
Cisco Secure VPN (CSVPN®) 9E0-121 - Version 6.0


21certify.com














Cisco:

Cisco® Secure VPN (CSVPN®)


9E0-121



Version 6.0

Jun. 17th, 2003















Study Tips
This product will provide you with questions and answers along with detailed explanations
carefully compiled and written by our experts. Try to understand the concepts behind
the questions instead of cramming the questions. Go through the entire document at
least twice so that you make sure that you are not missing anything.
Latest Version
We are constantly reviewing our products. New material is added and old material is
revised. Free updates are available for 365 days after the purchase. You should check
the products page on the www.21certify.com web site for an update 3-4 days before the
scheduled exam date.


Important Note:
Please Read Carefully


This 21certify Exam has been carefully written and compiled by 21certify Exams experts. It is
designed to help you learn the concepts behind the questions rather than be a strict memorization tool.
Repeated readings will increase your comprehension.

We continually add to and update our 21certify Exams with new questions, so check that you have the
latest version of this 21certify Exam right before you take your exam.

For security purposes, each PDF file is encrypted with a unique serial number associated with your
21certify Exams account information. In accordance with International Copyright Law, 21certify
Exams reserves the right to take legal action against you should we find that copies of this PDF file have
been distributed to other parties.

Please tell us what you think of this 21certify Exam. We appreciate both positive and critical
comments as your feedback helps us improve future versions.

We thank you for buying our 21certify Exams and look forward to supplying you with all your
Certification training needs.

Good studying!

21certify Exams Technical and Support Team

Note 1: Section A contains 93 questions. Section B contains 126 questions. Section C contains 171 questions. The total number of questions is 390.
Note 2: First customer, if any, to beat 21certify in providing answers to the unanswered questions will receive a free 21certify product. Send answers to

Section A
Q.1 If the central Concentrator is configured for interactive unit authentication, a VPN 3002 will prompt for
username/password before establishing a tunnel. In how many ways can you make a VPN 3002 prompt for
the username/password?
A. 1
B. 5
C. 4
D. 2
E. 3
Answer: E

Q.2 Performing Quick configuration on a VPN 3002 Hardware, under “Private Interface”
what options are available to the administrator? (Choose all that apply)

A. Do not use the DHCP server to provide address.
B. Do you want to use DHCP server on Interface 1 to provide addresses for the local LAN?
C. Do not use DHCP client to request address.
D. Do you want to use DHCP client to request addresses for the local LAN?
Answer: A, B
Q.3 A VPN 3000 Concentrator is configured for Optional as Firewall Setting and the expected Firewall is
set to ICE BlackICE Defender. A client connects without any Firewall.
A. The tunnel will establish as normal.
B. There is no optional firewall setting in the AYT configuration on a Cisco 3000
Concentrator.
C. All answers are incorrect.
D. The tunnel will establish, AYT will fail, the tunnel will be removed and the client will get disconnected.
E. The Tunnel will establish, but the administrator will receive a notification message that the client did
not match any of the Concentrator’s configured firewalls.
Answer: C
Q.4 Trojan horses fall into which of the following methods?
A. Denial of Service Methods
B. Reconnaissance Methods
C. Stealth Methods
D. Access Methods
Answer: D
Q.5 What are the two purposes of X.509 certificate serial numbers?
A. It is a unique certificate numerical identifier in the certificate authority domain.
B. It identifies the certificate authority public key and hashing algorithm.
C. Includes subject’s public key and hashing algorithm.
D. It is the number used to identify certificates in CRLs.
E. It specifies start and expiration dates on the certificate.
Answer: A, D
Q.6 Which of the following statements is true in defining RSA signature system?
A. An RSA signature is formed when data is encrypted with a user’s private key and the receiver verifies the
signature by decrypting the message with the sender’s private key.
B. An RSA signature is formed when data is encrypted with a user’s public key and the receiver verifies the
signature by decrypting the message with the sender’s private key.
C. An RSA signature is formed when data is encrypted with a user’s private key and the receiver verifies the
signature by decrypting the message with the sender’s public key.
D. An RSA signature is formed when data is encrypted with a user’s public key and the receiver verifies the
signature by decrypting the message with the sender’s public key.
Answer: C
Q.7 Which model of the VPN 3000 Concentrator matches the following descriptions:
- 256 MB of SRAM
- Hardware Based Encryption
- Programmable DSP-based security accelerator
- Supports up to 5000 simultaneous remote connections
A. Model 3080
B. Model 3015
C. Model 3060
D. Model 3030
Answer: C
Q.8 Each IPSec peer has how many keys?
A. 3
B. It depends
C. 4
D. 2
Answer: A
Q.9 VPN is the most cost-effective method of establishing a point-to-point connection between remote users
and the enterprise network. Cisco categorizes VPN in three types: (Choose three)
A. Hybrid VPN
B. Access VPN
C. Extranet VPN
D. Direct VPN
E. Intranet VPN
Q.10 To troubleshoot SCEP enrollment, the administrator should scrutinize what event class in the event
log?
A. IKE
B. IPSec
C. SCEP
D. Cert

