Special Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Cisco 300-730 Implementing Secure Solutions with Virtual Private Networks (SVPN) Exam Practice Test

Page: 1 / 18
Total 175 questions

Implementing Secure Solutions with Virtual Private Networks (SVPN) Questions and Answers

Question 1

In order to enable FlexVPN to use a AAA attribute list, which two tasks must be performed? (Choose two.)

Options:

A.

Define the RADIUS server.

B.

Verify that clients are using the correct authorization policy.

C.

Define the AAA server.

D.

Assign the list to an authorization policy.

E.

Set the maximum segment size.

Question 2

Refer to the exhibit.

Question # 2

Which type of VPN is being configured, based on the partial configuration snippet?

Options:

A.

GET VPN with COOP key server

B.

GET VPN with dual group member

C.

FlexVPN load balancer

D.

FlexVPN backup gateway

Question 3

Question # 3

Which component must be configured on routers for a GETVPN deployment work properly?

Options:

A.

PE3: Key Server – Customer 2 CEs: Group Members

B.

Customer 1 CE1: Key Server – R1 and Customer 1 CE2: Group Members

C.

R1: Key Server – Customer 1 CEs: Group Members

D.

PE3: Key Server – all CEs: Group Members

Question 4

A network engineer is setting up a clientless SSLVPN on a Cisco ASA. Remote users must be able to access an internal webserver via the URL example.com. Which two steps accomplish this task? (Choose two.)

Options:

A.

Configure a bookmark for the webserver.

B.

Configure routing so that the user's computer can reach the webserver.

C.

Configure a DNS server that can resolve the webserver URL.

D.

Configure a browser plugin on the Cisco ASA.

E.

Configure routing so that the Cisco ASA can reach the webserver.

Question 5

A network engineer has set up a FlexVPN server to terminate multiple FlexVPN clients. The VPN tunnels are established without issue. However, when a Change of Authorization is issued by the RADIUS server, the FlexVPN server does not update the authorization of connected FlexVPN clients. Which action resolves this issue?

Options:

A.

Add the aaa server radius dynamic-author command on the FlexVPN clients.

B.

Fix the RADIUS key mismatch between the RADIUS server and FlexVPN server.

C.

Add the aaa server radius dynamic-author command on the FlexVPN server.

D.

Fix the RADIUS key mismatch between the RADIUS server and FlexVPN clients.

Question 6

An engineer is configuring clientless SSL VPN. The finance department has a database server that only they should access, but the sales department can currently access it. The finance and the sales departments are configured as separate group-policies. What must be added to the configuration to make sure the users in the sales department cannot access the finance department server?

Options:

A.

tunnel group lock

B.

smart tunnel

C.

port forwarding

D.

webtype ACL

Question 7

An engineer is building an IKEv1 tunnel to a peer Cisco ASA, but the tunnel is failing. Based on the configuration in the exhibit, which action must be taken to allow the VPN tunnel to come up?

Question # 7

Options:

A.

Add a route for the 10.7.7.0/24 network to egress the outside interface.

B.

Enable IKEv1 on the outside interface.

C.

Change the IKEv1 policy number to be at least 256.

D.

Change the transform set mode to transport.

Question 8

An organization wants to implement a site-to-site VPN solution that must be able to support 350 sites with direct communications between all sites, fully encrypt the packet header and payload, and support propagation of routing information over IPsec. Which solution meets these requirements?

Options:

A.

IPsec full mesh

B.

DMVPN

C.

GETVPN

D.

FlexVPN

Question 9

Which command shows the smart default configuration for an IPsec profile?

Options:

A.

show run all crypto ipsec profile

B.

ipsec profile does not have any smart default configuration

C.

show smart-defaults ipsec profile

D.

show crypto ipsec profile default

Question 10

An administrator is deciding which authentication protocol should be implemented for their upcoming Cisco AnyConnect deployment. A list of the security requirements from upper management are: the ability to force AnyConnect users to use complex passwords such as C1$c0451035084!, warn users a few days before their password expires, and allow users to change their password during a remote access session. Which authentication protocol must be used to meet these requirements?

Options:

A.

LDAPS

B.

RADIUS

C.

Kerberos

D.

TACACS+

Question 11

Question # 11

VPN tunnels between a spoke and two DMVPN hubs are not coming up. The network administrator has verified that the encryption, hashing, and DH group proposals for Phase 1 and Phase 2 match on both ends. What is the solution to this issue?

Options:

A.

Ensure bidirectional UDP 500/4500 traffic.

B.

Increase the isakmp phase 1 lifetime.

C.

Add NAT statements for VPN traffic.

D.

Enable shared tunnel protection.

Question 12

Refer to the exhibit.

