CCNP Security Practice Test | Secure Mobility (SIMOS)

A tunnel is not forming between two spokes. Which of the following should you verify? (Choose two)

A. NHRP redirect is enabled on the hub

B. NHRP shortcut is enabled on the spoke

C. SA states on the hub and spoke

D. Connectivity between the hub and the spoke

Which statements best describe FlexVPN? (Choose two)

A. It is designed to provide interoperable, high-quality, and cryptographically based transmission security to IP traffic

B. It supports per-peer configurations of service parameters, such as QoS, firewall mechanisms, policies, and VRF-related settings

C. It offers a simple but modular framework that extensively uses the tunnel interface paradigm, while remaining compatible with legacy VPN implementations using crypto maps

D. It is used for performing mutual authentication and establishing and maintaining SAs

How is external authorization in AnyConnect SSL VPNs monitored? (Choose two)

A. You can view the downloaded ACL in the ASDM or CLI

B. The Cisco ISE authorization policy selects an authorization profile

C. ISE uses a connection profile to authenticate a user against the ASA

D. The authorization profile is based on the cisco-av-pair=ip:acl attribute

Which two statements are true regarding GET VPN compatibility with network devices? (Choose two)

A. Cisco IOS routers do not support GET VPN

B. Cisco ASA security appliances support GET VPN

C. Cisco ASA security appliances does not support GET VPN.

D. Cisco IOS routers support GET VPN.

What are the two aspects of effectively managing the VPN users and their access privileges in any remote access VPN design? (Choose two)

A. Authentication is achieved by using a user's organization group information and other attributes, such as endpoint security posture and time of day

B. A scalable and secure solution to authenticate users

C. Assignments allow an SSL VPN gateway to assign the user to a policy group

D. Decisions on what access privilege to grant to the users based on various user and security attributes

When troubleshooting a connectivity issue, what information can be obtained using the Route Details tab of the Cisco AnyConnect Secure Mobility Client?

A. The tunneling protocol that is in use

B. User configured settings

C. The networks that are reachable through the tunnel

D. Errors that occurred during a connection attempt

What should you consider when using a hub-and-spoke FlexVPN deployment model? (Choose two)

A. An external AAA server should be used on the hub site

B. The configured payload feature is required

C. All traffic between spoke networks must flow through the hub router

D. Each spoke router must be configured with a point-to-point interface to the hub

Refer to the output. Which statements regarding the output are true? (Choose two)

Refer to the output. Which statements regarding the output are true?

A. SAs have been negotiated.

B. Packet compression is non-operational.

C. The tunnel is operational.

D. The SA has expired.

Which of the following are potential issues when troubleshooting FlexVPN spoke-to-spoke shortcut switching? (Choose two)

A. Unsupported tunnel encapsulation modes

B. Incorrect spoke authorization

C. Failure of virtual template and virtual access interfaces on the hub

D. Inconsistent or missing NHRP configuration

Your company is planning to implement HostScan to provide high availability. Clients run MAC OS X operating systems. What would prevent you from being able to use HostScan?

A. Only Windows operating systems are supported

B. Only Linux operating systems are supported

C. Expired digital certificates

D. Incorrect licensing

What improvements does IKEv2 provide to IKEv1? (Choose three)

A. Supports dynamically addressed peers with PKI-facilitated authentication

B. Built-in DPD

C. Supports PFS to ensure that a given IPSec SA key is not derived from another secret

D. Better rekeying and collision handling

E. Requires fewer round trips

Which commands can be used to restore the original IKEv2 Smart Defaults values? (Choose two)

A. default crypto ipsec transform-set

B. default crypto ikev2 proposal

C. no crypto ipsec transform-set default

D. no crypto ikev2 proposal default

What are the characteristics of split tunneling on Cisco AnyConnect SSL VPN clients? (Choose two)

A. It uses access control for nontunneled destinations

B. It allows some traffic to bypass the tunnel

C. It increases performance

D. It allows all the traffic to bypass the VPN tunnel

Which three statements regarding the FlexVPN Architecture are true? (Choose three)

A. It provides a modular framework.

B. It is a legacy technology.

C. It is backward compatible with IKEv1.

D. It provides a single configuration approach for all VPN types.

E. It provides features such as QoS.

A DMVPN cloud topology can support either a hub-and-spoke or a spoke-to-spoke deployment model. What are characteristics of the hub-and-spoke model? (Choose two)

