CCNA Security Chapter 8

1.

1 point

Refer to the exhibit. Which pair of crypto isakmp key commands would correctly configure PSK on the two routers?

R1# crypto isakmp key cisco123 address 209.165.200.226 R2# crypto isakmp key secure address 209.165.200.227

R1# crypto isakmp key cisco123 address 209.165.200.226 R2# crypto isakmp key cisco123 address 209.165.200.227

R1# crypto isakmp key cisco123 address 209.165.200.227 R2# crypto isakmp key cisco123 address 209.165.200.226

R1# crypto isakmp key cisco123 hostname R1 R2# crypto isakmp key cisco123 hostname R2

2.

1 point

Which factor is a drawback of providing remote connectivity and work solutions to employees?

system security being maintained employees themselves.

Employee telecommuting provides benefits

through decreasing job-related stress and pollution

24/7 time zone business availability

job-related stresses

transportation-related pollution

3.

1 point

Which statement describes an important characteristic of a site-to-site VPN?

It must be statically set up.

It is commonly implemented over dialup and cable modem networks.

It is ideally suited for use by mobile workers.

After the initial connection is established, it can dynamically change connection information.

It requires using a VPN client on the host PC.

4.

1 point

When using ESP tunnel mode, which portion of the packet is not authenticated?

new IP header

original IP header

ESP header

ESP trailer

5.

1 point

The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?

nonrepudiation

integrity

confidentiality

authentication

Diffie-Hellman

6.

1 point

Which action do IPsec peers take during the IKE Phase 2 exchange?

negotiation of IKE policy sets

exchange of DH keys

verification of peer identity

negotiation of IPsec policy

7.

1 point

Which authentication method is available when specifying a method list for group policy lookup using the CCP Easy VPN Server wizard?

Certificate Authority

RADIUS

Active Directory

Kerberos

TACACS+

8.

1 point

Refer to the exhibit. How will traffic that does not match that defined by access list 101 be treated by the router?

It will be sent unencrypted.

It will be blocked.

It will be sent encrypted.

It will be discarded.

9.

1 point

When CCP Quick Setup is used to configure a VPN-capable router, what is the strongest level of encryption allowed?

3DES

DES

SEAL

AES

10.

1 point

What is the default IKE policy value for encryption?

256-bit AES

192-bit AES

128-bit AES

DES/3DES

11.

1 point

What are two benefits of an SSL VPN? (Choose two.)

It is compatible with DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT.

The thin client mode functions without requiring any downloads or software.

It supports the same level of cryptographic security as an IPsec VPN.

It supports all client/server applications.

It has the option of only requiring an SSL-enabled web browser.

12.

1 point

Refer to the exhibit. Based on the CCP settings that are shown, which Easy VPN Server component is being configured?

IKE proposal

group policy

user authentication

transform set

13.

1 point

Which two statements accurately describe characteristics of IPsec? (Choose two.)

IPsec works at the transport layer and protects data at the network layer.

IPsec works at the application layer and protects all application data.

IPsec works at the network layer and operates over all Layer 2 protocols.

IPsec is a framework of open standards that relies on existing algorithms.

IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.

IPsec is a framework of proprietary standards that depend on Cisco specific algorithms.

14.

1 point

When verifying IPsec configurations, which show command displays the encryption algorithm, hash algorithm, authentication method, and Diffie-Hellman group configured, as well as default settings?

show crypto map

show crypto isakmp policy

show crypto ipsec transform-set

show crypto ipsec sa

15.

1 point

What protocol is used by IPsec to calculate shared keys and to negotiate the parameters to be used by IPsec SAs?

IKE

NTP

ESP

AH

16.

1 point

Which two authentication methods can be configured when using the CCP Site-to-Site VPN wizard? (Choose two.)

digital certificates

encrypted nonces

pre-shared keys

SHA

MD5

17.

1 point

What are two characteristics of SSL VPNs? (Choose two.)

They can use strong two-way authentication via shared secrets or digital certificates.

They require only a web browser on the client computer.

They protect all IP-based applications.

They can use noncompany-managed devices.

They require specific client software installed on the client device.

18.

1 point

What can be used as a VPN gateway when setting up a site-to-site VPN?

Cisco Unified Communications Manager

Cisco router

Cisco AnyConnect

Cisco Catalyst switch

19.

1 point

With the Cisco Easy VPN feature, which process ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client?

On-Demand Routing

Cisco Express Forwarding

Network Access Control

Reverse Path Forwarding

Reverse Route Injection

20.

1 point

A user launches Cisco VPN Client software to connect remotely to a VPN service. What does the user select before entering the username and password?

the Cisco Encryption Technology to be applied

the desired preconfigured VPN server site

the IKE negotiation process

the SSL connection type

21.