Question # 12

The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the debug output, which type of mismatch is the problem?

Options:

A.

preshared key

B.

peer identity

C.

transform set

D.

ikev2 proposal

Question 13

An engineer is troubleshooting a new DMVPN setup on a Cisco IOS router. After the show crypto isakmp sa command is issued, a response is returned of "MM_NO_STATE." Why does this failure occur?

Options:

A.

The ISAKMP policy priority values are invalid.

B.

ESP traffic is being dropped.

C.

The Phase 1 policy does not match on both devices.

D.

Tunnel protection is not applied to the DMVPN tunnel.

Question 14

Which command is used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?

Options:

A.

show crypto ikev2 sa

B.

show crypto isakmp sa

C.

show crypto gkm

D.

show crypto identity

Question 15

Refer to the exhibit.

Question # 15

A site-to-site tunnel between two sites is not coming up. Based on the debugs, what is the cause of this issue?

Options:

A.

An authentication failure occurs on the remote peer.

B.

A certificate fragmentation issue occurs between both sides.

C.

UDP 4500 traffic from the peer does not reach the router.

D.

An authentication failure occurs on the router.

Question 16

Refer to the exhibit.

Question # 16

Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?

Options:

A.

dns-server value 10.1.1.2

B.

same-security-traffic permit intra-interface

C.

same-security-traffic permit inter-interface

D.

dns-server value 10.1.1.3

Question 17

In a FlexVPN deployment, the spokes successfully connect to the hub, but spoke-to-spoke tunnels do not form. Which troubleshooting step solves the issue?

Options:

A.

Verify the spoke configuration to check if the NHRP redirect is enabled.

B.

Verify that the spoke receives redirect messages and sends resolution requests.

C.

Verify the hub configuration to check if the NHRP shortcut is enabled.

D.

Verify that the tunnel interface is contained within a VRF.

Question 18

Refer to the exhibit.

Question # 18

The customer can establish a Cisco AnyConnect connection without using an XML profile. When the host "ikev2" is selected in the AnyConnect drop down, the connection fails. What is the cause of this issue?

Options:

A.

The HostName is incorrect.

B.

The IP address is incorrect.

C.

Primary protocol should be SSL.

D.

UserGroup must match connection profile.

Question 19

Refer to the exhibit.

Question # 19

Based on the debug output, which type of mismatch is preventing the VPN from coming up?

Options:

A.

interesting traffic

B.

lifetime

C.

preshared key

D.

PFS

Question 20

Refer to the exhibit.

Question # 20

An engineer is troubleshooting a new GRE over IPsec tunnel. The tunnel is established but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?

Options:

A.

ESP packets from spoke2 to spoke1

B.

ISAKMP packets from spoke2 to spoke1

C.

ESP packets from spoke1 to spoke2

D.

ISAKMP packets from spoke1 to spoke2

Question 21

Refer to the exhibit.

Question # 21

Which type of mismatch is causing the problem with the IPsec VPN tunnel?

Options:

A.

crypto access list

B.

Phase 1 policy

C.

transform set

D.

preshared key

Question 22

Refer to the exhibit.

Question # 22

What is a result of this configuration?

Options:

A.

Spoke 1 fails the authentication because the authentication methods are incorrect.

B.

Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2.

C.

Spoke 2 fails the authentication because the remote authentication method is incorrect.

D.

Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2.

Question 23

Which two parameters help to map a VPN session to a tunnel group without using the tunnel-group list? (Choose two.)

Options:

A.

group-alias

B.

certificate map

C.

optimal gateway selection

D.

group-url

E.

AnyConnect client version

Question 24

On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed, which command is needed for the hub to be able to terminate FlexVPN tunnels?

Options:

A.

interface virtual-access

B.

ip nhrp redirect

C.

interface tunnel

D.

interface virtual-template

Question 25

Which statement about GETVPN is true?

Options:

A.

The configuration that defines which traffic to encrypt originates from the key server.

B.

TEK rekeys can be load-balanced between two key servers operating in COOP.

C.

The pseudotime that is used for replay checking is synchronized via NTP.

D.

Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.

Question 26

Refer to the exhibit.

Question # 26

The DMVPN tunnel is dropping randomly and no tunnel protection is configured. Which spoke configuration mitigates tunnel drops?

Question # 26

Question # 26

Question # 26

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 27

A second set of traffic selectors is negotiated between two peers using IKEv2. Which IKEv2 packet will contain details of the exchange?

Options:

A.

IKEv2 IKE_SA_INIT

B.

IKEv2 INFORMATIONAL

C.

IKEv2 CREATE_CHILD_SA

D.

IKEv2 IKE_AUTH

Question 28

Refer to the exhibit.

