Chapter 19. Virtual Private Network (VPN)

Question 1

1. Which site-to-site VPN network topology is supported by Cisco Secure Firewall?

A. Point-to-Point

B. Hub and Spoke

C. Full Mesh

D. All of these answers are correct.

Answer 1

D. All of these answers are correct. Secure Firewall supports all three network topologies—Point-to-Point, Hub and Spoke, and Full Mesh—in a VPN configuration.

Question 2

Which protocol is not part of the IPsec framework?

A. Authentication Header (AH)

B. Generic Routing Encapsulation (GRE)

C. Internet Key Exchange (IKE)

D. Encapsulating Security Payload (ESP)

Answer 2

B. Generic Routing Encapsulation (GRE). AH, ESP, and IKE are the three major protocols in an IPsec framework.

Question 3

3. Which of the following protocols is used for encryption?

A. AES

B. ECDH

C. DH

D. SHA

Answer 3

A. AES. The Advanced Encryption Standard (AES) is a data encryption protocol that is standardized in FIPS 197.

Question 4

4. Which of the following protocols is used for data integrity?

A. AES

B. ECDH

C. SHA

D. DH

Answer 4

C. SHA. The Secure Hash Algorithm (SHA) is used for data integrity and is standardized in FIPS 180-4.

Question 5

5. Which of the following protocols is used to exchange secret keys?

A. IKE

B. ISAKMP

C. ECDH

D. All of these answers are correct.

Answer 5

D. All of these answers are correct. IKE, ISAKMP, and ECDH—all these protocols are used for key exchange.

Question 6

6. For site-to-site VPN deployment on Secure Firewall, which of the following is true?

A. When you are registering a management center with Cisco Smart Software Licensing, the export-controlled functionality must be allowed for stronger encryption algorithms.

B. Secure Firewall supports the configuration of a site-to-site virtual private network using both IKEv1 and IKEv2 protocols.

C. If an interface of the threat defense is configured with NAT and VPN, you need to exempt the internal traffic from being translated.

D. All of these answers are correct.

Answer 6

D. All of these answers are correct. When you are registering a management center with Cisco Smart Software Licensing, the export-controlled functionality must be allowed to enable modern encryption algorithms. Secure Firewall supports the configuration of a site-to-site virtual private network using both IKEv1 and IKEv2 protocols. If an interface of the threat defense is configured with NAT and VPN, you need to exempt the internal traffic from being translated using an identity NAT rule. This process is called NAT exemption.

Question 7

7. For a remote access VPN deployment of Secure Firewall, which of the following is false?

A. Secure Firewall supports the SSL protocol only to establish a secure connection with remote users.

B. The Simple Certificate Enrollment Protocol (SCEP) allows a threat defense to act as a CA server for a remote user.

C. When connecting to a remote access VPN, the remote user connects to the organization’s authentication server directly for credential validation.

D. All of these answers are correct.

Answer 7

D. All of these answers are correct. Secure Firewall supports both SSL and IKEv2 protocols in remote access VPN configuration. SCEP protocol allows Secure Firewall to obtain a certificate directly from the certificate authority. When remote users connect to a threat defense for VPN access, the threat defense communicates to an authentication server for credential validation.