21certify.com (page 2)
Study Tips
This product will provide you with questions and answers along with detailed explanations, carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.
Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 365 days after the purchase. You should check the products page on the www.21certify.com web site for an update 3-4 days before the scheduled exam date.
Important Note:
Please Read Carefully
This 21certify Exam has been carefully written and compiled by 21certify Exams experts. It is designed to help you learn the concepts behind the questions rather than be a strict memorization tool. Repeated readings will increase your comprehension.
We continually add to and update our 21certify Exams with new questions, so check that you have the latest version of this 21certify Exam right before you take your exam.
For security purposes, each PDF file is encrypted with a unique serial number associated with your 21certify Exams account information. In accordance with International Copyright Law, 21certify Exams reserves the right to take legal action against you should we find that copies of this PDF file have been distributed to other parties.
Please tell us what you think of this 21certify Exam. We appreciate both positive and critical comments, as your feedback helps us improve future versions.
We thank you for buying our 21certify Exams and look forward to supplying you with all your certification training needs.
Good studying!
21certify Exams Technical and Support Team
Note 1:
Section A contains 93 questions. Section B contains 126 questions. Section C contains 171 questions. The total number of questions is 390.
Note 2: The first customer, if any, to beat 21certify in providing answers to the unanswered questions will receive a free 21certify product. Send answers to feedback@21certify.com
Section A
Q.1 If the central Concentrator is configured for interactive unit authentication, a VPN 3002 will prompt for username/password before establishing a tunnel. In how many ways can you make a VPN 3002 prompt for the username/password?
Q.2 Performing Quick configuration on a VPN 3002 Hardware, under “Private Interface”, what options are available to the administrator? (Choose all that apply)
A Do not use the DHCP server to provide address
B Do you want to use DHCP server on Interface 1 to provide addresses for the local LAN?
C Do not use DHCP client to request address
D Do you want to use DHCP client to request addresses for the local LAN?
Answer: A, B
Q.3 A VPN 3000 Concentrator is configured for Optional as Firewall Setting and the expected Firewall is set to ICE BlackICE Defender. A client connects without any Firewall.
A The tunnel will establish as normal
B There is no optional firewall setting in the AYT configuration on a Cisco 3000 Concentrator
C All answers are incorrect
D The tunnel will establish, AYT will fail, the tunnel will be removed and the client will get disconnected
E The Tunnel will establish, but the administrator will receive a notification message that the client did not match any of the Concentrator’s configured firewalls
Answer: C
Q.4 Trojan horses fall into which of the following methods?
A Denial of Service Methods
B Reconnaissance Methods
C Stealth Methods
D Access Methods
Answer: D
Q.5 What are the two purposes of X.509 certificate serial numbers?
A It is a unique certificate numerical identifier in the certificate authority domain
B It identifies the certificate authority public key and hashing algorithm
C Includes subject’s public key and hashing algorithm
D It is the number used to identify certificates in CRLs
E It specifies start and expiration dates on the certificate
Answer: A, D
Q.6 Which of the following statements is true in defining RSA signature system?
A An RSA signature is formed when data is encrypted with a user’s private key and the receiver verifies the signature by decrypting the message with the sender’s private key
B An RSA signature is formed when data is encrypted with a user’s public key and the receiver verifies the signature by decrypting the message with the sender’s private key,
C An RSA signature is formed when data is encrypted with a user’s private key and the receiver verifies the signature by decrypting the message with the sender’s public key
D An RSA signature is formed when data is encrypted with a user’s public key and the receiver verifies the signature by decrypting the message with the sender’s public key
Answer: C
Q.11 If the LAN-to-LAN tunnel is not established, which three IPSec LAN-to-LAN configuration parameters should the administrator verify at both ends of the tunnel? (Choose three)
E Local network IP address
F Remote network IP address
Answer: B, E, F
Q.12 Which statement about the Cisco VPN client software update is true?
