
Update 300-209 Dumps with VCE and PDF for Free (Question 41 – Question 55)

New 300-209 exam questions from PassLeader 300-209 dumps! Welcome to download the newest PassLeader 300-209 VCE and PDF dumps: http://www.passleader.com/300-209.html (237 Q&As)

P.S. Free 300-209 dumps are available on Google Drive shared by PassLeader: https://drive.google.com/open?id=0B-ob6L_QjGLpVTNFVTRPdC0zTnM

QUESTION 41
Which NGE IKE Diffie-Hellman group identifier has the strongest cryptographic properties?

A.    group 10
B.    group 24
C.    group 5
D.    group 20

Answer: D

QUESTION 42
What is the Cisco-recommended TCP maximum segment size on a DMVPN tunnel interface when the MTU is set to 1400 bytes?

A.    1160 bytes
B.    1260 bytes
C.    1360 bytes
D.    1240 bytes

Answer: C

QUESTION 43
Which technology does a multipoint GRE interface require to resolve endpoints?

A.    ESP
B.    dynamic routing
C.    NHRP
D.    CEF
E.    IPSec

Answer: C

QUESTION 44
Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)

A.    SHA (HMAC variant)
B.    Diffie-Hellman
C.    DES
D.    MD5 (HMAC variant)

Answer: AB

QUESTION 45
Which command configures IKEv2 symmetric identity authentication?

A.    match identity remote address 0.0.0.0
B.    authentication local pre-share
C.    authentication pre-share
D.    authentication remote rsa-sig

Answer: D

QUESTION 46
Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)

A.    aes-cbc-192, sha256, 14
B.    3des, md5, 5
C.    3des, sha1, 1
D.    aes-cbc-128, sha, 5

Answer: BD

QUESTION 47
What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?

A.    disk0:/webvpn/{context name}/
B.    disk1:/webvpn/{context name}/
C.    flash:/webvpn/{context name}/
D.    nvram:/webvpn/{context name}/

Answer: C

QUESTION 48
Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?

A.    vpn-filter none
B.    no vpn-filter
C.    filter value none
D.    filter value ACLname

Answer: C

QUESTION 49
Which command specifies the path to the Host Scan package in an ASA AnyConnect VPN?

A.    csd hostscan path image
B.    csd hostscan image path
C.    csd hostscan path
D.    hostscan image path

Answer: B

QUESTION 50
Hotspot Questions
When a tunnel is initiated by the headquarter ASA, which one of the following Diffie-Hellman groups is selected by the headquarter ASA during CREATE_CHILD_SA exchange?

A.    1
B.    2
C.    5
D.    14
E.    19

Answer: C

QUESTION 51
Hotspot Questions
Based on the provided ASDM configuration for the remote ASA, which one of the following is correct?

A.    An access-list must be configured on the outside interface to permit inbound VPN traffic
B.    A route to 192.168.22.0/24 will not be automatically installed in the routing table
C.    The ASA will use a window of 128 packets (64×2) to perform the anti-replay check
D.    The tunnel can also be established on TCP port 10000

Answer: C

QUESTION 52
Hotspot Questions
If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to encrypt traffic?

A.    DES
B.    3DES
C.    AES
D.    AES192
E.    AES256

Answer: E
Explanation:
Both ASAs are configured to support AES 256, so during the IPSec negotiation they will use the strongest algorithm that is supported by each peer.

QUESTION 53
Hotspot Questions
After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24 network are unable to access the internet. Which of the following can be done to resolve this problem?

A.    Change the Diffie-Hellman group on the headquarter ASA to group 5 for the dynamic crypto map
B.    Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C.    Change to an IKEv1 configuration since IKEv2 does not support a full tunnel with static peers
D.    Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E.    Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0

Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 to 192.168.22.0/24.

QUESTION 54
Hotspot Questions
Which option shows the correct traffic selectors for the child SA on the remote ASA, when the headquarter ASA initiates the tunnel?

A.    Local selector 192.168.33.0/0-192.168.33.255/65535
      Remote selector 192.168.20.0/0-192.168.20.255/65535
B.    Local selector 192.168.33.0/0-192.168.33.255/65535
      Remote selector 192.168.22.0/0-192.168.22.255/65535
C.    Local selector 192.168.22.0/0-192.168.22.255/65535
      Remote selector 192.168.33.0/0-192.168.33.255/65535
D.    Local selector 192.168.33.0/0-192.168.33.255/65535
      Remote selector 0.0.0.0/0-0.0.0.0/65535
E.    Local selector 0.0.0.0/0-0.0.0.0/65535
      Remote selector 192.168.22.0/0-192.168.22.255/65535

Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 (THE LOCAL SIDE) to 192.168.22.0/24 (THE REMOTE SIDE).

QUESTION 55
Lab Simulation

Answer:
Step 1: Configure key ring
crypto ikev2 keyring mykeys
 peer SiteB.cisco.com
  address 209.161.201.1
  pre-shared-key local SiteA
  pre-shared-key remote SiteB
Step 2: Configure IKEv2 profile
crypto ikev2 profile default
 identity local fqdn SiteA.cisco.com
 match identity remote fqdn SiteB.cisco.com
 authentication local pre-share
 authentication remote pre-share
 keyring local mykeys
Step 3: Create the GRE Tunnel and apply profile
crypto ipsec profile default
 set ikev2-profile default
interface tunnel 1
 ip address 10.1.1.1
 tunnel source eth 0/0
 tunnel destination 209.165.201.1
 tunnel protection ipsec profile default
end

