Get Full Version of the Exam
http://www.EnsurePass.com/300-209.html
Question No.181
Refer to the exhibit. You have implemented an SSL VPN as shown. Which type of communication takes place between the secure gateway R1 and the Cisco Secure ACS?
A. HTTP proxy
B. AAA
C. policy
D. port forwarding
Correct Answer: B
Question No.182
Refer to the exhibit. Which exchange does this debug output represent?
A. IKE Phase 1
B. IKE Phase 2
C. symmetric key exchange
D. certificate exchange
Correct Answer: A
Question No.183
Which two are characteristics of GETVPN? (Choose two.)
A. The IP header of the encrypted packet is preserved.
B. A key server is elected among all configured Group Members.
C. Unique encryption keys are computed for each Group Member.
D. The same key encryption key and traffic encryption key are distributed to all Group Members.
Correct Answer: AD
Question No.184
What is the Cisco recommended TCP maximum segment size on a DMVPN tunnel interface when the MTU is set to 1400 bytes?
A. 1160 bytes
B. 1260 bytes
C. 1360 bytes
D. 1240 bytes
Correct Answer: C
Question No.185
An administrator wishes to limit the networks reachable over the AnyConnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and 209.165.202.128/27?
A.
access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitlist
B.
access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list value splitlist
C.
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
 split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
D.
access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect vpn-tunnel-network-list splitlist
E.
crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
Correct Answer: A
Question No.186
When the Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?
A. dynamic access policy attributes
B. group policy attributes
C. connection profile attributes
D. user attributes
Correct Answer: A
Question No.187
An administrator wants work laptops that are not connected to the corporate network to automatically initiate an AnyConnect VPN tunnel back to headquarters. Where does the administrator configure this?
A. Via the svc trusted-network command under the group-policy sub-configuration mode on the ASA
B. Under the "Automatic VPN Policy" section inside the AnyConnect Profile Editor within ASDM
C. Under the TNDPolicy XML section within the Local Preferences file on the client computer
D. Via the svc trusted-network command under the global webvpn sub-configuration mode on the ASA
Correct Answer: B
Question No.188
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?
A. IPsec user profile
B. Crypto Map
C. Group Policy
D. IPsec Policy
E. IKE Policy
Correct Answer: B
Question No.189
Refer to the exhibit. The "level_2" digital certificate was installed on a laptop. What can cause an "invalid not active" status message?
A. On first use, a CA server-supplied passphrase is entered to validate the certificate.
B. A "newly installed" digital certificate does not become active until it is validated by the peer device upon its first usage.
C. The user has not clicked the Verify button within the Cisco VPN Client.
D. The CA server and laptop PC clocks are out of sync.
Correct Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
Certificates have a date and time at which they become valid and a date and time at which they expire. When the security appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time is within the valid range for the certificate. If it is outside that range, enrollment fails.
The same validity-period check applies to certificate-based communication between the ASA and the PC, so a clock that is out of sync with the CA can make a freshly issued certificate appear "not yet active".
Question No.190
You are troubleshooting a DMVPN NHRP registration failure. Which command can you use to view request counters?
A. show ip nhrp nhs detail
B. show ip nhrp tunnel
C. show ip nhrp incomplete
D. show ip nhrp incomplete tunnel tunnel_interface_number
Correct Answer: A