Deck 27: Automating Cisco Security Solutions (SAUTO)

A) Spoke 1 fails the authentication because the authentication methods are incorrect.
B) Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2.
C) Spoke 2 fails the authentication because the remote authentication method is incorrect.
D) Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2.

A) tunnel-group (general-attributes)
B) tunnel-group (webvpn-attributes)
C) webvpn (group-policy)
D) webvpn (global configuration)

A) Reduce the maximum SA limit on the local Cisco ASA.
B) Increase the maximum in-negotiation SA limit on the local Cisco ASA.
C) Remove the maximum SA limit on the remote Cisco ASA.
D) Correct the crypto access list on both Cisco ASA devices.

A) interesting traffic
B) lifetime
C) preshared key
D) PFS

A) GLBR
B) HSRP
C) GRE
D) VRRP

A) The HostName is incorrect.
B) The IP address is incorrect.
C) Primary protocol should be SSL.
D) UserGroup must match connection profile.

A) The URL is being blocked by a WebACL.
B) The ASA cannot resolve the URL.
C) The bookmark has been disabled.
D) The user cannot access the URL.

A) SSO
B) GLBP
C) HSRP
D) VRRP

A) auto-upgrade
B) auto-connect
C) auto-start
D) auto-run

A) AnyConnect Auto Reconnect
B) AnyConnect Network Access Manager
C) AnyConnect Backup Servers
D) ASA failover
E) AnyConnect Always On

A) SSL AnyConnect
B) IKEv2 AnyConnect
C) crypto map
D) clientless

A)
B)
C)
D)

A) An authentication failure occurs on the remote peer.
B) A certificate fragmentation issue occurs between both sides.
C) UDP 4500 traffic from the peer does not reach the router.
D) An authentication failure occurs on the router.

A) *$SecureMobilityClient$*
B) *$AnyConnectClient$*
C) *$RemoteAccessVpnClient$*
D) *$DfltlkeldentityS*

A) preshared key
B) peer identity
C) transform set
D) ikev2 proposal

A) EAP configuration
B) multipoint GRE tunnel interface
C) IKEv1 policy
D) IKEv2 profile

A) use of certificates instead of username and password
B) EAP-AnyConnect
C) EAP query-identity
D) AnyConnect profile

A) policy-based routing
B) CEF
C) reverse route injection
D) route filtering

A) group-url https://172.16.31.10/General enable
B) group-policy General internal
C) authentication aaa
D) authentication certificate
E) group-alias General enable

A) ECDSA
B) ECDHE
C) AES-GCM
D) SHA

A)
B)
C)
D)

A) GRE over IPsec on IOS router
B) GRE over IPsec on FTD
C) IPsec tunnel on FTD
D) GRE tunnel on ASA

A) code version
B) highest IP address
C) highest-priority value
D) lowest IP address

A) AnyConnect images must be uploaded to both failover ASA devices.
B) The vpnsession-db must be cleared manually.
C) Configure a backup server in the XML profile.
D) AnyConnect client must point to the standby IP address.

A) Java or ActiveX must be enabled on the client machine.
B) Applications must be UDP.
C) Stateful failover must not be configured.
D) The user on the client machine must have admin access.

A) show crypto isakmp sa
B) show ip traffic
C) show crypto ipsec sa
D) show ip nhrp traffic
E) show dmvpn detail

A) Verify the spoke configuration to check if the NHRP redirect is enabled.
B) Verify that the spoke receives redirect messages and sends resolution requests.
C) Verify the hub configuration to check if the NHRP shortcut is enabled.
D) Verify that the tunnel interface is contained within a VRF.

A) sequence numbers that enable scalable replay checking
B) enabled use of ESP or AH
C) design for use over public or private WAN
D) no requirement for an overlay routing protocol

A) HTTP
B) ICA (Citrix)
C) VNC
D) RDP
E) CIFS

A) single sign-on
B) Smart Tunnel
C) WebType ACL
D) plug-ins

A) VTI
B) IPsec site-to-site tunnels
C) L2TP over IPsec
D) Cisco AnyConnect

A) SSL/TLS
B) L2TP
C) DTLS
D) IPsec IKEv1

A) Endpoint Assessment
B) Cisco Secure Desktop
C) Basic Host Scan
D) Advanced Endpoint Assessment

A) crypto map
B) DMVPN
C) GRE
D) FlexVPN
E) VTI

A) Add NHRP shortcuts on the hub.
B) Add NHRP redirects on the spoke.
C) Disable EIGRP next-hop-self on the hub.
D) Enable EIGRP next-hop-self on the hub.
E) Add NHRP redirects on the hub.

A) group-alias
B) certificate map
C) optimal gateway selection
D) group-url
E) AnyConnect client version

A) interface virtual-access
B) ip nhrp redirect
C) interface tunnel
D) interface virtual-template

A) FlexVPN client profile for IPv6
B) FlexVPN server to authorize groups by using an IPv6 external AAA
C) FlexVPN server for an IPv6 dVTI session
D) FlexVPN server to authenticate IPv6 peers by using EAP

A) GRE encapsulation allows for forwarding of non-IP traffic.
B) IKE implementation can install routes in routing table.
C) NHRP authentication provides enhanced security.
D) Dynamic routing protocols can be configured.

A) tunnel group lock
B) smart tunnel
C) port forwarding
D) webtype ACL

A) crypto access list
B) Phase 1 policy
C) transform set
D) preshared key

A) Adjust the MTU size within the routers.
B) Add RDP port to the extended ACL.
C) Replace certificate on the RDP server.
D) Change DMVPN timeout values.

