This post is about questions and answers for the CCNA Security Chapter 8 Test. I took this test on 14th June 2012. This CCNA Security Chapter 8 test is using CCNAS v1.1. So I would like to share the new questions and the answers I chose. Just to be clear, for this test I only got 90%. It's not a 100% solution. If you have a better answer or new questions, please do share by leaving your comment so I can improve this post's answers for the benefit of all of us.

Updated: 100% Correct.

1. Refer to the exhibit. Based on the CCP screen that is shown, which two conclusions can be drawn about the IKE policy that is being configured? (Choose two.)
- It will use digital certificates for authentication.
- It will use a predefined key for authentication.
- It will use a very strong encryption algorithm. (Original answer, Confirmed by Xase)
- It will be the default policy with the highest priority.
- It is being created using the CCP VPN Quick Setup Wizard. (Andys answer)

2. A network administrator is planning to implement centralized management of Cisco VPN devices to simplify VPN deployment for remote offices and teleworkers. Which Cisco IOS feature would provide this solution?
- Cisco Easy VPN
- Cisco VPN Client
- Cisco IOS SSL VPN
- Dynamic Multipoint VPN

3. Which statement describes an important characteristic of a site-to-site VPN?
- It must be statically set up.
- It is ideally suited for use by mobile workers.
- It requires using a VPN client on the host PC.
- It is commonly implemented over dialup and cable modem networks.
- After the initial connection is established, it can dynamically change connection information.

4. With the Cisco Easy VPN feature, which process ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client?
- Cisco Express Forwarding
- Network Access Control
- On-Demand Routing
- Reverse Path Forwarding
- Reverse Route Injection

5. Which two authentication methods can be configured when using the CCP Site-to-Site VPN wizard? (Choose two.)
- MD5
- SHA
- pre-shared keys
- encrypted nonces
- digital certificates

6. Which UDP port must be permitted on any IP interface used to exchange IKE information between security gateways?
- 400
- 500
- 600
- 700

7. When verifying IPsec configurations, which show command displays the encryption algorithm, hash algorithm, authentication method, and Diffie-Hellman group configured, as well as default settings?
- show crypto map
- show crypto ipsec sa
- show crypto isakmp policy
- show crypto ipsec transform-set

8. Refer to the exhibit. A site-to-site VPN is required from R1 to R3. The administrator is using the CCP Site-to-Site VPN wizard on R1. Which IP address should the administrator enter in the highlighted field?
- 10.1.1.1
- 10.1.1.2
- 10.2.2.1
- 10.2.2.2
- 192.168.1.1
- 192.168.3.1

9. A user launches Cisco VPN Client software to connect remotely to a VPN service. What does the user select before entering the username and password?
- the SSL connection type
- the IKE negotiation process
- the desired preconfigured VPN server site
- the Cisco Encryption Technology to be applied

10. What is the default IKE policy value for encryption?
- 128-bit AES
- 192-bit AES
- 256-bit AES
- 3DES (Original answer)
- DES (Corrected by Ja Shin)

11. Refer to the exhibit. Which two IPsec framework components are valid options when configuring an IPsec VPN on a Cisco ISR router? (Choose two.)
- Integrity options include MD5 and RSA.
- IPsec protocol options include GRE and AH.
- Confidentiality options include DES, 3DES, and AES.
- Authentication options include pre-shared key and SHA.
- Diffie-Hellman options include DH1, DH2, and DH5.

12. Refer to the exhibit. Based on the CCP settings that are shown, which Easy VPN Server component is being configured?
- group policy
- transform set
- IKE proposal
- user authentication

13. Which action do IPsec peers take during the IKE Phase 2 exchange?
- exchange of DH keys
- negotiation of IPsec policy
- verification of peer identity
- negotiation of IKE policy sets

14. When configuring an IPsec VPN, what is used to define the traffic that is sent through the IPsec tunnel and protected by the IPsec process?
- crypto map
- crypto ACL (Corrected by Ja Shin)
- ISAKMP policy (Original answer)
- IPsec transform set

15. What is required for a host to use an SSL VPN to connect to a remote network device?
- VPN client software must be installed.
- A site-to-site VPN must be preconfigured.
- A web browser must be installed on the host.
- The host must be connected to a wired network.

16. What are two benefits of an SSL VPN? (Choose two.)
- It supports all client/server applications.
- It supports the same level of cryptographic security as an IPsec VPN.
- It has the option of only requiring an SSL-enabled web browser.
- The thin client mode functions without requiring any downloads or software.
- It is compatible with DMVPNs, Cisco IOS Firewall, IPsec, IPS, Cisco Easy VPN, and NAT.

17. When using ESP tunnel mode, which portion of the packet is not authenticated?
- ESP header
- ESP trailer
- new IP header
- original IP header

18. How many bytes of overhead are added to each IP packet while it is transported through a GRE tunnel?
- 8
- 16
- 24
- 32

19. Which two statements accurately describe characteristics of IPsec? (Choose two.)
- IPsec works at the application layer and protects all application data.
- IPsec works at the transport layer and protects data at the network layer.
- IPsec works at the network layer and operates over all Layer 2 protocols.
- IPsec is a framework of proprietary standards that depend on Cisco specific algorithms.
- IPsec is a framework of standards developed by Cisco that relies on OSI algorithms.
- IPsec is a framework of open standards that relies on existing algorithms.

20. Refer to the exhibit. A network administrator is troubleshooting a GRE VPN tunnel between R1 and R2. Assuming the R2 GRE configuration is correct and based on the running configuration of R1, what must the administrator do to fix the problem?
- Change the tunnel source interface to Fa0/0.
- Change the tunnel destination to 192.168.5.1.
- Change the tunnel IP address to 192.168.3.1.
- Change the tunnel destination to 209.165.200.225.
- Change the tunnel IP address to 209.165.201.1.

Again, this CCNA Security Chapter 8 answer is not 100% correct. I only got 90% from this answer. So, if you have a better answer or new questions, please share. I'll improve this post based on the correction you provide. Thank you.
