Refined 300-209 Paper 2021

NEW QUESTION 1

Refer to the exhibit.

Which exchange does this debug output represent?

• A. IKE Phase 1
• B. IKE Phase 2
• C. symmetric key exchange
• D. certificate exchange

Answer: A

NEW QUESTION 2

What routing protocol is recommended by Cisco in DMVPN between company router and ISP router? (Choose Two)

• A. OSPF
• B. RIPv2
• C. ISIS
• D. BGP
• E. EIGRP

Answer: DE

NEW QUESTION 3

A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish the connection. Which three commands can be used for troubleshooting of the AAA subsystem? (Choose three.)

• A. debug aaa authentication
• B. debug radius
• C. debug vpn authorization error
• D. debug ssl openssl errors
• E. debug webvpn aaa
• F. debug ssl error

Answer: ABD

NEW QUESTION 4

Which two changes must be made to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two )

• A. Disable EIGRP next-hop-self on the hub.
• B. Enable EIGRP next-hop-self on the hub.
• C. Acid NHRP shortcuts on the hub.
• D. Add NHRP redirects on the hub.
• E. Add NHRP redirects on the spoke.

Answer: BD

NEW QUESTION 5

Which feature is available in IKEv1 but not IKEv2?

• A. Layer 3 roaming
• B. aggressive mode
• C. EAP variants
• D. sequencing

Answer: B

NEW QUESTION 6

A custom desktop application needs to access an internal server. An administrator is tasked with configuring the company's SSL VPN gateway to allow remote users to work. Which two technologies would accommodate the company's requirement? (Choose two).

• A. AnyConnect client
• B. Smart Tunnels
• C. Email Proxy
• D. Content Rewriter
• E. Portal Customizations

Answer: AB

NEW QUESTION 7

Which NGE IKE Diffie-Hellman group identifier has the strongest cryptographic properties?

• A. group 10
• B. group 24
• C. group 5
• D. group 20

Answer: D

NEW QUESTION 8

Which three settings are required for crypto map configuration? (Choose three.)

• A. match address
• B. set peer
• C. set transform-set
• D. set security-association lifetime
• E. set security-association level per-host
• F. set pfs

Answer: ABC

NEW QUESTION 9

An engineer is configuring an IPsec VPN with IKEv2. Which three components are part of the IKEv2 proposal for this implementation? (Choos three.)

• A. key ring
• B. DH group
• C. integrity
• D. tunnel name
• E. encryption

Answer: BCE

NEW QUESTION 10

Which two option, are benefits of AES compared to 3DES? (Choose two.)

• A. switches encryption keys every 32 GB of data transfer
• B. faster encryption
• C. shorter encryption keys
• D. longer encryption block length
• E. repeating encryption keys

Answer: BD

NEW QUESTION 11

Which two commands are include in the command show dmvpn detail? (Choose two.)

• A. Show ip nhrp
• B. Show ip nhrp nhs
• C. Show crypto ipsec sa detail
• D. Show crypto session detail
• E. Show crypto sockets

Answer: DE

NEW QUESTION 12

Refer to the exhibit.

Which authentication method was used by the remote peer to prove its identity?

• A. Extensible Authentication Protocol
• B. certificate authentication
• C. pre-shared key
• D. XAUTH

Answer: C

NEW QUESTION 13


Refer to the exhibit. An engineer is troubleshooting a new GRE over IPSEC tunnel. The tunnel is established, but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?

• A. ESP packets from spoke1 to spoke2
• B. ISAKMP packets from spoke2 to spoke1
• C. ESP packets from spoke2 to spoke1
• D. ISAKMP packets from spoke1 to spoke2

Answer: C

NEW QUESTION 14

What is a valid reason for configuring a list of backup servers on the Cisco AnyConnect VPN Client profile?

• A. to access a backup authentication server
• B. to access a backup DHCP server
• C. to access a backup VPN server
• D. to access a backup CA server

Answer: C

NEW QUESTION 15

Which statement regarding hashing is correct?

• A. MD5 produces a 64-bit message digest.
• B. SHA-1 produces a 160-bit message digest.
• C. MD5 takes more CPU cycles to compute than SHA-1.
• D. Changing 1 bit of the input to SHA-1 can change up to 5 bits in the output.

Answer: B

NEW QUESTION 16

An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco IOS routers. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats seem to show that are up. However, when trying to connect to a remote server using RDP, the connection fails. Which action resolves this issue?

• A. Change DMVPN timeout values.
• B. Adjust the MTU size within the routers.
• C. Replace certificate on the RDP server.
• D. Add RDP port to the extended ACL.

Answer: C

NEW QUESTION 17

After completing a site-to-site VPN setup between two routers, application performance over the tunnel is slow. You issue the show crypto ipsec sa command and see the following output. What does this output suggest?
interfacE. Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10 protected vrF. (none)
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/47/0) current_peer 209.165.200.230 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34836, #pkts encrypt: 34836, #pkts digest: 34836
#pkts decaps: 26922, #pkts decrypt: 19211, #pkts verify: 19211
#pkts compresseD. 0, #pkts decompresseD. 0
#pkts not compresseD. 0, #pkts compr. faileD. 0
#pkts not decompresseD. 0, #pkts decompress faileD. 0
#send errors 0, #recv errors 0

• A. The VPN has established and is functioning normally.
• B. There is an asymmetric routing issue.
• C. The remote peer is not receiving encrypted traffic.
• D. The remote peer is not able to decrypt traffic.
• E. Packet corruption is occurring on the path between the two peers.