Answer: D
Q.11 If the LAN-to-LAN tunnel is not established, which three IPSec LAN-to-LAN configuration
parameters should the administrator verify at both ends of the tunnel? (Choose three)
A. Name
B. Pre-shared key
C. Authentication
D. Routing
E. Local network IP address
F. Remote network IP address
Answer: B, E, F
Q.12 Which statement about the Cisco VPN client software update is true?
A. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client
automatically downloads a new version of code from a configured web site.
B. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the remote Cisco VPN Client
automatically downloads a new version of code from a TFTP server.
C. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator
automatically downloads a new version of the software.
D. As a remote Cisco VPN Client connects to the Cisco VPN Concentrator, the Cisco VPN Concentrator only
sends an update notification to the remote Cisco VPN client.

Q.13 To clear the ARP cache on a Cisco VPN Concentrator, which status screen should the administrator
access?
A. Monitor | Routing Table
B. Monitor | ARP cache
C. Monitor | Statistics | MIB-II
D. Monitor | System Statistics

Answer: C
Q.14 When first installing the Cisco VPN Concentrator, why should you use CLI?
A. To configure the Cisco VPN Concentrator.
B. To configure the private LAN port.
C. To connect to the Internet.
D. To configure serial ports.
Answer: B
Q.15 Choose the two ways an administrator can set up user authentication and IP address assignment.
(Choose two)
A. Per user
B. Per domain
C. Per Cisco VPN Concentrator (globally)
D. Per group
E. Per network
F. Per server
Answer: C, D
Q.16
A. Are you there
B. Authentication proxy
C. Stateful firewall (always on)
D. Content filtering
E. Central protection policy
F. Stateful failover
Answer: A, C, E
Q.17 How can you monitor IPSec sessions on the Cisco VPN Client?
A. Monitor-Screen | Encryption
B. Cisco VPN Client Connection Status window

C. Monitor-Sessions screen
D. Monitor-Routing table
Answer: B

Q.18 For the Cisco VPN Concentrator, what are the two types of certificate enrollment?
(Choose two)

A. File-based enrollment process
B. SCEP
C. PKCS#15 enrollment process
D. Automated enrollment process
E. Out-of-band enrollment process
F. Certified enrollment process
Answer: A, B
Q.19 When the IPSec client-to-LAN applications are changed from pre-shared keys to digital certificates,
what is true about the IPSec SA?
A. SA IKE authentication method should be changed.
B. SAP IPSec authentication method should be changed.
C. When the digital certificate is validated, the IPSec SA template automatically is updated.
D. When the digital certificate is activated, the IPSec SA template is automatically updated.
Answer: A
Q.20 How did Cisco solve the PAT translation issue?
A. Wrap a standard IKE packet with a UDP port number.
B. Wrap a standard IPSec packet with a UDP port number.
C. Change the IKE TCP port number from a well known to a dynamically assigned port number.
D. Change the IPSec TCP port number from a well known to a dynamically assigned port number.

