CCNP Security Practice Test | Secure Mobility (SIMOS)

You are troubleshooting a failed clientless SSL VPN session establishment. Which two utilities can be used to query the DNS server to troubleshoot issues why the browser cannot resolve the SSL VPN portal's URL? (Choose two)

A. arp

B. dig

C. traceroute

D. ping

E. nslookup

Which tasks are the client generally responsible for in the SSL server authentication? (Choose three)

A. Sending a hello message informing of the preferred cipher suite

B. Sending a hello done message

C. Verifying the certificate to ensure it has been issued by a trusted CA

D. Generating random numbers to use as a shared session key

E. Starting the exchange by sending the client a hello message

When using smart tunnel-based application access with SSL VPN, what happens directly after a user connects and authenticates to the SSL VPN portal?

A. The SSL VPN gateway establishes a TCP connection with the real target server and acts as a data relay between the two TCP sessions

B. A smart tunnel configuration downloads and executes the smart tunnel agent on the client system

C. The smart tunnel applet intercepts the TCP connection of the Lotus Sametime client to the real server and forwards the TCP connection to the existing SSL VPN session

D. The SSL VPN gateway extracts the TCP session from the SSL VPN session

How can Cisco ASA assign IP addresses in an SSL VPN full tunnel solution? (Choose three)

A. Use an IP address connection profile that is configured on the Cisco ASA, and assign the profile to a default or custom address pool

B. Use a Group Policy that is configured on the Cisco ASA, and assign the policy to an IP address pool

C. Use an IP address pool that is configured on the Cisco ASA, and assign the pool to a default or custom Group Policy

D. Use an IP address pool that is configured on the Cisco ASA, and assign the pool to a default or custom connection profile

E. Configure the IP addresses as a part of the user account in the local user database, and enable per-user IP addresses

What improvements does IKEv2 provide to IKEv1? (Choose three)

A. Supports dynamically addressed peers with PKI-facilitated authentication

B. Built-in DPD

C. Supports PFS to ensure that a given IPSec SA key is not derived from another secret

D. Better rekeying and collision handling

E. Requires fewer round trips

Which command is used to verify NHRP mapping information on a DMVPN?

A. show dmvpn detail

B. show ip route

C. show ip nhrp nhs detail

D. show ip nhrp

E. show interface tunnel

When configuring router-to-ASA FlexVPN, what match statement rules should you keep in mind? (Choose two)

A. An IKEv2 policy can match multiple FVRF statements

B. An IKEv2 policy can have only one match address local statement

C. An IKEv2 policy can have only one match FVRF statement

D. There is no precedence between match statements of different types

Which Cisco ASA application plugin allows for connections to WinFrame-based terminal services?

A. SSH

B. RDP2

C. VNC

D. ICA

E. RDP

How do nonrepudiation methods provide cryptographic proof of a transaction? (Choose three)

A. The signature can be generated only by the private key owner

B. The hashing algorithm secures the key

C. Digital signatures are used

D. The signature is stored by the receiver as a proof

Which SSL VPN portal home page view enables you to verify smart tunnels when they have been configured to start manually?

A. Web Applications

B. VNC Connections

C. Application Access

D. Browse Networks

What are the three VPN connection technologies? (Choose three)

A. Full-tunnel client-based IPSec VPN

B. Clientless SSL VPN

C. Full-tunnel clientless LTO VPN

D. Full-tunnel client-based SSL VPN

Which information can be obtained using the ASDM when monitoring a Cisco AnyConnect VPN on a server? (Choose three)

A. Applied access rules

B. Applied group policy

C. Connection profile

D. Transport protocol

E. Botnet activity

Which three operating systems support the AnyConnect 3.1 IPv6 feature? (Choose three)

A. Windows XP (32-bit)

B. Red Hat Enterprise Linux 6.4 (64-bit)

C. Windows 8.1 (64-bit)

D. Windows Vista (64-bit)

E. Mac OS X 10.6

How is external authorization in AnyConnect SSL VPNs monitored? (Choose two)

A. You can view the downloaded ACL in the ASDM or CLI

B. The Cisco ISE authorization policy selects an authorization profile

C. ISE uses a connection profile to authenticate a user against the ASA

D. The authorization profile is based on the cisco-av-pair=ip:acl attribute

Which statement regarding the FLEX VPN IKEv2 Smart Defaults feature is true?

A. The default mode for the default transform set is tunnel.

B. The default parameters can be modified.

C. The default configuration is displayed by running the show running-config command.

D. Disabling this feature will retain any user modification.

Which command can be used to verify that DTLS is being used as the transport protocol for a Cisco AnyConnect VPN?

