[Free] Download New Updated (December) Cisco 640-554 Exam Questions 161-170

By | December 12, 2015



Which option describes the purpose of Diffie-Hellman?



A. used between the initiator and the responder to establish a basic security policy

B. used to verify the identity of the peer

C. used for asymmetric public key encryption

D. used to establish a symmetric shared key via a public key exchange process


Correct Answer: D




D-H Group

Diffie-Hellman (D-H) Group. Diffie-Hellman is a public-key protocol that lets two peers establish a shared secret over an unsecured channel without ever transmitting that secret. The group selects the size of the modulus, which determines both how hard the exchange is to break and how long it takes to compute. The options are as follows:

group1–768-bit D-H Group. D-H Group 1.

group2–1024-bit D-H Group. D-H Group 2. This group provides more security than group 1, but requires more processing time.

group5–1536-bit D-H Group. D-H Group 5. This group provides more security than group 2, but requires more processing time.

Groups 1 and 2 are below today's minimum key strength; where the platform supports it, configure group 14 (2048-bit) or stronger.


If your router does not support group5, it will not appear in the list.

Easy VPN servers do not support D-H Group 1.




Which three statements about the IPsec ESP modes of operation are true? (Choose three.)



A. Tunnel mode is used between a host and a security gateway.

B. Tunnel mode is used between two security gateways.

C. Tunnel mode only encrypts and authenticates the data.

D. Transport mode authenticates the IP header.

E. Transport mode leaves the original IP header in the clear.


Correct Answer: ABE


http://www.cisco.com/en/US/docs/net_mgmt/vpn_solutions_center/2.0/ip_security/provisioning/guide/IPsecPG1.html


The Encapsulating Security Payload (ESP)

The Encapsulating Security Payload (ESP) contains six parts as described below, plus an Integrity Check Value (ICV) at the end of the packet when authentication is used. The first two parts are not encrypted, but they are authenticated. Those parts are as follows:

The Security Parameter Index (SPI) is an arbitrary 32-bit number that tells the receiving device which security association (SA) the sender is using, that is, which algorithms and keys to apply and how long those keys remain valid.

The Sequence Number is a counter that is incremented by 1 for each packet sent on the same SA (same destination and same SPI). The sequence number identifies each packet and indicates how many packets have been sent with the same set of parameters. It also protects against replay attacks, provided the receiver keeps an anti-replay window and rejects sequence numbers it has already accepted or that fall behind the window.

Replay attacks involve an attacker who records a legitimate packet and re-injects it later, out of sequence, to confuse the communicating devices or to repeat whatever action the packet triggered.

The remaining four parts of the ESP are all encrypted during transmission across the network. Those parts are as follows:

The Payload Data is the actual data that is carried by the packet.

The Padding, from 0 to 255 bytes, exists because block ciphers require the plaintext to be a multiple of their block size. The padding also ensures that the Pad Length and Next Header fields end on a four-byte boundary, which ESP requires regardless of the cipher.

The Pad Length field specifies how much of the encrypted part is padding rather than data.

The Next Header field, like a standard IP Next Header field, identifies the type of data carried and the protocol.

When authentication is enabled, the ICV follows the encrypted part. It is computed over the SPI, the sequence number and the encrypted data, so it is neither encrypted nor covered by itself; the receiver verifies it before decrypting anything.

The ESP is added after a standard IP header. Because the packet has a standard IP header, the network can route it with standard IP devices. As a result, IPsec is backwards-compatible with IP routers and other equipment even if that equipment isn’t designed to use IPsec. ESP can carry any negotiated encryption algorithm, and a different algorithm can be negotiated with each peer. The original ESP specification (RFC 2406) mandated DES-CBC as the default cipher to ensure minimal interoperability; DES has long been considered broken and current guidance (RFC 8221) prohibits it, so modern deployments use AES. ESP’s encryption capability is designed for symmetric encryption algorithms. IPsec employs asymmetric algorithms for such specialized purposes as negotiating keys for symmetric encryption.


Tunneling with ESP

Tunneling takes an original IP packet, header included, and encapsulates it within the ESP. Then, it adds a new IP header containing the address of a gateway device to the packet. Tunneling allows a user to send packets with private, non-routable addresses through a public network (like the Internet) that otherwise would not forward them. Tunneling with ESP offers the advantage of hiding original source and destination addresses from users on the public network. Hiding these addresses reduces the power of traffic analysis attacks. A traffic analysis attack employs network monitoring techniques to determine how much data and what type of data is being communicated between two users.
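The field layout, padding rule, ICV and anti-replay window described above, worked through in Python as an added example (not code from the original page or from Cisco). It uses ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 so that every field stays visible and the whole thing runs with the standard library; the SPI, key and payload are constructed for the example, and the check of the default 1, 2, 3, ... padding pattern is an optional receiver behaviour.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: a 160-bit HMAC truncated to 96 bits (Cisco "esp-sha-hmac")
ESP_HDR = struct.Struct("!II")  # SPI (32 bits) then Sequence Number (32 bits), network order


def esp_pad_length(payload_len, block_size=4):
    """Bytes of padding so that Payload + Padding + Pad Length + Next Header is a
    multiple of the cipher block size and the trailer ends on a 4-byte boundary."""
    align = max(block_size, 4)
    return (-(payload_len + 2)) % align


def esp_encapsulate(spi, seq, next_header, payload, auth_key, block_size=4):
    """Build an ESP packet. The cipher is ESP_NULL (RFC 2410) so the 'encrypted'
    part is visible and the field layout can be inspected; a real SA would encrypt
    `body` with the negotiated cipher before the ICV is computed over it."""
    pad_len = esp_pad_length(len(payload), block_size)
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding: 1, 2, 3, ...
    header = ESP_HDR.pack(spi, seq)                 # authenticated, never encrypted
    body = payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


class ReplayWindow:
    """RFC 4303 anti-replay sliding window. Bit i of the bitmap records whether
    sequence number (top - i) has already been accepted."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq):
        """Cheap pre-check done before the HMAC; raises ValueError for replays."""
        if seq == 0:
            raise ValueError("sequence number 0 is never valid on an SA")
        if seq > self.top:
            return                                   # new high-water mark, accept
        diff = self.top - seq
        if diff >= self.size:
            raise ValueError("sequence %d is older than the window" % seq)
        if (self.bitmap >> diff) & 1:
            raise ValueError("sequence %d was already received (replay)" % seq)

    def update(self, seq):
        """Mark `seq` as received; called only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def esp_decapsulate(packet, auth_key, window):
    """Verify and unwrap an ESP packet built by esp_encapsulate.
    Order matters: replay pre-check, then ICV, then window update, then parse."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    header, body, icv = packet[:ESP_HDR.size], packet[ESP_HDR.size:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = ESP_HDR.unpack(header)
    window.check(seq)
    expected = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified in transit or wrong SA key")
    window.update(seq)
    pad_len, next_header = body[-2], body[-1]
    if pad_len + 2 > len(body):
        raise ValueError("pad length exceeds encrypted part")
    payload_end = len(body) - pad_len - 2
    if body[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the default pattern")
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": body[:payload_end]}


if __name__ == "__main__":
    key = b"constructed-demo-auth-key"          # constructed; a real SA key comes from IKE
    window = ReplayWindow()
    pkt = esp_encapsulate(0x1000, 1, 17, b"hello world", key)
    print(esp_decapsulate(pkt, key, window))
    try:
        esp_decapsulate(pkt, key, window)      # same packet again: rejected as a replay
    except ValueError as err:
        print("rejected:", err)
```

The receiver verifies the ICV before it touches the window state, so a forged packet with a high sequence number cannot advance the window and lock out legitimate traffic; with an AES transform the same layout applies, only with block_size=16.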




When configuring SSL VPN on the Cisco ASA appliance, which configuration step is required only for Cisco AnyConnect full tunnel SSL VPN access and not required for clientless SSL VPN?



A. user authentication

B. group policy

C. IP address pool

D. SSL VPN interface

E. connection profile


Correct Answer: C




Cisco AnyConnect VPN Client Full Tunnel Support

Remote Client Software from the SSL VPN Gateway

The Cisco AnyConnect VPN Client software package is pushed from the SSL VPN gateway to remote clients when support is needed. The remote user (PC or device) must have either the Java Runtime Environment for Windows (version 1.4 or later), or the browser must support or be configured to permit ActiveX controls. In either scenario, the remote user must have local administrative privileges.


Address Pool

The address pool is first defined with the ip local pool command in global configuration mode. The standard configuration assumes that the IP addresses in the pool are reachable from a directly connected network.


Address Pools for Nondirectly Connected Networks

If you need to configure an address pool for IP addresses from a network that is not directly connected, perform the following steps:

Create a local loopback interface and configure it with an IP address and subnet mask from the address pool.


Configure the address pool with the ip local pool command. The range of addresses must fall under the subnet mask configured in Step 1.

Set up the route. If you are using the Routing Information Protocol (RIP), configure the router rip command and then the network command, as usual, to specify a list of networks for the RIP process. If you are using the Open Shortest Path First (OSPF) protocol, configure the ip ospf network point-to-point command on the loopback interface. As a third choice (instead of using the RIP or OSPF protocol), you can set up static routes to the network.


Configure the svc address-pool command with the name configured in Step 2.

Manual Entry to the IP Forwarding Table

If the SSL VPN software client is unable to update the IP forwarding table on the PC of the remote user, the following error message will be displayed in the router console or syslog:

Error : SSL VPN client was unable to Modify the IP forwarding table ……

This error can occur if the remote client does not have a default route. You can work around this error by performing the following steps:

Open a command prompt (DOS shell) on the remote client.

Enter the route print command.

If a default route is not displayed in the output, enter the route command followed by the add and mask keywords. Include the default gateway IP address at the end of the route statement. See the following example:

C:>route ADD MASK





For what purpose is the Cisco ASA appliance web launch SSL VPN feature used?



A. to enable split tunneling when using clientless SSL VPN access

B. to enable users to login to a web portal to download and launch the AnyConnect client

C. to enable smart tunnel access for applications that are not web-based

D. to optimize the SSL VPN connections using DTLS

E. to enable single-sign-on so the SSL VPN users need only log in once


Correct Answer: B




AnyConnect Standalone and WebLaunch Options

The user can use the AnyConnect Client in the following modes:

Standalone mode–Lets the user establish a Cisco AnyConnect VPN client connection without the need to use a web browser. If you have permanently installed the AnyConnect client on the user’s PC, the user can run in standalone mode. In standalone mode, a user opens the AnyConnect client just like any other application and enters the username and password credentials into the fields of the AnyConnect GUI. Depending on how you configure the system, the user might also be required to select a group. When the connection is established, the security appliance checks the version of the client on the user’s PC and, if necessary, downloads the latest version.


WebLaunch mode–Lets the user enter the URL of the security appliance in the Address or Location field of a browser using the https protocol. The user then enters the username and password information on a Logon screen and selects the group and clicks submit. If you have specified a banner, that information appears, and the user acknowledges the banner by clicking Continue.


The portal window appears. To start the AnyConnect client, the user clicks Start AnyConnect on the main pane. A series of documentary windows appears. When the Connection Established dialog box appears, the connection is working, and the user can proceed with online activities. Whether connecting via standalone mode or WebLaunch mode, the AnyConnect client package must be installed on the security appliance in order for the client to connect. This ensures that the security appliance is the single point of enforcement as to which versions of the client can establish a session, even if you deploy the client with an enterprise software deployment system. When you load a client package on the security appliance, you enforce a policy that only versions as new as the one loaded can connect. AnyConnect users must upgrade their clients by loading the latest version of the client with the latest security features on the security appliance.




Which statement describes how VPN traffic is encrypted to provide confidentiality when using asymmetric encryption?



A. The sender encrypts the data using the sender’s private key, and the receiver decrypts the data using the sender’s public key.

B. The sender encrypts the data using the sender’s public key, and the receiver decrypts the data using the sender’s private key.

C. The sender encrypts the data using the sender’s public key, and the receiver decrypts the data using the receiver’s public key.

D. The sender encrypts the data using the receiver’s private key, and the receiver decrypts the data using the receiver’s public key.

E. The sender encrypts the data using the receiver’s public key, and the receiver decrypts the data using the receiver’s private key.

F. The sender encrypts the data using the receiver’s private key, and the receiver decrypts the data using the sender’s public key.


Correct Answer: E




Public-Key Cryptography and Asymmetric Encryption


In asymmetric encryption, two different but mathematically related keys are used to render data illegible to anyone who may be eavesdropping on a conversation: a public key and a private key. A certificate carries only the public key, bound to its owner’s identity by the CA’s signature; the private key never leaves its owner.

Data that is encrypted with the public key can be decrypted only with the matching private key, and data encrypted with the private key can be decrypted only with the public key (that second direction is what digital signatures use, not confidentiality). The parties who need to encrypt their communications exchange their public keys (contained in the certificate) but never disclose their private keys. The sending party uses the public key of the receiving party to encrypt message data and forwards the ciphertext (encrypted data) to the other party. The receiving party then decrypts the ciphertext with its own private key.

Because data encrypted with the public key cannot be decrypted with the public key, an eavesdropper who captures both public keys during the certificate exchange still cannot recover the plaintext. Asymmetric encryption is slow, so a VPN uses it only to protect key exchange or to sign authentication data; the bulk traffic is encrypted with a symmetric key.
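To make the key directions concrete, here is an added example (not code from the original page or from any Cisco product) implementing textbook RSA with Python’s standard library. Keys are generated from Miller-Rabin probable primes, and the functions show that only the receiver’s private key undoes encryption under the receiver’s public key, while the sender’s private key is what produces a signature that the sender’s public key verifies. It omits OAEP/PSS padding and side-channel protection, so it illustrates the question rather than a production cipher; the message, names and key sizes are constructed for the example.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (adequate for a demo key; not constant-time)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(modulus_bits=1024):
    """Return (public, private) as (n, e) and (n, d). Textbook RSA for illustration only."""
    e = 65537
    while True:
        p, q = random_prime(modulus_bits // 2), random_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key, value):
    """One modular exponentiation with whichever exponent the key holds."""
    n, exponent = key
    return pow(value, exponent, n)


def encrypt(receiver_public, message):
    """Confidentiality: the SENDER uses the RECEIVER's public key (answer E above)."""
    n, _ = receiver_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus; real systems wrap a symmetric key here")
    return rsa_apply(receiver_public, m)


def decrypt(key, ciphertext):
    """Only the receiver's private key inverts encrypt(); any other key yields garbage.
    (Leading zero bytes of the message are not preserved; fine for this demo.)"""
    m = rsa_apply(key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(sender_private, message):
    """Authenticity: the SENDER uses its OWN private key over a hash of the message (answer A's direction)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(sender_private, digest)


def verify(sender_public, message, signature):
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(sender_public, signature) == digest


if __name__ == "__main__":
    bob_pub, bob_priv = generate_keypair(512)           # constructed demo size; use 2048+ for real keys
    c = encrypt(bob_pub, b"symmetric session key K")
    print(decrypt(bob_priv, c))                          # Bob recovers the message
    print(decrypt(bob_pub, c))                           # the public key cannot undo its own encryption
```

The two "wrong key" cases are what the distractor answers describe: decrypting with the receiver’s public key or with some other party’s private key returns meaningless bytes, and a signature made with Alice’s private key does not verify under Bob’s public key.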




Which four types of VPN are supported using Cisco ISRs and Cisco ASA appliances? (Choose four.)



A. SSL clientless remote-access VPNs

B. SSL full-tunnel client remote-access VPNs

C. SSL site-to-site VPNs

D. IPsec site-to-site VPNs

E. IPsec client remote-access VPNs

F. IPsec clientless remote-access VPNs


Correct Answer: ABDE




SSL VPN Access Modes

SSL VPN provides three modes of remote access on IOS routers: Clientless, Thin Client and Full Client. On ASA devices, there are two modes: Clientless (which includes Clientless and Thin Client port forwarding) and AnyConnect Client (a full client).


Clientless Access Mode

In Clientless mode, the remote user accesses the internal or corporate network using a Web browser on the client machine. No applet downloading is required. Clientless mode is useful for accessing most content that you would expect in a Web browser, such as Internet access, databases, and online tools that employ a Web interface. It supports Web browsing (using HTTP and HTTPS), file sharing using Common Internet File System (CIFS), and Outlook Web Access (OWA) email. For Clientless mode to work successfully, the remote user’s PC must be running Windows 2000, Windows XP, or Linux operating systems. Browser-based SSL VPN users connecting from Windows operating systems can browse shared file systems and perform the following operations: view folders, view folder and file properties, create, move, copy, copy from the local host to the remote host, copy from the remote host to the local host, and delete. Internet Explorer indicates when a Web folder is accessible. Accessing this folder launches another window, providing a view of the shared folder, on which users can perform web folder functions, assuming the properties of the folders and documents permit them.


Thin Client Access Mode

Thin Client mode, also called TCP port forwarding, assumes that the client application uses TCP to connect to a well-known server and port. In this mode, the remote user downloads a Java applet by clicking the link provided on the portal page. The Java applet acts as a TCP proxy on the client machine for the services configured on the SSL VPN gateway. The Java applet starts a new SSL connection for every client connection. The Java applet initiates an HTTP request from the remote user client to the SSL VPN gateway. The name and port number of the internal server (the email server, in the example the documentation uses) is included in the HTTP request. The SSL VPN gateway creates a TCP connection to that internal server and port. Thin Client mode extends the capability of the cryptographic functions of the Web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and Secure Shell (SSH).



The TCP port-forwarding proxy works only with Sun’s Java Runtime Environment (JRE) version 1.4 or later. A Java applet is loaded through the browser that verifies the JRE version. The Java applet refuses to run if a compatible JRE version is not detected. When using Thin Client mode, you should be aware of the following:


The remote user must allow the Java applet to download and install.

For TCP port-forwarding applications to work seamlessly, administrative privileges must be enabled for remote users.

You cannot use Thin Client mode for applications such as FTP, where the ports are negotiated dynamically; that is, you can use TCP port forwarding only with static ports.
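The mechanism behind Thin Client mode, as an added Python example that is not from the original page or from Cisco’s applet: a loopback listener stands in for the applet, a constructed echo server stands in for the internal static-port service, and the relay leg that the product carries inside an SSL session to the gateway is plain loopback TCP here. The FORWARDS table is the static port list, which is exactly why a protocol that negotiates a fresh port per session, such as FTP, cannot be forwarded this way.

```python
import socket
import threading

# Static mapping, as a thin-client port-forwarding list would have it:
# local port -> (internal host, port). Filled in by start_port_forwarder().
FORWARDS = {}


def _pump(src, dst):
    """Copy bytes one way until the source closes, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # loopback only: the proxy must not be reachable from other hosts
    srv.listen(8)
    return srv


def start_echo_server():
    """Stand-in for the internal static-port service (constructed; the Cisco text uses a mail server)."""
    srv = _listen()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                data = conn.recv(4096)
                if data:
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_port_forwarder(internal_host, internal_port):
    """Play the applet's role: listen on a local port and relay each accepted connection
    to one fixed internal host:port. Returns the local port the application should use."""
    srv = _listen()
    local_port = srv.getsockname()[1]
    FORWARDS[local_port] = (internal_host, internal_port)

    def relay(client):
        try:
            upstream = socket.create_connection(FORWARDS[local_port], timeout=5)
        except OSError:
            client.close()
            return
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=relay, args=(client,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return local_port


def send_through(local_port, payload, timeout=5):
    """What the unmodified client application does: connect to localhost:port as if it
    were the real server, send a request, read the reply until the peer closes."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=timeout) as conn:
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    service_port = start_echo_server()
    app_port = start_port_forwarder("127.0.0.1", service_port)
    print("application connects to 127.0.0.1:%d, relayed to %s" % (app_port, FORWARDS[app_port]))
    print(send_through(app_port, b"EHLO client.example\r\n"))
```

Each application needs its own entry in FORWARDS, and the client has to be pointed at localhost (the real applet edits the hosts file, which is one reason the documentation asks for administrative privileges). Nothing in this design can learn the data port an FTP server announces mid-session, so that connection simply never gets relayed.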

Full Tunnel Client Access Mode

Full Tunnel Client mode enables access to the corporate network completely over an SSL VPN tunnel, which is used to move data at the network (IP) layer. This mode supports most IP-based applications, such as Microsoft Outlook, Microsoft Exchange, Lotus Notes E-mail, and Telnet. Being part of the SSL VPN is completely transparent to the applications run on the client. A tunneling client (the SSL VPN Client, SVC, or AnyConnect) is downloaded to the client host and handles the tunnel between the client host and the SSL VPN gateway; it installs a virtual adapter and receives an IP address from the gateway’s address pool. The user can use any application as if the client host was in the internal network.

The tunnel connection is determined by the group policy configuration. The SSL VPN client (SVC) or AnyConnect client is downloaded and installed to the remote client, and the tunnel connection is established when the remote user logs in to the SSL VPN gateway. By default, the client software is removed from the remote client after the connection is closed, but you can keep it installed, if required.

https://learningnetwork.cisco.com/servlet/JiveServlet/downloadBody/12870-102-1-48375/Cisco%20VPN%20(5).pdf


LAN-to-LAN IPsec Implementations

LAN-to-LAN IPsec is a term often used to describe an IPsec tunnel created between two LANs. These are also called site to site IPsec VPNs. LAN-to-LAN VPNs are created when two private networks are merged across a public network such that the users on either of these networks can access resources on the other network as if they were on their own private network.


Remote-Access Client IPsec Implementations

Remote-access client IPsec VPNs are created when a remote user connects to an IPsec router or access server using an IPsec client installed on the remote user’s machine. Generally, these remote-access machines connect to the public network or the Internet using dialup or some other similar means of connectivity. As soon as basic connectivity to the Internet is established, the IPsec client can set up an encrypted tunnel across the public network or the Internet to an IPsec termination device located at the edge of the private network to which the client wants to connect and be a part of. These IPsec termination devices are also known as IPsec remote-access concentrators.




Which description of the Diffie-Hellman protocol is true?



A. It uses symmetrical encryption to provide data confidentiality over an unsecured communications channel.

B. It uses asymmetrical encryption to provide authentication over an unsecured communications channel.

C. It is used within the IKE Phase 1 exchange to provide peer authentication.

D. It provides a way for two peers to establish a shared-secret key, which only they will know, even though they are communicating over an unsecured channel.

E. It is a data integrity algorithm that is used within the IKE exchanges to guarantee the integrity of the message of the IKE exchanges.


Correct Answer: D




Modulus Group

The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Options are:

1–Diffie-Hellman Group 1 (768-bit modulus).

2–Diffie-Hellman Group 2 (1024-bit modulus).

5–Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys, but group 14 is better). If you are using AES encryption, use this group (or higher). The ASA release this text was written for supported group 5 as its highest MODP group; current ASA software also supports group 14 and larger, which should be preferred.

7–Diffie-Hellman Group 7 (163-bit elliptical curve field size).

14–Diffie-Hellman Group 14 (2048-bit modulus, considered good protection for 128-bit keys).

15–Diffie-Hellman Group 15 (3072-bit modulus, considered good protection for 192-bit keys).

16–Diffie-Hellman Group 16 (4096-bit modulus, considered good protection for 256-bit keys).




Which IPsec transform set provides the strongest protection?



A. crypto ipsec transform-set 1 esp-3des esp-sha-hmac

B. crypto ipsec transform-set 2 esp-3des esp-md5-hmac

C. crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac

D. crypto ipsec transform-set 4 esp-aes esp-md5-hmac

E. crypto ipsec transform-set 5 esp-des esp-sha-hmac

F. crypto ipsec transform-set 6 esp-des esp-md5-hmac


Correct Answer: C



Table 22-2 IKEv2 Proposal Dialog Box

Name

The name of the policy object. A maximum of 128 characters is allowed.

Description

A description of the policy object. A maximum of 1024 characters is allowed.

Priority

The priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.

Valid values range from 1 to 65535. The lower the number, the higher the priority. If you leave this field blank, Security Manager assigns the lowest unassigned value starting with 1, then 5, then continuing in increments of 5.

Encryption Algorithm

The encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations. Click Select and select all of the algorithms that you want to allow in the VPN:

AES–Encrypts according to the Advanced Encryption Standard using 128-bit keys.

AES-192–Encrypts according to the Advanced Encryption Standard using 192-bit keys.

AES-256–Encrypts according to the Advanced Encryption Standard using 256-bit keys.

DES–Encrypts according to the Data Encryption Standard using 56-bit keys. A 56-bit key can be recovered by brute force, so DES should not be used.

3DES–Applies DES three times with three 56-bit keys (168 bits in total). 3DES is more secure than DES, but requires more processing for encryption and decryption. It is less secure than AES. A 3DES license is required to use this option.

Null–No encryption algorithm.

Integrity (Hash) Algorithm

The integrity portion of the hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Click Select and select all of the algorithms that you want to allow in the VPN:

SHA (Secure Hash Algorithm)–Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.

MD5 (Message Digest 5)–Produces a 128-bit digest. MD5 uses less processing time than SHA.

PRF Algorithm

The pseudo-random function (PRF) portion of the hash algorithm used in the IKE proposal. In IKEv1, the Integrity and PRF algorithms are not separated, but in IKEv2, you can specify different algorithms for these elements. Click Select and select all of the algorithms that you want to allow in the VPN:

SHA (Secure Hash Algorithm)–Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.

MD5 (Message Digest 5)–Produces a 128-bit digest. MD5 uses less processing time than SHA.

Modulus Group

The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Click Select and select all of the groups that you want to allow in the VPN:

1–Diffie-Hellman Group 1 (768-bit modulus).

2–Diffie-Hellman Group 2 (1024-bit modulus). This is the minimum setting the dialog recommends; a 1024-bit modulus is no longer considered adequate, so prefer group 14 or higher where both peers support it.

5–Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys). Select this option if you are using AES encryption.


Lifetime

The lifetime of the security association (SA), in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes. You can specify a value from 120 to 2147483647 seconds. The default is 86400.

Category

The category assigned to the object. Categories help you organize and identify rules and objects.





Which statement about asymmetric encryption algorithms is true?



A. They use the same key for encryption and decryption of data.

B. They use the same key for decryption but different keys for encryption of data.

C. They use different keys for encryption and decryption of data.

D. They use different keys for decryption but the same key for encryption of data.


Correct Answer: C




Transport Layer Protocol

Server authentication occurs at the transport layer, based on the server possessing a public-private key pair. A server may have multiple host keys using multiple different asymmetric encryption algorithms. Multiple hosts may share the same host key. In any case, the server host key is used during key exchange to authenticate the identity of the host. For this authentication to be possible, the client must have presumptive knowledge of the server public host key. RFC 4251 dictates two alternative trust models that can be used:


The client has a local database that associates each host name (as typed by the user) with the corresponding public host key. This method requires no centrally administered infrastructure and no third-party coordination.

The downside is that the database of name-to-key associations may become burdensome to maintain.

The host name-to-key association is certified by a trusted Certification Authority (CA). The client knows only the CA root key and can verify the validity of all host keys certified by accepted CAs. This alternative eases the maintenance problem, because ideally only a single CA key needs to be securely stored on the client. On the other hand, each host key must be appropriately certified by a central authority before authorization is possible.
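The first trust model above (the client’s local name-to-key database) is what OpenSSH’s known_hosts file implements. The following added Python example, not from the original page or from OpenSSH, parses both plain and hashed (HashKnownHosts) entries, honours @revoked markers, skips @cert-authority lines (those belong to the second trust model), and reports match, mismatch, revoked or unknown, which is the decision the client has to make before trusting the server’s host key. The hostnames are constructed, and the key blobs are arbitrary bytes standing in for real ed25519 public keys.

```python
import base64
import hashlib
import hmac
import os


def _b64(raw):
    return base64.b64encode(raw).decode()


def hash_hostname(hostname, salt=None):
    """Produce an OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (_b64(salt), _b64(mac))


def hostname_matches(host_field, hostname):
    """True if a known_hosts host field (plain, comma-separated or hashed) names `hostname`."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")


def fingerprint(key_b64):
    """SHA256 fingerprint in the form ssh-keygen prints: base64 without trailing '='."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + _b64(digest).rstrip("=")


def check_host_key(known_hosts_text, hostname, key_type, key_b64):
    """Local-database trust model. Returns:
      'match'    the presented key is recorded for this host
      'revoked'  the key is explicitly marked @revoked
      'mismatch' the host is known with a different key of this type (possible MITM)
      'unknown'  no entry: the client must prompt the user (trust on first use)"""
    seen_other_key = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":
            continue            # CA entries certify via signatures: the second trust model
        host_field, entry_type, entry_key = fields[0], fields[1], fields[2]
        if entry_type != key_type or not hostname_matches(host_field, hostname):
            continue
        if entry_key == key_b64:
            return "revoked" if marker == "@revoked" else "match"
        if marker != "@revoked":
            seen_other_key = True
    return "mismatch" if seen_other_key else "unknown"


# Constructed sample database. The key blobs are placeholders, not real public keys.
KEY_A = _b64(b"constructed-ed25519-public-key-blob-A")
KEY_B = _b64(b"constructed-ed25519-public-key-blob-B")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry, two names for one host",
    "vpn-gw.example.com,10.1.1.1 ssh-ed25519 " + KEY_A,
    "# hashed entry, as 'HashKnownHosts yes' writes it",
    hash_hostname("asa-mgmt.example.com", salt=b"\x01" * 20) + " ssh-ed25519 " + KEY_B,
    "@revoked old-gw.example.com ssh-ed25519 " + KEY_A,
])


if __name__ == "__main__":
    for host, key in (("vpn-gw.example.com", KEY_A), ("vpn-gw.example.com", KEY_B),
                      ("asa-mgmt.example.com", KEY_B), ("new-host.example.com", KEY_A)):
        print(host, fingerprint(key), check_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The 'mismatch' outcome is the one that matters operationally: it is what the client must refuse to connect on, because a host that is known with one key and suddenly presents another is indistinguishable from an attacker in the path. Hashed entries hide which hosts a stolen known_hosts file names, but they still let the client confirm a hostname it already knows.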




Which option can be used to authenticate the IPsec peers during IKE Phase 1?



Diffie-Hellman Nonce


pre-shared key




integrity check value






Correct Answer: B




IKE policy parameters, with the configuration keyword and the default value for each:

Encryption algorithm: 56-bit DES-CBC (keyword des, the default); 168-bit 3DES (keyword 3des).

Hash algorithm: SHA-1, HMAC variant (keyword sha, the default); MD5, HMAC variant (keyword md5).

Authentication method: RSA signatures (keyword rsa-sig, the default); RSA encrypted nonces (keyword rsa-encr); pre-shared keys (keyword pre-share).

Diffie-Hellman group identifier: 768-bit Diffie-Hellman (group 1, the default); 1024-bit Diffie-Hellman (group 2).

Lifetime of the security association: any number of seconds; the default is 86400 seconds (one day).

The defaults are interoperability baselines, not secure choices: DES and group 1 are far below current minimums, so an explicit policy with AES, SHA and group 14 or higher is the practical starting point.
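The Diffie-Hellman questions earlier on the page and the authentication-method row of this policy table fit together in one exchange: the D-H group produces the shared secret, and the pre-shared key is what proves who is on the other end. The following added Python example (not code from the original page or from Cisco) runs a simplified IKEv1 Phase 1 with D-H group 2 and a PSK-keyed HMAC (SKEYID = prf(PSK, Ni | Nr), then hashes over the public values each side saw), and repeats it with an active man-in-the-middle. The peer names and PSKs are constructed; cookies, the SA payload and the encryption of the authentication hashes are omitted.

```python
import hashlib
import hmac
import secrets

# IKE Diffie-Hellman group 2: the 1024-bit MODP prime from RFC 2409 section 6.2, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def int_to_bytes(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


class Peer:
    """One IKE endpoint: a D-H key pair for this exchange, a nonce, and the PSK it holds."""

    def __init__(self, name, psk, p=GROUP2_P, g=GROUP2_G):
        self.name, self.psk, self.p, self.g = name, psk, p, g
        self.x = secrets.randbelow(p - 2) + 1          # private exponent, never sent
        self.public = pow(g, self.x, p)                # g^x mod p, sent in the clear
        self.nonce = secrets.token_bytes(16)

    def shared_secret(self, peer_public):
        """g^xy mod p from the peer's public value and our private exponent."""
        if not 1 < peer_public < self.p - 1:           # reject 0, 1 and p-1 (degenerate values)
            raise ValueError("invalid Diffie-Hellman public value")
        return pow(peer_public, self.x, self.p)

    def skeyid(self, nonce_i, nonce_r):
        """IKEv1 pre-shared-key mode: SKEYID = prf(PSK, Ni | Nr). Only PSK holders can compute it."""
        return hmac.new(self.psk, nonce_i + nonce_r, hashlib.sha1).digest()

    def auth_hash(self, skeyid, g_xi, g_xr, identity):
        """Simplified HASH_I / HASH_R: prf(SKEYID, g^xi | g^xr | ID)."""
        return hmac.new(skeyid, int_to_bytes(g_xi) + int_to_bytes(g_xr) + identity, hashlib.sha1).digest()


def phase1(initiator, responder, attacker=None):
    """Run the simplified exchange and report what each side concludes. `attacker`, if
    given, sits in the path and substitutes its own public value in both directions."""
    pub_from_i = attacker.public if attacker else initiator.public   # what the responder receives
    pub_from_r = attacker.public if attacker else responder.public   # what the initiator receives

    key_i = initiator.shared_secret(pub_from_r)
    key_r = responder.shared_secret(pub_from_i)

    ni, nr = initiator.nonce, responder.nonce       # nonces are relayed unchanged
    sk_i, sk_r = initiator.skeyid(ni, nr), responder.skeyid(ni, nr)

    # each honest side hashes the public values IT saw ...
    hash_i = initiator.auth_hash(sk_i, initiator.public, pub_from_r, b"initiator")
    hash_r = responder.auth_hash(sk_r, pub_from_i, responder.public, b"responder")
    if attacker:
        # ... but an active attacker must forge both hashes with whatever PSK it holds
        sk_m = attacker.skeyid(ni, nr)
        hash_i = attacker.auth_hash(sk_m, attacker.public, responder.public, b"initiator")
        hash_r = attacker.auth_hash(sk_m, initiator.public, attacker.public, b"responder")

    return {
        "keys_match": key_i == key_r,
        "initiator_authenticated": hmac.compare_digest(
            hash_i, responder.auth_hash(sk_r, pub_from_i, responder.public, b"initiator")),
        "responder_authenticated": hmac.compare_digest(
            hash_r, initiator.auth_hash(sk_i, initiator.public, pub_from_r, b"responder")),
        "attacker_knows_key": attacker is not None and attacker.shared_secret(initiator.public) == key_i,
    }


if __name__ == "__main__":
    psk = b"constructed-pre-shared-key"
    print("honest:        ", phase1(Peer("hq", psk), Peer("branch", psk)))
    print("mitm, no psk:  ", phase1(Peer("hq", psk), Peer("branch", psk), Peer("mallory", b"guess")))
    print("mitm, has psk: ", phase1(Peer("hq", psk), Peer("branch", psk), Peer("mallory", psk)))
```

The three runs make the exam point and the practitioner’s caveat visible. Diffie-Hellman alone always yields a key, even to an attacker who substituted public values, which is why the option claiming it "provides peer authentication" is wrong; the PSK-keyed hash is what fails when someone is in the middle. The third run shows the flip side: an attacker who holds the PSK passes both checks, so a group PSK shared by many remote-access clients, or one that has leaked, turns the exchange into an interceptable one.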

