Update 300-730


Implementing Secure Solutions with Virtual Private Networks

Certification Provider: Cisco

Exam Code: SVPN 300-730
Number of questions: 107
Exam Version: August 31, 2021
Question #1 (Topic 1)
DRAG DROP -
Drag and drop the correct commands from the right onto the blanks within the code on
the left to implement a design that allow for dynamic spoke-to-spoke communication.
Not all commands are used.
Select and Place:

Correct Answer:
Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-16/sec-conn-dmvpn-xe-16-book/sec-conn-dmvpn-summ-maps.html
Question #2 (Topic 1)
A second set of traffic selectors is negotiated between two peers using IKEv2. Which
IKEv2 packet will contain details of the exchange?

• A. IKEv2 IKE_SA_INIT
• B. IKEv2 INFORMATIONAL
• C. IKEv2 CREATE_CHILD_SA
• D. IKEv2 IKE_AUTH

Correct Answer: B

Question #3 (Topic 1)

Refer to the exhibit. The DMVPN tunnel is dropping randomly and no tunnel protection
is configured. Which spoke configuration mitigates tunnel drops?
A.

B.
C.
D.

Correct Answer: D

Question #4 (Topic 1)
On a FlexVPN hub-and-spoke topology where spoke-to-spoke tunnels are not allowed,
which command is needed for the hub to be able to terminate FlexVPN tunnels?

• A. interface virtual-access
• B. ip nhrp redirect
• C. interface tunnel
• D. interface virtual-template

Correct Answer: D
Question #5 (Topic 1)
Which statement about GETVPN is true?

• A. The configuration that defines which traffic to encrypt originates from the key
server.
• B. TEK rekeys can be load-balanced between two key servers operating in
COOP.
• C. The pseudotime that is used for replay checking is synchronized via NTP.
• D. Group members must acknowledge all KEK and TEK rekeys, regardless of
configuration.

Correct Answer: A
Question #6 (Topic 1)

Refer to the exhibit. Which two tunnel types produce the show crypto ipsec sa output
seen in the exhibit? (Choose two.)

• A. crypto map
• B. DMVPN
• C. GRE
• D. FlexVPN
• E. VTI

Correct Answer: BE

Question #7 (Topic 1)
Which two changes must be made in order to migrate from DMVPN Phase 2 to Phase 3
when EIGRP is configured? (Choose two.)

• A. Add NHRP shortcuts on the hub.
• B. Add NHRP redirects on the spoke.
• C. Disable EIGRP next-hop-self on the hub.
• D. Enable EIGRP next-hop-self on the hub.
• E. Add NHRP redirects on the hub.

Correct Answer: CE
Question #8 (Topic 1)

Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel
between two Cisco ASA devices. Based on the syslog message, which action brings up
the VPN tunnel?

• A. Reduce the maximum SA limit on the local Cisco ASA.
• B. Increase the maximum in-negotiation SA limit on the local Cisco ASA.
• C. Remove the maximum SA limit on the remote Cisco ASA.
• D. Correct the crypto access list on both Cisco ASA devices.

Correct Answer: B
Question #9 (Topic 1)
Which two parameters help to map a VPN session to a tunnel group without using the
tunnel-group list? (Choose two.)

• A. group-alias
• B. certificate map
• C. optimal gateway selection
• D. group-url
• E. AnyConnect client version

Correct Answer: BD

Question #10 (Topic 1)
Which method dynamically installs the network routes for remote tunnel endpoints?

• A. policy-based routing
• B. CEF
• C. reverse route injection
• D. route filtering

Correct Answer: C
Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/12-4t/sec-vpn-availability-12-4t-book/sec-rev-rte-inject.html
Question #11 (Topic 1)
Which command identifies a Cisco AnyConnect profile that was uploaded to the flash of
an IOS router?

• A. svc import profile SSL_profile flash:simos-profile.xml
• B. anyconnect profile SSL_profile flash:simos-profile.xml
• C. crypto vpn anyconnect profile SSL_profile flash:simos-profile.xml
• D. webvpn import profile SSL_profile flash:simos-profile.xml

Correct Answer: C
Reference:
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html
Question #12 (Topic 1)

Refer to the exhibit. Which value must be configured in the User Group field when the
Cisco AnyConnect Profile is created to connect to an ASA headend with
IPsec as the primary protocol?

• A. address-pool
• B. group-alias
• C. group-policy
• D. tunnel-group

Correct Answer: D
Reference:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure-vpn.html
Question #13 (Topic 1)

Refer to the exhibit. What is configured as a result of this command set?

