300-710 Question #255: Real Exam Question with Answer & Explanation
The correct answer is A: The capture must use the public IP address of the web server. The packet capture on the outside interface shows no traffic for the internal web server because external clients target the FTD's public IP address, not the internal private IP, and the capture sees those packets before NAT translation occurs.
Question
A network administrator is troubleshooting access to a website hosted behind a Cisco FTD device. External clients cannot access the web server via HTTPS. The IP address configured on the web server is 192.168.7.46. The administrator is running the command `capture CAP interface outside match ip any 192.168.7.46 255.255.255.255` but cannot see any traffic in the capture. Why is this occurring?
Options
- A. The capture must use the public IP address of the web server.
- B. The FTD has no route to the web server.
- C. The access policy is blocking the traffic.
- D. The packet capture shows only blocked traffic.
Explanation
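The packet capture on the outside interface shows no traffic because its filter matches the web server's internal private address, 192.168.7.46. External clients target the FTD's public IP address, not the internal private IP, and packets arriving on the outside interface still carry that public destination because NAT translation has not yet occurred.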
Common mistakes.
- B. While having no route to the web server would prevent access, it would not prevent the capture from showing incoming packets on the `outside` interface if they were indeed destined for the public IP address that maps to the web server.
- C. If an access policy were blocking the traffic, the packets would still arrive on the `outside` interface and be visible in a capture matching the correct public destination IP, even if they were subsequently dropped by the policy.
- D. Packet captures typically show all traffic that matches the filter criteria, regardless of whether it is ultimately allowed or blocked by security policies.
Concept tested. FTD packet capture and NAT understanding