We provide real 300-209 exam questions and answers braindumps in two formats. Download PDF & Practice Tests. Pass Cisco 300-209 Exam quickly & easily. The 300-209 PDF type is available for reading and printing. You can print more and practice many times. With the help of our Cisco 300-209 dumps pdf and vce product and material, you can easily pass the 300-209 exam.

Q111. Scenario: 

You are the senior network security administrator for your organization. Recently and junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office. 

You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites. 

NOTE: the show running-config command cannot be used for this exercise. 


Which crypto map tag is being used on the Cisco ASA? 

A. outside_cryptomap 

B. VPN-to-ASA 

C. L2L_Tunnel 

D. outside_map1 



This is seen from the “show crypto ipsec sa” command on the ASA. 

Q112. In a spoke-to-spoke DMVPN topology, which type of interface does a branch router require? 

A. Virtual tunnel interface 

B. Multipoint GRE interface 

C. Point-to-point GRE interface 

D. Loopback interface 


Q113. Which protocols does the Cisco AnyConnect client use to build multiple connections to the security appliance? 

A. TLS and DTLS 

B. IKEv1 

C. L2TP over IPsec 

D. SSH over TCP 


Q114. Which four activities does the Key Server perform in a GETVPN deployment? (Choose four.) 

A. authenticates group members 

B. manages security policy 

C. creates group keys 

D. distributes policy/keys 

E. encrypts endpoint traffic 

F. receives policy/keys 

G. defines group members 

Answer: A,B,C,D 

Q115. Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel? 

A. show crypto ipsec sa 

B. show crypto isakmp sa 

C. show crypto ikev2 sa 

D. show ip nhrp 


Q116. Which group-policy subcommand installs the Diagnostic AnyConnect Report Tool on user computers when a Cisco AnyConnect user logs in? 

A. customization value dart 

B. file-browsing enable 

C. smart-tunnel enable dart 

D. anyconnect module value dart 


Q117. Refer to the exhibit. 

Which technology is represented by this configuration? 

A. AAA for FlexVPN 

B. AAA for EzVPN 

C. TACACS+ command authorization 

D. local command authorization 


Q118. Which VPN type can be used to provide secure remote access from public internet cafes and airport kiosks? 

A. site-to-site 

B. business-to-business 

C. Clientless SSL 




Answer: Here are the steps as below: 

Step 1: configure key ring 

crypto ikev2 keyring mykeys 

peer SiteB.cisco.com 


pre-shared-key local $iteA 

pre-shared key remote $iteB 

Step 2: Configure IKEv2 profile 

Crypto ikev2 profile default 

identity local fqdn SiteA.cisco.com 

Match identity remote fqdn SiteB.cisco.com 

Authentication local pre-share 

Authentication remote pre-share 

Keyring local mykeys 

Step 3: Create the GRE Tunnel and apply profile 

crypto ipsec profile default 

set ikev2-profile default 

Interface tunnel 0 

ip address 

Tunnel source eth 0/0 

Tunnel destination 

tunnel protection ipsec profile default 


Q120. Which algorithm provides both encryption and authentication for data plane communication? 

A. SHA-96 

B. SHA-384 

C. 3DES 

D. AES-256 


F. RC4