CCNP Security Practice Test | Secure Mobility (SIMOS)

All client traffic is utilizing the VPN tunnel. Clients accessing the Internet should have direct access to external data. What should be enabled?

A. AnyConnect SSL VPN

B. Identity NAT

C. SCEP

D. Split tunneling

What should you keep in mind when using client authentication with an external CA? (Choose two)

A. The users must have the root certificate preinstalled in their browsers

B. The security appliance receives the root certificate of the external CA and enrolls with the CA to obtain its identity certificate

C. The enterprise can manage its own CA so users do not need to enroll with the CA to obtain their identity certificates

D. The entities use the self-signed root certificate to verify the authenticity of the peer certificate

Which of the following are potential issues when troubleshooting FlexVPN spoke-to-spoke shortcut switching? (Choose two)

A. Unsupported tunnel encapsulation modes

B. Incorrect spoke authorization

C. Failure of virtual template and virtual access interfaces on the hub

D. Inconsistent or missing NHRP configuration

What is the purpose of a connection profile? (Choose two)

A. It defines the client privileges

B. It defines prelogin behavior

C. It is a reference to the Group Policy

D. It includes the split tunneling configuration

Which statements regarding the verification of DMVPN full-mesh routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Direct routes to other spokes exist from the spoke.

C. A single IKE session is created.

D. Spokes are reachable over the hub.

What command can be used to verify whether the ASA device holds the proper license to activate HostScan?

A. show activation-key

B. show license

Which two set of commands will correctly configure EIGRP on the hub in a full mesh DMVPN network? (Choose two)

A. router(config)# router interface tunnel 0
router(config-if)# no ip split-horizon eigrp 1

B. router(config)# router eigrp 1
router(config-router)# no auto-summary

C. router(config)# router interface tunnel 0
router(config-if)# no ip next-hop-self eigrp
router(config-if)# no ip split-horizon eigrp 1

D. router(config)# router interface tunnel0
router(config-if)# no ip next-hop-self eigrp 1

E. router(config)# no auto-summary

When configuring a site-to-site VPN using the Cisco Adaptive Security Device Manager, which two options will require you to manually enable IKE on the required interface? (Choose two)

A. Site-to-Site VPN |�Connection Profiles

B. Site-to-Site VPN Wizard

C. Site-to-Site VPN || Interface Profiles

D. Site-to-Site VPN || Advanced

Which two VPN types are preferred for larger environments that are partially meshed? (Choose two)

A. Dynamic VTI-based

B. GET VPN

C. DMVPN

D. Static VTI-based

Which information is used to determine whether a tunnel negotiated via Phase 2 is operating?

A. Inbound ESP SA

B. IKE state

C. Encrypted and decrypted packets

D. Local and remote Crypto endpoints

Which component encrypts and decrypts the traffic in a GET VPN deployment?

A. Group Member

B. Group Domain of Interpretation

C. Perfect Forward Secrecy

D. Key Server

Which statements regarding the verification of DMVPN hub-and-spoke routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Routes are reachable over the spoke

C. A single IKE session is created.

D. Spokes are reachable over the hub.

Which three security algorithms are minimally recommended when configuring IKE VPN technologies? (Choose three)

A. SHA-1

B. DES

C. MD5

D. 3DES

E. Group 5

F. Group 14

G. AES-CBC-128

H. SHA-256

How are clientless password-based users handled in SSL VPN authentication? (Choose two)

A. It is mandatory to use AAA authentication

B. If no profile is chosen, the Cisco ASA will assign them to the DefaultWEBVPNGroup connection profile

C. If no profile is chosen, the Cisco ASA will assign them to the DefaultRAGroup connection profile

D. They may be permitted to select a connection profile from the selection menu or group URL

Which two statements are true regarding GET VPN compatibility with network devices? (Choose two)

A. Cisco IOS routers do not support GET VPN

B. Cisco ASA security appliances support GET VPN

C. Cisco ASA security appliances does not support GET VPN.

D. Cisco IOS routers support GET VPN.

A connection is not forming between the spoke and the hub. Enter the command that you would use to verify SA states on hub and spoke. (Choose two)

A. show crypto session

B. show crypto session detail

Which of the protocols transmit data in plaintext and are susceptible to man-in-the-middle attacks? (Choose three)

A. Telnet

B. HTTP

C. HTTPS

D. FTP

What happens in the second step of verifying multiple client authentication when the SSL VPN server requests the user credentials? (Choose two)

A. A browser connects to the SSL VPN

B. The browser submits the certificate-based authentication

C. If the username field is unavailable, then the client cannot alter the username

D. If the username prefill feature is enabled, then the username field is already filled in (the name is pulled from the certificate subject field) and made unavailable

What are the three fields in an X.509v3 certificate? (Choose three)

A. Serial Number

B. Validity Period

C. Owner Full Name

D. Version

E. Usage Order

Which statement best describes the purpose of Cisco IPSec VTI?

