Cisco 300-209 Dumps Questions 2021
Free demo questions for Cisco 300-209 Exam Dumps Below:
NEW QUESTION 1
Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices?
- A. IKEv2 Suite-B
- B. IKEv2 proposals
- C. IKEv2 profiles
- D. IKEv2 Smart Defaults
Answer: D
NEW QUESTION 2
From the CLI of a Cisco ASA 5520, which command shows specific information about current clientless and Cisco AnyConnect SSL VPN users only?
- A. show crypto ikev1 sa detail
- B. show vpn-sessiondb remote
- C. show vpn-sessiondb
- D. show vpn-sessiondb detail
Answer: D
NEW QUESTION 3
Refer to the exhibit.
Which type of VPN implementation is displayed?
- A. IKEv2 reconnect
- B. IKEv1 cluster
- C. IKEv2 load balancer
- D. IKEv1 client
- E. IPsec high availability
- F. IKEv2 backup gateway
Answer: C
NEW QUESTION 4
An engineer is using DMVPN to provide secure connectivity between a data center and remote sites. Which two routing protocols are recommended for use between the routers? (Choose two.)
- A. EIGRP
- B. IS-IS
- C. RIPv2
- D. BGP
- E. OSPF
Answer: AE
NEW QUESTION 5
A temporary worker must use clientless SSL VPN with an SSH plug-in, in order to access the console of an internal corporate server, the projects.xyz.com server. For security reasons, the network security auditor insists that the temporary user is restricted to the one internal corporate server, 10.0.4.18. You are the network engineer who is responsible for the network access of the temporary user.
What should you do to restrict SSH access to the one projects.xyz.com server?
- A. Configure access-list temp_user_acl extended permit TCP any host 10.0.4.18 eq 22.
- B. Configure access-list temp_user_acl standard permit host 10.0.4.18 eq 22.
- C. Configure access-list temp_acl webtype permit url ssh://10.0.4.18.
- D. Configure a plug-in SSH bookmark for host 10.0.4.18, and disable network browsing on the clientless SSL VPN portal of the temporary worker.
Answer: C
Explanation: Web ACLs
The Web ACLs table displays the filters configured on the security appliance applicable to Clientless SSL VPN traffic. The table shows the name of each access control list (ACL), and below and indented to the right of the ACL name, the access control entries (ACEs) assigned to the ACL. Each ACL permits or denies access to specific networks, subnets, hosts, and web servers. Each ACE specifies one rule that serves the function of the ACL. You can configure ACLs to apply to Clientless SSL VPN traffic. The following rules apply:
- If you do not configure any filters, all connections are permitted.
- The security appliance supports only an inbound ACL on an interface.
- At the end of each ACL, an implicit, unwritten rule denies all traffic that is not explicitly permitted.
You can use the following wildcard characters to define more than one wildcard in the Webtype access list entry:
- Enter an asterisk “*” to match no characters or any number of characters.
- Enter a question mark “?” to match any one character exactly.
- Enter square brackets “[]” to create a range operator that matches any one character in a range.
The following examples show how to use wildcards in Webtype access lists.
- The following example matches URLs such as http://www.cisco.com/ and http://wwz.caco.com/:
  access-list test webtype permit url http://ww?.c*co*/
NEW QUESTION 6
Answer:
Explanation: The steps are as follows:
Step 1: Configure the key ring
  crypto ikev2 keyring mykeys
   peer SiteB.cisco.com
    address 209.161.201.1
    pre-shared-key local $iteA
    pre-shared-key remote $iteB
Step 2: Configure the IKEv2 profile
  crypto ikev2 profile default
   identity local fqdn SiteA.cisco.com
   match identity remote fqdn SiteB.cisco.com
   authentication local pre-share
   authentication remote pre-share
   keyring local mykeys
Step 3: Create the GRE tunnel and apply the profile
  crypto ipsec profile default
   set ikev2-profile default
  interface tunnel 0
   ip address 10.1.1.1 255.255.255.0
   tunnel source eth 0/0
   tunnel destination 209.165.201.1
   tunnel protection ipsec profile default
  end
NEW QUESTION 7
Which three types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL VPN portal? (Choose three.)
- A. HTTP
- B. VNC
- C. CIFS
- D. RDP
- E. HTTPS
- F. ICA (Citrix)
Answer: ACE
NEW QUESTION 8
Which three parameters are specified in the isakmp (IKEv1) policy? (Choose three.)
- A. the hashing algorithm
- B. the authentication method
- C. the lifetime
- D. the session key
- E. the transform-set
- F. the peer
Answer: ABC
NEW QUESTION 9
What are the three primary components of a GET VPN network? (Choose three.)
