Cisco Secure VPN (CSVPN®) 9E0-121 - Version 6.0 document (pptx)


Document information

21certify.com
Cisco: Cisco® Secure VPN (CSVPN®) 9E0-121 Version 6.0
Jun. 17th, 2003

Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 365 days after the purchase. You should check the products page on the www.21certify.com web site for an update 3-4 days before the scheduled exam date.

Important Note: Please Read Carefully
This 21certify Exam has been carefully written and compiled by 21certify Exams experts. It is designed to help you learn the concepts behind the questions rather than be a strict memorization tool. Repeated readings will increase your comprehension.

We continually add to and update our 21certify Exams with new questions, so check that you have the latest version of this 21certify Exam right before you take your exam.

For security purposes, each PDF file is encrypted with a unique serial number associated with your 21certify Exams account information. In accordance with International Copyright Law, 21certify Exams reserves the right to take legal action against you should we find copies of this PDF file have been distributed to other parties.

Please tell us what you think of this 21certify Exam. We appreciate both positive and critical comments as your feedback helps us improve future versions.

We thank you for buying our 21certify Exams and look forward to supplying you with all your Certification training needs.

Good studying!
21certify Exams Technical and Support Team

Note 1: Section A contains 93 questions. Section B contains 126 questions. Section C contains 171 questions.
The total number of questions is 390.

Note 2: First customer, if any, to beat 21certify in providing answers to the unanswered questions will receive a free 21certify product. Send answers to feedback@21certify.com.

Section A

Q.1 If the central Concentrator is configured for interactive unit authentication, a VPN 3002 will prompt for username/password before establishing a tunnel. In how many ways can you make a VPN 3002 prompt for the username/password?
A. 1
B. 5
C. 4
D. 2
E. 3
Answer: E

Q.2 Performing Quick configuration on a VPN 3002 Hardware, under “Private Interface” what options are available to the administrator? (Choose all that apply)
A. Do not use the DHCP server to provide address.
B. Do you want to use DHCP server on Interface 1 to provide addresses for the local LAN?
C. Do not use DHCP client to request address.
D. Do you want to use DHCP client to request addresses for the local LAN?
Answer: A, B

Q.3 A VPN 3000 Concentrator is configured for Optional as Firewall Setting and the expected Firewall is set to ICE BlackICE Defender. A client connects without any Firewall.
A. The tunnel will establish as normal.
B. There is no optional firewall setting in the AYT configuration on a Cisco 3000 Concentrator.
C. All answers are incorrect.
D. The tunnel will establish, AYT will fail, the tunnel will be removed and the client will get disconnected.
E. The Tunnel will establish, but the administrator will receive a notification message that the client did not match any of the Concentrator’s configured firewalls.
Answer: C

Q.4 Trojan horses fall into which of the following methods?
A. Denial of Service Methods
B. Reconnaissance Methods
C. Stealth Methods
D. Access Methods
Answer: D

Q.5 What are the two purposes of X.509 certificate serial numbers?
A. It is a unique certificate numerical identifier in the certificate authority domain.
B. It identifies the certificate authority public key and hashing algorithm.
C. Includes subject’s public key and hashing algorithm.
D. It is the number used to identify certificates in CRLs.
E. It specifies start and expiration dates on the certificate.
Answer: A, D

Q.6 Which of the following statements is true in defining RSA signature system?
A. An RSA signature is formed when data is encrypted with a user’s private key and the receiver verifies the signature by decrypting the message with the sender’s private key.
B. An RSA signature is formed when data is encrypted with a user’s public key and the receiver verifies the signature by decrypting the message with the sender’s private key.
C. An RSA signature is formed when data is encrypted with a user’s private key and the receiver verifies the signature by decrypting the message with the sender’s public key.
D. An RSA signature is formed when data is encrypted with a user’s public key and the receiver verifies the signature by decrypting the message with the sender’s public key.
Answer: C

Q.7 Which model of the VPN 3000 Concentrator matches the following descriptions:
- 256 MB of SRAM
- Hardware Based Encryption
- Programmable DSP-based security accelerator
- Supports up to 5000 simultaneous remote connections
A. Model 3080
B. Model 3015
C. Model 3060
D. Model 3030
Answer: C

Q.8 Each IPSec peer has how many keys?
A. 3
B. It depends
C. 4
D. 2
Answer: A

Q.9 VPN is the most cost-effective method of establishing a point-to-point connection between remote users and the enterprise network. Cisco categorizes VPN in three types: (Choose three)
A. Hybrid VPN
B. Access VPN
C. Extranet VPN
D. Direct VPN
E. Intranet VPN

Q.10 To troubleshoot SCEP enrollment, the administrator should scrutinize what event class in the event log?
A. IKE
B. IPSec
C. SCEP
D. Cert
Answer: D

Q.11 If the LAN-to-LAN tunnel is not established, which three IPSec LAN-to-LAN configuration parameters should the administrator verify at both ends of the tunnel? (Choose three)
A. Name
B. Pre-shared key
C. Authentication
D. Routing
E. Local network IP address
F. Remote network IP address
Answer: B, E, F

Q.12 Which statement about the Cisco VPN client software update is true?
A. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client automatically downloads a new version of code from a configured web site.
B. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client automatically downloads a new version of code from a TFTP server.
C. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator automatically downloads a new version of the software.
D. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator only sends an update notification to the remote Cisco VPN client.