• A. FlexVPN client profile for IPv6
• B. FlexVPN server to authorize groups by using an IPv6 external AAA
• C. FlexVPN server for an IPv6 dVTI session
• D. FlexVPN server to authenticate IPv6 peers by using EAP

Correct Answer: A
Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-3s/sec-flex-vpn-xe-3s-book/sec-cfg-flex-clnt.html
Question #14 (Topic 1)
Which two types of web resources or protocols are enabled by default on the Cisco ASA
Clientless SSL VPN portal? (Choose two.)

• A. HTTP
• B. ICA (Citrix)
• C. VNC
• D. RDP
• E. CIFS

Correct Answer: DE
Reference:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/vpn/asa-94-vpn-config/webvpn-configure-gateway.html
Question #15 (Topic 1)
Which configuration construct must be used in a FlexVPN tunnel?

• A. EAP configuration
• B. multipoint GRE tunnel interface
• C. IKEv1 policy
• D. IKEv2 profile

Correct Answer: D

Question #16 (Topic 1)
A Cisco AnyConnect client establishes a SSL VPN connection with an ASA at the
corporate office. An engineer must ensure that the client computer meets the enterprise
security policy. Which feature can update the client to meet an enterprise security
policy?

• A. Endpoint Assessment
• B. Cisco Secure Desktop
• C. Basic Host Scan
• D. Advanced Endpoint Assessment

Correct Answer: D
Question #17 (Topic 1)
Which two features provide headend resiliency for Cisco AnyConnect clients? (Choose
two.)

• A. AnyConnect Auto Reconnect
• B. AnyConnect Network Access Manager
• C. AnyConnect Backup Servers
• D. ASA failover
• E. AnyConnect Always On

Correct Answer: CD

Question #18 (Topic 1)
Cisco AnyConnect Secure Mobility Client has been configured to use IKEv2 for one
group of users and SSL for another group. When the administrator configures a new
AnyConnect release on the Cisco ASA, the IKEv2 users cannot download it
automatically when they connect. What might be the problem?

• A. The XML profile is not configured correctly for the affected users.
• B. The new client image does not use the same major release as the current
one.
• C. Client services are not enabled.
• D. Client software updates are not supported with IKEv2.

Correct Answer: C

Question #19 (Topic 1)
Under which section must a bookmark or URL list be configured on a Cisco ASA to be
available for clientless SSLVPN users?

• A. tunnel-group (general-attributes)
• B. tunnel-group (webvpn-attributes)
• C. webvpn (group-policy)
• D. webvpn (global configuration)

Correct Answer: D
Question #20 (Topic 1)

Refer to the exhibit. Based on the exhibit, why are users unable to access CCNP
Webserver bookmark?

• A. The URL is being blocked by a WebACL.
• B. The ASA cannot resolve the URL.
• C. The bookmark has been disabled.
• D. The user cannot access the URL.

Correct Answer: C
Question #21 (Topic 1)
Which two statements about the Cisco ASA Clientless SSL VPN solution are true?
(Choose two.)

• A. When a client connects to the Cisco ASA WebVPN portal and tries to access
HTTP resources through the URL bar, the client uses the local DNS to perform
FQDN resolution.
• B. The rewriter enable command under the global webvpn configuration enables
the rewriter functionality because that feature is disabled by default.
• C. A Cisco ASA can simultaneously allow Clientless SSL VPN sessions and
AnyConnect client sessions.
• D. When a client connects to the Cisco ASA WebVPN portal and tries to access
HTTP resources through the URL bar, the ASA uses its configured DNS servers
to perform FQDN resolution.
• E. Clientless SSLVPN provides Layer 3 connectivity into the secured network.

Correct Answer: CD
Question #22 (Topic 1)
Which feature allows the ASA to handle nonstandard applications and web resources
so that they display correctly over a clientless SSL VPN connection?

• A. single sign-on
• B. Smart Tunnel
• C. WebType ACL
• D. plug-ins

Correct Answer: B
Reference:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_clientless_ssl.html#29951
Question #23 (Topic 1)
Which command automatically initiates a smart tunnel when a user logs in to the
WebVPN portal page?

• A. auto-upgrade
• B. auto-connect
• C. auto-start
• D. auto-run

Correct Answer: C
Reference:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-configure-policy-group.html
Question #24 (Topic 1)

Refer to the exhibit. The customer must launch Cisco AnyConnect in the RDP machine.
Which IOS configuration accomplishes this task?
A.

B.

C.

D.

Correct Answer: C
Reference:
https://community.cisco.com/t5/vpn/starting-anyconnect-vpn-through-rdp-session-on-cisco-891/td-p/2128284
Question #25 (Topic 1)

Refer to the exhibit. Which two commands under the tunnel-group webvpn-attributes
result in a Cisco AnyConnect user receiving the AnyConnect prompt in the exhibit?
(Choose two.)