Answer: B
Q.21 How is user authentication enabled on the Cisco VPN 3002?
A. Checked on the Cisco VPN Concentrator and pushed down to the Cisco VPN 3002.
B. Unchecked on the Cisco VPN Concentrator and pushed down to the Cisco VPN 3002.
C. Checked on the Cisco VPN 3002.
D. Unchecked on the Cisco VPN 3002.
Answer: A
Q.22 What are the three steps in the auto-update configuration process? (Choose three)
A. Enable the client update functionality in the Cisco VPN 3002.
B. Enable the client update functionality in the Cisco VPN Concentrator.
C. Modify the group-client, auto-update parameter.
D. Configure the IKE auto-update message parameters.
E. Send an update message.
F. Configure the IPSec auto-update message parameters.
Answer: B, C, E
Q.23 When two adjacent Cisco VPN Concentrators are configured for VRRP and the
master Cisco VPN Concentrator fails, which statement is true?
A. All sessions are lost.
B. Only remote access users need to re-establish their tunnels.
C. No sessions are lost.
D. Only site-to-site users need to re-establish their tunnels.
Answer: B
Q.24 Which Cisco IOS VPN feature allows the sender to encrypt packets before transmitting them across a
network?
A. Anti-replay
B. Data confidentiality
C. Data integrity

D. Data original authentication
Answer: B
Q.25 How is data authentication achieved?
A. Using DES
B. Using ESP
C. Using MD5
D. Using 3DES
Answer: C
Q.26 What is the name of the application that must be added to the Concentrator to perform load
balancing?
A. Virtual Termination Point (VTP)
B. Virtual Designated Concentrator (VDC)
C. Virtual Cluster Agent (VCA)
D. Virtual Access Point (VAP)
Answer: C
Q.27 On a VPN 3002 hardware, what are the three levels of GUI Access rights? (Choose three)
A. Admin
B. Config
C. Monitor
D. Power on /Shut down
E. Power
F. Test
Answer: A, B, C
Q.28 Configuring a firewall policy:
A. New filters are added to rules.
B. Unlike ACLs that have an implicit any all at the end of their statements, Filters do not have an implicit deny all.
C. New rules are added to filters.
D. Like ACLs that have an implicit deny all at the end of their statements, Filters also have an implicit deny all.
Answer: B, C
Q.29 An intruder ping sweeps a network and notes the responding nodes. Cisco classifies this type of attack
as:
A. Reconnaissance
B. Access
C. Malicious ping
D. Scooping
E. Denial of Service
Q.30 After you issue the “crypto ca enroll”, you are prompted to create a challenge password.
Why should you remember this password?

A. Because it is required if you intend to generate multiple certificates.
B. Because if you ever try to reboot, you will be prompted for this password.
C. Because it is required to generate RSA key pairs.
D. You must supply this challenge password if you ever ask the CA to revoke your certificate.
Answer: D
Q.31 You have received a brand new VPN 3030 Concentrator from Cisco. You power it on, console to it
from your laptop and configure the Private LAN port with your network's IP address as 172.29.10.44. Later,
you ping the Concentrator and you get a successful response. You make sure that your system
administration tasks and network permit a cleartext connection between the VPN Concentrator and your
browser. Then you inform your infamous MIS Director and give him the IP address, the Login name as
“admin” and the password as “admin”. The Director points his browser to http://www.172.29.10.44
What will happen next?

