aiotestking uk

300-209 Exam Questions - Online Test


300-209 Premium VCE File

Learn More 100% Pass Guarantee - Dumps Verified - Instant Download
150 Lectures, 20 Hours

Q1. Refer to the exhibit. 

Which type of VPN is being configured, based on the partial configuration snippet? 

A. DMVPN with dual hub 

B. GET VPN with dual group member 

C. FlexVPN backup gateway 

D. GET VPN with COOP key server 

E. FlexVPN load balancer 

Answer:

Q2. A user is unable to establish an AnyConnect VPN connection to an ASA. When using the Real-Time Log viewer within ASDM to troubleshoot the issue, which two filter options would the administrator choose to show only syslog messages relevant to the VPN connection? (Choose two.) 

A. Client's public IP address 

B. Client's operating system 

C. Client's default gateway IP address 

D. Client's username 

E. ASA's public IP address 

Answer: A,D 

Q3. Where is split-tunneling defined for remote access clients on an ASA? 

A. Group-policy 

B. Tunnel-group 

C. Crypto-map 

D. Web-VPN Portal 

E. ISAKMP client 

Answer:

Q4. Which statement is true when implementing a router with a dynamic public IP address in a crypto map based site-to-site VPN? 

A. The router must be configured with a dynamic crypto map. 

B. Certificates are always used for phase 1 authentication. 

C. The tunnel establishment will fail if the router is configured as a responder only. 

D. The router and the peer router must have NAT traversal enabled. 

Answer:

Q5. Scenario 

Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation. 

Note: Not all screens or option selections are active for this exercise. 

Topology 

Default_Home 

What two actions will be taken on translated packets when the AnyConnect users connect to the ASA? (Choose two.) 

A. No action will be taken, they will keep their original assigned addresses 

B. The source address will use the outside-nat-pool 

C. The source NAT type will be a static translation 

D. The source NAT type will be a dynamic translation 

E. DNS will be translated on rule matches 

Answer: A,C 

Explanation: 

First, navigate to the Configuration ->NAT Rules tab to see this: 

Here we see that NAT rule 2 applies to the AnyConnect clients, click on this rule for more details to see the following: 

Here we see that it is a static source NAT entry, but that the Source and Destination addresses remain the original IP address so they are not translated. 

Q6. Which two statements describe effects of the DoNothing option within the untrusted network policy on a Cisco AnyConnect profile? (Choose two.) 

A. The client initiates a VPN connection upon detection of an untrusted network. 

B. The client initiates a VPN connection upon detection of a trusted network. 

C. The always-on feature is enabled. 

D. The always-on feature is disabled. 

E. The client does not automatically initiate any VPN connection. 

Answer: A,D 

Q7. Based on the provided ASDM configuration for the remote ASA, which one of the following is correct?

A. An access-list must be configured on the outside interface to permit inbound VPN traffic 

B. A route to 192.168.22.0/24 will not be automatically installed in the routing table 

C. The ASA will use a window of 128 packets (64x2) to perform the anti-replay check _ 

D. The tunnel can also be established on TCP port 10000 

Answer:

Explanation: 

Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets. 

Q8. In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require? 

A. Virtual tunnel interface 

B. Multipoint GRE interface 

C. Point-to-point GRE interface 

D. Loopback interface 

Answer:

Q9. Refer to the exhibit. 

Which two statements about the given configuration are true? (Choose two.) 

A. Defined PSK can be used by any IPSec peer. 

B. Any router defined in group 2 will be allowed to connect. 

C. It can be used in a DMVPN deployment 

D. It is a LAN-to-LAN VPN ISAKMP policy. 

E. It is an AnyConnect ISAKMP policy. 

F. PSK will not work as configured 

Answer: A,C 

Q10. Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2 connection, while SSL works fine? (Choose two.) 

A. Verify that the primary protocol on the client machine is set to IPsec. 

B. Verify that AnyConnect is enabled on the correct interface. 

C. Verify that the IKEv2 protocol is enabled on the group policy. 

D. Verify that ASDM and AnyConnect are not using the same port. 

E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint. 

Answer: A,C