aiotestking uk

300-209 Exam Questions - Online Test


300-209 Premium VCE File

Learn More 100% Pass Guarantee - Dumps Verified - Instant Download
150 Lectures, 20 Hours

Q1. Which option describes the purpose of the command show derived-config interface virtual-access 1? 

A. It verifies that the virtual access interface is cloned correctly with per-user attributes. 

B. It verifies that the virtual template created the tunnel interface. 

C. It verifies that the virtual access interface is of type Ethernet. 

D. It verifies that the virtual access interface is used to create the tunnel interface. 

Answer:

Q2. You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command must you configure on the virtual template? 

A. tunnel protection ipsec 

B. ip virtual-reassembly 

C. tunnel mode ipsec 

D. ip unnumbered 

Answer:

Q3. An administrator desires that when work laptops are not connected to the corporate network, they should automatically initiate an AnyConnect VPN tunnel back to headquarters. Where does the administrator configure this? 

A. Via the svc trusted-network command under the group-policy sub-configuration mode on the ASA 

B. Under the "Automatic VPN Policy" section inside the Anyconnect Profile Editor within ASDM 

C. Under the TNDPolicy XML section within the Local Preferences file on the client computer 

D. Via the svc trusted-network command under the global webvpn sub-configuration mode on the ASA 

Answer:

Q4. Refer to the exhibit. 

The network administrator is adding a new spoke, but the tunnel is not passing traffic. What 

could cause this issue? 

A. DMVPN is a point-to-point tunnel, so there can be only one spoke. 

B. There is no EIGRP configuration, and therefore the second tunnel is not working. 

C. The NHRP authentication is failing. 

D. The transform set must be in transport mode, which is a requirement for DMVPN. 

E. The NHRP network ID is incorrect. 

Answer:

Reference: 

http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#w p1055049 

Q5. Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA appliance that has an invalid IKEv2 configuration? 

A. migrate remote-access ssl overwrite 

B. migrate remote-access ikev2 

C. migrate l2l 

D. migrate remote-access ssl 

Answer:

Explanation: 

Below is a reference for this question: 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html 

If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple. On the command line, enter the migrate command: 

migrate {l2l | remote-access {ikev2 | ssl} | overwrite} 

Things of note: 

Keyword definitions: 

l2l - This converts current IKEv1 l2l tunnels to IKEv2. 

remote access - This converts the remote access configuration. You can convert either the IKEv1 or the SSL tunnel groups to IKEv2. 

overwrite - If you have a IKEv2 configuration that you wish to overwrite, then this keyword converts the current IKEv1 configuration and removes the superfluous IKEv2 configuration. 

Q6. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto ipsec command on the headend router, you see the following output. What does this output suggest? 

1d00h: IPSec (validate_proposal): transform proposal 

(port 3, trans 2, hmac_alg 2) not supported 

1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0 

1d00h: ISAKMP (0:2) SA not acceptable 

A. Phase 1 policy does not match on both sides. 

B. The Phase 2 transform set does not match on both sides. 

C. ISAKMP is not enabled on the remote peer. 

D. The crypto map is not applied on the remote peer. 

E. The Phase 1 transform set does not match on both sides. 

Answer:

Q7. Which feature enforces the corporate policy for Internet access to Cisco AnyConnect VPN users? 

A. Trusted Network Detection 

B. Datagram Transport Layer Security 

C. Cisco AnyConnect Customization 

D. banner message 

Answer:

Q8. Refer to the exhibit. 

Which authentication method was used by the remote peer to prove its identity? 

A. Extensible Authentication Protocol 

B. certificate authentication 

C. pre-shared key 

D. XAUTH 

Answer:

Q9. Which two RADIUS attributes are needed for a VRF-aware FlexVPN hub? (Choose two.) 

A. ip:interface-config=ip unnumbered loobackn 

B. ip:interface-config=ip vrf forwarding ivrf 

C. ip:interface-config=ip src route 

D. ip:interface-config=ip next hop 

E. ip:interface-config=ip neighbor 0.0.0.0 

Answer: A,B 

Q10. When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies? 

A. dynamic access policy attributes 

B. group policy attributes 

C. connection profile attributes 

D. user attributes 

Answer: