300-209 | Cisco 300-209 Exam Questions 2021

Free demo questions for Cisco 300-209 Exam Dumps Below:

NEW QUESTION 1
Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel group in cleartext?

  • A. more system:running-config
  • B. show running-config crypto
  • C. show running-config tunnel-group
  • D. show running-config tunnel-group-map
  • E. clear config tunnel-group
  • F. show ipsec policy

Answer: A

NEW QUESTION 2
Which command will allow a referenced ASA interface to become accessible across a site-to-site VPN?

  • A. access-list 101 extended permit ICMP any any
  • B. crypto map vpn 10 match address 101
  • C. crypto map vpn interface inside
  • D. management-access <interface name>

Answer: B

NEW QUESTION 3
Scenario
Your organization has just implemented a Cisco AnyConnect SSL VPN solution. Using Cisco ASDM, answer the questions regarding the implementation.
Note: Not all screens or option selections are active for this exercise.
[Exhibits not included: Topology, Default_Home and others]
Which two networks will be included in the secured VPN tunnel? (Choose two.)

  • A. 10.10.0.0/16
  • B. All networks will be securely tunneled
  • C. Networks with a source of any4
  • D. 10.10.9.0/24
  • E. DMZ network

Answer: AE

Explanation: Navigate to the Configuration -> Remote Access -> Group Policies tab to observe the following:
300-209 dumps exhibit
Then, click on the DfltGrpPolicy to see the following:
300-209 dumps exhibit
On the left side, select “Split Tunneling” to get to this page:
300-209 dumps exhibit
Here you see that the Network List called “Inside Subnets” is being tunneled (secured). Select Manage to see the list of networks.
300-209 dumps exhibit
Here we see that the 10.10.0.0/16 and DMZ networks are being secured over the tunnel.

NEW QUESTION 4
Refer to the Exhibit:
Router(config)#crypto pki enroll TRIALFOUR
Which result of this command is true?

  • A. It displays the RSA public keys of the router
  • B. Makes the router generate a certificate signing request
  • C. It specifies self-signed enrollment for a trust point
  • D. Generates an RSA key called TRIAL FOUR

Answer: C

NEW QUESTION 5
Scenario:
You are the senior network security administrator for your organization. Recently a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
[Exhibits not included]
In what state is the IKE security association on the Cisco ASA?

  • A. There are no security associations in place
  • B. MM_ACTIVE
  • C. ACTIVE(ACTIVE)
  • D. QM_IDLE

Answer: B

Explanation: This can be seen from the “show crypto isa sa” command:
300-209 dumps exhibit

NEW QUESTION 6
Which option is an advantage of using elliptic curve cryptography?

  • A. Efficiency of operation
  • B. Ease of implementation
  • C. Symmetrical key exchange
  • D. Resistance to quantum attacks

Answer: A

NEW QUESTION 7
Refer to the exhibit.
300-209 dumps exhibit
What technology does the given configuration demonstrate?

  • A. Keyring used to encrypt IPSec traffic
  • B. FlexVPN with IPv6
  • C. FlexVPN with AnyConnect
  • D. Crypto Policy to enable IKEv2

Answer: B

NEW QUESTION 8
Refer to the exhibit.
300-209 dumps exhibit
Which VPN solution does this configuration represent?

  • A. Cisco AnyConnect
  • B. IPsec
  • C. L2TP
  • D. SSL VPN

Answer: B

NEW QUESTION 9
An administrator wishes to limit the networks reachable over the AnyConnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and 209.165.202.128/27?

  • A. access-list splitlist standard permit 209.165.201.0 255.255.255.224
       access-list splitlist standard permit 209.165.202.128 255.255.255.224
       !
       group-policy GroupPolicy1 internal
       group-policy GroupPolicy1 attributes
       split-tunnel-policy tunnelspecified
       split-tunnel-network-list value splitlist
  • B. access-list splitlist standard permit 209.165.201.0 255.255.255.224
       access-list splitlist standard permit 209.165.202.128 255.255.255.224
       !
       group-policy GroupPolicy1 internal
       group-policy GroupPolicy1 attributes
       split-tunnel-policy tunnelall
       split-tunnel-network-list value splitlist
  • C. group-policy GroupPolicy1 internal
       group-policy GroupPolicy1 attributes
       split-tunnel-policy tunnelspecified
       split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
       split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224
  • D. access-list splitlist standard permit 209.165.201.0 255.255.255.224
       access-list splitlist standard permit 209.165.202.128 255.255.255.224
       !
       crypto anyconnect vpn-tunnel-policy tunnelspecified
       crypto anyconnect vpn-tunnel-network-list splitlist
  • E. crypto anyconnect vpn-tunnel-policy tunnelspecified
       crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224
       crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224

