Cisco 300-209 Online Practice Questions and Exam Preparation

Cisco 300-209 Online Questions & Answers

• Question 291:

  An Network Engineer is troubleshooting a VPN tunnel configured on an ASA and has found that Phase 1 is not completing. Which configuration parameter must match for IKE Phae 1 tunnel to get successfully negotiated?

  A. SA lifetime
  B. transform-set
  C. DH group
  D. idle timeout
  C. DH group

• Question 292:

  Which IKEv2 feature minimizes the configuration of a FlexVPN on Cisco IOS devices?

  A. IKEv2 Suite-B
  B. IKEv2 proposals
  C. IKEv2 profiles
  D. IKEv2 Smart Defaults
  D. IKEv2 Smart Defaults

• Question 293:

  SIMULATION

  Scenario

  You are the network security administrator for your organization. Your company is growing and a remote branch office is being created. You are tasked with configuring your headquarters Cisco ASA to create a site-to-site IPsec VPN

  connection to the branch office Cisco ISR. The branch office ISR has already been deployed and configured and you need to complete the IPsec connectivity configurations on the HQ ASA to bring the new office online.

  Use the following parameters to complete your configuration using ASDM. For this exercise, not all ASDM screens are active.

  Enable IKEv1 on outside I/F for Site-to-site VPN

  Add a Connection Profile with the following parameters:

  -Peer IP: 203.0.113.1

  -Connection name: 203.0.113.1

  -Local protected network: 10.10.9.0/24

  -Remote protected network: 10.11.11.0/24

  -Group Policy Name: use the default policy name supplied

  -Preshared key: cisco

  -Disable IKEv2

  -Encryption Algorithms: use the ASA defaults Disable pre-configured NAT for testing of the IPsec tunnel

  -

  Disable the outside NAT pool rule Establish the IPsec tunnel by sending ICMP pings from the Employee PC to the Branch Server at IP address 10.11.11.20 Verify tunnel establishment in ASDM VPN Statistics> Sessions window pane

  A. Check the explanation You have completed this exercise when you have successfully configured, established, and verified site-to-site IPsec connectivity between the ASA and the Branch ISR. Topology
  A. Check the explanation You have completed this exercise when you have successfully configured, established, and verified site-to-site IPsec connectivity between the ASA and the Branch ISR. Topology

  ---

  Correct Answer: Review the explanation for detailed answer steps. First, click on Configuration ->Site-to-Site VPN to bring up this screen:

  

  Click on "allow IKE v1 Access" for the outside per the instructions as shown below:

  

  Then click apply at the bottom of the page. This will bring up the following pop up message:

  

  Click on Send.

  Next, we need to set up the connection profile. From the connection profile tab, click on "Add"

  

  Then, fill in the information per the instructions as shown below:

  

  Hit OK and you should see this:

  

  To test this, we need to disable NAT. Go to Configuration -> Firewall -> NAT rules and you should see this:

  

  Click on Rule 1 to get the details and you will see this:

  

  We need to uncheck the "Enable rule" button on the bottom. It might also be a good idea to uncheck the "Translate DNS replies that match the rule" but it should not be needed. Then, go back to the topology:

  

  Click on Employee PC, and you will see a desktop with a command prompt shortcut. Use this to ping the IP address of 10.11.11.20 and you should see replies:

  

  We can also verify by viewing the VPN Statistics -> Sessions and see the bytes in/out incrementing as shown below:

  

  

• Question 294:

  Refer to the exhibit. What technology does the given configuration demonstrate?

  

  A. Keyring used to encrypt IPSec traffic
  B. FlexVPN with IPV6
  C. FlexVPN with AnyConnect
  D. Crypto Policy to enable IKEv2
  B. FlexVPN with IPV6

• Question 295:

  Which two parameters are specified in the isakmp (IKEv1) policy? (Choose two.)

  A. the peer
  B. the hashing algorithm
  C. the session key
  D. the authentication method
  E. the transform-set
  B. the hashing algorithm
  D. the authentication method

• Question 296:

  Which two examples of transform sets are contained in the IKEv2 default proposal? (Choose two.)

  A. aes-cbc-192, sha256, 14
  B. 3des, md5, 5
  C. 3des, sha1, 1
  D. aes-cbc-128, sha, 5
  B. 3des, md5, 5
  D. aes-cbc-128, sha, 5

• Question 297:

  A network administrator is configuring AES encryption for the ISAKMP policy on an IOS router. Which two configurations are valid? (Choose two.)

  A. crypto isakmp policy 10 encryption aes 254
  B. crypto isakmp policy 10 encryption aes 192
  C. crypto isakmp policy 10 encryption aes 256
  D. crypto isakmp policy 10 encryption aes 196
  E. crypto isakmp policy 10 encryption aes 198
  F. crypto isakmp policy 10 encryption aes 64
  B. crypto isakmp policy 10 encryption aes 192
  C. crypto isakmp policy 10 encryption aes 256

• Question 298:

  An engineer is configuring an IP VPN with IKEv2. Which two components are part of the IKEv2 proposal for this implementation? (Choose two.)

  A. Key ring
  B. Encryption
  C. Tunnel mode
  D. Peer name
  E. integrity
  B. Encryption
  E. integrity

• Question 299:

  A company's remote locations connect to data centers via MPLS.

  A new request requires that unicast traffic that exist the remote location be encrypted.

  Which no tunneled technology can be used to satisfy this requirement?

  A. SSL
  B. GET VPN
  C. DMVPN
  D. EzVPN
  B. GET VPN

• Question 300:

  Which Cisco ASDM option configures forwarding syslog messages to email?

  A. Configuration > Device Management > Logging > E-Mail Setup
  B. Configuration > Device Management > E-Mail Setup > Logging Enable
  C. Select the syslogs to email, click Edit, and select the Forward Messages option.
  D. Select the syslogs to email, click Settings, and specify the Destination Email Address option.
  A. Configuration > Device Management > Logging > E-Mail Setup