300-730 Question #180: Real Exam Question with Answer & Explanation
The correct answer is B: sysopt connection permit-vpn.
Question
Which command is configured on a Cisco ASA to allow packets from an IPsec tunnel and their payloads to bypass interface ACLs on the firewall?
Options
- A. sysopt connection permit-acl
- B. sysopt connection permit-vpn
- C. sysopt connection permit-sslvpn
- D. sysopt connection permit-ikev1
Explanation
The sysopt connection permit-vpn command on Cisco ASA globally allows decrypted IPsec VPN traffic to bypass interface ACL checks, preventing VPN payloads from being dropped by inbound ACLs.
Common mistakes.
- A. sysopt connection permit-acl is not a valid Cisco ASA command and does not exist in the ASA command set.
- C. sysopt connection permit-sslvpn is not a valid ASA command; SSL VPN access is governed through group policies and connection profiles, not a sysopt bypass command.
- D. sysopt connection permit-ikev1 is not a valid ASA command; IKEv1 is the control-plane negotiation protocol and has no separate sysopt ACL bypass option.
Concept tested. Cisco ASA sysopt command for IPsec VPN ACL bypass
Reference. https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s9.html