Answer: A

NEW QUESTION 10
Scenario
You are the network security administrator for your organization. Your company is growing and a remote branch office is being created. You are tasked with configuring your headquarters Cisco ASA to create a site-to-site IPsec VPN connection to the branch office Cisco ISR. The branch office ISR has already been deployed and configured and you need to complete the IPsec connectivity configurations on the HQ ASA to bring the new office online.
Use the following parameters to complete your configuration using ASDM. For this exercise, not all ASDM screens are active.
  • Enable IKEv1 on outside I/F for Site-to-site VPN
  • Add a Connection Profile with the following parameters:
  • Peer IP: 203.0.113.1
  • Connection name: 203.0.113.1
  • Local protected network: 10.10.9.0/24
  • Remote protected network: 10.11.11.0/24
  • Group Policy Name: use the default policy name supplied
  • Preshared key: cisco
  • Disable IKEv2
  • Encryption Algorithms: use the ASA defaults
  • Disable pre-configured NAT for testing of the IPsec tunnel
  • Disable the outside NAT pool rule
  • Establish the IPsec tunnel by sending ICMP pings from the Employee PC to the Branch Server at IP address 10.11.11.20
  • Verify tunnel establishment in ASDM VPN Statistics > Sessions window pane
You have completed this exercise when you have successfully configured, established, and verified site-to-site IPsec connectivity between the ASA and the Branch ISR.
Topology
[Exhibits not included]

Answer:

Explanation: First, click on Configuration -> Site-to-Site VPN to bring up this screen:
300-209 dumps exhibit
Click on “allow IKE v1 Access” for the outside per the instructions as shown below:
300-209 dumps exhibit
Then click apply at the bottom of the page. This will bring up the following pop up message:
300-209 dumps exhibit
Click on Send.
Next, we need to set up the connection profile. From the connection profile tab, click on “Add”:
300-209 dumps exhibit
Then, fill in the information per the instructions as shown below:
300-209 dumps exhibit
Hit OK and you should see this:
300-209 dumps exhibit
To test this, we need to disable NAT. Go to Configuration -> Firewall -> NAT rules and you should see this:
300-209 dumps exhibit
Click on Rule 1 to get the details and you will see this:
300-209 dumps exhibit
We need to uncheck the “Enable rule” button on the bottom. It might also be a good idea to uncheck the “Translate DNS replies that match the rule” but it should not be needed.
Then, go back to the topology:
300-209 dumps exhibit
Click on Employee PC, and you will see a desktop with a command prompt shortcut. Use this to ping the IP address of 10.11.11.20 and you should see replies:
300-209 dumps exhibit
We can also verify by viewing the VPN Statistics -> Sessions and see the bytes in/out incrementing as shown below:
300-209 dumps exhibit

NEW QUESTION 11
What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?

  • A. disk0:/webvpn/{context name}/
  • B. disk1:/webvpn/{context name}/
  • C. flash:/webvpn/{context name}/
  • D. nvram:/webvpn/{context name}/

Answer: C

NEW QUESTION 12
Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

  • A. group-alias
  • B. certificate map
  • C. use gateway command
  • D. group-url
  • E. AnyConnect client version

Answer: BD

NEW QUESTION 13
You have deployed new Cisco AnyConnect start before logon modules and set the configuration to download modules before logon, but all client connections continue to use the previous version of the module. Which action must you take to correct the problem?

  • A. Configure start before logon in the client profile.
  • B. Configure a group policy to prompt the user to download the updated module.
  • C. Define the modules for download in the client profile.
  • D. Define the modules for download in the group policy.

Answer: A

NEW QUESTION 14
An engineer is attempting to establish a new site-to-site VPN connection. The tunnel terminates on an ASA 5506-X which is behind an ASA 5515-X. The engineer notices that the tunnel is not establishing. Which option is a potential cause?

  • A. Certificates were not configured
  • B. Diffie-Hellman group is not set
  • C. Access lists were not applied
  • D. NAT-traversal is not configured

Answer: D

NEW QUESTION 15
Refer to the Exhibit:
300-209 dumps exhibit
A network security engineer is troubleshooting intermittent connectivity issues across a tunnel. Based on the output from the show crypto ipsec sa command, which cause is most likely?

  • A. ISAKMP and/or IPsec may be bouncing up and down.
  • B. The security association lifetimes are set to default values.
  • C. Return traffic is not coming back from the other end of the tunnel.
  • D. Traffic may flow in only one direction across this tunnel.

Answer: B

NEW QUESTION 16
Refer to the exhibit.
300-209 dumps exhibit
An administrator had the above configuration working with SSL protocol, but as soon as the administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not able to connect. What is the problem?

  • A. IPsec will not work in conjunction with a group URL.
  • B. The Cisco AnyConnect implementation does not allow the two group URLs to be the same. SSL does allow this.
  • C. If you specify the primary protocol as IPsec, the User Group must be the exact name of the connection profile (tunnel group).
  • D. A new XML profile should be created instead of modifying the existing profile, so that the clients force the update.

Answer: C

NEW QUESTION 17
Refer to the Exhibit:
300-209 dumps exhibit
An engineer must implement DMVPN phase 2. Which two conclusions can be made from the configuration? (Choose two.)

  • A. Spoke-to-spoke communication is allowed.
  • B. Next-hop-self is required.
  • C. EIGRP neighbor adjacency will fail.
  • D. EIGRP route redistribution is not allowed.
  • E. EIGRP is used as the dynamic routing protocol.

Answer: AE
