
300-730 · Question #126

300-730 Question #126: Real Exam Question with Answer & Explanation

The correct answer is B: Enable IKEv1 on the outside interface. On Cisco ASA, IKEv1 must be explicitly activated on a specific interface before the device will process any incoming IKE packets; without this step, tunnel negotiation cannot begin.

Troubleshooting Using ASDM and CLI

Question

Refer to the exhibit. An engineer is building an IKEv1 tunnel to a peer Cisco ASA, but the tunnel is failing. Based on the configuration in the exhibit, which action must be taken to allow the VPN tunnel to come up?

Options

  • A. Add a route for the 10.7.7.0/24 network to egress the outside interface.
  • B. Enable IKEv1 on the outside interface.
  • C. Change the IKEv1 policy number to be at least 256.
  • D. Change the transform set mode to transport.

Explanation

On Cisco ASA, IKEv1 must be explicitly activated on a specific interface before the device will process any incoming IKE packets; without this step, tunnel negotiation cannot begin.

Common mistakes.

  • A. A static route for the remote network affects post-tunnel traffic forwarding but has no bearing on whether IKE negotiation can succeed or fail.
  • C. IKEv1 policy numbers are user-defined values from 1 to 65535 with lower numbers having higher priority; there is no technical requirement that the number be at least 256.
  • D. Transport mode is intended for host-to-host IPsec and would break the tunnel entirely for a site-to-site scenario; tunnel mode is the correct and default mode for gateway-to-gateway VPNs.

Concept tested. Enabling IKEv1 on a Cisco ASA interface.

Reference. https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/vpn/asa-914-vpn-config/vpn-ike.html

Topics

#IKEv1 #ASA-configuration #interface-activation #VPN-tunnel