• A. group-url https://172.16.31.10/General enable
• B. group-policy General internal
• C. authentication aaa
• D. authentication certificate
• E. group-alias General enable

Correct Answer: BE
Question #26 (Topic 1)
Which requirement is needed to use local authentication for Cisco AnyConnect Secure
Mobility Clients that connect to a FlexVPN server?

• A. use of certificates instead of username and password
• B. EAP-AnyConnect
• C. EAP query-identity
• D. AnyConnect profile

Correct Answer: D
Reference:
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html
Question #27 (Topic 1)
Which IKE identity does an IOS/IOS-XE headend expect to receive if an IPsec Cisco
AnyConnect client uses default settings?

• A. *$SecureMobilityClient$*
• B. *$AnyConnectClient$*
• C. *$RemoteAccessVpnClient$*
• D. *$DfltlkeldentityS*

Correct Answer: B
Reference:
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html
Question #28 (Topic 1)

Refer to the exhibit. Which VPN technology is allowed for users connecting to the
Employee tunnel group?

• A. SSL AnyConnect
• B. IKEv2 AnyConnect
• C. crypto map
• D. clientless

Correct Answer: B
Question #29 (Topic 1)

Refer to the exhibit. An engineer is troubleshooting a new GRE over IPsec tunnel. The tunnel is established, but the engineer cannot ping from spoke 1 to spoke 2. Which type of traffic is being blocked?

• A. ESP packets from spoke2 to spoke1
• B. ISAKMP packets from spoke2 to spoke1
• C. ESP packets from spoke1 to spoke2
• D. ISAKMP packets from spoke1 to spoke2

Correct Answer: A

Question #30 (Topic 1)
Which command is used to troubleshoot an IPv6 FlexVPN spoke-to-hub connectivity failure?

• A. show crypto ikev2 sa
• B. show crypto isakmp sa
• C. show crypto gkm
• D. show crypto identity

Correct Answer: A
Reference:
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116413-configure-flexvpn-00.pdf
Question #31 (Topic 1)
In a FlexVPN deployment, the spokes successfully connect to the hub, but spoke-to-spoke tunnels
do not form. Which troubleshooting step solves the issue?

• A. Verify the spoke configuration to check if the NHRP redirect is enabled.
• B. Verify that the spoke receives redirect messages and sends resolution requests.
• C. Verify the hub configuration to check if the NHRP shortcut is enabled.
• D. Verify that the tunnel interface is contained within a VRF.

Correct Answer: B
Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-summ-maps.pdf
Question #32 (Topic 1)
An engineer is troubleshooting a new DMVPN setup on a Cisco IOS router. After the show crypto
isakmp sa command is issued, a response is returned of
"MM_NO_STATE." Why does this failure occur?

• A. The ISAKMP policy priority values are invalid.
• B. ESP traffic is being dropped.
• C. The Phase 1 policy does not match on both devices.
• D. Tunnel protection is not applied to the DMVPN tunnel.

Correct Answer: B
Question #33 (Topic 1)

Refer to the exhibit. The customer can establish a Cisco AnyConnect connection without using an
XML profile. When the host "ikev2" is selected in the
AnyConnect drop down, the connection fails. What is the cause of this issue?

• A. The HostName is incorrect.
• B. The IP address is incorrect.
• C. Primary protocol should be SSL.
• D. UserGroup must match connection profile.

Correct Answer: D
Reference:
https://community.cisco.com/t5/security-documents/anyconnect-xml-settings/ta-p/3157891
Question #34 (Topic 1)

Refer to the exhibit. A site-to-site tunnel between two sites is not coming up. Based on the debugs,
what is the cause of this issue?

• A. An authentication failure occurs on the remote peer.
• B. A certificate fragmentation issue occurs between both sides.
• C. UDP 4500 traffic from the peer does not reach the router.
• D. An authentication failure occurs on the router.

Correct Answer: C
Question #35 (Topic 1)

Refer to the exhibit. Based on the debug output, which type of mismatch is preventing the VPN
from coming up?

• A. interesting traffic
• B. lifetime
• C. preshared key
• D. PFS

Correct Answer: B
If the responder's policy does not allow it to accept any part of the proposed Traffic Selectors, it
responds with a TS_UNACCEPTABLE Notify message.
Question #36 (Topic 1)

Refer to the exhibit. The IKEv2 site-to-site VPN tunnel between two routers is down. Based on the
debug output, which type of mismatch is the problem?

• A. preshared key
• B. peer identity
• C. transform set
• D. ikev2 proposal

Correct Answer: B
Question #37 (Topic 1)

Refer to the exhibit. Which type of mismatch is causing the problem with the IPsec VPN tunnel?

• A. crypto access list
• B. Phase 1 policy
• C. transform set
• D. preshared key

Correct Answer: D
Reference:
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#ike
Question #38 (Topic 1)

Refer to the exhibit. What is a result of this configuration?

