Tips to Pass 300-209 Exam (21 to 30)

★ Pass on Your First TRY ★ 100% Money Back Guarantee ★ Realistic Practice Exam Questions

Free Instant Download NEW 300-209 Exam Dumps (PDF & VCE):
Available on: https://www.certleader.com/300-209-dumps.html

Q21. Refer to the exhibit. 

The customer needs to launch AnyConnect in the RDP machine. Which configuration is correct? 

A. crypto vpn anyconnect profile test flash:RDP.xml 

policy group default 

svc profile test 

B. crypto vpn anyconnect profile test flash:RDP.xml 

webvpn context GW_1 

browser-attribute import flash:/swj.xml 

C. crypto vpn anyconnect profile test flash:RDP.xml 

policy group default 

svc profile flash:RDP.xml 

D. crypto vpn anyconnect profile test flash:RDP.xml 

webvpn context GW_1 

browser-attribute import test 

Answer: A 

Q22. Which three remote access VPN methods in an ASA appliance provide support for Cisco Secure Desktop? (Choose three.) 

A. IKEv1 

B. IKEv2 

C. SSL client 

D. SSL clientless 

E. ESP 

F. L2TP 

Answer: B,C,D 

Q23. The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend using IKEv2. What is the most likely cause of this problem? 

A. User profile updates are not allowed with IKEv2. 

B. IKEv2 is not enabled on the group policy. 

C. A new profile must be created so that the adaptive security appliance can push it to the client on the next connection attempt. 

D. Client Services is not enabled on the adaptive security appliance. 

Answer: C 

Q24. Which feature do you include in a highly available system to account for potential site failures? 

A. geographical separation of redundant devices 

B. hot/standby failover pairs 

C. Cisco ACE load-balancing with VIP 

D. dual power supplies 

Answer: A 

Q25. CORRECT TEXT 

Answer: Here are the steps as below: 

Step 1: configure key ring 

crypto ikev2 keyring mykeys 

peer SiteB.cisco.com 

address 209.161.201.1 

pre-shared-key local $iteA 

pre-shared key remote $iteB 

Step 2: Configure IKEv2 profile 

Crypto ikev2 profile default 

identity local fqdn SiteA.cisco.com 

Match identity remote fqdn SiteB.cisco.com 

Authentication local pre-share 

Authentication remote pre-share 

Keyring local mykeys 

Step 3: Create the GRE Tunnel and apply profile 

crypto ipsec profile default 

set ikev2-profile default 

Interface tunnel 0 

ip address 10.1.1.1 255.255.255.0 

Tunnel source eth 0/0 

Tunnel destination 209.165.201.1 

tunnel protection ipsec profile default 

end 

Q26. Which cryptographic algorithms are a part of the Cisco NGE suite? 

A. HIPPA DES 

B. AES-CBC-128 

C. RC4-128 

D. AES-GCM-256 

Answer: D 

Explanation: Reference: 

https://www.cisco.com/web/learning/le21/le39/docs/tdw166_prezo.pdf 

Q27. Which protocol does DTLS use for its transport? 

A. TCP 

B. UDP 

C. IMAP 

D. DDE 

Answer: B 

Q28. Refer to the exhibit. 

You executed the show crypto ipsec sa command to troubleshoot an IPSec issue. What problem does the given output indicate? 

A. IKEv2 failed to establish a phase 2 negotiation. 

B. The Crypto ACL is different on the peer device. 

C. ISAKMP was unable to find a matching SA. 

D. IKEv2 was used in aggressive mode. 

Answer: B 

Q29. A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two are valid configuration constructs on a Cisco IOS router? (Choose two.) 

A. crypto ikev2 keyring keyring-name 

peer peer1 

address 209.165.201.1 255.255.255.255 

pre-shared-key local key1 

pre-shared-key remote key2 

B. crypto ikev2 transform-set transform-set-name 

esp-3des esp-md5-hmac 

esp-aes esp-sha-hmac 

C. crypto ikev2 map crypto-map-name 

set crypto ikev2 tunnel-group tunnel-group-name 

set crypto ikev2 transform-set transform-set-name 

D. crypto ikev2 tunnel-group tunnel-group-name 

match identity remote address 209.165.201.1 

authentication local pre-share 

authentication remote pre-share 

E. crypto ikev2 profile profile-name 

match identity remote address 209.165.201.1 

authentication local pre-share 

authentication remote pre-share 

Answer: A,E 

Q30. An administrator wishes to limit the networks reachable over the Anyconnect VPN tunnels. Which configuration on the ASA will correctly limit the networks reachable to 209.165.201.0/27 and 209.165.202.128/27? 

A. access-list splitlist standard permit 209.165.201.0 255.255.255.224 

access-list splitlist standard permit 209.165.202.128 255.255.255.224 

! 

group-policy GroupPolicy1 internal 

group-policy GroupPolicy1 attributes 

split-tunnel-policy tunnelspecified 

split-tunnel-network-list value splitlist 

B. access-list splitlist standard permit 209.165.201.0 255.255.255.224 

access-list splitlist standard permit 209.165.202.128 255.255.255.224 

! 

group-policy GroupPolicy1 internal 

group-policy GroupPolicy1 attributes 

split-tunnel-policy tunnelall 

split-tunnel-network-list value splitlist 

C. group-policy GroupPolicy1 internal 

group-policy GroupPolicy1 attributes 

split-tunnel-policy tunnelspecified 

split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224 

split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224 

D. access-list splitlist standard permit 209.165.201.0 255.255.255.224 

access-list splitlist standard permit 209.165.202.128 255.255.255.224 

! 

crypto anyconnect vpn-tunnel-policy tunnelspecified 

crypto anyconnect vpn-tunnel-network-list splitlist 

E. crypto anyconnect vpn-tunnel-policy tunnelspecified 

crypto anyconnect split-tunnel-network-list ipv4 1 209.165.201.0 255.255.255.224 

crypto anyconnect split-tunnel-network-list ipv4 2 209.165.202.128 255.255.255.224 

Answer: A