Cisco 300-209

Implementing Cisco Secure Mobility Solutions

Version: 6.0
 Cisco 300-209 Exam
QUESTION NO: 1

Which two are characteristics of GETVPN? (Choose two.)

A. The IP header of the encrypted packet is preserved

B. A key server is elected among all configured Group Members
C. Unique encryption keys are computed for each Group Member
D. The same key encryption and traffic encryption keys are distributed to all Group Members

Answer: A,D
Explanation:

QUESTION NO: 2

A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid
configuration constructs on a Cisco IOS router? (Choose two.)

A. crypto ikev2 keyring keyring-name

peer peer1
address 209.165.201.1 255.255.255.255
pre-shared-key local key1
pre-shared-key remote key2
B. crypto ikev2 transform-set transform-set-name
esp-3des esp-md5-hmac
esp-aes esp-sha-hmac
C. crypto ikev2 map crypto-map-name
set crypto ikev2 tunnel-group tunnel-group-name
set crypto ikev2 transform-set transform-set-name
D. crypto ikev2 tunnel-group tunnel-group-name
match identity remote address 209.165.201.1
authentication local pre-share
authentication remote pre-share
E. crypto ikev2 profile profile-name
match identity remote address 209.165.201.1
authentication local pre-share
authentication remote pre-share

Answer: A,E
Explanation:

QUESTION NO: 3

"Pass Any Exam. Any Time." - www.actualtests.com 2

 Cisco 300-209 Exam
Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.)

A. authenticates group members

B. manages security policy
C. creates group keys
D. distributes policy/keys
E. encrypts endpoint traffic
F. receives policy/keys
G. defines group members

Answer: A,B,C,D
Explanation:

QUESTION NO: 4

Where is split-tunneling defined for remote access clients on an ASA?

A. Group-policy
B. Tunnel-group
C. Crypto-map
D. Web-VPN Portal
E. ISAKMP client

Answer: A
Explanation:

QUESTION NO: 5

Which of the following could be used to configure remote access VPN Host-scan and pre-login
policies?

A. ASDM
B. Connection-profile CLI command
C. Host-scan CLI command under the VPN group policy
D. Pre-login-check CLI command

Answer: A
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 3

 Cisco 300-209 Exam
QUESTION NO: 6

In FlexVPN, what command can an administrator use to create a virtual template interface that
can be configured and applied dynamically to create virtual access interfaces?

A. interface virtual-template number type template

B. interface virtual-template number type tunnel
C. interface template number type virtual
D. interface tunnel-template number

Answer: B
Explanation: Hello - here is a reference an explanation that can be included with this test.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-
spoke.html#GUID-4A10927D-4C6A-4202-B01C-DA7E462F5D8A

Configuring the Virtual Tunnel Interface on FlexVPN Spoke

SUMMARY STEPS
1. enable
2. configure terminal
3. interface virtual-template number type tunnel
4. ip unnumbered tunnel number
5. ip nhrp network-id number
6. ip nhrp shortcut virtual-template-number
7. ip nhrp redirect [timeout seconds]
8. exit

QUESTION NO: 7

In FlexVPN, what is the role of a NHRP resolution request?

A. It allows these entities to directly communicate without requiring traffic to use an intermediate
hop
B. It dynamically assigns VPN users to a group
C. It blocks these entities from to directly communicating with each other
D. It makes sure that each VPN spoke directly communicates with the hub

Answer: A
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 4

 Cisco 300-209 Exam

QUESTION NO: 8

What are three benefits of deploying a GET VPN? (Choose three.)

A. It provides highly scalable point-to-point topologies.

B. It allows replication of packets after encryption.
C. It is suited for enterprises running over a DMVPN network.
D. It preserves original source and destination IP address information.
E. It simplifies encryption management through use of group keying.
F. It supports non-IP protocols.

Answer: B,D,E
Explanation:

QUESTION NO: 9

What is the default topology type for a GET VPN?

A. point-to-point
B. hub-and-spoke
C. full mesh
D. on-demand spoke-to-spoke

Answer: C
Explanation:

QUESTION NO: 10

Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)

A. key encryption key

B. group encryption key
C. user encryption key
D. traffic encryption key

Answer: A,D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 5

 Cisco 300-209 Exam

QUESTION NO: 11

What are the three primary components of a GET VPN network? (Choose three.)

A. Group Domain of Interpretation protocol

B. Simple Network Management Protocol
C. server load balancer
D. accounting server
E. group member
F. key server

Answer: A,E,F
Explanation:

QUESTION NO: 12

Which two IKEv1 policy options must match on each peer when you configure an IPsec site-to-site
VPN? (Choose two.)

A. priority number
B. hash algorithm
C. encryption algorithm
D. session lifetime
E. PRF algorithm

Answer: B,C
Explanation:

QUESTION NO: 13

Which two parameters are configured within an IKEv2 proposal on an IOS router? (Choose two.)

A. authentication
B. encryption
C. integrity
D. lifetime

Answer: B,C

"Pass Any Exam. Any Time." - www.actualtests.com 6

 Cisco 300-209 Exam
Explanation:

QUESTION NO: 14

In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require?

A. Virtual tunnel interface

B. Multipoint GRE interface
C. Point-to-point GRE interface
D. Loopback interface

Answer: B
Explanation:

QUESTION NO: 15

Refer to the exhibit.

After the configuration is performed, which combination of devices can connect?

A. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a

certificate with subject name of "cisco.com"
B. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 or
a certificate with subject name containing "cisco.com"
C. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155
and a certificate with subject name containing "cisco.com"
D. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a
certificate with subject name containing "cisco.com"

"Pass Any Exam. Any Time." - www.actualtests.com 7

 Cisco 300-209 Exam
Answer: D
Explanation:

QUESTION NO: 16

Which three settings are required for crypto map configuration? (Choose three.)

A. match address
B. set peer
C. set transform-set
D. set security-association lifetime
E. set security-association level per-host
F. set pfs

Answer: A,B,C
Explanation:

QUESTION NO: 17

A network is configured to allow clientless access to resources inside the network. Which feature
must be enabled and configured to allow SSH applications to respond on the specified port 8889?

A. auto applet download

B. port forwarding
C. web-type ACL
D. HTTP proxy

Answer: B
Explanation:

QUESTION NO: 18

Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the
certificate has changed and the connection fails.

What is a possible cause of the connection failure?

"Pass Any Exam. Any Time." - www.actualtests.com 8

 Cisco 300-209 Exam
A. An invalid modulus was used to generate the initial key.
B. The VPN is using an expired certificate.
C. The Cisco ASA appliance was reloaded.
D. The Trusted Root Store is configured incorrectly.

Answer: C
Explanation:

QUESTION NO: 19

In the Cisco ASDM interface, where do you enable the DTLS protocol setting?

A. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit
> Add or Edit Internal Group Policy
B. Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users >
Add or Edit
C. Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account >
VPN Policy > SSL VPN Client
D. Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit

Answer: C
Explanation: The reference:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect20/administrative/
guide/admin/admin5.html

Shows where DTLS can be configured as:

• Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit >
Add or Edit Internal Group Policy > Advanced > SSL VPN Client

• Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users >
Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client

•Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account >
VPN Policy > SSL VPN Client

QUESTION NO: 20

What are two forms of SSL VPN? (Choose two.)

