

C. Enterprise Internet Edge

D. Campus Edge

E. Virtual User Edge

F. Enforce Edge

Which component encrypts and decrypts the traffic in a GET VPN deployment?

A. Group Member

B. Group Domain of Interpretation

C. Perfect Forward Secrecy

D. Key Server

Which feature enables users to use native client applications without administrative rights?

A. Smart tunnels

B. Clientless SSL VPN Plugins

C. Authentication using External CA

D. AAA

Which command is used to verify NHRP mapping information on a DMVPN?

A. show dmvpn detail

B. show ip route

C. show ip nhrp nhs detail

D. show ip nhrp

E. show interface tunnel

Which two statements are true regarding GET VPN compatibility with network devices? (Choose two)

A. Cisco IOS routers do not support GET VPN

B. Cisco ASA security appliances support GET VPN

C. Cisco ASA security appliances does not support GET VPN.

D. Cisco IOS routers support GET VPN.

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?