Q1. Which protocols does the Cisco AnyConnect client use to build multiple connections to the security appliance?
A. TLS and DTLS
B. IKEv1
C. L2TP over IPsec
D. SSH over TCP
Answer: A
Q2. Which command clears all crypto configuration from a Cisco Adaptive Security Appliance?
A. clear configure crypto
B. clear configure crypto ipsec
C. clear crypto map
D. clear crypto ikev2 sa
Answer: A
Q3. On which Cisco platform are dynamic virtual template interfaces available?
A. Cisco Adaptive Security Appliance 5585-X
B. Cisco Catalyst 3750X
C. Cisco Integrated Services Router Generation 2
D. Cisco Nexus 7000
Answer: C
Q4. Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.)
A. transform set
B. ISAKMP policy
C. ACL that defines traffic to encrypt
D. dynamic routing protocol
E. tunnel interface
F. IPsec profile
G. PSK or PKI trustpoint with certificate
Answer: A,B,G
Q5. Which of the following could be used to configure remote access VPN Host-scan and pre-login policies?
A. ASDM
B. Connection-profile CLI command
C. Host-scan CLI command under the VPN group policy
D. Pre-login-check CLI command
Answer: A
Q6. What are two benefits of DMVPN Phase 3? (Choose two.)
A. Administrators can use summarization of routing protocol updates from hub to spokes.
B. It introduces hierarchical DMVPN deployments.
C. It introduces non-hierarchical DMVPN deployments.
D. It supports L2TP over IPsec as one of the VPN protocols.
Answer: A,B
Q7. Which protocol can be used for better throughput performance when using Cisco AnyConnect VPN?
A. TLSv1
B. TLSv1.1
C. TLSv1.2
D. DTLSv1
Answer: D
Q8. You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto ipsec command on the headend router, you see the following output. What does this output suggest?
1d00h: IPSec (validate_proposal): transform proposal (port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable
A. Phase 1 policy does not match on both sides.
B. The Phase 2 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. The crypto map is not applied on the remote peer.
E. The Phase 1 transform set does not match on both sides.
Answer: B
Q9. Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.
Topology
Which address range will be assigned to the AnyConnect users?
A. 10.10.15.40-50/24
B. 209.165.201.20-30/24
C. 192.168.1.100-150/24
D. 10.10.15.20-30/24
Answer: D
Explanation:
First, navigate to the Configuration -> Remote Access VPN tab and then choose the “AnyConnect Connection Profile” as shown below:
Then, clicking on the AnyConnect Profile at the bottom will bring you to the edit page shown below:
From here, click the Select button on the “VPN_Address_Pool” and you will see the following pools defined:
Here we see that the VPN_Address_Pool contains the IP address range of 10.10.15.20-10.10.15.30/24.
Q10. Which three types of SSO functionality are available on the Cisco ASA without any external SSO servers? (Choose three.)
A. SAML
B. HTTP POST
C. HTTP Basic
D. NTLM
E. Kerberos
F. OAuth 2.0
Answer: B,C,D