"Pass Any Exam. Any Time." - www.actualtests.com 9

 Cisco 300-209 Exam
A. port forwarding
B. Full Tunnel Mode
C. Cisco IOS WebVPN
D. Cisco AnyConnect

Answer: A,B
Explanation:

QUESTION NO: 21

When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?

A. dynamic access policy attributes

B. group policy attributes
C. connection profile attributes
D. user attributes

Answer: A
Explanation:

QUESTION NO: 22

What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)

A. CSCO_WEBVPN_OTP_PASSWORD
B. CSCO_WEBVPN_INTERNAL_PASSWORD
C. CSCO_WEBVPN_USERNAME
D. CSCO_WEBVPN_RADIUS_USER

Answer: B,C
Explanation:

QUESTION NO: 23

To change the title panel on the logon page of the Cisco IOS WebVPN portal, which file must you
configure?

A. Cisco IOS WebVPN customization template

"Pass Any Exam. Any Time." - www.actualtests.com 10

 Cisco 300-209 Exam
B. Cisco IOS WebVPN customization general
C. web-access-hlp.inc
D. app-access-hlp.inc

Answer: A
Explanation:

QUESTION NO: 24

Which three plugins are available for clientless SSL VPN? (Choose three.)

A. CIFS
B. RDP2
C. SSH
D. VNC
E. SQLNET
F. ICMP

Answer: B,C,D
Explanation:

QUESTION NO: 25

Which command simplifies the task of converting an SSL VPN to an IKEv2 VPN on a Cisco ASA
appliance that has an invalid IKEv2 configuration?

A. migrate remote-access ssl overwrite

B. migrate remote-access ikev2
C. migrate l2l
D. migrate remote-access ssl

Answer: A
Explanation: Below is a reference for this question:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-
firewalls/113597-ptn-113597.html

If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process
simple. On the command line, enter the migrate command:

migrate {l2l | remote-access {ikev2 | ssl} | overwrite}

"Pass Any Exam. Any Time." - www.actualtests.com 11

 Cisco 300-209 Exam
Things of note:

Keyword definitions:

l2l - This converts current IKEv1 l2l tunnels to IKEv2.

remote access - This converts the remote access configuration. You can convert either the IKEv1
or the SSL tunnel groups to IKEv2.

overwrite - If you have a IKEv2 configuration that you wish to overwrite, then this keyword converts
the current IKEv1 configuration and removes the superfluous IKEv2 configuration.

QUESTION NO: 26

Which statement describes a prerequisite for single-sign-on Netegrity Cookie Support in an IOC
SSL VPN?

A. The Cisco AnyConnect Secure Mobility Client must be installed in flash.

B. A SiteMinder plug-in must be installed on the Cisco SSL VPN gateway.
C. A Cisco plug-in must be installed on a SiteMinder server.
D. The Cisco Secure Desktop software package must be installed in flash.

Answer: C
Explanation:

QUESTION NO: 27

Which two statements describe effects of the DoNothing option within the untrusted network policy
on a Cisco AnyConnect profile? (Choose two.)

A. The client initiates a VPN connection upon detection of an untrusted network.

B. The client initiates a VPN connection upon detection of a trusted network.
C. The always-on feature is enabled.
D. The always-on feature is disabled.
E. The client does not automatically initiate any VPN connection.

Answer: A,D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 12

 Cisco 300-209 Exam

QUESTION NO: 28

Which command enables IOS SSL VPN Smart Tunnel support for PuTTY?

A. appl ssh putty.exe win

B. appl ssh putty.exe windows
C. appl ssh putty
D. appl ssh putty.exe

Answer: B
Explanation:

QUESTION NO: 29

Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure
Desktop? (Choose three.)

A. IKEv1
B. IKEv2
C. SSL client
D. SSL clientless
E. ESP
F. L2TP

Answer: B,C,D
Explanation:

QUESTION NO: 30

A user is unable to establish an AnyConnect VPN connection to an ASA. When using the Real-
Time Log viewer within ASDM to troubleshoot the issue, which two filter options would the
administrator choose to show only syslog messages relevant to the VPN connection? (Choose
two.)

A. Client's public IP address

B. Client's operating system
C. Client's default gateway IP address
D. Client's username

"Pass Any Exam. Any Time." - www.actualtests.com 13

 Cisco 300-209 Exam
E. ASA's public IP address

Answer: A,D
Explanation:

QUESTION NO: 31

Which Cisco ASDM option configures forwarding syslog messages to email?

A. Configuration > Device Management > Logging > E-Mail Setup

B. Configuration > Device Management > E-Mail Setup > Logging Enable
C. Select the syslogs to email, click Edit, and select the Forward Messages option.
D. Select the syslogs to email, click Settings, and specify the Destination Email Address option.

Answer: A
Explanation:

QUESTION NO: 32

Which Cisco ASDM option configures WebVPN access on a Cisco ASA?

A. Configuration > WebVPN > WebVPN Access

B. Configuration > Remote Access VPN > Clientless SSL VPN Access
C. Configuration > WebVPN > WebVPN Config
D. Configuration > VPN > WebVPN Access

Answer: B
Explanation:

QUESTION NO: 33

A user with IP address 10.10.10.10 is unable to access a HTTP website at IP address

209.165.200.225 through a Cisco ASA. Which two features and commands will help troubleshoot
the issue? (Choose two.)

A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10
any
B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer

"Pass Any Exam. Any Time." - www.actualtests.com 14

 Cisco 300-209 Exam
command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
C. Enable logging at level 1 and check the syslogs using commands logging enable, logging
buffered 1 and show logging | include 10.10.10.10
D. Check if an access-list on the firewall is blocking the user by using command show running-
config access-list | include 10.10.10.10
E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234192.168.1.3 161 to
see what the firewall is doing with the user's traffic

Answer: A,B
Explanation:

QUESTION NO: 34

A Cisco router may have a fan issue that could increase its temperature and trigger a failure. What
troubleshooting steps would verify the issue without causing additional risks?

A. Configure logging using commands "logging on", "logging buffered 4", and check for fan failure
logs using "show logging"
B. Configure logging using commands "logging on", "logging buffered 6", and check for fan failure
logs using "show logging"
C. Configure logging using commands "logging on", "logging discriminator msglog1 console 7",
and check for fan failure logs using "show logging"
D. Configure logging using commands "logging host 10.11.10.11", "logging trap 2", and check for
fan failure logs at the syslog server 10.11.10.11

Answer: A
Explanation:

QUESTION NO: 35

An internet-based VPN solution is being considered to replace an existing private WAN connecting
remote offices. A multimedia application is used that relies on multicast for communication.
Which two VPN solutions meet the application's network requirement? (Choose two.)

A. FlexVPN
B. DMVPN
C. Group Encrypted Transport VPN
D. Crypto-map based Site-to-Site IPsec VPNs
E. AnyConnect VPN

Answer: A,B

"Pass Any Exam. Any Time." - www.actualtests.com 15

 Cisco 300-209 Exam
Explanation:

QUESTION NO: 36

A private wan connection is suspected of intermittently corrupting data. Which technology can a
network administrator use to detect and drop the altered data traffic?

