[PDF&VCE] Cisco New Exam 300-209 VCE Files Free Instant Download (41-60)

2016 October Cisco Official New Released 300-209 Dumps in Lead2pass.com!

100% Free Download! 100% Pass Guaranteed!

Good news, Lead2pass has updated the 300-209 exam dumps. With all the questions and answers in your hands, you will pass the Cisco 300-209 exam easily.

Following questions and answers are all new published by Cisco Official Exam Center: http://www.lead2pass.com/300-209.html

Which NGE IKE Diffie-Hellman group identifier has the strongest cryptographic properties?

A.    group 10
B.    group 24
C.    group 5
D.    group 20

Answer: D

What is the Cisco recommended TCP maximum segment on a DMVPN tunnel interface when the MTU is set to 1400 bytes?

A.    1160 bytes
B.    1260 bytes
C.    1360 bytes
D.    1240 bytes

Answer: C

Which technology does a multipoint GRE interface require to resolve endpoints?

A.    ESP
B.    dynamic routing
C.    NHRP
D.    CEF
E.    IPSec

Answer: C

Which two cryptographic technologies are recommended for use with FlexVPN? (Choose two.)

A.    SHA (HMAC variant)
B.    Diffie-Hellman
C.    DES
D.    MD5 (HMAC variant)

Answer: AB

Which command configures IKEv2 symmetric identity authentication?

A.    match identity remote address
B.    authentication local pre-share
C.    authentication pre-share
D.    authentication remote rsa-sig

Answer: D

Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)

A.    aes-cbc-192, sha256, 14
B.    3des, md5, 5
C.    3des, sha1, 1
D.    aes-cbc-128, sha, 5

Answer: BD

What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?

A.    disk0:/webvpn/{context name}/
B.    disk1:/webvpn/{context name}/
C.    flash:/webvpn/{context name}/
D.    nvram:/webvpn/{context name}/

Answer: C

Which command will prevent a group policy from inheriting a filter ACL in a clientless SSL VPN?

A.    vpn-filter none
B.    no vpn-filter
C.    filter value none
D.    filter value ACLname

Answer: C

Which command specifies the path to the Host Scan package in an ASA AnyConnect VPN?

A.    csd hostscan path image
B.    csd hostscan image path
C.    csd hostscan path
D.    hostscan image path

Answer: B

Hotspot Questions
When a tunnel is initiated by the headquarter ASA, which one of the following Diffie- Hellman groups is selected by the headquarter ASA during CREATE_CHILD_SA exchange?

A.    1
B.    2
C.    5
D.    14
E.    19

Answer: C
Traffic initiated by the HQ ASA is assigned to the static outside crypto map, which shown below to use DH group 5.

Hotspot Questions


Based on the provided ASDM configuration for the remote ASA, which one of the following is correct?

A.    An access-list must be configured on the outside interfaceto permit inbound VPN traffic
B.    A route to will not be automatically installed in the routing table
C.    The ASA will use a window of 128 packets (64×2) to perform the anti-replay check _
D.    The tunnel can also be established on TCP port 10000

Answer: C
Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this number (window size) is sufficient, but there are times when you may want to expand this window size. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.

Hotspot Questions




If the IKEv2 tunnel were to establish successfully, which encryption algorithm would be used to encrypt traffic?

A.    DES
B.    3DES
C.    AES
D.    AES192
E.    AES256

Answer: E
Both ASA’s are configured to support AES 256, so during the IPSec negotiation they will use the strongest algorithm that is supported by each peer.

Hotspot Questions




After implementing the IKEv2 tunnel, it was observed that remote users on the network are unable to access the internet. Which of the following can be done to resolve this problem?

