Verified 300-209 Study Guides 2021

NEW QUESTION 1
Which two changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two )

• A. Disable EIGRP next-hop-self on the hub.
• B. Enable EIGRP next-hop-self on the hub.
• C. Acid NHRP shortcuts on the hub.
• D. Add NHRP redirects on the hub.
• E. Add NHRP redirects on the spoke.

Answer: BD

NEW QUESTION 2
An engineer has successfully established a phase 1 tunnel, but notices that no packets are decrypted on the head end side of the tunnel. What is a potential cause for this issue?

• A. different phase 2 encryption
• B. misconfigured DH group
• C. disabled PFS
• D. firewall blocking Phase 2 ESP or AH

Answer: A

NEW QUESTION 3
Refer to the exhibit.

A NOC engineer needs to tune some prelogin parameters on an SSL VPN tunnel.
From the information that is shown, where should the engineer navigate to find the prelogin session attributes?

• A. "engineering" Group Policy
• B. "contractor" Connection Profile
• C. "engineer1" AAA/Local Users
• D. DfltGrpPolicy Group Policy

Answer: B

Explanation: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac05hosts

NEW QUESTION 4
The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend using IKEv2. What is the most likely cause of this problem?

• A. User profile updates are not allowed with IKEv2.
• B. IKEv2 is not enabled on the group policy.
• C. A new profile must be created so that the adaptive security appliance can push it to the client on the next connection attempt.
• D. Client Services is not enabled on the adaptive security appliance.

Answer: D

NEW QUESTION 5
Which is used by GETVPN, FlexVPN and DMVPN?

• A. NHRP
• B. MPLS
• C. GRE
• D. ESP

Answer: D

NEW QUESTION 6
What are two benefits of DMVPN Phase 3? (Choose two.)

• A. Administrators can use summarization of routing protocol updates from hub to spokes.
• B. It introduces hierarchical DMVPN deployments.
• C. It introduces non-hierarchical DMVPN deployments.
• D. It supports L2TP over IPSec as one of the VPN protocols.

Answer: AB

NEW QUESTION 7
Which command can be used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?

• A. show crypto lkev2 client flexvpn
• B. show crypto identity
• C. show crypto isakmp sa
• D. show crypto gkm

Answer: A

NEW QUESTION 8
Which command will allow a referenced ASA interface to become accessible across a site-to-site VPN?

• A. access-list 101 extended permit ICMP any any
• B. crypto map vpn 10 match address 101
• C. crypto map vpn interface inside
• D. management-access <interface name>

Answer: B

NEW QUESTION 9
ACisco IOS SSL VPN gateway is configured to operate in clientless mode so that users can access file shares on a Microsoft Windows 2003 server. Which protocol is used between the Cisco IOS router and the Windows server?

• A. HTTPS
• B. NetBIOS
• C. CIFS
• D. HTTP

Answer: C

NEW QUESTION 10
An engineer wants to ensure that Diffie-Helman keys are re-generated upon a pahse-2 rekey. What option can be configured to allow this?

• A. Aggressive mode
• B. Dead-peer detection
• C. Main mode
• D. Perfect-forward secrecy

Answer: D

NEW QUESTION 11
Which option is most effective at preventing a remote access VPN user from bypassing the corporate transparent web proxy?

• A. using the proxy-server settings of the client computer to specify a PAC file for the client computer to download
• B. instructing users to use the corporate proxy server for all web browsing
• C. disabling split tunneling
• D. permitting local LAN access

Answer: C

NEW QUESTION 12
A customer requires site-to-site VPNs to connect to third party business partners and has purchased two ASAs. The customer requests an active/active configuration.
Winch mode is needed to support and active/active solution?

• A. single context
• B. NAT context
• C. PAT context
• D. multiple context

Answer: D

NEW QUESTION 13
A company needs to provide secure access to its remote workforce. The end users use public kiosk computers and a wide range of devices. They will be accessing only an internal web application. Which VPN solution satisfies these requirements?

• A. Clientless SSLVPN
• B. AnyConnect Client using SSLVPN
• C. AnyConnect Client using IKEv2
• D. FlexVPN Client
• E. Windows built-in PPTP client

Answer: A

NEW QUESTION 14
Which VPN feature allows remote access clients to print documents to local network printers?

• A. Reverse Route Injection
• B. split tunneling
• C. loopback addressing
• D. dynamic virtual tunnels

Answer: B

NEW QUESTION 15
What routing protocol is recommended by Cisco in DMVPN between company router and ISP router? (Choose Two)

• A. OSPF
• B. RIPv2
• C. ISIS
• D. BGP
• E. EIGRP

Answer: DE

NEW QUESTION 16
When you configure IPsec VPN High Availability Enhancements, which technology does Cisco recommend that you enable to make reconvergence faster?

• A. EOT
• B. IP SLAs
• C. periodic IKE keepalives
• D. VPN fast detection

Answer: C

NEW QUESTION 17
Which PKI enrollment method allows the user to separate authentication and enrollment actions and also provides an option to specify HTTP/TFTP commands to perform file retrieval from the server?

• A. enrollment profile
• B. enrollment terminal
• C. enrollment url
• D. enrollment selfsigned

Answer: A

NEW QUESTION 18
Refer to the Exhibit:

An engineer must implement DMVPN phase 2 and two conclusions can be made from the configuration? (Choose two.)

• A. Spoke-to-spoke communication is allowed.
• B. Next-hop-self is required.
• C. EIGRP neighbor adjacency will fail.
• D. EIGRP route redistribution is not allowed
• E. EIGRP used as the dynamic routing protocol.

Answer: AE

NEW QUESTION 19
Which Cisco adaptive security appliance command can be used to view the count of all active VPN sessions?

• A. show vpn-sessiondb summary
• B. show crypto ikev1 sa
• C. show vpn-sessiondb ratio encryption
• D. show iskamp sa detail
• E. show crypto protocol statistics all

Answer: A

NEW QUESTION 20
A user is experiencing issues connecting to a Cisco AnyConnect VPN and receives this error message: The AnyConnect package on the secure gateway could not be located. You may be experiencing network
connectivity issues. Please try connecting again.
Which option is the likely cause of this issue?

• A. This Cisco ASA firewall has experienced a failure.
• B. The user is entering an incorrect password.
• C. The user’s operating system is not supported with the ASA’s current configuration.
• D. The user laptop clock is not synchronized with NTP.

Answer: A