A. AES-128
B. RSA Certificates
C. SHA2-HMAC
D. 3DES
E. Diffie-Helman Key Generation

Answer: C
Explanation:

QUESTION NO: 37

A company needs to provide secure access to its remote workforce. The end users use public
kiosk computers and a wide range of devices. They will be accessing only an internal web
application. Which VPN solution satisfies these requirements?

A. Clientless SSLVPN
B. AnyConnect Client using SSLVPN
C. AnyConnect Client using IKEv2
D. FlexVPN Client
E. Windows built-in PPTP client

Answer: A
Explanation:

QUESTION NO: 38

A network administrator is configuring AES encryption for the ISAKMP policy on an IOS router.
Which two configurations are valid? (Choose two.)

A. crypto isakmp policy 10

encryption aes 254

"Pass Any Exam. Any Time." - www.actualtests.com 16

 Cisco 300-209 Exam
B. crypto isakmp policy 10
encryption aes 192
C. crypto isakmp policy 10
encryption aes 256
D. crypto isakmp policy 10
encryption aes 196
E. crypto isakmp policy 10
encryption aes 199
F. crypto isakmp policy 10
encryption aes 64

Answer: B,C
Explanation:

QUESTION NO: 39

Which two qualify as Next Generation Encryption integrity algorithms? (Choose two.)

A. SHA-512
B. SHA-256
C. SHA-192
D. SHA-380
E. SHA-192
F. SHA-196

Answer: A,B
Explanation:

QUESTION NO: 40

Which statement is true when implementing a router with a dynamic public IP address in a crypto
map based site-to-site VPN?

A. The router must be configured with a dynamic crypto map.

B. Certificates are always used for phase 1 authentication.
C. The tunnel establishment will fail if the router is configured as a responder only.
D. The router and the peer router must have NAT traversal enabled.

Answer: C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 17

 Cisco 300-209 Exam

QUESTION NO: 41

Which two statements are true when designing a SSL VPN solution using Cisco AnyConnect?
(Choose two.)

A. The VPN server must have a self-signed certificate.

B. A SSL group pre-shared key must be configured on the server.
C. Server side certificate is optional if using AAA for client authentication.
D. The VPN IP address pool can overlap with the rest of the LAN networks.
E. DTLS can be enabled for better performance.

Answer: D,E
Explanation:

QUESTION NO: 42

Which two features are required when configuring a DMVPN network? (Choose two.)

A. Dynamic routing protocol

B. GRE tunnel interface
C. Next Hop Resolution Protocol
D. Dynamic crypto map
E. IPsec encryption

Answer: B,C
Explanation:

QUESTION NO: 43

What are two benefits of DMVPN Phase 3? (Choose two.)

A. Administrators can use summarization of routing protocol updates from hub to spokes.
B. It introduces hierarchical DMVPN deployments.
C. It introduces non-hierarchical DMVPN deployments.
D. It supports L2TP over IPSec as one of the VPN protocols.

Answer: A,B
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 18

 Cisco 300-209 Exam

QUESTION NO: 44

Which are two main use cases for Clientless SSL VPN? (Choose two.)

A. In kiosks that are part of a shared environment

B. When the users do not have admin rights to install a new VPN client
C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP
D. To create VPN site-to-site tunnels in combination with remote access

Answer: A,B
Explanation:

QUESTION NO: 45

Which technology can rate-limit the number of tunnels on a DMVPN hub when system utilization is
above a specified percentage?

A. NHRP Event Publisher

B. interface state control
C. CAC
D. NHRP Authentication
E. ip nhrp connect

Answer: C
Explanation:

QUESTION NO: 46

Which technology supports tunnel interfaces while remaining compatible with legacy VPN
implementations?

A. FlexVPN
B. DMVPN
C. GET VPN
D. SSL VPN

Answer: A

"Pass Any Exam. Any Time." - www.actualtests.com 19

 Cisco 300-209 Exam
Explanation:

QUESTION NO: 47

Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices?

A. IKEv2 Suite-B
B. IKEv2 proposals
C. IKEv2 profiles
D. IKEv2 Smart Defaults

Answer: D
Explanation:

QUESTION NO: 48

When an IPsec SVTI is configured, which technology processes traffic forwarding for encryption?

A. ACL
B. IP routing
C. RRI
D. front door VPN routing and forwarding

Answer: B
Explanation:

QUESTION NO: 49

An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate
FTP site with a Web browser. What is a possible reason for the failure?

A. The user's FTP application is not supported.

B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.
C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.
D. The user's operating system is not supported.

Answer: B
Explanation: http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70664-

"Pass Any Exam. Any Time." - www.actualtests.com 20

 Cisco 300-209 Exam
IOSthinclient.html

Thin-Client SSL VPN (Port Forwarding)

A remote client must download a small, Java-based applet for secure access of TCP applications
that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP,
IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are
made to files on the local machine. This method of SSL VPN does not work with applications that
use dynamic port assignments, for example, several FTP applications.

QUESTION NO: 50

A Cisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can
access file shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco
IOS router and the Windows server?

A. HTTPS
B. NetBIOS
C. CIFS
D. HTTP

Answer: C
Explanation:

QUESTION NO: 51

You are configuring a Cisco IOS SSL VPN gateway to operate with DVTI support. Which
command must you configure on the virtual template?

A. tunnel protection ipsec

B. ip virtual-reassembly
C. tunnel mode ipsec
D. ip unnumbered

Answer: D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 21

 Cisco 300-209 Exam
QUESTION NO: 52

Which protocol supports high availability in a Cisco IOS SSL VPN environment?

A. HSRP
B. VRRP
C. GLBP
D. IRDP

Answer: A
Explanation:

QUESTION NO: 53

When you configure IPsec VPN High Availability Enhancements, which technology does Cisco
recommend that you enable to make reconvergence faster?

A. EOT
B. IP SLAs
C. periodic IKE keepalives
D. VPN fast detection

Answer: C
Explanation:

QUESTION NO: 54

Which hash algorithm is required to protect classified information?

A. MD5
B. SHA-1
C. SHA-256
D. SHA-384

Answer: D
Explanation:

QUESTION NO: 55

"Pass Any Exam. Any Time." - www.actualtests.com 22

 Cisco 300-209 Exam
Which cryptographic algorithms are approved to protect Top Secret information?

A. HIPPA DES
B. AES-128
C. RC4-128
D. AES-256

Answer: D
Explanation:

QUESTION NO: 56

Which Cisco firewall platform supports Cisco NGE?

A. FWSM
B. Cisco ASA 5505
C. Cisco ASA 5580
D. Cisco ASA 5525-X

Answer: D
Explanation:

QUESTION NO: 57

Which algorithm is replaced by elliptic curve cryptography in Cisco NGE?

A. 3DES
B. AES
C. DES
D. RSA

Answer: D
Explanation:

QUESTION NO: 58

Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco
NGE supported VPN solution?

"Pass Any Exam. Any Time." - www.actualtests.com 23

 Cisco 300-209 Exam
A. AES-GCM and SHA-2
B. 3DES and DH
C. AES-CBC and SHA-1
D. 3DES and SHA-1

Answer: A
Explanation:

QUESTION NO: 59

An administrator wishes to limit the networks reachable over the Anyconnect VPN tunnels. Which
configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and
209.165.202.128/27?