A. show version

B. show traffic

C. show ssh sessions

D. show vpn-sessiondb

Which of the protocols transmit data in plaintext and are susceptible to man-in-the-middle attacks? (Choose three)

A. Telnet

B. HTTP

C. HTTPS

D. FTP

Which statements regarding the verification of DMVPN full-mesh routing and IKE peering are true? (Choose two)

A. Multiple IKE sessions are established.

B. Direct routes to other spokes exist from the spoke.

C. A single IKE session is created.

D. Spokes are reachable over the hub.

Which command would be used to verify the number of encrypted and decrypted packets?

A. show crypto ipsec sa

B. show ip route

C. show interface ipsec tunnel

D. show interface tunnel

Which commands can be used to restore the original IKEv2 Smart Defaults values? (Choose two)

A. default crypto ipsec transform-set

B. default crypto ikev2 proposal

C. no crypto ipsec transform-set default

D. no crypto ikev2 proposal default

What is the role of the responder in IKEv2 DoS prevention? (Choose two)

A. Limiting the resources that it is willing to devote to new connections

B. Consuming CPU resources by doing the cryptography

C. Allocating no memory until the initiator has proven that it can receive messages at the address that it claims to be sending from

D. Consuming memory resources by remembering the state of the "half open" connections until they time out

Which two protocols are used for full client and clientless connections by Cisco VPNs? (Choose two)

A. SSL

B. Site-to-site

C. SHA

D. IPSec

What should you keep in mind in a configuration scenario that uses the local CA function on the Cisco ASA CA user accounts? (Choose two)

A. A certificate-to-connection profile map that binds the user certificate to a connection profile must exist

B. The FQDN includes information like the organizational unit

C. Certificate-based authentication in the required connection profiles is enabled by default

D. Organizational units contain values that are frequently mapped in identity certificates

A tunnel is not forming between two spokes. Which of the following should you verify? (Choose two)

A. NHRP redirect is enabled on the hub

B. NHRP shortcut is enabled on the spoke

C. SA states on the hub and spoke

D. Connectivity between the hub and the spoke

What are the features of DTLS? (Choose two)

A. It provides a low-latency data path using TCP

B. It is based on the stream-oriented TLS protocol

C. It is defined in RFC 4345

D. It mitigates latency and bandwidth problems that are associated with some SSL-only connections

When configuring HA headended designs, at least how many tunnels should be configured on each branch?

A. One

B. Three

C. Four

D. Two

AES is an example of what?

A. Symmetric algorithm

B. Hash algorithm

C. Asymmetric algorithm

D. Diffie-Hellman algorithm

Which steps are required to configure basic peer authentication for point-to-point tunnels on the Cisco ASA? (Choose three)

A. Choose the transform set and VPN peer

B. Enable IKEv1, IKEv2, or both on an interface

C. Choose traffic for the VPN

D. Configure PSKs

E. Configure IKE policy

When implementing a basic Cisco AnyConnect SSL VPN solution, what is used to specify whether all IP traffic is protected?

A. Local address pool

B. Self-signed certificate

C. Split tunneling

D. Local user database

Which statements best describe the handshake phase of SSL connections? (Choose two)

A. SSL encrypts the data traffic and ensures data confidentiality and integrity

B. It typically uses RSA as the public key algorithm

C. It ensures authentication of the server and, optionally, of the client

D. Data integrity is achieved using message digest algorithms such as MD5 and SHA-1

Which information is used to determine whether a tunnel negotiated via Phase 2 is operating?

A. Inbound ESP SA

B. IKE state

C. Encrypted and decrypted packets

D. Local and remote Crypto endpoints

Which two protocols can be used for IPSec VTI encapsulation? (Choose two)

A. IKE

B. ISAKMP

C. AH

D. ESP

You need to verify the presence of H and NHO routes added by NHRP on a spoke router. Which command will allow you to complete this task?

A. show ip route

B. show crypto key mypubkey ec

C. show ip interface brief

D. show ip nhrp

Which type of certificate is required for clientless SSL VPN connections to the Cisco ASA?

A. Code signing

B. User

C. Web server

D. Wildcard

You are configuring basic Cisco AnyConnect SSL VPN on the Cisco ASA.
During which step in the process would you configure split tunneling?

A. Configuring identity NAT for client access

B. Enabling Cisco AnyConnect SSL VPN on ASA

C. Edit the default connection profile or create a custom one

D. Edit the default Group Policy or create a custom one

A DMVPN cloud topology can support either a hub-and-spoke or a spoke-to-spoke deployment model. What are characteristics of the hub-and-spoke model? (Choose two)

A. It provides a scalable configuration model for all involved devices

B. It requires each branch to be configured with an mGRE interface in which dynamic spoke-to-spoke tunnels are used for the spoke-to-spoke traffic

C. It provides scalable configuration to the hub router

D. It requires each branch to be configured with a point-to-point GRE interface to the hub

Which statements best describe shortcut switching? (Choose two)

A. DMVPN provides a scalable configuration model for all involved devices

B. Each spoke router must be configured with a point-to-point interface to the hub

C. All traffic between spoke networks must flow through the hub router

D. Each branch must be configured with a tunnel interface in which dynamic Spoke-to-Spoke tunnels are used for the spoke-to-spoke traffic

Which statement best describes the purpose of Cisco IPSec VTI?

