Cisco Secure VPN Version 5.1 document (pptx)




Document information

9E0-121 (CSVPN) Cisco Secure VPN Version 5.1

Important Note, Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides:
* Interactive Test Engine Examinator. Check out an Examinator Demo at http://www.testking.com/index.cfm?pageid=724

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at TestKing for an update 3-4 days before the scheduled exam date.
Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback
Feedback on specific questions should be sent to feedback@testking.com. You should state: Exam number and version, question number, and login ID. Our experts will answer your mail promptly.

Copyright
Each pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.

Leading the way in IT testing and certification tools, www.testking.com

Note 1: Section A contains 93 questions. Section B contains 126 questions. Section C contains 171 questions. The total number of questions is 390.
Note 2: First customer, if any, to beat TestKing in providing answers to the unanswered questions will receive a free TestKing product. Send answers to feedback@testking.com.

Section A
Reference: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/icpdf.pdf

QUESTION NO:
If the central Concentrator is configured for interactive unit authentication, a VPN 3002 will prompt for username/password before establishing a tunnel. In how many ways can you make a VPN 3002 prompt for the username/password?
A B C D E
Answer: A
Explanation:
You access the interactive hardware client authentication and individual user authentication login screens from the VPN 3002 Hardware Client Manager login screen.
Note: You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser.
Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a008015d019.html#1006934

QUESTION NO:
Performing Quick configuration on a VPN 3002 Hardware, under "Private Interface", what options are available to the administrator? (Choose all that apply)
A. Do not use the DHCP server to provide address
B. Do you want to use DHCP server on Interface to provide addresses for the local LAN?
C. Do not use DHCP client to request address
D. Do you want to use DHCP client to request addresses for the local LAN?
Answer: A, B
Explanation:
Choose one of the menu options listed:
• If you want to disable the DHCP server, at the prompt enter Disable DHCP Server, and continue with quick configuration.
• If you want to enable and configure the DHCP server, at the prompt enter Enable and Configure DHCP Server, and follow Steps through below.
• If you want to enable the DHCP server with existing parameters, at the prompt enter
Reference: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/4_0/gs/3002gs.pdf

QUESTION NO:
A VPN 3000 Concentrator is configured for Optional as Firewall Setting and the expected Firewall is set to ICE BlackICE Defender. A client connects without any Firewall. Which of the following will happen?
A. The tunnel will establish as normal
B. There is no optional firewall setting in the AYT configuration on a Cisco 3000 Concentrator
C. All answers are incorrect
D. The tunnel will establish, AYT will fail, the tunnel will be removed and the client will get disconnected
E. The tunnel will establish, but the administrator will receive a notification message that the client did not match any of the Concentrator's configured firewalls
Answer: C
Explanation:
Network ICE's BlackICE Defender is a traffic monitoring security product. If you properly configure it, BlackICE Defender can work with the VPN Client. You must configure BlackICE Defender for Trusting, Nervous, or Cautious mode. If you use Nervous or Cautious mode, add the public IP address of the VPN Concentrator to the list of trusted addresses. You can now configure the VPN Client to work with BlackICE Defender configured for Paranoid mode when in Tunnel-everything mode. Split Tunneling requires BlackICE to be in Trusting, Nervous, or Cautious mode.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_note09186a008015ee05.html

QUESTION NO:
Trojan horses fall into which of the following methods?
A. Denial of Service Methods
B. Reconnaissance Methods
C. Stealth Methods
D. Access Methods
Answer: D
Explanation:
The primary vulnerabilities for end-user workstations are viruses and Trojan horse attacks. Viruses refer to malicious software that is attached to another program to execute a particular unwanted function on a user's workstation. An example of a virus is a program that is attached to command.com (the primary interpreter for Windows systems), which deletes certain files and infects any other versions of command.com that it can find. A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is a software application that runs a simple game on the user's workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every user in the user's address book. Then other users get the game and play it, thus spreading the Trojan horse.
Reference: SAFE White Papers, page 70: SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