A As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client automatically downloads a new version of code from a configured web site
B As remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client automatically downloads a new version of code from a TFTP server
C As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator automatically downloads a new version of the software
D As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator only sends an update notification to the remote Cisco VPN client
Q.13 To clear the ARP cache on a Cisco VPN Concentrator, which status screen should the administrator access?
A Monitor | Routing Table
B Monitor | ARP cache
C Monitor | Statistics | MIB-II
D Monitor | System Statistics
Answer: C
Q.14 When first installing the Cisco VPN Concentrator, why should you use CLI?
A To configure the Cisco VPN Concentrator
B To configure the private LAN port
C To connect to the Internet
D To configure serial ports
Answer: B
Q.15 Choose the two ways an administrator can set up user authentication and IP address assignment
D Automated enrollment process
E Out-of-band enrollment process
F Certified enrollment process
Answer: A, B
Q.19 When the IPSec client-to-LAN applications are changed from pre-shared keys to digital certificates, what is true about the IPSec SA?
A SA IKE authentication method should be changed
B SAP IPSec authentication method should be changed
C When the digital certificate is validated, the IPSec SA template automatically is updated
D When the digital certificate is activated, the IPSec SA template is automatically updated
Answer: A
Q.20 How did Cisco solve the PAT translation issue?
A Wrap a standard IKE packet with a UDP port number
B Wrap a standard IPSec packet with a UDP port number
C Change the IKE TCP port number from a well known to a dynamically assigned port number
D Change the IPSec TCP port number from a well known to a dynamically assigned port number
Answer: B
Q.21 How is user authentication enabled on the Cisco VPN 3002?
A Checked on the Cisco VPN Concentrator and pushed down to the Cisco VPN 3002
B Unchecked on the Cisco VPN Concentrator and pushed down to the Cisco VPN 3002
C Checked on the Cisco VPN 3002
D Unchecked on the Cisco VPN 3002
Answer: A
Q.22 What are the three steps in the auto-update configuration process? (Choose three)
A Enable the client update functionality in the Cisco VPN 3002
B Enable the client update functionality in the Cisco VPN Concentrator
C Modify the group-client, auto-update parameter
D Configure the IKE auto-update message parameters
E Send an update message
F Configure the IPSec auto-update message parameters
Answer: B, C, E
Q.23 When two adjacent Cisco VPN Concentrators are configured for VRRP and the master Cisco VPN Concentrator fails, which statement is true?
A All sessions are lost
B Only remote access users need to re-establish their tunnels
C No sessions are lost
D Only site-to-site users need to re-establish their tunnels
A Virtual Termination Point (VTP)
B Virtual Designated Concentrator (VDC)
C Virtual Cluster Agent (VCA)
D Virtual Access Point (VAP)
Answer: C
Q.28 Configuring a firewall policy:
A New filters are added to rules
B Unlike ACLs, which have an implicit any all at the end of their statements, Filters do not have an implicit deny all
C New rules are added to filters
D Like ACLs, which have an implicit deny all at the end of their statements, Filters also have an implicit deny all
Q.30 After you issue the “crypto ca enroll”, you are prompted to create a challenge password
Why should you remember this password?
A Because it is required if you intend to generate multiple certificates
B Because if you ever try to reboot, you will be prompted for this password
C Because it is required to generate RSA key pairs
D You must supply this challenge password if you ever ask the CA to revoke your certificate
Answer: D
Q.31 You have received a brand new VPN 3030 Concentrator from Cisco. You power it on, console to it from your laptop and configure the Private LAN port with your network's IP address as 172.29.10.44. Later, you ping the Concentrator and you get a successful response. You make sure that your system administration tasks and network permit a cleartext connection between the VPN Concentrator and your browser. Then you inform your infamous MIS Director and give him the IP address, the Login name as “admin” and the password as “admin”. The Director points his browser to the URL http://www.172.29.10.44
What will happen next?
