300-209 | Cisco 300-209 Study Guides 2021


Free demo questions for Cisco 300-209 Exam Dumps Below:

NEW QUESTION 1
Which technology is FlexVPN based on?

  • A. OER
  • B. VRF
  • C. IKEv2
  • D. an RSA nonce

Answer: C

NEW QUESTION 2
Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)

  • A. When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.
  • B. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.
  • C. A Cisco ASA with an AnyConnect Premium Peers license can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.
  • D. Content rewriter functionality in the Clientless SSL VPN portal is not supported on Apple mobile devices.
  • E. Clientless SSL VPN provides Layer 3 connectivity into the secured network.

Answer: CD

NEW QUESTION 3
Which technology supports tunnel interfaces while remaining compatible with legacy VPN implementations?

  • A. FlexVPN
  • B. DMVPN
  • C. GET VPN
  • D. SSL VPN

Answer: A

NEW QUESTION 4
Refer to the exhibit:
Which statement about this output is true?

  • A. Identity between endpoints is verified using a certificate authority
  • B. The tunnel is not functional because NAT-T is not configured.
  • C. This router has sent the first packet to establish the Flex VPN tunnel
  • D. The remote device encrypts IKEv2 packets using key “282FE"0B3B5C99A2B”.

Answer: C

NEW QUESTION 5
A user with IP address 10.10.10.10 is unable to access a HTTP website at IP address 209.165.200.225 through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)

  • A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any
  • B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80
  • C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1 and show logging | include 10.10.10.10
  • D. Check if an access-list on the firewall is blocking the user by using command show running-config access-list | include 10.10.10.10
  • E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234 192.168.1.3 161 to see what the firewall is doing with the user's traffic

Answer: AB

NEW QUESTION 6
Refer to the exhibit:
Which description of the status of this VPN tunnel is true?

  • A. The pre shared key in phase 1 is mismatched between tunnel endpoints
  • B. The phase 1 is complete, phase 2 status is unknown
  • C. The integrity algorithm does not match between the two endpoints.
  • D. The tunnel is up and waiting for traffic to flow across it

Answer: A

NEW QUESTION 7
Which cryptographic algorithms are a part of the Cisco NGE suite?

  • A. HIPPADES
  • B. AES-CBC-128
  • C. RC4-128
  • D. AES-GCM-256

Answer: D

Explanation:
Reference: https://www.cisco.com/web/learning/le21/le39/docs/tdw166_prezo.pdf

NEW QUESTION 8
Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.
Exhibits (images not reproduced): Topology, Default_Home.
What two actions will be taken on translated packets when the AnyConnect users connect to the ASA? (Choose two.)

  • A. No action will be taken, they will keep their original assigned addresses
  • B. The source address will use the outside-nat-pool
  • C. The source NAT type will be a static translation
  • D. The source NAT type will be a dynamic translation
  • E. DNS will be translated on rule matches

Answer: AC

Explanation: First, navigate to the Configuration -> NAT Rules tab.
NAT rule 2 applies to the AnyConnect clients. Click on this rule to see more details.
It is a static source NAT entry, but the Source and Destination addresses remain the original IP addresses, so they are not translated.

NEW QUESTION 9
Refer to the exhibit.
A NOC engineer is in the process of entering information into the Create New VPN Connection Entry fields. Which statement correctly describes how to do this?

  • A. In the Connection Entry field, enter the name of the connection profile as it is specified on the Cisco ASA appliance.
  • B. In the Host field, enter the IP address of the remote client device.
  • C. In the Authentication tab, click the Group Authentication or Mutual Group Authentication radio button to enable symmetrical pre-shared key authentication.
  • D. In the Name field, enter the name of the connection profile as it is specified on the Cisco ASA appliance.

Answer: D

Explanation: http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/win/user/guide/vc4.html#
Step 1 Start the VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Client.
Step 2 The VPN Client application starts and displays the advanced mode main window (Figure 4-1). If you are not already there, open the Options menu in simple mode and choose Advanced Mode or press Ctrl-M.
Step 3 Select New from the toolbar or the Connection Entries menu. The VPN Client displays a form
Step 4 Enter a unique name for this new connection. You can use any name to identify this connection; for example, Engineering. This name can contain spaces, and it is not case-sensitive.
Step 5 Enter a description of this connection. This field is optional, but it helps further identify this connection. For example, Connection to Engineering remote server.
Step 6 Enter the hostname or IP address of the remote VPN device you want to access.
Group Authentication
Your network administrator usually configures group authentication for you. If this is not the case, use the following procedure:
Step 1 Click the Group Authentication radio button.
Step 2 In the Name field, enter the name of the IPSec group to which you belong. This entry is case-sensitive.
Step 3 In the Password field, enter the password (which is also case-sensitive) for your IPSec group. The field displays only asterisks.
Step 4 Verify your password by entering it again in the Confirm Password field.