A. It is designed to provide a mix of security services in IPv4 and IPv6

B. It ensures that a given IPSec SA key was not derived from another secret

C. It is designed to provide crypto-graphically based transmission security to IP traffic

D. It can be used to configure IPSec-based VPNs between site-to-site devices

What limitations should you consider when using GRE tunneling? (Choose two)

A. There is no standard method to determine the end-to-end state of a GRE tunnel

B. Proprietary GRE keepalives are not supported

C. It provides limited cryptographic traffic protection

D. Tunnels can exhibit MTU and IP fragmentation-related issues

Which Cisco ASA application plugin allows for connections to WinFrame-based terminal services?

A. SSH

B. RDP2

C. VNC

D. ICA

E. RDP

Which statements best describe FlexVPN? (Choose two)

A. It is designed to provide interoperable, high-quality, and cryptographically based transmission security to IP traffic

B. It supports per-peer configurations of service parameters, such as QoS, firewall mechanisms, policies, and VRF-related settings

C. It offers a simple but modular framework that extensively uses the tunnel interface paradigm, while remaining compatible with legacy VPN implementations using crypto maps

D. It is used for performing mutual authentication and establishing and maintaining SAs

You are configuring split tunneling on the Cisco ASA device via the CLI. You have created an access list named "STACL". Enter the command to specify this access list to be used for split tunneling.

Which two modes identify the phase one ISAKMP operation modes? (Choose two)

A. SA mode

B. Main mode

C. Aggressive mode

D. Transport mode

What are the two aspects of effectively managing the VPN users and their access privileges in any remote access VPN design? (Choose two)

A. Authentication is achieved by using a user's organization group information and other attributes, such as endpoint security posture and time of day

B. A scalable and secure solution to authenticate users

C. Assignments allow an SSL VPN gateway to assign the user to a policy group

D. Decisions on what access privilege to grant to the users based on various user and security attributes

Which statements best describe the NHRP client-server protocol? (Choose two)

A. It is designed to manage the transportation of multiprotocol and IP multicast traffic between two or more sites, which may only have IP connectivity

B. It creates a mapping for a tunnel IP address to the physical interface IP address for each spoke at the hub

C. It is typically used for simple point-to-point tunnels that emulate a point-to-point WAN link, or on spoke routers in hub-and-spoke VPNs

D. It is used by routers to determine the IP address of the next hop in IP tunneling networks

Which statements best describe dynamic point-to-point VTI tunnels? (Choose two)

A. They simplify the configuration complexity of the VPN hub router

B. They are used to provision hubs in hub-and-spoke VPNs

C. It requires a static mapping of IPSec sessions to a physical interface

D. On the spoke, a dynamic VTI is used to provision its tunnel to the hub

Refer to the output. To what is this message referring?

A. Mismatched IKE proposals

B. Mismatched IKE versions

C. Key configuration errors

D. Conflicting peer addresses

What improvements does IKEv2 provide to IKEv1? (Choose three)

A. Supports dynamically addressed peers with PKI-facilitated authentication

B. Built-in DPD

C. Supports PFS to ensure that a given IPSec SA key is not derived from another secret

D. Better rekeying and collision handling

E. Requires fewer round trips

When configuring router-to-ASA FlexVPN, what match statement rules should you keep in mind? (Choose two)

A. An IKEv2 policy can match multiple FVRF statements

B. An IKEv2 policy can have only one match address local statement

C. An IKEv2 policy can have only one match FVRF statement

D. There is no precedence between match statements of different types

What are the five fundamental components of security that cryptography provides for VPNs? (Choose five)

A. Authentication

B. Confidentiality

C. Key Management

D. Address Management

E. Integrity

F. Nonrepudiation

When an SSL client is authenticated, in addition to the server, which additional exchanges are required? (Choose two)

A. After the server sends its certificate to the client, the server will request that the client sends its certificate in return

B. The server sends a change cipher specification message that tells the client that all subsequent messages from the server will use the negotiated security

C. The client sends a change cipher specification message that tells the server to activate the negotiated cipher suite

D. After the client sends the client key exchange, the client sends a certificate verify message

Which SSL VPN portal home page view enables you to verify smart tunnels when they have been configured to start manually?