A The browser will open but the log in it will fail because of wrong password
B The browser will open with the “VPN 3000 Concentrator Series Manager” GUI and ask for the username and password
C The browser will fail and say “The page can not be displayed”
D The browser will open but the log in will fail because of wrong Login
Answer: C
Q.32 IKE protocol supports multiple authentication methods during the phase one exchange. The two entities must agree on a common authentication protocol through a negotiation.
Q.34 In the top section of the IPSec LAN-to-LAN screen, what is the peer value?
A System name of the remote Cisco VPN Concentrator
B Internal IP address of the remote Cisco VPN Concentrator
C Public Interface IP address of the remote peer
D Private interface IP address of the remote peer
Answer: C
Q.35 What are three steps in the file-based certificate enrollment process? (Choose three)
A The identity certificate is loaded into the Cisco VPN Concentrator first
B The CA generates the root and identity certificates
C The root certificate is loaded into the Cisco VPN Concentrator second
D The root certificate is loaded into the Cisco VPN Concentrator first
E Cisco VPN Concentrator generates a PKCS#7
F The Cisco VPN Concentrator generates a PKCS#10
Answer: B, D, F
For connection 3 of the firewall policy chart, choose the action and IP addresses
A action drop, destination address, any
B action forward, destination address, any
C action forward, destination address, www.cisco.com
D action drop, destination address, www.cisco.com
Answer: B
Q.38 What are two types of certificates in a central CA environment? (Choose two)
A Public key certificate
Q.39 When should you change the administration password?
A Immediately upon installation
B At least weekly
C When the system crashes
D Every time someone leaves the company
Answer: A
Q.40 When a VPN 3002 is configured to establish a tunnel to a load balancing cluster, what IP address should the administrator put in the VPN 3002 remote server field?
A Cluster’s virtual IP address
B Master Cisco VPN Concentrator’s public interface IP address
C Master Cisco VPN Concentrator’s private interface IP address
D Load balancing server’s virtual IP address
Answer: A
Q.41 Which VCA filter statement is true?
A VCA filter must be enabled on the Cisco VPN Concentrator’s private interface
B VCA filter must be enabled on the Cisco VPN Concentrator public interface
C VCA filter must be enabled on both Cisco VPN Concentrator interfaces
D VCA filter is optional
Q.45 The Backup Server feature can be configured on VPN 3002, as well as on the Concentrator. Which of the following statements are true?
A In the backup server window of VPN 3002 you can define up to 10 backup servers
B The list of backup servers defined on VPN 3002 will not be overwritten if the Concentrator sends a backup server list to the VPN 3002
C The list of backup servers defined on VPN 3002 will be overwritten if the Concentrator sends a backup server list to the VPN 3002
D In the backup server window of VPN 3002 you can define up to 6 backup servers
Q.47 When installing Cisco VPN client, why are you urged to uninstall the older version?
A Otherwise two identical icons in the system taskbar are created
B Otherwise you will be prompted to select the version whenever you launch the program
C Otherwise it will cause blue screen of death under Windows NT
D Otherwise the new version will be corrupted
Answer: A, D
Q.48 How do you configure users and groups on the Cisco VPN 3000 Concentrator Series as recommended by Cisco?
A First the groups; second, the specific groups; and third, the users
B First the specific groups; second, the groups; and third, the users
C First the users; second, the groups; and third, the specific groups
D First the users; second, the specific groups; and third, the groups
Answer: A
Q.49
A With ESP in tunnel mode and encryption selected, the entire original IP datagram is encrypted
B With ESP in tunnel mode and encryption selected, only the data is encrypted
C When both authentication and encryption are selected under ESP, encryption is performed before authentication
D When both authentication and encryption are selected under ESP, authentication is performed before encryption
Answer: A, C
Q.50 The top section of the IPSec LAN-to-LAN screen enables the administrator to configure what section of the LAN-to-LAN tunnel?
A Tunnel information
B Local private network
C Remote private network
D Cisco VPN Concentrator endpoint information
Answer: A
Q.51 When loading a Cisco VPN Concentrator certificate, why MUST the root certificate be loaded into the Cisco VPN Concentrator first?
