CCNP Security Practice Test | Secure Mobility (SIMOS)

Which set of commands will correctly configure the local authorization policy?

A. Router(config)#crypto ikev2 authorization policy policy1
Router(config-ikev2-author-policy)#pool flex-pool
Router(config-ikev2-author-policy)#def-domain brocadero.com
Router(config-ikev2-author-policy)#route set interface
Rout

B. Router(config-ikev2-profile)#virtual-template 1

C. Router(config)#crypto ipsec profile default
Router(ipsec-profile)#set ikev2-profile default

D. Router(config)#aaa new-model
Router(config)#aaa authorization network list1 local

What information should you consider when monitoring AnyConnect SSL VPNs on the client? (Choose two)

A. Use the Details button to display additional information

B. Split tunneling routes show the subnets that are reachable through tunnel

C. You can select the appropriate access method in ASDM monitoring

D. The monitoring options are in the AnyConnect GUI

Which Cisco ASA application plugin allows for connections to WinFrame-based terminal services?

A. SSH

B. RDP2

C. VNC

D. ICA

E. RDP

What should you keep in mind in a configuration scenario that uses the local CA function on the Cisco ASA CA user accounts? (Choose two)

A. A certificate-to-connection profile map that binds the user certificate to a connection profile must exist

B. The FQDN includes information like the organizational unit

C. Certificate-based authentication in the required connection profiles is enabled by default

D. Organizational units contain values that are frequently mapped in identity certificates

Which three characteristics are common amongst asymmetric algorithms? (Choose three)

A. Simpler key management

B. Key management can be an issue

C. Suitable for key exchange

D. Fast compared with symmetric algorithms

E. Suitable for real-time bulk encryption

F. Slow compared to symmetric algorithms

Which of the following are potential issues when troubleshooting FlexVPN spoke-to-spoke shortcut switching? (Choose two)

A. Unsupported tunnel encapsulation modes

B. Incorrect spoke authorization

C. Failure of virtual template and virtual access interfaces on the hub

D. Inconsistent or missing NHRP configuration

Which command is used to verify that the certificate has successfully been imported and that ECDSA is used?

A. show crypto isakmp sa

B. show crypto ipsec sa

C. show crypto key

D. show crypto pki certificates verbose

A connection is not forming between the spoke and the hub. Enter the command that you would use to verify SA states on hub and spoke. (Choose two)

A. show crypto session

B. show crypto session detail

Which configuration will enable the hub router to provide IP addresses to spokes, in a hub-spoke configuration?

A. Crypto IKEv2 authorization policy

B. Crypto IKEv2 profile

C. Virtual template interface

D. Crypto ipsec profile

Review the output. Which type of VPN technology is being verified?

A. IPSec SA

B. NHRP next-hop server information

C. EC key pairs

D. Clientless SSL VPN

Which command would be used to verify the DMVPN NBMA address?

A. show ip nhrp nhs detail

B. show dmvpn detail

C. show ip nhrp

D. show interface tunnel

Which of the three tools are used with a VPN to combat man-in-the-middle attacks? (Choose three)

A. Packet integrity checking

B. Encryption

C. Device authentication

D. Sequence number randomizing

AES is an example of what?

A. Symmetric algorithm

B. Hash algorithm

C. Asymmetric algorithm

D. Diffie-Hellman algorithm

Which options best describe site-to-site VPN? (Choose two)

A. It always use IPSec for its cryptographic path protection

B. It connect as a replacement for a classic WAN

C. It require basic network traffic controls

D. It only work over controlled networks (MPLS)

Which statements best describe the NHRP client-server protocol? (Choose two)

A. It is designed to manage the transportation of multiprotocol and IP multicast traffic between two or more sites, which may only have IP connectivity

B. It creates a mapping for a tunnel IP address to the physical interface IP address for each spoke at the hub

C. It is typically used for simple point-to-point tunnels that emulate a point-to-point WAN link, or on spoke routers in hub-and-spoke VPNs

D. It is used by routers to determine the IP address of the next hop in IP tunneling networks

How are clientless password-based users handled in SSL VPN authentication? (Choose two)

A. It is mandatory to use AAA authentication

B. If no profile is chosen, the Cisco ASA will assign them to the DefaultWEBVPNGroup connection profile

C. If no profile is chosen, the Cisco ASA will assign them to the DefaultRAGroup connection profile

D. They may be permitted to select a connection profile from the selection menu or group URL

What should you consider when configuring split tunneling in a Group Policy? (Choose two)

A. You can select the traffic that the clients will forward through the tunnel

B. By default, all traffic is forwarded through the tunnel using the exclude network list

C. It causes all the client traffic to go through the VPN tunnel

D. It permits the clients the direct access to external resources

You are configuring split tunneling on the Cisco ASA device via the CLI. You have created an access list named "STACL". Enter the command to specify this access list to be used for split tunneling.

