300-730 Question #128: Real Exam Question with Answer & Explanation

The correct answer is B: Modify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.0.0/24. The crypto ACL on the ASA defines the wrong traffic selectors for the IKEv2 negotiation, causing a proxy ID mismatch that prevents traffic from being encrypted and forwarded correctly.

Question

Refer to the exhibit. A Cisco ASA is configured as a client to a router running as a FlexVPN server. The router is configured with a virtual template to terminate FlexVPN clients. Traffic between networks 192.168.0.0/24 and 172.16.20.0/24 does not work as expected. Based on the show crypto ikev2 sa output collected from the Cisco ASA in the exhibit, what is the solution to this issue?

Options

  • A. Modify the crypto ACL on the ASA to permit network 192.168.0.0/24 to network 172.16.20.0/24.
  • B. Modify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.0.0/24.
  • C. Modify the crypto ACL on the ASA to permit network 172.16.20.0/24 to network 192.16.20.0/24.
  • D. Modify the crypto ACL on the router to permit network 172.16.20.0/24 to network 192.16.0.0/24.

Explanation

The crypto ACL on the ASA defines the wrong traffic selectors for the IKEv2 negotiation, causing a proxy ID mismatch that prevents traffic from being encrypted and forwarded correctly.

Common mistakes.

  • A. Permitting 192.168.0.0/24 as the source to 172.16.20.0/24 as the destination reverses the selector direction relative to what the show output indicates the router has negotiated, so the mismatch would persist.
  • C. Permitting 172.16.20.0/24 to 192.16.20.0/24 uses the same remote subnet on both sides of the ACL entry, which does not represent valid distinct source and destination networks.
  • D. The mismatch originates from the ASA client's crypto ACL, not from the FlexVPN server; changing the router's ACL would not correct the incorrect selectors being proposed by the ASA.

Concept tested. IKEv2 FlexVPN traffic selector (proxy ID) configuration.

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-ikev2-flex-xe-16-book.html
