nerdexam
Cisco

300-730 · Question #3

Refer to the exhibit. An internal clients behind the ASA are port address translated to the public outside interface that has an IP address of 3.3.3.3. Client 1 and client 2 have established successfu

The correct answer is C. Tunnel All Networks under Group Policy. For a browser 'what is my IP' check to return the ASA outside IP (3.3.3.3), all client internet traffic must flow through the VPN tunnel and out the ASA where PAT applies - requiring full tunnel mode.

Remote Access VPN

Question

Refer to the exhibit. An internal clients behind the ASA are port address translated to the public outside interface that has an IP address of 3.3.3.3. Client 1 and client 2 have established successful SSL VPN connections to the ASA. What must be implemented so that "3.3.3.3" is returned from a browser search on the IP address?

Options

  • ASame-security-traffic permit inter-interface under Group Policy
  • BExclude Network List Below under Group Policy
  • CTunnel All Networks under Group Policy
  • DTunnel Network List Below under Group Policy

How the community answered

(49 responses)
  • A
    29% (14)
  • B
    14% (7)
  • C
    49% (24)
  • D
    8% (4)

Why each option

For a browser 'what is my IP' check to return the ASA outside IP (3.3.3.3), all client internet traffic must flow through the VPN tunnel and out the ASA where PAT applies - requiring full tunnel mode.

ASame-security-traffic permit inter-interface under Group Policy

Same-security-traffic permit inter-interface controls traffic flow between ASA interfaces of the same security level and is unrelated to VPN split-tunnel behavior.

BExclude Network List Below under Group Policy

Exclude Network List Below is a split-tunnel option that excludes specific networks from the tunnel, sending internet traffic directly from the client without PAT through the ASA.

CTunnel All Networks under Group PolicyCorrect

Tunnel All Networks forces all client traffic, including internet-bound traffic, through the SSL VPN tunnel to the ASA. Once the traffic exits the ASA's outside interface, PAT translates the source to 3.3.3.3, so any IP-checking website returns that address. Without full tunneling, internet traffic bypasses the ASA entirely and reflects the client's own ISP-assigned IP.

DTunnel Network List Below under Group Policy

Tunnel Network List Below enables split tunneling for specific subnets only, meaning general internet traffic bypasses the VPN and the ASA's PAT, so the client's own public IP is returned instead of 3.3.3.3.

Concept tested: AnyConnect SSL VPN full tunnel vs split tunnel policy

Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-asa-vpn-sysopt.html

Topics

#SSL VPN#split tunneling#PAT#group policy

Community Discussion

No community discussion yet for this question.

Full 300-730 Practice