A. access-list splitlist standard permit 209.165.201.0 255.255.255.224

access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitlist
B. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value splitlist
C. group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
D. access-list splitlist standard permit 209.165.201.0 255.255.255.224
access-list splitlist standard permit 209.165.202.128 255.255.255.224
!
crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect vpn-tunnel-network-list splitlist
E. crypto anyconnect vpn-tunnel-policy tunnelspecified
crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224

Answer: A
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 24

 Cisco 300-209 Exam

QUESTION NO: 60

Which NGE IKE Diffie-Hellman group identifier has the strongest cryptographic properties?

A. group 10
B. group 24
C. group 5
D. group 20

Answer: D
Explanation:

QUESTION NO: 61

What is the Cisco recommended TCP maximum segment on a DMVPN tunnel interface when the
MTU is set to 1400 bytes?

A. 1160 bytes
B. 1260 bytes
C. 1360 bytes
D. 1240 bytes

Answer: C
Explanation:

QUESTION NO: 62

Which technology does a multipoint GRE interface require to resolve endpoints?

A. ESP
B. dynamic routing
C. NHRP
D. CEF
E. IPSec

Answer: C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 25

 Cisco 300-209 Exam

QUESTION NO: 63

Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)

A. SHA (HMAC variant)

B. Diffie-Hellman
C. DES
D. MD5 (HMAC variant)

Answer: A,B
Explanation:

QUESTION NO: 64

Which command configures IKEv2 symmetric identity authentication?

A. match identity remote address 0.0.0.0

B. authentication local pre-share
C. authentication pre-share
D. authentication remote rsa-sig

Answer: D
Explanation:

QUESTION NO: 65

Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)

A. aes-cbc-192, sha256, 14
B. 3des, md5, 5
C. 3des, sha1, 1
D. aes-cbc-128, sha, 5

Answer: B,D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 26

 Cisco 300-209 Exam
QUESTION NO: 66

What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?

A. disk0:/webvpn/{context name}/
B. disk1:/webvpn/{context name}/
C. flash:/webvpn/{context name}/
D. nvram:/webvpn/{context name}/

Answer: C
Explanation:

QUESTION NO: 67

Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?

A. vpn-filter none
B. no vpn-filter
C. filter value none
D. filter value ACLname

Answer: C
Explanation:

QUESTION NO: 68

Which command specifies the path to the Host Scan package in an ASA AnyConnect VPN?

A. csd hostscan path image

B. csd hostscan image path
C. csd hostscan path
D. hostscan image path

Answer: B
Explanation:

QUESTION NO: 69

"Pass Any Exam. Any Time." - www.actualtests.com 27

 Cisco 300-209 Exam

When a tunnel is initiated by the headquarter ASA, which one of the following Diffie-Hellman

"Pass Any Exam. Any Time." - www.actualtests.com 28

 Cisco 300-209 Exam
groups is selected by the headquarter ASA during CREATE_CHILD_SA exchange?

A. 1
B. 2
C. 5
D. 14
E. 19

Answer: C
Explanation:
Traffic initiated by the HQ ASA is assigned to the static outside crypto map, which shown below to
use DH group 5.

QUESTION NO: 70

"Pass Any Exam. Any Time." - www.actualtests.com 29

 Cisco 300-209 Exam

Based on the provided ASDM configuration for the remote ASA, which one of the following is
correct?

A. An access-list must be configured on the outside interface to permit inbound VPN traffic
B. A route to 192.168.22.0/24 will not be automatically installed in the routing table
C. The ASA will use a window of 128 packets (64x2) to perform the anti-replay check _
D. The tunnel can also be established on TCP port 10000

Answer: C
Explanation:
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker
duplicating encrypted packets by assigning a unique sequence number to each encrypted packet.
The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently,

"Pass Any Exam. Any Time." - www.actualtests.com 30

 Cisco 300-209 Exam
the default window size is 64 packets. Generally, this number (window size) is sufficient, but there
are times when you may want to expand this window size. The IPsec Anti-Replay Window:
Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to
keep track of more than 64 packets.

QUESTION NO: 71

"Pass Any Exam. Any Time." - www.actualtests.com 31

 Cisco 300-209 Exam

If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to
encrypt traffic?

A. DES
B. 3DES
C. AES
D. AES192
E. AES256

Answer: E
Explanation:
Both ASA’s are configured to support AES 256, so during the IPSec negotiation they will use the
strongest algorithm that is supported by each peer.

QUESTION NO: 72

"Pass Any Exam. Any Time." - www.actualtests.com 32

 Cisco 300-209 Exam

After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24
network are unable to access the internet. Which of the following can be done to resolve this
problem?

A. Change the Diffie-Hellman group on the headquarter ASA to group5forthe dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEvI configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0

Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the
IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the

"Pass Any Exam. Any Time." - www.actualtests.com 33

 Cisco 300-209 Exam
tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from
192.168.33.0/24 to 192.168.22.0/24.

QUESTION NO: 73

"Pass Any Exam. Any Time." - www.actualtests.com 34

 Cisco 300-209 Exam

Which option shows the correct traffic selectors for the child SA on the remote ASA, when the
headquarter ASA initiates the tunnel?

A. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.20.0/0-

192.168.20.255/65535
B. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.22.0/0-
192.168.22.255/65535
C. Local selector 192.168.22.0/0-192.168.22.255/65535 Remote selector 192.168.33.0/0-
192.168.33.255/65535
D. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 0.0.0.0/0 - 0.0.0.0/65535
E. Local selector 0.0.0.0/0 - 0.0.0.0/65535 Remote selector 192.168.22.0/0 -
192.168.22.255/65535

Answer: B
Explanation: The traffic selector is used to determine which traffic should be protected (encrypted
over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over
the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from
192.168.33.0/24 (THE LOCAL SIDE) to 192.168.22.0/24 (THE REMOTE SIDE).

QUESTION NO: 74 CORRECT TEXT

"Pass Any Exam. Any Time." - www.actualtests.com 35

 Cisco 300-209 Exam

"Pass Any Exam. Any Time." - www.actualtests.com 36

 Cisco 300-209 Exam
Answer: Here are the steps as below:
Step 1: configure key ring
crypto ikev2 keyring mykeys
peer SiteB.cisco.com
address 209.161.201.1
pre-shared-key local $iteA
pre-shared key remote $iteB
Step 2: Configure IKEv2 profile
Crypto ikev2 profile default
identity local fqdn SiteA.cisco.com
Match identity remote fqdn SiteB.cisco.com
Authentication local pre-share
Authentication remote pre-share
Keyring local mykeys
Step 3: Create the GRE Tunnel and apply profile
crypto ipsec profile default
set ikev2-profile default
Interface tunnel 0
ip address 10.1.1.1 255.255.255.0
Tunnel source eth 0/0
Tunnel destination 209.165.201.1
tunnel protection ipsec profile default
end

QUESTION NO: 75

A custom desktop application needs to access an internal server. An administrator is tasked with
configuring the company's SSL VPN gateway to allow remote users to work. Which two
technologies would accommodate the company's requirement? (Choose two).

