
Exam 350-701 topic 1 question 430 discussion

Actual exam question from Cisco's 350-701
Question #: 430
Topic #: 1

During a recent security audit, a Cisco IOS router with a working IPSEC configuration using IKEv1 was flagged for using a wildcard mask with the crypto isakmp key command. The VPN peer is a SOHO router with a dynamically assigned IP address. Dynamic DNS has been configured on the SOHO router to map the dynamic IP address to the host name of vpn.sohoroutercompany.com. In addition to the command crypto isakmp key Cisc123456789 hostname vpn.sohoroutercompany.com, what other two commands are now required on the Cisco IOS router for the VPN to continue to function after the wildcard command is removed? (Choose two.)

  • A. ip host vpn.sohoroutercompany.com <VPN Peer IP Address>
  • B. crypto isakmp identity hostname
  • C. Add the dynamic keyword to the existing crypto map command
  • D. fqdn vpn.sohoroutercompany.com <VPN Peer IP Address>
  • E. ip name-server <DNS Server IP Address>
Suggested Answer: BE
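As an added illustration, not taken from the question or from Cisco's documentation, here is a hub-side IOS IKEv1 configuration that authenticates the dynamically addressed SOHO peer by host name instead of a wildcard pre-shared key: hostname ISAKMP identity, the hostname-keyed pre-shared key from the question, a resolver for name lookups, and deferred resolution with the dynamic keyword on set peer. The DNS server address, subnets, policy values, and object names are placeholders.

```cisco
! Hub-side IOS IKEv1 configuration (added example; addresses are documentation-range placeholders)
!
! Name resolution: the SOHO peer is known only by its dynamic-DNS name,
! so the router needs a resolver and domain lookup enabled (on by default).
ip domain lookup
ip name-server 192.0.2.53
!
! IKEv1 phase 1 policy (placeholder values; set per local crypto policy)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Send this router's host name, not its address, as the ISAKMP identity.
! Cisco recommends all peers use the same identity type (address or hostname).
crypto isakmp identity hostname
!
! Pre-shared key bound to the peer's FQDN, replacing the wildcard-mask key.
crypto isakmp key Cisc123456789 hostname vpn.sohoroutercompany.com
!
! Phase 2 transform set (placeholder name and algorithms)
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic to protect (placeholder subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! "dynamic" defers DNS resolution of the peer name until just before the
! tunnel is built, so an address change on the SOHO side is picked up
! instead of reusing the address resolved when the line was entered.
crypto map HUB-MAP 10 ipsec-isakmp
 set peer vpn.sohoroutercompany.com dynamic
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map HUB-MAP
```

After the SOHO side initiates, show crypto isakmp sa and show crypto ipsec sa should list the peer at whatever address its dynamic-DNS name currently resolves to; show crypto isakmp key confirms the hostname-keyed entry replaced the wildcard one.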

Comments

kloug
6 months, 2 weeks ago
Answer B, E
upvoted 1 times
MPoels
1 year, 2 months ago
Selected Answer: CE
It sounds like only the configuration of the (central) IOS router can be changed here. If the question in the exam allows the SOHO router configuration to be changed, you could also take answer B (instead of C).
upvoted 1 times
jpapas
1 year, 9 months ago
Selected Answer: CE
B is wrong guys. "Crypto isakmp identity hostname" forces the LOCAL router to offer the LOCAL hostname as ISAKMP-ID on IKE negotiation. It is not relevant, as here we want to match something on the remote offer. A and D are also both wrong (static IP bindings). So C and E are the two correct ones. A note for C: C is correct, but there is a blurred wording trick in the answer: dynamic should be added to the "set peer" crypto map (SUB)command, not to the crypto map command itself (but every subcommand is included in the parent command in general, right? ;) )
upvoted 3 times
ums008
1 year, 10 months ago
Selected Answer: BE
B & E is Correct https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-mt/dns-15-mt-book/dns-dyn-dns-supp-ios.html.xml
upvoted 1 times
Jessie45785
1 year, 11 months ago
Selected Answer: BE
I have to correct myself - C is WRONG! - Agree with @SegaMasterSystemAdmin - dynamic is part of SET PEER not Crypto MAP -- B & E - is the correct answer
upvoted 2 times
The answer should be B and E. The "dynamic" keyword is added to the "set peer hostname dynamic" command and not to the crypto map command itself, and for lookups to work you need to have the DNS server set, so B and E make the most sense.
upvoted 1 times
Nian
2 months ago
Adding the dynamic keyword to the map command: crypto dynamic-map DYNMAP 10 .... crypto map MYMAP 100 ipsec-isakmp dynamic DYNMAP - associates a dynamic crypto map (DYNMAP) with a static crypto map (MYMAP).
upvoted 1 times
Jessie45785
2 years ago
Selected Answer: BC
Definitely B&C - (out of experience) https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-realtime-ipsec-0.html When specifying the host name of a remote IPsec peer via the set peer command, you can also issue the dynamic keyword, which defers DNS resolution of the host name until right before the IPsec tunnel has been established. Deferring resolution enables the software to detect whether the IP address of the remote IPsec peer has changed. Thus, the software can contact the peer at the new IP address. If the dynamic keyword is not issued, the host name is resolved immediately after it is specified. So, the software cannot detect an IP address change and, therefore, attempts to connect to the IP address that it previously resolved. DNS resolution assures users that their established IPsec tunnel is secure and authenticated.
upvoted 1 times
Jessie45785
1 year, 11 months ago
I have to correct myself - C is WRONG! - Agree with @SegaMasterSystemAdmin - dynamic is part of SET PEER not Crypto MAP -- B & E - is the correct answer
upvoted 1 times
Felice44
2 years ago
Selected Answer: BC
“As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.” So B is correct. "When specifying the host name of a remote IPsec peer via the set peer command, you can also issue the dynamic keyword, which defers DNS resolution of the host name until right before the IPsec tunnel has been established. Deferring resolution enables the Cisco IOS software to detect whether the IP address of the remote IPsec peer has changed. Thus, the software can contact the peer at the new IP address." So C is correct. Configuring the DNS server is fine (I think it's implied), but it's more general than these commands that are certainly required.
upvoted 1 times
tramollaaaa
2 years, 1 month ago
Selected Answer: BE
B and E are correct
upvoted 1 times
Juan07
2 years, 1 month ago
B & E are correct
upvoted 1 times
amtf8888
2 years, 4 months ago
Selected Answer: BE
BE is correct
upvoted 1 times
YmerG
2 years, 5 months ago
Selected Answer: BE
Referring to Cisco documentation, the answers are B and E: "The following example uses preshared keys at two peers and sets both their ISAKMP identities to hostname. At the local peer the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity hostname
crypto isakmp key sharedkeystring hostname RemoteRouter.example.com
ip host RemoteRouter.example.com 192.168.0.1"
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfike.html
upvoted 1 times
YmerG
2 years, 5 months ago
Sorry for the typo, I meant A and B
upvoted 1 times
amtf8888
2 years, 4 months ago
The SOHO office has a dynamic IP, so B is wrong, because it uses a static IP address
upvoted 2 times
Jessie45785
2 years ago
You are wrong - the question is about the HQ router - and the dynamic keyword is needed every time the SOHO router IP changes, otherwise how would the HQ router know to refresh the FQDN resolution when the connection is terminated by the SOHO router? https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-realtime-ipsec-0.html When specifying the host name of a remote IPsec peer via the set peer command, you can also issue the dynamic keyword, which defers DNS resolution of the host name until right before the IPsec tunnel has been established. Deferring resolution enables the software to detect whether the IP address of the remote IPsec peer has changed. Thus, the software can contact the peer at the new IP address. If the dynamic keyword is not issued, the host name is resolved immediately after it is specified. So, the software cannot detect an IP address change and, therefore, attempts to connect to the IP address that it previously resolved. DNS resolution assures users that their established IPsec tunnel is secure and authenticated.
upvoted 1 times
Jessie45785
2 years ago
B&C are hence correct
upvoted 1 times
Ed1976
2 years, 5 months ago
Selected Answer: BE
I think the crypto map was configured already as dynamic, so answer C is wrong.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other