CCNP Security Practice Test | Secure Mobility (SIMOS)

What would cause the req-failed field to be a number greater than zero on a spoke? (Choose two)

A. Matching network IDs

B. Next-hop server issue

C. SA keepalives failed

D. Authentication key mismatch

What should you consider when defining an IP address pool? (Choose two)

A. By default, no assignment methods are enabled

B. IP addresses that are assigned to the VPN clients will be used as the inner AnyConnect IP addresses

C. The virtual VPN adapter is created during the VPN establishment phase in addition to any physical adapters on the client endpoint

D. The inner IP address is applied to the virtual VPN adapter on the server

What should you consider when configuring split tunneling in a Group Policy? (Choose two)

A. You can select the traffic that the clients will forward through the tunnel

B. By default, all traffic is forwarded through the tunnel using the exclude network list

C. It causes all the client traffic to go through the VPN tunnel

D. It permits the clients the direct access to external resources

You want to display NHRP next-hop server information. Which command should you use?

A. show dmvpn detail

B. show interface tunnel

C. show ip nhrp

D. show ip nhrp nhs detail

Which statements best describe dynamic point-to-point VTI tunnels? (Choose two)

A. They simplify the configuration complexity of the VPN hub router

B. They are used to provision hubs in hub-and-spoke VPNs

C. It requires a static mapping of IPSec sessions to a physical interface

D. On the spoke, a dynamic VTI is used to provision its tunnel to the hub

You are configuring Cisco SSL VPN plugins. Once you have imported the plugins to the Cisco Adaptive Security Appliance.
What further actions can you take? (Choose two)

A. If you are using bookmarks, you can add protocols

B. You can confirm them in the SSL VPN portal

C. You can apply the bookmarks list using the import webvpn url-list command

D. You need to authorize plugin use in group policies

How can Cisco ASA assign IP addresses in an SSL VPN full tunnel solution? (Choose three)

A. Use an IP address connection profile that is configured on the Cisco ASA, and assign the profile to a default or custom address pool

B. Use a Group Policy that is configured on the Cisco ASA, and assign the policy to an IP address pool

C. Use an IP address pool that is configured on the Cisco ASA, and assign the pool to a default or custom Group Policy

D. Use an IP address pool that is configured on the Cisco ASA, and assign the pool to a default or custom connection profile

E. Configure the IP addresses as a part of the user account in the local user database, and enable per-user IP addresses

Which attribute is used to push WebVPN ACEs to clientless SSL VPN sessions?

A. cisco-av-pair=ip:inacl

B. cisco-av-pair=webvpn:inacl

C. IE-Proxy-Exception-List

D. IETF-Radius-Class

What are the benefits of the clientless remote access SSL VPN architecture? (Choose two)

A. It requires a special-purpose desktop VPN client software

B. It supports all IP applications

C. It can traverse most firewalls and NAT devices

D. It uses the native SSL encryption of a web browser to provide data confidentiality

Which statements regarding the verification of DMVPN full-mesh routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Direct routes to other spokes exist from the spoke.

C. A single IKE session is created.

D. Spokes are reachable over the hub.

What steps are required to configure transmission protection? (Choose three)

A. Configure the IKE policy

B. Choose the transform set

C. Choose the VPN peer

D. Enable IKE for each interface

E. Choose traffic for the VPN

What is the purpose of a connection profile? (Choose two)

A. It defines the client privileges

B. It defines prelogin behavior

C. It is a reference to the Group Policy

D. It includes the split tunneling configuration

Identify the multiple client-side authentication options in clientless SSL VPN. (Choose three)

A. Certificate-based and one AAA authentication

B. Double AAA authentication (no certificate) with optional username reuse

C. Double AAA authentication (with certificate) with optional username reuse

D. Certificate-based and two AAA authentication

E. Certificate-based and one AAA authentication, where the username for AAA authentication can be extracted from the certificate subject field and hidden from users

Which statement regarding the FLEX VPN IKEv2 Smart Defaults feature is true?

A. The default mode for the default transform set is tunnel.

B. The default parameters can be modified.

C. The default configuration is displayed by running the show running-config command.

D. Disabling this feature will retain any user modification.

Which statements best describe the NHRP client-server protocol? (Choose two)

A. It is designed to manage the transportation of multiprotocol and IP multicast traffic between two or more sites, which may only have IP connectivity

B. It creates a mapping for a tunnel IP address to the physical interface IP address for each spoke at the hub

C. It is typically used for simple point-to-point tunnels that emulate a point-to-point WAN link, or on spoke routers in hub-and-spoke VPNs

D. It is used by routers to determine the IP address of the next hop in IP tunneling networks

The Cisco ASA uses a hierarchical policy inheritance model.
Which user policies would have the highest priority using this model?

A. Group Policy attached to the connection profile

B. User profile

C. DfltGrpPolicy settings

D. DAP rules

E. Group Policy attached to the user profile

What are the three fields in an X.509v3 certificate? (Choose three)

A. Serial Number

B. Validity Period

C. Owner Full Name

D. Version

E. Usage Order

You are testing an application plugin for a clientless SSL VPN session; however, it will not start. What should be done?

