Answer Key Explanations

Question 1

The correct answers are A, B, C, and D. A is correct because an unstructured threat consists of inexperienced individuals who are motivated by an intellectual challenge rather than a malicious intent. B is correct because a structured threat consists of hackers who are highly motivated and technically competent. C is correct because external threats are individuals and organizations that work outside your organization and do not have authorized access to your network. D is correct because internal threats occur when someone has authorized access to the network with either a user account or physical access. E is incorrect because there is no such thing as a non-filterable threat.

Question 2

The correct answer is A. A reconnaissance attack is classified as an attack where the intruder attempts to discover and map systems, services, and vulnerabilities. B is incorrect because access attack refers to data manipulation, system access, or privilege escalation. C is incorrect because a denial of service attack disables or corrupts networks, systems, and services with a malicious intent to deny service to authorized and intended users. D is incorrect because a virus is a program or piece of code intended to initiate other malicious programs or corrupt programs and file systems.

Question 3

The correct answer is A. Remote access VPN is classified as a VPN that supports the needs of telecommuters, mobile users, and extranet consumer-to-business environments. B is incorrect because site-to-site VPNs are used to connect corporate sites and are classified as an extension of WANs. C is incorrect because firewall-based VPNs are inherently site-to-site VPNs that use a firewall as the tunnel termination point. D is incorrect because it is not a type of VPN.

Question 4

The correct answers are A and B. Only the 3005 and 3015 support software encryption. C, D, and E are incorrect because 3030, 3060, and 3080 all support HW encryption. Hardware encryption is done using the Scalable Encryption Processor (SEP2) modules and the Programmable Digital Security Processor (DSP) based security accelerator.

Question 5

The correct answers are A and B. Cisco 3005 and 3015 both support up to 100 simultaneous sessions. C is incorrect because the 3030 supports 1500 simultaneous sessions. D is incorrect because the 3060 is more robust and it supports 5000 simultaneous sessions. E is incorrect as well because the 3080 is the top of the line and it supports 10000 simultaneous sessions.

Question 6

The correct answer is C. The Cisco 3005 Concentrator supports up to 100 VPN tunnels. They could be 100 remote access tunnels or 100 site-to-site tunnels. In an environment that caters to remote-access as well as site-to-site VPN tunnels, you will have to subtract the total number of site-to-site VPN tunnels from the total tunneling capability of the VPN Concentrator to derive the number of remote access tunnels that can be established. In this case, the answer would be 100 - 36 = 64. In the given scenario, you will be able to establish 64 remote access VPN tunnels.

Question 7

The correct answer is A. As a minimum, you need release 2.5(2) software on the VPN concentrator and release 5.2 software on the PIX firewall to establish a VPN tunnel between a PIX and a VPN concentrator. B is incorrect because the minimum requirement is release 2.5(2) on the concentrator. C is incorrect because it defines the requirements for setting up a site-to-site tunnel between a VPN Concentrator and a Cisco IOS Router. D is incorrect because it is a distracter.

Question 8

The correct answers are B, C, D, and E. IPSec provides a secure path between a pair of gateways, pair of hosts, or gateways and hosts. A is incorrect because IPSec operates on the Network layer of the OSI model.

Question 9

The correct answer is B. Symmetric keys are manually configured on both source and destination tunnel endpoints and have to be identical. A is incorrect because there is no such thing as an analog key. C is incorrect because asymmetric keys use one key to encrypt the traffic and the remote end uses another key to decrypt it. An example of asymmetric keys would be RSA Digital Signatures. D is a fictitious answer.

Question 10

The correct answer is B. With RSA encryption, the receiver decrypts data using its own private key. The sender can then encrypt the message using the sender's public key. Note that the private key does not leave the sender's machine. A is incorrect because a public key is used to encrypt data. C is incorrect because AH is a protocol that is used when data confidentiality is not required. D is not correct because DES is a symmetric key cryptosystem algorithm and is used for data confidentiality.

Question 11

The correct answer is B. DH group 2 uses a key size of 1024 bits. A is incorrect because DH group 1 uses a key size of 768 bits. C is incorrect because DH group 5 uses a key size of 1536 bits. D is incorrect because DH group 7 uses elliptic curve cryptography.

Question 12

The correct answer is B. HMAC-MD5 uses a 128-bit hashing algorithm. A is incorrect because DES is an encryption algorithm that uses 56 bits. C is also incorrect because 3DES is another encryption algorithm that uses 168 bits. D is incorrect because HMAC-SHA-1 uses a 160-bit hash algorithm. HMAC-SHA-1 is the recommended hashing algorithm and is considered more secure than HMAC-MD5 because it is cryptographically stronger.

Question 13

The correct answers are A, B, D, and E. AH provides data integrity and origin authentication for IP packets that pass between source and destination tunnel endpoints. AH also uses a hashing algorithm and provides anti-replay protection. AH does not provide data encryption and all data is sent in clear text only.

Question 14

The correct answers are A, C, and D. A is correct because ESP encrypts the entire IP datagram. B is incorrect because the original datagram is protected by ESP encryption. C is correct because ESP adds a new header and trailer to the original datagram. D is correct because an IP header is always appended to the front of the authenticated payload and a new IP address is used to route packets through the Internet. E is incorrect because the ESP header is placed in front of the encrypted original payload, whereas the ESP trailer is placed at the end of the encrypted data payload.

Question 15

The correct answers are B and D. Main mode has three two-way exchanges between the initiator and receiver. Aggressive mode, on the other hand, has fewer exchanges that are done with fewer packets. A and E are incorrect because they are not valid names for IKE modes. B is incorrect because Quick mode is used in IKE phase 2 negotiations.

Question 16

The correct answer is C. IKE phase 2 has only one mode called Quick Mode (QM). QM occurs after IKE phase 1 is complete and a secure IKE phase 1 tunnel has been established. QM is used to renegotiate a new IPSec SA when the IPSec SA lifetime expires and is also used to refresh the Diffie-Hellman shared secret keys that were derived in IKE phase 1. Answers A and B are incorrect because Main Mode and Aggressive Mode are used for establishing IKE SAs, for performing device-level authentication, and for secret key calculation via Diffie-Hellman. Answer D is incorrect because Passive Mode is not an actual mode of IKE negotiations.

Question 17

The correct answers are A, B, C, D, and E. An IPSec SA constitutes a Security Policy database and a Security Association database. The information included in these parameters is: IPSec protocols (AH and ESP), encryption algorithms, authorization algorithm, hash algorithm, encapsulation mode (tunnel or transport), DH group number, and SA lifetime (in seconds and/or in KB).

Question 18

The correct answer is B. VRRP manages automatic switchover from one Concentrator to another in a redundant installation. Load balancing, on the other hand, is performed on active sessions at connection time. The VPN Concentrator can perform either VRRP or load balancing, not both.

Question 19

The correct answer is D. The non-master sends load information to the master in a form of "keepalive" messages. Load is calculated as a percentage of current active sessions divided by the configured maximum allowed connections. A, C, and E are incorrect because the calculation is based upon the percentage of the maximum as opposed to the total or average. B is incorrect because it uses the maximum allowed connections as opposed to minimum connections.

Question 20

The correct answers are A, B, and C. A is correct because the AYT feature verifies the presence of a firewall and reports that information back to the concentrator. B is correct because when you implement a stateful firewall module, a default firewall policy is loaded on the firewall and the default filter blocks all traffic inbound that is not related to the outbound session. C is correct because the Cisco Pushed Policy (CPP) feature enables the administrator to create a set of rules that allow or disallow traffic on connected VPN clients. Remember, the CPP policies are pushed from the concentrator down to the clients. D is incorrect because there is no firewall mode.

Question 21

The correct answer is D. The Are You There feature verifies the presence of a firewall and reports that information back to the concentrator. This feature is useful when the network administrator requires the remote client to be running a specific firewall before establishing the tunnel. Depending on the response sent by the remote client, the concentrator can permit or deny the IPSec connection. Answer A is wrong because smartcards are not a firewall feature. Answers B and C are incorrect because the Stateful Firewall and the CPP firewall policy do not report back to the concentrator whether a firewall is active.

Question 22

The correct answers are A, C, D, and E. To access the VPN concentrator using CLI, the terminal emulation program must be set to a speed of 9600bps. The concentrator can also be configured through a Web-based GUI interface. When connecting via the Web interface you can establish a session via an HTTP or HTTPS (HTTP over SSL) connection. To configure the concentrator via HTML, you must at least assign an IP address to the private interface. Answer B is incorrect because the speed setting should be 9600bps.

Question 23

The correct answer is C. The Configuration | Quick Configuration submenu exists only in the VPN 3002 Hardware Client. Answers A, B, and C are wrong because Quick Configuration can be run only once. To run it again, you have to reboot the VPN Concentrator to factory default configuration. Quick Configuration is a setup process that enables the minimal parameters necessary to initialize and utilize the VPN Concentrator.

Question 24

The correct answers are A, B, C, and D. All four of the methods specified can be used to obtain the virtual IP address. Remember, on the remote access PC, there are two IP addresses: the IP address assigned to the NIC and the inside virtual IP address. You use the Configuration | Quick | Address Management window to define how all remote access PCs receive the virtual IP address.

Question 25

The correct answer is C. Configuring NT Domain authentication requires the use of the computer name only. Answers A, B, and D are wrong because any other option, such as FQDN, IP address of the domain controller, and administrative password, does not work.

Question 26

The correct answers are A, B, and D. In addition to max connect time, filter, and idle timeout, you can also configure access hours, simultaneous logins, minimum password length, inheritance parameters, and use of non-alphabetic passwords. C is incorrect because the General tab in the Configuration | User Management | Groups | Modify Group window does not define maximum password length.

Question 27

The correct answer is A. The minimum password length is 4, and the maximum is 32 characters. The password for the group name is the shared secret key that is used to authenticate the peer during IKE phase 1. Answers B, C, and D are incorrect because the password lengths stated are not the correct lengths of 4 and 32.

Question 28

The correct answer is B. Maximum Connect Time defines the time after which the system will terminate the connection. Remember, you can set the Maximum Connect Time value to 0 to allow unlimited connection time. However, this is not good practice. A is incorrect because Access Hours defines when users can access the Concentrator. C is incorrect because it is a distracter. Answer D is wrong because the Idle Timeout field is configured with the group idle timeout period in minutes. The VPN Concentrator terminates the connection in case of inactivity on this connection for the configured period of time.

Question 29

The correct answer is D. The Client Config tab is used to configure IPSec client parameters on a group basis. The Client Config tab has three sections: one section for parameters specific to Cisco clients, a second one for Microsoft clients, and a third for common client parameters. Answers A, B, and C are incorrect because these parameter sections do not exist on those tabs.

Question 30

The correct answers are A, B, and D. Split tunneling can be configured in three ways. The three split tunneling parameters are Tunnel Everything (which is the default), Allow Networks in the List to Bypass the Network, and Only Tunnel Networks in List. C is incorrect because that option does not exist.

Question 31

The correct answers are A, B, and D. After the software or hardware client receives the 0.0.0.0/0.0.0.0 network list, it then routes all 172.31.100.0 traffic in clear text. All other traffic is encrypted and sent over the tunnel. C is incorrect because the network list is configured as a wildcard mask (the reverse of a subnet mask), where a 0 in a bit position means the corresponding IP address bit must match and a 1 in a bit position means the corresponding IP address bit is ignored. E is incorrect because local traffic is sent in clear text rather than encrypted.
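To show how the three split tunneling policies from Question 30 and the wildcard-mask matching from Question 31 combine into a per-destination decision, here is an added Python model (written for this answer key; it is not Cisco's client or concentrator code). The network-list entry 172.31.100.0 with wildcard 0.0.0.255 is constructed for the example; the policy names and the 0-means-match, 1-means-ignore mask semantics follow the text above.

```python
# Split tunneling decision with Cisco-style wildcard masks (added example, not
# Cisco's code). Wildcard semantics as the answer key states them: a 0 bit in the
# wildcard means the corresponding address bit must match the network entry,
# a 1 bit means the address bit is ignored.

# The three split tunneling policies named in Question 30.
TUNNEL_EVERYTHING = "Tunnel Everything"
BYPASS_LIST = "Allow Networks in List to Bypass Tunnel"
ONLY_TUNNEL_LIST = "Only Tunnel Networks in List"


def ip_to_int(dotted):
    """Parse a dotted-quad IPv4 string into a 32-bit integer, rejecting bad input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % dotted)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range: %r" % dotted)
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Render a 32-bit integer as a dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_mask_to_wildcard(subnet_mask):
    """The wildcard is the bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return int_to_ip(~ip_to_int(subnet_mask) & 0xFFFFFFFF)


def wildcard_match(address, network, wildcard):
    """True if address falls inside the network-list entry (network, wildcard)."""
    care_bits = ~ip_to_int(wildcard) & 0xFFFFFFFF  # 0 in the wildcard -> bit must match
    return (ip_to_int(address) & care_bits) == (ip_to_int(network) & care_bits)


def in_network_list(address, network_list):
    """network_list is a sequence of (network, wildcard) pairs as entered on the concentrator."""
    return any(wildcard_match(address, net, wc) for net, wc in network_list)


def split_tunnel_decision(address, policy, network_list=()):
    """Return 'tunnel' or 'clear' for a destination address under the given policy."""
    if policy == TUNNEL_EVERYTHING:
        return "tunnel"  # default policy: nothing bypasses the tunnel
    listed = in_network_list(address, network_list)
    if policy == BYPASS_LIST:
        return "clear" if listed else "tunnel"  # listed (local) networks go in clear text
    if policy == ONLY_TUNNEL_LIST:
        return "tunnel" if listed else "clear"  # only listed networks are encrypted
    raise ValueError("unknown split tunneling policy: %r" % policy)


# Constructed network list for the example: one entry covering 172.31.100.0/24,
# expressed with a wildcard mask derived from its subnet mask.
EXAMPLE_NETWORK_LIST = [("172.31.100.0", subnet_mask_to_wildcard("255.255.255.0"))]

if __name__ == "__main__":
    for dst in ("172.31.100.7", "10.1.1.1"):
        for policy in (TUNNEL_EVERYTHING, BYPASS_LIST, ONLY_TUNNEL_LIST):
            decision = split_tunnel_decision(dst, policy, EXAMPLE_NETWORK_LIST)
            print("%-14s %-40s %s" % (dst, policy, decision))
```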

Question 32

The correct answer is D. Split DNS configuration governs how software clients resolve a DNS query packet to be sent in clear text to the ISP-assigned DNS server or encrypted and sent over the tunnel to the corporate DNS server. A is incorrect because DDNS is used in networks to coordinate hostname information between DHCP and DNS servers. B and C are incorrect because they are distracters.

Question 33

The correct answers are B and C. DDNS was supported from Release 3.6. The DDNS feature applies only to the software client connections that are being assigned IP address through a DHCP server. A is incorrect because DDNS was supported starting with Release 3.6. Answer D is incorrect because DDNS applies only to DHCP assigned IP addresses.

Question 34

The correct answer is A. This option works very well in situations where packets are allowed through the tunnel without obstacles. A typical example would be when a client wants to initiate a GET request from an FTP server behind a concentrator for a large file. These large packets would be encapsulated and then fragmented at the IP layer for a successful transmission. B is incorrect because in this option the concentrator will drop large packets that don't have the Don't Fragment (DF) bit set. C is incorrect because in this option the concentrator will fragment tunnel packets that exceed the MTU before encapsulating them. D is incorrect because it does not exist.

Question 35

The correct answers are A, B, and D. The Authentication tab enables you to set your authentication parameters. The Group Access Information is case-sensitive and must match the parameters configured in the Identity tab in the Configuration | User Management | Group Management | Groups page. Answer C is incorrect because the password and group name are case sensitive.

Question 36

The correct answer is D. The purpose of the .pcf file is to create connection entries within the dialer application. Remember that each user profile has a .pcf file associated with it. A is incorrect because the oem.ini file is used to install the software client without user intervention. B is incorrect because the vpnclient.ini file can be used to automatically configure the software client global parameters. C and E are incorrect because they are not actual files in the Cisco Unity Client.

Question 37

The correct answer is C. Remote Access Sessions displays statistics on all remote access sessions. All users connecting to the VPN Concentrator via a VPN client are classified as remote access sessions. A is incorrect because the Session Summary section gives you an overview of all the sessions, as well as the total active, peak concurrent, and total concurrent sessions. B is incorrect because LAN-to-LAN Sessions displays individual LAN-to-LAN sessions. D is incorrect because Management Sessions displays information on all the current management users.

Question 38

The correct answers are B and D. Digital signatures tie a message to the sender's private key, and the sender's public key is used to decrypt the received hash. A is incorrect because the message is always signed by the sender's private key and not the public key. C is incorrect because the sender's public key is used to decrypt the message that was originally signed by the sender's private key.

Question 39

The correct answer is D. The root certificate is installed first on the concentrator because the concentrator uses the public key of the root certificate to authenticate the identity certificate. A is incorrect because the root certificate is required to authenticate the identity certificate. B and C are incorrect because PKCS#7 and PKCS#10 are a set of standard protocols used by different vendors to ensure secure information exchange on the Internet using a public key infrastructure. PKCS stands for public key cryptography standards.

Question 40

The correct answer is A. In a tiered approach, a single root CA signs all certificates. In a hierarchical model, subordinate CAs sign certificates for lower-level CAs. A subordinate CA can act as a Registration Authority (RA). B, C, D, and E are all true about the hierarchical public key infrastructure.

Question 41

The correct answer is C. The Organization Unit (OU) field must match the group attribute data configured on the concentrator. The group name is case-sensitive, so care must be taken when configuring both the OU field and the group name field. To establish the VPN tunnel, the OU and the group name have to be identical. A is incorrect because the Organization field depicts the company name. B is incorrect because Subject Alternative Name defines the FQDN for the concentrator. D is incorrect because Key Size is used to define the key size of the RSA key pair. E is incorrect because Common Name is the unique name of the concentrator.

Question 42

The correct answer is D. Certificate serial number is a unique numerical identifier in the CA domain, and when the certificate is revoked, this certificate number is listed on the Certificate Revocation List. A is incorrect because Issuer specifies the distinguished name of the CA. B is incorrect because Public Key defines the public key and hashing algorithm. C is incorrect because CA Signature is used to sign the CA private key to ensure authenticity. E is incorrect because Validity Period defines the start and expiration period for the certificate.

Question 43

The correct answers are C and D. Digital certificate validation is dependent upon a trust model. For example, if you trust B and B trusts C, then you should trust C as well. This is the underlying principle when validating certificates. C is incorrect because A should trust C in a digital certificate trust model. D is incorrect because digital certificate validation is based on a trust model.

Question 44

The correct answer is A. File-based enrollment is a manual process. After this request file has been created with PKCS#10, you can either mail the file to the CA and receive a certificate back, or simply access the CA's Web site and cut and paste the enrollment request in the area that the CA provides. B is incorrect because network-based enrollment is an automated process that connects to the CA directly via Simple Certificate Enrollment Protocol (SCEP). C and D are incorrect because they are not certificate enrollment types.

Question 45

The correct answer is A. During IKE phase 1 negotiation, if CRL checking is enabled, the Concentrator verifies the revocation status of the certificate of the IKE peer before IPSec tunnel establishment. B, C, and D are incorrect because the CRL checking is done during IKE phase 1.

Question 46

The correct answers are A and C. When choosing HTTP, make sure that you assign HTTP rules to the public interface of the concentrator. However, if you are using LDAP, you have to configure LDAP DP default values. An example of a valid HTTP URL would be http://172.31.100.100/CertEnroll/THECA.cri. B, D, and E are incorrect because they are not utilized to retrieve a CRL from a distribution point.

Question 47

The correct answer is B. The Department Name field must match the group name configured on the concentrator. Remember, the Department Name and group names are case-sensitive. A is incorrect because Common Name refers to the unique name of this certificate. C is incorrect because the Company field identifies the company name. D is incorrect because IP Address is the IP address of your machine. E is incorrect because the Domain field refers to the FQDN of your machine. Only the Common Name and Department are required fields.

Question 48

The correct answers are A, B, C, and E. SCEP is an automated process, and for SCEP to work, the CA must be able to communicate with the Certificate Manager on the Cisco VPN Client. If the CA is new, you will be required to add the URL or network address of the CA server, the domain to which it belongs, and a password (if required). If you have used that CA before, you can use the pre-existing CA information as well. D is incorrect because you cannot configure the IKE proposal on the Cisco VPN Unity Client.

Question 49

The correct answers are A, B, C, and D. Cisco VPN Concentrator contains four firewall features that can be used to enhance system security on a Windows-based PC running Cisco Software Client.

Question 50

The correct answer is A. Are You There (AYT) verifies whether a specific firewall is operational on the client PC after tunnel establishment. B is incorrect because Stateful Firewall, if turned on, blocks all inbound traffic that is not related to an outbound session, with the exception of DHCP and ARP traffic. C is incorrect because Centralized Policy Protection (CPP) allows network administrators to centrally define firewall policies for the connected VPN clients. The CPP is always pushed down from the Concentrator to the software clients at connection time. D is incorrect because CIC is a firewall module integrated into the Cisco software client.

Question 51

The correct answer is C. AYT, CIC, and CPP can be configured under the Client FW tab. A is incorrect because the General tab lets you configure general security, access, performance, and tunneling protocol parameters that apply to an internally configured group. B is incorrect because the HW Client tab lets you configure interactive hardware client authentication and individual user authentication for a specific group. D is incorrect because the PPTP/L2TP tab lets you configure PPTP and L2TP parameters that apply to an internally configured group. E is incorrect because these parameters apply to a group's IPSec clients.

Question 52

The correct answers are B, D, and E. The default stateful firewall blocks all inbound traffic that is not related to the outbound session, with the exception of DHCP and ARP. A is incorrect because inbound traffic is blocked unless associated with an existing outbound session. Answer C is incorrect because ARP is allowed to pass through the stateful firewall. When the stateful firewall is enabled, it is always on. The firewall is active for both tunneled and non-tunneled traffic.

Question 53

The correct answers are A, B, C, and D. Building Custom CPP is a four-step process. In most cases, the default policy works just fine. If you want to control the outbound clear text traffic to a few protocols or to a handful of remote locations, you have to create a new policy. E is incorrect because the policy is not applied directly to the CIC client, but is pushed from the central concentrator.

Question 54

The correct answer is D. The AutoInitiationEnable parameter enables Auto-initiation. Auto-initiation is an automated process for establishing wireless VPN connections in a LAN environment. A is incorrect because the AutoInitiationList parameter is a list of Auto-initiation related sections in the vpnclient.ini. B is incorrect because AutoInitiationEnableNow is not a valid parameter. C is incorrect because AutoInitiationRetryInterval specifies the time to wait in minutes before retrying auto-initiation after a connection failure.

Question 55

The correct answer is C. The Management Sessions table under the Monitoring | Sessions window shows parameters and statistics for all active administrator management sessions. A is incorrect because to view the active remote access sessions, you have to view the Remote Access Sessions table. B is incorrect because to view the active IPSec LAN-to-LAN sessions, you have to view the LAN-to-LAN session table. D is incorrect because the Session Summary table shows the summary total for LAN-to-LAN, remote access, and management sessions.

Question 56

The correct answer is C. The Severity to Log option can be used to select the range of severity values to enter on the log. A is incorrect because the Severity to Console option can be used to select the range of severity values to display on the console. B is incorrect because the Severity to Syslog option can be used to select the range of severity levels to be sent to a syslog server. D is incorrect because the Severity to Email option can be used to select the range of severity levels for emails to the recipient.

Question 57

The correct answer is C. The Monitoring | Live Event Log window displays events in the current event log and automatically refreshes every 5 seconds. Remember, if the Live Event Log window is active, the administrator session to the concentrator would never time out because each automatic window update would reset the inactivity timer. A is incorrect because the Monitoring | Statistics | NAT window shows statistics for NAT (Network Address Translation) activity on the VPN Concentrator since it was last booted or reset. B is incorrect because it is a distracter. D is incorrect because the Monitoring | Filterable Event Log window shows the events in the current event log and lets you filter, display, and manage events by various criteria.

Question 58

The correct answers are A, B, C, and D. The Monitoring | Filterable Event Log window enables GUI access to the current event log. The event log can hold up to 2048 events in the 3015 models and up to 256 in the 3005 model. When the event log is full, older events are overwritten by newer event entries.

Question 59

The correct answer is E. The User account has very limited rights. In this account you have view and read privileges only. A is incorrect because the admin account has full access to the system and is the only account that is enabled by default. B is incorrect because the config account has all rights of the admin account except SNMP access. C is incorrect because the isp account has very limited general configuration rights. D is incorrect because the mis account has the same rights as a config account.

Question 60

The correct answer is A. To use the default port number for TACACS+ authentication, you use 0. The default port number that TACACS+ uses is TCP port 49. Answers B, C, and D are incorrect because those numbers would be interpreted by the concentrator as the actual port number.

Question 61

The correct answer is D. The Reboot ignoring the configuration file option ignores the active configuration and reboots the system to factory defaults. A is incorrect because the Reboot option simply reboots the system. B is incorrect because this option saves the active configuration file and then reboots the system. C is incorrect because this option does not save the active configuration file, and instead reboots the system with the last saved configuration.

Question 62

The correct answers are A, B, D, and F. Client update information is entered in the Configuration | User Management | Groups | Client Update | Add window. The Client Type field identifies the type of client that needs to be updated. For example, windows can be used for all Windows clients. The URL field contains the location of the software. Revision number is used to ensure that if the client is not running the software version on the list, the update will not be carried out. Answers C and E are incorrect because those fields do not exist in the Client Update menus.

Question 63

The correct answers are A, C, and D. If the reserved bandwidth is 64Kbps on a 1.544Mbps link, you can have a total of 24 (1.544Mbps÷64K) concurrent connections. It is true that the first connection will have a reserved bandwidth of 64Kbps and it will also have access to the remainder of the bandwidth. As more connections are established to the concentrator, less bandwidth remains that can be used by these connections. B is incorrect because after 24 connections are established, the concentrator does not allow any more connections.

Question 64

The correct answers are A, B, and C. By default, network extension mode is not enabled on the HW Client. The IP address of the HW Client must be changed from 192.168.10.1 to any other IP address to use the network extension functionality. Network Extension mode must also be allowed on the group HW Client parameters on the VPN 3000 Concentrator for each group that contains the 3002 Hardware Clients. D is incorrect because the private interface already has an IP address of 192.168.10.1. Answer E is incorrect because the default mode is Client or PAT mode.

Question 65

The correct answers are A, B, and C. In Interactive unit authentication, if the Require Interactive Hardware Client Authentication box is selected, the HW Client does not save the user password and the user must supply username and password parameters. If the Require Interactive Hardware Client Authentication box is deselected, the HW Client saves the username and password information in the memory and this is the default setting. D is incorrect because the HW Client does not save the user password if selected. Answer E is incorrect because if deselected, the HW Client supplies the username and password from memory.

Question 66

The correct answer is C. When configuring Individual user authentication, navigate to the Configuration | User Management | Groups | HW Client tab and select Require Individual User Authentication. Answers A, B, and D are incorrect because the individual authentication is enabled only on the HW Client tab.

Question 67

The correct answers are A, B, and C. The Use Client Configured List option instructs the clients to use their own backup server list. The Disable and Clear Configured List option instructs the clients to clear their backup server list and disable the feature. The Use List Below option (default) instructs the clients to use the backup server list supplied by the concentrator and overwrite their current entries. Answer D is incorrect because that option does not exist for the backup server options.

Question 68

The correct answers are A, B, C, and D. To configure load balancing, VCA capability must be configured on both private and public interfaces. VCA filter enables VCA messages to flow between cluster concentrators.

Question 69

The correct answer is D. Reverse Route Injection allows a concentrator to add static or host routes to its routing table and announce these routes to its internal network by using OSPF or outbound RIP. Answer A is not an actual feature. Answers B and C are incorrect because they are authentication modes for the VPN 3002 Hardware Client.

Question 70

The correct answer is B. The Network Extension RRI feature applies to only the HW Clients using network extension mode. You can enable Network Extension RRI by going to Configuration | System | IP Routing | Reverse Route Injection window and selecting the Network Extension Reverse Route Injection check box. Remember, the routes are deleted when the client disconnects from the VPN Concentrator. Answers A and C are incorrect because they are not actual RRI modes. Answer D is incorrect because Client RRI does not add network routes to the routing table. Client RRI adds the individual assigned private virtual addresses assigned by the Concentrator.

Question 71

The correct answer is C. The AUTOUPDATE event class enables you to view update-specific information in the Monitoring | Filterable Event Log window on the Cisco HW Client. If the HW Client release version in the notification message does not match the HW Client's current version, the HW Client automatically upgrades the software from the TFTP URL. Answers A, B, and D are incorrect because those event classes are used to troubleshoot authentication. Answer E is incorrect because that is not a valid event class.

Question 72

The correct answers are B and C. IPSec over UDP must be enabled on the concentrator. You can do that by selecting a specific group under Configuration | User Management | Groups and then navigating to the Client Config tab. UDP port 4500 is used for NAT-T and should not be chosen as a port number for IPSec over UDP. By default, IPSec over UDP uses UDP port 10000. Answer A is incorrect because IPSec over UDP is not enabled by default. Answer D is incorrect because the default UDP port is 10000. Answer E is incorrect because you should not use UDP port 4500, because it is used by NAT-T if it is globally enabled on the Concentrator.

Question 73

The correct answers are B and E. IPSec over TCP is a global parameter. After it is enabled, all frames are encapsulated in IPSec over TCP regardless of which group software clients belong to. You can supply up to 10 comma-delimited port addresses in IPSec over TCP so that different software clients can use different TCP port numbers. Answers A, C, and D are incorrect because these attributes of IPSec over TCP are true.

Question 74

The correct answers are D, E, and F. DES, 3DES, and AES are encryption options. Advanced Encryption Standard (AES) encryption provides greater security than DES and is more efficient than Triple DES. Support for AES has been incorporated on the concentrator from release 3.6. Answers A, B, and C are incorrect because None, HMAC-MD5-128, and HMAC-SHA-160 bit are authentication options.

Question 75

The correct answer is A. The Network Auto-Discovery (NAD) feature dynamically discovers and continuously updates the private network addresses on each side of the LAN-to-LAN connection. For NAD to work, inbound RIP has to be enabled on the private interface of both Concentrators. OSPF NAD is not supported. Answers B, C, and D are not features that automatically discover networks for LAN-to-LAN connections.


CSVPN Exam Cram 2 (Exam 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185
