
300-730 Question #47: Real Exam Question with Answer & Explanation

The correct answer is D: The VPN IP address pool can overlap with the rest of the LAN networks. In a Cisco AnyConnect SSL VPN design, DTLS can be enabled for better performance and the VPN IP pool is permitted to overlap with internal LAN subnets.

Question

Which two statements are true when designing a SSL VPN solution using Cisco AnyConnect? (Choose two.)

Options

  • A. The VPN server must have a self-signed certificate.
  • B. A SSL group pre-shared key must be configured on the server.
  • C. Server side certificate is optional if using AAA for client authentication.
  • D. The VPN IP address pool can overlap with the rest of the LAN networks.
  • E. DTLS can be enabled for better performance.

Explanation

In a Cisco AnyConnect SSL VPN design, DTLS can be enabled for better performance and the VPN IP pool is permitted to overlap with internal LAN subnets.

Common mistakes.

  • A. A self-signed certificate is not required - Cisco best practice requires a CA-signed certificate on the ASA to prevent client trust warnings, and self-signed certs are discouraged in production AnyConnect deployments.
  • B. SSL group pre-shared keys are not part of AnyConnect SSL VPN design - pre-shared keys are used in IPsec IKE phase 1 negotiations and have no equivalent role in SSL/TLS-based VPN connections.
  • C. The server-side certificate is not optional even when AAA handles client authentication - TLS requires the server to present a certificate to complete the SSL handshake regardless of the client authentication method selected.

Concept tested. Cisco AnyConnect SSL VPN design with DTLS and IP pool overlap

Reference. https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-anyconnect.html