Which statements best describe shortcut switching? (Choose two)

A. DMVPN provides a scalable configuration model for all involved devices

B. Each spoke router must be configured with a point-to-point interface to the hub

C. All traffic between spoke networks must flow through the hub router

D. Each branch must be configured with a tunnel interface in which dynamic Spoke-to-Spoke tunnels are used for the spoke-to-spoke traffic

Which statements best describe dynamic access policies in Cisco clientless SSL VPNs? (Choose two)

A. They are available for remote access VPNs

B. They are manually generated by aggregating attributes from one or more DAP records

C. They are defined as a collection of access control attributes

D. They are generated and then applied to the user tunnel or session

What is the first troubleshooting step that should be taken when there is a clientless SSL VPN session establishment issue?

A. Verify user authentication

B. Verify clientless permissions

C. Verify that the SSL/TLS session establishes.

D. Verify user credentials

A tunnel is not forming between two spokes. Which of the following should you verify? (Choose two)

A. NHRP redirect is enabled on the hub

B. NHRP shortcut is enabled on the spoke

C. SA states on the hub and spoke

D. Connectivity between the hub and the spoke

When verifying and troubleshooting Cisco AnyConnect IPSec VPN, which tab of the AnyConnect Secure Mobility Client window allows you to confirm that the client has used IPSec/IKEv2 to connect by viewing the transport information?

A. Route Details

B. Firewall

C. Statistics

D. Message History

E. Preferences

Refer to the output. Which statements regarding the output are true? (Choose two)

Refer to the output. Which statements regarding the output are true?

A. SAs have been negotiated.

B. Packet compression is non-operational.

C. The tunnel is operational.

D. The SA has expired.

Which three statements are true regarding clientless SSL VPN solutions? (Choose three)

A. They do not require any special software.

B. They can be used to access CIFS file shares.

C. They can use IPSec VPN connections.

D. They provide browser-based access to resources.

E. They cannot access applications that use static TCP ports.

Which type of certificate is required for clientless SSL VPN connections to the Cisco ASA?

A. Code signing

B. User

C. Web server

D. Wildcard

When troubleshooting a connectivity issue, what can be used to verify that a Cisco AnyConnect connection is using IPSec/IKEv2?

A. IP Source Guard

B. Botnet Traffic Filter

C. HTTP Inspector

D. Cisco AnyConnect Secure Mobility Client Statistics tab

Refer to the output. Which statements regarding the output are true? (Choose two)

Refer to the output. Which statements regarding the output are true?

A. IKE Phase 2 was successful.

B. IPSec SAs were successfully completed.

C. IKE proposals are mismatched.

D. Conflicting group and IP addresses exist.

Which application access method is available with Cisco clientless SSL VPNs and is recommended for Linux?

A. Port forwarding

B. Full-tunnel VPN

C. Smart tunnels

D. Application plugins

Which statement best describes the purpose of Cisco IPSec VTI?

A. It is designed to provide a mix of security services in IPv4 and IPv6

B. It ensures that a given IPSec SA key was not derived from another secret

C. It is designed to provide crypto-graphically based transmission security to IP traffic

D. It can be used to configure IPSec-based VPNs between site-to-site devices

What steps are required to configure transmission protection? (Choose three)

A. Configure the IKE policy

B. Choose the transform set

C. Choose the VPN peer

D. Enable IKE for each interface

E. Choose traffic for the VPN

What is the purpose of FlexVPN? (Choose two)

A. To provide encapsulation

B. To convert cleartext to ciphertext

C. To simplify deployment of VPNs

D. To address the complexity of multiple solutions

You are testing an application plugin for a clientless SSL VPN session; however, it will not start. What should be done?

A. Verify that the browser's Java/ActiveX functions.

B. Verify that the smart tunnel agent starts.

C. Verify that the appropriate plugins are loaded.

D. Verify webtype ACLs.

Which two statements regarding the version of IKE used with FlexVPN are true? (Choose two)

A. It uses stateless cookies.

B. It can only be used with IPSec.

C. It operates over UDP port 4500.

D. It supports NAT traversal over UDP port 500.

E. Each peer maintains its own local policy.

What command can be used to verify whether the ASA device holds the proper license to activate HostScan?

A. show activation-key

B. show license

You need to verify the presence of H and NHO routes added by NHRP on a spoke router. Which command will allow you to complete this task?