• A. Spoke 1 fails the authentication because the authentication methods are incorrect.
• B. Spoke 2 passes the authentication to the hub and successfully proceeds to phase 2.
• C. Spoke 2 fails the authentication because the remote authentication method is incorrect.
• D. Spoke 1 passes the authentication to the hub and successfully proceeds to phase 2.

Correct Answer: A
Question #39 (Topic 1)

Refer to the exhibit. Client 1 cannot communicate with client 2. Both clients are using Cisco
AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which
command on the ASA is missing?

• A. dns-server value 10.1.1.2
• B. same-security-traffic permit intra-interface
• C. same-security-traffic permit inter-interface
• D. dns-server value 10.1.1.3

Correct Answer: B
Question #40 (Topic 1)

Refer to the exhibit. An SSL client is connecting to an ASA headend. The session fails with the message "Connection attempt has timed out. Please verify Internet connectivity." Based on how the packet is processed, which phase is causing the failure?

• A. phase 9: rpf-check
• B. phase 5: NAT
• C. phase 4: ACCESS-LIST
• D. phase 3: UN-NAT

Correct Answer: D
Question #41 (Topic 1)
Which redundancy protocol must be implemented for IPsec stateless failover to work?

• A. SSO
• B. GLBP
• C. HSRP
• D. VRRP

Correct Answer: C
Reference:
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html
Question #42 (Topic 1)
Which technology works with IPsec stateful failover?

• A. GLBP
• B. HSRP
• C. GRE
• D. VRRP

Correct Answer: B
Reference:
https://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2y/12_2yx11/feature/guide/ft_vpnha.html#wp1122512
Question #43 (Topic 1)
What are two functions of ECDH and ECDSA? (Choose two.)

• A. nonrepudiation
• B. revocation
• C. digital signature
• D. key exchange
• E. encryption

Correct Answer: CD
Reference:
https://tools.cisco.com/security/center/resources/next_generation_cryptography
Question #44 (Topic 1)
What uses an Elliptic Curve key exchange algorithm?

• A. ECDSA
• B. ECDHE
• C. AES-GCM
• D. SHA

Correct Answer: B
Reference:
https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/
Question #45 (Topic 1)
Which two remote access VPN solutions support SSL? (Choose two.)

• A. FlexVPN
• B. clientless
• C. EZVPN
• D. L2TP
• E. Cisco AnyConnect

Correct Answer: BE

Question #46 (Topic 1)
Which VPN solution uses TBAR?

• A. GETVPN
• B. VTI
• C. DMVPN
• D. Cisco AnyConnect

Correct Answer: A
Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html
Question #47 (Topic 1)
Which two commands help determine why the NHRP registration process is not being completed
even after the IPsec tunnel is up? (Choose two.)

• A. show crypto isakmp sa
• B. show ip traffic
• C. show crypto ipsec sa
• D. show ip nhrp traffic
• E. show dmvpn detail

Correct Answer: AD

Question #48 (Topic 1)

Refer to the exhibit. All internal clients behind the ASA are port address translated to the public
outside interface that has an IP address of 3.3.3.3. Client 1 and client 2 have established
successful SSL VPN connections to the ASA. What must be implemented so that "3.3.3.3" is
returned from a browser search on the IP address?

• A. Same-security-traffic permit inter-interface under Group Policy
• B. Exclude Network List Below under Group Policy
• C. Tunnel All Networks under Group Policy
• D. Tunnel Network List Below under Group Policy

Correct Answer: D
Question #49 (Topic 1)
Cisco AnyConnect clients need to transfer large files over the VPN sessions. Which protocol
provides the best throughput?

• A. SSL/TLS
• B. L2TP
• C. DTLS
• D. IPsec IKEv1

Correct Answer: C

Question #50 (Topic 1)

Refer to the exhibit. Which VPN technology is used in the exhibit?

• A. DVTI
• B. VTI
• C. DMVPN
• D. GRE

Correct Answer: B
Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/zZ-Archive/IPsec_Virtual_Tunnel_Interface.html#GUID-EB8C433B-2394-42B9-997F-B40803E58A91
Question #51 (Topic 1)
Which VPN does VPN load balancing on the ASA support?

• A. VTI
• B. IPsec site-to-site tunnels
• C. L2TP over IPsec
• D. Cisco AnyConnect

Correct Answer: D

Question #52 (Topic 1)
Which parameter must match on all routers in a DMVPN Phase 3 cloud?

• A. GRE tunnel key
• B. NHRP network ID
• C. tunnel VRF
• D. EIGRP split-horizon setting

Correct Answer: A

Question #53 (Topic 1)
Which parameter is initially used to elect the primary key server from a group of key servers?

