Implementing Cisco Secure Mobility Solutions
Question No: 41
You are troubleshooting a DMVPN NHRP registration failure. Which command can you use to view request counters?
A. show ip nhrp nhs detail
B. show ip nhrp tunnel
C. show ip nhrp incomplete
D. show ip nhrp incomplete tunnel tunnel_interface_number
Question No: 42
Refer to the exhibit.
Which type of mismatch is causing the problem with the IPsec VPN tunnel?
A. Phase 1 policy
B. crypto access list
Question No: 43
Which feature is available in IKEv1 but not IKEv2?
A. Layer 3 roaming
Question No: 44
Your corporate finance department purchased a new non-web-based TCP application tool to run on one of its servers. Certain finance employees need remote access to the software during nonbusiness hours. These employees do not have "admin" privileges on their PCs.
What is the correct way to configure the SSL VPN tunnel to allow this application to run?
A. Configure a smart tunnel for the application.
B. Configure a "finance tool" VNC bookmark on the employee clientless SSL VPN portal.
C. Configure the plug-in that best fits the application.
D. Configure the Cisco ASA appliance to download the Cisco AnyConnect SSL VPN Client to the finance employee each time an SSL VPN tunnel is established.
Answer: A
Explanation:
A smart tunnel is a connection between a TCP-based application and a private site, using a clientless (browser based) SSL VPN session with the security appliance as the pathway, and the security appliance as a proxy server. You can identify applications to which you want to grant smart tunnel access, and specify the local path to each application. For applications running on Microsoft Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for granting smart tunnel access.
Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.
Configuring smart tunnels requires one of the following procedures, depending on whether the application is a client or is a web-enabled application:
• Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom you want to provide smart tunnel access.
• Create one or more bookmark list entries that specify the URLs of the web-enabled applications eligible for smart tunnel access, then assign the list to the DAPs, group policies, or local user policies for whom you want to provide smart tunnel access.
You can also list web-enabled applications for which to automate the submission of login credentials in smart tunnel connections over clientless SSL VPN sessions.
Why Smart Tunnels?
Smart tunnel access lets a client TCP-based application use a browser-based VPN connection to connect to a service. It offers the following advantages to users, compared to plug-ins and the legacy technology, port forwarding:
• Smart tunnel offers better performance than plug-ins.
• Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user to connect the local application to the local port.
• Unlike port forwarding, smart tunnel does not require users to have administrator privileges.
The advantage of a plug-in is that it does not require the client application to be installed on the remote computer.
Smart Tunnel Requirements, Restrictions, and Limitations
The following sections categorize the smart tunnel requirements and limitations.
General Requirements and Limitations
Smart tunnel has the following general requirements and limitations:
• The remote host originating the smart tunnel must be running a 32-bit version of Microsoft Windows Vista, Windows XP, or Windows 2000; or Mac OS 10.4 or 10.5.
• Smart tunnel auto sign-on supports only Microsoft Internet Explorer on Windows.
• The browser must be enabled with Java, Microsoft ActiveX, or both.
• Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the security appliance, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy.
In an HTTP-based remote access scenario, sometimes a subnet does not provide user access to the VPN gateway. In this case, a proxy placed in front of the ASA to route traffic between the web and the end user's location provides web access. However, only VPN users can configure proxies placed in front of the ASA.
When doing so, they must make sure these proxies support the CONNECT method. For proxies that require authentication, smart tunnel supports only the basic digest authentication type.
• When smart tunnel starts, the security appliance by default passes all browser traffic through the VPN session if the browser process is the same. The security appliance also does this if a tunnel-all policy applies. If the user starts another instance of the browser process, it passes all traffic through the VPN session. If the browser process is the same and the security appliance does not provide access to a URL, the user cannot open it. As a workaround, assign a tunnel policy that is not tunnel-all.
• A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.
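The following ASA configuration is an added example illustrating the client-application procedure described above (smart tunnel list assigned to a group policy); it is not part of the original page or of Cisco's documentation. The list name FINANCE-APPS, the group policy FINANCE-GP, the application name FinanceTool, the executable fintool.exe and the SHA-1 value are assumptions; the hash is a placeholder to be replaced with the checksum of the actual deployed binary.

```cisco
! Added example (not from the original page). Names and paths are assumptions.
!
! Step 1: define the smart tunnel list of client applications eligible for access.
! "platform windows" scopes the entry to Windows hosts; the optional "hash" keyword
! makes the ASA grant access only to a binary whose SHA-1 checksum matches, so a
! renamed or tampered executable cannot ride the tunnel.
webvpn
 smart-tunnel list FINANCE-APPS FinanceTool fintool.exe platform windows hash <SHA1-CHECKSUM-PLACEHOLDER>
!
! Step 2: assign the list to the group policy of the users who need the access.
! No administrator privileges are needed on the client PC, unlike port forwarding.
group-policy FINANCE-GP attributes
 webvpn
  smart-tunnel enable FINANCE-APPS
```

After the finance user logs in to the clientless SSL VPN portal and starts smart tunnel, launching fintool.exe from the listed local path sends its TCP traffic through the browser-based session with the ASA acting as proxy. Keep the hash entry maintained alongside software updates: a new version of the executable changes the checksum, and the ASA will then refuse smart tunnel access until the list entry is updated.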
Question No: 45
As network security architect, you must implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity.
Which technology should you use?
Question No: 46
Which CLI command do you use to capture IKEv1 Phase 1 traffic?
A. capture match ip eq port 500 eq port 500
B. capture match gre eq port 500 eq port 500
C. capture match ah eq port 500 eq port 500
D. capture match udp eq port 153 eq port 153
E. capture match udp eq port 500 eq port 500
Question No: 47
A rogue static route is installed in the routing table of a Cisco FlexVPN and is causing traffic to be blackholed. Which command should be used to identify the peer from which that route originated?
A. show crypto ikev2 sa detail
B. show crypto route
C. show crypto ikev2 client flexvpn
D. show ip route eigrp
E. show crypto isakmp sa detail
Question No: 48
Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)
A. aes-cbc-192, sha256, 14
B. 3des, md5, 5
C. 3des, sha1, 1
D. aes-cbc-128, sha, 5
Question No: 49
What are three benefits of deploying a GET VPN? (Choose three.)
A. It provides highly scalable point-to-point topologies.
B. It allows replication of packets after encryption.
C. It is suited for enterprises running over a DMVPN network.
D. It preserves original source and destination IP address information.
E. It simplifies encryption management through use of group keying.
F. It supports non-IP protocols.
Question No: 50
In the Diffie-Hellman protocol, which type of key is the shared secret?
A. a symmetric key
B. an asymmetric key
C. a decryption key
D. an encryption key