A. show ip route

B. show crypto key mypubkey ec

C. show ip interface brief

D. show ip nhrp

What should you keep in mind when verifying the SSL VPN portal configuration and training users on how to use it? (Choose two)

A. All users can use the URL entry control to select URLs for protocols that are imported plugins enabled

B. Plugins can be launched in a new browser window

C. Users should use the parent browser navigation controls and not the plugin's controls

D. All bookmarks are listed by default

The output below contains logging messages of unsuccessful IKE Phase 1. What is the cause of this problem?

A. Key configuration errors

B. Different DH groups

C. Wrong version of IKE

D. Unacceptable SA proposals

Which troubleshooting command can be used to monitor an active view of AnyConnect client web browser SSL sessions?

A. debug webvpn util

B. debug webvpn html

C. debug webvpn url

D. debug webvpn svc

What are the benefits of the clientless remote access SSL VPN architecture? (Choose two)

A. It requires a special-purpose desktop VPN client software

B. It supports all IP applications

C. It can traverse most firewalls and NAT devices

D. It uses the native SSL encryption of a web browser to provide data confidentiality

How is external authorization in AnyConnect SSL VPNs monitored? (Choose two)

A. You can view the downloaded ACL in the ASDM or CLI

B. The Cisco ISE authorization policy selects an authorization profile

C. ISE uses a connection profile to authenticate a user against the ASA

D. The authorization profile is based on the cisco-av-pair=ip:acl attribute

In a basic IKEv2 message exchange, with only the minimal four messages, which messages represent the IKE_SA_INIT phase and exchange IKEv2 proposals and key material information? (Choose two)

A. Third message

B. Fourth message

C. First message

D. Second message

Which step of configuring Cisco AnyConnect Start Before Logon involves making changes to the AnyConnect profile, and enabling the Cisco ASA to download the AnyConnect module for SBL?

A. Enabling the PLAP capability in Windows

B. Adding the SBL components to Windows

C. Logging in to Windows using SBL

D. Configuring SBL in the client profile

You are configuring Cisco SSL VPN plugins. Once you have imported the plugins to the Cisco Adaptive Security Appliance.
What further actions can you take? (Choose two)

A. If you are using bookmarks, you can add protocols

B. You can confirm them in the SSL VPN portal

C. You can apply the bookmarks list using the import webvpn url-list command

D. You need to authorize plugin use in group policies

What is involved when configuring basic IKE peering using PSKs? (Choose two)

A. Using a RSA exchange of an appropriate strength (group) to provide keying material to IKE and IPSec

B. Using appropriate session lifetimes

C. Using an encryption and hashing algorithm to guarantee confidentiality and authentication of the key management session

D. Using PSKs for mutual authentication

What is the first required step in configuring a DMVPN spoke?

A. Configure an IPSec profile with an optional transform set

B. Create an mGRE tunnel interface

C. Generate or configure hub authentication credentials

D. Associate the IPSec profile with the mGRE interface

Which site-to-site technology combines IKE/IKEv2, AH, and ESP into a security framework?

A. DMVPN

B. IPSec

C. FlexVPN

D. GET VPN

What happens in the second step of verifying multiple client authentication when the SSL VPN server requests the user credentials? (Choose two)

A. A browser connects to the SSL VPN

B. The browser submits the certificate-based authentication

C. If the username field is unavailable, then the client cannot alter the username

D. If the username prefill feature is enabled, then the username field is already filled in (the name is pulled from the certificate subject field) and made unavailable

Which command is used to verify NHRP mapping information on a DMVPN?

A. show dmvpn detail

B. show ip route

C. show ip nhrp nhs detail

D. show ip nhrp

E. show interface tunnel

What are the three fields in an X.509v3 certificate? (Choose three)

A. Serial Number

B. Validity Period

C. Owner Full Name

D. Version

E. Usage Order

Which of the protocols transmit data in plaintext and are susceptible to man-in-the-middle attacks? (Choose three)

A. Telnet

B. HTTP

C. HTTPS

D. FTP

Which two VPN types are preferred for larger environments that are partially meshed? (Choose two)

A. Dynamic VTI-based

B. GET VPN

C. DMVPN

D. Static VTI-based

What limitations should you consider when using GRE tunneling? (Choose two)

A. There is no standard method to determine the end-to-end state of a GRE tunnel

B. Proprietary GRE keepalives are not supported

C. It provides limited cryptographic traffic protection

D. Tunnels can exhibit MTU and IP fragmentation-related issues

Which three statements regarding the FlexVPN Architecture are true? (Choose three)

A. It provides a modular framework.

B. It is a legacy technology.

C. It is backward compatible with IKEv1.

D. It provides a single configuration approach for all VPN types.

E. It provides features such as QoS.

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?