A. Web Applications

B. VNC Connections

C. Application Access

D. Browse Networks

Which three operating systems support the AnyConnect 3.1 IPv6 feature? (Choose three)

A. Windows XP (32-bit)

B. Red Hat Enterprise Linux 6.4 (64-bit)

C. Windows 8.1 (64-bit)

D. Windows Vista (64-bit)

E. Mac OS X 10.6

What is the first required step in configuring a DMVPN spoke?

A. Configure an IPSec profile with an optional transform set

B. Create an mGRE tunnel interface

C. Generate or configure hub authentication credentials

D. Associate the IPSec profile with the mGRE interface

Based on the output, what is the IP address of the local interface used to access the connected spoke network?

A. 192.0.10.1

B. 198.51.100.1

C. 203.0.133.1

D. 192.0.2.3

You need to implement a PKI solution to protect compromised keys by verifying certificates against a revocation database in real-time. The solution needs to be integrated with common PKI revocation mechanisms.
What should be implemented?

A. SCEP

B. AAA

C. OCSP

D. CRL

Which statement is true regarding a Cisco ASA security appliance and IPSec?

A. AH is not supported.

B. IKEv2 is supported but IKEv1 is not supported.

C. ISAKMP is supported but IKE is not supported.

D. ESP is not supported.

Which command is used to verify that the ECDSA keys have been successfully generated?

A. show crypto key

B. show crypto ipsec sa detail

C. show crypto ipsec sa

D. show crypto pki certificates verbose

When troubleshooting a connectivity issue, what information can be obtained using the Route Details tab of the Cisco AnyConnect Secure Mobility Client?

A. The tunneling protocol that is in use

B. User configured settings

C. The networks that are reachable through the tunnel

D. Errors that occurred during a connection attempt

When troubleshooting a connectivity issue, what can be used to verify that a Cisco AnyConnect connection is using IPSec/IKEv2?

A. IP Source Guard

B. Botnet Traffic Filter

C. HTTP Inspector

D. Cisco AnyConnect Secure Mobility Client Statistics tab

You are creating an IKEv2 policy. Which command will ensure that a packet has not been modified during transit?

A. ASA(config-ikev2-policy)#integrity md5

B. ASA(config-ikev2-policy)#hash sha

C. ASA(config-ikev2-policy)#group 5

D. ASA(config-ikev2-policy)#encryption aes-256

What client authentication options are available in the basic AnyConnect SSL VPN? (Choose two)

A. Locally configured static passwords

B. Local user database

C. Connection profile local pool

D. Group Policy

How can Cisco ASA assign IP addresses in an SSL VPN full tunnel solution? (Choose three)

A. Use an IP address connection profile that is configured on the Cisco ASA, and assign the profile to a default or custom address pool

B. Use a Group Policy that is configured on the Cisco ASA, and assign the policy to an IP address pool

C. Use an IP address pool that is configured on the Cisco ASA, and assign the pool to a default or custom Group Policy

D. Use an IP address pool that is configured on the Cisco ASA, and assign the pool to a default or custom connection profile

E. Configure the IP addresses as a part of the user account in the local user database, and enable per-user IP addresses

Which secure posture module component is a package that installs on the remote device after the user connects to the Cisco Adaptive Security Appliance and before the user logs in?

A. Integration with dynamic access policies

B. Prelogin assessment

C. Host scan

D. Prelogin policies

Which feature enables users to use native client applications without administrative rights?

A. Smart tunnels

B. Clientless SSL VPN Plugins

C. Authentication using External CA

D. AAA

Which two statements regarding the version of IKE used with FlexVPN are true? (Choose two)

A. It uses stateless cookies.

B. It can only be used with IPSec.

C. It operates over UDP port 4500.

D. It supports NAT traversal over UDP port 500.

E. Each peer maintains its own local policy.

Review the output. Which type of VPN technology has been configured?

A. FlexVPN

B. DMVPN

C. IPSec VPN

D. GETVPN

Which type of certificate is required for clientless SSL VPN connections to the Cisco ASA?

A. Code signing

B. User

C. Web server

D. Wildcard

Which configuration will enable the hub router to provide IP addresses to spokes, in a hub-spoke configuration?

A. Crypto IKEv2 authorization policy

B. Crypto IKEv2 profile

C. Virtual template interface

D. Crypto ipsec profile

You want to display NHRP next-hop server information. Which command should you use?

A. show dmvpn detail

B. show interface tunnel

C. show ip nhrp

D. show ip nhrp nhs detail

Which component is responsible for group key and SA management in a GET VPN deployment?

A. Perfect Forward Secrecy

B. Group Member

C. Key Server

D. Group Domain of Interpretation

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?