Ensurepass.com : Ensure you pass the IT Exams
2018 Aug Cisco Official New Released 300-209
Implementing Cisco Secure Mobility Solutions
Question No: 161
You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto ipsec command on the headend router, you see the following output. What does this output suggest?
1d00h: IPSec (validate_proposal): transform proposal (port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable
A. Phase 1 policy does not match on both sides.
B. The Phase 2 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. The crypto map is not applied on the remote peer.
E. The Phase 1 transform set does not match on both sides.
Answer: B
Question No: 162
Refer to the exhibit.
A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action can bring up the VPN tunnel?
A. Increase the maximum SA limit on the local Cisco ASA.
B. Correct the crypto access list on both Cisco ASA devices.
C. Remove the maximum SA limit on the remote Cisco ASA.
D. Reduce the maximum SA limit on the local Cisco ASA.
E. Correct the IP address in the local and remote crypto maps.
F. Increase the maximum SA limit on the remote Cisco ASA.
Answer: A
Question No: 163
An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a Web browser. What is a possible reason for the failure?
A. The user's FTP application is not supported.
B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.
C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.
D. The user's operating system is not supported.
Answer: B
Reference: http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70664-IOSthinclient.html
Thin-Client SSL VPN (Port Forwarding)
A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.
Question No: 164
Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel?
A. show crypto ipsec sa
B. show crypto isakmp sa
C. show crypto ikev2 sa
D. show ip nhrp
Answer: C
Question No: 165
Which algorithm is an example of asymmetric encryption?
A. RC4
B. AES
C. ECDSA
D. 3DES
Answer: C
Question No: 166
What does NHRP stand for?
A. Next Hop Resolution Protocol
B. Next Hop Registration Protocol
C. Next Hub Routing Protocol
D. Next Hop Routing Protocol
Answer: A
Question No: 167
Refer to the exhibit.
You are configuring a laptop with the Cisco VPN Client, which uses digital certificates for authentication.
Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?
A. FTP
B. LDAP
C. HTTPS
D. SCEP
E. OCSP
Answer: D
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html
About CRLs
Certificate Revocation Lists provide the security appliance with one means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a part of the configuration of a trustpoint.
You can configure the security appliance to make CRL checks mandatory when authenticating a certificate (revocation-check crl command). You can also make the CRL check optional by adding the none argument (revocation-check crl none command), which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data.
The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a length of time configurable for each trustpoint. When the security appliance has cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication requires checking the stale CRL.
Question No: 168
Refer to the exhibit.
Which two characteristics of the VPN implementation are evident? (Choose two.)
A. dual DMVPN cloud setup with dual hub
B. DMVPN Phase 3 implementation
C. single DMVPN cloud setup with dual hub
D. DMVPN Phase 1 implementation
E. quad DMVPN cloud with quadra hub
F. DMVPN Phase 2 implementation
Answer: B,C
Question No: 169
Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)
A. key encryption key
B. group encryption key
C. user encryption key
D. traffic encryption key
Answer: A,D
Question No: 170
To change the title panel on the logon page of the Cisco IOS WebVPN portal, which file must you configure?
A. Cisco IOS WebVPN customization template
B. Cisco IOS WebVPN customization general
C. web-access-hlp.inc
D. app-access-hlp.inc
Answer: A