CCNP Security Practice Test | Secure Mobility (SIMOS)

When enabling smart tunnels in the clientless SSL VPN access, what kind of information can you specify? (Choose three)

A. Bookmarks for the security appliance to display

B. Application list entries

C. Smart tunnel session log off method

D. Auto sign-on server list entries

E. Port forwarding list entries

Which two site-to-site VPN technologies natively support IP Multicasts? (Choose two)

A. IPSec VPN

B. DMVPN

C. FlexVPN

D. GETVPN

What is the purpose of a connection profile? (Choose two)

A. It defines the client privileges

B. It defines prelogin behavior

C. It is a reference to the Group Policy

D. It includes the split tunneling configuration

Which tasks are the client generally responsible for in the SSL server authentication? (Choose three)

A. Sending a hello message informing of the preferred cipher suite

B. Sending a hello done message

C. Verifying the certificate to ensure it has been issued by a trusted CA

D. Generating random numbers to use as a shared session key

E. Starting the exchange by sending the client a hello message

When troubleshooting a connectivity issue, what information can be obtained using the Route Details tab of the Cisco AnyConnect Secure Mobility Client?

A. The tunneling protocol that is in use

B. User configured settings

C. The networks that are reachable through the tunnel

D. Errors that occurred during a connection attempt

You are trying to verify the ISAKMP tunnel using the command output below. Which options regarding this information are true? (Choose two)

You are trying to verify the ISAKMP tunnel using the command output below. Which options regarding this information are true?

A. Main mode was used to set up the tunnel.

B. The tunnel is operational.

C. The aggressive mode was used to set up the tunnel.

D. No tunnel exists, as there should be two peers listed.

What are the descriptions that can be applied to a digital signature? (Choose two)

A. Digital signature algorithms provide integrity

B. They use a combination of a hash function and an asymmetric algorithm

C. They are a combination of an HMAC algorithm and a symmetric function

D. They use a public signing key and a private shared key

How do nonrepudiation methods provide cryptographic proof of a transaction? (Choose three)

A. The signature can be generated only by the private key owner

B. The hashing algorithm secures the key

C. Digital signatures are used

D. The signature is stored by the receiver as a proof

What command is used to enable authentication, authorization, and accounting?

Identify the features of TND. (Choose two)

A. It disconnects the tunnel if the user is in the trusted network

B. It is configured in the client profile

C. It can map and unmap network drives

D. It automatically starts user applications

A user indicates that they are unable to access a file server share. You believe that you have misconfigured webtype ACLs.
What is the easiest method of verifying this?

A. View the Cisco ASA's logging output.

B. View predefined bookmarks.

C. View output from the traceroute command.

D. View DNS group configuration.

What are the two aspects of effectively managing the VPN users and their access privileges in any remote access VPN design? (Choose two)

A. Authentication is achieved by using a user's organization group information and other attributes, such as endpoint security posture and time of day

B. A scalable and secure solution to authenticate users

C. Assignments allow an SSL VPN gateway to assign the user to a policy group

D. Decisions on what access privilege to grant to the users based on various user and security attributes

When modifying the default DAP, what should you keep in mind? (Choose two)

A. Default DAP has the lowest priority and cannot be deleted

B. Terminate action will act like the default deny statement in an ACL

C. A user connection can match only one DAP record

D. The security appliance does not have a default DAP record

Which command is used to verify that the ECDSA keys have been successfully generated?

A. show crypto key

B. show crypto ipsec sa detail

C. show crypto ipsec sa

D. show crypto pki certificates verbose

Refer to the output. To what is this message referring?

A. Mismatched IKE proposals

B. Mismatched IKE versions

C. Key configuration errors

D. Conflicting peer addresses

Which two set of commands will correctly configure EIGRP on the hub in a full mesh DMVPN network? (Choose two)

A. router(config)# router interface tunnel 0
router(config-if)# no ip split-horizon eigrp 1

B. router(config)# router eigrp 1
router(config-router)# no auto-summary

C. router(config)# router interface tunnel 0
router(config-if)# no ip next-hop-self eigrp
router(config-if)# no ip split-horizon eigrp 1

D. router(config)# router interface tunnel0
router(config-if)# no ip next-hop-self eigrp 1

E. router(config)# no auto-summary

What does SSL/TLS provide? (Choose two)

A. Data integrity to ensure that data hasn't been modified in transit

B. Endpoint authentication on the server only

C. Support for native application clients

D. Encryption to ensure data is only readable by the intended recipient

Which two VPN types are preferred for larger environments that are partially meshed? (Choose two)

A. Dynamic VTI-based

B. GET VPN

C. DMVPN

D. Static VTI-based

What are the benefits of the clientless remote access SSL VPN architecture? (Choose two)