A. It is designed to provide a mix of security services in IPv4 and IPv6

B. It ensures that a given IPSec SA key was not derived from another secret

C. It is designed to provide crypto-graphically based transmission security to IP traffic

D. It can be used to configure IPSec-based VPNs between site-to-site devices

Which two site-to-site VPN technologies natively support IP Multicasts? (Choose two)

A. IPSec VPN

B. DMVPN

C. FlexVPN

D. GETVPN

When enabling smart tunnels in the clientless SSL VPN access, what kind of information can you specify? (Choose three)

A. Bookmarks for the security appliance to display

B. Application list entries

C. Smart tunnel session log off method

D. Auto sign-on server list entries

E. Port forwarding list entries

Which troubleshooting command can be used to monitor an active view of AnyConnect client web browser SSL sessions?

A. debug webvpn util

B. debug webvpn html

C. debug webvpn url

D. debug webvpn svc

The Cisco ASA uses a hierarchical policy inheritance model.
Which user policies would have the highest priority using this model?

A. Group Policy attached to the connection profile

B. User profile

C. DfltGrpPolicy settings

D. DAP rules

E. Group Policy attached to the user profile

Which component is responsible for group key and SA management in a GET VPN deployment?

A. Perfect Forward Secrecy

B. Group Member

C. Key Server

D. Group Domain of Interpretation

Which two modes identify the phase one ISAKMP operation modes? (Choose two)

A. SA mode

B. Main mode

C. Aggressive mode

D. Transport mode

Which attribute is used to push WebVPN ACEs to clientless SSL VPN sessions?

A. cisco-av-pair=ip:inacl

B. cisco-av-pair=webvpn:inacl

C. IE-Proxy-Exception-List

D. IETF-Radius-Class

Which three statements are true regarding clientless SSL VPN solutions? (Choose three)

A. They do not require any special software.

B. They can be used to access CIFS file shares.

C. They can use IPSec VPN connections.

D. They provide browser-based access to resources.

E. They cannot access applications that use static TCP ports.

What are the two aspects of effectively managing the VPN users and their access privileges in any remote access VPN design? (Choose two)

A. Authentication is achieved by using a user's organization group information and other attributes, such as endpoint security posture and time of day

B. A scalable and secure solution to authenticate users

C. Assignments allow an SSL VPN gateway to assign the user to a policy group

D. Decisions on what access privilege to grant to the users based on various user and security attributes

What information should you consider when monitoring AnyConnect SSL VPNs on the client? (Choose two)

A. Use the Details button to display additional information

B. Split tunneling routes show the subnets that are reachable through tunnel

C. You can select the appropriate access method in ASDM monitoring

D. The monitoring options are in the AnyConnect GUI

Which of the three tools are used with a VPN to combat man-in-the-middle attacks? (Choose three)

A. Packet integrity checking

B. Encryption

C. Device authentication

D. Sequence number randomizing

What does SSL/TLS provide? (Choose two)

A. Data integrity to ensure that data hasn't been modified in transit

B. Endpoint authentication on the server only

C. Support for native application clients

D. Encryption to ensure data is only readable by the intended recipient

You have been notified by a user that they are unable to connect an application with a clientless SSL VPN smart tunnel. However, they can connect a different application. What should you do first to troubleshoot this issue?

A. Verify automatic start configuration.

B. Verify Cisco ASA access control.

C. Verify browser Java/ActiveX functions.

D. Verify the application name.

You are creating an IKEv2 policy. Which command will ensure that a packet has not been modified during transit?

A. ASA(config-ikev2-policy)#integrity md5

B. ASA(config-ikev2-policy)#hash sha

C. ASA(config-ikev2-policy)#group 5

D. ASA(config-ikev2-policy)#encryption aes-256

When verifying and troubleshooting Cisco AnyConnect IPSec VPN, which tab of the AnyConnect Secure Mobility Client window allows you to confirm that the client has used IPSec/IKEv2 to connect by viewing the transport information?

A. Route Details

B. Firewall

C. Statistics

D. Message History

E. Preferences

Which set of commands will correctly configure the local authorization policy?

A. Router(config)#crypto ikev2 authorization policy policy1
Router(config-ikev2-author-policy)#pool flex-pool
Router(config-ikev2-author-policy)#def-domain brocadero.com
Router(config-ikev2-author-policy)#route set interface
Rout

B. Router(config-ikev2-profile)#virtual-template 1

C. Router(config)#crypto ipsec profile default
Router(ipsec-profile)#set ikev2-profile default

D. Router(config)#aaa new-model
Router(config)#aaa authorization network list1 local

Which site-to-site technology combines IKE/IKEv2, AH, and ESP into a security framework?

A. DMVPN

B. IPSec

C. FlexVPN

D. GET VPN

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?