Q1. Scenario:
You are the senior network security administrator for your organization. Recently and junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
In what state is the IKE security association in on the Cisco ASA?
A. There are no security associations in place
B. MM_ACTIVE
C. ACTIVE(ACTIVE)
D. QM_IDLE
Answer: B
Explanation:
This can be seen from the "show crypto isa sa" command:
Q2. What is the default topology type for a GET VPN?
A. point-to-point
B. hub-and-spoke
C. full mesh
D. on-demand spoke-to-spoke
Answer: C
Q3. In the Diffie-Hellman protocol, which type of key is the shared secret?
A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key
Answer: A
Q4. Which feature is enabled by the use of NHRP in a DMVPN network?
A. host routing with Reverse Route Injection
B. BGP multiaccess
C. host to NBMA resolution
D. EIGRP redistribution
Answer: C
Q5. You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which command must you configure on the virtual template?
A. tunnel protection ipsec
B. ip virtual-reassembly
C. tunnel mode ipsec
D. ip unnumbered
Answer: D
Q6. Which option is one component of a Public Key Infrastructure?
A. the Registration Authority
B. Active Directory
C. RADIUS
D. TACACS+
Answer: A
Q7. An administrator wishes to limit the networks reachable over the Anyconnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and 209.165.202.128/27?
A. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitlist
B. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value splitlist
C. group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
D. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect vpn-tunnel-network-list splitlist
E. crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
Answer: A
Q8. A customer requires all traffic to go through a VPN. However, access to the local network is also required. Which two options can enable this configuration? (Choose two.)
A. split exclude
B. use of an XML profile
C. full tunnel by default
D. split tunnel
E. split include
Answer: A,B
Q9. Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco NGE supported VPN solution?
A. AES-GCM and SHA-2
B. 3DES and DH
C. AES-CBC and SHA-1
D. 3DES and SHA-1
Answer: A
Q10. Which technology can you implement to reduce latency issues associated with a Cisco AnyConnect VPN?
A. DTLS
B. SCTP
C. DCCP
D. SRTP
Answer: A