Question 1
Which command identifies a Cisco AnyConnect profile that was uploaded to the flash of an IOS
router?
- A. svc import profile SSL_profile flash:simos-profile.xml
- B. anyconnect profile SSL_profile flash:simos-profile.xml
- C. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
- D. webvpn import profile SSL_profile flash:simos-profile.xml
Answer:
C
Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html
Comments
Question 2
Refer to the exhibit.
Which value must be configured in the User Group field when the Cisco AnyConnect Profile is created
to connect to an ASA headend with IPsec as the primary protocol?
- A. address-pool
- B. group-alias
- C. group-policy
- D. tunnel-group
Answer:
D
Explanation:
The user group is used in conjunction with Host Address to form a group-based URL. If you specify
the Primary Protocol as IPsec, the User Group must be the exact name of the connection profile
(tunnel group). For SSL, the user group is the group-url of the connection profile.
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-
0000026c
Reference: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure-vpn.html
Comments
Question 3
Refer to the exhibit.
What is configured as a result of this command set?
- A. FlexVPN client profile for IPv6
- B. FlexVPN server to authorize groups by using an IPv6 external AAA
- C. FlexVPN server for an IPv6 dVTI session
- D. FlexVPN server to authenticate IPv6 peers by using EAP
Answer:
C
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116528-config-flexvpn-00.html
Comments
Question 4
Which two types of web resources or protocols are enabled by default on the Cisco ASA Clientless
SSL VPN portal? (Choose two.)
- A. HTTP
- B. ICA (Citrix)
- C. VNC
- D. RDP
- E. CIFS
Answer:
AE
Explanation:
HTTP (Hypertext Transfer Protocol) is used for transferring web resources, such as web pages and
HTML documents, across the internet. CIFS (Common Internet File System) is used for sharing files
and printers between computers on a network. ICA (Citrix), VNC (Virtual Network Computing), and
RDP (Remote Desktop Protocol) are not enabled by default on the Cisco ASA Clientless SSL VPN
portal.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/vpn/asa-94-vpn-config/webvpn-configure-gateway.html
Comments
Question 5
Which configuration construct must be used in a FlexVPN tunnel?
- A. EAP configuration
- B. multipoint GRE tunnel interface
- C. IKEv1 policy
- D. IKEv2 profile
Answer:
D
Explanation:
The correct answer is D. IKEv2 profile. A FlexVPN tunnel requires an IKEv2 profile to define the
parameters for the IKEv2 negotiation and the IPsec security association. The IKEv2 profile references
the IKEv2 keyring, the authentication method, the identity of the peers, and other options.
The IKEv2
profile is then applied to a virtual tunnel interface (VTI) or a dynamic virtual tunnel interface (DVTI)
to protect the tunnel with IPsec12
.
An EAP configuration is used for authentication with Extensible
Authentication Protocol (EAP), which is optional for FlexVPN3
. A multipoint GRE tunnel interface is
used for DMVPN, not FlexVPN. An IKEv1 policy is used for IKEv1, not IKEv2, which is the protocol for
FlexVPN.
Comments
Question 6
A Cisco AnyConnect client establishes a SSL VPN connection with an ASA at the corporate office. An
engineer must ensure that the client computer meets the enterprise security policy. Which feature
can update the client to meet an enterprise security policy?
- A. Endpoint Assessment
- B. Cisco Secure Desktop
- C. Basic Host Scan
- D. Advanced Endpoint Assessment
Answer:
D
Explanation:
"If the end user disables antivirus or personal firewall after successfully establishing the VPN
connection, our Advanced Endpoint Assessment feature attempts to re-enable that application
within approximately 60 seconds."
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-posture.html#ID-1407-00000047
Comments
Question 7
Which two features provide headend resiliency for Cisco AnyConnect clients? (Choose two.)
- A. AnyConnect Auto Reconnect
- B. AnyConnect Network Access Manager
- C. AnyConnect Backup Servers
- D. ASA failover
- E. AnyConnect Always On
Answer:
CD
Explanation:
According to the Implementing Secure Solutions with Virtual Private Networks (SVPN) documents
and learning resources available at cisco.com, the two features that provide headend resiliency for
Cisco AnyConnect clients are:
AnyConnect Backup Servers: This feature allows the AnyConnect client to automatically connect to a
backup server in case the primary server is unreachable or fails. The backup server list is configured
on the ASA or IOS headend and pushed to the client during the VPN connection establishment. The
client can also manually select a backup server from the list if needed.
This feature enhances the
availability and reliability of the VPN service for the clients12
.
ASA failover: This feature enables two identical ASAs to be paired together as an active/standby or
active/active pair. The ASAs synchronize their configuration and state information and monitor each
other’s health. If the active ASA fails or becomes unreachable, the standby ASA takes over the traffic
and VPN sessions without any disruption for the clients.
This feature provides high availability and
redundancy for the VPN headend34
.
1: AnyConnect Backup Servers 2
:
Redundancy options for IOS Headend for AnyConnect Clients 3: ASA
Failover 4
:
AnyConnect Implementation and Performance/Scaling Reference for COVID-19
Preparation
Comments
Question 8
Cisco AnyConnect Secure Mobility Client has been configured to use IKEv2 for one group of users and
SSL for another group. When the administrator configures a new AnyConnect release on the Cisco
ASA, the IKEv2 users cannot download it automatically when they connect. What might be the
problem?
- A. The XML profile is not configured correctly for the affected users.
- B. The new client image does not use the same major release as the current one.
- C. Client services are not enabled.
- D. Client software updates are not supported with IKEv2.
Answer:
C
Explanation:
https://community.cisco.com/t5/vpn/anyconnect-service-port-not-enabled/td-p/2968124
Comments
Question 9
Under which section must a bookmark or URL list be configured on a Cisco ASA to be available for
clientless SSLVPN users?
- A. tunnel-group (general-attributes)
- B. tunnel-group (webvpn-attributes)
- C. webvpn (group-policy)
- D. webvpn (global configuration)
Answer:
C
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/webvpn-configure-policy-groups.htmlsaysclearly:Ingroup-policywebvpnconfiguration
mode, you can specify (list of things, including url-list).
Comments
Question 10
Refer to the exhibit.
Based on the exhibit, why are users unable to access CCNP Webserver bookmark?
- A. The URL is being blocked by a WebACL.
- B. The ASA cannot resolve the URL.
- C. The bookmark has been disabled.
- D. The user cannot access the URL.
Answer:
B
Explanation:
https://community.cisco.com/t5/network-security/missing-ssl-vpn-bookmarks/td-p/1597023
Comments
Page 1 out of 17
Viewing questions 1-10 out of 175
page 2