Q.13 To clear the ARP cache on a Cisco VPN Concentrator, which status screen should the administrator access?
A. Monitor | Routing Table
B. Monitor | ARP cache
C. Monitor | Statistics | MIB-II
D. Monitor | System Statistics
Answer: C

Q.14 When first installing the Cisco VPN Concentrator, why should you use CLI?
A. To configure the Cisco VPN Concentrator.
B. To configure the private LAN port.
C. To connect to the Internet.
D. To configure serial ports.
Answer: B

Q.15 Choose the two ways an administrator can set up user authentication and IP address assignment. (Choose two)
A. Per user
B. Per domain
C. Per Cisco VPN Concentrator (globally)
D. Per group
E. Per network
F. Per server
Answer: C, D

A. Are you there
B. Authentication proxy
C. Stateful firewall (always on)
D. Content filtering
E. Central protection policy
F. Stateful failover
Answer: A, C, E

Q.17 How can you monitor IPSec sessions on the Cisco VPN Client?
A. Monitor-Screen | Encryption
B. Cisco VPN Client Connection Status window
C. Monitor-Sessions screen
D. Monitor-Routing table
Answer: B

Q.18 For the Cisco VPN Concentrator, what are the two types of certificate enrollment? (Choose two)
A. File-based enrollment process
B. SCEP
C. PKCS#15 enrollment process
D. Automated enrollment process
E. Out-of-band enrollment process
F. Certified enrollment process
Answer: A, B

Q.19 When the IPSec client-to-LAN applications are changed from pre-shared keys to digital certificates, what is true about the IPSec SA?
A. SA IKE authentication method should be changed.
B. SAP IPSec authentication method should be changed.
C. When the digital certificate is validated, the IPSec SA template automatically is updated.
D. When the digital certificate is activated, the IPSec SA template is automatically updated.
Answer: A

Q.20 How did Cisco solve the PAT translation issue?
A. Wrap a standard IKE packet with a UDP port number.
B. Wrap a standard IPSec packet with a UDP port number.
C. Change the IKE TCP port number from a well known to a dynamically assigned port number.
D. Change the IPSec TCP port number from a well known to a dynamically assigned port number.
Answer: B

Q.21 How is user authentication enabled on the Cisco VPN 3002?
A. Checked on the Cisco VPN Concentrator and pushed down to the Cisco VPN 3002.
B. Unchecked on the Cisco VPN Concentrator and pushed down to the Cisco VPN 3002.
C. Checked on the Cisco VPN 3002.
D. Unchecked on the Cisco VPN 3002.
Answer: A

Q.22 What are the three steps in the auto-update configuration process? (Choose three)
A. Enable the client update functionality in the Cisco VPN 3002.
B. Enable the client update functionality in the Cisco VPN Concentrator.
C. Modify the group-client, auto-update parameter.
D. Configure the IKE auto-update message parameters.
E. Send an update message.
F. Configure the IPSec auto-update message parameters.
Answer: B, C, E

Q.23 When two adjacent Cisco VPN Concentrators are configured for VRRP and the master Cisco VPN Concentrator fails, which statement is true?
A. All sessions are lost.
B. Only remote access users need to re-establish their tunnels.
C. No sessions are lost.
D. Only site-to-site users need to re-establish their tunnels.
Answer: B

Q.24 Which Cisco IOS VPN feature allows the sender to encrypt packets before transmitting them across a network?
A. Anti-replay
B. Data confidentiality
C. Data integrity
D. Data original authentication
Answer: B

Q.25 How is data authentication achieved?
A. Using DES
B. Using ESP
C. Using MD5
D. Using 3DES
Answer: C

Q.26 What is the name of the application that must be added to the Concentrator to perform load balancing?
A. Virtual Termination Point (VTP)
B. Virtual Designated Concentrator (VDC)
C. Virtual Cluster Agent (VCA)
D. Virtual Access Point (VAP)
Answer: C

Q.27 On a VPN 3002 hardware, what are the three levels of GUI Access rights? (Choose three)
A. Admin
B. Config
C. Monitor
D. Power on /Shut down
E. Power
F. Test
Answer: A, B, C

Q.28 Configuring a firewall policy:
A. New filters are added to rules.
B. Unlike ACLs that have an implicit any all at the end of it statements, Filters do not have an implicit deny all.
C. New rules are added to filters.
D. Like ACLs that have an implicit deny all at the end of it statements, Filters also have an implicit deny all.
Answer: B, C

Q.29 An intruder ping sweeps a network and notes the responding nodes. Cisco classifies this type of attack as:
A. Reconnaissance
B. Access
C. Malicious ping
D. Scooping
E. Denial of Service

Q.30 After you issue the “crypto ca enroll”, you are prompted to create a challenge password. Why should you remember this password?
A. Because it is required if you intend to generate multiple certificates.
B. Because if you ever try to reboot, you will be prompted for this password.
C. Because it is required to generate RSA key pairs.
D. You must supply this challenge password if you ever ask the CA to revoke your certificate.
Answer: D

[...]

