CCNP Security Practice Test | Secure Mobility (SIMOS)

When configuring a site-to-site VPN using the Cisco Adaptive Security Device Manager, which two options will require you to manually enable IKE on the required interface? (Choose two)

A. Site-to-Site VPN |�Connection Profiles

B. Site-to-Site VPN Wizard

C. Site-to-Site VPN || Interface Profiles

D. Site-to-Site VPN || Advanced

Your company is planning to implement HostScan to provide high availability. Clients run MAC OS X operating systems. What would prevent you from being able to use HostScan?

A. Only Windows operating systems are supported

B. Only Linux operating systems are supported

C. Expired digital certificates

D. Incorrect licensing

Which statements best describe shortcut switching? (Choose two)

A. DMVPN provides a scalable configuration model for all involved devices

B. Each spoke router must be configured with a point-to-point interface to the hub

C. All traffic between spoke networks must flow through the hub router

D. Each branch must be configured with a tunnel interface in which dynamic Spoke-to-Spoke tunnels are used for the spoke-to-spoke traffic

What are the prerequisites for the AnyConnect SSL VPN deployment? (Choose two)

A. Configure support for DTLS

B. Enable the SSL VPN function on the interface

C. Install the Cisco AnyConnect client software image on the Cisco ASA

D. Provision an identity server SSL/TLS certificate to the Cisco ASA

In a basic IKEv2 message exchange, with only the minimal four messages, which messages represent the IKE_SA_INIT phase and exchange IKEv2 proposals and key material information? (Choose two)

A. Third message

B. Fourth message

C. First message

D. Second message

Which statements regarding the verification of DMVPN hub-and-spoke routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Routes are reachable over the spoke

C. A single IKE session is created.

D. Spokes are reachable over the hub.

When an SSL client is authenticated, in addition to the server, which additional exchanges are required? (Choose two)

A. After the server sends its certificate to the client, the server will request that the client sends its certificate in return

B. The server sends a change cipher specification message that tells the client that all subsequent messages from the server will use the negotiated security

C. The client sends a change cipher specification message that tells the server to activate the negotiated cipher suite

D. After the client sends the client key exchange, the client sends a certificate verify message

Which of the following are potential issues when troubleshooting FlexVPN spoke-to-spoke shortcut switching? (Choose two)

A. Unsupported tunnel encapsulation modes

B. Incorrect spoke authorization

C. Failure of virtual template and virtual access interfaces on the hub

D. Inconsistent or missing NHRP configuration

The Cisco ASA requires a server identity certificate, which the appliance sends to remote SSL VPN clients in order for remote clients to authenticate the Cisco ASA. By default, the security appliance will create a self-signed X.509 certificate on each reboot, resulting in many client warnings when attempting SSL VPN access, as the certificate cannot be verified by any means.
How can you address this issue? (Choose two)

A. By creating a permanent self-signed certificate that is persistent across reboots, by having the remote users initially accessing the Cisco ASA over a trusted network, and by saving the identity certificate of the Cisco ASA.

B. By enrolling your Cisco ASA with an internal CA. Your clients can obtain the root certificate of the CA from this internal CA and then authenticate the identity of the certificate that is installed on the Cisco ASA.

C. By creating a permanent self-signed certificate that is persistent across reboots, and which you can save on the client, if the remote users have the option of initially accessing the Cisco ASA over a trusted network and saving the identity certificate of

D. By enrolling your Cisco ASA with an external CA. Your clients can obtain the root certificate of the CA from this external CA and then authenticate the identity of the certificate that is installed on the Cisco ASA.

What happens in the second step of verifying multiple client authentication when the SSL VPN server requests the user credentials? (Choose two)

A. A browser connects to the SSL VPN

B. The browser submits the certificate-based authentication

C. If the username field is unavailable, then the client cannot alter the username

D. If the username prefill feature is enabled, then the username field is already filled in (the name is pulled from the certificate subject field) and made unavailable

Which statements best describe the NHRP client-server protocol? (Choose two)

A. It is designed to manage the transportation of multiprotocol and IP multicast traffic between two or more sites, which may only have IP connectivity

B. It creates a mapping for a tunnel IP address to the physical interface IP address for each spoke at the hub

C. It is typically used for simple point-to-point tunnels that emulate a point-to-point WAN link, or on spoke routers in hub-and-spoke VPNs

D. It is used by routers to determine the IP address of the next hop in IP tunneling networks

Which set of commands will correctly configure the local authorization policy?