A. Verify that the browser's Java/ActiveX functions.

B. Verify that the smart tunnel agent starts.

C. Verify that the appropriate plugins are loaded.

D. Verify webtype ACLs.

Which two VPN types are preferred for larger environments that are partially meshed? (Choose two)

A. Dynamic VTI-based

B. GET VPN

C. DMVPN

D. Static VTI-based

A tunnel is not forming between two spokes. Which of the following should you verify? (Choose two)

A. NHRP redirect is enabled on the hub

B. NHRP shortcut is enabled on the spoke

C. SA states on the hub and spoke

D. Connectivity between the hub and the spoke

Review the output. Which type of VPN technology is being verified?

A. IPSec SA

B. NHRP next-hop server information

C. EC key pairs

D. Clientless SSL VPN

When verifying and troubleshooting Cisco AnyConnect IPSec VPN, which tab of the AnyConnect Secure Mobility Client window allows you to confirm that the client has used IPSec/IKEv2 to connect by viewing the transport information?

A. Route Details

B. Firewall

C. Statistics

D. Message History

E. Preferences

When configuring router-to-ASA FlexVPN, what match statement rules should you keep in mind? (Choose two)

A. An IKEv2 policy can match multiple FVRF statements

B. An IKEv2 policy can have only one match address local statement

C. An IKEv2 policy can have only one match FVRF statement

D. There is no precedence between match statements of different types

Which secure posture module component is a package that installs on the remote device after the user connects to the Cisco Adaptive Security Appliance and before the user logs in?

A. Integration with dynamic access policies

B. Prelogin assessment

C. Host scan

D. Prelogin policies

What statements accurately describe the similarities and differences between IKEv1 and IKEv2? (Choose two)

A. Both protocols support NAT traversal using UDP port 4500

B. Both protocols utilize two phases

C. IKEv1 is written specifically for IPSec

D. IKEv2 introduces retransmission and acknowledgement functions

You need to implement a PKI solution to protect compromised keys by verifying certificates against a revocation database in real-time. The solution needs to be integrated with common PKI revocation mechanisms.
What should be implemented?

A. SCEP

B. AAA

C. OCSP

D. CRL

You need to implement NGE. Which options would be viable? (Choose three)

A. HMAC-MD5

B. AES-CBC

C. SHA-256

D. ECDH-384

E. AES-GCM

What are the three VPN connection technologies? (Choose three)

A. Full-tunnel client-based IPSec VPN

B. Clientless SSL VPN

C. Full-tunnel clientless LTO VPN

D. Full-tunnel client-based SSL VPN

Before deploying a basic site-to-site VPN, what information should you have? (Choose three)

A. ISAKMP policy

B. Transmission protection

C. Transform set

D. PSK

E. Basic peer authentication

Which information can be obtained using the ASDM when monitoring a Cisco AnyConnect VPN on a server? (Choose three)

A. Applied access rules

B. Applied group policy

C. Connection profile

D. Transport protocol

E. Botnet activity

A connection is not forming between the spoke and the hub. Enter the command that you would use to verify SA states on hub and spoke. (Choose two)

A. show crypto session

B. show crypto session detail

What are the characteristics of split tunneling on Cisco AnyConnect SSL VPN clients? (Choose two)

A. It uses access control for nontunneled destinations

B. It allows some traffic to bypass the tunnel

C. It increases performance

D. It allows all the traffic to bypass the VPN tunnel

Refer to the output. Which statements regarding the output are true? (Choose two)

Refer to the output. Which statements regarding the output are true?

A. IKE Phase 2 was successful.

B. IPSec SAs were successfully completed.

C. IKE proposals are mismatched.

D. Conflicting group and IP addresses exist.

Which FlexVPN configuration block specifies an acceptable combination of security protocols and algorithms for the IPSec SA?

A. IKEv2 keyring

B. IPSec transform set

C. IPSec profile

D. IKEv2 proposal

How is external authorization in AnyConnect SSL VPNs monitored? (Choose two)

A. You can view the downloaded ACL in the ASDM or CLI

B. The Cisco ISE authorization policy selects an authorization profile

C. ISE uses a connection profile to authenticate a user against the ASA

D. The authorization profile is based on the cisco-av-pair=ip:acl attribute

Which site-to-site technology combines IKE/IKEv2, AH, and ESP into a security framework?

A. DMVPN

B. IPSec

C. FlexVPN

D. GET VPN

What is the purpose of FlexVPN? (Choose two)

A. To provide encapsulation

B. To convert cleartext to ciphertext

C. To simplify deployment of VPNs

D. To address the complexity of multiple solutions

You have configured Cisco ASA to allow users to choose a connection profile when connecting to the full-tunnel IKEv2 VPN.
What will occur if the user does not select a connection profile?

