300-730 Question #65: Real Exam Question with Answer & Explanation
The correct answer is B: same-security-traffic permit intra-interface.
Question
Refer to the exhibit. Client 1 cannot communicate with client 2. Both clients are using Cisco AnyConnect and have established a successful SSL VPN connection to the hub ASA. Which command on the ASA is missing?
Options
- A. dns-server value 10.1.1.2
- B. same-security-traffic permit intra-interface
- C. same-security-traffic permit inter-interface
- D. dns-server value 10.1.1.3
Explanation
Both AnyConnect clients terminate their SSL VPN sessions on the same ASA outside interface, so traffic from client 1 to client 2 enters and must exit through that one interface (a hairpin). The ASA denies such intra-interface traffic by default; the 'same-security-traffic permit intra-interface' command enables it, which is why option B is the missing command.
Common mistakes:
- A. Configuring a DNS server address of 10.1.1.2 affects name resolution for VPN clients but does not resolve the Layer 3 packet forwarding restriction that prevents client-to-client communication.
- C. The 'same-security-traffic permit inter-interface' command allows traffic between two different interfaces that share the same security level, which is unrelated to the intra-interface hairpin issue affecting both clients on the same outside interface.
- D. Adding a DNS server value of 10.1.1.3 addresses name resolution configuration, not the ASA's default behavior of blocking traffic that enters and exits the same interface.
Concept tested: ASA intra-interface hairpinning for AnyConnect client-to-client traffic