Exam Prep Questions

Question 1

What are some essential components for a common IPSec tunnel? (Choose three.)

  • A. PPP

  • B. IPSec

  • C. Unity Client

  • D. NAT

A1:

Answers A, B, and C are correct. The four components for a typical IPSec tunnel are the PPP and IPSec protocols, the Cisco Unity Client, and the VPN Concentrator. Answer D is incorrect because NAT is not a component for typical IPSec tunnels.

Question 2

What group configuration tab allows you to define IPSec parameters for IPSec over NAT?

  • A. IPSec

  • B. Mode Config/Client Config

  • C. NAT

  • D. PPTP/L2TP

A2:

Answer B is correct. The Client Config or Mode Config tab enables you to define the mode config extensions for parameters such as split tunneling, IPSec over NAT, and backup servers for the clients. Answer A is incorrect because the IPSec tab is used to define parameters such as IPSec SA, IKE validation, tunnel type, authentication and authorization, IP compression, and default preshared keys. Answer C is incorrect because there is no User Management tab called NAT. Answer D is incorrect because the PPTP/L2TP tab contains parameters for setting authentication protocols, encryption, and compression for PPTP and L2TP.

Question 3

Which is the order in which Cisco recommends you define users and groups?

  • A. Users, Base Group, Individual Groups

  • B. Users, Individual Groups, Base Group

  • C. Individual Groups, Base Group, Users

  • D. Base Group, Individual Groups, Users

A3:

Answer D is correct. Cisco recommends you define common parameters in the base group. If you need to configure characteristics that differ from the base group, you can create individual groups to inherit characteristics from the base group. The users are created last and are placed in either the base group (default) or the individual group. Answers A, B, and C are incorrect because they are not identified in the correct order.

Question 4

What servers are available for authenticating users to the concentrator? (Choose four.)

  • A. Concentrator's internal server

  • B. TACACS server

  • C. RADIUS server

  • D. SDI server

  • E. NT Domain Server

  • F. VTP Server

A4:

Answers A, C, D, and E are correct. The VPN concentrator can authenticate users via its internal database server or externally by a RADIUS, SDI, Active Directory/Kerberos, or NT Domain server. Answer B is incorrect because TACACS servers cannot be utilized for user authentication; however, they can be used to authenticate administrators to gain access to the VPN Concentrator. Answer F is incorrect because a VTP server is used in Cisco switches, not Cisco VPN Concentrators.

Question 5

What is the name of the configuration dialog that enables you to define the minimum parameters necessary to initialize the concentrator?

  • A. Concentrator Manager

  • B. CLI

  • C. Quick Configuration

  • D. Fast Configuration

A5:

Answer C is correct. The Quick Configuration dialog is utilized to configure the minimum parameters necessary to initialize the concentrator. Answers B and D are incorrect because they are not names of configuration modes. Answer A is also incorrect because the Concentrator Manager is the HTML-based configuration platform to configure all settings in the VPN Concentrator. Although Quick Configuration can be configured via the Concentrator Manager, the dialog itself is known as Quick Configuration.

Question 6

At which user management tab can you assign usage hour restrictions to users or groups?

  • A. General tab

  • B. Policy tab

  • C. Identity tab

  • D. Group tab

A6:

Answer A is correct. The General tab enables you to assign access hours in addition to password lengths, DNS and WINS parameters, supported tunneling protocols, SEP card assignment, and realm stripping. Answer C is incorrect because the Identity tab is used to define a username or individual group name, in addition to defining preshared keys and passwords. Answers B and D are incorrect because there are no such tabs.

Question 7

What is the technology called that enables the concentrator to define a list of networks for which the client is instructed to tunnel traffic rather than send it in clear text?

  • A. Split Tunneling

  • B. Extended Authentication (XAUTH)

  • C. Perfect Forward Secrecy

  • D. Tunnel Policy Designator

A7:

Answer A is correct. Split tunneling defines a centrally pushed policy that specifically indicates the network destinations that will receive clear text or encrypted traffic over the tunnel. Answer B is incorrect because Extended Authentication is an extension to the IKE exchanges in which the authenticating device prompts for user credentials for the private network access after IKE phase 1 device-level authentication. Answer C is incorrect because Perfect Forward Secrecy is an agreed property established during quick mode in IKE phase 2 in which both peers recalculate another Diffie-Hellman secret key in case the IKE phase 1 DH key was compromised. Answer D is incorrect because there is no such technology as Tunnel Policy Designator.

Question 8

Which is not a major division in the Web-based Concentrator Manager's Navigation Bar?

  • A. Configuration

  • B. Administration

  • C. Support

  • D. Monitoring

A8:

Answer C is correct. The three major divisions in the Concentrator Manager are Configuration, Administration, and Monitoring. The Support shortcut is in the Manager toolbar and is not one of the major divisions.

Question 9

A user in California is complaining that he cannot connect to the VPN 3000 Concentrator located at the main office in New York. All remote access users are assigned login access time restrictions for business hours. It is only 3:00 p.m. in California. What would be the most likely cause of the problem?

  • A. Incorrect IPSec group name on the VPN client.

  • B. Incorrect username and password on the client.

  • C. Wrong encryption algorithm selected for the VPN client.

  • D. Access time restrictions are based upon the concentrator's system time.

A9:

Answer D is correct. Because the concentrator is in a different time zone, the local time of the concentrator would be 7:00 p.m., which is not between the hours of 9:00 a.m. and 5:00 p.m. Answers A, B, and C could all be valid, but given the circumstances presented in the question, D is the most viable answer.

Question 10

You have just applied a backup server list on the VPN 3000 Concentrator. Which of the following are true? (Choose two.)

  • A. If the client has an existing list, the list from the concentrator overwrites the client's list.

  • B. This feature is utilized to supply backup RADIUS servers in case the primary AAA server is not functioning.

  • C. This list is to provide clients alternate concentrators to connect to if the primary is down.

  • D. If a client has an existing list, it is merged with the concentrator list and is given priority.

A10:

Answers A and C are correct. A backup server list is to provide connecting clients with IP addresses of concentrators in case the primary concentrator is not functioning. Answer B is incorrect because the backup server list is for concentrators, not RADIUS servers. Answer D is incorrect because the pushed values to the client override the client's existing list.

Question 11

A user informs you that her PC and her preshared key have been compromised. Where do you change the preshared key in the Concentrator Manager for this user?

  • A. The password field in the Identity tab for users

  • B. The preshared key field in the Identity tab for users

  • C. The preshared key field in the Configuration | System menu

  • D. The password field in the Identity tab for individual groups

A11:

Answer D is correct. Connecting clients use the password configured in the Identity tab of the Configuration | User Management | Groups | Modify or Add screen. Answer A is incorrect because the password field for the user identity is for user authentication to the concentrator's internal database. Answers B and C are incorrect because the preshared key field does not exist.




CSVPN Exam Cram 2 (Exam 642-511)
CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
EAN: 2147483647
Year: 2002
Pages: 185