A. Users will not be authenticated.

B. Users are assigned to the DefaultRAGroup connection profile.

C. Users are assigned to the DefaultWEBVPNGroup connection profile.

D. Users are assigned to the DefaultL2LGroup connection profile.

Which statements best describe FlexVPN? (Choose two)

A. It is designed to provide interoperable, high-quality, and cryptographically based transmission security to IP traffic

B. It supports per-peer configurations of service parameters, such as QoS, firewall mechanisms, policies, and VRF-related settings

C. It offers a simple but modular framework that extensively uses the tunnel interface paradigm, while remaining compatible with legacy VPN implementations using crypto maps

D. It is used for performing mutual authentication and establishing and maintaining SAs

Which command would be used to verify the number of encrypted and decrypted packets?

A. show crypto ipsec sa

B. show ip route

C. show interface ipsec tunnel

D. show interface tunnel

What information should you consider when monitoring AnyConnect SSL VPNs on the client? (Choose two)

A. Use the Details button to display additional information

B. Split tunneling routes show the subnets that are reachable through tunnel

C. You can select the appropriate access method in ASDM monitoring

D. The monitoring options are in the AnyConnect GUI

Refer to the output. To what is this message referring?

A. Mismatched IKE proposals

B. Mismatched IKE versions

C. Key configuration errors

D. Conflicting peer addresses

What is the first troubleshooting step that should be taken when there is a clientless SSL VPN session establishment issue?

A. Verify user authentication

B. Verify clientless permissions

C. Verify that the SSL/TLS session establishes.

D. Verify user credentials

Which two set of commands will correctly configure EIGRP on the hub in a full mesh DMVPN network? (Choose two)

A. router(config)# router interface tunnel 0
router(config-if)# no ip split-horizon eigrp 1

B. router(config)# router eigrp 1
router(config-router)# no auto-summary

C. router(config)# router interface tunnel 0
router(config-if)# no ip next-hop-self eigrp
router(config-if)# no ip split-horizon eigrp 1

D. router(config)# router interface tunnel0
router(config-if)# no ip next-hop-self eigrp 1

E. router(config)# no auto-summary

Which steps are required to configure basic peer authentication for point-to-point tunnels on the Cisco ASA? (Choose three)

A. Choose the transform set and VPN peer

B. Enable IKEv1, IKEv2, or both on an interface

C. Choose traffic for the VPN

D. Configure PSKs

E. Configure IKE policy

Which component encrypts and decrypts the traffic in a GET VPN deployment?

A. Group Member

B. Group Domain of Interpretation

C. Perfect Forward Secrecy

D. Key Server

What should you keep in mind in a configuration scenario that uses the local CA function on the Cisco ASA CA user accounts? (Choose two)

A. A certificate-to-connection profile map that binds the user certificate to a connection profile must exist

B. The FQDN includes information like the organizational unit

C. Certificate-based authentication in the required connection profiles is enabled by default

D. Organizational units contain values that are frequently mapped in identity certificates

You are configuring DMVPN on a spoke router. The configurations in the output given below have been made on the router.
Which command or set of commands will complete the next step in the configuration on the spoke router?

You are configuring DMVPN on a spoke router. The configurations in the output given below have been made on the router.<br />Which command or set of commands will complete the next step in the configuration on the spoke router?

A. Router1(config-if)#tunnel protection ipsec profile MYIPSECPROFILE

B. Router1(config-if)#ip nhrp network-id 1
Router1(config-if)#ip nhrp authentication HdRtKqX5ZdYaZQjSYPqb
Router1(config-if)#ip nhrp nhs 10.1.1.1
Router1(config-if)#ip nhrp map multicast 172.17.0.1
Router1(config-if)#ip nhrp map

C. Router1(config)#interface Tunnel 0
Router1(config-if)#tunnel mode gre multipoint
Router1(config-if)#tunnel source GigabitEthernet0/0
Router1(config-if)#tunnel key 12345

D. Router1(config-if)#ip address 10.1.1.2 255.255.0.0
Router1(config-if)#ip mtu 1400

Which of the three tools are used with a VPN to combat man-in-the-middle attacks? (Choose three)

A. Packet integrity checking

B. Encryption

C. Device authentication

D. Sequence number randomizing

Which statements regarding the use of parallel DTLS and TLS tunnels are true? (Choose two)

A. The SSL tunnel is used to negotiate and establish the DTLS tunnel.

B. The DTLS tunnel is used to negotiate and establish the SSL/TLS tunnel.

C. Enabling DPD allows for DTLS-to-TLS automatic fallback.

D. DTLS-to-TLS automatic fallback requires IKEv2.

What should you consider when using a hub-and-spoke FlexVPN deployment model? (Choose two)

A. An external AAA server should be used on the hub site

B. The configured payload feature is required

C. All traffic between spoke networks must flow through the hub router

D. Each spoke router must be configured with a point-to-point interface to the hub

Which type of certificate is required for clientless SSL VPN connections to the Cisco ASA?

A. Code signing

B. User

C. Web server

D. Wildcard

During which phase of the SSL/TLS session establishment and key management does data transfer begin?

A. Phase 2: server certificate and key exchange

B. Phase 3: client certificate (if required) and key exchange

C. Phase 4: finish

D. Phase 1: establish client-server security capabilities

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?