• A. code version
• B. highest IP address
• C. highest-priority value
• D. lowest IP address

Correct Answer: C
Reference:
https://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html
Question #54 (Topic 1)
A Cisco ASA is configured in active/standby mode. What is needed to ensure that Cisco
AnyConnect users can connect after a failover event?

• A. AnyConnect images must be uploaded to both failover ASA devices.
• B. The vpnsession-db must be cleared manually.
• C. Configure a backup server in the XML profile.
• D. AnyConnect client must point to the standby IP address.

Correct Answer: A
Reference:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_standby.html
Question #55 (Topic 1)
Which benefit of FlexVPN is a limitation of DMVPN using IKEv1?

• A. GRE encapsulation allows for forwarding of non-IP traffic.
• B. IKE implementation can install routes in routing table.
• C. NHRP authentication provides enhanced security.
• D. Dynamic routing protocols can be configured.

Correct Answer: B

Question #56 (Topic 1)
What is a requirement for smart tunnels to function properly?

• A. Java or ActiveX must be enabled on the client machine.
• B. Applications must be UDP.
• C. Stateful failover must not be configured.
• D. The user on the client machine must have admin access.

Correct Answer: A
Reference:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111007-smart-tunnel-asa-00.html
Question #57 (Topic 1)
Where is split tunneling defined for IKEv2 remote access clients on a Cisco router?

• A. IKEv2 authorization policy
• B. Group Policy
• C. virtual template
• D. webvpn context

Correct Answer: B

Question #58 (Topic 1)
Which technology is used to send multicast traffic over a site-to-site VPN?

• A. GRE over IPsec on IOS router
• B. GRE over IPsec on FTD
• C. IPsec tunnel on FTD
• D. GRE tunnel on ASA

Correct Answer: B

Question #59 (Topic 1)
Which feature of GETVPN is a limitation of DMVPN and FlexVPN?

• A. sequence numbers that enable scalable replay checking
• B. enabled use of ESP or AH
• C. design for use over public or private WAN
• D. no requirement for an overlay routing protocol

Correct Answer: D
Question #60 (Topic 1)

Refer to the exhibit. Cisco AnyConnect must be set up on a router to allow users to access internal
servers 192.168.0.10 and 192.168.0.11. All other traffic should go out of the client's local NIC.
Which command accomplishes this configuration?

• A. svc split include 192.168.0.0 255.255.255.0
• B. svc split exclude 192.168.0.0 255.255.255.0
• C. svc split include acl CCNP
• D. svc split exclude acl CCNP

Correct Answer: C
Question #61 (Topic 1)
An engineer is configuring clientless SSL VPN. The finance department has a database server that
only they should access, but the sales department can currently access it. The finance and the
sales departments are configured as separate group-policies. What must be added to the
configuration to make sure the users in the sales department cannot access the finance
department server?

• A. tunnel group lock
• B. smart tunnel
• C. port forwarding
• D. webtype ACL

Correct Answer: A
Question #62 (Topic 1)
An engineer has integrated a new DMVPN to link remote offices across the internet using Cisco
IOS routers. When connecting to remote sites, pings and voice data appear to flow properly, and all
tunnel stats show that they are up. However, when trying to connect to a remote server using RDP,
the connection fails.
Which action resolves this issue?

• A. Adjust the MTU size within the routers.
• B. Add RDP port to the extended ACL.
• C. Replace certificate on the RDP server.
• D. Change DMVPN timeout values.

Correct Answer: A

Question #63 (Topic 1)
Where must an engineer configure a preshared key for a site-to-site VPN tunnel configured on a
Cisco ASA?

• A. isakmp policy
• B. group policy
• C. crypto map
• D. tunnel group

Correct Answer: D

Question #64 (Topic 1)
A network engineer has been tasked with configuring SSL VPN to provide remote users with
access to the corporate network. Traffic destined to the enterprise IP range should go through the
tunnel, and all other traffic should go directly to the Internet. Which feature should be configured to
achieve this?

• A. U-turning
• B. hairpinning
• C. split-tunnel
• D. dual-homing

Correct Answer: C
Question #65 (Topic 1)

A network engineer must design a remote access solution to allow contractors to access internal
servers. These contractors do not have permissions to install applications on their computers.
Which VPN solution should be used in this design?

• A. IKEv2 AnyConnect
• B. Clientless
• C. Port forwarding
• D. SSL AnyConnect

Correct Answer: B

Question #66 (Topic 1)

Refer to the exhibit. Which type of Cisco VPN is shown for group Cisc012345678?

• A. Cisco AnyConnect Client VPN
• B. DMVPN
• C. Clientless SSLVPN
• D. GETVPN

Correct Answer: A
Question #67 (Topic 1)

Which command shows the smart default configuration for an IPsec profile?