A. The browser will open but the login will fail because of wrong password.
B. The browser will open with the “VPN 3000 Concentrator Series Manager” GUI and ask for the
username and password.
C. The browser will fail and say “The page can not be displayed”.
D. The browser will open but the log in will fail because of wrong Login.
Answer: C

Q.32 IKE protocol supports multiple authentication methods during the phase one exchange.
The two entities must agree on a common authentication protocol through a negotiation
process.
In how many ways can IKE phase one authenticate IPSec peers?

A. 2
B. 3
C. 4
D. It varies
Answer: B
Q.33 At what layer of the OSI model does the IPSec work?
A. Layer 2
B. Transportation
C. Session
D. Application
E. Network
Answer: E
Q.34 In the top section of the IPSec LAN-to-LAN screen, what is the peer value?
A. System name of the remote Cisco VPN Concentrator.

B. Internal IP address of the remote Cisco VPN Concentrator.
C. Public Interface IP address of the remote peer.
D. Private interface IP address of the remote peer.
Answer: C
Q.35 What are three steps in the file-based certificate enrollment process? (Choose three)
A. The identity certificate is loaded into the Cisco VPN Concentrator first.
B. The CA generates the root and identity certificates.
C. The root certificate is loaded into the Cisco VPN Concentrator second.
D. The root certificate is loaded into the Cisco VPN Concentrator first.
E. Cisco VPN Concentrator generates a PKCS#7.
F. The Cisco VPN Concentrator generates a PKCS#10.
Answer: B, D, F

Q.36 For connection 3 of the firewall policy chart, choose the action and IP addresses.
A. action drop, destination address, any
B. action forward, destination address, any
C. action forward, destination address, www.cisco.com
D. action drop, destination address, www.cisco.com
Answer: B
Q.37 Which of the firewalls supports Cisco Central Policy Protection?
A. Symantec
B. Zone Labs
C. Cyberguard
D. Network Ice BlackICE defender
Answer: B
Q.38 What are two types of certificates in a central CA environment? (Choose two)

A. Public key certificate
B. Root certificate
C. Private key certificate
D. Certificate of authority
E. Identity certificate
F. Signature certificate
Answer: B, E
Q.39 When should you change the administration password?
A. Immediately upon installation.
B. At least weekly.
C. When the system crashes.
D. Every time someone leaves the company.
Answer: A
Q.40 When a VPN 3002 is configured to establish a tunnel to a load balancing cluster, what IP address
should the administrator put in the VPN 3002 remote server field?
A. Cluster’s virtual IP address.
B. Master the Cisco VPN Concentrator’s public interface IP address.
C. Master the Cisco VPN Concentrator’s private interface IP address.
D. Load balancing server’s virtual IP address.
Answer: A
Q.41 Which VCA filter statement is true?
A. VCA filter must be enabled on the Cisco VPN Concentrator’s private interface.
B. VCA filter must be enabled on the Cisco VPN Concentrator public interface.
C. VCA filter must be enabled on both Cisco VPN Concentrator interfaces.
D. VCA filter is optional.
Answer: C

Q.42 For the Cisco VPN Client to interoperate with the Cisco VPN 3000, what is the minimum version of
the Cisco VPN 3000?

A. 2.5
B. 2.6
C. 3.0
D. 3.1
Answer: C
Q.43 If the VPN is owned and managed by the corporate security, which product would you choose?
A. PIX Firewall 515
B. 2900
C. 3030
D. 3660
Answer: A
Q.44 How many simultaneous sessions can a Cisco VPN 3030 support?
A. 100
B. 1000
C. 1500
D. 5000
Answer: C
Q.45 The Backup Server feature can be configured on VPN 3002, as well as on the Concentrator. Which of
the following statements are true?
A. In the backup server window of VPN 3002 you can define up to 10 backup servers.
B. The list of backup servers defined on VPN 3002 will not be overwritten if the Concentrator sends a
backup server list to the VPN 3002.
C. The list of backup servers defined on VPN 3002 will be overwritten if the
Concentrator sends a backup server list to the VPN 3002.