A. AnyConnect client
B. Smart Tunnels
C. Email Proxy
D. Content Rewriter
E. Portal Customizations

Answer: A,B
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 37

 Cisco 300-209 Exam
QUESTION NO: 76

A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing traffic to be
blackholed. Which command should be used to identify the peer from which that route originated?

A. show crypto ikev2 sa detail

B. show crypto route
C. show crypto ikev2 client flexvpn
D. show ip route eigrp
E. show crypto isakmp sa detail

Answer: A
Explanation:

QUESTION NO: 77

Refer to the exhibit.

Which authentication method was used by the remote peer to prove its identity?

A. Extensible Authentication Protocol

B. certificate authentication
C. pre-shared key
D. XAUTH

Answer: C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 38

 Cisco 300-209 Exam

QUESTION NO: 78

Refer to the exhibit.

An IPsec peer is exchanging routes using IKEv2, but the routes are not installed in the RIB. Which
configuration error is causing the failure?

A. IKEv2 routing requires certificate authentication, not pre-shared keys.

B. An invalid administrative distance value was configured.
C. The match identity command must refer to an access list of routes.
D. The IKEv2 authorization policy is not referenced in the IKEv2 profile.

Answer: B
Explanation:

QUESTION NO: 79

Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com 39

 Cisco 300-209 Exam

An administrator is adding IPv6 addressing to an already functioning tunnel. The administrator is

unable to ping 2001:DB8:100::2 but can ping 209.165.200.226. Which configuration needs to be
added or changed?

A. No configuration change is necessary. Everything is working correctly.

B. OSPFv3 needs to be configured on the interface.
C. NHRP needs to be configured to provide NBMA mapping.
D. Tunnel mode needs to be changed to GRE IPv4.
E. Tunnel mode needs to be changed to GRE IPv6.

Answer: D
Explanation:

QUESTION NO: 80

Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com 40

 Cisco 300-209 Exam

The IKEv2 tunnel between Router1 and Router2 is failing during session establishment. Which
action will allow the session to establish correctly?

A. The address command on Router2 must be narrowed down to a /32 mask.

B. The local and remote keys on Router2 must be switched.
C. The pre-shared key must be altered to use only lowercase letters.
D. The local and remote keys on Router2 must be the same.

Answer: B
Explanation:

QUESTION NO: 81

You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing
the debug crypto isakmp command on the headend router, you see the following output. What
does this output suggest?

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0

"Pass Any Exam. Any Time." - www.actualtests.com 41

 Cisco 300-209 Exam
1d00h: ISAKMP (0:1); no offers accepted!

1d00h: ISAKMP (0:1): SA not acceptable!

1d00h: %CRYPTO-6-IKMP_MODE_FAILURE. Processing of Main Mode failed with peer at

10.10.10.10

A. Phase 1 policy does not match on both sides.

B. The transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. There is a mismatch in the ACL that identifies interesting traffic.

Answer: A
Explanation:

QUESTION NO: 82

You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing
the debug crypto ipsec command on the headend router, you see the following output. What does
this output suggest?

1d00h: IPSec (validate_proposal): transform proposal

(port 3, trans 2, hmac_alg 2) not supported

1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0

1d00h: ISAKMP (0:2) SA not acceptable

A. Phase 1 policy does not match on both sides.

B. The Phase 2 transform set does not match on both sides.
C. ISAKMP is not enabled on the remote peer.
D. The crypto map is not applied on the remote peer.
E. The Phase 1 transform set does not match on both sides.

Answer: B
Explanation:

QUESTION NO: 83

Which adaptive security appliance command can be used to see a generic framework of the

"Pass Any Exam. Any Time." - www.actualtests.com 42

 Cisco 300-209 Exam
requirements for configuring a VPN tunnel between an adaptive security appliance and a Cisco
IOS router at a remote office?

A. vpnsetup site-to-site steps

B. show running-config crypto
C. show vpn-sessiondb l2l
D. vpnsetup ssl-remote-access steps

Answer: A
Explanation:

QUESTION NO: 84

After completing a site-to-site VPN setup between two routers, application performance over the
tunnel is slow. You issue the show crypto ipsec sa command and see the following output. What
does this output suggest?

interfacE. Tunnel100

Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10

protected vrF. (none)

local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0)

current_peer 209.165.200.230 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836

#pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211

#pkts compresseD. 0, #pkts decompresseD. 0

#pkts not compresseD. 0, #pkts compr. faileD. 0

#pkts not decompresseD. 0, #pkts decompress faileD. 0

#send errors 0, #recv errors 0

"Pass Any Exam. Any Time." - www.actualtests.com 43

 Cisco 300-209 Exam
A. The VPN has established and is functioning normally.
B. There is an asymmetric routing issue.
C. The remote peer is not receiving encrypted traffic.
D. The remote peer is not able to decrypt traffic.
E. Packet corruption is occurring on the path between the two peers.

Answer: E
Explanation:

QUESTION NO: 85

Which Cisco adaptive security appliance command can be used to view the count of all active
VPN sessions?

A. show vpn-sessiondb summary

B. show crypto ikev1 sa
C. show vpn-sessiondb ratio encryption
D. show iskamp sa detail
E. show crypto protocol statistics all

Answer: A
Explanation:

QUESTION NO: 86

Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com 44

 Cisco 300-209 Exam

An administrator had the above configuration working with SSL protocol, but as soon as the
administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not able to
connect. What is the problem?

A. IPsec will not work in conjunction with a group URL.

B. The Cisco AnyConnect implementation does not allow the two group URLs to be the same.
SSL does allow this.
C. If you specify the primary protocol as IPsec, the User Group must be the exact name of the
connection profile (tunnel group).
D. A new XML profile should be created instead of modifying the existing profile, so that the clients
force the update.

Answer: C
Explanation:

QUESTION NO: 87

The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error
message is displayed:

"Login Denied, unauthorized connection mechanism, contact your administrator"

"Pass Any Exam. Any Time." - www.actualtests.com 45

 Cisco 300-209 Exam
What is the most possible cause of this problem?

A. DAP is terminating the connection because IKEv2 is the protocol that is being used.
B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection.
C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism.
D. The administrator is restricting access to this specific user.
E. The IKEv2 protocol is not enabled in the group policy of the VPN headend.

Answer: E
Explanation:

QUESTION NO: 88

The Cisco AnyConnect client is unable to download an updated user profile from the ASA
headend using IKEv2. What is the most likely cause of this problem?

A. User profile updates are not allowed with IKEv2.

B. IKEv2 is not enabled on the group policy.
C. A new profile must be created so that the adaptive security appliance can push it to the client
on the next connection attempt.
D. Client Services is not enabled on the adaptive security appliance.

Answer: D
Explanation:

QUESTION NO: 89

Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an
IKEv2 connection, while SSL works fine? (Choose two.)

A. Verify that the primary protocol on the client machine is set to IPsec.
B. Verify that AnyConnect is enabled on the correct interface.
C. Verify that the IKEv2 protocol is enabled on the group policy.
D. Verify that ASDM and AnyConnect are not using the same port.
E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.

Answer: A,C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 46

 Cisco 300-209 Exam
QUESTION NO: 90

Regarding licensing, which option will allow IKEv2 connections on the adaptive security
appliance?