1 point

What is the purpose of the “Generate Mirror…” button in site-to-site VPN wizard of CCP?

to test the VPN configuration and to verify operation

to automatically configure the router on the other side of the tunnel

to produce the required CLI commands to configure the router on the other side of the tunnel

to provide the VPN wizard setting required on the router on the other side of the tunnel

22.

1 point

What VPN solution uses a server to push IPsec policies to mobile clients so that they can access company resources over a secure IPsec tunnel?

Cisco Easy VPN

Cisco VPN Wizard

Step by Step Wizard

Cisco SSL VPN

23.

1 point

A network administrator is planning to implement centralized management of Cisco VPN devices to simplify VPN deployment for remote offices and teleworkers. Which Cisco IOS feature would provide this solution?

Cisco IOS SSL VPN

Cisco Easy VPN

Cisco VPN Client

Dynamic Multipoint VPN

24.

1 point

A network administrator plans to deploy an SSL VPN on a Cisco IOS router. Which SSL VPN mode would require the user to download a Java applet to connect to POP3, SMTP, and SSH services?

Easy VPN Remote

clientless access mode

thin client mode

full client access mode

25.

1 point

When configuring an IPsec VPN, what is used to define the traffic that is sent through the IPsec tunnel and protected by the IPsec process?

crypto ACL

ISAKMP policy

crypto map

IPsec transform set

26.

1 point

Refer to the exhibit. Which two IPsec framework components are valid options when configuring an IPsec VPN on a Cisco ISR router? (Choose two.)

Integrity options include MD5 and RSA.

Diffie-Hellman options include DH1, DH2, and DH5.

Authentication options include pre-shared key and SHA.

Confidentiality options include DES, 3DES, and AES.

IPsec protocol options include GRE and AH.

27.

1 point

Which UDP port must be permitted on any IP interface used to exchange IKE information between security gateways?

500

600

400

700

28.

1 point

Refer to the exhibit. A site-to-site VPN is required from R1 to R3. The administrator is using the CCP Site-to-Site VPN wizard on R1. Which IP address should the administrator enter in the highlighted field?

10.2.2.2

10.1.1.1

10.2.2.1

192.168.1.1

192.168.3.1

10.1.1.2

29.

1 point

A network administrator has acquired two different VPN-capable routers that will be installed in a network. Which factor must be verified between two routers prior to configuring a VPN tunnel?

device interoperability

quality of service

intrusion prevention

firewall configuration

30.

1 point

What is the purpose of configuring multiple crypto ACLs when building a VPN connection between remote sites?

When multiple combinations of IPsec protection are being chosen, multiple crypto ACLs can define different traffic types.

Multiple crypto ACLs can be configured to deny specific network traffic from crossing a VPN.

By applying the ACL on a public interface, multiple crypto ACLs can be built to prevent public users from connecting to the VPN-enabled router.

Multiple crypto ACLs can define multiple remote peers for connecting with a VPN-enabled router across the Internet or network.

31.

1 point

How many bytes of overhead are added to each IP packet while it is transported through a GRE tunnel?

8

24

32

16

32.

1 point

Which statement describes the operation of the IKE protocol?

It uses TCP port 50 to exchange IKE information between the security gateways.

It calculates shared keys based on the exchange of a series of data packets.

It uses IPsec to establish the key exchange process.

It uses sophisticated hashing algorithms to transmit keys directly across a network.

33.

1 point

Which three statements describe the IPsec protocol framework? (Choose three.)

AH provides integrity and authentication.

AH uses IP protocol 51.

AH provides encryption and integrity.

ESP requires both authentication and encryption.

ESP uses UDP protocol 50.

ESP provides encryption, authentication, and integrity.

34.

1 point

What is required for a host to use an SSL VPN to connect to a remote network device?

A web browser must be installed on the host.

A site-to-site VPN must be preconfigured.

VPN client software must be installed.

The host must be connected to a wired network.

35.

1 point

Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and R2. Assuming the R2 GRE configuration is correct and based on the running configuration of R1, what must the administrator do to fix the problem?

Change the tunnel source interface to Fa0/0.

Change the tunnel destination to 209.165.200.225.

Change the tunnel IP address to 209.165.201.1.

Change the tunnel IP address to 192.168.3.1.

Change the tunnel destination to 192.168.5.1.

36.

1 point

Refer to the exhibit. Based on the CCP screen that is shown, which two conclusions can be drawn about the IKE policy that is being configured? (Choose two.)

It will be the default policy with the highest priority.

It will use a predefined key for authentication.

It is being created using the CCP VPN Quick Setup Wizard.

It will use a very strong encryption algorithm.

It will use digital certificates for authentication.