D. In the backup server window of VPN 3002 you can define up to 6 backup servers.
Answer: A
Q.46 In VPN 3002, what are the two modes of operation? (Choose two)
A. Transparent
B. Network Extended Mode
C. Standard Mode
D. Network Extension Mode
E. Client Mode
Answer: D, E
Q.47 When installing Cisco VPN client, why are you urged to uninstall the older version?
A. Otherwise two identical icons in the system taskbar are created.
B. Otherwise you will be prompted to select the version whenever you launch the program.
C. Otherwise it will cause blue screen of death under Windows NT.
D. Otherwise the new version will be corrupted.
Answer: A, D
Q.48 How do you configure users and groups on the Cisco VPN 3000 Concentrator Series as recommended
by Cisco?
A. First the groups; second, the specific groups; and third, the users.
B. First the specific groups; second, the groups; and third, the users.
C. First the users; second, the groups; and third, the specific groups.
D. First the users; second, the specific groups; and third, the groups.
Answer: A
Q.49
A. With ESP in tunnel mode and encryption selected, the entire original IP datagram is encrypted.

B. With ESP in tunnel mode and encryption selected, only the data is encrypted.
C. When both authentication and encryption are selected under ESP, encryption is
performed before authentication.
D. When both authentication and encryption are selected under ESP, authentication is performed before
encryption.
Answer: A, C
Q.50 The top section of the IPSec LAN-to-LAN screen enables the administrator to configure what section
of the LAN-to-LAN tunnel?
A. Tunnel information
B. Local private network
C. Remote private network
D. Cisco VPN Concentrator endpoint information
Answer: A
Q.51 When loading a Cisco VPN Concentrator certificate, why MUST the root certificate be loaded into
the Cisco VPN Concentrator first?
A. To validate the identity certificate.
B. To generate the identity certificate.
C. To be downloaded to the PC.
D. To generate a root certificate.
Answer: A
Q.52 Which firewall is supported by the Cisco VPN Client are you there feature?
A. Cisco Integrated Client firewall
B. Cyberguard
C. Zone Labs
D. Symantec

Answer: C
Q.53 Which data is shown on the Monitor Sessions screen? (Choose three)
A. Session summary
B. LAN-to-LAN sessions
C. Tunnel summary
D. Client tunnels
E. Site-to-site tunnels
F. Remote access sessions
Answer: A, B, F
Q.54 Which statement is true of the Cisco VPN 3002 port address translation?
A. The administrator can disable PAT when the default private interface address is changed.
B. PAT is always enabled on the Cisco VPN 3002 public interface.
C. PAT status is configured on the Cisco VPN Concentrator and then pushed to the Cisco VPN 3002 during
tunnel establishment.
D. The Cisco VPN 3002 does not support PAT.
Answer: A
Q.55 What does the backup server feature enable the Cisco VPN 3002 to access?
A. Backup DHCP server
B. Backup Cisco VPN Concentrator
C. Backup authentication server
D. Backup certificate server
Answer: B
Q.56
A. Uses aggressive mode.
B. Uses main mode.
C. Optionally performs an additional DH exchange.
D. Verifies the other side’s identity.
E. Periodically renegotiates IPSec SAs to ensure security.
F. Negotiates IPSec SA parameters protected by an existing IKE SA.
Answer: C, E, F
Q.57 Which feature is supported on the Cisco VPN 3005?
A. It supports up to 3 network ports.
B. It supports up to 100 sessions
C. Its hardware is upgradeable.
D. 64 MB of memory is standard.
Answer: B
Q.58 The user behind VPN 3002 is an IP phone and the administrator of the central Concentrator has
configured the VPN 3002 for User Authentication. What will happen to the IP phone if it tries to call the
corporate office?
A. IP phones are not allowed behind VPN 3002.
B. IP phones are exception to the rule.
C. IP phone should be authenticated for each call.
D. User authentication is not allowed when IP phones exist behind the 3002 hardware.
Answer: B
Q.59 The applications associated with Internet solutions are provided by Cisco AVVID which enables
enterprise customers to move their traditional business models to Internet business models.
A. True
B. False