A To validate the identity certificate
B To generate the identity certificate
C To be downloaded to the PC
D To generate a root certificate
Answer: A
Q.52 Which firewall is supported by the Cisco VPN Client are you there feature?
A Cisco Integrated Client firewall
B Cyberguard
Q.54 Which statement is true of the Cisco VPN 3002 port address translation?
A The administrator can disable PAT when the default private interface address is changed
B PAT is always enabled on the Cisco VPN 3002 public interface
C PAT status is configured on the Cisco VPN Concentrator and then pushed to the Cisco VPN 3002 during tunnel establishment
D The Cisco VPN 3002 does not support PAT
Answer: A
Q.55 What does the backup server feature enable the Cisco VPN 3002 to access?
A Backup DHCP server
B Backup Cisco VPN Concentrator
C Backup authentication server
D Backup certificate server
Answer: B
A Uses aggressive mode
B Uses main mode
C Optionally performs an additional DH exchange
D Verifies the other side’s identity
E Periodically renegotiates IPSec SAs to ensure security
F Negotiates IPSec SA parameters protected by an existing IKE SA
Answer: C, E, F
Q.57 Which feature is supported on the Cisco VPN 3005?
A It supports up to 3 network ports
A IP phones are not allowed behind VPN 3002
B IP phones are exception to the rule
C IP phones should be authenticated for each call
D User authentication is not allowed when IP phones exist behind the 3002 hardware
A show access list
B show crypto map
C tracert
D ping
Answer: D
Q.61 IPSec uses this method to track all the particulars concerning a given IPSec communication session
A What is Transform Set
B What is Security Association
A Cancel a scheduled reboot
B Shutdown without automatic reboot
C Reboot without saving the active configuration
D Save the active configuration at time of reboot
Q.66 When configuring address assignments, which method uses the Cisco VPN 300 Concentrator to assign IP addresses from an internal pool?
A Remote client pool
Q.69 Which three computer systems allow the Cisco VPN Client to use secure, reliable tunnel connections to a host network? (Choose three)
What will happen next?
A You may choose between client mode and network extension mode, depending on your choice of PAT
B There is no such question in the confirmation process
C You are locked into the client mode
D You are locked into network extension mode
Q.72 Which of the following statements is not true regarding IKE phase one:
A Main mode is more secure than the aggressive mode
B Phase one can occur in two modes: main mode & aggressive mode
C Sets up a secure tunnel to negotiate IKE phase II parameters
D By default, Cisco products use aggressive mode to initiate an IKE exchange
Answer: D
Q.73 Where can an administrator verify that the LAN-to-LAN tunnel was established?
A View | IPSec Tunnels
D Split tunnel policy
E Cisco VPN Client IP address
F Access priority level
Answer: B, D, E
Q.75 Which three tasks are required to add to the ACL? (Choose three)
A Assign IP mask
B Set session limit
C Enable the IP address
D Assign IP address
E Set session timeout
F Assign access group
Answer: A, D, F
Q.76 When the Cisco VPN 3002 is fully configured in client mode, what is the default status of the VPN tunnel?
A The tunnel is up automatically
B The tunnel must be manually initiated via the Monitoring-tunnel status screen
C The tunnel must be manually initiated via the Monitoring-system status screen
D The manual and automatic modes are defined on the Cisco VPN Concentrator and then pushed to the Cisco VPN 3002 during tunnel establishment
Answer: C
Q.77 What does IPSec do at the network layer?
A Enables Cisco VPN
B Generates a private DH key
C Encrypts traffic between secure IPSec gateways
D Protects and authenticates IP packets between IPSec devices
Answer: D
Q.78 You have just received a brand new VPN 3002 Hardware from Cisco. You need to gain access to its VPN 3002 manager. What command will you enter at the browser?