• A. show run all crypto ipsec profile
• B. ipsec profile does not have any smart default configuration
• C. show smart-defaults ipsec profile
• D. show crypto ipsec profile default

Correct Answer: D
Question #68 (Topic 1)

DRAG DROP -
Drag and drop the code snippets from the right onto the blanks in the configuration to implement
FlexVPN. Not all snippets are used.
Select and Place:

Correct Answer:
Question #69 (Topic 1)

Refer to the exhibit. The DMVPN spoke is not establishing a session with the hub. Which two
actions resolve this issue? (Choose two.)

• A. Change the spoke nhs to 172.16.18.1 and the nbma to 10.0.0.1.
• B. Change the transform set to mode tunnel.
• C. Change the ISAKMP policy authentication on the spoke to pre-shared.
• D. Change the ISAKMP key address on the spoke to 0.0.0.0.
• E. Change the nhrp authentication key on the spoke to cisco123.

Correct Answer: DE
Question #70 (Topic 1)

Refer to the exhibit. A network engineer is configuring a remote access SSLVPN and is unable to
complete the connection using local credentials. What must be done to remediate this problem?

• A. Enable the client protocol in the Cisco AnyConnect profile.
• B. Configure a AAA server group to authenticate the client.
• C. Change the authentication method to local.
• D. Configure the group policy to force local authentication.

Correct Answer: A
Question #71 (Topic 1)

Which two NHRP functions are specific to DMVPN Phase 3 implementation? (Choose two.)

• A. registration reply
• B. redirect
• C. resolution reply
• D. registration request
• E. resolution request

Correct Answer: BC

Question #72 (Topic 1)

A network engineer must implement an SSLVPN Cisco AnyConnect solution that supports 500
concurrent users, ensures all traffic from the client passes through the ASA, and allows users to
access all devices on the inside interface subnet (192.168.0.0/24). Assuming all other
configuration is set up appropriately, which configuration implements this solution?
A.

B.

C.

D.
Correct Answer: A

Question #73 (Topic 1)
Which two features are valid backup options for an IOS FlexVPN client? (Choose two.)

• A. HSRP stateless failover
• B. DNS-based hub resolution
• C. reactivate primary peer
• D. tunnel pivot
• E. need distractor

Correct Answer: BC

Question #74 (Topic 1)

Refer to the exhibit. Which type of VPN is used?

• A. GETVPN
• B. clientless SSL VPN
• C. Cisco Easy VPN
• D. Cisco AnyConnect SSL VPN

Correct Answer: C
Question #75 (Topic 1)
An engineer would like Cisco AnyConnect users to be able to reach servers within the 10.10.0.0/16 subnet while all other traffic is sent out to the Internet. Which IPsec configuration accomplishes this task?
A.

B.

C.

D.

Correct Answer: B

Question #76 (Topic 1)
Which Cisco AnyConnect component ensures that devices in a specific internal subnet are only
accessible using port 443?

• A. routing
• B. WebACL
• C. split tunnel
• D. VPN filter

Correct Answer: D
Question #77 (Topic 1)

Refer to the exhibit. Upon setting up a tunnel between two sites, users are complaining that
connections to applications over the VPN are not working consistently.
The output of show crypto ipsec sa was collected on one of the VPN devices. Based on this output,
what should be done to fix this issue?

• A. Lower the tunnel MTU.
• B. Enable perfect forward secrecy.
• C. Specify the application networks in the remote identity.
• D. Make an adjustment to IPSec replay window.

Correct Answer: A
Question #78 (Topic 1)
After a user configures a connection profile with a bookmark list and tests the clientless SSLVPN
connection, all of the bookmarks are grayed out. What must be done to correct this behavior?

• A. Apply the bookmark to the correct group policy.
• B. Specify the correct port for the web server under the bookmark.
• C. Configure a DNS server on the Cisco ASA and verify it has a record for the web server.
• D. Verify HTTP/HTTPS connectivity between the Cisco ASA and the web server.

Correct Answer: C

Question #79 (Topic 1)

Refer to the exhibit. Which type of VPN is being configured, based on the partial configuration
snippet?

• A. GET VPN with COOP key server
• B. GET VPN with dual group member
• C. FlexVPN load balancer
• D. FlexVPN backup gateway

Correct Answer: A

Question #80 (Topic 1)
An administrator is designing a VPN with a partner's non-Cisco VPN solution. The partner's VPN
device will negotiate an IKEv2 tunnel that will only encrypt subnets 192.168.0.0/24 going to
10.0.0.0/24. Which technology must be used to meet these requirements?

• A. VTI
• B. crypto map
• C. GETVPN
• D. DMVPN

Correct Answer: B
Question #81 (Topic 1)
A company's remote locations connect to the data centers via MPLS. A new request requires that
unicast and multicast traffic that exits in the remote locations be encrypted. Which non-tunneled
technology should be used to satisfy this requirement?