A. AnyConnect Essentials can be used for Cisco AnyConnect IKEv2 connections.

B. IKEv2 sessions are not licensed.
C. The Advanced Endpoint Assessment license must be installed to allow Cisco AnyConnect
IKEv2 sessions.
D. Cisco AnyConnect Mobile must be installed to allow AnyConnect IKEv2 sessions.

Answer: A
Explanation:

QUESTION NO: 91

Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com 47

 Cisco 300-209 Exam
The network administrator is adding a new spoke, but the tunnel is not passing traffic. What could
cause this issue?

A. DMVPN is a point-to-point tunnel, so there can be only one spoke.

B. There is no EIGRP configuration, and therefore the second tunnel is not working.
C. The NHRP authentication is failing.
D. The transform set must be in transport mode, which is a requirement for DMVPN.
E. The NHRP network ID is incorrect.

Answer: C
Explanation:

QUESTION NO: 92

What action does the hub take when it receives a NHRP resolution request from a spoke for a
network that exists behind another spoke?

A. The hub sends back a resolution reply to the requesting spoke.

B. The hub updates its own NHRP mapping.
C. The hub forwards the request to the destination spoke.
D. The hub waits for the second spoke to send a request so that it can respond to both spokes.

Answer: C
Explanation:

QUESTION NO: 93

A spoke has two Internet connections for failover. How can you achieve optimum failover without
affecting any other router in the DMVPN cloud?

A. Create another DMVPN cloud by configuring another tunnel interface that is sourced from the
second ISP link.
B. Use another router at the spoke site, because two ISP connections on the same router for the
same hub is not allowed.
C. Configure SLA tracking, and when the primary interface goes down, manually change the
tunnel source of the tunnel interface.
D. Create another tunnel interface with same configuration except the tunnel source, and
configure the if-state nhrp and backup interface commands on the primary tunnel interface.

Answer: D

"Pass Any Exam. Any Time." - www.actualtests.com 48

 Cisco 300-209 Exam
Explanation:

QUESTION NO: 94

In DMVPN phase 2, which two EIGRP features need to be disabled on the hub to allow spoke-to-
spoke communication? (Choose two.)

A. autosummary
B. split horizon
C. metric calculation using bandwidth
D. EIGRP address family
E. next-hop-self
F. default administrative distance

Answer: B,E
Explanation:

QUESTION NO: 95

What does NHRP stand for?

A. Next Hop Resolution Protocol

B. Next Hop Registration Protocol
C. Next Hub Routing Protocol
D. Next Hop Routing Protocol

Answer: A
Explanation:

QUESTION NO: 96

When troubleshooting established clientless SSL VPN issues, which three steps should be taken?
(Choose three.)

A. Clear the browser history.

B. Clear the browser and Java cache.
C. Collect the information from the computer event log.
D. Enable and use HTML capture tools.

"Pass Any Exam. Any Time." - www.actualtests.com 49

 Cisco 300-209 Exam
E. Gather crypto debugs on the adaptive security appliance.
F. Use Wireshark to capture network traffic.

Answer: B,D,F
Explanation:

QUESTION NO: 97

A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish
the connection. Which three commands can be used for troubleshooting of the AAA subsystem?
(Choose three.)

A. debug aaa authentication

B. debug radius
C. debug vpn authorization error
D. debug ssl openssl errors
E. debug webvpn aaa
F. debug ssl error

Answer: A,B,E
Explanation:

QUESTION NO: 98

Which option is a possible solution if you cannot access a URL through clientless SSL VPN with
Internet Explorer, while other browsers work fine?

A. Verify the trusted zone and cookies settings in your browser.

B. Make sure that you specified the URL correctly.
C. Try the URL from another operating system.
D. Move to the IPsec client.

Answer: A
Explanation:

QUESTION NO: 99

Which cryptographic algorithms are a part of the Cisco NGE suite?

"Pass Any Exam. Any Time." - www.actualtests.com 50

 Cisco 300-209 Exam
A. HIPPA DES
B. AES-CBC-128
C. RC4-128
D. AES-GCM-256

Answer: D
Explanation:

QUESTION NO: 100

Which transform set is contained in the IKEv2 default proposal?

A. aes-cbc-192, sha256, group 14

B. 3des, md5, group 7
C. 3des, sha1, group 1
D. aes-cbc-128, sha, group 5

Answer: D
Explanation:

QUESTION NO: 101

Which command clears all crypto configuration from a Cisco Adaptive Security Appliance?

A. clear configure crypto

B. clear configure crypto ipsec
C. clear crypto map
D. clear crypto ikev2 sa

Answer: A
Explanation:

QUESTION NO: 102

Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel
group in cleartext?

A. more system:running-config

"Pass Any Exam. Any Time." - www.actualtests.com 51

 Cisco 300-209 Exam
B. show running-config crypto
C. show running-config tunnel-group
D. show running-config tunnel-group-map
E. clear config tunnel-group
F. show ipsec policy

Answer: A
Explanation:

QUESTION NO: 103

An administrator desires that when work laptops are not connected to the corporate network, they
should automatically initiate an AnyConnect VPN tunnel back to headquarters. Where does the
administrator configure this?

A. Via the svc trusted-network command under the group-policy sub-configuration mode on the
ASA
B. Under the "Automatic VPN Policy" section inside the Anyconnect Profile Editor within ASDM
C. Under the TNDPolicy XML section within the Local Preferences file on the client computer
D. Via the svc trusted-network command under the global webvpn sub-configuration mode on the
ASA

Answer: B
Explanation:

QUESTION NO: 104

The following configuration steps have been completeD.

• WebVPN was enabled on the ASA outside interface.

• SSL VPN client software was loaded to the ASA.

• A DHCP scope was configured and applied to a WebVPN Tunnel Group.

What additional step is required if the client software fails to load when connecting to the ASA SSL
page?

A. The SSL client must be loaded to the client by an ASA administrator

B. The SSL client must be downloaded to the client via FTP

"Pass Any Exam. Any Time." - www.actualtests.com 52

 Cisco 300-209 Exam
C. The SSL VPN client must be enabled on the ASA after loading
D. The SSL client must be enabled on the client machine before loading

Answer: A
Explanation:

QUESTION NO: 105

Remote users want to access internal servers behind an ASA using Microsoft terminal services.
Which option outlines the steps required to allow users access via the ASA clientless VPN portal?

A. 1. Configure a static pat rule for TCP port 3389

2. Configure an inbound access-list to allow traffic from remote users to the servers
3. Assign this access-list rule to the group policy
B. 1. Configure a bookmark of the type http:// server-IP :3389
2. Enable Smart tunnel on this bookmark
3. Assign the bookmark to the desired group policy
C. 1. Configure a Smart Tunnel application list
2. Add the rdp.exe process to this list
3. Assign the Smart Tunnel application list to the desired group policy
D. 1. Upload an RDP plugin to the ASA
2. Configure a bookmark of the type rdp:// server-IP
3. Assign the bookmark list to the desired group policy

Answer: D
Explanation:

QUESTION NO: 106

Which command is used to determine how many GMs have registered in a GETVPN
environment?

