New 2020 CCNP 300-730 SVPN exam questions from PassLeader 300-730 dumps! Welcome to download the newest PassLeader 300-730 VCE and PDF dumps: https://www.passleader.com/300-730.html (206 Q&As)
P.S. Free 2020 CCNP 300-730 SVPN dumps are available on Google Drive shared by PassLeader: https://drive.google.com/open?id=1FvI5Ex1cQ5aV-zvXk36EhmRwqRF3xMhg
NEW QUESTION 181
A network administrator deployed IKEv2 Cisco AnyConnect on a Cisco ASA. The current configuration tunnels all traffic through the VPN. Users report poor performance with cloud-based applications, but no issues have been reported about connections to on-premises servers. Packet analysis on Cisco Webex traffic shows very few duplicate ACKs, high RTT, and no IP fragments. Which action improves Webex performance for VPN users?
A. Configure QoS on the outside interface of the ASA.
B. Configure Cisco AnyConnect to use DTLS.
C. Configure a dynamic split tunnel exclusion.
D. Reduce the Cisco AnyConnect tunnel MTU.
Answer: C
NEW QUESTION 182
A network administrator is troubleshooting a FlexVPN tunnel. The hub router is unable to ping the spoke router’s tunnel interface IP address of 192.168.1.2, even though the tunnel is showing up. The output of the debug ip packet CLI command on the hub router shows the following entry:
“IP: tableid=0123456789 s=192.168.1.1 (local), d=192.168.1.2 (loopback2), routed via FIB.”
What must be configured to fix this issue?
A. A matching IKEv2 pre-shared key on the hub and spoke routers in the crypto keyring configuration.
B. An outbound ACL on the dynamic VTI of the hub router that allows ICMP traffic to 192.168.1.2.
C. An IKEv2 authorization policy must be configured on the spoke router to advertise the interface route.
D. A route map must be configured on the hub router to set the next hop for 192.168.1.2 to the dynamic VTI.
Answer: C
NEW QUESTION 183
An engineer is implementing the FlexVPN solution on a Cisco IOS router. The router must only terminate VPN requests and must not initiate them. Additionally, the interface must support VPNs from other routers and Cisco AnyConnect connections. Which interface type must be configured to meet these requirements?
A. point-to-point GRE tunnel interface
B. multipoint GRE tunnel interface
C. static virtual tunnel interface
D. virtual template interface
Answer: D
Explanation:
The correct interface type to meet these requirements is the virtual template interface. This interface allows for the creation of multiple virtual access interfaces, which can be used for various types of remote access VPN connections, including site-to-site and AnyConnect VPNs. The virtual template interface can be configured to terminate VPN requests from other routers and allow for dynamic creation of VPN sessions, while also supporting AnyConnect VPN connections.
NEW QUESTION 184
An administrator is setting up Cisco AnyConnect on a Cisco ASA with the requirement that AnyConnect automatically establishes a VPN when a company-owned laptop is connected to the internet outside of the corporate network. Which configuration meets these requirements?
A. SBL with user certificate authentication.
B. TND with machine certificate authentication.
C. SBL with machine certificate authentication.
D. TND with user certificate authentication.
Answer: B
Explanation:
Trusted Network Detection (TND) gives you the ability to have AnyConnect automatically disconnect a VPN connection when the user is inside the corporate network (the trusted network) and start the VPN connection when the user is outside the corporate network (the untrusted network).
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure-vpn.html#id_100236
NEW QUESTION 185
Which two protocols does DMVPN leverage to build dynamic VPNs to multiple destinations? (Choose two.)
A. IKEv2
B. NHRP
C. mGRE
D. mBGP
E. GDOI
Answer: BC
NEW QUESTION 186
An engineer is requesting an SSL certificate for a VPN load-balancing cluster in which two Cisco ASAs provide clientless SSLVPN access. The FQDN that users will enter to access the clientless VPN is asa.example.com, and users will be redirected to either asa1.example.com or asa2.example.com. The cluster FQDN and individual Cisco ASAs FQDNs resolve to IP addresses 192.168.0.1, 192.168.0.2, and 192.168.0.3 respectively. The issued certificate must be able to be used to validate the identity of either ASA in the cluster without returning any certificate validation errors. Which fields must be included in the certificate to meet these requirements?
