300-209 | Practical 300-209 Study Guides 2021

We provide the CCNP Security SIMOS 300-209 official cert guide PDF, which is the best for clearing the 300-209 test and getting certified in Cisco Implementing Cisco Secure Mobility Solutions (SIMOS). The guide covers all the knowledge points of the real 300-209 exam. Crack your Cisco 300-209 exam with the latest dumps, guaranteed!

Free demo questions for Cisco 300-209 Exam Dumps Below:

NEW QUESTION 1
Your corporate finance department purchased a new non-web-based TCP application tool to run on one of its servers. Certain finance employees need remote access to the software during nonbusiness hours. These employees do not have "admin" privileges to their PCs.
What is the correct way to configure the SSL VPN tunnel to allow this application to run?

  • A. Configure a smart tunnel for the application.
  • B. Configure a "finance tool" VNC bookmark on the employee clientless SSL VPN portal.
  • C. Configure the plug-in that best fits the application.
  • D. Configure the Cisco ASA appliance to download the Cisco AnyConnect SSL VPN Client to the finance employee each time an SSL VPN tunnel is established.

Answer: A

Explanation: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html
A smart tunnel is a connection between a TCP-based application and a private site, using a clientless (browser based) SSL VPN session with the security appliance as the pathway, and the security appliance as a proxy server. You can identify applications to which you want to grant smart tunnel access, and specify the local path to each application. For applications running on Microsoft Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for granting smart tunnel access.
Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.
Configuring smart tunnels requires one of the following procedures, depending on whether the application is a client or is a web-enabled application:
  • Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom you want to provide smart tunnel access.
  • Create one or more bookmark list entries that specify the URLs of the web-enabled applications eligible for smart tunnel access, then assign the list to the DAPs, group policies, or local user policies for whom you want to provide smart tunnel access.
You can also list web-enabled applications for which to automate the submission of login credentials in smart tunnel connections over clientless SSL VPN sessions.
Why Smart Tunnels?
Smart tunnel access lets a client TCP-based application use a browser-based VPN connection to connect to a service. It offers the following advantages to users, compared to plug-ins and the legacy technology, port forwarding:
  • Smart tunnel offers better performance than plug-ins.
  • Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user connection of the local application to the local port.
  • Unlike port forwarding, smart tunnel does not require users to have administrator privileges.
The advantage of a plug-in is that it does not require the client application to be installed on the remote computer.
Smart Tunnel Requirements, Restrictions, and Limitations
The following sections categorize the smart tunnel requirements and limitations.
General Requirements and Limitations
Smart tunnel has the following general requirements and limitations:
  • The remote host originating the smart tunnel must be running a 32-bit version of Microsoft Windows Vista, Windows XP, or Windows 2000; or Mac OS 10.4 or 10.5.
  • Smart tunnel auto sign-on supports only Microsoft Internet Explorer on Windows.
  • The browser must be enabled with Java, Microsoft ActiveX, or both.
  • Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the security appliance, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy. In an HTTP-based remote access scenario, sometimes a subnet does not provide user access to the VPN gateway. In this case, a proxy placed in front of the ASA to route traffic between the web and the end user's location provides web access. However, only VPN users can configure proxies placed in front of the ASA. When doing so, they must make sure these proxies support the CONNECT method. For proxies that require authentication, smart tunnel supports only the basic digest authentication type.
  • When smart tunnel starts, the security appliance by default passes all browser traffic through the VPN session if the browser process is the same. The security appliance also does this if a tunnel-all policy applies. If the user starts another instance of the browser process, it passes all traffic through the VPN session. If the browser process is the same and the security appliance does not provide access to a URL, the user cannot open it. As a workaround, assign a tunnel policy that is not tunnel-all.
  • A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.

NEW QUESTION 2
An engineer is troubleshooting DMVPN and wants to check if traffic flows in only one direction.

  • A. show crypto ipsec sa
  • B. show crypto ikev2 sa
  • C. show crypto isakmp sa
  • D. show crypto engine accelerator statistics

Answer: A

NEW QUESTION 3
Which two components are required for a Cisco IOS-based PKI solution?

  • A. preshared key
  • B. NTP
  • C. RADIUS server
  • D. certificate authority
  • E. FTP/HTTP server

Answer: AD

NEW QUESTION 4
Refer to the exhibit.
The network administrator is adding a new spoke, but the tunnel is not passing traffic. What could cause this issue?

  • A. DMVPN is a point-to-point tunnel, so there can be only one spoke.
  • B. There is no EIGRP configuration, and therefore the second tunnel is not working.
  • C. The NHRP authentication is failing.
  • D. The transform set must be in transport mode, which is a requirement for DMVPN.
  • E. The NHRP network ID is incorrect.

Answer: C

Explanation:
Reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#wp1055049

NEW QUESTION 5
If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to encrypt traffic?

  • A. DES
  • B. 3DES
  • C. AES
  • D. AES192
  • E. AES256

Answer: E

Explanation: Both ASAs are configured to support AES 256, so during the IPSec negotiation they will use the strongest algorithm that is supported by each peer.