NEW QUESTION 10
Which option describes what address preservation with IPsec Tunnel Mode allows when GETVPN is used?

  • A. stronger encryption methods
  • B. Network Address Translation of encrypted traffic
  • C. traffic management based on original source and destination addresses
  • D. Tunnel Endpoint Discovery

Answer: C

NEW QUESTION 11
Which encryption and authentication algorithms does Cisco recommend when deploying a Cisco NGE supported VPN solution?

  • A. AES-GCM and SHA-2
  • B. 3DES and DH
  • C. AES-CBC and SHA-1
  • D. 3DES and SHA-1

Answer: A

NEW QUESTION 12
Refer to the exhibit. In this tunnel mode GRE multipoint example, which command on the hub router distinguishes one spoke from the other?

  • A. no ip route
  • B. ip nhrp map
  • C. ip frame-relay
  • D. tunnel mode gre multipoint

Answer: D

NEW QUESTION 13
Refer to the exhibit.
For the ABC Corporation, members of the NOC need the ability to select tunnel groups from a drop-down menu on the Cisco WebVPN login page.
As the Cisco ASA administrator, how would you accomplish this task?

  • A. Define a special identity certificate with multiple groups, which are defined in the certificate OU field, that will grant the certificate holder access to the named groups on the login page.
  • B. Under Group Policies, define a default group that encompasses the required individual groups that will appear on the login page.
  • C. Under Connection Profiles, define a NOC profile that encompasses the required individual profiles that will appear on the login page.
  • D. Under Connection Profiles, enable "Allow user to select connection profile."

Answer: D

Explanation: Cisco ASDM User Guide Version 6.1
Add or Edit SSL VPN Connections > Advanced > SSL VPN
This dialog box lets you configure attributes that affect what the remote user sees upon login.
Fields
  • Login Page Customization—Configures the look and feel of the user login page by specifying which preconfigured customization attributes to apply. The default is DfltCustomization.
  • Manage—Opens the Configure GUI Customization Objects window.
  • Connection Aliases—Lists in a table the existing connection aliases and their status and lets you add or delete items in that table. A connection alias appears on the user login page if the connection is configured to allow users to select a particular connection (tunnel group) at login.
    – Add—Opens the Add Connection Alias window, on which you can add and enable a connection alias.
    – Delete—Removes the selected row from the connection alias table. There is no confirmation or undo.
  • Group URLs—Lists in a table the existing group URLs and their status and lets you add or delete items in that table. A group URL appears on the user login page if the connection is configured to allow users to select a particular group at login.
    – Add—Opens the Add Group URL window, on which you can add and enable a group URL.
    – Delete—Removes the selected row from the connection alias table. There is no confirmation or undo.

NEW QUESTION 14
The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error message is displayed:
"Login Denied, unauthorized connection mechanism, contact your administrator"
What is the most likely cause of this problem?

  • A. DAP is terminating the connection because IKEv2 is the protocol that is being used.
  • B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection.
  • C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism.
  • D. The administrator is restricting access to this specific user.
  • E. The IKEv2 protocol is not enabled in the group policy of the VPN headend.

Answer: E

NEW QUESTION 15
Refer to the exhibit.
A new NOC engineer, while viewing a real-time log from an SSL VPN tunnel, has a question about a line in the log.
The IP address 172.26.26.30 is attached to which interface in the network?

  • A. the Cisco ASA physical interface
  • B. the physical interface of the end user
  • C. the Cisco ASA SSL VPN tunnel interface
  • D. the SSL VPN tunnel interface of the end user

Answer: B

NEW QUESTION 16
Which technology does a multipoint GRE interface require to resolve endpoints?

  • A. ESP
  • B. dynamic routing
  • C. NHRP
  • D. CEF
  • E. IPSec

Answer: C

NEW QUESTION 17
Which option is a possible solution if you cannot access a URL through clientless SSL VPN with Internet Explorer, while other browsers work fine?

  • A. Verify the trusted zone and cookies settings in your browser.
  • B. Make sure that you specified the URL correctly.
  • C. Try the URL from another operating system.
  • D. Move to the IPsec client.

Answer: A
