
Document: Cisco Secure VPN Version 5.1 (pptx)


DOCUMENT INFORMATION

Basic information

Title: Cisco Secure VPN Version 5.1
Institution: Cisco Systems, Inc.
Subject: Network Security
Type: Technical guide
Pages: 139
Size: 0.95 MB


Contents


9E0-121 (CSVPN)

Cisco Secure VPN

Version 5.1


Important Note, Please Read Carefully

Study Tips

This product provides you with questions and answers along with detailed explanations, carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material

For this test TestKing also provides:

* Interactive Test Engine Examinator. Check out an Examinator Demo at

http://www.testking.com/index.cfm?pageid=724

Latest Version

We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at TestKing for an update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

1. Go to www.testking.com

2. Click on Member zone/Log in

3. The latest versions of all purchased products are downloadable from here. Just click the links.

For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.


Note 1:

Section A contains 93 questions

Section B contains 126 questions

Section C contains 171 questions

The total number of questions is 390

Note 2: The first customer, if any, to beat TestKing in providing answers to the unanswered questions will receive a free TestKing product. Send answers to feedback@testking.com

You access the interactive hardware client authentication and individual user authentication login screens from the VPN 3002 Hardware Client Manager login screen.

Note: You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a008015d019.html#1006934

QUESTION NO: 2

Performing Quick Configuration on a VPN 3002 Hardware Client, under "Private Interface", what options are available to the administrator? (Choose all that apply)

A Do not use the DHCP server to provide address

B Do you want to use DHCP server on Interface 1 to provide addresses for the local LAN?

C Do not use DHCP client to request address

D Do you want to use DHCP client to request addresses for the local LAN?


Answer: A, B

Explanation:

Choose one of the menu options listed:

• If you want to disable the DHCP server, at the prompt enter 1 Disable DHCP Server, and continue with quick configuration.

• If you want to enable and configure the DHCP server, at the prompt enter 2 Enable and Configure DHCP Server, and follow Steps 6 through 9 below.

• If you want to enable the DHCP server with existing parameters, at the prompt enter 3.

Reference: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/4_0/gs/3002gs.pdf

QUESTION NO: 3

A VPN 3000 Concentrator is configured with Optional as the Firewall Setting and the expected Firewall is set to ICE BlackICE Defender. A client connects without any Firewall.

Which of the following will happen?

A The tunnel will establish as normal

B There is no optional firewall setting in the AYT configuration on a Cisco 3000 Concentrator

C All answers are incorrect

D The tunnel will establish, AYT will fail, the tunnel will be removed and the client will get disconnected

E The Tunnel will establish, but the administrator will receive a notification message that the client did not match any of the Concentrator’s configured firewalls

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_note09186a008015ee05.html

QUESTION NO: 4

Trojan horses fall into which of the following methods?

A Denial of Service Methods

B Reconnaissance Methods

C Stealth Methods

to command.com (the primary interpreter for Windows systems), which deletes certain files and infects any other versions of command.com that it can find. A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is a software application that runs a simple game on the user's workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every user in the user's address book. Then other users get the game and play it, thus spreading the Trojan horse.

Reference: SAFE White Papers, page 70

SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION NO: 5

What are the two purposes of X.509 certificate serial numbers?

A It is a unique certificate numerical identifier in the certificate authority domain

B It identifies the certificate authority public key and hashing algorithm

C Includes subject’s public key and hashing algorithm

D It is the number used to identify certificates in CRLs

E It specifies start and expiration dates on the certificate

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800d658e.shtml

QUESTION NO: 6


Which of the following statements is true in defining RSA signature system?

A An RSA signature is formed when data is encrypted with a user’s private key and the receiver verifies the signature by decrypting the message with the sender’s private key

B An RSA signature is formed when data is encrypted with a user’s public key and the receiver verifies the signature by decrypting the message with the sender’s private key,

C An RSA signature is formed when data is encrypted with a user’s private key and the receiver verifies the signature by decrypting the message with the sender’s public key

D An RSA signature is formed when data is encrypted with a user’s public key and the receiver verifies the signature by decrypting the message with the sender’s public key

Answer: C

Explanation:

An RSA signature is formed by encrypting (signing) a hash of the data with the signer's private key; the receiver verifies it by decrypting with the signer's public key, which it takes from the signer's certificate. With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote peer and performing some public key cryptography. Each peer must send its own unique certificate, which was issued and validated by the CA. This process works because each peer's certificate encapsulates the peer's public key, each certificate is authenticated by the CA, and all participating peers recognize the CA as an authenticating authority. This is called IKE with an RSA signature.

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f63.html
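The direction of the keys is the whole point of option C, so here is the operation spelled out in code. This is an added example, not part of the question bank and not Cisco code: it uses textbook RSA with two constructed primes (P and Q) and a bare SHA-256 hash in place of PKCS#1 padding, which is enough to show why the verifier needs only the signer's public key and why "signing" with a public key (option D) proves nothing about who sent the message.

```python
import hashlib

# Added example: textbook RSA signing with constructed toy-sized primes.
# Not from the original document or any Cisco product; real deployments use
# 2048-bit or larger moduli and a padding scheme (PKCS#1 v1.5 or PSS).
P = 1000000007   # constructed prime
Q = 998244353    # constructed prime
E = 65537        # common public exponent


def keygen(p=P, q=Q, e=E):
    """Return (public, private) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # d = e^-1 mod phi(n); Python 3.8+
    return (n, e), (n, d)


def digest(msg: bytes, n: int) -> int:
    """Hash the message and reduce it into Z_n (stand-in for proper padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, private) -> int:
    """Form the signature with the signer's PRIVATE key (option C)."""
    n, d = private
    return pow(digest(msg, n), d, n)


def verify(msg: bytes, sig: int, public) -> bool:
    """Verify with the signer's PUBLIC key, e.g. taken from its X.509 certificate."""
    n, e = public
    return pow(sig, e, n) == digest(msg, n)


def wrong_direction(msg: bytes, public) -> int:
    """What option D describes: 'signing' with the public key. Anyone holding
    the certificate can produce this value, so it authenticates nobody, and
    the public key cannot undo it either."""
    n, e = public
    return pow(digest(msg, n), e, n)


if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"IKE phase 1 identity payload (constructed sample)"
    sig = sign(msg, priv)
    print("valid signature verifies:", verify(msg, sig, pub))
    print("tampered message verifies:", verify(msg + b"x", sig, pub))
    print("public-key 'signature' verifies:", verify(msg, wrong_direction(msg, pub), pub))
```

Run it directly to see a valid signature verify and a tampered message fail. In IKE the public key that verify() uses comes from the peer's X.509 certificate, which is why each peer must present a certificate issued by a CA both sides trust.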

QUESTION NO: 7

Which model of the VPN 3000 Concentrator matches the following descriptions:

- 256 MB of SRAM

- Hardware Based Encryption

- Programmable DSP-based security accelerator

- Supports up to 5000 simultaneous remote connections

• Appropriate for a large central site

• Supports up to 5000 simultaneous sessions

• Supports two SEP2 hardware modules-up to 5000 sessions

• Upgradeable

• Memory – 256 MB SRAM standard

• Encryption – Hardware-based SEP2 - Programmable DSP-based security accelerator


Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 55 + 57

If you have multiple Cisco peers in a mesh topology, and wish to exchange IPSec traffic passing between all of the peers, you must first configure shared keys or RSA public keys between all of the peers.

Every time a new peer is added to the IPSec network, you must configure keys between the new peer and each of the existing peers.

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080089901.html

QUESTION NO: 9

VPN is the most cost-effective method of establishing a point-to-point connection between remote users and the enterprise network. Cisco categorizes VPNs in three types: (Choose three)

QUESTION NO: 10

To troubleshoot SCEP enrollment, the administrator should scrutinize what event class in the event log?

• CA and RA public key distribution

If the LAN-to-LAN tunnel is not established, which three IPSec LAN-to-LAN configuration parameters should the administrator verify at both ends of the tunnel? (Choose three)

A Name

B Pre-shared key

C Authentication

D Routing

E Local network IP address

F Remote network IP address

Answer: C, E, F

Explanation:

A continuation of step 2 includes going to Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN and clicking Add to configure the IPSec parameters as follows:

Step 1 Enter the name for the LAN-to-LAN connection.

Step 2 Set the peer value to be the IP address assigned to the outside interface of the remote PIX Firewall.

Step 3 Enter an alphanumeric string value for the preshared key to match that of the peer, or select a digital certificate.

Step 4 Select the authentication and encryption values to match the IPSec policy. Select the IKE policy configured in Step 1.

Step 5 Set the local network to be the network address that the private interface is on.

Step 6 Set the destination network to be a network on the peer's network. Set the wildcard mask to be that network's subnet mask.

Step 7 Click Add.

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 324

QUESTION NO: 12

Which statement about the Cisco VPN client software update is true?

A As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client automatically downloads a new version of code from a configured web site

B As remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client automatically downloads a new version of code from a TFTP server

C As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator automatically downloads a new version of the software

D As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator only sends an update notification to the remote Cisco VPN Client

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00800dc6fe.html

QUESTION NO: 13


To clear the ARP cache on a Cisco VPN Concentrator, which status screen should the administrator access?

A Monitor | Routing Table

B Monitor | ARP cache

C Monitor | Statistics | MIB-II

D Monitor | System Statistics

Answer: C

Explanation:

Monitoring | Statistics | MIB-II | ARP Table

This screen shows entries in the Address Resolution Protocol mapping table since the VPN 3002 was last booted or reset. ARP matches IP addresses with physical MAC addresses, so the system can forward traffic to computers on its network. RFC 2011 defines MIB entries in the ARP table.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00800bcd4e.html#1889235

QUESTION NO: 14

When first installing the Cisco VPN Concentrator, why should you use CLI?

A To configure the Cisco VPN Concentrator

B To configure the private LAN port

C To connect to the Internet

D To configure serial ports

Answer: B

Explanation:

The private LAN interface on the Cisco VPN 3000 Concentrator series must initially be configured with the CLI. Once the private interface is configured, you can use the browser management interface.

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 235

QUESTION NO: 15

Choose the two ways an administrator can set up user authentication and IP address assignment. (Choose two)

A Per user

Configuring Address Assignment

You can select prioritized methods for assigning IP addresses to clients as a tunnel is established. The methods are tried in the order listed. You must select at least one method. You can select any and all methods:

Reference: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/gs/gs.pdf

QUESTION NO: 16

Which three are Cisco VPN Client firewall features? (Choose three)

A Are you there

• Support for firewalls

• Centralized Protection Policy

• Stateful Firewall

• ICMP permission

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a008015e26e.html

D Automated enrollment process

E Out-of-band enrollment process

F Certified enrollment process

Answer: A B

Explanation:

Cisco Secure VPN Client interoperates with Cisco networking devices using digital certificates in certification authority (CA) and Registration Authority (RA) modes with file-based enrollment and Simple Certificate Enrollment Protocol (SCEP).

Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/icpdf.pdf

QUESTION NO: 19

When the IPSec client-to-LAN applications are changed from pre-shared keys to digital certificates, what is true about the IPSec SA?

A SA IKE authentication method should be changed

B SA IPSec authentication method should be changed

C When the digital certificate is validated, the IPSec SA template automatically is updated

D When the digital certificate is activated, the IPSec SA template is automatically updated

Answer: A

Explanation:

Using digital certificates, clients establish a secure tunnel over the Internet to the enterprise. A certification authority (CA) issues a digital certificate to each client for device authentication. VPN Clients may either use static IP addressing with manual configuration or dynamic IP addressing with IKE Mode Configuration. The CA server checks the identity of remote users, then authorizes remote users to access information relevant to their function. Extranet VPNs with the Cisco Secure VPN Client are addressed in "Configuring Digital Certification." Static and dynamic IP addressing is addressed in "Configuring Dynamic IP Addressing."

Reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/icdcs.htm#18263

QUESTION NO: 20

How did Cisco solve the PAT translation issue?

A Wrap a standard IKE packet with a UDP port number

B Wrap a standard IPSec packet with a UDP port number


C Change the IKE TCP port number from a well known to a dynamically assigned port number

D Change the IPSec TCP port number from a well known to a dynamically assigned port number

Answer: B
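ESP is IP protocol 50 and carries no port numbers, so a PAT device has nothing to translate; wrapping the ESP packet in UDP gives it a port. The following is an added example, not from the question bank or any Cisco product: it models the standardized form of that idea, RFC 3948 UDP encapsulation on port 4500, including the four-byte non-ESP marker that lets IKE and ESP share the port and the one-byte keepalive that holds the PAT entry open. The SPI, sequence number and payloads are constructed sample values. (Cisco's earlier proprietary IPSec over UDP used a configurable port, 10000 by default, but the principle is the same.)

```python
import struct

# Added example: RFC 3948 UDP encapsulation of ESP (NAT traversal on UDP/4500).
# Not from the original document or any Cisco product; the SPI, sequence
# number and payloads used below are constructed sample values.

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix for IKE carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that refreshes the PAT binding


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP payload for an ESP packet: the raw ESP packet, nothing added.
    The PAT device now sees a UDP header (ports it can rewrite) instead of
    bare IP protocol 50, which has no ports at all."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_body


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE sent on UDP/4500 carries a 4-byte zero marker so the receiver can
    tell it apart from ESP, whose SPI is never zero."""
    return NON_ESP_MARKER + ike_message


def demultiplex(udp_payload: bytes):
    """Receiver side: classify a datagram that arrived on UDP/4500."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive", None
    if len(udp_payload) < 4:
        raise ValueError("short datagram")
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike", udp_payload[4:]
    if len(udp_payload) < 8:
        raise ValueError("ESP header truncated")
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return "esp", {"spi": spi, "seq": seq, "body": udp_payload[8:]}


if __name__ == "__main__":
    # constructed samples: an ESP packet and an IKE message stub
    print(demultiplex(encapsulate_esp(0x1A2B3C4D, 7, b"ciphertext-sample")))
    print(demultiplex(encapsulate_ike(b"\x01\x02\x03\x04IKE-header-stub")))
    print(demultiplex(NAT_KEEPALIVE))
```

The same port carries three kinds of datagram, and the first bytes decide which: 0xFF alone is a keepalive, four zero bytes announce IKE, anything else is an ESP header whose first field is a non-zero SPI.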

QUESTION NO: 21

How is user authentication enabled on the Cisco VPN 3002?

A Checked on the Cisco VPN Concentrator and pushed down to the Cisco VPN 3002

B Unchecked on the Cisco VPN Concentrator and pushed down to the Cisco VPN 3002

C Checked on the Cisco VPN 3002

D Unchecked on the Cisco VPN 3002

What are the three steps in the auto-update configuration process? (Choose three)

A Enable the client update functionality in the Cisco VPN 3002

B Enable the client update functionality in the Cisco VPN Concentrator

C Modify the group-client, auto-update parameter

D Configure the IKE auto-update message parameters

E Send an update message

F Configure the IPSec auto-update message parameters

Answer: B, C, E

Explanation:

This process uploads the executable system software to the VPN Concentrator, which then verifies the integrity of the software image.

The new image file must be accessible by the workstation you are using to manage the VPN Concentrator. Software image files ship on the Cisco VPN 3000 Concentrator CD-ROM. Updated or patched versions are available from the Cisco website, www.cisco.com, under Service & Support > Software Center.

It takes a few minutes to upload and verify the software, and the system displays the progress. Please wait for the operation to finish.

To run the new software image, you must reboot the VPN Concentrator. The system prompts you to reboot when the update is finished.

Reference: VPN 3000 Concentrator Ref Vol 2 Config 4.0.pdf

QUESTION NO: 23

When two adjacent Cisco VPN Concentrators are configured for VRRP and the master Cisco VPN Concentrator fails, which statement is true?

A All sessions are lost

B Only remote access users need to re-establish their tunnels

C No sessions are lost

D Only site-to-site users need to re-establish their tunnels

Answer: B

Explanation:

These functions apply only to installations where two or more VPN Concentrators are in parallel. One VPN Concentrator is the master system, and the other(s) are backup systems. A backup system acts as a virtual master system when a switchover occurs.

Reference: VPN 3000 Concentrator Ref Volume 1 Configuration 4.0.pdf

IP ESP seeks to provide confidentiality and integrity by encrypting data to be protected and placing the encrypted data in the data portion of the IP ESP. Depending on the user's security requirements, this mechanism can be used to encrypt either a transport-layer segment (such as TCP, UDP, ICMP, IGMP) or an entire IP datagram. Encapsulating the protected data is necessary to provide confidentiality for the entire original datagram. Use of this specification will increase the IP protocol processing costs in participating systems and will also increase the communications latency. The increased latency is primarily due to the encryption and decryption required for each IP datagram containing an ESP.

Reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094628.shtml
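To make the sentences about confidentiality and encapsulation concrete, here is an added example (not from the document or any Cisco code) of ESP in tunnel mode: the entire inner IP datagram, padding, Pad Length and Next Header are encrypted, and the HMAC-SHA1-96 ICV is then computed over the ESP header plus the ciphertext, so encryption happens before authentication and the receiver can reject a forged packet before it spends any effort decrypting. The keystream cipher is a standard-library stand-in for AES/3DES; the keys, SPI and inner datagram are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added example: ESP tunnel-mode encapsulation (RFC 2406 layout). Not from the
# original document or any Cisco code. The keystream cipher is a stand-in for
# AES/3DES so the example runs on the standard library only; the HMAC-SHA1-96
# ICV is the real ESP authenticator (RFC 2404). Keys, SPI and the inner
# datagram are constructed sample values.

IPPROTO_IPIP = 4     # Next Header in tunnel mode: the payload is a whole IP datagram
ICV_LEN = 12         # HMAC-SHA1-96 truncates the 20-byte tag to 96 bits


def keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """PRF-based CTR keystream bound to (SPI, seq) so it is never reused."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def esp_encapsulate(inner_ip: bytes, spi: int, seq: int, enc_key: bytes, auth_key: bytes) -> bytes:
    # 1. Trailer: pad to a 4-byte boundary, then Pad Length and Next Header.
    pad_len = (-(len(inner_ip) + 2)) % 4
    plaintext = inner_ip + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    # 2. Encrypt the ENTIRE original datagram plus trailer (confidentiality).
    ks = keystream(enc_key, spi, seq, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    header = struct.pack("!II", spi, seq)
    # 3. Authenticate header + ciphertext: encryption comes first, and the ICV
    #    covers the ciphertext rather than the plaintext.
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(packet: bytes, enc_key: bytes, auth_key: bytes) -> bytes:
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    # Verify first: a forged or corrupted packet is dropped before decryption.
    expected = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed")
    spi, seq = struct.unpack("!II", header)
    ks = keystream(enc_key, spi, seq, len(body))
    plaintext = bytes(a ^ b for a, b in zip(body, ks))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("not a tunnel-mode payload")
    return plaintext[:-(2 + pad_len)]


# Constructed sample: a 20-byte IPv4 header (10.1.1.5 -> 10.2.2.9, TCP) plus 8 payload bytes.
SAMPLE_INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 6, 0,
                           bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9])) + b"ping-pay"
ENC_KEY = b"constructed-enc-key-16by"
AUTH_KEY = b"constructed-auth-key-20b"

if __name__ == "__main__":
    pkt = esp_encapsulate(SAMPLE_INNER, 0x1001, 1, ENC_KEY, AUTH_KEY)
    print("ESP packet:", pkt.hex())
    print("round trip ok:", esp_decapsulate(pkt, ENC_KEY, AUTH_KEY) == SAMPLE_INNER)
```

Note what an observer on the path sees: the outer SPI and sequence number, then opaque ciphertext and the ICV. The inner source and destination addresses are inside the encrypted region, which is what tunnel mode buys over transport mode.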


Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 55 + 57

QUESTION NO: 26

What is the name of the application that must be added to the Concentrator to perform load balancing?

A Virtual Termination Point (VTP)

B Virtual Designated Concentrator (VDC)

C Virtual Cluster Agent (VCA)

D Virtual Access Point (VAP)

Answer: C

Explanation:

Before you can configure load balancing on a VPN Concentrator, you must do the following:

• Configure the private and public interfaces

• Configure the filters for the private and public interfaces to allow the Virtual Cluster Agent (VCA) load balancing protocol

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce26.html

QUESTION NO: 27

On a VPN 3002 hardware, what are the three levels of GUI Access rights? (Choose three)

A Admin


The Access Rights determine access to and rights in VPN Concentrator Manager functional areas (Authentication or General), or via SNMP. Click the Access Rights drop-down menu button and choose the access rights:

• None = No access or rights

• Stats Only = Access to only the Monitoring section of the VPN Concentrator Manager. No rights to change parameters.

• View Config = Access to permitted functional areas of the VPN Concentrator Manager, but no rights to change parameters.

• Modify Config = Access to permitted functional areas of the VPN Concentrator Manager, and rights to change parameters.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_administration_guide_chapter09186a008015c519.html

QUESTION NO: 28

Configuring a firewall policy:

A New filters are added to rules

B Unlike ACLs, which have an implicit deny all at the end of their statements, Filters do not have an implicit deny all

C New rules are added to filters

D Like ACLs, which have an implicit deny all at the end of their statements, Filters also have an implicit deny all

Answer: B, C

Explanation:

When you want the VPN Concentrator to push the firewall policy to the VPN Client, you must first define the policy on the VPN Concentrator. To do this you need to create a filter and add rules to the filter on the public network. The VPN 3000 Concentrator provides a default filter you can use for CPP by selecting it from the menu. The name of this filter is "Firewall Filter for VPN Client (Default)". This filter allows all outbound traffic and drops all inbound traffic. Firewall filters are session filters, rather than packet filters. This means that for an "allow all outbound/drop all inbound" rule, the CPP policy lets inbound responses come back from outbound sessions only for the IP protocols TCP, UDP, and ICMP. These protocols are the only protocols that are "stateful."

Most administrators will want to use a rule that blocks all inbound traffic and either permits all outbound traffic or limits outbound traffic to specific TCP and UDP ports. For complete information on creating filters and adding rules in general, see VPN 3000 Series Concentrator

Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications. When hackers attempt to penetrate a particular network, they often need to learn as much information as possible about the network before launching attacks. This can take the form of Domain Name System (DNS) queries, ping sweeps, and port scans.

Reference: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION NO: 30

After you issue the “crypto ca enroll”, you are prompted to create a challenge password Why should you remember this password?

A Because it is required if you intend to generate multiple certificates

B Because if you ever try to reboot, you will be prompted for this password

C Because it is required to generate RSA key pairs

D You must supply this challenge password if you ever ask the CA to revoke your certificate

Answer: D

Explanation:

This command (crypto ca enroll) requests certificates from the CA for all of your router's RSA key pairs. This task is also known as enrolling with the CA.

During the enrollment process, you are prompted for a challenge password, which can be used by the CA administrator to validate your identity. The same challenge password must be supplied if you later ask the CA to revoke the certificate, and it is not stored in the router configuration, so keep a record of it.

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 124

Then you inform your infamous MIS Director and give him the IP address, the Login name as “admin” and the password as “admin”

The Director points his browser to http://www.172.29.10.44

What will happen next?

A The browser will open but the login will fail because of a wrong password

B The browser will open with the "VPN 3000 Concentrator Series Manager" GUI and ask for the username and password

C The browser will fail and say "The page cannot be displayed"

D The browser will open but the login will fail because of a wrong Login

Answer: C

Explanation:

The MIS Director will not be able to connect using "http://www.172.29.10.44" in the address bar of the browser; the browser will show "This page cannot be displayed" in the window. The correct syntax is "http://172.29.10.44".

QUESTION NO: 32

The IKE protocol supports multiple authentication methods during the phase one exchange. The two entities must agree on a common authentication protocol through a negotiation process.

In how many ways can IKE phase one authenticate IPSec peers?

Determine the authentication method. Choose the authentication method based on the key distribution method. Cisco IOS software supports preshared keys, RSA encrypted nonces, or RSA signatures to authenticate IPSec peers.

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 69

Reference:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/cfencov.htm

QUESTION NO: 34

In the top section of the IPSec LAN-to-LAN screen, what is the peer value?

A System name of the remote Cisco VPN Concentrator

B Internal IP address of the remote Cisco VPN Concentrator

C Public Interface IP address of the remote peer

D Private interface IP address of the remote peer


QUESTION NO: 35

What are three steps in the file-based certificate enrollment process? (Choose three)

A The identity certificate is loaded into the Cisco VPN Concentrator first

B The CA generates the root and identity certificates

C The root certificate is loaded into the Cisco VPN Concentrator second

D The root certificate is loaded into the Cisco VPN Concentrator first

E Cisco VPN Concentrator generates a PKCS#7

F The Cisco VPN Concentrator generates a PKCS#10

Answer: B, D, F

QUESTION NO: 36

Exhibit:

For connection 3 of the firewall policy chart, choose the action and IP addresses

A action drop, destination address, any

B action forward, destination address, any

C action forward, destination address, www.cisco.com

D action drop, destination address, www.cisco.com

Answer: B

Explanation:

A firewall rule includes the following fields:

• Action—The action taken if the data traffic matches the rule:

  o Drop = Discard the session

  o Forward = Allow the session to go through

• Direction—The direction of traffic to be affected by the firewall:

  o Inbound = traffic coming into the PC, also called local machine

  o Outbound = traffic going out from the PC to all networks while the VPN Client is connected to a secure gateway

• Source Address—The address of the traffic that this rule affects:

  o Any = all traffic; for example, drop any inbound traffic

  o This field can also contain a specific IP address and subnet mask

  o Local = the local machine; if the direction is Outbound then the Source Address is local

• Destination Address—The packet's destination address that this rule checks (the address of the recipient):

  o Any = all traffic; for example, forward any outbound traffic

  o Local = The local machine; if the direction is Inbound, the Destination Address is local

• Protocol—The Internet Assigned Numbers Authority (IANA) number of the protocol that this rule concerns (6 for TCP; 17 for UDP and so on)

• Source Port—Source port used by TCP or UDP

• Destination Port—Destination port used by TCP or UDP

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a008015ce7d.html#1122639

Reference: VPN Client Administrator Guide 4.0
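The rule fields above and the session-filter behaviour described under question 28 fit in a few dozen lines, so here is an added model of a CPP filter, not the VPN Client's code and not from the original document. Rules carry the fields listed (action, direction, addresses, protocol, ports); the filter has an explicit default action rather than an implicit deny; and replies to TCP, UDP and ICMP sessions the PC opened are forwarded even though the "drop all inbound" rule would otherwise match them. The rule set and traffic are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: a model of the Cisco VPN Client's CPP firewall filter with the
# rule fields listed above and the session-filter behaviour described under
# question 28. Not the VPN Client's code and not from the original document;
# the rules and traffic are constructed samples.

STATEFUL_PROTOCOLS = {1, 6, 17}   # ICMP, TCP, UDP: the only protocols tracked as sessions


@dataclass
class Rule:
    action: str                       # "forward" or "drop"
    direction: str                    # "inbound" or "outbound"
    protocol: Optional[int] = None    # IANA protocol number; None = any
    src: Optional[str] = None         # None = any, "local" = this PC, or an address
    dst: Optional[str] = None
    sport: Optional[int] = None       # TCP/UDP source port; None = any
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (self.direction == pkt["direction"]
                and self.protocol in (None, pkt["proto"])
                and self.src in (None, pkt["src"])
                and self.dst in (None, pkt["dst"])
                and self.sport in (None, pkt["sport"])
                and self.dport in (None, pkt["dport"]))


class CppFilter:
    """Rules are evaluated in order and the first match decides. There is no
    implicit deny: when nothing matches, the filter's own default action is
    used (the concentrator exposes this as a per-filter setting)."""

    def __init__(self, rules, default_action: str = "drop"):
        self.rules = list(rules)
        self.default_action = default_action
        self.sessions = set()   # (proto, local addr, local port, remote addr, remote port)

    def process(self, pkt: dict) -> str:
        # A session filter lets replies to sessions the PC opened back in, even
        # though a "drop all inbound" rule would match them.
        if pkt["direction"] == "inbound" and self._is_reply(pkt):
            return "forward"
        verdict = self.default_action
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action
                break
        if (verdict == "forward" and pkt["direction"] == "outbound"
                and pkt["proto"] in STATEFUL_PROTOCOLS):
            self.sessions.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return verdict

    def _is_reply(self, pkt: dict) -> bool:
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.sessions


def packet(direction, proto, src, dst, sport=None, dport=None) -> dict:
    return dict(direction=direction, proto=proto, src=src, dst=dst, sport=sport, dport=dport)


# The concentrator's "Firewall Filter for VPN Client (Default)":
# forward all outbound, drop all inbound.
DEFAULT_FILTER = [Rule("forward", "outbound"), Rule("drop", "inbound")]


def demo():
    """Constructed traffic: the PC opens HTTPS to 198.51.100.10, the server
    replies, and an unrelated host 203.0.113.7 probes TCP port 445."""
    fw = CppFilter(DEFAULT_FILTER)
    opened = fw.process(packet("outbound", 6, "local", "198.51.100.10", 51000, 443))
    reply = fw.process(packet("inbound", 6, "198.51.100.10", "local", 443, 51000))
    probe = fw.process(packet("inbound", 6, "203.0.113.7", "local", 4444, 445))
    return opened, reply, probe


if __name__ == "__main__":
    print(demo())
```

Tightening the policy to "specific TCP and UDP ports", as the text suggests most administrators want, is a matter of putting port-specific forward rules ahead of a final outbound drop; a packet dropped on the way out never creates a session, so nothing pretending to be its reply gets in.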

QUESTION NO: 38

What are two types of certificates in a central CA environment? (Choose two)

A Public key certificate

B Root certificate


C Private key certificate

QUESTION NO: 39

When should you change the administration password?

A Immediately upon installation

B At least weekly

C When the system crashes

D Every time someone leaves the company

Answer: A

Explanation:

You can change the password for the admin administrator user. For ease of use during startup, the default admin password supplied with the VPN 3002 is also admin. Since the admin user has full access to all management and administration functions on the device, we strongly recommend you change this password to improve device security. You can further configure all administrators with the regular Administration menus.

Reference: VPN 3002 Hardware Client Getting Started, Release 4.0

QUESTION NO: 40

When a VPN 3002 is configured to establish a tunnel to a load balancing cluster, what IP address should the administrator put in the VPN 3002 remote server field?

A Cluster’s virtual IP address

B Master the Cisco VPN Concentrator’s public interface IP address

C Master the Cisco VPN Concentrator’s private interface IP address

D Load balancing server’s virtual IP address

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter091 6a00800ebfdf.html#xtocid3

QUESTION NO: 41

Which VCA filter statement is true?

A VCA filter must be enabled on the Cisco VPN Concentrator’s private interface

B VCA filter must be enabled on the Cisco VPN Concentrator public interface

C VCA filter must be enabled on both Cisco VPN Concentrator interfaces

D VCA filter is optional

QUESTION NO: 42

For the Cisco VPN Client to interoperate with the Cisco VPN 3000, what is the minimum version of the Cisco VPN 3000?

A 2.5

B 2.6

C 3.0

D 3.1


Answer: C

Explanation:

To interoperate with a VPN 3002, the VPN 3000 Series Concentrator to which it connects must:

• Be running software version 3.0 or later

• Configure IPSec group and user names and passwords for this VPN 3002

• For a VPN 3002 running in PAT mode, enable a method of address assignment: DHCP, address pools, per user, or authentication server address

• For a VPN 3002 running in Network Extension mode, configure either a default gateway or a static route to the private network of the VPN 3002

Reference: Release Notes for Cisco VPN 3002 Hardware Client Release 3.1

• Memory – 128 MB SRAM standard

• Encryption – Hardware-based SEP2 - Programmable DSP-based security accelerator

• Appropriate for a large central site

• Supports two SEP2 hardware modules-up to 1500 sessions

• Upgradeable

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 56


QUESTION NO: 45

The Backup Server feature can be configured on the VPN 3002, as well as on the Concentrator.

Which of the following statements are true?

A In the backup server window of VPN 3002 you can define up to 10 backup servers

B The list of backup servers defined on the VPN 3002 will not be overwritten if the Concentrator sends a backup server list to the VPN 3002

C The list of backup servers defined on the VPN 3002 will be overwritten if the Concentrator sends a backup server list to the VPN 3002

D In the backup server window of the VPN 3002 you can define up to 6 backup servers

• Client mode: Cisco VPN 3002 acts as a client, receives an IP address from a concentrator pool; uses PAT to hide stations behind the Cisco VPN 3002; the network behind the Cisco VPN 3002 is unroutable (invisible to the central site and the world); provides few configuration parameters

• Network Extension mode: Cisco VPN 3002 acts as a site-to-site device; uses PAT to hide stations only from the Internet (stations visible or routable to the central site); the network behind the Cisco VPN 3002 is routable; provides additional configuration parameters

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_data_sheet09186a00801089cf.html

QUESTION NO: 47

When installing Cisco VPN client, why are you urged to uninstall the older version?

A Otherwise two identical icons in the system taskbar are created

B Otherwise you will be prompted to select the version whenever you launch the program

C Otherwise it will cause blue screen of death under Windows NT

D Otherwise the new version will be corrupted

Answer: A, D

Explanation:

Note: If you are upgrading from a previous version of SafeNet/SoftPK Client or Cisco Secure VPN Client, uninstall the old version, then reboot, then install the new version. If the old version is not uninstalled, two images and two identical icons in the system taskbar are created and the new version will be corrupted.

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2138/prod_release_note09186a008007f5aa.html

QUESTION NO: 48

How do you configure users and groups on the Cisco VPN 3000 Concentrator Series as recommended by Cisco?

A First the groups; second, the specific groups; and third, the users

B First the specific groups; second, the groups; and third, the users

C First the users; second, the groups; and third, the specific groups

D First the users; second, the specific groups; and third, the groups

Answer: A

Explanation:

We recommend that you define groups when planning your VPN, and that you configure groups and users on the VPN Concentrator in this order:

1. Base-group parameters

2. Group parameters

3. User parameters

Reference: VPN 3000 Series Concentrator Reference Volume I: Configuration 4.0

QUESTION NO: 49

Select the correct statements regarding ESP tunnel mode. (Choose all that apply)

A With ESP in tunnel mode and encryption selected, the entire original IP datagram is encrypted

B With ESP in tunnel mode and encryption selected, only the data is encrypted

C When both authentication and encryption are selected under ESP, encryption is performed before authentication

D When both authentication and encryption are selected under ESP, authentication is performed before encryption
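Question 49 turns on two facts about ESP tunnel mode: the whole original IP datagram (header included) is encrypted, and the integrity check value is computed over the ciphertext, so encryption happens first and authentication second. The Python below is an added worked example; it is not code from the TestKing material or from Cisco. It wraps a constructed inner IPv4 datagram in an ESP tunnel-mode packet and then processes it in the order a receiver must: verify the ICV, and only then decrypt. The keys, SPI and inner addresses are made up, and the HMAC-based counter-mode keystream is a stand-in for the real ESP cipher (DES/3DES/AES in the Cisco material) so the example runs with the standard library alone.

```python
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional, Tuple

# Constructed keys for this example. In IPsec they come from the IKE Phase 2 KEYMAT.
ENC_KEY = b"constructed-esp-encryption-key!!"
AUTH_KEY = b"constructed-esp-authentication!!"
SPI = 0x0000A5A5          # constructed SPI for the outbound SA
ICV_LEN = 12              # HMAC-SHA1-96: ESP authentication truncates the MAC to 96 bits
IV_LEN = 8


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256.

    Dependency-free stand-in for the ESP cipher (DES/3DES/AES), not an IPsec
    transform. The packet layout and the encrypt-then-authenticate ordering are
    what this example demonstrates.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def build_inner_datagram(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed inner IPv4 datagram: 20-byte header (no options) plus payload."""
    total_length = 20 + len(payload)
    header = struct.pack(">BBHHHBBH4s4s",
                         0x45, 0, total_length, 0x1234, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def esp_tunnel_encapsulate(inner_ip_datagram: bytes, seq: int,
                           iv: Optional[bytes] = None) -> bytes:
    """Build the tunnel-mode ESP packet: SPI | seq | IV | ciphertext | ICV.

    The whole original IP datagram becomes the ESP payload, so the private
    source and destination addresses are encrypted. Encryption is applied
    first; the ICV is then computed over SPI, sequence number, IV and
    ciphertext, never over plaintext.
    """
    if iv is None:
        iv = os.urandom(IV_LEN)
    # ESP trailer: padding to a 4-byte boundary, then Pad Length and Next Header.
    # Next Header 4 (IP-in-IP) marks the payload as a complete IP datagram.
    pad_len = (-(len(inner_ip_datagram) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])
    plaintext = inner_ip_datagram + trailer
    ciphertext = _xor(plaintext, _keystream(ENC_KEY, iv, len(plaintext)))
    authenticated = struct.pack(">II", SPI, seq) + iv + ciphertext
    icv = hmac.new(AUTH_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_tunnel_decapsulate(esp_packet: bytes) -> Optional[Tuple[int, bytes]]:
    """Verify the ICV, then decrypt. Returns (seq, inner datagram), or None to drop.

    Because the ICV covers the ciphertext, a tampered or forged packet is
    rejected before any decryption and before the inner datagram is examined.
    """
    if len(esp_packet) < 8 + IV_LEN + ICV_LEN:
        return None
    authenticated, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                          # authentication failure: drop, do not decrypt
    spi, seq = struct.unpack(">II", authenticated[:8])
    if spi != SPI:
        return None                          # no SA for this SPI
    iv, ciphertext = authenticated[8:8 + IV_LEN], authenticated[8 + IV_LEN:]
    plaintext = _xor(ciphertext, _keystream(ENC_KEY, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != 4 or pad_len + 2 > len(plaintext):
        return None                          # not a tunnel-mode payload, or malformed trailer
    return seq, plaintext[:len(plaintext) - pad_len - 2]


if __name__ == "__main__":
    inner = build_inner_datagram("10.1.1.5", "10.2.2.7", b"hello from the private LAN")
    packet = esp_tunnel_encapsulate(inner, seq=1)
    assert esp_tunnel_decapsulate(packet) == (1, inner)
    assert socket.inet_aton("10.1.1.5") not in packet   # inner addresses never appear on the wire
    tampered = packet[:20] + bytes([packet[20] ^ 0x01]) + packet[21:]
    assert esp_tunnel_decapsulate(tampered) is None      # rejected before decryption
    print("ESP tunnel-mode round trip and tamper check OK")
```

The receiver's ordering is the practical point behind option C: if decryption ran first, a forged packet would still cost cipher work and could feed attacker-controlled bytes into padding and next-header checks before integrity was ever established.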

B Local private network

C Remote private network

D Cisco VPN Concentrator endpoint information

Answer: A

Explanation:

LAN-to-LAN Sessions Table

This table shows parameters and statistics for all active IPSec LAN-to-LAN sessions. Each session here identifies only the outer LAN-to-LAN connection or tunnel, not individual host-to-host sessions within the tunnel.

Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/1256427

QUESTION NO: 51

When loading a Cisco VPN Concentrator certificate, why MUST the root certificate be loaded into the Cisco VPN Concentrator first?

A To validate the identity certificate

B To generate the identity certificate

Which firewall is supported by the Cisco VPN Client Are You There feature?

A Cisco Integrated Client firewall

Reference: VPN Client Administrator Guide 4.0

QUESTION NO: 53

Which data is shown on the Monitor Sessions screen? (Choose three)

A Session summary

B LAN-to-LAN sessions

Session Summary Table

This table shows summary totals for LAN-to-LAN, remote access, and management sessions.

A session is a VPN tunnel established with a specific peer. In most cases, one user connection = one tunnel = one session. However, one IPSec LAN-to-LAN tunnel counts as one session, but it allows many host-to-host connections through the tunnel.

• Active LAN-to-LAN Sessions - The number of IPSec LAN-to-LAN sessions that are

• Total Active Sessions - The total number of sessions of all types that are currently active.

• Peak Concurrent Sessions - The highest number of sessions of all types that were concurrently active since the VPN Concentrator was last booted or reset.

• Concurrent Sessions Limit - The maximum number of concurrently active sessions permitted on this VPN Concentrator. This number is model-dependent; for example, model 3060 = 5000 sessions.

• Total Cumulative Sessions - The total cumulative number of sessions of all types since the VPN Concentrator was last booted or reset.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_administration_guide_chapter09186a008015c590.html#1256427

QUESTION NO: 54

Which statement is true of the Cisco VPN 3002 port address translation?

A The administrator can disable PAT when the default private interface address is changed

B PAT is always enabled on the Cisco VPN 3002 public interface

C PAT status is configured on the Cisco VPN Concentrator and then pushed to the Cisco VPN 3002 during tunnel establishment

D The Cisco VPN 3002 does not support PAT

Answer: A

Explanation:

Using a Browser to Configure the VPN 3002

1 Use a LAN cable to attach a PC to the private interface (3002) or switch port (3002-8E).

2 Enter the default IP address (192.168.10.1) in the browser Location or Address field.

3 At the VPN 3002 Login prompt, enter the login name admin and the default password admin. Click Login.

4 In the Main window, select Quick Configuration from the menu. Follow the online instructions for all subsequent screens. Note that to configure Network Extension mode, you must change the private interface IP address and disable PAT.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_quick_start09186a0080163e2a.html

QUESTION NO: 55

What does the backup server feature enable the Cisco VPN 3002 to access?

A Backup DHCP server

B Backup Cisco VPN Concentrator

C Backup authentication server

D Backup certificate server

Answer: B

Explanation:

About Backup Servers

IPSec backup servers let a VPN 3002 connect to the central site when its primary central-site VPN Concentrator is unavailable. You configure backup servers for a VPN 3002 either on the VPN 3002, or on a group basis at the central-site VPN Concentrator. If you configure backup servers on the primary central-site VPN Concentrator, that VPN Concentrator pushes the backup server policy to the VPN 3002 hardware clients in the group. By default, the policy is to use the backup server list configured on the VPN 3002. Alternatively, the VPN Concentrator can push a policy that supplies a list of backup servers in order of priority, replacing the backup server list on the VPN 3002 if one is configured. It can also disable the feature and clear the backup server list on the VPN 3002 if one is configured.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00800ebfdf.html

QUESTION NO: 56

What are three functions of IKE Phase 2? (Choose three)

A Uses aggressive mode

B Uses main mode

C Optionally performs an additional DH exchange

D Verifies the other side’s identity

E Periodically renegotiates IPSec SAs to ensure security

F Negotiates IPSec SA parameters protected by an existing IKE SA

Answer: C, E, F

Explanation:

Step 2 Determine IPSec (IKE Phase Two) Policy

• Negotiates IPSec SA parameters protected by an existing IKE SA

• Establishes IPSec security associations

• Periodically renegotiates IPSec SAs to ensure security

• Optionally performs an additional Diffie-Hellman exchange

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 28

QUESTION NO: 57

Which feature is supported on the Cisco VPN 3005?

A It supports up to 3 network ports

-Optional WAN interface module with dual T1/E1 ports

All systems feature:

• 10/100Base-T Ethernet interfaces (autosensing)

-Model 3005: Two interfaces

-Models 3015-3080: Three interfaces

• Motorola® PowerPC CPU

• SDRAM memory for normal operation

• Nonvolatile memory for critical system parameters

• Flash memory for file management

Reference:http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/ps2290/index.html

QUESTION NO: 58

The user behind a VPN 3002 is an IP phone, and the administrator of the central Concentrator has configured the VPN 3002 for User Authentication.

What will happen to the IP phone if it tries to call the corporate office?

A IP phones are not allowed behind the VPN 3002

B IP phones are an exception to the rule

C The IP phone must be authenticated for each call

D User authentication is not allowed when IP phones exist behind the VPN 3002 hardware client

Answer: C

Explanation:

Check the Cisco IP Phone Bypass check box to allow IP phones to bypass the interactive individual user authentication processes. Interactive hardware client authentication remains in effect if you have enabled it.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce2d.html

QUESTION NO: 59

The applications associated with Internet solutions are provided by Cisco AVVID, which enables enterprise customers to move their traditional business models to Internet business models.

A show access list

B show crypto map

C tracert

D ping

Answer: D

Explanation:

The router ping command can be used to test basic connectivity between IPSec peers.

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 75

QUESTION NO: 61

IPSec uses this method to track all the particulars concerning a given IPSec communication session.

A What is Transform Set

B What is Security Association

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 30

Configuration | Policy Management | Traffic Management | Network Lists

This section of the Manager lets you configure network lists, which are lists of networks that are grouped as single objects. Network lists make configuration easier: for example, you can use a network list to configure one filter rule for a set of networks rather than configuring separate rules for each network.

You can use network lists in configuring filter rules (see Configuration | Policy Management | Traffic Management | Rules). You can also use them to configure split tunneling for groups and users (see Configuration | User Management), and to configure IPSec LAN-to-LAN connections (see Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN).

The Manager can automatically generate a network list containing the private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015c188.html#1112819

Reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

QUESTION NO: 64

Which reboot option shuts down the Cisco VPN 3000 Concentrator, terminates all sessions, and prevents new user sessions?

A Cancel a scheduled reboot

B Shutdown without automatic reboot

C Reboot without saving the active configuration

D Save the active configuration at time of reboot

Answer: B

Explanation:

• Reboot = Reboot the VPN Concentrator. Rebooting terminates all sessions, resets the hardware, loads and verifies the software image, executes system diagnostics, and initializes the system. A reboot takes about 60-75 seconds. (This is the default selection.)

• Shutdown without automatic reboot = Shut down the VPN Concentrator; that is, bring the system to a halt so you can turn off the power. Shutdown terminates all sessions and prevents new user sessions (but not administrator sessions). While the system is in a shutdown state, the System LED (Model 3005) or the blue usage LEDs (Models 3015–3080) blink on the front panel.

• Cancel a scheduled reboot/shutdown = Cancel a reboot or shutdown that is waiting for a certain time or for sessions to terminate. (This is the default selection if a reboot or shutdown

Reference: VPN 3000 Configuration Reference 3.6.pdf

QUESTION NO: 66

When configuring address assignments, which method uses the Cisco VPN 3000 Concentrator to assign IP addresses from an internal pool?

A Remote client pool

B Per-user

C Configured pool

D DHCP pool

Answer: C

Explanation:

Check the Use Address Pools check box to have the VPN Concentrator assign IP addresses from an internally configured pool. Internally configured address pools are the easiest method of address pool assignment to configure. If you use this method, configure the IP address pools on the Configuration | System | Address Management | Pools screens.

Reference: VPN 3000 Configuration Reference 3.6.pdf

• For the VPN Client: To activate the Launch button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

http://10.10.99.70/vpnclient-win-3.5.Rel-k9.exe

The directory is optional. You need the port number only if you use ports other than 80 for http or 443 for https.

• For the VPN 3002 Hardware Client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server.

For example:

tftp://10.10.99.70/vpn3002-3.5.Rel-k9.bin

The directory is optional.

Reference: VPN 3000 Configuration Reference 3.6.pdf

Answer: B

Explanation:

Configure the VPN 3002 public interface, using DHCP, PPPoE, or static address assignment. Note that the DHCP client is enabled by default on the public interface.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_getting_started_guide_chapter09186a008012b46c.html

• Windows 95 (OSR2), 98, NT Version 4.0 (SP 3 or higher), 2000, XP, ME

• Linux (Red Hat Version 6.2)

• Solaris 2.6 or later

• Mac OS X Version 10.1.0 or later

Reference:

http://www.cisco.com/en/US/netsol/ns110/ns170/ns172/ns334/networking_solutions_design_guide_chapter09186a008017e6bf.html

QUESTION NO: 70

When configuring a VPN 3002 hardware client, the GUI asks “Do you want to configure the IP address of the Private interface?” and you answer “no”.

What will happen next?

A You may choose between client mode and network extension mode, depending on your choice of PAT

B There is no such question in the confirmation process

C You are locked into the client mode

D You are locked into network extension mode

Answer: C

Explanation:

Configure the DHCP server to assign IP addresses for PCs located on the private network. The default IP address pool is 192.168.10.2-192.168.10.128. For Client mode, you do not need to modify this parameter.

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_getting_started_guide_chapter09186a008012b46c.html

Diffie-Hellman (DH) is a public key cryptography protocol that enables two parties to establish a shared secret over unsecured communications channels. Select one of the following DH groups to use in Internet Key Exchange (IKE) to establish session keys:

• DH_GROUP_1 - Available on all ISC supported platforms. Specify to use 768-bit Diffie-Hellman Group 1 cryptography.

• DH_GROUP_2 - Cisco IOS and PIX Firewall devices only. Specify to use 1024-bit Diffie-Hellman Group 2 cryptography.

• DH_GROUP_5 - Available on all ISC supported platforms if the software system requirements for the platform are met. Specify to use 1536-bit Diffie-Hellman (DH) Group 5 cryptography.

• DH_GROUP_7 - VPN 3000 only. Specify to use DH Group 7 Elliptic Curve Cryptography (ECC), the 163-bit Elliptic Curve Diffie-Hellman (ECDH) group.

Reference:

http://www.cisco.com/en/US/products/sw/netmgtsw/ps5333/products_user_guide_chapter09186a00801a0b5f.html
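Question 56 states that IKE Phase 2 can optionally perform an additional Diffie-Hellman exchange (perfect forward secrecy, PFS) and that it periodically renegotiates IPSec SAs; the list just above gives the Oakley groups such an exchange can use. The Python below is an added example for both passages; it is not code from the TestKing material or from Cisco. It runs a group 1 or group 2 Diffie-Hellman exchange with the RFC 2409 primes and then derives quick-mode KEYMAT with and without PFS using the RFC 2409 section 5.5 formula, to show what the extra exchange buys: an attacker who later obtains SKEYID_d together with the nonces and SPI seen on the wire can rebuild the non-PFS keys but not the PFS keys. SKEYID_d, nonces and SPI are constructed values, and the prf is HMAC-SHA1, which is the IKE prf when SHA-1 is the negotiated hash.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Oakley groups from RFC 2409 section 6 (the DH_GROUP_1 and DH_GROUP_2 of the listing).
# Generator is 2 for both; the primes are the published constants.
MODP_768_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
MODP_1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH_GROUPS = {1: MODP_768_P, 2: MODP_1024_P}
GENERATOR = 2
PROTO_IPSEC_ESP = 3   # IPsec DOI protocol identifier for ESP (RFC 2407)


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def dh_keypair(group: int = 2) -> Tuple[int, int]:
    """Private exponent x and public value g^x mod p for the chosen Oakley group."""
    p = DH_GROUPS[group]
    x = secrets.randbelow(p - 2) + 1          # x in [1, p-2]
    return x, pow(GENERATOR, x, p)


def dh_shared(x: int, peer_public: int, group: int = 2) -> int:
    """g^xy mod p. Rejects 0, 1 and p-1, which would force a trivial shared secret."""
    p = DH_GROUPS[group]
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, x, p)


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf when SHA-1 is the negotiated hash: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase2_keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni: bytes, nr: bytes,
                  pfs_secret: Optional[int] = None, length: int = 32) -> bytes:
    """Quick mode keying material, RFC 2409 section 5.5.

    Without PFS:  KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:     KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    Longer keys are produced by chaining: K2 = prf(SKEYID_d, K1 | ...), and so on.
    """
    seed = int_to_bytes(pfs_secret) if pfs_secret is not None else b""
    seed += bytes([protocol]) + spi + ni + nr
    keymat, block = b"", b""
    while len(keymat) < length:
        block = prf(skeyid_d, block + seed)
        keymat += block
    return keymat[:length]


def quick_mode_rekey(skeyid_d: bytes, spi: bytes, pfs: bool) -> Tuple[bytes, bytes, bytes]:
    """One Phase 2 rekey. Returns (initiator KEYMAT, responder KEYMAT, attacker's recomputation).

    The attacker is assumed to hold SKEYID_d (for example from a later compromise
    of the Phase 1 state) plus the nonces and SPI observed on the wire. Without
    PFS that is enough to rebuild the ESP keys; with PFS the fresh g^xy is missing.
    """
    ni, nr = os.urandom(16), os.urandom(16)   # constructed nonces, as sent in quick mode
    if pfs:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        k_i = phase2_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr, dh_shared(xi, gxr))
        k_r = phase2_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr, dh_shared(xr, gxi))
    else:
        k_i = k_r = phase2_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr)
    attacker = phase2_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr)  # no g^xy available
    return k_i, k_r, attacker


if __name__ == "__main__":
    # Phase 1 (main mode) DH in group 2, producing the SKEYID_d that protects Phase 2.
    xi, gxi = dh_keypair(2)
    xr, gxr = dh_keypair(2)
    assert dh_shared(xi, gxr) == dh_shared(xr, gxi)
    skeyid_d = prf(b"constructed-skeyid", int_to_bytes(dh_shared(xi, gxr)))
    spi = bytes.fromhex("0000a5a5")            # constructed SPI
    k_i, k_r, guess = quick_mode_rekey(skeyid_d, spi, pfs=False)
    assert k_i == k_r == guess                 # no PFS: SKEYID_d plus sniffed nonces rebuild the key
    k_i, k_r, guess = quick_mode_rekey(skeyid_d, spi, pfs=True)
    assert k_i == k_r != guess                 # PFS: the additional DH exchange keeps it out of reach
    print("group 2 exchange and quick mode KEYMAT derivation OK")
```

Each periodic renegotiation (option E) reruns quick_mode_rekey with new nonces; only with pfs=True does every SA get keys that are independent of the Phase 1 secret, which is why the PFS option is worth the extra exponentiation on a concentrator.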

QUESTION NO: 72

Which of the following statements is not true regarding IKE phase one?

A Main mode is more secure than the aggressive mode

B Phase one can occur in two modes: main mode & aggressive mode

C Sets up a secure tunnel to negotiate IKE phase II parameters

D By default, Cisco products use aggressive mode to initiate an IKE exchange

Answer: D

Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 27

QUESTION NO: 73

Where can an administrator verify that the LAN-to-LAN tunnel was established?

A View | IPSec Tunnels

Administration | Administer Sessions

This screen shows comprehensive statistics for all active sessions on the VPN Concentrator. You can also click the name of a session to see detailed parameters and statistics for that session. See Administration | Sessions | Detail.

Group

Choose a group from the menu to monitor statistics for that group only. The default is All, which displays statistics for all groups.

Logout All: PPTP User | L2TP User | IPSec User | L2TP/IPSec User | IPSec/NAT User | IPSec/LAN-to-LAN

These active labels let you log out all active sessions of a given tunnel type at once:

• PPTP User = PPTP remote-access users

• L2TP User = L2TP remote-access users

• IPSec User = IPSec remote-access users

• L2TP/IPSec User = L2TP over IPSec users

• IPSec/NAT User = IPSec through NAT users

• IPSec/LAN-to-LAN = IPSec LAN-to-LAN

Reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_administration_guide_chapter09186a008015c5a0.html#1415548

Posted: 17/01/2014, 08:20