QUESTION NO:
What are the two purposes of X.509 certificate serial numbers?
A. It is a unique certificate numerical identifier in the certificate authority domain
B. It identifies the certificate authority public key and hashing algorithm
C. Includes subject's public key and hashing algorithm
D. It is the number used to identify certificates in CRLs
E. It specifies start and expiration dates on the certificate
Answer: A, D
Explanation:
A certificate is normally expected to be valid for its entire validity period. However, if a certificate becomes invalid due to such things as a name change, change of association between the subject and the CA, or security compromise, the CA revokes the certificate. Under X.509, CAs revoke certificates by periodically issuing a signed CRL, where each revoked certificate is identified by its serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate for authentication, it also checks the CRL to ensure that the certificate being verified has not been revoked.
Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800d658e.shtml

QUESTION NO:
Which of the following statements is true in defining the RSA signature system?
A. An RSA signature is formed when data is encrypted with a user's private key and the receiver verifies the signature by decrypting the message with the sender's private key
B. An RSA signature is formed when data is encrypted with a user's public key and the receiver verifies the signature by decrypting the message with the sender's private key
C. An RSA signature is formed when data is encrypted with a user's private key and the receiver verifies the signature by decrypting the message with the sender's public key
D. An RSA signature is formed when data is encrypted with a user's public key and the receiver verifies the signature by decrypting the message with the sender's public key
Answer: D
Explanation:
With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote peer and performing some public key cryptography. Each peer must send its own unique certificate which was issued and validated by the CA. This process works because each peer's certificate encapsulates the peer's public key, each certificate is authenticated by the CA, and all participating peers recognize the CA as an authenticating authority. This is called IKE with an RSA signature.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f63.html

QUESTION NO:
Which model of the VPN 3000 Concentrator matches the following descriptions:
- 256 MB of SRAM
- Hardware Based Encryption
- Programmable DSP-based security accelerator
- Supports up to 5000 simultaneous remote connections
A. Model 3080
B. Model 3015
C. Model 3060
D. Model 3030
Answer: C
Explanation:
VPN 3060
• Appropriate for a large central site
• Supports up to 5000 simultaneous sessions
• Supports two SEP2 hardware modules - up to 5000 sessions
• Upgradeable
• Memory - 256 MB SRAM standard
• Encryption - Hardware-based SEP2 - Programmable DSP-based security accelerator
Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 55 + 57

QUESTION NO:
Each IPSec peer has how many keys?
A B C D It depends
Answer: B
Explanation:
Without a CA, if you want to enable IPSec services (such as encryption) between two peers, you must first ensure that each peer has the other's key (such as an RSA public key or a preshared key). If you have multiple Cisco peers in a mesh topology, and wish to exchange IPSec traffic passing between all of the peers, you must first configure shared keys or RSA public keys between all of the peers. Every time a new peer is added to the IPSec network, you must configure keys between the new peer and each of the existing peers.
Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080089901.html

QUESTION NO:
VPN is the most cost-effective method of establishing a point-to-point connection between remote users and the enterprise network. Cisco categorizes VPN in three types: (Choose three)
A. Hybrid VPN
B. Access VPN
C. Extranet VPN
D. Direct VPN
E. Intranet VPN
Answer: B, C, E
Explanation:
Virtual private network (VPN) routers: secure, scalable VPN platforms that provide enterprise customers with a comprehensive solution for cost-effective remote access, intranet and extranet connectivity using public data services.
Reference: http://newsroom.cisco.com/dlls/fspnisapi7399-2.html

QUESTION NO: 10
To troubleshoot SCEP enrollment, the administrator should scrutinize what event class in the event log?
A. IKE
B. IPSec
C. SCEP
D. Cert
Answer: D
Explanation:
The goal of SCEP is to support the secure issuance of certificates to network devices in a scalable manner, using existing technology whenever possible. The protocol supports the following operations:
• CA and RA public key distribution
• Certificate enrollment
• Certificate revocation
• Certificate query
• CRL query
Reference: http://www.cisco.com/warp/public/cc/pd/sqsw/tech/scep_wp.htm