A. show crypto isakmp sa

B. show crypto gdoi ks members
C. show crypto gdoi gm
D. show crypto ipsec sa
E. show crypto isakmp sa count

Answer: B
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 53

 Cisco 300-209 Exam

QUESTION NO: 107

On which Cisco platform are dynamic virtual template interfaces available?

A. Cisco Adaptive Security Appliance 5585-X

B. Cisco Catalyst 3750X
C. Cisco Integrated Services Router Generation 2
D. Cisco Nexus 7000

Answer: C
Explanation:

QUESTION NO: 108

Refer to the exhibit.

Which statement about the given IKE policy is true?

A. The tunnel will be valid for 2 days, 88 minutes, and 00 seconds.

B. It will use encrypted nonces for authentication.
C. It has a keepalive of 60 minutes, checking every 5 minutes.
D. It uses a 56-bit encryption algorithm.

Answer: B
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 54

 Cisco 300-209 Exam
QUESTION NO: 109

Refer to the exhibit.

Which two statements about the given configuration are true? (Choose two.)

A. Defined PSK can be used by any IPSec peer.

B. Any router defined in group 2 will be allowed to connect.
C. It can be used in a DMVPN deployment
D. It is a LAN-to-LAN VPN ISAKMP policy.
E. It is an AnyConnect ISAKMP policy.
F. PSK will not work as configured

Answer: A,C
Explanation:

QUESTION NO: 110

Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com 55

 Cisco 300-209 Exam
What technology does the given configuration demonstrate?

A. Keyring used to encrypt IPSec traffic

B. FlexVPN with IPV6
C. FlexVPN with AnyConnect
D. Crypto Policy to enable IKEv2

Answer: B
Explanation:

QUESTION NO: 111

Which command enables the router to form EIGRP neighbor adjacencies with peers using a
different subnet than the ingress interface?

A. ip unnumbered interface
B. eigrp router-id
C. passive-interface interface name
D. ip split-horizon eigrp as number

Answer: A
Explanation:

QUESTION NO: 112

Which feature enforces the corporate policy for Internet access to Cisco AnyConnect VPN users?

A. Trusted Network Detection

B. Datagram Transport Layer Security
C. Cisco AnyConnect Customization
D. banner message

Answer: A
Explanation:

QUESTION NO: 113

In which situation would you enable the Smart Tunnel option with clientless SSL VPN?

"Pass Any Exam. Any Time." - www.actualtests.com 56

 Cisco 300-209 Exam
A. when a user is using an outdated version of a web browser
B. when an application is failing in the rewrite process
C. when IPsec should be used over SSL VPN
D. when a user has a nonsupported Java version installed
E. when cookies are disabled

Answer: B
Explanation:

QUESTION NO: 114

Refer to the exhibit.

You executed the show crypto ipsec sa command to troubleshoot an IPSec issue. What problem
does the given output indicate?

A. IKEv2 failed to establish a phase 2 negotiation.

B. The Crypto ACL is different on the peer device.
C. ISAKMP was unable to find a matching SA.
D. IKEv2 was used in aggressive mode.

Answer: B
Explanation:

QUESTION NO: 115

Which two types of authentication are supported when you use Cisco ASDM to configure site-to-
site IKEv2 with IPv6? (Choose two.)

A. preshared key
B. webAuth

"Pass Any Exam. Any Time." - www.actualtests.com 57

 Cisco 300-209 Exam
C. digital certificates
D. XAUTH
E. EAP

Answer: A,C
Explanation:

QUESTION NO: 116

Which option describes the purpose of the shared argument in the DMVPN interface command
tunnel protection IPsec profile ProfileName shared?

A. shares a single profile between multiple tunnel interfaces

B. allows multiple authentication types to be used on the tunnel interface
C. shares a single profile between a tunnel interface and a crypto map
D. shares a single profile between IKEv1 and IKEv2

Answer: A
Explanation:

QUESTION NO: 117

Which type of communication in a FlexVPN implementation uses an NHRP shortcut?

A. spoke to hub
B. spoke to spoke
C. hub to spoke
D. hub to hub

Answer: B
Explanation:

QUESTION NO: 118

Which technology is FlexVPN based on?

A. OER
B. VRF

"Pass Any Exam. Any Time." - www.actualtests.com 58

 Cisco 300-209 Exam
C. IKEv2
D. an RSA nonce

Answer: C
Explanation:

QUESTION NO: 119

Which application does the Application Access feature of Clientless VPN support?

A. TFTP
B. VoIP
C. Telnet
D. active FTP

Answer: C
Explanation:

QUESTION NO: 120

Where do you configure AnyConnect certificate-based authentication in ASDM?

A. group policies
B. AnyConnect Connection Profile
C. AnyConnect Client Profile
D. Advanced Network (Client) Access

Answer: B
Explanation:

QUESTION NO: 121

Which protocols does the Cisco AnyConnect client use to build multiple connections to the security
appliance?

A. TLS and DTLS

B. IKEv1
C. L2TP over IPsec

"Pass Any Exam. Any Time." - www.actualtests.com 59

 Cisco 300-209 Exam
D. SSH over TCP

Answer: A
Explanation:

QUESTION NO: 122

Which is used by GETVPN, FlexVPN and DMVPN?

A. NHRP
B. MPLS
C. GRE
D. ESP

Answer: D
Explanation:

QUESTION NO: 123

Which VPN solution is best for a collection of branch offices connected by MPLS that frequenty
make VoIP calls between branches?

A. GETVPN
B. Cisco AnyConnect
C. site-to-site
D. DMVPN

Answer: A
Explanation:

QUESTION NO: 124

Refer to the exhibit.

"Pass Any Exam. Any Time." - www.actualtests.com 60

 Cisco 300-209 Exam

Which VPN solution does this configuration represent?

A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site

"Pass Any Exam. Any Time." - www.actualtests.com 61

 Cisco 300-209 Exam
Answer: C
Explanation:

QUESTION NO: 125

Refer to the exhibit.

You have implemented an SSL VPN as shown. Which type of communication takes place
between the secure gateway R1 and the Cisco Secure ACS?

A. HTTP proxy
B. AAA
C. policy
D. port forwarding

Answer: B
Explanation:

QUESTION NO: 126

Which technology can provide high availability for an SSL VPN?

A. DMVPN
B. a multiple-tunnel configuration
C. a Cisco ASA pair in active/passive failover configuration
D. certificate to tunnel group maps

"Pass Any Exam. Any Time." - www.actualtests.com 62

 Cisco 300-209 Exam
Answer: C
Explanation:

QUESTION NO: 127

Refer to the exhibit.

Which VPN solution does this configuration represent?

A. Cisco AnyConnect
B. IPsec
C. L2TP
D. SSL VPN

Answer: B
Explanation:

QUESTION NO: 128

Which technology must be installed on the client computer to enable users to launch applications
from a Clientless SSL VPN?

A. Java
B. QuickTime plug-in
C. Silverlight
D. Flash

"Pass Any Exam. Any Time." - www.actualtests.com 63

 Cisco 300-209 Exam
Answer: A
Explanation:

QUESTION NO: 129

In the Diffie-Hellman protocol, which type of key is the shared secret?