A.    Change the Diffie-Hellman group on the headquarter ASA to group5forthe dynamic crypto map
B.    Change the remote traffic selector on the remote ASA to
C.    Change to an IKEvI configuration since IKEv2 does not support a full tunnel with static peers
D.    Change the local traffic selector on the headquarter ASA to
E.    Change the remote traffic selector on the headquarter ASA to

Answer: B
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from to

Hotspot Questions




Which option shows the correct traffic selectors for the child SA on the remote ASA, when the headquarter ASA initiates the tunnel?

A.    Local selector
Remote selector
B.    Local selector
Remote selector
C.     Local selector
Remote selector
D.     Local selector
Remote selector –
E.     Local selector –
Remote selector -

Answer: B
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from (THE LOCAL SIDE) to (THE REMOTE SIDE).

Lab Simulation
Step 1: configure key ring
crypto ikev2 keyring mykeys
peer SiteB.cisco.com
pre-shared-key local SiteA
pre-shared key remote SiteB
Step 2: Configure IKEv2 profile
Crypto ikev2 profile default
identity local fqdn SiteA.cisco.com
Match identity remote fqdn SiteB.cisco.com
Authentication local pre-share
Authentication remote pre-share
Keyring local mykeys
Step 3: Create the GRE Tunnel and apply profile
crypto ipsec profile default
set ikev2-profile default
Interface tunnel 1
ip address
Tunnel source eth 0/0
Tunnel destination
tunnel protection ipsec profile default

Which two are characteristics of GETVPN? (Choose two.)

A.    The IP header of the encrypted packet is preserved
B.    A key server is elected among all configured Group Members
C.    Unique encryption keys are computed for each Group Member
D.    The same key encryption and traffic encryption keys are distributed to all Group Members

Answer: AD

A company has decided to migrate an existing IKEv1 VPN tunnel to IKEv2. Which two arevalid configuration constructs on a Cisco IOS router? (Choose two.)

A.    crypto ikev2 keyring keyring-name
peer peer1
pre-shared-key local key1
pre-shared-key remote key2
B.    crypto ikev2 transform-set transform-set-name esp-3des esp-md5-hmac
esp-aes esp-sha-hmac
C.    crypto ikev2 map crypto-map-name
set crypto ikev2 tunnel-group tunnel-group-name
set crypto ikev2 transform-set transform-set-name
D.    crypto ikev2 tunnel-group tunnel-group-name
match identity remote address
authentication local pre-share
authentication remote pre-share
E.    crypto ikev2 profile profile-name
match identity remote address
authentication local pre-share
authentication remote pre-share

Answer: AE

Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.)

A.    authenticates group members
B.    manages security policy
C.    creates group keys
D.    distributes policy/keys
E.    encrypts endpoint traffic
F.    receives policy/keys
G.    defines group members

Answer: ABCD

Where is split-tunneling defined for remote access clients on an ASA?

A.    Group-policy
B.    Tunnel-group
C.    Crypto-map
D.    Web-VPN Portal
E.    ISAKMP client

Answer: A

Which of the following could be used to configure remote access VPN Host-scan and pre- login policies?

A.    ASDM
B.    Connection-profile CLI command
C.    Host-scan CLI command under the VPN group policy
D.    Pre-login-check CLI command

Answer: A

Once there are some changes on 300-209 exam questions, we will update the study materials timely to make sure that our customer can download the latest edition.

300-209 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDODI1TDlUT1lBV00

2016 Cisco 300-209 exam dumps (All 237 Q&As) from Lead2pass:

http://www.lead2pass.com/300-209.html [100% Exam Pass Guaranteed]

Why Choose Lead2pass?

If you want to pass the exam successfully in first attempt you have to choose the best IT study material provider, in my opinion, Lead2pass is one of the best way to prepare for the exam.

Lead2pass Testking Pass4sure Actualtests Others
$99.99 $124.99 $125.99 $189 $29.99-$49.99
Real Questions
Error Correction
Printable PDF
Premium VCE
VCE Simulator
One Time Purchase
Instant Download
Unlimited Install
100% Pass Guarantee
100% Money Back