Question # 28

Which two tunnel types produce the show crypto ipsec sa output seen in the exhibit? (Choose two.)

Options:

A.

crypto map

B.

DMVPN

C.

GRE

D.

FlexVPN

E.

VTI

Question 29

Which method dynamically installs the network routes for remote tunnel endpoints?

Options:

A.

policy-based routing

B.

CEF

C.

reverse route injection

D.

route filtering

Question 30

Drag and drop the correct commands from the night onto the blanks within the code on the left to implement a design that allow for dynamic spoke-to-spoke communication. Not all comments are used.

Question # 30

Options:

Question 31

Which two changes must be made in order to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two.)

Options:

A.

Add NHRP shortcuts on the hub.

B.

Add NHRP redirects on the spoke.

C.

Disable EIGRP next-hop-self on the hub.

D.

Enable EIGRP next-hop-self on the hub.

E.

Add NHRP redirects on the hub.

Question 32

Refer to the exhibit.

Question # 32

A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action brings up the VPN tunnel?

Options:

A.

Reduce the maximum SA limit on the local Cisco ASA.

B.

Increase the maximum in-negotiation SA limit on the local Cisco ASA.

C.

Remove the maximum SA limit on the remote Cisco ASA.

D.

Correct the crypto access list on both Cisco ASA devices.

Question 33

Which redundancy protocol must be implemented for IPsec stateless failover to work?

Options:

A.

SSO

B.

GLBP

C.

HSRP

D.

VRRP

Question 34

Cisco AnyConnect Secure Mobility Client has been configured to use IKEv2 for one group of users and SSL for another group. When the administrator configures a new AnyConnect release on the Cisco ASA, the IKEv2 users cannot download it automatically when they connect. What might be the problem?

Options:

A.

The XML profile is not configured correctly for the affected users.

B.

The new client image does not use the same major release as the current one.

C.

Client services are not enabled.

D.

Client software updates are not supported with IKEv2.

Question 35

Which two statements about the Cisco ASA Clientless SSL VPN solution are true? (Choose two.)

Options:

A.

When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.

B.

The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.

C.

A Cisco ASA can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.

D.

When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the ASA uses its configured DNS servers to perform FQDN resolution.

E.

Clientless SSLVPN provides Layer 3 connectivity into the secured network.

Question 36

Refer to the exhibit.

Question # 36

Which value must be configured in the User Group field when the Cisco AnyConnect Profile is created to connect to an ASA headend with IPsec as the primary protocol?

Options:

A.

address-pool

B.

group-alias

C.

group-policy

D.

tunnel-group

Question 37

Which feature allows the ASA to handle nonstandard applications and web resources so that they display correctly over a clientless SSL VPN connection?

Options:

A.

single sign-on

B.

Smart Tunnel

C.

WebType ACL

D.

plug-ins

Question 38

Which command identifies a Cisco AnyConnect profile that was uploaded to the flash of an IOS router?

Options:

A.

svc import profile SSL_profile flash:simos-profile.xml

B.

anyconnect profile SSL_profile flash:simos-profile.xml

C.

crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml

D.

webvpn import profile SSL_profile flash:simos-profile.xml

Question 39

Which configuration construct must be used in a FlexVPN tunnel?

Options:

A.

EAP configuration

B.

multipoint GRE tunnel interface

C.

IKEv1 policy

D.

IKEv2 profile

Question 40

Refer to the exhibit.

Question # 40

Which two commands under the tunnel-group webvpn-attributes result in a Cisco AnyConnect user receiving the AnyConnect prompt in the exhibit? (Choose two.)

Options:

A.

group-url https://172.16.31.10/General enable

B.

group-policy General internal

C.

authentication aaa

D.

authentication certificate

E.

group-alias General enable

Question 41

Refer to the exhibit.

Question # 41

Which VPN technology is allowed for users connecting to the Employee tunnel group?

Options:

A.

SSL AnyConnect

B.

IKEv2 AnyConnect

C.

crypto map

D.

clientless

Question 42

Which two types of web resources or protocols are enabled by default on the Cisco ASA Clientless SSL VPN portal? (Choose two.)

Options:

A.

HTTP

B.

ICA (Citrix)

C.

VNC

D.

RDP

E.

CIFS

Question 43

Refer to the exhibit.

Question # 43

Based on the exhibit, why are users unable to access CCNP Webserver bookmark?

Options:

A.

The URL is being blocked by a WebACL.

B.

The ASA cannot resolve the URL.

C.

The bookmark has been disabled.

D.

The user cannot access the URL.

Question 44

Refer to the exhibit.

Question # 44

The customer must launch Cisco AnyConnect in the RDP machine. Which IOS configuration accomplishes this task?

Question # 44

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Page: 1 / 18
Total 175 questions