A. It provides a scalable configuration model for all involved devices

B. It requires each branch to be configured with an mGRE interface in which dynamic spoke-to-spoke tunnels are used for the spoke-to-spoke traffic

C. It provides scalable configuration to the hub router

D. It requires each branch to be configured with a point-to-point GRE interface to the hub

What are the benefits of the clientless remote access SSL VPN architecture? (Choose two)

A. It requires a special-purpose desktop VPN client software

B. It supports all IP applications

C. It can traverse most firewalls and NAT devices

D. It uses the native SSL encryption of a web browser to provide data confidentiality

Which three statements are true regarding the use of DART to troubleshoot AnyConnect VPN? (Choose three)

A. It works independently of any installed AnyConnect client software.

B. It is available as a standalone installation.

C. It is integrated into the AnyConnect client package.

D. It requires administrator privileges.

E. It is only available for Windows clients.

Which step of configuring Cisco AnyConnect Start Before Logon involves making changes to the AnyConnect profile, and enabling the Cisco ASA to download the AnyConnect module for SBL?

A. Enabling the PLAP capability in Windows

B. Adding the SBL components to Windows

C. Logging in to Windows using SBL

D. Configuring SBL in the client profile

Which statements regarding the verification of DMVPN hub-and-spoke routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Routes are reachable over the spoke

C. A single IKE session is created.

D. Spokes are reachable over the hub.

The Cisco ASA requires a server identity certificate, which the appliance sends to remote SSL VPN clients in order for remote clients to authenticate the Cisco ASA. By default, the security appliance will create a self-signed X.509 certificate on each reboot, resulting in many client warnings when attempting SSL VPN access, as the certificate cannot be verified by any means.
How can you address this issue? (Choose two)

A. By creating a permanent self-signed certificate that is persistent across reboots, by having the remote users initially accessing the Cisco ASA over a trusted network, and by saving the identity certificate of the Cisco ASA.

B. By enrolling your Cisco ASA with an internal CA. Your clients can obtain the root certificate of the CA from this internal CA and then authenticate the identity of the certificate that is installed on the Cisco ASA.

C. By creating a permanent self-signed certificate that is persistent across reboots, and which you can save on the client, if the remote users have the option of initially accessing the Cisco ASA over a trusted network and saving the identity certificate of

D. By enrolling your Cisco ASA with an external CA. Your clients can obtain the root certificate of the CA from this external CA and then authenticate the identity of the certificate that is installed on the Cisco ASA.

What is the role of the responder in IKEv2 DoS prevention? (Choose two)

A. Limiting the resources that it is willing to devote to new connections

B. Consuming CPU resources by doing the cryptography

C. Allocating no memory until the initiator has proven that it can receive messages at the address that it claims to be sending from

D. Consuming memory resources by remembering the state of the "half open" connections until they time out

You are configuring basic Cisco AnyConnect SSL VPN on the Cisco ASA.
During which step in the process would you configure split tunneling?

A. Configuring identity NAT for client access

B. Enabling Cisco AnyConnect SSL VPN on ASA

C. Edit the default connection profile or create a custom one

D. Edit the default Group Policy or create a custom one

What are the features of DTLS? (Choose two)

A. It provides a low-latency data path using TCP

B. It is based on the stream-oriented TLS protocol

C. It is defined in RFC 4345

D. It mitigates latency and bandwidth problems that are associated with some SSL-only connections

Which statements regarding the verification of DMVPN full-mesh routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Direct routes to other spokes exist from the spoke.

C. A single IKE session is created.

D. Spokes are reachable over the hub.

How are clientless password-based users handled in SSL VPN authentication? (Choose two)

A. It is mandatory to use AAA authentication

B. If no profile is chosen, the Cisco ASA will assign them to the DefaultWEBVPNGroup connection profile

C. If no profile is chosen, the Cisco ASA will assign them to the DefaultRAGroup connection profile

D. They may be permitted to select a connection profile from the selection menu or group URL

What statements accurately describe the similarities and differences between IKEv1 and IKEv2? (Choose two)

A. Both protocols support NAT traversal using UDP port 4500

B. Both protocols utilize two phases

C. IKEv1 is written specifically for IPSec

D. IKEv2 introduces retransmission and acknowledgement functions

The Cisco ASA uses a hierarchical policy inheritance model.
Which user policies would have the highest priority using this model?