QUESTION NO: 11
If the LAN-to-LAN tunnel is not established, which three IPSec LAN-to-LAN configuration parameters should the administrator verify at both ends of the tunnel? (Choose three)
A. Name
B. Pre-shared key
C. Authentication
D. Routing
E. Local network IP address
F. Remote network IP address
Answer: C, E, F
Explanation:
A continuation of step includes going to Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN and clicking Add to configure the IPSec parameters as follows:
Step 1: Enter the name for the LAN-to-LAN connection.
Step 2: Set the peer value to be the IP address assigned to the outside interface of the remote PIX Firewall.
Step 3: Enter an alphanumeric string value for the preshared key to match that of the peer, or select a digital certificate.
Step 4: Select the authentication and encryption values to match the IPSec policy. Select the IKE policy configured in Step 1.
Step 5: Set the local network to be the network address that the private interface is on.
Step 6: Set the destination network to be a network on the peer's network. Set the wildcard mask to be a network's subnet mask.
Step 7: Click Add.
Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 324

QUESTION NO: 12
Which statement about the Cisco VPN Client software update is true?
A. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client automatically downloads a new version of code from a configured web site
B. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client automatically downloads a new version of code from a TFTP server
C. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator automatically downloads a new version of the software
D. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator only sends an update notification to the remote Cisco VPN Client
Answer: D
Explanation:
When you enable client update, upon connection the central-site VPN Concentrator sends an IKE packet that contains an encrypted message that notifies VPN Client users about acceptable versions of executable system software. The message includes a location that contains the new version of software for the VPN Client to download. The administrator for that VPN Client can then retrieve the new software version, and update the VPN Client software.
Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00800dc6fe.html

QUESTION NO: 13
To clear the ARP cache on a Cisco VPN Concentrator, which status screen should the administrator access?
A. Monitor | Routing Table
B. Monitor | ARP cache
C. Monitor | Statistics | MIB-II
D. Monitor | System Statistics
Answer: C
Explanation:
Monitoring | Statistics | MIB-II | ARP Table: this screen shows entries in the Address Resolution Protocol mapping table since the VPN 3002 was last booted or reset. ARP matches IP addresses with physical MAC addresses, so the system can forward traffic to computers on its network. RFC 2011 defines MIB entries in the ARP table.
Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00800bcd4e.html#1889235

QUESTION NO: 14
When first installing the Cisco VPN Concentrator, why should you use the CLI?
A. To configure the Cisco VPN Concentrator
B. To configure the private LAN port
C. To connect to the Internet
D. To configure serial ports
Answer: B
Explanation:
The private LAN on the Cisco VPN 3000 Concentrator series initially must be configured with the CLI. Once the private interface is configured, you can use the browser management interface.
Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 235

QUESTION NO: 15
Choose the two ways an administrator can set up user authentication and IP address assignment (Choose two)
A. Per user

[Pages 11 through 123 of the source are not included in this excerpt.]

Answer: B

QUESTION NO: 124
Choose the correct statements describing Cisco Secure VPN Client Version 1.1:
A. It uses native Microsoft PPP for dialer Dial-up Connections and Ethernet for network connections
B. It is fully compatible with IPSec standards
C. It uses native Microsoft TCP/IP
D. Requires 16MB of RAM for Windows 95 and 32MB of RAM for Windows 98 and NT
E. It needs 3MB available Hard Disk Space
Answer: B, C, D

QUESTION NO: 125
Approximately, how long does it take to generate keys on a Cisco 2500 and a Cisco 4700 with the recommended key length?
A. Ten minutes on a 2500 and 10 seconds on a 4700
B. 100 minutes on a 2500 and 100 seconds on a 4700
C. One minute on a 2500 and one second on a 4700
D. Five minutes on a 2500 and five seconds on a 4700
Answer: D

QUESTION NO: 126
Which of the following statements are true:
A. ESP is rarely used
B. ESP is not compatible with PAT
C. AH is rarely used
D. AH is not compatible with PAT
Answer: C, D

QUESTION NO: 127
Regarding the Users and Groups of the Cisco VPN 3000 Concentrator, all of the following statements are true, except:
A. With Release 2.2, a maximum of 100 groups and 100 users can be configured in the Cisco VPN 3000 Concentrator internal server
B. Users must belong to a group
C. Using an external authentication server will improve manageability
D. Each user can be a member of more than one group
E. Both Groups and Users have attributes that determine their extent of authorization to use the Concentrator
Answer: B, D