• A. SSL
• B. FlexVPN
• C. DMVPN
• D. GETVPN

Correct Answer: D

Question #82 (Topic 1)
While troubleshooting, an engineer finds that the show crypto isakmp sa command indicates that
the last state of the tunnel is MM_KEY_EXCH. What is the next step that should be taken to resolve
this issue?

• A. Verify that the ISAKMP proposals match.
• B. Ensure that UDP 500 is not being blocked between the devices.
• C. Correct the peer's IP address on the crypto map.
• D. Confirm that the pre-shared keys match on both devices.

Correct Answer: C

Question #83 (Topic 1)
Which VPN technology must be used to ensure that routers are able to dynamically form
connections with each other rather than sending traffic through a hub and be able to advertise
routes without the use of a dynamic routing protocol?

• A. FlexVPN
• B. DMVPN Phase 3
• C. DMVPN Phase 2
• D. GETVPN

Correct Answer: B
Question #84 (Topic 1)
An administrator is setting up AnyConnect for the first time for a few users. Currently, the router
does not have access to a RADIUS server. Which AnyConnect protocol must be used to allow users
to authenticate?

• A. EAP-GTC
• B. EAP-MSCHAPv2
• C. EAP-MD5
• D. EAP-AnyConnect

Correct Answer: D
Question #85 (Topic 1)

Refer to the exhibit. DMVPN spoke-to-spoke traffic works, but it passes through the hub, and never
sends direct spoke-to-spoke traffic. Based on the tunnel interface configuration shown, what must
be configured on the hub to solve the issue?

• A. Enable NHRP redirect.
• B. Enable split horizon.
• C. Enable IP redirects.
• D. Enable NHRP shortcut.

Correct Answer: D
Question #86 (Topic 1)

Refer to the exhibit. A user is connecting from behind a PC with a private IP Address. Their ISP
provider is blocking TCP port 443. Which AnyConnect XML configuration will allow the user to
establish a connection with the ASA?
A.

B.

C.

D.

Correct Answer: D
Question #87 (Topic 1)

Refer to the exhibit. Which two conclusions should be drawn from the DMVPN phase 2
configuration? (Choose two.)

• A. Next-hop-self is required.
• B. EIGRP neighbor adjacency will fail.
• C. EIGRP is used as the dynamic routing protocol.
• D. EIGRP route redistribution is not allowed.
• E. Spoke-to-spoke communication is allowed.

Correct Answer: CE
Question #88 (Topic 1)

Refer to the exhibit. The VPN tunnel between the FlexVPN spoke and FlexVPN hub 192.168.0.12 is
failing. What should be done to correct this issue?

• A. Add the address 192.168.0.12 255.255.255.255 command to the keyring configuration.
• B. Add the match fvrf any command to the IKEv2 policy.
• C. Add the aaa authorization group psk list Flex_AAA Flex_Auth command to the IKEv2
profile configuration.
• D. Add the tunnel mode gre ip command to the tunnel configuration.

Correct Answer: C
Question #89 (Topic 1)

Refer to the exhibit. An IKEv2 site-to-site tunnel between an ASA and a remote peer is not building
successfully. What will fix the problem based on the debug output?

• A. Ensure crypto IPsec policy matches on both VPN devices.
• B. Install the correct certificate to validate the peer.
• C. Correct crypto access list on both VPN devices.
• D. Specify the peer IP address in the tunnel group name.

Correct Answer: A
Question #90 Topic 1

Refer to the exhibit. A network engineer is reconfiguring clientless SSLVPN during a maintenance
window, and after testing the new configuration, is unable to establish the connection. What must
be done to remediate this problem?

• A. Enable client services on the outside interface.
• B. Enable clientless protocol under the group policy.
• C. Enable DTLS under the group policy.
• D. Enable auto sign-on for the user's IP address.

Correct Answer: B
Question #91 Topic 1
What are two purposes of the key server in Cisco IOS GETVPN? (Choose two.)

• A. to download encryption keys
• B. to maintain encryption policies
• C. to distribute routing information
• D. to encrypt data traffic
• E. to authenticate group members

Correct Answer: BE

Question #92 Topic 1
An engineer notices that while an employee is connected remotely, all traffic is being routed to the
corporate network. Which split-tunnel policy allows a remote client to use their local provider for
Internet access when working from home?

• A. tunnelall
• B. excludeall
• C. tunnelspecified
• D. excludespecified

Correct Answer: C
Question #93 Topic 1
In order to enable FlexVPN to use a AAA attribute list, which two tasks must be performed?
(Choose two.)

