NEW QUESTION 1
Which method dynamically installs the network routes for remote tunnel endpoints?

• A. policy-based routing
• B. CEF
• C. reverse route injection
• D. route filtering

Answer: C

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/12-4t/sec-vpn-availability-12-4t-book/sec-rev-rte-inject.html

NEW QUESTION 2
Which two types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL VPN portal? (Choose two.)

• A. HTTP
• B. ICA (Citrix)
• C. VNC
• D. RDP
• E. CIFS

Answer: DE

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/vpn/asa-94-vpn-config/webvpn-configure-gateway.html

NEW QUESTION 3
Refer to the exhibit.

Which VPN technology is used in the exhibit?

• A. DVTI
• B. VTI
• C. DMVPN
• D. GRE

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/zZ-Archive/IPsec_Virtual_Tunnel_Interface.html#GUID-EB8C433B-2394-42B9-997F-B40803E58A91

NEW QUESTION 4
Refer to the exhibit.
An SSL client is connecting to an ASA headend. The session fails with the message “Connection attempt has timed out. Please verify Internet connectivity.” Based on how the packet is processed, which phase is causing the failure?

• A. phase 9: rpf-check
• B. phase 5: NAT
• C. phase 4: ACCESS-LIST
• D. phase 3: UN-NAT

Answer: D

NEW QUESTION 5
Refer to the exhibit.

All internal clients behind the ASA are port address translated to the public outside interface that has an IP address of 3.3.3.3. Client 1 and client 2 have established successful SSL VPN connections to the ASA. What must be implemented so that "3.3.3.3" is returned from a browser search on the IP address?

• A. Same-security-traffic permit inter-interface under Group Policy
• B. Exclude Network List Below under Group Policy
• C. Tunnel All Networks under Group Policy
• D. Tunnel Network List Below under Group Policy

Answer: D

NEW QUESTION 6
Which requirement is needed to use local authentication for Cisco AnyConnect Secure Mobility Clients that connect to a FlexVPN server?

• A. use of certificates instead of username and password
• B. EAP-AnyConnect
• C. EAP query-identity
• D. AnyConnect profile

Answer: D

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

NEW QUESTION 7
What is a requirement for smart tunnels to function properly?

• A. Java or ActiveX must be enabled on the client machine.
• B. Applications must be UDP.
• C. Stateful failover must not be configured.
• D. The user on the client machine must have admin access.

Answer: A

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111007-smart-tunnel-asa-00.html

NEW QUESTION 8
Which command identifies a Cisco AnyConnect profile that was uploaded to the flash of an IOS router?

• A. svc import profile SSL_profile flash:simos-profile.xml
• B. anyconnect profile SSL_profile flash:simos-profile.xml
• C. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
• D. webvpn import profile SSL_profile flash:simos-profile.xml

Answer: C

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html

NEW QUESTION 9
Refer to the exhibit.

The customer can establish a Cisco AnyConnect connection without using an XML profile. When the host "ikev2" is selected in the AnyConnect drop down, the connection fails. What is the cause of this issue?

• A. The HostName is incorrect.
• B. The IP address is incorrect.
• C. Primary protocol should be SSL.
• D. UserGroup must match connection profile.

Answer: D

Explanation:
Reference: https://community.cisco.com/t5/security-documents/anyconnect-xml-settings/ta-p/3157891

NEW QUESTION 10
Where is split tunneling defined for IKEv2 remote access clients on a Cisco router?

• A. IKEv2 authorization policy
• B. Group Policy
• C. virtual template
• D. webvpn context

Answer: B

NEW QUESTION 11
Cisco AnyConnect Secure Mobility Client has been configured to use IKEv2 for one group of users and SSL for another group. When the administrator configures a new AnyConnect release on the Cisco ASA, the IKEv2 users cannot download it automatically when they connect. What might be the problem?

• A. The XML profile is not configured correctly for the affected users.
• B. The new client image does not use the same major release as the current one.
• C. Client services are not enabled.
• D. Client software updates are not supported with IKEv2.