A) The configuration that defines which traffic to encrypt originates from the key server.
B) TEK rekeys can be load-balanced between two key servers operating in COOP.
C) The pseudotime that is used for replay checking is synchronized via NTP.
D) Group members must acknowledge all KEK and TEK rekeys, regardless of configuration.

A) Change the spoke nhs to 172.16.18.1 and the nbma to 10.0.0.1.
B) Change the transform set to mode tunnel.
C) Change the ISAKMP policy authentication on the spoke to pre-shared.
D) Change the ISAKMP key address on the spoke to 0.0.0.0.
E) Change the nhrp authentication key on the spoke to cisco123.

A) GETVPN
B) VTI
C) DMVPN
D) Cisco AnyConnect

A) show run all crypto ipsec profile
B) ipsec profile does not have any smart default configuration
C) show smart-defaults ipsec profile
D) show crypto ipsec profile default

A) isakmp policy
B) group policy
C) crypto map
D) tunnel group

A) Same-security-traffic permit inter-interface under Group Policy
B) Exclude Network List Below under Group Policy
C) Tunnel All Networks under Group Policy
D) Tunnel Network List Below under Group Policy

A) address-pool
B) group-alias
C) group-policy
D) tunnel-group

A) GRE tunnel key
B) NHRP network ID
C) tunnel VRF
D) EIGRP split-horizon setting

A) phase 9: rpf-check
B) phase 5: NAT
C) phase 4: ACCESS-LIST
D) phase 3: UN-NAT

A) When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the client uses the local DNS to perform FQDN resolution.
B) The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default. The rewriter enable command under the global webvpn configuration enables the rewriter functionality because that feature is disabled by default.
C) A Cisco ASA can simultaneously allow Clientless SSL VPN sessions and AnyConnect client sessions.
D) When a client connects to the Cisco ASA WebVPN portal and tries to access HTTP resources through the URL bar, the ASA uses its configured DNS servers to perform FQDN resolution.
E) Clientless SSLVPN provides Layer 3 connectivity into the secured network.

A) DVTI
B) VTI
C) DMVPN
D) GRE

A) IKEv2 AnyConnect
B) Clientless
C) Port forwarding
D) SSL AnyConnect

A) GLBP
B) HSRP
C) GRE
D) VRRP

A) dns-server value 10.1.1.2
B) same-security-traffic permit intra-interface
C) same-security-traffic permit inter-interface
D) dns-server value 10.1.1.3

A) nonrepudiation
B) revocation
C) digital signature
D) key exchange
E) encryption

A) IKEv2 authorization policy
B) Group Policy
C) virtual template
D) webvpn context

A) Cisco AnyConnect Client VPN
B) DMVPN
C) Clientless SSLVPN
D) GETVPN

A) DMVPN with ISAKMP
B) GETVPN with ISAKMP
C) DMVPN with NHRP
D) GETVPN with NHRP

A) Next-hop-self is required.
B) EIGRP neighbor adjacency will fail.
C) EIGRP is used as the dynamic routing protocol.
D) EIGRP route redistribution is not allowed.
E) Spoke-to-spoke communication is allowed.

A) HSRP stateless failover
B) DNS-based hub resolution
C) reactivate primary peer
D) tunnel pivot
E) need distractor

A) Apply the bookmark to the correct group policy.
B) Specify the correct port for the web server under the bookmark.
C) Configure a DNS server on the Cisco ASA and verify it has a record for the web server.
D) Verify HTTP/HTTPS connectivity between the Cisco ASA and the web server.

A) routing
B) WebACL
C) split tunnel
D) VPN filter

A) SAML
B) NTLM
C) Kerberos
D) OAuth 2.0
E) HTTP Basic

A) Verify that the ISAKMP proposals match.
B) Ensure that UDP 500 is not being blocked between the devices.
C) Correct the peer's IP address on the crypto map.
D) Confirm that the pre-shared keys match on both devices.

A)
B)
C)
D)

A) GETVPN
B) clientless SSL VPN
C) Cisco Easy VPN
D) Cisco AnyConnect SSL VPN

A) Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration. Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration.
B) Add the match fvrf any command to the IKEv2 policy. match fvrf any command to the IKEv2 policy.
C) Add the aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration. aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2 profile configuration.
D) Add the tunnel mode gre ip command to the tunnel configuration. tunnel mode gre ip command to the tunnel configuration.

A) tunnelall
B) excludeall
C) tunnelspecified
D) excludespecified

A) Enable the client protocol in the Cisco AnyConnect profile.
B) Configure a AAA server group to authenticate the client.
C) Change the authentication method to local.
D) Configure the group policy to force local authentication.

A) Set up a smart tunnel with the IP address of the web server.
B) Set up a NAT rule that translates the ASA public address to the web server private address on port 80.
C) Set up Cisco AnyConnect with a split tunnel that has the IP address of the web server.
D) Set up a WebACL to permit the IP address of the web server.

A) IKEv1 cluster
B) IKEv2 backup gateway
C) IKEv2 load balancer
D) IKEv2 reconnect

A) Ensure crypto IPsec policy matches on both VPN devices.
B) Install the correct certificate to validate the peer.
C) Correct crypto access list on both VPN devices.
D) Specify the peer IP address in the tunnel group name.