• A. Define the RADIUS server.
• B. Verify that clients are using the correct authorization policy.
• C. Define the AAA server.
• D. Assign the list to an authorization policy.
• E. Set the maximum segment size.

Correct Answer: BD
Question #94 Topic 1
Which technology and VPN component allows a VPN headend to dynamically learn post NAT IP
addresses of remote routers at different sites?

• A. DMVPN with ISAKMP
• B. GETVPN with ISAKMP
• C. DMVPN with NHRP
• D. GETVPN with NHRP

Correct Answer: C

Question #95 Topic 1
An engineer must configure remote desktop connectivity for offsite admins via clientless SSL VPN,
configured on a Cisco ASA to Windows Vista workstations.
Which two configurations provide the requested access? (Choose two.)

• A. Telnet bookmark via the Telnet plugin
• B. RDP2 bookmark via the RDP2 plugin
• C. VNC bookmark via the VNC plugin
• D. Citrix bookmark via the ICA plugin
• E. SSH bookmark via the SSH plugin

Correct Answer: BE

Question #96 Topic 1
A network engineer must design a clientless VPN solution for a company. VPN users must be able
to access several internal web servers. When reachability to those web servers was tested, it was
found that one website is not being rewritten correctly by the ASA. What is a potential solution for
this issue while still allowing it to be a clientless VPN setup?

• A. Set up a smart tunnel with the IP address of the web server.
• B. Set up a NAT rule that translates the ASA public address to the web server private address on port 80.
• C. Set up Cisco AnyConnect with a split tunnel that has the IP address of the web server.
• D. Set up a WebACL to permit the IP address of the web server.

Correct Answer: A
Question #97 Topic 1
Which two types of SSO functionality are available on the Cisco ASA without any external SSO
servers? (Choose two.)

• A. SAML
• B. NTLM
• C. Kerberos
• D. OAuth 2.0
• E. HTTP Basic

Correct Answer: BE

Question #98 Topic 1

Refer to the exhibit. Which type of VPN implementation is displayed?

• A. IKEv1 cluster
• B. IKEv2 backup gateway
• C. IKEv2 load balancer
• D. IKEv2 reconnect

Correct Answer: C
Question #99 Topic 1

Which VPN technology must be used to ensure that routers are able to dynamically form
connections with each other rather than sending traffic through a hub, and are able to advertise
routes without the use of a dynamic routing protocol?
A. FlexVPN
B. DMVPN Phase 3
C. DMVPN Phase 2
D. GETVPN

Answer: B

Question #100 Topic 1

In order to enable FlexVPN to use a AAA attribute list, which two tasks
must be performed? (Choose two.)

A. Define the RADIUS server.
B. Verify that clients are using the correct authorization policy.
C. Define the AAA server.
D. Assign the list to an authorization policy.
E. Set the maximum segment size.

Answer: BD

Question #101 Topic 1

Which two types of SSO functionality are available on the Cisco ASA without any
external SSO servers? (Choose two.)

A. SAML
B. NTLM
C. Kerberos
D. OAuth 2.0
E. HTTP Basic

Answer: BE
Question #102 Topic 1

Drag and Drop

Drag and drop the code snippets from the right onto the blanks in the configuration
to implement FlexVPN. Not all snippets are used.

Answer:
Question #103 Topic 1

A Cisco ASA is configured in active/standby mode. What is needed to ensure that Cisco
AnyConnect users can connect after a failover event?
A. AnyConnect images must be uploaded to both failover ASA devices.
B. The vpnsession-db must be cleared manually.
C. Configure a backup server in the XML profile.
D. AnyConnect client must point to the standby IP address.

Answer: A
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_standby.html
Question #104 Topic 1

A network engineer must design a remote access solution to allow contractors to access internal servers. These
contractors do not have permissions to install applications on their computers. Which VPN solution should be
used in this design?

A. IKEv2 AnyConnect
B. Clientless
C. Port Forwarding
D. SSL AnyConnect

Answer: B

Question #105 Topic 1

Which command shows the smart default configuration for an IPsec profile?

A. show run all crypto ipsec profile
B. ipsec profile does not have any smart default configuration
C. show smart-defaults ipsec profile
D. show crypto ipsec profile default

Answer: D

Question #106 Topic 1

Which two NHRP functions are specific to DMVPN Phase 3 implementation? (Choose
two.)

A. registration reply
B. redirect
C. resolution reply
D. registration request
E. resolution request

Answer: BC
Question #107 Topic 1

An administrator is designing a VPN with a partner's non-Cisco VPN solution. The partner's VPN
device will negotiate an IKEv2 tunnel that will only encrypt subnet 192.168.0.0/24 going to
10.0.0.0/24. Which technology must be used to meet these requirements?

A. VTI
B. crypto map
C. GETVPN
D. DMVPN

Answer: B
