Cisco 300-209 Braindumps 2021

Your success in the CCNP Security SIMOS 300-209 exam is our sole target, and all of our 300-209 study material is developed to help you reach it. It is not only the best material you can find but also the most detailed and most up to date, written to the highest standards of technical accuracy for the Cisco 300-209 exam.

Free 300-209 sample questions:

NEW QUESTION 1
An engineer is attempting to establish a new site-to-site VPN connection. The tunnel terminates on an ASA 5506-X which is behind an ASA 5515-X. The engineer notices that the tunnel is not establishing. Which option is a potential cause?

  • A. Certificates were not configured
  • B. Diffie-Hellman group is not set
  • C. Access lists were not applied
  • D. NAT traversal is not configured

Answer: D

NEW QUESTION 2
Which two statements are true when designing an SSL VPN solution using Cisco AnyConnect? (Choose two.)

  • A. The VPN server must have a self-signed certificate.
  • B. An SSL group pre-shared key must be configured on the server.
  • C. Server side certificate is optional if using AAA for client authentication.
  • D. The VPN IP address pool can overlap with the rest of the LAN networks.
  • E. DTLS can be enabled for better performance.

Answer: DE

NEW QUESTION 3
What are two variables for configuring clientless SSL VPN single sign-on? (Choose two.)

  • A. CSCO_WEBVPN_OTP_PASSWORD
  • B. CSCO_WEBVPN_INTERNAL_PASSWORD
  • C. CSCO_WEBVPN_USERNAME
  • D. CSCO_WEBVPN_RADIUS_USER

Answer: BC

NEW QUESTION 4
Scenario:
You are the senior network security administrator for your organization. Recently, a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to the designated parameters. Using the CLI on both the Cisco ASA and the branch ISR, verify that the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
300-209 dumps exhibit
300-209 dumps exhibit
300-209 dumps exhibit
What is being used as the authentication method on the branch ISR?

  • A. Certificates
  • B. Pre-shared keys
  • C. RSA public keys
  • D. Diffie-Hellman Group 2

Answer: B

Explanation: The show crypto isakmp key command shows the preshared key of “cisco”.
300-209 dumps exhibit

NEW QUESTION 5
Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish an IKEv2 connection, while SSL works fine? (Choose two.)

  • A. Verify that the primary protocol on the client machine is set to IPsec.
  • B. Verify that AnyConnect is enabled on the correct interface.
  • C. Verify that the IKEv2 protocol is enabled on the group policy.
  • D. Verify that ASDM and AnyConnect are not using the same port.
  • E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.

Answer: AC

NEW QUESTION 6
Which three configurations are required for both IPsec VTI and crypto map-based VPNs? (Choose three.)

  • A. transform set
  • B. ISAKMP policy
  • C. ACL that defines traffic to encrypt
  • D. dynamic routing protocol
  • E. tunnel interface
  • F. IPsec profile
  • G. PSK or PKI trustpoint with certificate

Answer: ABG

NEW QUESTION 7
Regarding licensing, which option will allow IKEv2 connections on the adaptive security appliance?

  • A. AnyConnect Essentials can be used for Cisco AnyConnect IKEv2 connections.
  • B. IKEv2 sessions are not licensed.
  • C. The Advanced Endpoint Assessment license must be installed to allow Cisco AnyConnect IKEv2 sessions.
  • D. Cisco AnyConnect Mobile must be installed to allow AnyConnect IKEv2 sessions.

Answer: B

NEW QUESTION 8
An engineer is configuring high availability for crypto-map-based site-to-site VPNs on Cisco devices. Which protocol must be used?

  • A. VRRP
  • B. BFD
  • C. ESP
  • D. HSRP

Answer: D

NEW QUESTION 9
Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL VPN session. Which statement is correct concerning the SSL VPN authorization process?

  • A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an external AAA server.
  • B. Remote clients can be authorized externally by applying group parameters from an external database.
  • C. Remote client authorization is supported by RADIUS and TACACS+ protocols.
  • D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.

