Practice questions for the Cisco 300-209 exam, Implementing Cisco Secure Mobility Solutions (SIMOS).
Q31. Which statement regarding GET VPN is true?
A. TEK rekeys can be load-balanced between two key servers operating in COOP.
B. When you implement GET VPN with VRFs, all VRFs must be defined in the GDOI group configuration on the key server.
C. Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.
D. The configuration that defines which traffic to encrypt is present only on the key server.
E. The pseudotime that is used for replay checking is synchronized via NTP.
Answer: D
Q32. When Cisco ASA applies VPN permissions, what is the first set of attributes that it applies?
A. dynamic access policy attributes
B. group policy attributes
C. connection profile attributes
D. user attributes
Answer: A
Q33. Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify that the IPsec configuration is correct between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
Which transform set is being used on the branch ISR?
A. Default
B. ESP-3DES ESP-SHA-HMAC
C. ESP-AES-256-MD5-TRANS mode transport
D. TSET
Answer: B
Explanation:
This can be seen from the “show crypto ipsec sa” command as shown below:
Q34. Refer to the exhibit.
Which type of mismatch is causing the problem with the IPsec VPN tunnel?
A. PSK
B. Phase 1 policy
C. transform set
D. crypto access list
Answer: A
Q35. Refer to the exhibit.
What is the purpose of the given configuration?
A. Establishing a GRE tunnel.
B. Enabling IPSec to decrypt fragmented packets.
C. Resolving access issues caused by large packet sizes.
D. Adding the spoke to the routing table.
Answer: C
Q36. Which technology does a multipoint GRE interface require to resolve endpoints?
A. ESP
B. dynamic routing
C. NHRP
D. CEF
E. IPSec
Answer: C
Q37. Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify that the IPsec configuration is correct between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
Which crypto map tag is being used on the Cisco ASA?
A. outside_cryptomap
B. VPN-to-ASA
C. L2L_Tunnel
D. outside_map1
Answer: D
Explanation:
This is seen from the “show crypto ipsec sa” command on the ASA.
Q38. Refer to the exhibit.
Which VPN solution does this configuration represent?
A. DMVPN
B. GETVPN
C. FlexVPN
D. site-to-site
Answer: C
Q39. Based on the provided ASDM configuration for the remote ASA, which one of the following is correct?
A. An access-list must be configured on the outside interface to permit inbound VPN traffic
B. A route to 192.168.22.0/24 will not be automatically installed in the routing table
C. The ASA will use a window of 128 packets (64x2) to perform the anti-replay check
D. The tunnel can also be established on TCP port 10000
Answer: C
Explanation:
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.
Q40. Which two statements about the Cisco ASA Clientless SSL VPN smart tunnels feature are true? (Choose two.)
A. Smart tunnels are enabled on the secure gateway (Cisco ASA) for specific applications that run on the end client and work irrespective of which transport protocol the application uses.
B. Smart tunnels require Administrative privileges to run on the client machine.
C. A smart tunnel is a DLL that is pushed from the headend to the client machine after SSL VPN portal authentication and that is attached to smart-tunneled processes to route traffic through the SSL VPN session with the gateway.
D. Smart tunnels offer better performance than the client-server plugins.
E. Smart tunnels are supported on Windows, Mac, and Linux.
Answer: C,D