300-730 Question #108: Real Exam Question with Answer & Explanation
The correct answer is A: Add an SSL cipher that can be negotiated with the webserver to the Cisco ASA. In clientless SSLVPN the ASA acts as an SSL proxy between remote users and backend servers; if no common SSL cipher can be negotiated with the internal HTTPS server, the ASA reports the server as unavailable even when ICMP reachability is confirmed.
Question
Options
- A. Add an SSL cipher that can be negotiated with the webserver to the Cisco ASA.
- B. Add the http 192.168.0.101 255.255.255.255 inside command to the Cisco ASA.
- C. Configure routing on the Cisco ASA so it can reach the webserver.
- D. Configure a DNS server that can resolve the webserver domain on the Cisco ASA.
Explanation
In clientless SSLVPN the ASA acts as an SSL proxy between remote users and backend servers; if no common SSL cipher can be negotiated with the internal HTTPS server, the ASA reports the server as unavailable even when ICMP reachability is confirmed.
Common mistakes.
- B. The 'http' command grants ASDM or CLI management access to the ASA itself; it does not control access to internal webservers for clientless SSLVPN users.
- C. Routing is already confirmed working because pings from the ASA to 192.168.0.101 succeed; the problem exists at the SSL layer, not the network layer.
- D. DNS resolution is not the issue because the error message references the server by IP address (192.168.0.101), indicating the problem is an SSL cipher negotiation failure, not a name resolution failure.
Concept tested. Clientless SSLVPN SSL cipher negotiation between ASA proxy and backend server