Description
Exam Demo
300-735 CCNA Security Implementing Cisco Network Security
QUESTION 1
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following
questions.
Exhibit:
Which of the following user accounts will be able to connect to the ASA by using ASDM? (Select the best answer.)
A. only john
B. only boson
C. only jane
D. both john and jane
E. both jane and boson
F. john, jane, and boson
Correct Answer: E
Explanation:
Both the jane and the boson user accounts will be able to connect to the Cisco Adaptive Security Appliance (ASA) by using Cisco Adaptive Security
Device Manager (ASDM). When you add a user to the local Authentication, Authorization, and Accounting (AAA) database on an ASA, you can specify
security parameters for the user. One security option you can specify is whether the user can establish a management connection to the ASA. This
option is configured in the Add or Edit User Account dialog box in ASDM. Under Access Restriction, you can select Full Access (ASDM, SSH, Telnet
and Console), CLI login prompt for SSH, Telnet and console (no ASDM access), or No ASDM, SSH, Telnet or Console access. The Full Access
(ASDM, SSH, Telnet and Console) option will let the user use ASDM or the command line interface (CLI) to administer the ASA. In this scenario, this
option is selected for both the jane and the boson user accounts, as shown in the following exhibits:
You can access the Add or Edit User Account dialog box in ASDM by clicking Configuration, clicking the Remote Access VPN button, expanding AAA/
Local Users, and clicking Local Users. To open the Edit User Account dialog box, you should double-click the user account that you want to open.
The john user account is configured with the No ASDM, SSH, Telnet or Console access option. This option will prevent the user from establishing a
management connection to the device by using ASDM, SSH, Telnet, or the console.
Reference:
Cisco: Configuring AAA Servers and the Local Database: Adding a User Account
QUESTION 2
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following
questions.
Which of the following tunneling protocols will the jane user account be able to use when establishing a clientless SSL VPN connection by using the
boson tunnel group? (Select the best answer.)
Exhibit:
A. only clientless SSL VPN
B. only SSL VPN client
C. only IPSec
D. only L2TP/IPSec
E. both client and clientless SSL VPN
F. both clientless SSL VPN and IPSec
Correct Answer: A
Explanation:
The jane user account will be able to use only the clientless Secure Sockets Layer (SSL) virtual private network (VPN) tunneling protocol when
establishing a clientless SSL VPN connection by using the boson tunnel group. You can specify the tunneling protocols that can be used to establish a
connection to a tunnel group, which is also known as a connection profile, either in a group policy or within a user account, depending on whether the
tunneling protocol configuration should be applied to a group or to a single user.
When you configure a tunneling protocol, you can specify one or more of the following four options: Clientless SSL VPN, SSL VPN Client, IPSec, or
L2TP/IPSec.
In this scenario, you can view the tunneling protocols that are configured for the jane user account by accessing her user account information in Cisco
Adaptive Security Device Manager (ASDM) by clicking Configuration, clicking the Remote Access VPN button, expanding AAA/Local Users, clicking
Local Users, and double-clicking the jane user account, which will open the Edit User Account dialog box. You should then click VPN Policy, which will
display a pane that includes a Tunneling Protocols entry. This entry for the jane user account is configured with the Inherit option, which means that the
tunneling protocols that the jane user account can use will be inherited from a group policy that is associated with the jane user account. In this scenario,
the jane user account is associated with the boson_grp group policy.
To view the tunneling protocols that are associated with the boson_grp group policy in ASDM, you should click Configuration, click the Remote Access
VPN button, expand Clientless SSL VPN Access, select Group Policies, and double-click boson_grp, which will open the Edit Internal Group Policy dialog
box. The More Options section on the General pane displays the Tunneling Protocols entry. Only the Clientless SSL VPN option is selected, as shown in
the following exhibit:
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes
QUESTION 3
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following
questions.
Exhibit:
Which of the following statements are true regarding clientless SSL VPN connections that are made by using the boson tunnel group? (Select 3
choices.)
A. VPN clients will be authenticated using the local AAA database.
B. VPN clients will be authenticated using digital certificates.
C. The DfltGrpPolicy group policy will be applied to the VPN connections.
D. The boson_grp group policy will be applied to the VPN connections.
E. No welcome banner will be displayed to VPN clients.
F. A welcome banner will be displayed to VPN clients.
Correct Answer: ADF
Explanation:
Virtual private network (VPN) clients will be authenticated using the local Authentication, Authorization, and Accounting (AAA) database, the boson_grp
group policy will be applied to the VPN connections, and a welcome banner will be displayed to VPN clients. When configuring a tunnel group, which is also known as a connection profile, in Cisco Adaptive Security Device Manager (ASDM), you can specify a number of parameters. For example, you
can specify the type of authentication to use and the default group policy to use for VPN connections made by using the tunnel group. This information
can be configured or modified on the Add or Edit Clientless SSL VPN Connection Profile dialog box in ASDM. To access this dialog box in ASDM, you
should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, and click Connection Profiles. You should then
double-click a connection profile, which will open the Edit Clientless SSL VPN Connection Profile dialog box for the selected connection profile. The Edit
Clientless SSL VPN Connection Profile dialog box for the boson tunnel group is shown in the following exhibit:
The Authentication section of the Basic screen of the Edit Clientless SSL VPN Connection Profile dialog box indicates that the tunnel group will use the
local AAA database for user authentication. Thus any VPN connections made by using this tunnel group will be authenticated against the AAA
database.
The Default Group Policy section indicates that the boson_grp group policy will be applied to this connection profile. That is, the settings in the
boson_grp group policy will apply to VPN users who connect by using the boson tunnel group.
You can view the details of the boson_grp group policy to determine whether a banner message will be displayed to VPN clients. This information is
displayed on the General pane of the Add or Edit Internal Group Policy dialog box. To view the details of an existing group policy for clientless SSL VPN
users in ASDM, you should click Configuration, expand Clientless SSL VPN Access, and click Group Policies. You can then double-click boson_grp,
which will open the Edit Internal Group Policy dialog box, which is shown in the following exhibit:
The Banner entry contains a value of Welcome to Boson Software! Because VPN connections made by using the boson tunnel group will use the
boson_grp group policy, you can determine that VPN users will be shown a welcome banner in this scenario.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes
QUESTION 4
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following
questions.
Exhibit:
Which of the following statements is true regarding VPN connections made by a user who is using the john user account? (Select the best answer.)
A. The user will be unable to establish a VPN connection by using the boson tunnel group.
B. The user will be able to establish a connection by using any tunnel group.
C. The DfltGrpPolicy group policy will be applied to any VPN connection that the user established.
D. The user will be able to establish only clientless SSL VPN connections.
Correct Answer: D
Explanation:
The user will be able to establish only clientless Secure Sockets Layer (SSL) virtual private network (VPN) connections. The tunneling protocols that a
user can use to establish a VPN connection can be configured in the user profile or in a group policy. To configure the tunneling protocols in a user
profile, you should access the VPN Policy pane of the Add or Edit User Account dialog box. To access this pane, you should click Configuration, click
the Remote Access VPN button, expand AAA/Local Users, click Local Users, double-click john, and then click VPN Policy. The VPN Policy pane of the
john user account is shown in the following exhibit:
The Tunneling Protocols entry indicates that the john user account is inheriting the tunneling protocol settings from a group policy. The Group Policy
entry indicates that the group policy associated with the john user account is boson_grp. Therefore, you must view the details of the boson_grp group
policy to determine the tunneling protocols that the john user account can use.
To view the details of the boson_grp group policy, you should click Configuration, expand Clientless SSL VPN Access, click Group Policies, and
double-click boson_grp, which will open the Edit Internal Group Policy dialog box, as shown in the following exhibit:
The Tunneling Protocols entry indicates that the group policy allows only clientless SSL VPN connections. Because the john user account inherits this
setting, the john user account will be able to establish a VPN connection by using only a clientless SSL VPN connection.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes
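The checks walked through in Questions 1, 2 and 4 (which users have ASDM management access, and which tunneling protocols a user inherits from a group policy) can also be run against a saved configuration. This is an added example, not part of the original exam material; the configuration text is constructed to mirror the scenario. Assumptions: `service-type`, `vpn-group-policy` and `vpn-tunnel-protocol ssl-clientless` are the CLI counterparts of the ASDM settings as spelled on newer ASA releases, the DfltGrpPolicy protocol list is made up, and a user with no `vpn-group-policy` is simplified to fall back to DfltGrpPolicy.

```python
import re

# Constructed running-config fragment mirroring the scenario (not from a real device).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy boson_grp attributes
 banner value Welcome to Boson Software!
 vpn-tunnel-protocol ssl-clientless
username john attributes
 vpn-group-policy boson_grp
 service-type remote-access
username jane attributes
 vpn-group-policy boson_grp
 service-type admin
username boson attributes
 service-type admin
"""

def parse_attributes(config):
    """Return {(kind, name): {keyword: value}} for each 'attributes' sub-mode."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"(username|group-policy) (\S+) attributes$", line)
        if header:
            current = blocks.setdefault(header.groups(), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the sub-mode
    return blocks

def audit_users(config):
    blocks = parse_attributes(config)
    dflt = blocks.get(("group-policy", "DfltGrpPolicy"), {})
    report = {}
    for (kind, name), attrs in blocks.items():
        if kind != "username":
            continue
        policy = attrs.get("vpn-group-policy", "DfltGrpPolicy")
        # Chain: user -> user's group policy -> DfltGrpPolicy; missing service-type assumed admin.
        chain = (attrs, blocks.get(("group-policy", policy), {}), dflt)
        protocols = next((c["vpn-tunnel-protocol"] for c in chain
                          if "vpn-tunnel-protocol" in c), "")
        report[name] = {"asdm_access": attrs.get("service-type", "admin") == "admin",
                        "group_policy": policy,
                        "tunnel_protocols": sorted(protocols.split())}
    return report
```

Calling `audit_users(SAMPLE_CONFIG)` returns one entry per local user, which makes it easy to flag accounts that combine VPN access with full management access.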
QUESTION 5
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an ASA. Please click exhibit to answer the following
questions.
Exhibit:
Which of the following connection profiles will use the boson_grp group policy? (Select the best answer.)
A. only the boson connection profile
B. only the DefaultRAGroup connection profile
C. only the DefaultWEBVPNGroup connection profile
D. both the boson connection profile and the DefaultWEBVPNGroup connection profile
E. both the DefaultRAGroup connection profile and the DefaultWEBVPNGroup connection profile
Correct Answer: A
Explanation:
Only the boson connection profile will use the boson_grp group policy. To determine which connection profiles will use the boson_grp group policy, you
should access the Connection Profiles pane in Cisco Adaptive Security Device Manager (ASDM). To access this pane, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, and click Connection Profiles, which will open the Connection Profiles
configuration pane, as shown in the following exhibit:
This pane displays a summary of the connection profiles that are configured on the Cisco Adaptive Security
Appliance (ASA). In this scenario, there are three connection profiles. There are two default profiles, DefaultRAGroup and DefaultWEBVPNGroup, and
one user-specified connection profile, boson. To view which group policy is associated with which connection profile, you should double-click the
connection profiles to open the Edit Clientless SSL VPN Connection Profile dialog box. The default group policy that is associated with a connection
profile is displayed on the Basic pane of this dialog box. By viewing this information, you can determine that only the boson connection profile uses the
boson_grp group policy. The Basic pane of the boson connection profile is shown in the following exhibit:
The two default connection profiles use the default group policy, which is DfltGrpPolicy.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles