300-209 Latest Exam (Aug 2018)

[Free] 2018(Aug) Ensurepass Cisco 300-209 Dumps with VCE and PDF 161-170

August 2, 2018


Implementing Cisco Secure Mobility Solutions

Question No: 161

You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto ipsec command on the headend router, you see the following output. What does this output suggest?

1d00h: IPSec (validate_proposal): transform proposal (port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable

  A. Phase 1 policy does not match on both sides.

  B. The Phase 2 transform set does not match on both sides.

  C. ISAKMP is not enabled on the remote peer.

  D. The crypto map is not applied on the remote peer.

  E. The Phase 1 transform set does not match on both sides.

Answer: B

Question No: 162

Refer to the exhibit.


A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action can bring up the VPN tunnel?

  A. Increase the maximum SA limit on the local Cisco ASA.

  B. Correct the crypto access list on both Cisco ASA devices.

  C. Remove the maximum SA limit on the remote Cisco ASA.

  D. Reduce the maximum SA limit on the local Cisco ASA.

  E. Correct the IP address in the local and remote crypto maps.

  F. Increase the maximum SA limit on the remote Cisco ASA.

Answer: A

Question No: 163

An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a Web browser. What is a possible reason for the failure?

  A. The user's FTP application is not supported.

  B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.

  C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.

  D. The user's operating system is not supported.

Answer: B


http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70664-IOSthinclient.html

Thin-Client SSL VPN (Port Forwarding)

A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.

Question No: 164

Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel?

  A. show crypto ipsec sa

  B. show crypto isakmp sa

  C. show crypto ikev2 sa

  D. show ip nhrp

Answer: C

Question No: 165

Which algorithm is an example of asymmetric encryption?

  A. RC4

  B. AES

  C. ECDSA

  D. 3DES

Answer: C

Question No: 166

What does NHRP stand for?

  A. Next Hop Resolution Protocol

  B. Next Hop Registration Protocol

  C. Next Hub Routing Protocol

  D. Next Hop Routing Protocol

Answer: A

Question No: 167

Refer to the exhibit.


You are configuring a laptop with the Cisco VPN Client, which uses digital certificates for authentication.

Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?

  A. FTP

  B. LDAP

  C. HTTPS

  D. SCEP

  E. OCSP

Answer: D

Explanation:


About CRLs

Certificate Revocation Lists provide the security appliance with one means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a part of the configuration of a trustpoint.

You can configure the security appliance to make CRL checks mandatory when authenticating a certificate (revocation-check crl command). You can also make the CRL check optional by adding the none argument (revocation-check crl none command), which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data.

The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a length of time configurable for each trustpoint. When the security appliance has cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication requires checking the stale CRL.

Question No: 168

Refer to the exhibit.


Which two characteristics of the VPN implementation are evident? (Choose two.)

  A. dual DMVPN cloud setup with dual hub

  B. DMVPN Phase 3 implementation

  C. single DMVPN cloud setup with dual hub

  D. DMVPN Phase 1 implementation

  E. quad DMVPN cloud with quadra hub

  F. DMVPN Phase 2 implementation

Answer: B,C

Question No: 169

Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)

  A. key encryption key

  B. group encryption key

  C. user encryption key

  D. traffic encryption key

Answer: A,D

Question No: 170

To change the title panel on the logon page of the Cisco IOS WebVPN portal, which file must you configure?

  A. Cisco IOS WebVPN customization template

  B. Cisco IOS WebVPN customization general

  C. web-access-hlp.inc

  D. app-access-hlp.inc

Answer: A
