cisco 300-730 practice test
implementing secure solutions with virtual private networks (svpn 300-730)
Question 1
Which two changes must be made in order to migrate from DMVPN Phase 2 to Phase 3 when EIGRP is configured? (Choose two.)
- A. Add NHRP shortcuts on the hub.
- B. Add NHRP redirects on the spoke.
- C. Disable EIGRP next-hop-self on the hub.
- D. Enable EIGRP next-hop-self on the hub.
- E. Add NHRP redirects on the hub.
Answer:
ce
Question 2
Refer to the exhibit.
An engineer must allow Cisco AnyConnect users to access the outside interface using protocol UDP 500/4500. In addition, these clients must be able to establish an SSL connection to update Cisco AnyConnect software over the same connection. Which two actions must be taken to achieve this goal? (Choose two.)
- A. IPsec (IKEv2) Allow Access must be checked on the outside interface.
- B. SSL Enable DTLS must be checked on the outside interface.
- C. Bypass interface access lists for inbound VPN sessions must be unchecked.
- D. IPsec (IKEv2) Enable Client Services must be checked on the outside interface.
- E. SSL Allow Access must be checked on the outside interface.
Answer:
ae
Question 3
A network engineer is installing Cisco AnyConnect on company laptops so that users can access corporate resources remotely. The VPN concentrator is a Cisco router running IOS-XE 16.9.1 code and configured as a FlexVPN server that uses local authentication and *$Cisc431089017$* as the key-id for the IKEv2 profile. Which two steps must be taken on the computer to allow a successful AnyConnect connection to the router? (Choose two.)
- A. In the Cisco AnyConnect XML profile, set the IPsec Authentication method to EAP-AnyConnect.
- B. In the Cisco AnyConnect XML profile, add the hostname and host address to the server list.
- C. In the Cisco AnyConnect XML profile, set the user group field to DefaultAnyConnectClientGroup.
- D. In the Cisco AnyConnect Local Policy, set the BypassDownloader option in the local to true.
- E. In the Cisco AnyConnect Local Policy, add the router IP address to the Update Policy.
Answer:
ad
Question 4
What is a characteristic of GETVPN?
- A. An ACL that defines interesting traffic must be configured and applied to the crypto map.
- B. Quick mode is used to create an IPsec SA.
- C. The remote peer for the IPsec session is configured as part of the crypto map.
- D. All peers have one IPsec SPI for inbound and outbound communication.
Answer:
d
Question 5
Refer to the exhibit. A network administrator is setting up Cisco AnyConnect on an ASA headend. When users attempt to connect to the VPN, they are presented with this message. The administrator has replaced the ASA's self-signed certificate with a certificate enrolled with the internal CA and has confirmed that the certificate is not revoked. Which two tasks will the administrator need to do to prevent users from seeing this message? (Choose two.)
- A. Trust the issuing CA for the ASA identity certificate on the user's PC.
- B. Enroll and import an SSL certificate with the CN value example.cisco.com on the ASA.
- C. Add the CN example.cisco.com to the AnyConnect XML certificate matching section.
- D. Enable certificate authentication under the connection profile.
- E. Add example.cisco.com to the server name list within the AnyConnect Local Policy.
Answer:
ab
Question 6
Refer to the exhibit. A network administrator is setting up a phone VPN on a Cisco ASA. The phone cannot connect and the error is presented in a debug on the Cisco ASA. Which action fixes this issue?
- A. Enable web-deploy of the posture module so that the module can be downloaded from the Cisco ASA to an IP phone.
- B. Configure the Cisco ASA to present an RSA certificate to the phone for authentication.
- C. Disable Cisco Secure Desktop under the connection profile VPNPhone.
- D. Install the posture module on the Cisco ASA.
Answer:
c
Question 7
Refer to the exhibit. A network engineer is reconfiguring clientless SSLVPN during a maintenance window, and after testing the new configuration, is unable to establish the connection. What must be done to remediate this problem?
- A. Enable client services on the outside interface.
- B. Enable clientless protocol under the group policy.
- C. Enable DTLS under the group policy.
- D. Enable auto sign-on for the user's IP address.
Answer:
b
Question 8
Refer to the exhibit.
Which type of VPN tunnel is configured?
- A. Multipoint GRE
- B. DMVPN
- C. FlexVPN
- D. GRE over IPsec
Answer:
b
Question 9
Refer to the exhibit. A customer cannot establish an IKEv2 site-to-site VPN tunnel between two Cisco ASA devices. Based on the syslog message, which action brings up the VPN tunnel?
- A. Reduce the maximum SA limit on the local Cisco ASA.
- B. Increase the maximum in-negotiation SA limit on the local Cisco ASA.
- C. Remove the maximum SA limit on the remote Cisco ASA.
- D. Correct the crypto access list on both Cisco ASA devices.
Answer:
b
Question 10
A Cisco AnyConnect client establishes a SSL VPN connection with an ASA at the corporate office. An engineer must ensure that the client computer meets the enterprise security policy. Which feature can update the client to meet an enterprise security policy?
- A. Endpoint Assessment
- B. Cisco Secure Desktop
- C. Basic Host Scan
- D. Advanced Endpoint Assessment
Answer:
d