A. Router(config)#crypto ikev2 authorization policy policy1
Router(config-ikev2-author-policy)#pool flex-pool
Router(config-ikev2-author-policy)#def-domain brocadero.com
Router(config-ikev2-author-policy)#route set interface
Rout

B. Router(config-ikev2-profile)#virtual-template 1

C. Router(config)#crypto ipsec profile default
Router(ipsec-profile)#set ikev2-profile default

D. Router(config)#aaa new-model
Router(config)#aaa authorization network list1 local

What is required to enable a Cisco AnyConnect IPSec IKEv2 VPN deployment? (Choose two)

A. On the Cisco ASA, configure IKEv2 as the primary protocol.

B. In the client profile, configure IKEv2 as the primary protocol.

C. Deploy the IKEv2-enabled profile to the endpoint computer.

D. Ensure DTLS is enabled on the Cisco ASA's interfaces on which the appliance accepts connections.

What are the three main modules, from a design standpoint, where you would use VPN technologies? (Choose three)

A. Enterprise Branch Edge

B. WAN Edge

C. Enterprise Internet Edge

D. Campus Edge

E. Virtual User Edge

F. Enforce Edge

You are testing an application plugin for a clientless SSL VPN session; however, it will not start. What should be done?

A. Verify that the browser's Java/ActiveX functions.

B. Verify that the smart tunnel agent starts.

C. Verify that the appropriate plugins are loaded.

D. Verify webtype ACLs.

What should you consider when configuring split tunneling in a Group Policy? (Choose two)

A. You can select the traffic that the clients will forward through the tunnel

B. By default, all traffic is forwarded through the tunnel using the exclude network list

C. It causes all the client traffic to go through the VPN tunnel

D. It permits the clients the direct access to external resources

How is external authorization in AnyConnect SSL VPNs monitored? (Choose two)

A. You can view the downloaded ACL in the ASDM or CLI

B. The Cisco ISE authorization policy selects an authorization profile

C. ISE uses a connection profile to authenticate a user against the ASA

D. The authorization profile is based on the cisco-av-pair=ip:acl attribute

What improvements does IKEv2 provide to IKEv1? (Choose three)

A. Supports dynamically addressed peers with PKI-facilitated authentication

B. Built-in DPD

C. Supports PFS to ensure that a given IPSec SA key is not derived from another secret

D. Better rekeying and collision handling

E. Requires fewer round trips

Which three statements regarding the FlexVPN Architecture are true? (Choose three)

A. It provides a modular framework.

B. It is a legacy technology.

C. It is backward compatible with IKEv1.

D. It provides a single configuration approach for all VPN types.

E. It provides features such as QoS.

Identify the multiple client-side authentication options in clientless SSL VPN. (Choose three)

A. Certificate-based and one AAA authentication

B. Double AAA authentication (no certificate) with optional username reuse

C. Double AAA authentication (with certificate) with optional username reuse

D. Certificate-based and two AAA authentication

E. Certificate-based and one AAA authentication, where the username for AAA authentication can be extracted from the certificate subject field and hidden from users

You are configuring DMVPN on a spoke router. The configurations in the output given below have been made on the router.
Which command or set of commands will complete the next step in the configuration on the spoke router?

You are configuring DMVPN on a spoke router. The configurations in the output given below have been made on the router.<br />Which command or set of commands will complete the next step in the configuration on the spoke router?

A. Router1(config-if)#tunnel protection ipsec profile MYIPSECPROFILE

B. Router1(config-if)#ip nhrp network-id 1
Router1(config-if)#ip nhrp authentication HdRtKqX5ZdYaZQjSYPqb
Router1(config-if)#ip nhrp nhs 10.1.1.1
Router1(config-if)#ip nhrp map multicast 172.17.0.1
Router1(config-if)#ip nhrp map

C. Router1(config)#interface Tunnel 0
Router1(config-if)#tunnel mode gre multipoint
Router1(config-if)#tunnel source GigabitEthernet0/0
Router1(config-if)#tunnel key 12345

D. Router1(config-if)#ip address 10.1.1.2 255.255.0.0
Router1(config-if)#ip mtu 1400

When using double or triple authentication for Cisco AnyConnect SSL VPN users, what combinations are possible? (Choose three)

A. RSA/SDI + LDAP authentication

B. LDAP authentication + RADIUS

C. RSA/SDI + RADIUS

D. Certificates + RADIUS + RSA/SDI

E. Certificates + RADIUS

During which phase of the SSL/TLS session establishment and key management does data transfer begin?

