Cisco 300-730 Practice Test - Questions Answers, Page 12
Question list
List of questions
Related questions
A network engineer is configuring a server. The router will terminate encrypted VPN connections on g0/0, which is in the VRF "Internet". The clear-text traffic that must be encrypted before being sent out traverses g0/1, which is in the VRF
"Internal". Which two VRF-specific configurations allow VPN traffic to traverse the VRF-aware interfaces? (Choose two.)
Under the IKEv2 profile, add the ivrf Internal command.
Under the virtual-template interface, add the ip vrf forwarding Internet command.
Under the IKEv2 profile, add the match fvrf Internal command.
Under the IKEv2 profile, add the match fvrf Internet command.
Under the virtual-template interface, add the tunnel vrf Internet command.
What is a characteristic of GETVPN?
An ACL that defines interesting traffic must be configured and applied to the crypto map.
Quick mode is used to create an IPsec SA.
The remote peer for the IPsec session is configured as part of the crypto map.
All peers have one IPsec SPI for inbound and outbound communication.
Refer to the exhibit.
Users cannot connect via AnyConnect SSLVPN. Which action resolves this issue?
Configure the ASA to act as a DHCP server.
Configure the HTTP server to listen on port 443.
Add an IPsec preshared key to the group policy.
Add ssl-client to the allowed list of VPN protocols.
An administrator must guarantee that remote access users are able to reach printers on their local LAN after a VPN session is established to the headquarters. All other traffic should be sent over the tunnel. Which split-tunnel policy reduces the configuration on the ASA headend?
include specified
exclude specified
tunnel specified
dynamic exclude
Refer to the exhibit.
Given the output of the show ip route command, which remote access VPN technology is in use?
Reverse Route Injection
FlexVPN
Dynamic Crypto Map
DMVPN
A network engineer is installing Cisco AnyConnect on company laptops so that users can access corporate resources remotely. The VPN concentrator is a Cisco router running IOS-XE 16.9.1 code and configured as a FlexVPN server that uses local authentication and *$Cisc431089017$* as the key-id for the IKEv2 profile. Which two steps must be taken on the computer to allow a successful AnyConnect connection to the router? (Choose two.)
In the Cisco AnyConnect XML profile, set the IPsec Authentication method to EAP-AnyConnect.
In the Cisco AnyConnect XML profile, add the hostname and host address to the server list.
In the Cisco AnyConnect XML profile, set the user group field to DefaultAnyConnectClientGroup.
In the Cisco AnyConnect Local Policy, set the BypassDownloader option in the local to true.
In the Cisco AnyConnect Local Policy, add the router IP address to the Update Policy.
A network engineer is setting up Cisco AnyConnect 4.9 on a Cisco ASA running ASA software 9.1.
Cisco AnyConnect must connect to the Cisco ASA before the user logs on so that login scripts can work successfully. In addition, the VPN must connect without user intervention. Which two key steps accomplish this task? (Choose two.)
Create a Network Access Manager profile with a client policy set to connect before user logon.
Create a Cisco AnyConnect VPN profile with Start Before Logon set to true.
Issue an identity certificate to the trusted root CA folder in the machine store.
Create a Cisco AnyConnect VPN profile with Always On set to true.
Create a Cisco Anyconnect VPN Management Tunnel profile.
A network engineer has almost finished setting up a clientless VPN that allows remote users to access internal HTTP servers. Users must enter their username and password twice: once on the clientless VPN web portal and again to log in to internal HTTP servers. The Cisco ASA and the HTTP servers use the same Active Directory server to authenticate users. Which next step must be taken to allow users to enter their password only once?
Use LDAPS and add password management to the clientless tunnel group.
Configure auto-sign-on using NTLM authentication.
Set up the Cisco ASA to authenticate users via a SAML 2.0 IDP.
Create smart tunnels for the HTTP servers.
What must be configured in a FlexVPN deployment to allow for direct communication between spokes connected to different hubs?
EIGRP must be used as routing protocol.
Hub routers must be on same Layer 2 network.
Load balancing must be disabled.
A GRE tunnel must exist between hub routers.
Refer to the exhibit.
An engineer has configured a spoke to connect to a FlexVPN hub. The tunnel is up, but pings fail when the engineer attempts to reach host 192.168.200.10 behind the spoke, and traffic is sourced from host 192.168.100.3, which is behind the FlexVPN server. Based on packet captures, the engineer discovers that host 192.168.200.10 receives the icmp echo and sends an icmp reply that makes it to the inside interface of the spoke. Based on the output in the exhibit captured on the spoke by the engineer, which action resolves this issue?
Add the aaa authorization group cert list default default command to the spoke ikev2 profile.
Add the route set remote ipv4 192.168.200.0 255.255.255.0 command to the hub authorization policy.
Add the aaa authorization group cert list default default command to the hub ikev2 profile.
Add the route set remote ipv4 192.168.100.0 255.255.255.0 command to the spoke authorization policy.
Question