A. It requires a special-purpose desktop VPN client software

B. It supports all IP applications

C. It can traverse most firewalls and NAT devices

D. It uses the native SSL encryption of a web browser to provide data confidentiality

Which of the three tools are used with a VPN to combat man-in-the-middle attacks? (Choose three)

A. Packet integrity checking

B. Encryption

C. Device authentication

D. Sequence number randomizing

When using double or triple authentication for Cisco AnyConnect SSL VPN users, what combinations are possible? (Choose three)

A. RSA/SDI + LDAP authentication

B. LDAP authentication + RADIUS

C. RSA/SDI + RADIUS

D. Certificates + RADIUS + RSA/SDI

E. Certificates + RADIUS

What should you consider when using a PKI obtained certificate for server authentication? (Choose two)

A. The appliance will create a self-signed certificate to sign certificates that are issued to clients

B. You can configure the Cisco ASA to obtain an identity certificate from the external PKI

C. The self-signed certificate authentication method is recommended

D. Clients should have a CA certificate that is installed locally

Which three statements regarding the FlexVPN Architecture are true? (Choose three)

A. It provides a modular framework.

B. It is a legacy technology.

C. It is backward compatible with IKEv1.

D. It provides a single configuration approach for all VPN types.

E. It provides features such as QoS.

Which statements best describe dynamic access policies in Cisco clientless SSL VPNs? (Choose two)

A. They are available for remote access VPNs

B. They are manually generated by aggregating attributes from one or more DAP records

C. They are defined as a collection of access control attributes

D. They are generated and then applied to the user tunnel or session

Which statements best describe the handshake phase of SSL connections? (Choose two)

A. SSL encrypts the data traffic and ensures data confidentiality and integrity

B. It typically uses RSA as the public key algorithm

C. It ensures authentication of the server and, optionally, of the client

D. Data integrity is achieved using message digest algorithms such as MD5 and SHA-1

What are the characteristics of symmetric algorithms? (Choose three)

A. Efficient, fast, and simple to accelerate in hardware

B. Typical key lengths are in thousands of bits

C. Examples are RSA and ECC

D. Suitable for real-time bulk encryption

E. Generally used for digital signatures or key exchanges

F. Examples are 3DES, RC4, SEAL, AES, and Blowfish

What is required to enable a Cisco AnyConnect IPSec IKEv2 VPN deployment? (Choose two)

A. On the Cisco ASA, configure IKEv2 as the primary protocol.

B. In the client profile, configure IKEv2 as the primary protocol.

C. Deploy the IKEv2-enabled profile to the endpoint computer.

D. Ensure DTLS is enabled on the Cisco ASA's interfaces on which the appliance accepts connections.

Which algorithms are considered next-generation encryption mechanisms? (Choose three)

A. MD5

B. RC4

C. SHA-2

D. 3DES

E. AES-GCM

F. ECDSA-384

Which statements regarding the use of parallel DTLS and TLS tunnels are true? (Choose two)

A. The SSL tunnel is used to negotiate and establish the DTLS tunnel.

B. The DTLS tunnel is used to negotiate and establish the SSL/TLS tunnel.

C. Enabling DPD allows for DTLS-to-TLS automatic fallback.

D. DTLS-to-TLS automatic fallback requires IKEv2.

How do both Cisco ASA and Cisco IOS routers facilitate resource and application access? (Choose two)

A. Thin-client connections

B. URL and CIFS file access

C. Application plugins

D. Smart tunnels

Which step of configuring Cisco AnyConnect Start Before Logon involves making changes to the AnyConnect profile, and enabling the Cisco ASA to download the AnyConnect module for SBL?

A. Enabling the PLAP capability in Windows

B. Adding the SBL components to Windows

C. Logging in to Windows using SBL

D. Configuring SBL in the client profile

Which statements best describe shortcut switching? (Choose two)

A. DMVPN provides a scalable configuration model for all involved devices

B. Each spoke router must be configured with a point-to-point interface to the hub

C. All traffic between spoke networks must flow through the hub router

D. Each branch must be configured with a tunnel interface in which dynamic Spoke-to-Spoke tunnels are used for the spoke-to-spoke traffic

Which component encrypts and decrypts the traffic in a GET VPN deployment?

A. Group Member

B. Group Domain of Interpretation

C. Perfect Forward Secrecy

D. Key Server

You need to implement NGE. Which options would be viable? (Choose three)

A. HMAC-MD5

B. AES-CBC

C. SHA-256

D. ECDH-384

E. AES-GCM

Which specific components of the secure posture module provide an OS scan? (Choose two)

A. Prelogin policies

B. Cache Cleaner

C. Prelogin assessment

D. Integration with Dynamic Access Policies

Users are unable to establish clientless SSL VPN connections. The most basic requirements for a functional SSL VPN have been verified. Upon further investigation, you notice an SSL lib error recorded in the logging information.
What is the most likely reason why users are unable to establish connections?

