Answer Key Explanations

Question 1

The correct answers are B and D. A person who has motivation and possesses the technical expertise to hack into a network system is classified as a structured threat. D is also correct because James, being an employee of the company, puts him in the internal threat category as well. Remember, unstructured threats consist of inexperienced people who are intellectually challenged rather than having malicious intent. External threats occur when someone outside your network tries to hack into your network.

Question 2

The correct answer is C. Denial of Service is classified as an attack that disables or corrupts networks, systems, and services with a malicious intent to deny service to authorized and intended users. DoS can also be as simple as wiping out or corrupting information necessary for business. A is incorrect because a reconnaissance attack is classified as an attack where the intruder attempts to discover and map systems, services, and vulnerabilities. B is incorrect because an access attack involves data manipulation, system access, or privilege escalation.

Question 3

The correct answer is A. To implement a dedicated VPN with site-to-site tunnels and a few remote access VPNs, a VPN-enabled router, such as a Cisco 7100, would be the best choice. B is incorrect because VPN 3000 Concentrators can be implemented if the primary role is to perform remote access VPN with a few site-to-site VPNs. C is incorrect because a firewall would be classified as a firewall-based VPN solution. The primary role of the firewall would be to protect the internal network.

Question 4

The correct answers are C, D, and E. Cisco 3030, 3060, and 3080 Concentrators all support HW encryption. Hardware encryption is done using the Scalable Encryption Processor (SEP2) modules that contain a Programmable Digital Security Processor (DSP)-based security accelerator. A and B are incorrect because Cisco 3005 and 3015 Concentrators support software encryption.

Question 5

The correct answer is C. Cisco 3030 VPN Concentrator supports up to 500 simultaneous site-to-site tunnels and would be the best bet. A and B are incorrect because the 3005 and 3015 VPN Concentrators support up to 100 site-to-site tunnels. D is incorrect because although the Cisco 3060 Concentrator supports up to 1000 site-to-site tunnels, Cisco 3030 would be the best choice because cost is the driving force.

Question 6

The correct answer is E. The Cisco 3080 Concentrator supports up to a maximum of 10,000 remote access tunnels or 1,000 site-to-site tunnels. In an environment that caters to remote access as well as site-to-site VPN tunnels, you have to subtract the total number of site-to-site VPN tunnels from the total tunneling capability of the VPN Concentrator to derive the number of remote access tunnels that can be established. In this case, the answer would be 10000 - 728 = 9272. In the given scenario, you can establish 9272 remote access VPN tunnels.

Question 7

The correct answer is C. C is correct because you need minimum release 2.5(2) software on the VPN concentrator and release 12.1 software on the router to establish a site-to-site VPN tunnel between a router and a VPN concentrator. Answer A is incorrect because those would be the requirements for the concentrator connecting to the PIX firewall. B is incorrect because the minimal release for the concentrator is 2.5(2). E is incorrect because there is no release 5.2 for the concentrator.

Question 8

The correct answer is D. Anti-replay verifies that each packet is unique and not duplicated. The packets are protected by comparing the sequence numbers of the received packets and the sliding window on the destination device. A is incorrect because confidentiality is associated with encryption of data packets that involves some kind of encryption algorithm. B is incorrect because data integrity is associated with the fact that the data that was transmitted was not changed or altered and is achieved by some kind of hashing mechanism. C is incorrect because origin authentication is linked with authentication of the source of the packet guaranteeing and certifying the source of the information, and it can be achieved by using authentication methods.
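The sliding-window check described in this answer, as an added illustration that is not part of the original answer key: the receiver tracks the highest sequence number accepted and a bitmap of recently seen numbers, rejecting duplicates and packets that have fallen behind the window. The 64-entry window and the bitmap layout are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class AntiReplayWindow:
    """Receiver-side anti-replay state for one IPSec security association.

    highest: highest sequence number accepted so far.
    bitmap:  bit i set means sequence number (highest - i) has been seen.
    """
    size: int = 64      # window width in packets (assumed; 64 is a common default)
    highest: int = 0
    bitmap: int = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is unique and inside the window (accept), else False."""
        if seq == 0:
            return False  # sequence number 0 is never valid for a protected packet
        if seq > self.highest:
            # Packet is newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # jumped past the whole window; only seq is marked
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False  # too old: fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return False  # already seen: this is a replayed packet
        self.bitmap |= 1 << diff  # late but unseen: accept and mark it
        return True


def replay_check_sequence(seqs, size=64):
    """Run a constructed stream of sequence numbers through one window.

    Returns a list of (sequence_number, accepted) pairs.
    """
    window = AntiReplayWindow(size=size)
    return [(s, window.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: in-order packets, a duplicate, a reordered packet,
    # an old replay, a large jump, and a packet that is now too old.
    for seq, ok in replay_check_sequence([1, 2, 3, 2, 5, 4, 1, 70, 3, 8]):
        print(f"seq={seq:3d} {'accept' if ok else 'drop'}")
```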

Question 9

The correct answer is C. With asymmetric key encryption, the local end uses one key to encrypt, and the remote end uses another key to decrypt the traffic. A is incorrect because there is no such thing as an analog key. B is incorrect because symmetric keys are manually configured on both source and destination tunnel endpoints and have to be identical. With symmetric key encryption, each peer uses the same key to encrypt and decrypt the data. D is incorrect because there is no encryption method called auto-configurable.

Question 10

The correct answer is A. With RSA encryption, the remote tunnel endpoint uses its own private key to encrypt data, and uses the sender's public key to decrypt it. This technique is used in implementing digital certificates. B is incorrect because a private key is used only to encrypt data. C is incorrect because preshared keys are used in symmetrical encryption. D is incorrect because Diffie-Hellman is used to formulate a shared secret key to protect IKE exchanges and provide keying material for bulk encryption keys.

Question 11

The correct answer is C. DH group 5 uses a key size of 1536 bits. A is incorrect because DH group 1 uses a key size of 768 bits. B is incorrect because DH group 2 uses a key size of 1024 bits. D is incorrect because DH group 7 uses elliptic curve cryptography for hand-held mobile devices.

Question 12

The correct answers are A, B, and C. A is correct because a preshared key is a secret value that is manually entered on each peer to facilitate authentication. B is correct because RSA encrypted nonces use pseudo-random numbers that are generated at each peer. After these nonces are established, they are then used for authentication purposes. C is correct because RSA signatures rely on digital certificates to authenticate peers. D and E are incorrect because DES and 3DES are encryption algorithms.

Question 13

The correct answers are A and D. A is correct because Authentication Header (AH) provides authentication and integrity. B and C are incorrect because these protocols do not exist. D is correct because Encapsulating Security Payload (ESP) can be used to provide both encryption and authentication.

Question 14

The correct answers are B and C. In IKE Phase 1, a basic set of security services is negotiated and agreed upon to form an IKE SA. This basic set of security is used to protect all subsequent communications between peers. In IKE Phase 2, IPSec security parameters are exchanged and negotiated for bulk data encryption. A is incorrect because in this step you define interesting traffic. D is incorrect because data transfer happens based on the keys stored in the Security Association (SA) database. E is incorrect because the SA is terminated in this step through deletion or timeout.

Question 15

The correct answer is B. A security association (SA) is a one-way logical connection that provides security to all traffic passing through the connection. A is incorrect because the Security Parameter Index (SPI) is what the VPN device uses to identify an SA by associating it with a number. C is incorrect because the Security Association Database (SAD) is a database that contains the destination IP address, IPSec protocol, and SPI. D is incorrect because it does not exist.

Question 16

The correct answer is C. In a cluster, this virtual IP address is not tied to a specific physical device in the VPN cluster but is serviced by the virtual cluster. Note that this IP address is a valid routable IP address. A, B, and D are incorrect because a cluster is always known by the virtual IP address assigned to it.

Question 17

The correct answer is C. The virtual cluster master maintains load information from all other non-masters. The non-masters send load information to the master in the form of keepalive messages. As an administrator, you can limit the number of connections on a concentrator. A, B, and D are incorrect because the master maintains load information only from other non-master concentrators in the cluster.

Question 18

The correct answers are A, B, C, D, and E. In addition to all the mentioned clients and protocols, Cisco VPN Concentrator also supports Windows and Solaris clients. The Cisco VPN Concentrator also supports PPTP clients in Windows dial-up networking 1.3 and L2TP over IPSec in Windows 2000 as the tunneling protocols.

Question 19

The correct answer is A. When the stateful firewall module is enabled, a default firewall policy is loaded on the firewall and the default filter blocks all traffic inbound that is not related to the outbound session. B is incorrect because the AYT feature verifies the presence of a firewall and reports that information back to the concentrator. C is incorrect because the CPP feature enables the admin to create a set of rules that allow or disallow traffic on connected VPN Clients. D is incorrect because VRRP firewalls do not exist.

Question 20

The correct answers are A and C. The Cisco 3002 VPN Hardware Client comes with one private interface, one public interface, and one console port. On the other hand, the Cisco 3002-8E VPN Hardware Client comes with one public interface, one console port, and a private interface with a built-in 8-port 10/100BaseT Ethernet switch rather than a single private Ethernet interface. The private interface can be used to configure the HW client via HTTP, HTTPS, SSH, and Telnet. The console port can be used to access the CLI of the HW Client. B is incorrect because you cannot use the public interface to configure the device by default. You can change the configuration to allow this support, but doing so allows users on the Internet to gain access to the concentrator's operating system. D is incorrect because you can Telnet to the CLI interface of the Cisco 3002 Hardware Client through the private interface.

Question 21

The correct answers are B and C. Quick Configuration enables you to configure the minimal parameters for operation. However, Quick Configuration installs only the minimal parameters to initialize the concentrator. You may require additional configuration, for which you must use the VPN 3000 Concentrator Manager. A and D are both incorrect because there is no such thing as a Setup mode or Privilege mode on the concentrator.

Question 22

The correct answers are A, C, and E. The Configuration | Quick | Protocols submenu can be used in configuring the L2TP, PPTP, and IPSec remote access protocols. The VPN concentrator can support all three protocols, but it is recommended that you turn on only those protocols that you will be using. B and D are incorrect because RIP and OSPF are routing protocols and not tunneling protocols.

Question 23

The correct answer is B. It is highly recommended that you use this method if you are authenticating against an external or internal authentication server. A is incorrect because the Client Specified option is used to enable VPN Clients to specify their own IP addresses. C is incorrect because you would choose this option if you were using DHCP to assign IP addresses. D is incorrect because you would use this option if the concentrator would assign IP addresses from an internal pool.

Question 24

The correct answers are A, C, D, and E. The Server Type field enables you to configure the RADIUS authentication server, NT domain authentication, SecurID server, and internal concentrator authentication server. The internal concentrator server is limited to a maximum of 100 groups and users. Answer B is not a valid option for a concentrator authentication server.

Question 25

The correct answers are A, B, and D. A is correct because the Default Group is a default template, and the majority of access rights and privileges are defined in this group. B is correct because the Groups category allows you to define different rights and privileges for individual groups. D is correct because you can use the Users group to assign special privileges to certain users. C is incorrect because it does not exist in the User Management tree.

Question 26

The correct answer is D. The Idle Timeout field is configured for the group idle timeout period in minutes. The VPN Concentrator terminates the connection in case of inactivity on this connection for the configured period of time. Remember, you can set the Idle Timeout value to 0 to allow unlimited connection time regardless of activity on the link. However, this is not a good practice. A is incorrect because Access Hours define when users can access the Concentrator. B is incorrect because Maximum Connect Time defines the time after which the system will terminate the connection. C is incorrect because it is not an actual field in the Concentrator Manager.

Question 27

The correct answer is B. Network Authentication is also known as extended authentication or XAUTH, and is used in corporate networks to provide a secondary level of authentication. A is incorrect because concentrator authentication is used to set up users' rights and privileges in conjunction with the concentrator. C and D are incorrect because they are not related to XAUTH.

Question 28

The correct answer is D. Split tunneling parameters are configured under the Client Config tab. Split tunneling can be configured in three ways. The three split tunneling parameters are Tunnel Everything (which is the default), Allow Networks in the List to Bypass the Network, and Only Tunnel Networks in List. Answers A, B, and C are incorrect because the split tunneling parameters are configured only on the Client Config tab.

Question 29

The correct answer is A. Split tunneling can be configured in three ways. To implement split tunneling, the concentrator pushes specific IP addresses to the Software Client. If the traffic is bound for one of these addresses, it is encrypted and sent back to the concentrator. All other IP addresses are sent in clear text and routed normally by the ISP. B is incorrect because the Tunnel Everything Except Local LAN Traffic option encrypts all traffic except the traffic destined for the local LAN. C is incorrect because Tunnel Everything tunnels all traffic. D is incorrect because One-way tunneling does not exist.

Question 30

The correct answers are A, C, and D. To configure split tunneling, you enable split tunneling by selecting the Only Tunnel Networks in the List option or Allow the Networks in List to Bypass the Tunnel option. After the option is selected, you can then choose the appropriate network list from the Split Tunneling Network List drop-down menu. Answer B is incorrect because Tunnel Everything is the default value, in which all traffic is encrypted and sent over the VPN tunnel. Split tunneling entails allowing other traffic to be sent in clear text to different destinations aside from the tunnel.
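The decision described in Questions 28 through 30, as an added example that is not part of the original answer key: given the split tunneling mode and the pushed network list, decide whether a destination is encrypted over the tunnel or sent in clear text. The mode names mirror the three options on the Client Config tab; the CIDR network lists and destination addresses are constructed sample data.

```python
import ipaddress
from enum import Enum


class SplitTunnelMode(Enum):
    """The three split tunneling options on the Client Config tab."""
    TUNNEL_EVERYTHING = "Tunnel Everything"  # default: all traffic is encrypted
    ONLY_TUNNEL_NETWORKS_IN_LIST = "Only Tunnel Networks in List"
    ALLOW_NETWORKS_IN_LIST_TO_BYPASS_TUNNEL = "Allow Networks in List to Bypass Tunnel"


def build_network_list(cidrs):
    """Parse the network list the concentrator pushes to the client."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def should_tunnel(dst_ip, mode, network_list):
    """Return True if traffic to dst_ip is encrypted over the tunnel, False if clear."""
    ip = ipaddress.ip_address(dst_ip)
    if mode is SplitTunnelMode.TUNNEL_EVERYTHING:
        return True  # no split tunneling: every destination goes over the VPN
    in_list = any(ip in net for net in network_list)
    if mode is SplitTunnelMode.ONLY_TUNNEL_NETWORKS_IN_LIST:
        return in_list  # listed (corporate) networks tunneled, the rest via the ISP
    # Bypass mode inverts the list: listed networks go clear, everything else tunneled.
    return not in_list


def partition_flows(destinations, mode, network_list):
    """Split a batch of destination addresses into tunneled and clear-text sets."""
    tunneled = [d for d in destinations if should_tunnel(d, mode, network_list)]
    clear = [d for d in destinations if d not in tunneled]
    return tunneled, clear


if __name__ == "__main__":
    # Constructed corporate network list and a mix of internal/external destinations.
    corp = build_network_list(["10.0.0.0/8", "172.16.0.0/12"])
    dsts = ["10.1.2.3", "172.20.5.9", "8.8.8.8", "192.168.1.5"]
    for mode in SplitTunnelMode:
        print(mode.value, partition_flows(dsts, mode, corp))
```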

Question 31

The correct answers are A, B, C, E, and F. The Split DNS configuration governs whether a Software Client sends a DNS query in clear text to the ISP-assigned DNS server or encrypts it and sends it over the tunnel to the corporate DNS server. D is incorrect because Split DNS requires you to define the corporate DNS servers only.

Question 32

The correct answer is B. IPSec fragmentation provides a way to handle issues where a router or NAT device between the client and the concentrator drops the packet because the packet size is greater than the configured MTU. A, C, and D are incorrect because they are not valid fragmentation techniques that are configured in the VPN Concentrator.

Question 33

The correct answer is C. Checking the Allow Local LAN Access check box enables a user to access resources on his local LAN. The user can disable local LAN access when using an insecure local LAN. This would be a viable option for people who travel for work. A is incorrect because the Allow IPSec Over UDP (NAT/PAT) option enables the Unity Client to connect to the Concentrator using UDP through a firewall or a router that is running NAT. B is incorrect because the Use IPSec Over TCP (NAT/PAT/Firewall) option enables the Unity Client to connect to the Concentrator by using TCP through a firewall or a router that is running NAT. D is incorrect because Peer Response Timeout defines the number of seconds a Unity Client waits before deeming the peer as inactive.

Question 34

The correct answer is B. The vpnclient.ini file can also be bundled with the Unity Client when it is first installed. The vpnclient.ini file automatically configures the Cisco VPN Client's global parameters. A is incorrect because the oem.ini file is used to install the Cisco VPN Client without user intervention. C, E, and F are incorrect because these files do not exist in the VPN Client. D is incorrect because the purpose of the .pcf file is to create connection entries within the dialer application.

Question 35

The correct answer is A. The Session Summary section gives you an overview of all the sessions, as well as the total active, peak concurrent, and total concurrent sessions. B is incorrect because LAN-to-LAN Sessions displays individual LAN-to-LAN sessions. C is incorrect because Remote Access Sessions displays statistics on all remote access sessions. D is incorrect because Management Sessions displays information on all the current management users.

Question 36

The correct answer is E. To access detailed information on individual sessions, click on the Username hyperlink in the window to bring up the Monitoring | Sessions | Detail screen. Session Details provides specific information about hashing algorithms, authentication modes, encapsulation modes, encryption algorithms, and more. A, B, and C are incorrect because they are not actual menus in the VPN Concentrator Manager. D is incorrect because the Monitoring | Sessions window displays only basic information about individual sessions.

Question 37

The correct answers are A, B, C, D, and E. Remember, only a specific private key will produce a matching digital signature. The private key never leaves the machine.

Question 38

The correct answer is B. Public Key Infrastructure (PKI) makes it possible to generate and distribute keys within secure domains and enables a CA to issue keys, certificates, and certificate revocation lists in a secure manner. A, C, and D are incorrect because they are not valid infrastructures.

Question 39

The correct answers are A, B, C, and E. The end-user must obtain a digital certificate from the CA to participate in certificate exchange. D is incorrect because a root certificate is always installed first. While installing the identity certificate, the user uses the public key of the root certificate to validate the signature of the identity certificate. This is also known as the enrollment process.

Question 40

The correct answer is C. The Organization Unit (OU) field must match the group attribute data configured on the concentrator. The group name is case sensitive and acute caution must be used when configuring the OU field as well as the group name field. To establish the VPN tunnel, both the OU and the group name have to be identical. A is incorrect because the Organization field depicts the company name. B is incorrect because Subject Alternative Name defines the FQDN for the concentrator. D is incorrect because Key Size is used to define the key size of the RSA key pair. E is incorrect because Common Name is the unique name of the concentrator.

Question 41

The correct answers are A, B, and D. Before installing the identity certificate, the concentrator must validate it by checking the expiration, revocation, and CA authentication parameters. After it is validated, the certificate is installed on the concentrator and the identity certificate can now be exchanged with a peer during the IPSec tunnel establishment. C is incorrect because PKCS#10 is a set of standard protocols used by different vendors to ensure secure information exchange on the Internet.

Question 42

The correct answer is C because a CRL does not contain a list of newly issued certificates. Answers A, B, D, and E are incorrect because the CRL is the last validation check and the CRL is valid for a specific length of time. The CRL contains serial numbers of certificates that are not valid. This could be because of changes in user data, compromise of the private key, or voluntary or involuntary termination of employment. The CA periodically signs and sends these CRLs to distribution points where they can be accessed via HTTP or LDAP.

Question 43

The correct answer is B. Network-based enrollment is an automated process that connects to the CA directly via Simple Certificate Enrollment Protocol (SCEP). A is incorrect because DES is an encryption algorithm. C is incorrect because Diffie-Hellman is used to derive the shared secret during IKE phase 1 negotiations. D is incorrect because MD5 is a one-way hashing algorithm that is also used in tunnel establishment.

Question 44

The correct answer is A. The concentrator retrieves up to 5 CRL-DPs from the CRL-DP extension of the certificate being verified. If the primary CRL-DP fails, the concentrator tries using the next available CRL-DP on the list until the CRL is retrieved or the list is exhausted. B is incorrect because when using static CRL-DP option, you must enter at least 1, with a maximum of 5, static CRL-DPs. C is incorrect because if the concentrator cannot find 5 CRL-DPs in the certificate, it adds static CRL-DPs, with a maximum of 5. D is incorrect because No CRL Checking disables CRL checking.

Question 45

The correct answers are B, D, and E. The IKE proposal is configured to use digital certificates with extended authentication (XAUTH), MD5 as the authentication algorithm, 3DES as the encryption algorithm, and DH Group 2 to derive the shared secret. The tunnel lifetime is based on time rather than data. A is incorrect because the proposal uses RSA digital certificates with XAUTH. C is incorrect because MD5 is an authentication algorithm and not an encryption algorithm. F is incorrect because the lifetime parameter is configured to use time rather than data flow.

Question 46

The correct answers are B and C. Microsoft CA supports Base 64 encoded PKCS#10 certificate requests only. Remember, the department name on the enrollment form must be identical to the group field on the concentrator. The department name and group names are case sensitive. A is incorrect because Microsoft CA does not support binary encoded PKCS#10. D is incorrect because the department name and group names are case sensitive and must be identical.

Question 47

The correct answer is D. SCEP operates between the client and the CA server. The certificate process is the same, but the approval process could be different. Depending on the behavior, the CA could process the request and generate an identity certificate, or wait until the request is approved by the CA administrator. A and B are incorrect because the PKCS#10 request must be issued from the requesting device before the certificate is created. C is incorrect because the CA or RA certificate request must be followed by the CA or RA returning the requested RA or CA certificate before any other identity certificate steps can transpire.

Question 48

The correct answer is C. The Centralized Policy Protection (CPP) allows network administrators to centrally define firewall policies for the connected VPN clients. The CPP is always pushed down from the concentrator to the Cisco VPN Clients at connection time. A is incorrect because Are You There (AYT) verifies whether a specific firewall is operational on the client PC. B is incorrect because Stateful Firewall, if turned on, blocks all inbound traffic that is not related to an outbound session, with the exception of DHCP and ARP traffic. D is incorrect because CIC is a firewall module integrated into the Cisco VPN Client.

Question 49

The correct answers are B, C, and D. B is correct because No Firewall is the default setting, and the remote user is not required to run a firewall on the PC that is being used to establish the connection. C is correct because the Firewall Required option requires all remote users in that particular group to have a designated firewall installed on their machines. Non-Windows VPN clients and users without the designated firewall cannot connect to the concentrator if the Firewall Required option has been selected. D is correct because all users in this group can establish the tunnel whether a firewall is running on the PC or not. A is incorrect because there is no option called Firewall Optional/Required.

Question 50

The correct answer is B. Network ICE BlackICE Defender is not supported by Cisco Pushed Policy feature. CIC, ZoneAlarm, and ZoneAlarm Pro are supported by CPP. Answers A, C, and D are incorrect because ZoneAlarm, ZoneAlarm Pro, and the CIC client all support CPP.

Question 51

The correct answers are B, D, and E. Configuring CPP is a two-step process where you first select the supported firewall and then choose the policy you want to push out to the Cisco Software Clients. A is incorrect because users in a group use a Zone Labs Integrity Server to configure and manage firewall parameters on the remote PCs. C is incorrect because NetworkICE is not a supported firewall.

Question 52

The correct answer is B. The Automatic VPN Initiation feature provides a secure connection within an on-site wireless LAN environment through a VPN Concentrator. A, C, and D are incorrect because they are not actual features of the Cisco Unity Client or the VPN Concentrator.

Question 53

The correct answers are A, B, C, D, and E. Admin, config, isp, mis, and user are predefined administrators on the VPN concentrator. The user account has limited rights, with read and view privileges only. The config account and the mis account have all the rights that an admin account has except SNMP access. The isp account has limited general configuration rights.

Question 54

The correct answer is B. The Session Summary table under the Monitoring | Sessions window shows the summary total for LAN-to-LAN, remote access, and management sessions. A is incorrect because to view the active, remote access sessions, you have to view the Remote Access Sessions table. C is incorrect because the Management Sessions table shows parameters and statistics for all active administrator management sessions. D is incorrect because the Summary Session table shows not only LAN-to-LAN sessions but also remote access and management sessions.

Question 55

The correct answer is E. The Monitoring | Statistics | IPSec window displays the statistics for IPSec activity, including the tunnels currently established to the concentrator. A is incorrect because the Monitoring | Statistics | NAT window shows statistics for NAT (Network Address Translation) activity on the VPN Concentrator since it was last booted or reset. B is incorrect because it is not a valid menu in the Cisco VPN Concentrator Manager. C is incorrect because the Monitoring | Sessions window shows comprehensive data for all active user and administrator sessions on the VPN Concentrator. D is incorrect because the Monitoring | Statistics | L2TP window shows statistics for current L2TP sessions and L2TP activity on the VPN Concentrator since it was last booted or reset.

Question 56

The correct answer is D. The Monitoring | Filterable Event Log window shows the events in the current event log and lets you filter, display, and manage events by various criteria. A is incorrect because the Monitoring | Statistics | NAT window shows statistics for NAT (Network Address Translation) activity on the VPN Concentrator since it was last booted or reset. B is incorrect because it is not a valid menu in the Cisco VPN Concentrator Manager. C is incorrect because the Monitoring | Live Event Log window displays events in the current event log and automatically refreshes every 5 seconds. Remember, if the Live Event Log window is active, the administrator session to the concentrator will never time out because each automatic window update would reset the inactivity timer.

Question 57

The correct answers are A, B, and C. Event classes can be configured to handle specific events on the concentrator. Event classes are good for debugging special parameters at a more granular level. D and E are incorrect because selecting IKE parameters and setting administrative rights are not related to creating event classes.

Question 58

The correct answers are B and D. The config and the mis accounts have all rights of the admin account except SNMP access. A is incorrect because the admin account has full access to the system and is the only account that is enabled by default. C is incorrect because the isp account has very limited general configuration rights. E is incorrect because the user account has very limited rights. In this account you have view and read privileges only.

Question 59

The correct answer is D. To make the boot configuration the active configuration, you have to reload the VPN concentrator. This file (CONFIG) is loaded every time you boot the concentrator and the configuration contained in that file becomes the active configuration. A, B, and C are incorrect because they will not make the boot configuration file the active configuration.

Question 60

The correct answer is B. The Administration | Software Update | Concentrator window enables you to update the software image on the Cisco VPN Concentrator. You must reboot the concentrator for the new image to be initiated. A is incorrect because the Administration | Software Update | Client window is used to update software and hardware clients only. C and D are incorrect because they are not valid menus in the Cisco VPN Concentrator Manager.

Question 61

The correct answer is B. The formula to set the burst size is (policing rate in bits per second ÷ 8) × 1.5. If you use this formula, then (200000 ÷ 8) × 1.5 = 37500 bytes. Any traffic below this 200 Kbps is transmitted; traffic above this rate is dropped. 37500 bytes is the amount of data allowed in a burst before excess packets are dropped.

Question 62

The correct answer is C. Client mode is also known as PAT mode and is used to deploy VPN quickly and easily in very small remote offices. The hardware client uses PAT to isolate its private network from the public network. A and B are incorrect because they are not actual modes for the VPN 3002 HW Client. D is incorrect because in Network Extension mode, all SOHO PCs on the hardware client network are uniquely addressable via the tunnel.

Question 63

The correct answer is D. Unit authentication stores the username and password and forwards them automatically to the concentrator when the tunnel is established. A is incorrect because it is not a valid form of authentication. B is incorrect because interactive unit authentication does not store the user password in memory. When a tunnel is initiated, the user behind the HW Client must supply username and password credentials. C is incorrect because user authentication is used when a first-time user tries to access the network over the tunnel. Both interactive and individual authentication are disabled by default and have to be enabled on the central VPN Concentrator.

Question 64

The correct answers are A, C, and D. When the individual user authentication feature is enabled on the concentrator, a username and password must be supplied to the HW Client before a user can access the tunnel. HTTP access to the Hardware Client Manager will prompt the user for a login. Specifically, when you click on the System Status hyperlink at the Hardware Client Manager login screen, you can perform individual logins. In addition, if you try to open an HTTP session across the tunnel, it redirects you to a login page. B is incorrect because the Connection Status window is the statistics window for the Cisco Unity Client.

Question 65

The correct answers are B, C, and D. If the HW Client does not receive an IKE reply from the concentrator within 8 seconds, it declares the packet lost and logs the entry. After four seconds, the HW Client then initiates a connection to the first configured backup server and traverses the list until the tunnel is established. After it reaches the end of the list, it terminates the process. The HW Client does not begin from the top of the list again. Answer A is incorrect because the HW Client tries to connect to the primary first, then the backup servers if the primary fails.

Question 66

The correct answers are C and D. When a VPN Client makes a connection request, the master concentrator checks the load list for the least-loaded concentrator. Cisco VPN Software Client release 3 and above and VPN 3002 release 3.5 and above support load balancing. Answers A and B are incorrect because the Cisco VPN Client must be running release 3 and the VPN 3002 HW Client must be running 3.5 to receive redirect IKE messages from the VPN Concentrator.

Question 67

The correct answer is B. VPN Virtual Cluster uses UDP port 9023 for load balancing. Answers A, C, and D are incorrect because they are using the wrong Layer 4 protocol or port.

Question 68

The correct answer is D. After it is enabled, the Client RRI feature applies to all VPN software and HW Clients that are using the PAT mode. You can enable Client RRI by going to Configuration | System | IP Routing | Reverse Route Injection window and selecting the Client Reverse Route Injection check box. Remember, the routes are deleted when the client disconnects from the VPN Concentrator. Answers A and B are incorrect because those features are only for Cisco VPN 3002 Hardware Clients. Answer C is not an actual feature.

Question 69

The correct answers are A and C. The Client Update feature can be enabled by going to the Configuration | System | Client Update | Enable window and making sure that the Enable box is checked. The Revision field and the Client Type group update parameter are case and space sensitive. Answer B is incorrect because the client update is not enabled by default. Answers D and E are incorrect for the same reason: both the Revision field and the Client Type group update parameter are case and space sensitive.

Question 70

The correct answers are A, B, and C. NAT-T is a global attribute and IPSec over UDP (proprietary) is a group attribute. On the other hand, IPSec over TCP is a system-wide feature and groups do not negotiate it. When enabled, it is on from the beginning of IKE negotiations. Answer D is incorrect because ISAKMP over UDP is not a valid NAT implementation.

Question 71

The correct answer is B. The Configuration | System | Tunneling Protocols | IPSec | NAT Transparency window allows you to enable NAT-T on the concentrator. The NAT Transparency link allows you to configure IPSec over TCP and IPSec over NAT Traversal (NAT-T) parameters. These parameters are applied globally to the concentrator. Answer A is incorrect because the Configuration | System | Tunneling Protocols menu does not directly contain configuration parameters for NAT-T; you must click on the IPSec hyperlink to specifically enable NAT-T. Answers C and D are incorrect because they are not valid configuration pages in the VPN Concentrator Manager.

Question 72

The correct answers are A, B, C, D, and E. In addition to the HMAC-MD5 and HMAC-SHA1 authentication options, the concentrator also supports an option of no data authentication. Advanced Encryption Standard (AES) encryption provides greater security than DES and is more efficient than triple DES. Support for AES has been incorporated on the concentrator from Release 3.6.

Question 73

The correct answers are A, C, and D. If the connection is successfully configured, the IPSec LAN-to-LAN wizard automatically configures the Group Name, SA Name, and Filter Name parameters. You can view or edit any parameters in these tables. Answer B is not correct because the Connection Name is not automatically supplied.

Question 74

The correct answers are A, B, C, and D. Static translation rules define a one-to-one mapping between networks. When configuring static LAN-to-LAN NAT translation rules, the specified local network address must be of the same class as the mapped address.

Question 75

The correct answers are A, B, C, and D. The concentrator generates an RSA key pair and then creates a PKCS#10 request and sends it to the CA. The CA approves the request and sends the certificate back to the concentrator. Remember, the CA approval process can be either automatic or manual.
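The enrollment flow this answer describes, written out as an added Go example (not code from the book or from the VPN Concentrator): the concentrator side generates the RSA key pair and the PKCS#10 request, and the CA side verifies the request's signature before signing and returning a certificate. The self-signed CA, the subject name, the serial numbers and the 24-hour validity periods are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts on local failures (key generation, CA bootstrap) outside the enrollment flow.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewCA is a self-signed CA, constructed for this example, standing in for the CA the concentrator enrolls with.
func NewCA() (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// MakeRequest is the concentrator side: a new RSA key pair and a PKCS#10 request (DER) signed with it as proof of possession.
func MakeRequest(cn string) (*rsa.PrivateKey, []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	must(err)
	return key, csr
}

// Approve is the CA side: parse the request and verify its signature before issuing; a forged, altered or
// truncated request is rejected. On success it returns the DER certificate the CA sends back to the concentrator.
func Approve(caKey *rsa.PrivateKey, caCert *x509.Certificate, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // proof of possession must verify before the CA signs anything
	}
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)},
		caCert, csr.PublicKey, caKey)
}
```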

CSVPN Exam Cram 2 (Exam 642-511)
CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185