CCNP Security Practice Test | Secure Mobility (SIMOS)

What common clientless SSL VPN issue involves troubleshooting by analyzing the integration with an external server such as Cisco Identity Services Engine?

A. A clientless SSL VPN is not enabled on the interface

B. Mismatch between one supported SSL cipher and another supported SSL cipher

C. Mismatch between client-side and server-side SSL ports

D. Authentication, when offloaded to external databases

Refer to the output. Which statements regarding the output are true? (Choose two)

Refer to the output. Which statements regarding the output are true?

A. IKE Phase 2 was successful.

B. IPSec SAs were successfully completed.

C. IKE proposals are mismatched.

D. Conflicting group and IP addresses exist.

Which command was used to view the data presented in the output given below?

A. show crypto ipsec sa

B. show interfaces virtual-access

C. show crypto isakmp sa detail

D. show crypto ikev2 sa

Which set of commands will correctly configure the local authorization policy?

A. Router(config)#crypto ikev2 authorization policy policy1
Router(config-ikev2-author-policy)#pool flex-pool
Router(config-ikev2-author-policy)#def-domain brocadero.com
Router(config-ikev2-author-policy)#route set interface
Rout

B. Router(config-ikev2-profile)#virtual-template 1

C. Router(config)#crypto ipsec profile default
Router(ipsec-profile)#set ikev2-profile default

D. Router(config)#aaa new-model
Router(config)#aaa authorization network list1 local

Which statements best describe the handshake phase of SSL connections? (Choose two)

A. SSL encrypts the data traffic and ensures data confidentiality and integrity

B. It typically uses RSA as the public key algorithm

C. It ensures authentication of the server and, optionally, of the client

D. Data integrity is achieved using message digest algorithms such as MD5 and SHA-1

You are testing an application plugin for a clientless SSL VPN session; however, it will not start. What should be done?

A. Verify that the browser's Java/ActiveX functions.

B. Verify that the smart tunnel agent starts.

C. Verify that the appropriate plugins are loaded.

D. Verify webtype ACLs.

What are the prerequisites for the AnyConnect SSL VPN deployment? (Choose two)

A. Configure support for DTLS

B. Enable the SSL VPN function on the interface

C. Install the Cisco AnyConnect client software image on the Cisco ASA

D. Provision an identity server SSL/TLS certificate to the Cisco ASA

Which two statements are true regarding GET VPN compatibility with network devices? (Choose two)

A. Cisco IOS routers do not support GET VPN

B. Cisco ASA security appliances support GET VPN

C. Cisco ASA security appliances does not support GET VPN.

D. Cisco IOS routers support GET VPN.

You are creating an IKEv2 policy. Which command will ensure that a packet has not been modified during transit?

A. ASA(config-ikev2-policy)#integrity md5

B. ASA(config-ikev2-policy)#hash sha

C. ASA(config-ikev2-policy)#group 5

D. ASA(config-ikev2-policy)#encryption aes-256

How is external authorization in AnyConnect SSL VPNs monitored? (Choose two)

A. You can view the downloaded ACL in the ASDM or CLI

B. The Cisco ISE authorization policy selects an authorization profile

C. ISE uses a connection profile to authenticate a user against the ASA

D. The authorization profile is based on the cisco-av-pair=ip:acl attribute

Which statement best describes the purpose of Cisco IPSec VTI?

A. It is designed to provide a mix of security services in IPv4 and IPv6

B. It ensures that a given IPSec SA key was not derived from another secret

C. It is designed to provide crypto-graphically based transmission security to IP traffic

D. It can be used to configure IPSec-based VPNs between site-to-site devices

Which statements best describe the NHRP client-server protocol? (Choose two)

A. It is designed to manage the transportation of multiprotocol and IP multicast traffic between two or more sites, which may only have IP connectivity

B. It creates a mapping for a tunnel IP address to the physical interface IP address for each spoke at the hub

C. It is typically used for simple point-to-point tunnels that emulate a point-to-point WAN link, or on spoke routers in hub-and-spoke VPNs

