Q1. Which command is used to determine how many GMs have registered in a GETVPN environment?
A. show crypto isakmp sa
B. show crypto gdoi ks members
C. show crypto gdoi gm
D. show crypto ipsec sa
E. show crypto isakmp sa count
Answer: B
Q2. CORRECT TEXT
Scenario
You are the network security administrator for your organization. Your company is growing and a remote branch office is being created. You are tasked with configuring your headquarters Cisco ASA to create a site-to-site IPsec VPN connection to the branch office Cisco ISR. The branch office ISR has already been deployed and configured and you need to complete the IPsec connectivity configurations on the HQ ASA to bring the new office online.
Use the following parameters to complete your configuration using ASDM. For this exercise, not all ASDM screens are active.
. Enable IKEv1 on outside I/F for Site-to-site VPN
. Add a Connection Profile with the following parameters:
. Peer IP: 203.0.113.1
. Connection name: 203.0.113.1
. Local protected network: 10.10.9.0/24
. Remote protected network: 10.11.11.0/24
. Group Policy Name: use the default policy name supplied
. Preshared key: cisco
. Disable IKEv2
. Encryption Algorithms: use the ASA defaults
. Disable pre-configured NAT for testing of the IPsec tunnel
. Disable the outside NAT pool rule
. Establish the IPsec tunnel by sending ICMP pings from the Employee PC to the Branch Server at IP address 10.11.11.20
. Verify tunnel establishment in ASDM VPN Statistics> Sessions window pane
You have completed this exercise when you have successfully configured, established, and verified site-to-site IPsec connectivity between the ASA and the Branch ISR.
Topology
Answer: Review the explanation for detailed answer steps.
Explanation:
First, click on Configuration ->Site-to-Site VPN to bring up this screen:
Click on “allow IKE v1 Access” for the outside per the instructions as shown below:
Then click apply at the bottom of the page. This will bring up the following pop up message:
Click on Send.
Next, we need to set up the connection profile. From the connection profile tab, click on “Add”
Then, fill in the information per the instructions as shown below:
Hit OK and you should see this:
To test this, we need to disable NAT. Go to Configuration -> Firewall -> NAT rules and you should see this:
Click on Rule 1 to get the details and you will see this:
We need to uncheck the “Enable rule” button on the bottom. It might also be a good idea to uncheck the “Translate DNS replies that match the rule” but it should not be needed. Then, go back to the topology:
Click on Employee PC, and you will see a desktop with a command prompt shortcut. Use this to ping the IP address of 10.11.11.20 and you should see replies:
We can also verify by viewing the VPN Statistics -> Sessions and see the bytes in/out incrementing as shown below:
Q3. Refer to the exhibit.
After the configuration is performed, which combination of devices can connect?
A. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name of "cisco.com"
B. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 or a certificate with subject name containing "cisco.com"
C. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 and a certificate with subject name containing "cisco.com"
D. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name containing "cisco.com"
Answer: D
Q4. Refer to the exhibit.
Which authentication method was used by the remote peer to prove its identity?
A. Extensible Authentication Protocol
B. certificate authentication
C. pre-shared key
D. XAUTH
Answer: C
Q5. Where is split-tunneling defined for remote access clients on an ASA?
A. Group-policy
B. Tunnel-group
C. Crypto-map
D. Web-VPN Portal
E. ISAKMP client
Answer: A
Q6. Which command identifies an AnyConnect profile that was uploaded to the router flash?
A. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
B. svc import profile SSL_profile flash:simos-profile.xml
C. anyconnect profile SSL_profile flash:simos-profile.xml
D. webvpn import profile SSL_profile flash:simos-profile.xml
Answer: A
Q7. CORRECT TEXT
Scenario:
You are the network security manager for your organization. Your manager has received a request to allow an external user to access to your HQ and DM2 servers. You are given the following connection parameters for this task.
Using ASDM on the ASA, configure the parameters below and test your configuration by accessing the Guest PC. Not all AS DM screens are active for this exercise. Also, for this exercise, all changes are automatically applied to the ASA and you will not have to click APPLY to apply the changes manually.
. Enable Clientless SSL VPN on the outside interface
. Using the Guest PC, open an Internet Explorer window and test and verify the basic connection to the SSL VPN portal using address: https://vpn-secure-x.public
. a. You may notice a certificate error in the status bar, this can be ignored for this exercise
. b. Username: vpnuser
. c. Password: cisco123
. d. Logout of the portal once you have verified connectivity
. Configure two bookmarks with the following parameters:
. a. Bookmark List Name: MY-BOOKMARKS
. b. Use the: URL with GET or POST method
. c. Bookmark Title: HQ-Server
. i. http://10.10.3.20
. d. Bookmark Title: DMZ-Server-FTP
. i. ftp://172.16.1.50
. e. Assign the configured Bookmarks to:
. i. DfltGrpPolicy
. ii. DfltAccessPolicy
. iii. LOCAL User: vpnuser
. From the Guest PC, reconnect to the SSL VPN Portal
. Test both configured Bookmarks to ensure desired connectivity
You have completed this exercise when you have configured and successfully tested Clientless SSL VPN connectivity.
Topology:
Answer: Please find the solution in below explanation.
Explanation:
First, enable clientless VPN access on the outside interface by checking the box found below:
Then, log in to the given URL using the vpnuser/cisco123 credentials:
Logging in will take you to this page, which means you have now verified basic connectivity:
Now log out by hitting the logout button.
Now, go back to the ASDM and navigate to the Bookmarks portion:
Make the name MY-BOOKMARKS and use the “Add” tab and add the bookmarks per the instructions:
Ensure the “URL with GET of POST method” button is selected and hit OK:
Add the two bookmarks as given in the instructions:
You should now see the two bookmarks listed:
Hit OK and you will see this:
Select the MY-BOOKMARKS Bookmarks and click on the “Assign” button. Then, click on the appropriate check boxes as specified in the instructions and hit OK.
After hitting OK, you will now see this:
Then, go back to the Guest-PC, log back in and you should be able to test out the two new bookmarks.
Q8. Which technology must be installed on the client computer to enable users to launch applications from a Clientless SSL VPN?
A. Java
B. QuickTime plug-in
C. Silverlight
D. Flash
Answer: A
Q9. Which option describes the purpose of the shared argument in the DMVPN interface command tunnel protection IPsec profile ProfileName shared?
A. shares a single profile between multiple tunnel interfaces
B. allows multiple authentication types to be used on the tunnel interface
C. shares a single profile between a tunnel interface and a crypto map
D. shares a single profile between IKEv1 and IKEv2
Answer: A
Q10. A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889?
A. auto applet download
B. port forwarding
C. web-type ACL
D. HTTP proxy
Answer: B