Tested 300-209 Exam Questions 2021
Practice questions for the Cisco 300-209 Implementing Cisco Secure Mobility Solutions (SIMOS) exam:
NEW QUESTION 1
Which technology can you implement to reduce latency issues associated with a Cisco AnyConnect VPN?
- A. DTLS
- B. SCTP
- C. DCCP
- D. SRTP
Answer: A
NEW QUESTION 2
Which statement about CRL configuration is correct?
- A. CRL checking is enabled by default.
- B. The Cisco ASA relies on HTTPS access to procure the CRL list.
- C. The Cisco ASA relies on LDAP access to procure the CRL list.
- D. The Cisco Secure ACS can be configured as the CRL server.
Answer: C
Explanation: ASA SSLVPN deployment guide:
The security appliance supports various authentication methods: RSA one-time passwords, Radius, Kerberos, LDAP, NT Domain, TACACS, Local/Internal, digital certificates, and a combination of both authentication and certificates.
NEW QUESTION 3
What is a valid reason for configuring a list of backup servers on the Cisco AnyConnect VPN Client profile?
- A. to access a backup authentication server
- B. to access a backup DHCP server
- C. to access a backup VPN server
- D. to access a backup CA server
Answer: C
NEW QUESTION 4
Where is split-tunneling defined for remote access clients on an ASA?
- A. Group-policy
- B. Tunnel-group
- C. Crypto-map
- D. Web-VPN Portal
- E. ISAKMP client
Answer: A
NEW QUESTION 5
In FlexVPN, what is the role of a NHRP resolution request?
- A. It allows these entities to directly communicate without requiring traffic to use an intermediate hop
- B. It dynamically assigns VPN users to a group
- C. It blocks these entities from directly communicating with each other
- D. It makes sure that each VPN spoke directly communicates with the hub
Answer: A
NEW QUESTION 6
A spoke has two Internet connections for failover. How can you achieve optimum failover without affecting any other router in the DMVPN cloud?
- A. Create another DMVPN cloud by configuring another tunnel interface that is sourced from the second ISP link.
- B. Use another router at the spoke site, because two ISP connections on the same router for the same hub are not allowed.
- C. Configure SLA tracking, and when the primary interface goes down, manually change the tunnel source of the tunnel interface.
- D. Create another tunnel interface with same configuration except the tunnel source, and configure the if-state nhrp and backup interface commands on the primary tunnel interface.
Answer: D
NEW QUESTION 7
In DMVPN phase 2, which two EIGRP features need to be disabled on the hub to allow spoke-to-spoke communication? (Choose two.)
- A. autosummary
- B. split horizon
- C. metric calculation using bandwidth
- D. EIGRP address family
- E. next-hop-self
- F. default administrative distance
Answer: BE
NEW QUESTION 8
Which way to send OSPF routing updates over a site-to-site IPsec tunnel is true?
- A. Set the network type for the inside interface to nonbroadcast mode, and add the remote end as an OSPF neighbor.
- B. Set the network type for the outside interface to broadcast mode, and add the headend device as an OSPF neighbor.
- C. Set the network type for the DMZ interface to nonbroadcast mode, and add the headend as an OSPF neighbor.
- D. Set the network type for the outside interface to nonbroadcast mode, and add the remote end as an OSPF neighbor.
Answer: D
NEW QUESTION 9
You are troubleshooting a DMVPN NHRP registration failure. Which command can you use to view request counters?
- A. show ip nhrp nhs detail
- B. show ip nhrp tunnel
- C. show ip nhrp incomplete
- D. show ip nhrp incomplete tunnel tunnel_interface_number
Answer: A
NEW QUESTION 10
In a FlexVPN deployment, the spokes are successfully connecting to the hub. However, spoke-to-spoke tunnels do not form. Which troubleshooting step is valid for this issue?
- A. Verify the spoke configuration to check if the NHRP redirect is enabled.
- B. Verify the hub configuration to check if the NHRP shortcut is enabled.