Q.81 What are the two RRI features supported by the Cisco VPN Concentrator? (Choose two)
A Tunnel mode RRI
B Transport mode RRI
C Client RRI
D Network extension RRI
E LAN extension RRI
F Cisco VPN Concentrator RRI
Answer: C, D
Q.82 What type of keys do DES and 3DES require for encryption and decryption?
A Elliptical curve keys
B Exponentiation keys
C Symmetrical keys
D Asymmetrical keys
Answer: C
Q.83 Which of the following is not one of the tasks that a security policy needs to accomplish?
A Identify the resources that need to be protected
B Identify the organization’s security objectives
C Identify the network infrastructure
D Document the Hierarchy and the organizational chart
E Document the resources to be protected
Answer: D
Q.84 In the local network section of the IPSec LAN-to-LAN screen, what IP address is entered in the IP address field?
A Network, subnet, and host IP address of the remote Cisco VPN Concentrator’s private interface
B Network and subnet IP address of the remote private LAN
C Network, subnet, and host IP address of the local Cisco VPN Concentrator’s private interface
D Network and subnet IP address of the local private LAN
Answer: D
Q.85 Exhibit:
For connection 2 of the firewall policy chart, choose the action and IP addresses
A action drop, source and destination address, 10.0.1.0
B action forward, source and destination address, 10.0.1.0
C action forward, source and destination address, 10.0.1.10
D action drop, source and destination address, 10.0.1.10
Q.86 When configuring the Cisco VPN Client for IPSec over TCP, which statement is true?
A There is no configuration because the information is pushed down to the Cisco VPN Client
B There is no configuration needed because the feature is enabled by default
C IPSec over TCP must be enabled on the Cisco VPN Client
D IPSec over TCP and a TCP port number must be configured on the Cisco VPN Client
Answer: D
Q.87 You bring up the VPN Client on the PC: select Start > Programs > Cisco Systems VPN 3000 Client > VPN Dialer. Click New. Name the connection, click Next, and enter the IP address of the public interface of the Concentrator. You will be presented with the GUI ‘Properties for YourConnection’. What are the tabs you will find on this GUI? (Choose all that apply)
Q.88 What is the effect of enabling transparent tunneling on the Cisco VPN Client?
A Data packets are wrapped in UDP
B Encryption is disabled on the Cisco VPN Client
C Cisco VPN Client transmits traffic in clear text
D Split tunneling is enabled on the Cisco VPN Client
Answer: A
A Password
B User name
C Group priority
D Group access protocols
E Group server name
F Group name
Remote Access Network Diagram
The IP addressing scheme is as follows:
Home printer - 172.26.26.100
Concentrator Public interface - 192.168.1.5
Concentrator Private interface - 10.0.1.5
Corporate application server - 10.0.1.100
Pre-configured network lists
The available lists are as follows:
Client Network, Corporate Network, Concentrator Public, Concentrator Private
Click the Mode Config button to access the concentrator group configuration window
Your task is to configure the Cisco VPN 3000 Concentrator so the LMK home office telemarketers VPN users can access the following:
1. Corporate application server, 10.0.1.100, via encrypted tunnel
2. Home office printer, 172.26.26.100, via clear text
3. Web via clear text
Answer:
Q.92 Match each PKI model with its description
Explanation:
First Exchange: Secure the IKE Communications using algorithms and hashes
Second Exchange: Uses DH exchange to generate shared secret keying material
Third Exchange: Verifies the other side’s identity
Main Mode
Main mode provides a way to establish the first phase of an IKE SA, which is then used to negotiate future communications. The first step, securing an IKE SA, occurs in three two-way exchanges between the sender and the receiver. In the first exchange, the sender and receiver agree on basic algorithms and hashes. In the second exchange, public keys are sent for a Diffie-Hellman exchange. Nonces (random numbers each party must sign and return to prove their identities) are then exchanged. In the third exchange, identities are verified, and each party is assured that the exchange has been completed.