Q.60 When preparing for IPSec which command ensures basic connectivity has been achieved between
IPSec peers before configuring IPSec?
A. show access list
B. show crypto map
C. tracert
D. ping
Answer: D
Q.61 IPSec uses this method to track all the particulars concerning a given IPSec communication session.
A. What is Transform Set.
B. What is Security Association.
C. What is CA.
D. What is Internet Key Exchange.
Answer: B
Q.62 Which feature allows an administrator to edit the reachable subnets at both ends of the LAN-to-LAN
tunnel?
A. Network auto-discovery
B. Cisco VPN configuration tool
C. Network lists
D. LAN-to-LAN wizard
Answer: C
Q.63 What are two reasons for revoking a certificate? (Choose two)
A. Invalid time
B. Change of association
C. Compromised security
D. Invalid date
E. Invalid signature
Answer: B, C
Q.64 Which reboot option shuts down the Cisco VPN 3000 Concentrator, terminates all sessions, and
prevents new user sessions?
A. Cancel a scheduled reboot.
B. Shutdown without automatic reboot.
C. Reboot without saving the active configuration.
D. Save the active configuration at time of reboot.
Answer: B
Q.65 Which three are supported user authentication types? (Choose three)
A. NT Domain
B. Radius
C. AES
D. SDI
E. TACACS+
F. Entrust
Answer: A, B, D
Q.66 When configuring address assignments, which method uses the Cisco VPN 300 Concentrator to assign
IP addresses from an internal pool?
A. Remote client pool
B. Per-user
C. Configured pool
D. DHCP pool

Q.67 Which is a correct way to enter an auto-update URL?
A. http://10.0.1.10/vpn3002-3.5.Rel-k9.bin
B. http://10.0.1.10/vpn3002-3.5.rel-k9.bin
C. tftp://10.0.1.10/vpn3002-3.5.Rel-k9.bin
D. ftp://10.0.1.10/vpn3002-3.5.Rel-k9.bin
Answer: C
Q.68 What is the default configuration of the Cisco VPN 3002 public interface?
A. DHCP server is enabled.
B. DHCP client is enabled.
C. Static IP address of 192.168.10.1
D. No configuration.

Answer: B
Q.69 Which three computer systems allow the Cisco VPN Client to use secure, reliable tunnel connections
to a host network? (Choose three)
A. Solaris
B. Linux
C. Novell
D. Windows
E. HP-UX
F. IBM AIX
Answer: A, B, D
Q.70 When configuring a VPN 3002 hardware, the GUI asks “Do you want to configure the IP
address of the Private interface” and you answer “no”.
What will happen next?

A. You may choose between client mode and network extension mode, depending on your choice of PAT.
B. There is no such question in the confirmation process.
C. You are locked into the client mode.
D. You are locked into network extension mode.
Answer: C
Q.71 Which Diffie-Hellman group offers the highest level of security?
A. D-H Group 1
B. SHA-1
C. DES
D. 3DES
E. D-H Group 3
F. D-H Group 2

Answer: F
Q.72 Which of the following statements is not true regarding IKE phase one:
A. Main mode is more secure than the aggressive mode.
B. Phase one can occur in two modes: main mode & aggressive mode.
C. Sets up a secure tunnel to negotiate IKE phase II parameters.
D. By default, Cisco products use aggressive mode to initiate an IKE exchange.
Answer: D
Q.73 Where can an administrator verify that the LAN-to-LAN tunnel was established?
A. View | IPSec Tunnels
B. Monitor | Tunnels
C. Monitor | Systems
D. Administration | Sessions