- C. Verify the tunnel interface is contained within a VRF.
- D. Verify the spoke receives redirect messages and sends resolution requests.
Answer: B
NEW QUESTION 11
Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet Explorer, while other browsers work fine?
- A. Verify the trusted zone and cookies settings in your browser.
- B. Make sure that you specified the URL correctly.
- C. Try the URL from another operating system.
- D. Move to the IPsec client.
Answer: A
NEW QUESTION 12
Mobile workforce clients are using Cisco Encryption for AnyConnect for remote access to the corporate network. In an attempt to save bandwidth on the Internet circuit, those working remotely are permitted to use their local connectivity for Internet use while still connected to the corporate network. Which feature allows distinct destinations to be encrypted on the remote client?
- A. DART
- B. Split Tunneling
- C. NAT Exempt
- D. Kerberos
Answer: B
NEW QUESTION 13
Which algorithm is an example of asymmetric encryption?
- A. RC4
- B. AES
- C. ECDSA
- D. 3DES
Answer: C
NEW QUESTION 14
Which are two main use cases for Clientless SSL VPN? (Choose two.)
- A. In kiosks that are part of a shared environment
- B. When the users do not have admin rights to install a new VPN client
- C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP
- D. To create VPN site-to-site tunnels in combination with remote access
Answer: AB
NEW QUESTION 15
A network engineer must configure a new VPN tunnel utilizing IKEv2. For which three reasons would a configuration use IKEv2 instead of IKEv1? (Choose three.)
- A. increased hash size
- B. DoS protection
- C. Preshared keys are used for authentication.
- D. RSA-Sig used for authentication
- E. native NAT traversal
- F. asymmetric authentication
Answer: BEF
NEW QUESTION 16
Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)
- A. key encryption key
- B. group encryption key
- C. user encryption key
- D. traffic encryption key
Answer: AD
NEW QUESTION 17
When using clientless SSL VPN, you might not want some applications or web resources to go through the Cisco ASA appliance. For these applications and web resources, as a Cisco ASA administrator, which configuration should you use?
- A. Configure the Cisco ASA appliance for split tunneling.
- B. Configure network access exceptions in the SSL VPN customization editor.
- C. Configure the Cisco ASA appliance to disable content rewriting.
- D. Configure the Cisco ASA appliance to enable URL Entry bypass.
- E. Configure smart tunnel to bypass the Cisco ASA appliance proxy function.
Answer: C
Explanation: http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_web.html
Content Rewrite
The Content Rewrite pane lists all applications for which content rewrite is enabled or disabled.
Clientless SSL VPN processes application traffic through a content transformation/rewriting engine that includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to proxy HTTP traffic which may have different semantics and access control rules depending on whether the user is using an application within or independently of an SSL VPN device.
By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want some applications and web resources (for example, public websites) to go through the security appliance. The security appliance therefore lets you create rewrite rules that let users browse certain sites and applications without going through the security appliance. This is similar to split-tunneling in an IPSec VPN connection.
You can create multiple rewrite rules. The rule number is important because the security appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches.
NEW QUESTION 18
Refer to the exhibit.
What is the problem with the IKEv2 site-to-site VPN tunnel?
- A. incorrect PSK
- B. crypto access list mismatch
- C. incorrect tunnel group
- D. crypto policy mismatch
- E. incorrect certificate
Answer: D
NEW QUESTION 19
Which option describes the purpose of the command show derived-config interface virtual-access 1?
- A. It verifies that the virtual access interface is cloned correctly with per-user attributes.
- B. It verifies that the virtual template created the tunnel interface.
- C. It verifies that the virtual access interface is of type Ethernet.
- D. It verifies that the virtual access interface is used to create the tunnel interface.
Answer: A
NEW QUESTION 20
What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?
- A. disk0:/webvpn/{context name}/
- B. disk1:/webvpn/{context name}/
- C. flash:/webvpn/{context name}/
- D. nvram:/webvpn/{context name}/
Answer: C