Section B
Practice questions
Q.1 You notice that the Power Supply A LED on your VPN 3030 is amber. This could indicate:
A Power Supply A is operating normally
B Power Supply A is not installed
C Power Supply A is not providing the correct voltage
Answer: C
Q.2
Which Cisco VPN Concentrator requires 128 MB of SRAM memory?
Select which answer best describes SEP
A Software Encryption Program
B Scalable Encryption Processor
C Secure Encryption Protocol
D Secure Encryption Process
Answer: B
Q.5 Your network contains 2000 users and a maximum of 1,000 simultaneous encrypted sessions. Select the lowest-cost Cisco VPN Concentrator that could address this scenario.
Q.7 can ease IPSec configuration and are recommended for use with networks where the peers are not always predetermined
A Dynamic crypto maps
Q.10 What command is used to view the certificates stored on your router?
A show crypto ca enroll
B show crypto ca identity
Q.15 What does an amber light on the System LED indicate on a VPN 3000 Concentrator?
A System is powered off
B There is no amber light
C System has crashed and halted
D System is OK
Answer: C
Q.16 Select the true statements regarding Main Mode
A 3rd Exchange: Verified the delta of time between 1st and 2nd Exchange
B 3 two-way exchanges between the initiator and receiver
C 2nd Exchange: Proves the identity
D 1st Exchange: Proves the identity
E 2nd Exchange: Peers agree on a matching IKE SA
F 1st Exchange: Peers agree on a matching IKE SA
Answer: A, B, C, F
Q.17 What are the components of DES encryption?
Q.21 What command is used to view the ISAKMP policies in a format similar to a write terminal command?
A show crypto ipsec security-association lifetime
B show isakmp
C show crypto ipsec sa
D show crypto map secure interface inside
Answer: B
Q.22 What command is used to implicitly permit any packet that came from an IPSec tunnel?
A sysopt connection permit-ipsec
B permit ipsec tunnel
Q.23 Where can you find SCEP?
A Windows 2000 Advanced Server CD
B Windows 2000 Resource Kit
C Windows 2000 Server CD
D Cisco SCEP CD
Answer: B
Q.24 Order the steps to configure IPSec:
A Configure global IPSec SA lifetimes
B Create crypto access lists
C Configure transform set suites
D Apply crypto maps to interfaces
E Create crypto maps
B Encryption is software based
C Hardware is not upgradeable
D 32MB SRAM
Answer: B, C, D
Q.29 What does the RSA-encrypted nonces method use for authentication?
A Cert is the peer’s ID digital cert
B IDi is IP address or FQDN of initiator
C IDr is IP address or FQDN of responder
D Each party generates a pseudorandom number and encrypts it with the other party’s RSA public key
Answer: D
Q.30 Select the true statements regarding ESP
A Data integrity
B Optional data origin authentication
C Limited traffic flow confidentiality
D Data confidentiality
E Anti-replay protection
F Protects IP header
Answer: A, B, C, D, E
Q.31 Select the true statements regarding Cisco Secure VPN 1.1 Client
A Provides VPN Capability on a desktop or laptop computer
B Enables secure client-to-gateway communications over TCP/IP networks
C Enables secure client-to-client communications over TCP/IP networks
D Based on the latest industry-standard IPSec recommendations
Answer: B
Q.34 You notice that only 1 SEP2 module is plugged into a working Cisco VPN Concentrator. Which product are you looking at?
A Supports more simultaneous encrypted sessions
B Supports hardware-based encryption
C Comes with unlimited VPN client user licenses
D Can be upgraded into a VPN 3030
E Requires less memory
Answer: B
Q.37 Order the steps to create a dynamic crypto map set on Cisco IOS:
A Assign dynamic crypto map to a regular crypto map
B Enter the crypto dynamic-map command
C Configure dynamic crypto map parameters
Q.38 What command is used to clear ISAKMP SAs on a PIX Firewall?
A clear crypto ipsec security-association
B clear isakmp
C clear crypto ipsec sa
D clear crypto map secure interface inside
Q.40 What command is used to show the transform-set?
A show crypto ca certificates
B write transform-set