- A. Group Domain of Interpretation protocol
- B. Simple Network Management Protocol
- C. server load balancer
- D. accounting server
- E. group member
- F. key server
Answer: AEF
NEW QUESTION 10
Refer to the exhibit.
Which technology does this configuration demonstrate?
- A. AnyConnect SSL over IPv4+IPv6
- B. AnyConnect FlexVPN over IPv4+IPv6
- C. AnyConnect FlexVPN IPv6 over IPv4
- D. AnyConnect SSL IPv6 over IPv4
Answer: A
NEW QUESTION 11
Refer to the exhibit.
After the configuration is performed, which combination of devices can connect?
- A. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name of "cisco.com"
- B. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 or a certificate with subject name containing "cisco.com"
- C. a device with an identity type of IPv4 address of both 209.165.200.225 and 209.165.202.155 and a certificate with subject name containing "cisco.com"
- D. a device with an identity type of IPv4 address of 209.165.200.225 or 209.165.202.155 or a certificate with subject name containing "cisco.com"
Answer: D
NEW QUESTION 12
On which Cisco platform are dynamic virtual template interfaces available?
- A. Cisco Adaptive Security Appliance 5585-X
- B. Cisco Catalyst 3750X
- C. Cisco Integrated Services Router Generation 2
- D. Cisco Nexus 7000
Answer: C
NEW QUESTION 13
Refer to the exhibit.
You have implemented an SSL VPN as shown. Which type of communication takes place between the secure gateway R1 and the Cisco Secure ACS?
- A. HTTP proxy
- B. AAA
- C. policy
- D. port forwarding
Answer: B
NEW QUESTION 14
Refer to the exhibit.
Which statement about the given IKE policy is true?
- A. The tunnel will be valid for 2 days, 88 minutes, and 00 seconds.
- B. It will use encrypted nonces for authentication.
- C. It has a keepalive of 60 minutes, checking every 5 minutes.
- D. It uses a 56-bit encryption algorithm.
Answer: B
NEW QUESTION 15
An engineer has configured Cisco AnyConnect VPN using IKEv2 on a Cisco IOS router. The user cannot connect in the Cisco AnyConnect client, but receives an alert message “Use a browser to gain access.” Which action does the engineer take to eliminate this issue?
- A. Reset user login credentials.
- B. Disable the HTTP server.
- C. Correct the URL address.
- D. Connect using HTTPS.
Answer: B
NEW QUESTION 16
A customer has two ASAs configured in high availability and is experiencing connection drops that require re-establishment each time failover occurs.
Which type of failover has been implemented?
- A. Stateless
- B. routed
- C. transparent
- D. stateful
Answer: D
NEW QUESTION 17
Why must a network engineer avoid usage of the default X509 certificate when implementing clientless SSLVPN on an ASA?
- A. The certificate is too weak to provide adequate security.
- B. The certificate is regenerated at each reboot.
- C. The certificate must be managed by the local CA.
- D. The default X.509 certificate is not supported for SSLVPN.
Answer: C
NEW QUESTION 18
An administrator wishes to limit the networks reachable over the AnyConnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and 209.165.202.128/27?
- A.
   access-list splitlist standard permit 209.165.201.0 255.255.255.224
   access-list splitlist standard permit 209.165.202.128 255.255.255.224
   !
   group-policy GroupPolicy1 internal
   group-policy GroupPolicy1 attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value splitlist
- B.
   access-list splitlist standard permit 209.165.201.0 255.255.255.224
   access-list splitlist standard permit 209.165.202.128 255.255.255.224
   !
   group-policy GroupPolicy1 internal
   group-policy GroupPolicy1 attributes
    split-tunnel-policy tunnelall
    split-tunnel-network-list value splitlist
- C.
   group-policy GroupPolicy1 internal
   group-policy GroupPolicy1 attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
    split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
- D.
   access-list splitlist standard permit 209.165.201.0 255.255.255.224
   access-list splitlist standard permit 209.165.202.128 255.255.255.224
   !
   crypto anyconnect vpn-tunnel-policy tunnelspecified
   crypto anyconnect vpn-tunnel-network-list splitlist
- E.
   crypto anyconnect vpn-tunnel-policy tunnelspecified
   crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
   crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
Answer: A
NEW QUESTION 19
Refer to the exhibit.
Which VPN solution does this configuration represent?
- A. DMVPN
- B. GETVPN
- C. FlexVPN
- D. site-to-site
Answer: B
NEW QUESTION 20
An engineer is troubleshooting network issues and wants to check the Layer 2 connectivity between routers. Which command must be run?
- A. show ip eigrp neighbors
- B. show cdp neighbor
- C. show crypto isakmp sa.
- D. show crypto ipsec sa.
Answer: B