Answer: C

NEW QUESTION 12
Refer to the exhibit.

Which VPN technology is allowed for users connecting to the Employee tunnel group?

• A. SSL AnyConnect
• B. IKEv2 AnyConnect
• C. crypto map
• D. clientless

Answer: B

NEW QUESTION 13
Which IKE identity does an IOS/IOS-XE headend expect to receive if an IPsec Cisco AnyConnect client uses default settings?

• A. *$SecureMobilityClient$*
• B. *$AnyConnectClient$*
• C. *$RemoteAccessVpnClient$*
• D. *$DfltlkeldentityS*

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

NEW QUESTION 14
Which feature allows the ASA to handle nonstandard applications and web resources so that they display correctly over a clientless SSL VPN connection?

• A. single sign-on
• B. Smart Tunnel
• C. WebType ACL
• D. plug-ins

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_clientless_ssl.html#29951

NEW QUESTION 15
Refer to the exhibit.

Cisco AnyConnect must be set up on a router to allow users to access internal servers 192.168.0.10 and 192.168.0.11. All other traffic should go out of the client's local NIC. Which command accomplishes this configuration?

• A. svc split include 192.168.0.0 255.255.255.0
• B. svc split exclude 192.168.0.0 255.255.255.0
• C. svc split include acl CCNP
• D. svc split exclude acl CCNP

Answer: C

NEW QUESTION 16
Refer to the exhibit.

Which two commands under the tunnel-group webvpn-attributes result in a Cisco AnyConnect user receiving the AnyConnect prompt in the exhibit? (Choose two.)

• A. group-url https://172.16.31.10/General enable
• B. group-policy General internal
• C. authentication aaa
• D. authentication certificate
• E. group-alias General enable

Answer: BE

NEW QUESTION 17
An engineer is troubleshooting a new DMVPN setup on a Cisco IOS router. After the show crypto isakmp sa command is issued, a response is returned of "MM_NO_STATE." Why does this failure occur?

• A. The ISAKMP policy priority values are invalid.
• B. ESP traffic is being dropped.
• C. The Phase 1 policy does not match on both devices.
• D. Tunnel protection is not applied to the DMVPN tunnel.

Answer: B

NEW QUESTION 18
Which statement about GETVPN is true?

• A. The configuration that defines which traffic to encrypt originates from the key server.
• B. TEK rekeys can be load-balanced between two key servers operating in COOP.
• C. The pseudotime that is used for replay checking is synchronized via NTP.
• D. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.

Answer: A

NEW QUESTION 19
Which VPN does VPN load balancing on the ASA support?

• A. VTI
• B. IPsec site-to-site tunnels
• C. L2TP over IPsec
• D. Cisco AnyConnect

Answer: D

NEW QUESTION 20
Refer to the exhibit.

Which two tunnel types produce the show crypto ipsec sa output seen in the exhibit? (Choose two.)

• A. crypto map
• B. DMVPN
• C. GRE
• D. FlexVPN
• E. VTI

Answer: BE

NEW QUESTION 21
In a FlexVPN deployment, the spokes successfully connect to the hub, but spoke-to-spoke tunnels do not form. Which troubleshooting step solves the issue?

• A. Verify the spoke configuration to check if the NHRP redirect is enabled.
• B. Verify that the spoke receives redirect messages and sends resolution requests.
• C. Verify the hub configuration to check if the NHRP shortcut is enabled.
• D. Verify that the tunnel interface is contained within a VRF.

Answer: B

Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-summ-maps.pdf

NEW QUESTION 22
Refer to the exhibit.

Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?

• A. dns-server value 10.1.1.2
• B. same-security-traffic permit intra-interface
• C. same-security-traffic permit inter-interface
• D. dns-server value 10.1.1.3

Answer: B

NEW QUESTION 23
Refer to the exhibit.

The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?

• A.
• B.
• C.
• D.

Answer: C

Explanation:
Reference: https://community.cisco.com/t5/vpn/starting-anyconnect-vpn-through-rdp-session-on-cisco-891/td-p/2128284

NEW QUESTION 24
......