Implementing Cisco Secure Mobility Solutions v15.1

Exam contains 26 questions

When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?

  • A. dynamic access policy attributes
  • B. group policy attributes
  • C. connection profile attributes
  • D. user attributes


Answer : A

Which of the following could be used to configure remote access VPN Host-scan and pre-login policies?

  • A. ASDM
  • B. Connection-profile CLI command
  • C. Host-scan CLI command under the VPN group policy
  • D. Pre-login-check CLI command


Answer : A

Which two RADIUS attributes are needed for a VRF-aware FlexVPN hub? (Choose two.)

  • A. ip:interface-config=ip unnumbered loopbackn
  • B. ip:interface-config=ip vrf forwarding ivrf
  • C. ip:interface-config=ip src route
  • D. ip:interface-config=ip next hop
  • E. ip:interface-config=ip neighbor 0.0.0.0


Answer : A,B

Which type of NHRP packet is unique to Phase 3 DMVPN topologies?

  • A. resolution request
  • B. resolution reply
  • C. redirect
  • D. registration request
  • E. registration reply
  • F. error indication


Answer : C

When using clientless SSL VPN, you might not want some applications or web resources to go through the Cisco ASA appliance. For these applications and web resources, as a Cisco ASA administrator, which configuration should you use?

  • A. Configure the Cisco ASA appliance for split tunneling.
  • B. Configure network access exceptions in the SSL VPN customization editor.
  • C. Configure the Cisco ASA appliance to disable content rewriting.
  • D. Configure the Cisco ASA appliance to enable URL Entry bypass.
  • E. Configure smart tunnel to bypass the Cisco ASA appliance proxy function.


Answer : C

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_web.html

Content Rewrite -
The Content Rewrite pane lists all applications for which content rewrite is enabled or disabled.
Clientless SSL VPN processes application traffic through a content transformation/rewriting engine that includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to proxy HTTP traffic which may have different semantics and access control rules depending on whether the user is using an application within or independently of an SSL VPN device.
By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want some applications and web resources (for example, public websites) to go through the security appliance. The security appliance therefore lets you create rewrite rules that let users browse certain sites and applications without going through the security appliance.
This is similar to split-tunneling in an IPSec VPN connection.
You can create multiple rewrite rules. The rule number is important because the security appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches.

Which command enables the router to form EIGRP neighbor adjacencies with peers using a different subnet than the ingress interface?

  • A. ip unnumbered interface
  • B. eigrp router-id
  • C. passive-interface interface name
  • D. ip split-horizon eigrp as number


Answer : A

A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message:
The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.
Which option is the likely cause of this issue?

  • A. This Cisco ASA firewall has experienced a failure.
  • B. The user is entering an incorrect password.
  • C. The user’s operating system is not supported with the ASA’s current configuration.
  • D. The user laptop clock is not synchronized with NTP.


Answer : A

Which transform set is contained in the IKEv2 default proposal?

  • A. aes-cbc-192, sha256, group 14
  • B. 3des, md5, group 7
  • C. 3des, sha1, group 1
  • D. aes-cbc-128, sha, group 5


Answer : D

Which technology can provide high availability for an SSL VPN?

  • A. DMVPN
  • B. a multiple-tunnel configuration
  • C. a Cisco ASA pair in active/passive failover configuration
  • D. certificate to tunnel group maps


Answer : C

Refer to the exhibit.


The user "contractor" inherits which VPN group policy?

  • A. employee
  • B. management
  • C. DefaultWEBVPNGroup
  • D. DfltGrpPolicy
  • E. new_hire


Answer : D

Which three settings are required for crypto map configuration? (Choose three.)

  • A. match address
  • B. set peer
  • C. set transform-set
  • D. set security-association lifetime
  • E. set security-association level per-host
  • F. set pfs


Answer : A,B,C

Which Cisco firewall platform supports Cisco NGE?

  • A. FWSM
  • B. Cisco ASA 5505
  • C. Cisco ASA 5580
  • D. Cisco ASA 5525-X


Answer : D

Refer to the exhibit.


The "level_2" digital certificate was installed on a laptop.
What can cause an "invalid not active" status message?

  • A. On first use, a CA server-supplied passphrase is entered to validate the certificate.
  • B. A "newly installed" digital certificate does not become active until it is validated by the peer device upon its first usage.
  • C. The user has not clicked the Verify button within the Cisco VPN Client.
  • D. The CA server and laptop PC clocks are out of sync.


Answer : D

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
Certificates have a date and time that they become valid and that they expire. When the security appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time is within the valid range for the certificate. If it is outside that range, enrollment fails.
The same would apply to communication between the ASA and the PC.

Which three types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL VPN portal? (Choose three.)

  • A. HTTP
  • B. VNC
  • C. CIFS
  • D. RDP
  • E. HTTPS
  • F. ICA (Citrix)


Answer : A,C,E





An engineer wants to ensure that employees cannot access corporate resources on untrusted networks, but does not want a new VPN session to be established each time they leave the trusted network. Which Cisco AnyConnect Trusted Network Policy option allows this ability?

  • A. Pause
  • B. Connect
  • C. Do Nothing
  • D. Disconnect


Answer : A