A. Phase 2: server certificate and key exchange

B. Phase 3: client certificate (if required) and key exchange

C. Phase 4: finish

D. Phase 1: establish client-server security capabilities

What are the two aspects of effectively managing the VPN users and their access privileges in any remote access VPN design? (Choose two)

A. Authentication is achieved by using a user's organization group information and other attributes, such as endpoint security posture and time of day

B. A scalable and secure solution to authenticate users

C. Assignments allow an SSL VPN gateway to assign the user to a policy group

D. Decisions on what access privilege to grant to the users based on various user and security attributes

What should you consider when using a PKI obtained certificate for server authentication? (Choose two)

A. The appliance will create a self-signed certificate to sign certificates that are issued to clients

B. You can configure the Cisco ASA to obtain an identity certificate from the external PKI

C. The self-signed certificate authentication method is recommended

D. Clients should have a CA certificate that is installed locally

What common clientless SSL VPN issue involves troubleshooting by analyzing the integration with an external server such as Cisco Identity Services Engine?

A. A clientless SSL VPN is not enabled on the interface

B. Mismatch between one supported SSL cipher and another supported SSL cipher

C. Mismatch between client-side and server-side SSL ports

D. Authentication, when offloaded to external databases

The Cisco ASA uses a hierarchical policy inheritance model.
Which user policies would have the highest priority using this model?

A. Group Policy attached to the connection profile

B. User profile

C. DfltGrpPolicy settings

D. DAP rules

E. Group Policy attached to the user profile

When configuring router-to-ASA FlexVPN, what match statement rules should you keep in mind? (Choose two)

A. An IKEv2 policy can match multiple FVRF statements

B. An IKEv2 policy can have only one match address local statement

C. An IKEv2 policy can have only one match FVRF statement

D. There is no precedence between match statements of different types

What is the role of the responder in IKEv2 DoS prevention? (Choose two)

A. Limiting the resources that it is willing to devote to new connections

B. Consuming CPU resources by doing the cryptography

C. Allocating no memory until the initiator has proven that it can receive messages at the address that it claims to be sending from

D. Consuming memory resources by remembering the state of the "half open" connections until they time out

What should you keep in mind in a configuration scenario that uses the local CA function on the Cisco ASA CA user accounts? (Choose two)

A. A certificate-to-connection profile map that binds the user certificate to a connection profile must exist

B. The FQDN includes information like the organizational unit

C. Certificate-based authentication in the required connection profiles is enabled by default

D. Organizational units contain values that are frequently mapped in identity certificates

What is involved when configuring basic IKE peering using PSKs? (Choose two)

A. Using a RSA exchange of an appropriate strength (group) to provide keying material to IKE and IPSec

B. Using appropriate session lifetimes

C. Using an encryption and hashing algorithm to guarantee confidentiality and authentication of the key management session

D. Using PSKs for mutual authentication

When configuring an IPSec profile to support IKEv2 and Cisco AnyConnect, what should you do immediately after enabling IKEv2 on the outside interface, choosing an interface certificate, and enabling Client Services?

A. Create an IKEv2 group

B. Connect and update the client profile

C. Create and edit a Cisco AnyConnect connection profile

D. Create and edit a client connection profile

You are configuring Cisco SSL VPN plugins. Once you have imported the plugins to the Cisco Adaptive Security Appliance.
What further actions can you take? (Choose two)

A. If you are using bookmarks, you can add protocols

B. You can confirm them in the SSL VPN portal

C. You can apply the bookmarks list using the import webvpn url-list command

D. You need to authorize plugin use in group policies

Which statements best describe two-factor authentication? (Choose two)

A. It has a username prefill feature

B. ASA validates the certificate and then prompts for credentials

C. It is enabled in the Group Policy

D. You can combine machine certificate validation with user password authentication when using the username prefill feature

What should you consider when using a hub-and-spoke FlexVPN deployment model? (Choose two)

A. An external AAA server should be used on the hub site

B. The configured payload feature is required

C. All traffic between spoke networks must flow through the hub router

D. Each spoke router must be configured with a point-to-point interface to the hub

What should you consider when defining an IP address pool? (Choose two)

A. By default, no assignment methods are enabled

B. IP addresses that are assigned to the VPN clients will be used as the inner AnyConnect IP addresses

C. The virtual VPN adapter is created during the VPN establishment phase in addition to any physical adapters on the client endpoint

D. The inner IP address is applied to the virtual VPN adapter on the server

When troubleshooting a connectivity issue, what can be used to verify that a Cisco AnyConnect connection is using IPSec/IKEv2?

A. IP Source Guard

B. Botnet Traffic Filter

C. HTTP Inspector

D. Cisco AnyConnect Secure Mobility Client Statistics tab

What are the features of DTLS? (Choose two)

A. It provides a low-latency data path using TCP

B. It is based on the stream-oriented TLS protocol

C. It is defined in RFC 4345

D. It mitigates latency and bandwidth problems that are associated with some SSL-only connections

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?