Answer: B

Explanation: CISCO SSL VPN guide
The aaa authentication command is entered to specify an authentication list or server group under a SSL VPN context configuration. If this command is not configured and AAA is configured globally on the router, global authentication will be applied to the context configuration.
The database that is configured for remote-user authentication on the SSL VPN gateway can be a local database, or the database can be accessed through any RADIUS or TACACS+ AAA server.
We recommend that you use a separate AAA server, such as a Cisco Access Control Server (ACS). A separate AAA server provides a more robust security solution. It allows you to configure unique passwords for each remote user and accounting and logging for remote-user sessions.

NEW QUESTION 10
A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889?

  • A. auto applet download
  • B. port forwarding
  • C. web-type ACL
  • D. HTTP proxy

Answer: B

NEW QUESTION 11
300-209 dumps exhibit
300-209 dumps exhibit
300-209 dumps exhibit
Which option shows the correct traffic selectors for the child SA on the remote ASA when the headquarters ASA initiates the tunnel?

  • A. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.20.0/0-192.168.20.255/65535
  • B. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.22.0/0-192.168.22.255/65535
  • C. Local selector 192.168.22.0/0-192.168.22.255/65535 Remote selector 192.168.33.0/0-192.168.33.255/65535
  • D. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 0.0.0.0/0 - 0.0.0.0/65535
  • E. Local selector 0.0.0.0/0 - 0.0.0.0/65535 Remote selector 192.168.22.0/0 -192.168.22.255/65535

Answer: B

Explanation: The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 (THE LOCAL SIDE) to 192.168.22.0/24 (THE REMOTE SIDE).

NEW QUESTION 12
Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

  • A. group-alias
  • B. certificate map
  • C. use gateway command
  • D. group-url
  • E. AnyConnect client version

Answer: BD

NEW QUESTION 13
Refer to the exhibit.
300-209 dumps exhibit
Which authentication method was used by the remote peer to prove its identity?

  • A. Extensible Authentication Protocol
  • B. certificate authentication
  • C. pre-shared key
  • D. XAUTH

Answer: C

NEW QUESTION 14
An administrator desires that when work laptops are not connected to the corporate network, they should automatically initiate an AnyConnect VPN tunnel back to headquarters. Where does the administrator configure this?

  • A. Via the svc trusted-network command under the group-policy sub-configuration mode on the ASA
  • B. Under the "Automatic VPN Policy" section inside the Anyconnect Profile Editor within ASDM
  • C. Under the TNDPolicy XML section within the Local Preferences file on the client computer
  • D. Via the svc trusted-network command under the global webvpn sub-configuration mode on the ASA

Answer: B

NEW QUESTION 15
If Web VPN bookmarks are grayed out on the home screen, which action should you take to begin troubleshooting?

  • A. Determine whether the Cisco ASA can resolve the DNS names.
  • B. Determine whether the Cisco ASA has DNS forwarders set up.
  • C. Determine whether an ACL is present to permit DNS forwarding.
  • D. Replace the DNS name with an IP address.