QUESTION NO: 128
Why would you want to specify the IKE authentication method?
A. To change from digital certificate to pre-shared
B. To change from pre-shared to digital certificate
C. To request a certificate
D. To check the status of a certificate
Answer: A

QUESTION NO: 129
What is the maximum number of simultaneous sessions supported when performing software encryption with a VPN 3000 Concentrator?
A. 5000
B. 1500
C. The VPN 3000 series Concentrator does not support software encryption
D. 100
Answer: D

QUESTION NO: 130
Dynamic crypto maps are used only to host incoming IPSec sessions. They are never used to establish an SA with a remote peer.
A. False
B. True
Answer: A

QUESTION NO: 131
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires.
A. False
B. True
Answer: B

QUESTION NO: 132
On a PIX Firewall, you issue the ca enroll command to request a certificate. Before receiving the certificate, the PIX Firewall dies due to a power failure. What should you do?
A. Reboot after the power is restored and issue the command: ca certificate restore
B. Contact your director and make sure that he understands that this was not your fault and it should not affect your upcoming raise
C. Reboot after the power is restored and wait for the certificate to arrive
D. Contact the CA administrator
E. Reboot after the power is restored and re-issue the request command
Answer: D, E

QUESTION NO: 133
On a PIX Firewall, what is the command to view the CA communication parameter settings?
A. pixfirewall# show config ca
B. pixfirewall# show ca configure
C. pixfirewall# show certificate config
D. pixfirewall# show ca configuration
Answer: B

QUESTION NO: 134
Which of the following statements is not true regarding IKE phase one:
A. Sets up a secure tunnel to negotiate IKE phase II parameters
B. By default, Cisco products use aggressive mode to initiate an IKE exchange
C. Main mode is more secure than aggressive mode
D. Phase one can occur in two modes: main mode & aggressive mode
Answer: B

QUESTION NO: 135
Which model of the VPN 3000 Concentrator matches the following descriptions:
• 256 MB of SRAM
• Hardware Based Encryption
• Programmable DSP-based security accelerator
• Supports up to 5000 simultaneous remote connections
A. Model 3080
B. Model 3060
C. Model 3030
D. Model 3015
Answer: B

QUESTION NO: 136
How do you reset a lifetime to its default value?
A. crypto ipsec lifetime default
B. no crypto ipsec association lifetime
C. crypto ipsec lifetime 28000
D. no crypto ipsec security-association lifetime
Answer: D

QUESTION NO: 137
Tunnel Endpoint Discovery is an enhancement to the IP Security Protocol (IPSec) feature
A. Allows dynamic discovery of IPSec peer
B. Is a good candidate to replace CA
C. If Pre-Shared keys are used, you still need a pre-defined IP address for IKE authentication purposes
D. Allows dynamic crypto maps to initiate SA negotiations
Answer: A

QUESTION NO: 138
On Cisco routers, the command routerA(config)# crypto key generate rsa usage-keys generates RSA key pairs, and "usage-keys" specifies that two RSA special key pairs should be generated. What parameter in PIX Firewall software plays the same role?
A. special-usage
B. special-key
C. specialkey
D. usagekey
Answer: C

QUESTION NO: 139
During IPSec operation, you receive the following error message:
%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from [chars] if SA is not authenticated!
What is the recommended action?
A. Reboot the remote router
B. Reboot the local router
C. Use the "clear crypto sa" command
D. Contact the remote peer's administrator to resolve the improper configuration
Answer: D

QUESTION NO: 140
It is recommended that you disable IKE on PIX Firewall interfaces that do not terminate IKE and IPSec. This will prevent possible DoS attacks on those interfaces. What command would you use to perform this task?
A. PixFirewall(config-if)# isakmp disable inside
B. PixFirewall(config-if)# no isakmp enable inside
C. PixFirewall(config)# no isakmp enable inside
D. PixFirewall(config)# isakmp disable inside
Answer: C

QUESTION NO: 141
You are checking the configuration of a VPN 3000 Concentrator and find 0.0.0.0 in the Default Gateway field. How will the Concentrator react to unrouted packets?
A. 0.0.0.0 is an invalid entry in this field
B. The Concentrator will send the packets out the public interface
C. The Concentrator will drop the unrouted packets
D. The Concentrator will send the packets out the private interface
Answer: C

