2017 Apr 300-209 free exam questions

Q31. Refer to the exhibit. 

The customer needs to launch AnyConnect in the RDP machine. Which configuration is correct? 

A. crypto vpn anyconnect profile test flash:RDP.xml 

policy group default 

svc profile test 

B. crypto vpn anyconnect profile test flash:RDP.xml 

webvpn context GW_1 

browser-attribute import flash:/swj.xml 

C. crypto vpn anyconnect profile test flash:RDP.xml 

policy group default 

svc profile flash:RDP.xml 

D. crypto vpn anyconnect profile test flash:RDP.xml 

webvpn context GW_1 

browser-attribute import test 


Q32. Which Cisco adaptive security appliance command can be used to view the count of all active VPN sessions? 

A. show vpn-sessiondb summary 

B. show crypto ikev1 sa 

C. show vpn-sessiondb ratio encryption 

D. show iskamp sa detail 

E. show crypto protocol statistics all 


Q33. Which statement describes a prerequisite for single-sign-on Netegrity Cookie Support in an IOC SSL VPN? 

A. The Cisco AnyConnect Secure Mobility Client must be installed in flash. 

B. A SiteMinder plug-in must be installed on the Cisco SSL VPN gateway. 

C. A Cisco plug-in must be installed on a SiteMinder server. 

D. The Cisco Secure Desktop software package must be installed in flash. 


Q34. An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a Web browser. What is a possible reason for the failure? 

A. The user's FTP application is not supported. 

B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode. 

C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode. 

D. The user's operating system is not supported. 




Thin-Client SSL VPN (Port Forwarding) 

A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications. 

Q35. The Cisco AnyConnect client is unable to download an updated user profile from the ASA headend using IKEv2. What is the most likely cause of this problem? 

A. User profile updates are not allowed with IKEv2. 

B. IKEv2 is not enabled on the group policy. 

C. A new profile must be created so that the adaptive security appliance can push it to the client on the next connection attempt. 

D. Client Services is not enabled on the adaptive security appliance. 


Q36. Scenario: 

You are the senior network security administrator for your organization. Recently and junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. 

You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites. 

NOTE: the show running-config command cannot be used for this exercise. 


at is being used as the authentication method on the branch ISR? 

A. Certifcates 

B. Pre-shared keys 

C. RSA public keys 

D. Diffie-Hellman Group 2 



The show crypto isakmp key command shows the preshared key of “cisco”. 

Q37. A user is trying to connect to a Cisco IOS device using clientless SSL VPN and cannot establish the connection. Which three commands can be used for troubleshooting of the AAA subsystem? (Choose three.) 

A. debug aaa authentication 

B. debug radius 

C. debug vpn authorization error 

D. debug ssl openssl errors 

E. debug webvpn aaa 

F. debug ssl error 

Answer: A,B,D 

Q38. The Cisco AnyConnect client fails to connect via IKEv2 but works with SSL. The following error message is displayed: 

"Login Denied, unauthorized connection mechanism, contact your administrator" 

What is the most possible cause of this problem? 

A. DAP is terminating the connection because IKEv2 is the protocol that is being used. 

B. The client endpoint does not have the correct user profile to initiate an IKEv2 connection. 

C. The AAA server that is being used does not authorize IKEv2 as the connection mechanism. 

D. The administrator is restricting access to this specific user. 

E. The IKEv2 protocol is not enabled in the group policy of the VPN headend. 


Q39. Remote users want to access internal servers behind an ASA using Microsoft terminal services. Which option outlines the steps required to allow users access via the ASA clientless VPN portal? 

A. 1. Configure a static pat rule for TCP port 3389 

2. Configure an inbound access-list to allow traffic from remote users to the servers 

3. Assign this access-list rule to the group policy 

B. 1. Configure a bookmark of the type http:// server-IP :3389 

2. Enable Smart tunnel on this bookmark 

3. Assign the bookmark to the desired group policy 

C. 1. Configure a Smart Tunnel application list 

2. Add the rdp.exe process to this list 

3. Assign the Smart Tunnel application list to the desired group policy 

D. 1. Upload an RDP plugin to the ASA 

2. Configure a bookmark of the type rdp:// server-IP 

3. Assign the bookmark list to the desired group policy 


Q40. Refer to the exhibit. 

Which action is demonstrated by this debug output? 

A. NHRP initial registration by a spoke. 

B. NHRP registration acknowledgement by the hub. 

C. Disabling of the DMVPN tunnel interface. 

D. IPsec ISAKMP phase 1 negotiation.