Answer: E

NEW QUESTION 18

An engineer is troubleshooting VPN connectivity issues between a PC and ASA using Cisco AnyConnect IPsec IKEv2. Which requirement must be satisfied for proper functioning?

• A. PC certificate must contain the server-auth EKU.
• B. The connection must use EAP-AnyConnect.
• C. The SAN must be used as the CN for the ASA-side certificates.
• D. profile and binary updates must be downloading over IPSec

Answer: A

NEW QUESTION 19

Which technology can you implement to reduce latency issues associated with a Cisco AnyConnect VPN?

• A. DTLS
• B. SCTP
• C. DCCP
• D. SRTP

Answer: A

NEW QUESTION 20

You have been using pre-shared keys for IKE authentication on your VPN. Your network has grown rapidly, and now you need to create VPNs with numerous IPsec peers. How can you enable scaling to numerous IPsec peers?

• A. Migrate to external CA-based digital certificate authentication.
• B. Migrate to a load-balancing server.
• C. Migrate to a shared license server.
• D. Migrate from IPsec to SSL VPN client extended authentication.

Answer: A

NEW QUESTION 21

Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.

Topology

Default_Home


















Which two networks will be included in the secured VPN tunnel? (Choose two.)

• A. 10.10.0.0/16
• B. All networks will be securely tunneled
• C. Networks with a source of any4
• D. 10.10.9.0/24
• E. DMZ network

Answer: AE

Explanation:
Navigate to the Configuration -> Remote Access -> Group Policies tab to observe the following:

Then, click on the DlftGrpPolicy to see the following:

On the left side, select “Split Tunneling” to get to this page:

Here you see that the Network List called “Inside Subnets” is being tunneled (secured). Select Manage to see the list of networks

Here we see that the 10.10.0.0/16 and DMZ networks are being secured over the tunnel.

NEW QUESTION 22

Which protocols does the Cisco AnyConnect client use to build multiple connections to the security appliance?

• A. TLS and DTLS
• B. IKEv1
• C. L2TP over IPsec
• D. SSH over TCP

Answer: A

NEW QUESTION 23

A customer requires site-to-site VPNs to connect to third party business partners and has purchased two ASAs. The customer requests an active/active configuration.
Winch mode is needed to support and active/active solution?

• A. single context
• B. NAT context
• C. PAT context
• D. multiple context

Answer: D

NEW QUESTION 24

After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in Cisco ASDM?

• A. IPsec user profile
• B. Crypto Map
• C. Group Policy
• D. IPsec Policy
• E. IKE Policy

Answer: B

NEW QUESTION 25

A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid configuration constructs on a Cisco IOS router? (Choose two.)

• A. crypto ikev2 keyring keyring-name peer peer1address 209.165.201.1 255.255.255.255pre-shared-key local key1 pre-shared-key remote key2
• B. crypto ikev2 transform-set transform-set-name esp-3des esp-md5-hmacesp-aes esp-sha-hmac
• C. crypto ikev2 map crypto-map-nameset crypto ikev2 tunnel-group tunnel-group-name set crypto ikev2 transform-set transform-set-name
• D. crypto ikev2 tunnel-group tunnel-group-name match identity remote address 209.165.201.1 authentication local pre-shareauthentication remote pre-share
• E. crypto ikev2 profile profile-namematch identity remote address 209.165.201.1 authentication local pre-shareauthentication remote pre-share

Answer: AE

NEW QUESTION 26

Refer to the exhibit.

Which VPN solution does this configuration represent?

• A. DMVPN
• B. GETVPN
• C. FlexVPN
• D. site-to-site

Answer: B

NEW QUESTION 27

Which command enables the router to form EIGRP neighbor adjacencies with peers using a different subnet than the ingress interface?

• A. ip unnumbered interface
• B. eigrp router-id
• C. passive-interface interface name
• D. ip split-horizon eigrp as number

Answer: A

NEW QUESTION 28

What URL do you use to download a packet capture file in a format which can be used by a packet analyzer?

• A. ftp://<hostname>/capture/<capture_name>/
• B. https://<asdm_enabled _interface:port>/<capture_name>/
• C. https://<asdm_enabled_interface:port>/admin/capture/<capture_name>/pcap
• D. https://<hostname>/<capture_name>/pcap

Answer: C

NEW QUESTION 29

Which command identifies an AnyConnect profile that was uploaded to the router flash?

• A. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
• B. svc import profile SSL_profile flash:simos-profile.xml
• C. anyconnect profile SSL_profile flash:simos-profile.xml
• D. webvpn import profile SSL_profile flash:simos-profile.xml

Answer: A

NEW QUESTION 30
......