A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key

Answer: A
Explanation:

QUESTION NO: 130

Refer to the exhibit.

Which exchange does this debug output represent?

A. IKE Phase 1
B. IKE Phase 2
C. symmetric key exchange
D. certificate exchange

Answer: A
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 64

 Cisco 300-209 Exam
QUESTION NO: 131

Which two technologies are considered to be Suite B cryptography? (Choose two.)

A. MD5
B. SHA2
C. Elliptical Curve Diffie-Hellman
D. 3DES
E. DES

Answer: B,C
Explanation:

QUESTION NO: 132

Which protocol does DTLS use for its transport?

A. TCP
B. UDP
C. IMAP
D. DDE

Answer: B
Explanation:

QUESTION NO: 133 CORRECT TEXT

Scenario:

You are the network security manager for your organization. Your manager has received a request
to allow an external user to access to your HQ and DM2 servers. You are given the following
connection parameters for this task.

Using ASDM on the ASA, configure the parameters below and test your configuration by
accessing the Guest PC. Not all AS DM screens are active for this exercise. Also, for this exercise,
all changes are automatically applied to the ASA and you will not have to click APPLY to apply the
changes manually.

• Enable Clientless SSL VPN on the outside interface

• Using the Guest PC, open an Internet Explorer window and test and verify the basic connection
to the SSL VPN portal using address: https://vpn-secure-x.public

"Pass Any Exam. Any Time." - www.actualtests.com 65

 Cisco 300-209 Exam
• a. You may notice a certificate error in the status bar, this can be ignored for this exercise

• b. Username: vpnuser

• c. Password: cisco123

• d. Logout of the portal once you have verified connectivity

• Configure two bookmarks with the following parameters:

• a. Bookmark List Name: MY-BOOKMARKS

• b. Use the: URL with GET or POST method

• c. Bookmark Title: HQ-Server

• i. http://10.10.3.20

• d. Bookmark Title: DMZ-Server-FTP

• i. ftp://172.16.1.50

• e. Assign the configured Bookmarks to:

• i. DfltGrpPolicy

• ii. DfltAccessPolicy

• iii. LOCAL User: vpnuser

• From the Guest PC, reconnect to the SSL VPN Portal

• Test both configured Bookmarks to ensure desired connectivity

You have completed this exercise when you have configured and successfully tested Clientless
SSL VPN connectivity.

Topology:

"Pass Any Exam. Any Time." - www.actualtests.com 66

 Cisco 300-209 Exam

"Pass Any Exam. Any Time." - www.actualtests.com 67

 Cisco 300-209 Exam

Answer: Please find the solution in below explanation.

Explanation:

First, enable clientless VPN access on the outside interface by checking the box found below:

Then, log in to the given URL using the vpnuser/cisco123 credentials:

"Pass Any Exam. Any Time." - www.actualtests.com 68

 Cisco 300-209 Exam

Logging in will take you to this page, which means you have now verified basic connectivity:

Now log out by hitting the logout button.

Now, go back to the ASDM and navigate to the Bookmarks portion:

"Pass Any Exam. Any Time." - www.actualtests.com 69

 Cisco 300-209 Exam

Make the name MY-BOOKMARKS and use the “Add” tab and add the bookmarks per the
instructions:

Ensure the “URL with GET of POST method” button is selected and hit OK:

"Pass Any Exam. Any Time." - www.actualtests.com 70

 Cisco 300-209 Exam

Add the two bookmarks as given in the instructions:

"Pass Any Exam. Any Time." - www.actualtests.com 71

 Cisco 300-209 Exam

You should now see the two bookmarks listed:

Hit OK and you will see this:

"Pass Any Exam. Any Time." - www.actualtests.com 72

 Cisco 300-209 Exam

Select the MY-BOOKMARKS Bookmarks and click on the “Assign” button. Then, click on the
appropriate check boxes as specified in the instructions and hit OK.

After hitting OK, you will now see this:

"Pass Any Exam. Any Time." - www.actualtests.com 73

 Cisco 300-209 Exam

Then, go back to the Guest-PC, log back in and you should be able to test out the two new
bookmarks.

QUESTION NO: 134

Scenario:

You are the senior network security administrator for your organization. Recently and junior
engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA
and a remote branch office.

You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR. verify
the IPsec configuration is properly configured between the two sites.

NOTE: the show running-config command cannot be used for the this exercise.

Topology:

"Pass Any Exam. Any Time." - www.actualtests.com 74

 Cisco 300-209 Exam

"Pass Any Exam. Any Time." - www.actualtests.com 75

 Cisco 300-209 Exam

What is being used as the authentication method on the branch ISR?

A. Certifcates
B. Pre-shared keys
C. RSA public keys
D. Diffie-Hellman Group 2

Answer: B
Explanation: The show crypto isakmp key command shows the preshared key of “cisco”

QUESTION NO: 135

Scenario:

You are the senior network security administrator for your organization. Recently and junior
engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA
and a remote branch office.

You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured

"Pass Any Exam. Any Time." - www.actualtests.com 76

 Cisco 300-209 Exam
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR. verify
the IPsec configuration is properly configured between the two sites.

NOTE: the show running-config command cannot be used for the this exercise.

Topology:

"Pass Any Exam. Any Time." - www.actualtests.com 77

 Cisco 300-209 Exam

Which transform set is being used on the branch ISR?

A. Default
B. ESP-3DES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS mode transport
D. TSET

Answer: B
Explanation: This can be seen from the “show crypto ipsec sa” command as shown below:

"Pass Any Exam. Any Time." - www.actualtests.com 78

 Cisco 300-209 Exam

QUESTION NO: 136

Scenario:

You are the senior network security administrator for your organization. Recently and junior
engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA
and a remote branch office.

You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR. verify
the IPsec configuration is properly configured between the two sites.

NOTE: the show running-config command cannot be used for the this exercise.

Topology:

"Pass Any Exam. Any Time." - www.actualtests.com 79

 Cisco 300-209 Exam

"Pass Any Exam. Any Time." - www.actualtests.com 80

 Cisco 300-209 Exam

In what state is the IKE security association in on the Cisco ASA?

A. There are no security associations in place

B. MM_ACTIVE
C. ACTIVE(ACTIVE)
D. QM_IDLE

Answer: B
Explanation: This can be seen from the “show crypto isa sa” command:

QUESTION NO: 137

Scenario:

"Pass Any Exam. Any Time." - www.actualtests.com 81

 Cisco 300-209 Exam
You are the senior network security administrator for your organization. Recently and junior
engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA
and a remote branch office.

You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured
according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR. verify
the IPsec configuration is properly configured between the two sites.

NOTE: the show running-config command cannot be used for the this exercise.

Topology:

"Pass Any Exam. Any Time." - www.actualtests.com 82

 Cisco 300-209 Exam

Which crypto map tag is being used on the Cisco ASA?

A. outside_cryptomap
B. VPN-to-ASA
C. L2L_Tunnel
D. outside_map1

Answer: D
Explanation:
This is seen from the “show crypto ipsec sa” command on the ASA.

"Pass Any Exam. Any Time." - www.actualtests.com 83

 Cisco 300-209 Exam

"Pass Any Exam. Any Time." - www.actualtests.com 84