
300-320 Question #161: Real Exam Question with Answer & Explanation

The correct answer is C: Layer 3 in-band virtual gateway mode.

Question

A network engineer must perform posture assessments on Cisco ASA remote access VPN clients and control their network access based on the results. What mode is the Cisco best practice NAC deployment design for this situation?

Options

  • A. Layer 2 in-band real IP gateway mode
  • B. Layer 2 out-of-band real IP gateway mode
  • C. Layer 3 in-band virtual gateway mode
  • D. Layer 3 out-of-band virtual gateway mode

Explanation

For remote access VPN clients terminating on a Cisco ASA, the Cisco best practice for NAC (Network Admission Control) is Layer 3 in-band virtual gateway mode. In this mode, the NAC Appliance Manager/Server sits in the traffic path (in-band) at Layer 3, using a virtual IP as the gateway that VPN clients are directed to for posture assessment. Because VPN clients are already Layer 3 (routed) endpoints arriving from untrusted networks, a Layer 3 solution is required; Layer 2 modes cannot intercept traffic from remote routed clients. The virtual gateway model is preferred over a real IP gateway in VPN scenarios because it integrates cleanly with the ASA's address assignment and avoids routing conflicts.
