QUESTION 51
Hotspot Questions
Based on the provided ASDM configuration for the remote ASA, which one of the following is correct?
A. An access-list must be configured on the outside interface to permit inbound VPN traffic
B. A route to 192.168.22.0/24 will not be automatically installed in the routing table
C. The ASA will use a window of 128 packets (64×2) to perform the anti-replay check
D. The tunnel can also be established on TCP port 10000
Answer: C
Explanation:
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.
QUESTION 52
Hotspot Questions
If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to encrypt traffic?
A. DES
B. 3DES
C. AES
D. AES192
E. AES256
Answer: E
Explanation:
Both ASAs are configured to support AES-256, so during the IPsec negotiation they will use the strongest algorithm that is supported by both peers.
QUESTION 53
Hotspot Questions
After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24 network are unable to access the internet. Which of the following can be done to resolve this problem?
A. Change the Diffie-Hellman group on the headquarter ASA to group 5 for the dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEv1 configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0
Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 to 192.168.22.0/24.
QUESTION 54
Hotspot Questions
Which option shows the correct traffic selectors for the child SA on the remote ASA, when the headquarter ASA initiates the tunnel?
– Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.20.0/0-192.168.20.255/65535
– Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.22.0/0-192.168.22.255/65535
– Local selector 192.168.22.0/0-192.168.22.255/65535 Remote selector 192.168.33.0/0-192.168.33.255/65535
– Remote selector 192.168.22.0/0-192.168.22.255/65535
A. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 0.0.0.0/0-0.0.0.0/65535
B. Local selector 0.0.0.0/0-0.0.0.0/65535
Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPsec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 (the local side) to 192.168.22.0/24 (the remote side).
QUESTION 55
Lab Simulation
Answer:
Step 1: Configure the IKEv2 keyring
! Peer address must match the tunnel destination below (the original listed 209.161.201.1, a typo)
crypto ikev2 keyring mykeys
peer SiteB.cisco.com
address 209.165.201.1
pre-shared-key local $iteA
pre-shared-key remote $iteB
Step 2: Configure the IKEv2 profile
crypto ikev2 profile default
identity local fqdn SiteA.cisco.com
match identity remote fqdn SiteB.cisco.com
authentication local pre-share
authentication remote pre-share
keyring local mykeys
Step 3: Create the GRE tunnel and apply the IPsec profile
crypto ipsec profile default
set ikev2-profile default
interface tunnel 1
ip address 10.1.1.1
tunnel source eth 0/0
tunnel destination 209.165.201.1
tunnel protection ipsec profile default
end
QUESTION 56
Which two are characteristics of GETVPN? (Choose two.)
A. The IP header of the encrypted packet is preserved
B. A key server is elected among all configured Group Members
C. Unique encryption keys are computed for each Group Member
D. The same key encryption and traffic encryption keys are distributed to all Group Members
Answer: AD
QUESTION 57
A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid configuration constructs on a Cisco IOS router? (Choose two.)
A. crypto ikev2 keyring keyring-name
peer peer1
address 209.165.201.1 255.255.255.255
pre-shared-key local key1
pre-shared-key remote key2
B. crypto ikev2 transform-set transform-set-name esp-3des esp-md5-hmac esp-aes esp-sha-hmac
C. crypto ikev2 map crypto-map-name
set crypto ikev2 tunnel-group tunnel-group-name
set crypto ikev2 transform-set transform-set-name
D. crypto ikev2 tunnel-group tunnel-group-name
match identity remote address 209.165.201.1
authentication local pre-share
authentication remote pre-share
E. crypto ikev2 profile profile-name
match identity remote address 209.165.201.1
authentication local pre-share
authentication remote pre-share
Answer: AE
QUESTION 58
Guaranteed success with TestInsides practice guides 2 Cisco 300-209 : Practice Test
Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.)
A. authenticates group members
B. manages security policy
C. creates group keys
D. distributes policy/keys
E. encrypts endpoint traffic
F. receives policy/keys
G. defines group members
Answer: ABCD
QUESTION 59
Where is split-tunneling defined for remote access clients on an ASA?
A. Group-policy
B. Tunnel-group
C. Crypto-map
D. Web-VPN Portal
E. ISAKMP client
Answer: A
QUESTION 60
Which of the following could be used to configure remote access VPN Host-scan and pre-login policies?
A. ASDM
B. Connection-profile CLI command
C. Host-scan CLI command under the VPN group policy
D. Pre-login-check CLI command
Answer: A
If you want to pass Cisco 300-209 successfully, do not miss reading the latest lead2pass Cisco 300-209 exam questions.
If you can master all lead2pass questions you will be able to pass, 100% guaranteed.