QUESTION NO: 142
Which IP Security protocol provides data authentication and integrity, but does not provide data confidentiality for IP packets?
A. DES
B. Authentication Header
C. ESP
D. Radius
Answer: B

QUESTION NO: 143
Which types of commands monitor and manage IKE and IPSec communications?
A. show
B. clear
C. interface
D. crypto map
E. debug
F. crypto isakmp policy
Answer: A, B, E

QUESTION NO: 144
In a crypto access list, the permit any any statement is strongly discouraged, because:
A. This will cause all inbound traffic to be protected and will require protection for all outbound traffic
B. This will cause all outbound traffic to be protected and will require protection for all inbound traffic
C. It denies protection for all outbound traffic
D. It denies protection for all inbound traffic
Answer: B

QUESTION NO: 145
For scalability, it is possible to pre-configure VPN clients by creating a client configuration file and distributing it with the VPN client software. What is the name of this file?
A. IPSeconfig.txt
B. IPSecgen.dll
C. IPSecdlr.ini
D. IPSecVPN.gen
Answer: C

QUESTION NO: 146
You want to verify that you have correctly configured VPN by debugging CA events. What are the two commands that you would use?
A. debug crypto isakmp, debug crypto packet
B. debug crypto packet, debug crypto events
C. debug crypto ca, debug crypto events
D. debug crypto key-exchange, debug crypto pki transactions
Answer: D

QUESTION NO: 147
When configuring IPSec for the PIX Firewall, in the summative configuration, what is the default for replay-detection?
A. checked only
B. not checked only
C. Either checked or not checked
D. IPSec does not support replay-detection, use CBAC instead
Answer: C

QUESTION NO: 148
With the help of the Domain Specific Port (DSP) all of the following benefits are achieved, except:
A. Can off-load encryption
B. Can off-load decryption
C. Has a built-in feature to stop misconfiguration
D. Can be reprogrammed as the standards change and new standards become solidified
Answer: C

QUESTION NO: 149
Old RSA keys can consume a lot of space unnecessarily. What is the command you use to delete these keys?
A. erase crypto rsa
B. crypto key zeroize rsa
C. delete crypto rsa
D. squeeze crypto rsa
Answer: B

QUESTION NO: 150
IPSec uses this method to track all the particulars concerning a given IPSec communication session.
A. What is Transform Set
B. What is Security Association
C. What is Internet Key Exchange
D. What is CA
Answer: B

QUESTION NO: 151
What is the maximum length of the VPN 3000 Concentrator Admin password?
A. 32 Characters
B. 31 Characters
C. Characters
D. 16 Characters
Answer: B

QUESTION NO: 152
On the PIX Firewall, the following command specifies a pre-shared key: isakmp key cisco1234 address 0.0.0.0. What does 0.0.0.0 refer to?
A. The IP address of the local peer
B. The wildcard
C. The wildcard mask
D. The default gateway of the PIX Firewall
Answer: B

QUESTION NO: 153
In the process of CA configuration, you need to generate a general-purpose key set that will be used with RSA signatures. What Cisco IOS command would you use?
A. routerA(config)# crypto key generate rsa usage-keys
B. routerA(config)# crypto key generate rsa usage keys
C. routerA(config)# crypto key generate
D. routerA(config)# crypto key generate rsa
Answer: D

QUESTION NO: 154
Speaking of Authentication Header (AH) Tunnel & Transport mode, which of the following statements is not true:
A. In transport mode, AH services protect the external IP header along with the data payload
B. AH can work hand in hand with Network Address Translation (NAT)
C. In tunnel mode, all of the original header is authenticated
D. The AH header sits between the IP Header and the Data payload and other higher layer protocols
Answer: B

QUESTION NO: 155
Only an administrator can use the VPN Concentrator Manager, and Cisco provides more than one predefined administrator.
A. True
B. False
Answer: A

QUESTION NO: 156
Regarding the encryption method of the VPN 3000 Concentrators, which of the following statements are true:
A. All of the current models use hardware based encryption
B. All of the current models use software based encryption
C. Models 3005 & 3015 are software based and the rest are hardware based
D. Models 3005 & 3015 are hardware based and the rest are software based
Answer: C

