CCNP Security FAQ : Configuring Access VPNs

Q1. What is the Easy VPN Server functionality known as Initial Contact?
A. Ability to cause the Easy VPN Server to delete any existing connections, thus preventing SA synchronization problems

B. The first connection between an Easy VPN Client and Easy VPN Server

C. The initial message sent from the Easy VPN Server to the Easy VPN Client

D. The initial message sent from the Easy VPN Client to the Easy VPN Server

E. None of these answers are correct

Answer: A

Q2. Which of the following platforms does not support the Easy VPN Remote feature functionality?
A. 800 Series routers
B. 900 Series routers
C. 7200 Series routers
D. 1700 Series routers
E. None of these answers are correct

Answer: C

Q3. Which two IKE authentication mechanisms do the Easy VPN Remote Clients support? (Choose two.)
A. Username/password
B. Preshared keys
C. Diffie-Hellman
D. Digital certificates
E. XAUTH

Answer: B

Q4. How many different operation modes does the Easy VPN Remote feature support?
A. 1
B. 4
C. 2
D. 3
E. None of these answers are correct

Answer: C

Q5. In which Easy VPN Remote mode are the IP addresses of the remote systems visible on the Easy VPN Server network?
A. Client mode.
B. Network extension mode.
C. Server mode.
D. No Easy VPN Remote modes support this functionality.
E. All Easy VPN Remote modes

Answer: B

Q6. The Cisco VPN Software Client supports which key management techniques?
A. IKE main mode
B. IKE aggressive mode
C. IKE active mode
D. Diffie-Hellman groups 1, 2, 5, and 7
E. All of these answers are correct
F. None of these answers are correct

Answer: A, B, D

Q7. What is Secure Unit Authentication (SUA)?
A. The ability to require the hosts on the remote protected network to be authenticated individually based on the IP address of the inside host

B. The ability to require one-time passwords, two-factor authentication, and similar authentication schemes before the establishment of a VPN tunnel to the Easy VPN Server

C. An authentication mechanism between the remote systems and the Easy VPN Remote Client

D. An authentication mechanism that the Cisco VPN Software Client uses to connect with the Easy VPN Remote feature

E. None of these answers are correct

Answer: B

Q8. Which authentication mechanisms are supported with PPPoE?
A. PAP
B. CHAP
C. IKE
D. MS-CHAP
E. None of these answers are correct

Answer: A, B, D

Q9. Which command enables the Cisco Security Appliance to pass configuration parameters learned from a DHCP server to its DHCP clients?
A. dhcpd auto_config
B. dhcpd option 150
C. dhcpd address
D. dhcpd bind
E. None of these answers are correct

Answer: A

Q10. Which of the following is false with regard to the Security Appliance?
A. You can pass configuration parameters learned from the DHCP client to the Security Appliance’s DHCP clients.

B. You can pass configuration parameters learned from the PPPoE client to the Security Appliance’s DHCP clients.

C. You can enable the DHCP client and the DHCP server simultaneously.

D. You can enable the PPPoE client and the DHCP client on the same interface simultaneously.

E. All of these statements are true.

Answer: D

Q11. Which two major components comprise the Easy VPN solution?

Answer: The Easy VPN comprises Easy VPN Server and Easy VPN Remote feature.

Q12. Which three types of devices can serve as Easy VPN Servers?

Answer: You can use Cisco Security Appliances, Cisco VPN 3000 Series Concentrators, and Cisco IOS routers as Easy VPN Servers.

Q13. What is DPD?

Answer: DPD enables two IPSec peers to determine if the other is still “alive” during the lifetime of the VPN connection.

Q14. What is Initial Contact?

Answer: Initial Contact enables the VPN Client to send an initial message that informs the gateway to ignore and delete any existing connections from that client, thus preventing connection problems caused by SA synchronization issues.

Q15. Which client platforms support the Easy VPN Remote feature?

Answer: The Easy VPN Remote feature is supported on the Cisco VPN Software Client, Cisco VPN 3002 Hardware Client, Cisco PIX 501 and 506/506E VPN Clients, and Cisco Easy VPN Remote router clients.

Q16. Which router platforms can be used as Cisco Easy VPN Clients?

Answer: The 800 Series routers, 900 Series routers, and 1700 Series routers can serve as Cisco Easy VPN Remote clients.

Q17. What are the six major steps that occur when the Easy VPN Remote client initiates a connection with the Easy VPN Server gateway?

Answer: When the Easy VPN Remote client initiates a connection with the Easy VPN Server, it goes through the following six steps: (1) VPN Client initiates the IKE phase 1 process; (2) VPN Client negotiates an IKE SA; (3) Easy VPN Server accepts the SA proposal; (4) the Easy VPN Server initiates a username/password challenge; (5) mode configuration process is initiated; and (6) IKE quick mode completes the connection.

Q18. When initiating the VPN connection, the client can use which two IKE authentication mechanisms?

Answer: When initiating the VPN connection, the client can use preshared keys and digital certificates for IKE authentication.

Q19. What is XAUTH?

Answer: Extended authentication (XAUTH) enables the Easy VPN Server to require username/password authentication (performed by a AAA server) in order to establish the VPN connection.

Q20. Which two modes of operation does the Easy VPN Remote support?

Answer: The Easy VPN Remote supports client mode and network extension mode.

Q21. In which Easy VPN Remote mode are the addresses of the remote system visible on the Easy VPN Server network?

Answer: When operating in network extension mode, the remote system addresses are visible on the Easy VPN Server network. In client mode, PAT is used on the Easy VPN Remote client so the remote system addresses are not visible.

Q22. What feature enables the Cisco VPN Software Client to be simple to deploy and manage?

Answer: The ability to push VPN access policies automatically from the Easy VPN Server to the Cisco VPN Software Client simplifies deployment and management.

Q23. Which encryption algorithms are supported by the Cisco VPN Software Client?

Answer: The Cisco VPN Software Client supports DES, 3DES, and AES (128- and 256-bit) encryption algorithms.

Q24. What is SUA?

Answer: Secure Unit Authentication (SUA) enables the Easy VPN Remote server to require one-time passwords, two-factor authentication, and similar authentication schemes before the establishment of a VPN tunnel to the Easy VPN Server.

Q25. What is IUA?

Answer: Individual User Authentication (IUA) causes the hosts on the remote protected network to be individually authenticated based on the IP address of the inside host.

Q26. What is PPPoE?

Answer: Point-to-Point Protocol over Ethernet (PPPoE) provides an authenticated method for assigning IP addresses to client systems over broadband connections by combining PPP and Ethernet.

Q27. What type of DHCP functionality does the Security Appliance provide?

Answer: Any Cisco Security Appliance provides both DHCP server and DHCP client functionality. As a DHCP server, the Security Appliance provides hosts protected by the firewall with the network parameters necessary for them to access the enterprise or corporate network. As a DHCP client, the Security Appliance can obtain its own IP address and network mask and, optionally, a default route from the DHCP server.

Q28. Which command enables you to configure the Security Appliance to pass configuration parameters learned by using either PPPoE or DHCP to its DHCP clients?

Answer: To enable the Security Appliance to pass the learned DHCP configuration parameters automatically to its DHCP clients, you use the dhcpd auto_config command.

About the author

Scott
