300-730 Question #127: Real Exam Question with Answer & Explanation
The correct answer is C: Allow protocol ESP or AH on the firewall in front of the Site B router.
Troubleshooting VPNs
Question
An engineer has successfully established a Phase 1 and Phase 2 tunnel between two sites. Site A has internal subnet 192.168.0.0/24 and Site B has internal subnet 10.0.0.0/24. The engineer notices that no packets are decrypted at Site B. Pings to 192.168.0.0 from internal Site B devices make it to the Site B router, and the Site A router has incrementing encrypt and decrypt counters. What must be done to ensure bidirectional communication between both sites?
Options
- A. Modify the routing at Site B so that traffic is sent to Site A.
- B. Configure the correct DH group on both devices.
- C. Allow protocol ESP or AH on the firewall in front of the Site B router.
- D. Enable PFS on the headend device.
Explanation
The firewall in front of Site B is blocking ESP protocol packets from Site A, so the Site B router never receives the encrypted traffic and its decrypt counters stay at zero.
Common mistakes.
- A. Routing at Site B is confirmed correct because pings from Site B internal devices reach the Site B router, eliminating a routing problem as the cause.
- B. A DH group mismatch would prevent Phase 2 from establishing at all; since both Phase 1 and Phase 2 are already up, the DH configuration is valid on both sides.
- D. PFS affects the security of Phase 2 rekeying sessions and does not determine whether packets in an already-established tunnel are decrypted.
Concept tested. Firewall ESP/AH protocol permit for IPsec traffic
Reference. https://www.cisco.com/c/en/us/support/docs/security-sdwan/ipsec/5409-ipsec-through-nats.html
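The symptom in this question (Phase 1 and Phase 2 up, Site A encrypting and decrypting, Site B decrypting nothing) is exactly what a perimeter ACL produces when it passes IKE but drops the IPsec payload. The following is an added, constructed Cisco IOS example (not from the page or Cisco's reference); the peer addresses 203.0.113.1 (Site A) and 198.51.100.1 (Site B) and the interface name are placeholders.

```cisco
! --- Faulty ACL on the firewall in front of Site B (constructed) ---
! IKE over UDP/500 is allowed, so both phases negotiate, but the ESP and AH
! protocols that carry the actual encrypted data are never permitted.
ip access-list extended OUTSIDE-IN-BROKEN
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 deny ip any any log
!
! --- Corrected ACL (constructed) ---
! IKE and NAT-T for negotiation, plus ESP (IP protocol 50) and AH (IP
! protocol 51) so the encrypted packets reach the Site B router.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.1 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.1 host 198.51.100.1
 permit ahp host 203.0.113.1 host 198.51.100.1
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside (placeholder interface)
 ip access-group OUTSIDE-IN in
```

After the change, `show crypto ipsec sa` on the Site B router should show the `#pkts decrypt` counter incrementing alongside `#pkts encrypt`; the log entries from the `deny ip any any log` line are also the quickest way to confirm ESP was the protocol being dropped.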
Topics
#IPsec #ESP #firewall filtering #bidirectional traffic