Ccnp security simos 300-209 official pdf free download torrent






















The ACL was configured incorrectly. The ACL was applied incorrectly or was not applied. Network browsing was not restricted on the temporary worker group policy. Network browsing was not restricted on the temporary worker user policy. Correct Answer: B Explanation. IKEv1 B. IKEv2 C. SSL client D. SSL clientless E. ESP F. How can you enable scaling to numerous IPsec peers? Migrate to external CA-based digital certificate authentication.

Migrate to a load-balancing server. Migrate to a shared license server. DHCP configuration C. Reverse Route Injection B. When connecting to remote sites, pings and voice data appear to flow properly and all tunnel stats seem to show that they are up. However, when trying to connect to a remote server using RDP, the connection fails.

Which action resolves this issue? Adjust the MTU size within the routers. Replace certificate on the RDP server. Correct Answer: C Explanation. An access-list must be configured on the outside interface to permit inbound VPN traffic B.

A route to The decryptor keeps track of which packets it has seen on the basis of these numbers. Currently, the default window size is 64 packets. Generally, this window size is sufficient, but there are times when you may want to expand it. The IPsec Anti-Replay Window: Expanding and Disabling feature allows you to expand the window size, allowing the decryptor to keep track of more than 64 packets.

SAML B. NTLM E. Kerberos F. OAuth 2. Reset user login credentials. Disable the HTTP server. Correct the URL address. NHRP B. MPLS C. GRE D. The client endpoint does not have the correct user profile to initiate an IKEv2 connection. The administrator is restricting access to this specific user. Correct Answer: E Explanation.

IKEv2 proposal B. IKEv2 policy E. PKI certificate authority F. IKEv2 profile description H. The ability of the client to send packets transparently and unencrypted through the tunnel for test purposes is turned off. The customer can establish an AnyConnect connection on the first attempt only.

Subsequent attempts fail. What might be the issue? IKEv2 is blocked over the path. UserGroup must be different than the name of the connection profile. The primary protocol should be SSL. UserGroup must be the same as the name of the connection profile. Correct Answer: D Explanation. Which three components are part of the IKEv2 proposal for this implementation?

Choose three. DH group C. Configure a static PAT rule for TCP port 2. Configure an inbound access-list to allow traffic from remote users to the servers 3. Assign this access-list rule to the group policy B.

Enable Smart tunnel on this bookmark 3. Assign the bookmark to the desired group policy C. Configure a Smart Tunnel application list 2. Add the rdp. Assign the Smart Tunnel application list to the desired group policy D. Assign the bookmark list to the desired group policy Correct Answer: D Explanation. Choose four. SHA B. SHA C. AES E. Refer to the exhibit. An engineer encounters a debug message. Which action can the engineer take to eliminate this error message?

Use stronger encryption suite. Correct the VPN peer address. Make adjustment to IPSec replay window. Change the preshared key to match. You can identify applications to which you want to grant smart tunnel access, and specify the local path to each application. For applications running on Microsoft Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for granting smart tunnel access. Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.

You can also list web-enabled applications for which to automate the submission of login credentials in smart tunnel connections over clientless SSL VPN sessions. Why Smart Tunnels? The advantage of a plug-in is that it does not require the client application to be installed on the remote computer.

Smart Tunnel Requirements, Restrictions, and Limitations The following sections categorize the smart tunnel requirements and limitations. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows).

If the remote computer requires a proxy server to reach the security appliance, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services.

If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy. For proxies that require authentication, smart tunnel supports only the basic digest authentication type. The security appliance also does this if a tunnel-all policy applies. If the user starts another instance of the browser process, it passes all traffic through the VPN session. If the browser process is the same and the security appliance does not provide access to a URL, the user cannot open it.

As a workaround, assign a tunnel policy that is not tunnel-all. Users must reconnect following a failover. Correct Answer: AD. Choose two. AnyConnect client B. Smart Tunnels C. Email Proxy D. Content Rewriter E. A junior network engineer configured the corporate Cisco ASA appliance to accommodate a new temporary worker. For security reasons, the IT department wants to restrict the internal network access of the new temporary worker to the corporate server, with an IP address of After the junior network engineer finished the configuration, an IT security specialist tested the account of the temporary worker.

What did the junior network engineer configure incorrectly? The ACL was configured incorrectly. The ACL was applied incorrectly or was not applied. Network browsing was not restricted on the temporary worker group policy. Network browsing was not restricted on the temporary worker user policy. IKEv1 B. IKEv2 C. SSL client D. SSL clientless E. ESP F. How can you enable scaling to numerous IPsec peers?