A. CN=*.example.com, SAN=asa.example.com
B. CN=192.168.0.1, SAN=asa1.example.com, asa2.example.com
C. CN=asa.example.com, SAN=asa.example.com, asa1.example.com, asa2.example.com
D. CN=192.168.0.1, SAN=192.168.0.1, 192.168.0.2, 192.168.0.3
Answer: C
Explanation:
https://integratingit.wordpress.com/2020/03/14/asa-vpn-load-balancing/
NEW QUESTION 187
Over which two transport mediums is FlexVPN deployed? (Choose two.)
A. 5G
B. VPLS
C. Internet
D. MPLS
E. DWDM
Answer: CD
Explanation:
Transport network: FlexVPN can be deployed either over a public internet or a private Multiprotocol Label Switching (MPLS) VPN network.
https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/data_sheet_c78-704277.html
NEW QUESTION 188
The corporate network security policy requires that all internet and network traffic must be tunneled to the corporate office. Remote workers have been provided with printers to use locally at home while they are remotely connected to the corporate network. Which two steps must be executed to allow printing to the local printers? (Choose two.)
A. Configure the split-tunnel-policy on the Cisco ASA to tunnelall.
B. Check the Allow Local LAN access checkbox in the Cisco AnyConnect client.
C. Add a persistent static route in the client OS for the local LAN network.
D. Configure the split-tunnel-policy on the Cisco ASA to excludespecified.
E. Configure the split-tunnel-policy on the Cisco ASA to tunnelspecified.
Answer: BD
NEW QUESTION 189
A network engineer must configure the Cisco ASA so that Cisco AnyConnect clients establishing an SSL VPN connection create an additional tunnel for real-time traffic that is sensitive to packet delays. If this additional tunnel experiences any issues, it must fall back to a TLS connection. Which two Cisco AnyConnect features must be configured to accomplish this task? (Choose two.)
A. DTLS
B. DSCP Preservation
C. DPD
D. SSL Rekey
E. OMTU
Answer: AC
Explanation:
Configure Dead Peer Detection: Dead Peer Detection (DPD) ensures that the ASA (gateway) or the client can quickly detect a condition where the peer is not responding, and the connection has failed. To enable dead peer detection (DPD) and set the frequency with which either the AnyConnect client or the ASA gateway performs DPD, do the following:
Before you begin: This feature applies to connectivity between the ASA gateway and the AnyConnect SSL VPN Client only. It does not work with IPsec since DPD is based on the standards implementation that does not allow padding, and Clientless SSL VPN is not supported.
If you enable DTLS, enable Dead Peer Detection (DPD) also. DPD enables a failed DTLS connection to fall back to TLS. Otherwise, the connection terminates.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-anyconnect.html
NEW QUESTION 190
When troubleshooting FlexVPN spoke-to-spoke tunnels, what should be verified first?
A. NHRP redirect is enabled on the hub.
B. The spokes have sent a resolution request.
C. NHRP cache entries exist on the spoke.
D. NHO routes exist on the spokes.
Answer: B
Explanation:
The Next Hop Resolution Protocol (NHRP) redirect is not a strict requirement for FlexVPN spoke-to-spoke tunnels to function. NHRP redirect is typically used in DMVPN (Dynamic Multipoint Virtual Private Network) deployments to optimize the routing of traffic between spoke-to-spoke connections by allowing the hub to inform spokes about more efficient paths. In a FlexVPN deployment, spokes send resolution requests to the hub for spoke-to-spoke communication. These resolution requests are typically related to Next Hop Resolution Protocol (NHRP) operations. NHRP is used in FlexVPN to dynamically map the public IP addresses of spokes to their private IP addresses, facilitating spoke-to-spoke communication without having to route all traffic through the hub.
NEW QUESTION 191
Users are getting untrusted server warnings when they connect to the URL https://asa.lab from their browsers. This URL resolves to 192.168.10.10, which is the IP address for a Cisco ASA configured for a clientless VPN. The VPN was recently set up and issued a certificate from an internal CA server. Users can connect to the VPN by ignoring the message; however, when users access other webservers that use certificates issued by the same internal CA server, they do not experience this issue. Which action resolves this issue?
