The Testking is probably the productive servers that provide the many efficient and also original Cisco Cisco 300-209 training materials. You are able to find all of the important contents that will enable you to be well prepared to the Cisco 300-209 exam. The main purpose associated with Testking is to enable you to get a higher mark which guarantees the wonderful success. In order to pass the Cisco 300-209 genuine test, utilize our Cisco exam preps with no wasting your time and cash. The 300-209 practice resources are developed by our sophisticated IT professionals who may have cutting-edge experience in making upward the Cisco certification exam dumps. Testking holds the distinctive placement in the same occupation. You can retain faith in our Cisco 300-209 products because all of us provide the very best and most up-to-date Cisco training materials.
2021 Mar 300-209 practice test
Q11. After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24 network are unable to access the internet. Which of the following can be done to resolve this problem?
A. Change the Diffie-Hellman group on the headquarter ASA to group5forthe dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEvI configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0
Answer: B
Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 to 192.168.22.0/24.
Q12. Refer to the exhibit.
Which two characteristics of the VPN implementation are evident? (Choose two.)
A. dual DMVPN cloud setup with dual hub
B. DMVPN Phase 3 implementation
C. single DMVPN cloud setup with dual hub
D. DMVPN Phase 1 implementation
E. quad DMVPN cloud with quadra hub
F. DMVPN Phase 2 implementation
Answer: B,C
Q13. Which three configuration parameters are mandatory for an IKEv2 profile? (Choose three.)
A. IKEv2 proposal
B. local authentication method
C. match identity or certificate
D. IKEv2 policy
E. PKI certificate authority
F. remote authentication method
G. IKEv2 profile description
H. virtual template
Answer: B,C,F
Q14. CORRECT TEXT
Scenario
You are the network security administrator for your organization. Your company is growing and a remote branch office is being created. You are tasked with configuring your headquarters Cisco ASA to create a site-to-site IPsec VPN connection to the branch office Cisco ISR. The branch office ISR has already been deployed and configured and you need to complete the IPsec connectivity configurations on the HQ ASA to bring the new office online.
Use the following parameters to complete your configuration using ASDM. For this exercise, not all ASDM screens are active.
. Enable IKEv1 on outside I/F for Site-to-site VPN
. Add a Connection Profile with the following parameters:
. Peer IP: 203.0.113.1
. Connection name: 203.0.113.1
. Local protected network: 10.10.9.0/24
. Remote protected network: 10.11.11.0/24
. Group Policy Name: use the default policy name supplied
. Preshared key: cisco
. Disable IKEv2
. Encryption Algorithms: use the ASA defaults
. Disable pre-configured NAT for testing of the IPsec tunnel
. Disable the outside NAT pool rule
. Establish the IPsec tunnel by sending ICMP pings from the Employee PC to the Branch Server at IP address 10.11.11.20
. Verify tunnel establishment in ASDM VPN Statistics> Sessions window pane
You have completed this exercise when you have successfully configured, established, and verified site-to-site IPsec connectivity between the ASA and the Branch ISR.
Topology
Answer: Review the explanation for detailed answer steps.
Explanation:
First, click on Configuration ->Site-to-Site VPN to bring up this screen:
Click on “allow IKE v1 Access” for the outside per the instructions as shown below:
Then click apply at the bottom of the page. This will bring up the following pop up message:
Click on Send.
Next, we need to set up the connection profile. From the connection profile tab, click on “Add”
Then, fill in the information per the instructions as shown below:
Hit OK and you should see this:
To test this, we need to disable NAT. Go to Configuration -> Firewall -> NAT rules and you should see this:
Click on Rule 1 to get the details and you will see this:
We need to uncheck the “Enable rule” button on the bottom. It might also be a good idea to uncheck the “Translate DNS replies that match the rule” but it should not be needed. Then, go back to the topology:
Click on Employee PC, and you will see a desktop with a command prompt shortcut. Use this to ping the IP address of 10.11.11.20 and you should see replies:
We can also verify by viewing the VPN Statistics -> Sessions and see the bytes in/out incrementing as shown below:
Q15. Refer to the exhibit.
Which two statements about the given configuration are true? (Choose two.)
A. Defined PSK can be used by any IPSec peer.
B. Any router defined in group 2 will be allowed to connect.
C. It can be used in a DMVPN deployment
D. It is a LAN-to-LAN VPN ISAKMP policy.
E. It is an AnyConnect ISAKMP policy.
F. PSK will not work as configured
Answer: A,C
Up to the minute 300-209 answers:
Q16. Which protocol does DTLS use for its transport?
A. TCP
B. UDP
C. IMAP
D. DDE
Answer: B
Q17. Which statement describes a prerequisite for single-sign-on Netegrity Cookie Support in an IOC SSL VPN?
A. The Cisco AnyConnect Secure Mobility Client must be installed in flash.
B. A SiteMinder plug-in must be installed on the Cisco SSL VPN gateway.
C. A Cisco plug-in must be installed on a SiteMinder server.
D. The Cisco Secure Desktop software package must be installed in flash.
Answer: C
Q18. Scenario:
You are the senior network security administrator for your organization. Recently and junior engineer configured a site-to-site IPsec VPN connection between your headquarters Cisco ASA and a remote branch office.
You are now tasked with verifying the IKEvl IPsec installation to ensure it was properly configured according to designated parameters. Using the CLI on both the Cisco ASA and branch ISR, verify the IPsec configuration is properly configured between the two sites.
NOTE: the show running-config command cannot be used for this exercise.
Topology:
In what state is the IKE security association in on the Cisco ASA?
A. There are no security associations in place
B. MM_ACTIVE
C. ACTIVE(ACTIVE)
D. QM_IDLE
Answer: B
Explanation:
This can be seen from the "show crypto isa sa" command:
Q19. Which Cisco adaptive security appliance command can be used to view the IPsec PSK of a tunnel group in cleartext?
A. more system:running-config
B. show running-config crypto
C. show running-config tunnel-group
D. show running-config tunnel-group-map
E. clear config tunnel-group
F. show ipsec policy
Answer: A
Q20. Which cryptographic algorithms are approved to protect Top Secret information?
A. HIPPA DES
B. AES-128
C. RC4-128
D. AES-256
Answer: D