D. It is used by routers to determine the IP address of the next hop in IP tunneling networks

Which of the following are potential issues when troubleshooting FlexVPN spoke-to-spoke shortcut switching? (Choose two)

A. Unsupported tunnel encapsulation modes

B. Incorrect spoke authorization

C. Failure of virtual template and virtual access interfaces on the hub

D. Inconsistent or missing NHRP configuration

Identify the features of TND. (Choose two)

A. It disconnects the tunnel if the user is in the trusted network

B. It is configured in the client profile

C. It can map and unmap network drives

D. It automatically starts user applications

In a basic IKEv2 message exchange, with only the minimal four messages, which messages represent the IKE_SA_INIT phase and exchange IKEv2 proposals and key material information? (Choose two)

A. Third message

B. Fourth message

C. First message

D. Second message

The Cisco ASA requires a server identity certificate, which the appliance sends to remote SSL VPN clients in order for remote clients to authenticate the Cisco ASA. By default, the security appliance will create a self-signed X.509 certificate on each reboot, resulting in many client warnings when attempting SSL VPN access, as the certificate cannot be verified by any means.
How can you address this issue? (Choose two)

A. By creating a permanent self-signed certificate that is persistent across reboots, by having the remote users initially accessing the Cisco ASA over a trusted network, and by saving the identity certificate of the Cisco ASA.

B. By enrolling your Cisco ASA with an internal CA. Your clients can obtain the root certificate of the CA from this internal CA and then authenticate the identity of the certificate that is installed on the Cisco ASA.

C. By creating a permanent self-signed certificate that is persistent across reboots, and which you can save on the client, if the remote users have the option of initially accessing the Cisco ASA over a trusted network and saving the identity certificate of

D. By enrolling your Cisco ASA with an external CA. Your clients can obtain the root certificate of the CA from this external CA and then authenticate the identity of the certificate that is installed on the Cisco ASA.

Which secure posture module component is a package that installs on the remote device after the user connects to the Cisco Adaptive Security Appliance and before the user logs in?

A. Integration with dynamic access policies

B. Prelogin assessment

C. Host scan

D. Prelogin policies

Which three statements are true regarding the use of DART to troubleshoot AnyConnect VPN? (Choose three)

A. It works independently of any installed AnyConnect client software.

B. It is available as a standalone installation.

C. It is integrated into the AnyConnect client package.

D. It requires administrator privileges.

E. It is only available for Windows clients.

When troubleshooting a connectivity issue, what information can be obtained using the Route Details tab of the Cisco AnyConnect Secure Mobility Client?

A. The tunneling protocol that is in use

B. User configured settings

C. The networks that are reachable through the tunnel

D. Errors that occurred during a connection attempt

What should you consider when configuring split tunneling in a Group Policy? (Choose two)

A. You can select the traffic that the clients will forward through the tunnel

B. By default, all traffic is forwarded through the tunnel using the exclude network list

C. It causes all the client traffic to go through the VPN tunnel

D. It permits the clients the direct access to external resources

Which statements best describe two-factor authentication? (Choose two)

A. It has a username prefill feature

B. ASA validates the certificate and then prompts for credentials

C. It is enabled in the Group Policy

D. You can combine machine certificate validation with user password authentication when using the username prefill feature

Which two set of commands will correctly configure EIGRP on the hub in a full mesh DMVPN network? (Choose two)

A. router(config)# router interface tunnel 0
router(config-if)# no ip split-horizon eigrp 1

B. router(config)# router eigrp 1
router(config-router)# no auto-summary

C. router(config)# router interface tunnel 0
router(config-if)# no ip next-hop-self eigrp
router(config-if)# no ip split-horizon eigrp 1

D. router(config)# router interface tunnel0
router(config-if)# no ip next-hop-self eigrp 1

E. router(config)# no auto-summary

What should you keep in mind when verifying the SSL VPN portal configuration and training users on how to use it? (Choose two)

