Which of the following can be done to resolve this problem?

After implementing the IKEv2 tunnel, it was observed that remote users on the
192.168.33.0/24 network are unable to access the internet. Which of the following can be done
to resolve this problem?

A. Change the Diffie-Hellman group on the headquarters ASA to group 5 for the dynamic crypto map

B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24

C. Change to an IKEv1 configuration since IKEv2 does not support a full tunnel with static peers

D. Change the local traffic selector on the headquarters ASA to 0.0.0.0/0

E. Change the remote traffic selector on the headquarters ASA to 0.0.0.0/0

Explanation:
The traffic selector is used to determine which traffic should be protected (encrypted over the
IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the
tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from
192.168.33.0/24 to 192.168.22.0/24.




Grzeg

We need to secure ALL traffic so the answer is D as getribica commented already.

Ace

I think the question is poorly worded. If they were expecting us to choose answer B, then the scenario context about tunneling all traffic should be removed or negated. As the question is worded, I think Grzeg is correct. However, checking other internet sources, it appears they expect us to answer B.

Choppy

“All traffic from the remote site must be sent over the tunnel including internet traffic.”

This would make answer D a valid answer; B wouldn’t allow internet traffic to go over the tunnel.

Torron

Who already gave the exam? What is the right answer?

Łukasz Stefan

New 300-209 Exam Questions and Answers Updated Recently (4/July/2017):

NEW QUESTION 293
A company has a FlexVPN solution for remote access and one of their Cisco AnyConnect remote clients is having trouble connecting properly. Which command verifies that packets are being encrypted and decrypted?

A. show crypto session active
B. show crypto ikev2 stats
C. show crypto ikev1 sa
D. show crypto ikev2 sa
E. show crypto session detail

Answer: E

NEW QUESTION 294
Refer to the exhibit, which result of this command is true?

A. Makes the router generate a certificate signing request
B. Generates an RSA key called TRIALFOUR
C. It displays the RSA public keys of the router
D. It specifies self-signed enrollment for a trust point

Answer: A

NEW QUESTION 295
An engineer is attempting to establish a new site-to-site VPN connection. The tunnel terminates on an ASA 5506-X which is behind an ASA 5515-X. The engineer notices that the tunnel is not establishing. Which option is a potential cause?

A. Certificates were not configured
B. Diffie-Hellman group is not set
C. Access lists were not applied
D. NAT-traversal is not configured

Answer: D

NEW QUESTION 296
Which algorithm does ISAKMP use to securely derive encryption and integrity keys?

A. Diffie-Hellman
B. AES
C. ECDSA
D. RSA
E. 3DES

Answer: D

NEW QUESTION 297
Which purpose of configuring Perfect Forward Secrecy is true?

A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 2 keys.
B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 1 keys.
C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 1 keys.
D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 2 keys.

Answer: A

NEW QUESTION 298
An engineer has successfully established a phase 1 tunnel, but notices that no packets are decrypted on the head end side of the tunnel. What is a potential cause for this issue?

A. different phase 2 encryption
B. misconfigured DH group
C. disabled PFS
D. firewall blocking Phase 2 ESP or AH

Answer: A

NEW QUESTION 299
Which option describes traffic that will initiate a VPN connection?

A. trusted
B. external
C. internal
D. interesting

Answer: D

NEW QUESTION 300
……

P.S. These New 300-209 Exam Questions Were Just Updated From The Real 300-209 Exam, You Can Get The Newest 300-209 Dumps In PDF And VCE From — http://www.passleader.com/300-209.html (307q VCE and PDF)

Good Luck!