... auto-update URL?
A. http://10.0.1.10/vpn3002-3.5.Rel-k9.bin
B. http://10.0.1.10/vpn3002-3.5.rel-k9.bin
C. tftp://10.0.1.10/vpn3002-3.5.Rel-k9.bin
D. ftp://10.0.1.10/vpn3002-3.5.Rel-k9.bin
Answer: C

Q.68 What is the default configuration of the Cisco VPN 3002 public interface?
A. DHCP server is enabled
B. DHCP client is enabled
C. Static IP address of 192.168.10.1
D. No configuration
Answer: B

... Encryption Processor
C. Secure Encryption Protocol
D. Secure Encryption Process
Answer: B

Q.5 Your network contains 2000 users and a maximum of 1,000 simultaneous encrypted sessions. Select the lowest-cost Cisco VPN Concentrator that could address this scenario.
A. VPN 3005
B. VPN 3015
C. VPN 3030
D. VPN 3060
E. VPN 3080
Answer: C

Q.6 Which Cisco VPN Concentrator is the lowest-price product...

... the Cisco VPN Concentrator’s private interface
B. VCA filter must be enabled on the Cisco VPN Concentrator public interface
C. VCA filter must be enabled on both Cisco VPN Concentrator interfaces
D. VCA filter is optional
Answer: C

Q.42 For the Cisco VPN Client to interoperate with the Cisco VPN 3000, what is the minimum version of the Cisco VPN 3000?
A. 2.5
B. 2.6
C. 3.0
D. 3.1
Answer: C

Q.43 If the VPN...

... is changed
B. PAT is always enabled on the Cisco VPN 3002 public interface
C. PAT status is configured on the Cisco VPN Concentrator and then pushed to the Cisco VPN 3002 during tunnel establishment
D. The Cisco VPN 3002 does not support PAT
Answer: A

Q.55 What does the backup server feature enable the Cisco VPN 3002 to access?
A. Backup DHCP server
B. Backup Cisco VPN Concentrator
C. Backup authentication...

... Monitoring-tunnel status screen
C. The tunnel must be manually initiated via the Monitoring-system status screen
D. The manual and automatic modes are defined on the Cisco VPN Concentrator and then pushed to the Cisco VPN 3002 during tunnel establishment
Answer: C

Q.77 What does IPSec do at the network layer?
A. Enables Cisco VPN
B. Generates a private DH key
C. Encrypts traffic between secure...

... A LED on your VPN 3030 is amber. This could indicate:
A. Power Supply A is operating normally
B. Power Supply A is not installed
C. Power Supply A is not providing the correct voltage
Answer: C

Q.2 Which Cisco VPN Concentrator requires 128 MB of SRAM memory?
A. VPN 3005
B. VPN 3015
C. VPN 3030
D. VPN 3060
E. VPN 3080
Answer: C

Q.3 How many SEP2 modules are installed in the VPN 3060?
A. 0...

... the Cisco VPN Client are you there feature?
A. Cisco Integrated Client firewall
B. Cyberguard
C. Zone Labs
D. Symantec
Answer: C

Q.53 Which data is shown on the Monitor Sessions screen? (Choose three)
A. Session summary
B. LAN-to-LAN sessions
C. Tunnel summary
D. Client tunnels
E. Site-to-site tunnels
F. Remote access sessions
Answer: A, B, F

Q.54 Which statement is true of the Cisco VPN...

... the Cisco VPN Client for IPSec over TCP, which statement is true?
A. There is no configuration because the information is pushed down to the Cisco VPN Client
B. There is no configuration needed because the feature is enabled by default
C. IPSec over TCP must be enabled on the Cisco VPN Client
D. IPSec over TCP and a TCP port number must be configured on the Cisco VPN Client
Answer: D

... (Choose three)
A. The identity certificate is located into the Cisco VPN Concentrator first
B. The CA generates the root and identity certificates
C. The root certificate is loaded into the Cisco VPN Concentrator second
D. The root certificate is loaded into the Cisco VPN Concentrator first
E. Cisco VPN Concentrator generates a PKCS#7
F. The Cisco VPN Concentrator generates a PKCS#10
Answer: B, D, F

For connection...

Q.50 The top section of the IPSec LAN-to-LAN screen enables the administrator to configure what section of the LAN-to-LAN tunnel?
A. Tunnel information
B. Local private network
C. Remote private network
D. Cisco VPN Concentrator endpoint information
Answer: A

Q.51 When loading a Cisco VPN Concentrator certificate, why MUST the root certificate be loaded into the Cisco VPN Concentrator first?
A. To validate ...

Q.44 How many simultaneous sessions can a Cisco VPN 3030 support?
A. 100
B. 1000
C. 1500
D. 5000
Answer: C

Q.45 The Backup

Date posted: 17/01/2014, 14:20