A. All users can use the URL entry control to select URLs for protocols that are imported plugins enabled

B. Plugins can be launched in a new browser window

C. Users should use the parent browser navigation controls and not the plugin's controls

D. All bookmarks are listed by default

What is the role of the responder in IKEv2 DoS prevention? (Choose two)

A. Limiting the resources that it is willing to devote to new connections

B. Consuming CPU resources by doing the cryptography

C. Allocating no memory until the initiator has proven that it can receive messages at the address that it claims to be sending from

D. Consuming memory resources by remembering the state of the "half open" connections until they time out

What are the three main modules, from a design standpoint, where you would use VPN technologies? (Choose three)

A. Enterprise Branch Edge

B. WAN Edge

C. Enterprise Internet Edge

D. Campus Edge

E. Virtual User Edge

F. Enforce Edge

How do nonrepudiation methods provide cryptographic proof of a transaction? (Choose three)

A. The signature can be generated only by the private key owner

B. The hashing algorithm secures the key

C. Digital signatures are used

D. The signature is stored by the receiver as a proof

Which statements best describe dynamic access policies in Cisco clientless SSL VPNs? (Choose two)

A. They are available for remote access VPNs

B. They are manually generated by aggregating attributes from one or more DAP records

C. They are defined as a collection of access control attributes

D. They are generated and then applied to the user tunnel or session

Which three characteristics are common amongst asymmetric algorithms? (Choose three)

A. Simpler key management

B. Key management can be an issue

C. Suitable for key exchange

D. Fast compared with symmetric algorithms

E. Suitable for real-time bulk encryption

F. Slow compared to symmetric algorithms

You have been notified by a user that they are unable to connect an application with a clientless SSL VPN smart tunnel. However, they can connect a different application. What should you do first to troubleshoot this issue?

A. Verify automatic start configuration.

B. Verify Cisco ASA access control.

C. Verify browser Java/ActiveX functions.

D. Verify the application name.

Which statements best describe shortcut switching? (Choose two)

A. DMVPN provides a scalable configuration model for all involved devices

B. Each spoke router must be configured with a point-to-point interface to the hub

C. All traffic between spoke networks must flow through the hub router

D. Each branch must be configured with a tunnel interface in which dynamic Spoke-to-Spoke tunnels are used for the spoke-to-spoke traffic

When using double or triple authentication for Cisco AnyConnect SSL VPN users, what combinations are possible? (Choose three)

A. RSA/SDI + LDAP authentication

B. LDAP authentication + RADIUS

C. RSA/SDI + RADIUS

D. Certificates + RADIUS + RSA/SDI

E. Certificates + RADIUS

What actions are possible with the default Group Policy provided by the Cisco ASA? (Choose two)

A. It can ensure that policy inheritance is not necessary

B. It can be removed so that you can create your own

C. It can be customized to suit your needs

D. It can be disassociated from the two default connection profiles

What should you consider when using a PKI obtained certificate for server authentication? (Choose two)

A. The appliance will create a self-signed certificate to sign certificates that are issued to clients

B. You can configure the Cisco ASA to obtain an identity certificate from the external PKI

C. The self-signed certificate authentication method is recommended

D. Clients should have a CA certificate that is installed locally

Which commands can be used to restore the original IKEv2 Smart Defaults values? (Choose two)

A. default crypto ipsec transform-set

B. default crypto ikev2 proposal

C. no crypto ipsec transform-set default

D. no crypto ikev2 proposal default

What does SSL/TLS provide? (Choose two)

A. Data integrity to ensure that data hasn't been modified in transit

B. Endpoint authentication on the server only

C. Support for native application clients

D. Encryption to ensure data is only readable by the intended recipient

What should you consider when defining an IP address pool? (Choose two)

A. By default, no assignment methods are enabled

B. IP addresses that are assigned to the VPN clients will be used as the inner AnyConnect IP addresses

C. The virtual VPN adapter is created during the VPN establishment phase in addition to any physical adapters on the client endpoint

D. The inner IP address is applied to the virtual VPN adapter on the server

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?