A. Group Policy attached to the connection profile

B. User profile

C. DfltGrpPolicy settings

D. DAP rules

E. Group Policy attached to the user profile

Which statements best describe dynamic point-to-point VTI tunnels? (Choose two)

A. They simplify the configuration complexity of the VPN hub router

B. They are used to provision hubs in hub-and-spoke VPNs

C. It requires a static mapping of IPSec sessions to a physical interface

D. On the spoke, a dynamic VTI is used to provision its tunnel to the hub

How can Cisco ASA assign IP addresses in an SSL VPN full tunnel solution? (Choose three)

A. Use an IP address connection profile that is configured on the Cisco ASA, and assign the profile to a default or custom address pool

B. Use a Group Policy that is configured on the Cisco ASA, and assign the policy to an IP address pool

C. Use an IP address pool that is configured on the Cisco ASA, and assign the pool to a default or custom Group Policy

D. Use an IP address pool that is configured on the Cisco ASA, and assign the pool to a default or custom connection profile

E. Configure the IP addresses as a part of the user account in the local user database, and enable per-user IP addresses

Which steps are required to configure basic peer authentication for point-to-point tunnels on the Cisco ASA? (Choose three)

A. Choose the transform set and VPN peer

B. Enable IKEv1, IKEv2, or both on an interface

C. Choose traffic for the VPN

D. Configure PSKs

E. Configure IKE policy

Identify the multiple client-side authentication options in clientless SSL VPN. (Choose three)

A. Certificate-based and one AAA authentication

B. Double AAA authentication (no certificate) with optional username reuse

C. Double AAA authentication (with certificate) with optional username reuse

D. Certificate-based and two AAA authentication

E. Certificate-based and one AAA authentication, where the username for AAA authentication can be extracted from the certificate subject field and hidden from users

What should you consider when configuring split tunneling in a Group Policy? (Choose two)

A. You can select the traffic that the clients will forward through the tunnel

B. By default, all traffic is forwarded through the tunnel using the exclude network list

C. It causes all the client traffic to go through the VPN tunnel

D. It permits the clients the direct access to external resources

When modifying the default DAP, what should you keep in mind? (Choose two)

A. Default DAP has the lowest priority and cannot be deleted

B. Terminate action will act like the default deny statement in an ACL

C. A user connection can match only one DAP record

D. The security appliance does not have a default DAP record

When enabling smart tunnels in the clientless SSL VPN access, what kind of information can you specify? (Choose three)

A. Bookmarks for the security appliance to display

B. Application list entries

C. Smart tunnel session log off method

D. Auto sign-on server list entries

E. Port forwarding list entries

Which statements best describe the handshake phase of SSL connections? (Choose two)

A. SSL encrypts the data traffic and ensures data confidentiality and integrity

B. It typically uses RSA as the public key algorithm

C. It ensures authentication of the server and, optionally, of the client

D. Data integrity is achieved using message digest algorithms such as MD5 and SHA-1

How do nonrepudiation methods provide cryptographic proof of a transaction? (Choose three)

A. The signature can be generated only by the private key owner

B. The hashing algorithm secures the key

C. Digital signatures are used

D. The signature is stored by the receiver as a proof

You are creating an IKEv2 policy. Which command will ensure that a packet has not been modified during transit?

A. ASA(config-ikev2-policy)#integrity md5

B. ASA(config-ikev2-policy)#hash sha

C. ASA(config-ikev2-policy)#group 5

D. ASA(config-ikev2-policy)#encryption aes-256

Using an SSL VPN full-tunnel solution, you want to have the Cisco ASA assign IP addresses that will allow you to identify which users are connecting to the VPN.
Which IP address assignment solution should be implemented?

A. Configure the IP addresses as part of the user account in the local user database and enable per-user IP addresses.

B. Use a DHCP server that the Cisco ASA security appliance queries to obtain an IP address for remote clients.

C. Use an IP address pool that is configured on the Cisco ASA and assign the pool to a default or custom group policy.

D. Use an IP address pool that is configured on the Cisco ASA and assign the pool to a default or custom connection profile.

When troubleshooting a FlexVPN spoke configuration, which command is used to verify whether both spokes have a virtual-access interface present?

A. show ip nhrp traffic

B. show ip nhrp

C. show ip interface brief

D. show crypto session

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?