Cisco CCNP Security 300-209 Exam - CCNP Security Implementing Cisco Secure Mobility Solutions (SIMOS)

Purchase Individually

  • Premium File

    409 Questions & Answers
    Last Update: Dec 5, 2019

    $21.41
    $14.99
  • Training Course

    241 Lectures

    $14.27
    $9.99
  • Study Guide

    151 Pages

    $14.27
    $9.99

Download Free Cisco 300-209 Exam Questions

Questions & Answers for Cisco 300-209

Showing 1-15 of 213 Questions

Question #1

Which two features are required when configuring a DMVPN network? (Choose two.)

A. Dynamic routing protocol

B. GRE tunnel interface

C. Next Hop Resolution Protocol

D. Dynamic crypto map

E. IPsec encryption

Question #2

What are the three primary components of a GET VPN network? (Choose three.)

A. Group Domain of Interpretation protocol

B. Simple Network Management Protocol

C. server load balancer

D. accounting server

E. group member

F. key server

Question #3

Which three types of web resources or protocols are enabled by default on the Cisco ASA
Clientless SSL VPN portal? (Choose three.)

A. HTTP

B. VNC

C. CIFS

D. RDP

E. HTTPS

F. ICA (Citrix)

Question #4

Scenario
You are the network security administrator for your organization. Your company is growing
and a remote branch office is being created. You are tasked with configuring your
headquarters Cisco ASA to create a site-to-site IPsec VPN connection to the branch office
Cisco ISR. The branch office ISR has already been deployed and configured and you need
to complete the IPsec connectivity configurations on the HQ ASA to bring the new office
online.
Use the following parameters to complete your configuration using ASDM. For this
exercise, not all ASDM screens are active.
✑ Enable IKEv1 on outside I/F for Site-to-site VPN
✑ Add a Connection Profile with the following parameters:
✑ Peer IP: 203.0.113.1
✑ Connection name: 203.0.113.1
✑ Local protected network: 10.10.9.0/24
✑ Remote protected network: 10.11.11.0/24
✑ Group Policy Name: use the default policy name supplied
✑ Preshared key: cisco
✑ Disable IKEv2
✑ Encryption Algorithms: use the ASA defaults
✑ Disable pre-configured NAT for testing of the IPsec tunnel
✑ Disable the outside NAT pool rule
✑ Establish the IPsec tunnel by sending ICMP pings from the Employee PC to the
Branch Server at IP address 10.11.11.20
✑ Verify tunnel establishment in ASDM VPN Statistics > Sessions window pane
You have completed this exercise when you have successfully configured, established, and
verified site-to-site IPsec connectivity between the ASA and the Branch ISR.
Topology
[Topology diagram not included]

Review the explanation for detailed answer steps.

Explanation:
First, click on Configuration -> Site-to-Site VPN to bring up this screen:

Click on allow IKE v1 Access for the outside per the instructions as shown below:

Then click apply at the bottom of the page. This will bring up the following pop up message:

Click on Send.
Next, we need to set up the connection profile. From the connection profile tab, click on
Add.

Then, fill in the information per the instructions as shown below:

Hit OK and you should see this:

To test this, we need to disable NAT. Go to Configuration -> Firewall -> NAT rules and you
should see this:

Click on Rule 1 to get the details and you will see this:

We need to uncheck the Enable rule button on the bottom. It might also be a good idea to
uncheck the Translate DNS replies that match the rule but it should not be needed.
Then, go back to the topology:

Click on Employee PC, and you will see a desktop with a command prompt shortcut. Use
this to ping the IP address of 10.11.11.20 and you should see replies:

We can also verify by viewing the VPN Statistics -> Sessions and see the bytes in/out
incrementing as shown below:

Question #5

Which command enables IOS SSL VPN Smart Tunnel support for PuTTY?

A. appl ssh putty.exe win

B. appl ssh putty.exe windows

C. appl ssh putty

D. appl ssh putty.exe

Question #6

Which option is an example of an asymmetric algorithm?

A. 3DES

B. IDEA

C. AES

D. RSA

Question #7

Which encryption and authentication algorithms does Cisco recommend when deploying a
Cisco NGE supported VPN solution?

A. AES-GCM and SHA-2

B. 3DES and DH

C. AES-CBC and SHA-1

D. 3DES and SHA-1

Question #8

A company needs to provide secure access to its remote workforce. The end users use
public kiosk computers and a wide range of devices. They will be accessing only an
internal web application. Which VPN solution satisfies these requirements?

A. Clientless SSLVPN

B. AnyConnect Client using SSLVPN

C. AnyConnect Client using IKEv2

D. FlexVPN Client

E. Windows built-in PPTP client

Question #9

A network administrator is configuring AES encryption for the ISAKMP policy on an IOS
router. Which two configurations are valid? (Choose two.)

A. crypto isakmp policy 10 encryption aes 254

B. crypto isakmp policy 10 encryption aes 192

C. crypto isakmp policy 10 encryption aes 256

D. crypto isakmp policy 10 encryption aes 196

E. crypto isakmp policy 10 encryption aes 199

F. crypto isakmp policy 10 encryption aes 64

Question #10

Which two troubleshooting steps should be taken when Cisco AnyConnect cannot establish
an IKEv2 connection, while SSL works fine? (Choose two.)

A. Verify that the primary protocol on the client machine is set to IPsec.

B. Verify that AnyConnect is enabled on the correct interface.

C. Verify that the IKEv2 protocol is enabled on the group policy.

D. Verify that ASDM and AnyConnect are not using the same port.

E. Verify that SSL and IKEv2 certificates are not referencing the same trustpoint.

Question #11

Refer to the exhibit.

Which two characteristics of the VPN implementation are evident? (Choose two.)

A. dual DMVPN cloud setup with dual hub

B. DMVPN Phase 3 implementation

C. single DMVPN cloud setup with dual hub

D. DMVPN Phase 1 implementation

E. quad DMVPN cloud with quadra hub

F. DMVPN Phase 2 implementation

Question #12

Which are two main use cases for Clientless SSL VPN? (Choose two.)

A. In kiosks that are part of a shared environment

B. When the users do not have admin rights to install a new VPN client

C. When full tunneling is needed to support applications that use TCP, UDP, and ICMP

D. To create VPN site-to-site tunnels in combination with remote access

Question #13

An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the
corporate FTP site with a Web browser. What is a possible reason for the failure?

A. The user's FTP application is not supported.

B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.

C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.

D. The user's operating system is not supported.

Reference:
http://www.cisco.com/c/en/us/support/docs/security/ssl-vpn-client/70664-IOSthinclient.html
Thin-Client SSL VPN (Port Forwarding)
A remote client must download a small, Java-based applet for secure access of TCP
applications that use static port numbers. UDP is not supported. Examples include access
to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges
because changes are made to files on the local machine. This method of SSL VPN does
not work with applications that use dynamic port assignments, for example, several FTP
applications.

Question #14

Refer to the exhibit.

An administrator had the above configuration working with SSL protocol, but as soon as the
administrator specified IPsec as the primary protocol, the Cisco AnyConnect client was not
able to connect. What is the problem?

A. IPsec will not work in conjunction with a group URL.

B. The Cisco AnyConnect implementation does not allow the two group URLs to be the same. SSL does allow this.

C. If you specify the primary protocol as IPsec, the User Group must be the exact name of the connection profile (tunnel group).

D. A new XML profile should be created instead of modifying the existing profile, so that the clients force the update.

Question #15

Which command specifies the path to the Host Scan package in an ASA AnyConnect
VPN?

A. csd hostscan path image

B. csd hostscan image path

C. csd hostscan path

D. hostscan image path