NEW QUESTION 6
Which two features are required when configuring a DMVPN network? (Choose two.)

  • A. Dynamic routing protocol
  • B. GRE tunnel interface
  • C. Next Hop Resolution Protocol
  • D. Dynamic crypto map
  • E. IPsec encryption

Answer: BC

NEW QUESTION 7
A company needs to provide secure access to its remote workforce. The end users use public kiosk computers and a wide range of devices. They will be accessing only an internal web application. Which VPN solution satisfies these requirements?

  • A. Clientless SSLVPN
  • B. AnyConnect Client using SSLVPN
  • C. AnyConnect Client using IKEv2
  • D. FlexVPN Client
  • E. Windows built-in PPTP client

Answer: A

NEW QUESTION 8
Which option is a required element of Secure Device Provisioning communications?

  • A. the introducer
  • B. the certificate authority
  • C. the requestor
  • D. the registration authority

Answer: A

NEW QUESTION 9
When using clientless SSL VPN, you might not want some applications or web resources to go through the Cisco ASA appliance. For these applications and web resources, as a Cisco ASA administrator, which configuration should you use?

  • A. Configure the Cisco ASA appliance for split tunneling.
  • B. Configure network access exceptions in the SSL VPN customization editor.
  • C. Configure the Cisco ASA appliance to disable content rewriting.
  • D. Configure the Cisco ASA appliance to enable URL Entry bypass.
  • E. Configure smart tunnel to bypass the Cisco ASA appliance proxy function.

Answer: C

Explanation: http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_web.html
Content Rewrite
The Content Rewrite pane lists all applications for which content rewrite is enabled or disabled.
Clientless SSL VPN processes application traffic through a content transformation/rewriting engine that includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to proxy HTTP traffic which may have different semantics and access control rules depending on whether the user is using an application within or independently of an SSL VPN device.
By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want some applications and web resources (for example, public websites) to go through the security appliance. The security appliance therefore lets you create rewrite rules that let users browse certain sites and applications without going through the security appliance. This is similar to split-tunneling in an IPSec VPN connection.
You can create multiple rewrite rules. The rule number is important because the security appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches.

NEW QUESTION 10
Drag and drop the debug messages on the left onto the associated function during troubleshooting on the right.

Answer:

NEW QUESTION 11
An engineer is configuring IPsec VPN and wants to choose an authentication protocol that is reliable and supports ACK and sequence. Which protocol accomplishes this goal?

  • A. ESP
  • B. AES-192
  • C. IKEv1
  • D. AES-256

Answer: A

NEW QUESTION 12
What are two benefits of DMVPN Phase 3? (Choose two.)

  • A. Administrators can use summarization of routing protocol updates from hub to spokes.
  • B. It introduces hierarchical DMVPN deployments.
  • C. It introduces non-hierarchical DMVPN deployments.
  • D. It supports L2TP over IPSec as one of the VPN protocols.

Answer: AB

NEW QUESTION 13
Which two commands are included in the command show dmvpn detail? (Choose two.)

  • A. Show ip nhrp
  • B. Show ip nhrp nhs
  • C. Show crypto ipsec sa detail
  • D. Show crypto session detail
  • E. Show crypto sockets

Answer: DE

NEW QUESTION 14
An engineer is configuring clientless SSL VPN. The finance department has a database server that only they should access, but the sales department can currently access it. The finance and the sales departments are configured as separate group-policies. Which option must be added to the configuration to make sure the users in the sales department cannot access the finance department server?

  • A. Web type ACL
  • B. Port forwarding
  • C. Tunnel group lock
  • D. VPN filter ACL

Answer: C

NEW QUESTION 15
Which option shows the correct traffic selectors for the child SA on the remote ASA, when the headquarters ASA initiates the tunnel?

  • A. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.20.0/0-192.168.20.255/65535
  • B. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.22.0/0-192.168.22.255/65535
  • C. Local selector 192.168.22.0/0-192.168.22.255/65535 Remote selector 192.168.33.0/0-192.168.33.255/65535
  • D. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 0.0.0.0/0-0.0.0.0/65535
  • E. Local selector 0.0.0.0/0-0.0.0.0/65535 Remote selector 192.168.22.0/0-192.168.22.255/65535

Answer: B

Explanation: The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 (THE LOCAL SIDE) to 192.168.22.0/24 (THE REMOTE SIDE).

NEW QUESTION 16
Which cryptographic algorithms are approved to protect Top Secret information?

  • A. HIPPADES
  • B. AES-128
  • C. RC4-128
  • D. AES-256

Answer: D

NEW QUESTION 17
Which are two main use cases for Clientless SSL VPN? (Choose two.)

  • A. In kiosks that are part of a shared environment
  • B. When the users do not have admin rights to install a new VPN client
  • C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP
  • D. To create VPN site-to-site tunnels in combination with remote access

Answer: AB
