CCNA Security Cap 8 Answers

Cisco CCNA Security, chapter 8 Exam.

Questions and answers 100% correct.

1. What are two benefits of an SSL VPN? (Choose two.)

It supports all client/server applications.

It supports the same level of cryptographic security as an IPsec VPN.

It has the option of only requiring an SSL-enabled web browser.

The thin client mode functions without requiring any downloads or software.

It is compatible with DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT.

2. When verifying IPsec configurations, which show command displays the encryption algorithm, hash algorithm, authentication method, and Diffie-Hellman group configured, as well as default settings?

show crypto map

show crypto ipsec sa

show crypto isakmp policy

show crypto ipsec transform-set

3. When configuring a site-to-site IPsec VPN using the CLI, the authentication pre-share command is configured in the ISAKMP policy. Which additional peer authentication configuration is required?

Configure the message encryption algorithm with the encryption type ISAKMP policy configuration command.

Configure the DH group identifier with the group number ISAKMP policy configuration command.

Configure a hostname with the crypto isakmp identity hostname global configuration command.

Configure a PSK with the crypto isakmp key global configuration command.

4. Which action do IPsec peers take during the IKE Phase 2 exchange?

exchange of DH keys

negotiation of IPsec policy

verification of peer identity

negotiation of IKE policy sets

5. A network administrator is planning to implement centralized management of Cisco VPN devices to simplify VPN deployment for remote offices and teleworkers. Which Cisco IOS feature would provide this solution?

Cisco Easy VPN

Cisco VPN Client

Cisco IOS SSL VPN

Dynamic Multipoint VPN

6. Which two statements accurately describe characteristics of IPsec? (Choose two.)

IPsec works at the application layer and protects all application data.

IPsec works at the transport layer and protects data at the network layer.

IPsec works at the network layer and operates over all Layer 2 protocols.

IPsec is a framework of proprietary standards that depend on Cisco specific algorithms.

IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.

IPsec is a framework of open standards that relies on existing algorithms.

7. Refer to the exhibit. Which two IPsec framework components are valid options when configuring an IPsec VPN on a Cisco ISR router? (Choose two.)

Integrity options include MD5 and RSA.

IPsec protocol options include GRE and AH.

Confidentiality options include DES, 3DES, and AES.

Authentication options include pre-shared key and SHA.

Diffie-Hellman options include DH1, DH2, and DH5.

8. With the Cisco Easy VPN feature, which process ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client?

Cisco Express Forwarding

Network Access Control

On-Demand Routing

Reverse Path Forwarding

Reverse Route Injection

9. Refer to the exhibit. A site-to-site VPN is required from R1 to R3. The administrator is using the SDM Site-to-Site VPN Wizard on R1. Which IP address should the administrator enter in the highlighted field?

10.1.1.1

10.1.1.2

10.2.2.1

10.2.2.2

192.168.1.1

192.168.3.1

10. What is required for a host to use an SSL VPN?

VPN client software must be installed.

A site-to-site VPN must be preconfigured.

The host must be in a stationary location.

A web browser must be installed on the host.

11. What are two authentication methods that can be configured using the SDM Site-to-Site VPN Wizard? (Choose two.)

MD5

SHA

pre-shared keys

encrypted nonces

digital certificates

12. Which UDP port must be permitted on any IP interface used to exchange IKE information between security gateways?

400

500

600

700

13. Which requirement necessitates using the Step-by-Step option of the SDM Site-to-Site VPN wizard instead of the Quick Setup option?

AES encryption is required.

3DES encryption is required.

Pre-shared keys are to be used.

The remote peer is a Cisco router.

The remote peer IP address is unknown.

14. Which IPsec protocol should be selected when confidentiality is required?

tunnel mode

transport mode

authentication header

encapsulating security payload

generic routing encapsulation

15. Which statement describes an important characteristic of a site-to-site VPN?

It must be statically set up.

It is ideally suited for use by mobile workers.

It requires using a VPN client on the host PC.

It is commonly implemented over dialup and cable modem networks.

After the initial connection is established, it can dynamically change connection information.

16. Refer to the exhibit. Based on the SDM screen, which Easy VPN Server component is being configured?

group policy

transform set

IKE proposal

user authentication

17. A user launches Cisco VPN Client software to connect remotely to a VPN service. What does the user select before entering the username and password?

the SSL connection type

the IKE negotiation process

the desired preconfigured VPN server site

the Cisco Encryption Technology to be applied

18. What is the default IKE policy value for authentication?

MD5

SHA

RSA signatures

pre-shared keys

RSA encrypted nonces

19. When using ESP tunnel mode, which portion of the packet is not authenticated?

ESP header

ESP trailer

new IP header

original IP header

20. Refer to the exhibit. Under the ACL Editor, which option is used to specify the traffic to be encrypted on a secure connection?

Access Rules

IPsec Rules

Firewall Rules

SDM Default Rules

21. Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and R2. Assuming the R2 GRE configuration is correct and based on the running configuration of R1, what must the administrator do to fix the problem?

change the tunnel source interface to Fa0/0

change the tunnel destination to 192.168.5.1

change the tunnel IP address to 192.168.3.1

change the tunnel destination to 209.165.200.225

change the tunnel IP address to 209.165.201.1

22. How many bytes of overhead are added to each IP packet while it is transported through a GRE tunnel?

8

16

24

32