A. Import the CA that signed the certificate into the machine trusted root CA store.
B. Reissue the certificate with asa.lab in the subject alternative name field.
C. Import the CA that signed the certificate into the user trusted root CA store.
D. Reissue the certificate with 192.168.10.10 in the subject common name field.
Answer: B
Explanation:
https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html
NEW QUESTION 192
Two Cisco ASAs are set up in a VPN load-balancing configuration in an environment where there are thousands of unique Cisco AnyConnect connections per day. Which scalable IP address assignment method must be implemented on both ASAs to achieve minimal overlap when assigning IP addresses from the same subnet to AnyConnect clients?
A. DHCP.
B. Local.
C. RADIUS framed IP address.
D. RADIUS address pools.
Answer: A
NEW QUESTION 193
Which feature must be disabled in EIGRP for DMVPN spokes to learn routes to other DMVPN spokes?
A. split-horizon
B. bandwidth percent
C. next-hop-self
D. hold time
Answer: A
NEW QUESTION 194
Which command must be configured on the tunnel interface of a FlexVPN spoke to receive a dynamic IP address from the hub?
A. ip address negotiated
B. ip unnumbered
C. ip address dhcp
D. ip address pool
Answer: A
NEW QUESTION 195
Which configuration allows a Cisco ASA to receive an IPsec connection from a peer with an unknown IP address?
A. dynamic crypto map
B. dynamic tunnel group
C. dynamic AAA attributes
D. dynamic access policy
Answer: A
NEW QUESTION 196
An organization wants to implement a site-to-site VPN solution that must be able to support 350 sites with direct communications between all sites, fully encrypt the packet header and payload, and support propagation of routing information over IPsec. Which solution meets these requirements?
A. IPsec full mesh
B. DMVPN
C. GETVPN
D. FlexVPN
Answer: D
Explanation:
https://networklessons.com/cisco/ccie-enterprise-infrastructure/flexvpn-ikev2-routing
NEW QUESTION 197
A network administrator wants the Cisco ASA to automatically start downloading the Cisco AnyConnect client without prompting the user to select between WebVPN or AnyConnect. Which command accomplishes this task?
A. anyconnect ssl df-bit-ignore enable
B. anyconnect ask none default anyconnect
C. anyconnect ask enable default anyconnect
D. anyconnect modules value default
Answer: B
NEW QUESTION 198
A clientless SSLVPN solution is built for 10 employees on a newly installed Cisco ASA. After a couple of days in production, it has been observed that only the first two users to log in each day are able to connect successfully. The remaining users encounter the message “Login failed”. Which action resolves the issue?
A. Allocate additional Cisco AnyConnect Premium licenses to the ASA.
B. Increase the vpn-simultaneous-logins parameter to a value of more than 2.
C. Increase the number of IP addresses available in the VPN pool.
D. Verify that the users that cannot log in are in the correct AD group with VPN permissions.
Answer: A
NEW QUESTION 199
A Cisco IOS router is reconfigured to connect to an additional DMVPN hub that is a part of a different DMVPN phase 3 cloud. After this change was made, users begin to experience problems accessing corporate resources over both tunnels. Before the additional tunnel was created, users could access resources over the first tunnel without any issues. Both tunnels terminate on the same interface of the router and use the same IPsec proposals. Which two actions resolve the issue without affecting spoke-to-spoke traffic in either DMVPN cloud? (Choose two.)
A. Enable dead peer detection for both tunnels.
B. Use the same shared IPsec profile for both tunnels.
C. Configure the same NHRP network IDs for both tunnels.
D. Specify the tunnel destination in each tunnel.
E. Assign a unique tunnel key to each tunnel.
Answer: DE
NEW QUESTION 200
Which two tasks must be performed to implement a clientless VPN on the Cisco ASA? (Choose two.)
A. Configure a connection profile.
B. Upload an AnyConnect Package.
C. Install an enrolled X.509 Certificate.
D. Configure a language translation file.
E. Configure a portal customization.
Answer: AC
NEW QUESTION 201
Drag and Drop
Drag and drop the GET VPN components from the left onto the correct descriptions on the right.
NEW QUESTION 202
……