[Free] 2017(Nov) Dumps4cert Testinsides Cisco 300-209 Dumps with VCE and PDF Download 41-50


Implementing Cisco Secure Mobility Solutions

Question No: 41

When attempting to tunnel FTP traffic through a stateful firewall that might be performing NAT or PAT, which type of VPN tunneling should you use to allow the VPN traffic through the stateful firewall?

  A. clientless SSL VPN

  B. IPsec over TCP

  C. smart tunnel

  D. SSL VPN plug-ins

Answer: B

Explanation:

IP Security (IPSec) over Transmission Control Protocol (TCP) enables a VPN Client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, User Datagram Protocol (UDP) 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and it enables secure tunneling through both Network Address Translation (NAT) and Port Address Translation (PAT) devices and firewalls.

Question No: 42

In DMVPN phase 2, which two EIGRP features need to be disabled on the hub to allow spoke-to-spoke communication? (Choose two.)

  A. autosummary

  B. split horizon

  C. metric calculation using bandwidth

  D. EIGRP address family

  E. next-hop-self

  F. default administrative distance

Answer: B,E

Question No: 43

Scenario:

You are the senior network security administrator for your organization. Recently, a junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.

You are now tasked with verifying the IKEv1 IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify that the IPsec configuration is properly configured between the two sites.

NOTE: the show running-config command cannot be used for this exercise.

Topology:

[Topology exhibit images not included]

In what state is the IKE security association on the Cisco ASA?

  A. There are no security associations in place

  B. MM_ACTIVE

  C. ACTIVE(ACTIVE)

  D. QM_IDLE

Answer: B

Explanation:

This can be seen from the “show crypto isa sa” command:

[Command output image not included]

Question No: 44

Which two options are purposes of the key server in Cisco IOS GETVPN? (Choose two.)

  A. to define group members.

  B. to distribute static routing information.

  C. to distribute dynamic routing information.

  D. to encrypt transit traffic.

Answer: A,D

Question No: 45

Refer to the exhibit.

[Exhibit image not included]

A NOC engineer needs to tune some post-login parameters on an SSL VPN tunnel.

From the information shown, where should the engineer navigate in order to find all the post-login session parameters?

  A. "engineering" Group Policy

  B. "contractor" Connection Profile

  C. DefaultWEBVPNGroup Group Policy

  D. DefaultRAGroup Group Policy

  E. "engineer1" AAA/Local Users

Answer: A

Explanation:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html#wp1054618

The policy group is a container that defines the presentation of the portal and the permissions for resources that are configured for a group of remote users. Entering the policy group command places the router in webvpn group policy configuration mode. After it is configured, the group policy is attached to the SSL VPN context configuration by configuring the default-group-policy command.

The following tasks are accomplished in this configuration:

->The presentation of the SSL VPN portal page is configured.

->A NetBIOS server list is referenced.

->A port-forwarding list is referenced.

->The idle and session timers are configured.

->A URL list is referenced.

Question No: 46

Refer to the exhibit.

[Exhibit image not included]

In the CLI snippet that is shown, what is the function of the deny option in the access list?

  A. When set in conjunction with outbound connection-type bidirectional, its function is to prevent the specified traffic from being protected by the crypto map entry.

  B. When set in conjunction with connection-type originate-only, its function is to instruct the Cisco ASA to deny specific inbound traffic if it is not encrypted.

  C. When set in conjunction with outbound connection-type answer-only, its function is to instruct the Cisco ASA to deny specific outbound traffic if it is not encrypted.

  D. When set in conjunction with connection-type originate-only, its function is to cause all IP traffic that matches the specified conditions to be protected by the crypto map.

Answer: A

Question No: 47

What is the Cisco-recommended TCP maximum segment size on a DMVPN tunnel interface when the MTU is set to 1400 bytes?

  A. 1160 bytes

  B. 1260 bytes

  C. 1360 bytes

  D. 1240 bytes

Answer: C

Question No: 48

A user with IP address 10.10.10.10 is unable to access an HTTP website at IP address 209.165.200.225 through a Cisco ASA. Which two features and commands will help troubleshoot the issue? (Choose two.)

  A. Capture user traffic using command capture capin interface inside match ip host 10.10.10.10 any

  B. After verifying that user traffic reaches the firewall using syslogs or captures, use packet tracer command packet-tracer input inside tcp 10.10.10.10 1234 209.165.200.225 80

  C. Enable logging at level 1 and check the syslogs using commands logging enable, logging buffered 1 and show logging | include 10.10.10.10

  D. Check if an access-list on the firewall is blocking the user by using command show running-config access-list | include 10.10.10.10

  E. Use packet tracer command packet-tracer input inside udp 0.10.10.10 1234 192.168.1.3 161 to see what the firewall is doing with the user's traffic

Answer: A,B

Question No: 49

In the Diffie-Hellman protocol, which type of key is the shared secret?

  A. a symmetric key

  B. an asymmetric key

  C. a decryption key

  D. an encryption key

Answer: A

Question No: 50

The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend using IKEv2. What is the most likely cause of this problem?

  A. User profile updates are not allowed with IKEv2.

  B. IKEv2 is not enabled on the group policy.

  C. A new profile must be created so that the adaptive security appliance can push it to the client on the next connection attempt.

  D. Client Services is not enabled on the adaptive security appliance.

Answer: C