Q.74 Choose three parameters sent from the Cisco VPN Concentrator to the remote Cisco VPN Client
during tunnel establishment. (Choose three)
A. Group name
B. Primary DNS address
C. Access priority
D. Split tunnel policy
E. Cisco VPN Client IP address
F. Access priority level
Answer: B, D, E
Q.75 Which three tasks are required to add to the ACL? (Choose three)
A. Assign IP mask
B. Set session limit
C. Enable the IP address

D. Assign IP address
E. Set session timeout
F. Assign access group
Answer: A, D, F
Q.76 When the Cisco VPN 3002 is fully configured in client mode, what is the default status of the VPN
tunnel?
A. The tunnel is up automatically.
B. The tunnel must be manually initiated via the Monitoring-tunnel status screen.
C. The tunnel must be manually initiated via the Monitoring-system status screen.
D. The manual and automatic modes are defined on the Cisco VPN Concentrator and then pushed to the
Cisco VPN 3002 during tunnel establishment.
Answer: C
Q.77 What does IPSec do at the network layer?
A. Enables Cisco VPN.
B. Generates a private DH key.
C. Encrypts traffic between secure IPSec gateways.
D. Protects and authenticates IP packets between IPSec devices.
Answer: D
Q.78 You have just received a brand new VPN 3002 Hardware from Cisco. You need to gain access to its
VPN 3002 manager. What command will you enter at the browser?
A. http://192.168.10.1:8080
B. http://192.168.10.1

C. https://192.168.10.1
D. https://192.168.19.1:8080
E. http://192.168.1.1
F. http://192.168.1.1
Answer: B
Q.79 You are asked to choose between Authentication Header (AH) and Encapsulating Security Payload
(ESP) as an IPSec protocol. You need to make sure that data from an authenticated source is transferred
with integrity. Confidentiality is not an issue. Which protocol would you choose?
A. None
B. AH
C. Both
D. ESP
Answer: B
Q.80
A. User name
B. Validity dates
C. Private key
D. Issuer’s name
E. CA signature algorithm
F. User’s private key information
Answer: B, D, E
Q.81 What are the two RRI features supported by the Cisco VPN Concentrator? (Choose two)
A. Tunnel mode RRI
B. Transport mode RRI
C. Client RRI
D. Network extension RRI

E. LAN extension RRI
F. Cisco VPN Concentrator RRI
Answer: C, D
Q.82 What type of keys do DES and 3DES require for encryption and decryption?
A. Elliptical curve keys
B. Exponentiation keys
C. Symmetrical keys
D. Asymmetrical keys
Answer: C
Q.83 Which of the following is not one of the tasks that a security policy needs to accomplish?
A. Identify the resources that need to be protected.
B. Identify the organization's security objectives.
C. Identify the network infrastructure.
D. Document the Hierarchy and the organizational chart.
E. Document the resources to be protected.
Answer: D
Q.84 In the local network section of the IPSec LAN-to-LAN screen, what IP address is entered in the IP
address field?
A. Network, subnet, and host IP address of the remote Cisco VPN Concentrator’s private interface.
B. Network and subnet IP address of the remote private LAN.
C. Network, subnet, and host IP address of the local Cisco VPN Concentrator’s private interface.
D. Network and subnet IP address of the local private LAN.
Answer: D
Q.85 Exhibit:

For connection 2 of the firewall policy chart, choose the action and IP addresses.

A. action drop, source and destination address, 10.0.1.0
B. action forward, source and destination address, 10.0.1.0
C. action forward, source and destination address, 10.0.1.10
D. action drop, source and destination address, 10.0.1.10

Q.86 When configuring the Cisco VPN Client for IPSec over TCP, which statement is true?
A. There is no configuration because the information is pushed down to the Cisco VPN Client.
B. There is no configuration needed because the feature is enabled by default.
C. IPSec over TCP must be enabled on the Cisco VPN Client.
D. IPSec over TCP and a TCP port number must be configured on the Cisco VPN Client.
Answer: D