Answer: A

NEW QUESTION 16
Scenario:
You are the network security manager for your organization. Your manager has received a request to allow an external user to access your HQ and DMZ servers. You are given the following connection parameters for this task.
Using ASDM on the ASA, configure the parameters below and test your configuration by accessing the Guest PC. Not all ASDM screens are active for this exercise. Also, for this exercise, all changes are automatically applied to the ASA and you will not have to click APPLY to apply the changes manually.
  • Enable Clientless SSL VPN on the outside interface
  • Using the Guest PC, open an Internet Explorer window and test and verify the basic connection to the SSL VPN portal using address: https://vpn-secure-x.public
    • a. You may notice a certificate error in the status bar; this can be ignored for this exercise
    • b. Username: vpnuser
    • c. Password: cisco123
    • d. Log out of the portal once you have verified connectivity
  • Configure two bookmarks with the following parameters:
    • a. Bookmark List Name: MY-BOOKMARKS
    • b. Use the: URL with GET or POST method
    • c. Bookmark Title: HQ-Server
      • i. http://10.10.3.20
    • d. Bookmark Title: DMZ-Server-FTP
      • i. ftp://172.16.1.50
    • e. Assign the configured Bookmarks to:
      • i. DfltGrpPolicy
      • ii. DfltAccessPolicy
      • iii. LOCAL User: vpnuser
  • From the Guest PC, reconnect to the SSL VPN Portal
  • Test both configured Bookmarks to ensure desired connectivity
You have completed this exercise when you have configured and successfully tested Clientless SSL VPN connectivity.
Topology:
300-209 dumps exhibit
300-209 dumps exhibit
300-209 dumps exhibit

Answer:

Explanation: First, enable clientless VPN access on the outside interface by checking the box found below:
300-209 dumps exhibit
Then, log in to the given URL using the vpnuser/cisco123 credentials:
300-209 dumps exhibit
Logging in will take you to this page, which means you have now verified basic connectivity:
300-209 dumps exhibit
Now log out by hitting the logout button.
Now, go back to the ASDM and navigate to the Bookmarks portion:
300-209 dumps exhibit
Make the name MY-BOOKMARKS and use the “Add” tab to add the bookmarks per the instructions:
300-209 dumps exhibit
Ensure the “URL with GET or POST method” button is selected and hit OK:
300-209 dumps exhibit
Add the two bookmarks as given in the instructions:
300-209 dumps exhibit
300-209 dumps exhibit
You should now see the two bookmarks listed:
300-209 dumps exhibit
Hit OK and you will see this:
300-209 dumps exhibit
Select the MY-BOOKMARKS bookmark list and click on the “Assign” button. Then, click on the appropriate check boxes as specified in the instructions and hit OK.
300-209 dumps exhibit
After hitting OK, you will now see this:
300-209 dumps exhibit
Then, go back to the Guest PC, log back in, and you should be able to test out the two new bookmarks.

NEW QUESTION 17
Which algorithm does ISAKMP use to securely derive encryption and integrity keys?

  • A. Diffie-Hellman
  • B. AES
  • C. ECDSA
  • D. RSA
  • E. 3DES

Answer: D

NEW QUESTION 18
300-209 dumps exhibit
300-209 dumps exhibit
300-209 dumps exhibit
Based on the provided ASDM configuration for the remote ASA, which one of the following is correct?

  • A. An access-list must be configured on the outside interface to permit inbound VPN traffic
  • B. A route to 192.168.22.0/24 will not be automatically installed in the routing table
  • C. The ASA will use a window of 128 packets (64x2) to perform the anti-replay check
  • D. The tunnel can also be established on TCP port 10000

Answer: C

Explanation: Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.

NEW QUESTION 19
Consider this scenario. When users attempt to connect via a Cisco AnyConnect VPN session, the certificate has changed and the connection fails.
What is a possible cause of the connection failure?

  • A. An invalid modulus was used to generate the initial key.
  • B. The VPN is using an expired certificate.
  • C. The Cisco ASA appliance was reloaded.
  • D. The Trusted Root Store is configured incorrectly.

Answer: C

NEW QUESTION 20
What action does the hub take when it receives an NHRP resolution request from a spoke for a network that exists behind another spoke?

  • A. The hub sends back a resolution reply to the requesting spoke.
  • B. The hub updates its own NHRP mapping.
  • C. The hub forwards the request to the destination spoke.
  • D. The hub waits for the second spoke to send a request so that it can respond to both spokes.

Answer: C

Thanks for reading the newest 300-209 exam dumps! We recommend you try the PREMIUM Surepassexam 300-209 dumps in VCE and PDF here: https://www.surepassexam.com/300-209-exam-dumps.html (333 Q&As Dumps)