QUESTION NO: 157
What is the Xauth feature?
A. It is a kind of authentication that uses TACACS+
B. It stands for a kind of authentication that was valid in the past, but has timed out and is no longer valid
C. It is a kind of authentication that is needed to access X-rated websites
D. It stands for extended authentication where the length of the password is longer than 16 characters
Answer: A

QUESTION NO: 158
As the administrator of your VPN 3000 Concentrator, you need to shut down the VPN Concentrator; that is, bring the system to a halt so you can turn off the power. You also want to terminate all sessions and prevent new user sessions. What action do you take?
A. Cancel a scheduled reboot/shutdown
B. Reboot without saving the active configuration
C. Reboot
D. Reboot with factory default configuration
E. Shut down without automatic reboot
Answer: E

QUESTION NO: 159
Choose the true statements:
A. You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry
B. The command to define a transform set is: crypto isakmp transform-se
C. There is a limit of one AH and two ESP transforms, a total of three
D. The default mode for each transform is tunnel
Answer: A, C, D
Reference: Managing Cisco Network Security p. 573-574

QUESTION NO: 160
In how many ways can IKE phase one authenticate IPSec peers?
A B C D It varies
Answer: D

QUESTION NO: 161
On a CSPF, the ca enroll command is used to send an enrollment request to the CA requesting a certificate. Choose the true statement:
A. You will need one ca enroll command per every RSA key pair, per every peer
B. You will need one ca enroll command per all RSA key pairs
C. You will need one ca enroll command per every RSA key pair, per every CA
D. You will need one ca enroll command per every RSA key pair
Answer: D

QUESTION NO: 162
Which of the following statements regarding digital certificates is false?
A. The whole point of encryption is to ensure the confidentiality of your information
B. Digital certificates provide a means to digitally authenticate devices and individual users
C. A digital certificate is signed by a certification authority (CA)
D. When a new device is added to the network, users simply enroll that device with a CA and the configuration changes to other peers are minimal
Answer: A

QUESTION NO: 163
What is the command that you enter to view default and any configured IKE phase one policies?
A. show crypto ipsec policy
B. show crypto cisco algorithms
C. show crypto isakmp policy
D. show crypto config
Answer: C

QUESTION NO: 164
Which of the following is not true about the VPN 3000 Concentrator:
A. Supports up to 2000 remote users
B. Management interface is accessible via web browser
C. Are available in redundant and non-redundant series
D. Are modular and field upgradeable
E. Cisco VPN 3000 client is provided for free
Answer: A

QUESTION NO: 165
After configuring multiple transform sets, where do you specify the transform set?
A. In the interface
B. In a crypto map entry
C. In an access-list
D. In the ISAKMP policy
Answer: B

QUESTION NO: 166
Why not specify PFS in IPSec?
A. It reduces CPU usage
B. It conflicts with RSA Signature
C. It increases CPU usage
D. It prevents DoS attacks
Answer: C

QUESTION NO: 167
The ESP protocol with the DES encryption algorithm in transport mode is used for:
A. All of the above
B. Confidentiality
C. Integrity
D. Authentication
Answer: B

QUESTION NO: 168
What is the command that you use to view previously configured transform sets?
A. show crypto ipsec transform-set
B. show crypto map transform-set
C. show transform-set
D. show isakmp transform-set
Answer: A

QUESTION NO: 169
How do you configure your PIX Firewall for PFS?
A. As part of interface configuration commands
B. As part of crypto map configuration commands
C. As part of Transform-set configuration commands
D. PIXFirewall(config)# set pfs enable
Answer: B

QUESTION NO: 170
All of the following are true about IPSec, except:
A. It enables encrypted communication between peers at the IP layer
B. AH and ESP are two of its main protocols
C. It is Cisco proprietary
D. Cisco IOS version 11.3(T) & later, PIX Firewall version 5.0 & later support it
Answer: C

QUESTION NO: 171
Why do you use the crypto map global command?
A. To delete or set a crypto map
B. To indicate that SA and ISAKMP will not be used
C. Because you have too much time on your hands and have nothing better to do in your life, other than entering this command
D. To create or modify a crypto map entry and enter the crypto map configuration mode: crypto map (global IPSec)
Answer: D

Posted: 17/01/2014, 08:20