A. There is a cipher mismatch.

B. The VPN server and client are using mismatched SSL ports.

C. There is no IP/TCP connectivity between the VPN server and client.

D. The SSL VPN is not enabled on the correct interface.

What client authentication options are available in the basic AnyConnect SSL VPN? (Choose two)

A. Locally configured static passwords

B. Local user database

C. Connection profile local pool

D. Group Policy

What are the five fundamental components of security that cryptography provides for VPNs? (Choose five)

A. Authentication

B. Confidentiality

C. Key Management

D. Address Management

E. Integrity

F. Nonrepudiation

Which items could prevent the encrypted and decrypted packet counters from increasing? (Choose two)

A. Routing

B. IPSec SAs

C. Keepalives

D. Neighbor adjacencies

You need to alter the effects of forwarding an HTTP applet proxy to the client. Which browser is required to complete this task?

A. Safari

B. Google Chrome

C. Microsoft Internet Explorer

D. Mozilla Firefox

Which method of certificate enrollment using SCEP automates the enrollment of Cisco AnyConnect users?

A. Simple Certificate Enrollment Protocol Proxy

B. Direct Simple Certificate Enrollment Protocol

C. Manual

D. Microsoft Active Directory Certificate Services

You are configuring basic Cisco AnyConnect SSL VPN on the Cisco ASA.
During which step in the process would you configure split tunneling?

A. Configuring identity NAT for client access

B. Enabling Cisco AnyConnect SSL VPN on ASA

C. Edit the default connection profile or create a custom one

D. Edit the default Group Policy or create a custom one

Which options best describe site-to-site VPN? (Choose two)

A. It always use IPSec for its cryptographic path protection

B. It connect as a replacement for a classic WAN

C. It require basic network traffic controls

D. It only work over controlled networks (MPLS)

Which two protocols are used for full client and clientless connections by Cisco VPNs? (Choose two)

A. SSL

B. Site-to-site

C. SHA

D. IPSec

Which feature enables users to use native client applications without administrative rights?

A. Smart tunnels

B. Clientless SSL VPN Plugins

C. Authentication using External CA

D. AAA

You have been notified by a user that they are unable to connect an application with a clientless SSL VPN smart tunnel. However, they can connect a different application. What should you do first to troubleshoot this issue?

A. Verify automatic start configuration.

B. Verify Cisco ASA access control.

C. Verify browser Java/ActiveX functions.

D. Verify the application name.

Which site-to-site technology combines IKE/IKEv2, AH, and ESP into a security framework?

A. DMVPN

B. IPSec

C. FlexVPN

D. GET VPN

What are the three VPN connection technologies? (Choose three)

A. Full-tunnel client-based IPSec VPN

B. Clientless SSL VPN

C. Full-tunnel clientless LTO VPN

D. Full-tunnel client-based SSL VPN

Which attribute is used to push WebVPN ACEs to clientless SSL VPN sessions?

A. cisco-av-pair=ip:inacl

B. cisco-av-pair=webvpn:inacl

C. IE-Proxy-Exception-List

D. IETF-Radius-Class

Which statement best describes the purpose of Cisco IPSec VTI?

A. It is designed to provide a mix of security services in IPv4 and IPv6

B. It ensures that a given IPSec SA key was not derived from another secret

C. It is designed to provide crypto-graphically based transmission security to IP traffic

D. It can be used to configure IPSec-based VPNs between site-to-site devices

When configuring HA headended designs, at least how many tunnels should be configured on each branch?

A. One

B. Three

C. Four

D. Two

When a clientless SSL VPN user successfully authenticates to the Cisco Adaptive Security Appliance, the user is presented with a web portal where they can access protected resources behind the Cisco ASA.
What types of applications can a user access by default? (Choose two)

A. File shares using CIFS and FTP

B. Internal web pages and web-based applications using HTTP and HTTPS

C. File shares using TFTP

D. Internal web pages and web-based applications using HTTP and NNTP

You are testing an application plugin for a clientless SSL VPN session; however, it will not start. What should be done?

A. Verify that the browser's Java/ActiveX functions.

B. Verify that the smart tunnel agent starts.

C. Verify that the appropriate plugins are loaded.

D. Verify webtype ACLs.

Based on the output, what is the IP address of the local interface used to access the connected spoke network?

A. 192.0.10.1

B. 198.51.100.1

C. 203.0.133.1

D. 192.0.2.3

Which option correctly defines the action that takes place when a DTLS-based VPN loses a packet?

A. The VPN endpoints will retransmit the dropped datagram.

B. The TCP stack of the application endpoints will retransmit the datagrams.

C. Both the VPN and the TCP stack of the application endpoint will retransmit the datagram.

D. The datagram is not retransmitted to reduce latency.

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?