
300-730 Question #66: Real Exam Question with Answer & Explanation

The correct answer is D: phase 3: UN-NAT. The ASA packet-tracer output reveals the SSL VPN connection fails at phase 3 (UN-NAT), meaning the ASA cannot find a reverse NAT rule for the incoming client traffic and drops the packet before any session is established.

Question

Refer to the exhibit. An SSL client is connecting to an ASA headend. The session fails with the message "Connection attempt has timed out. Please verify Internet connectivity." Based on how the packet is processed, which phase is causing the failure?

Options

  • A. phase 9: rpf-check
  • B. phase 5: NAT
  • C. phase 4: ACCESS-LIST
  • D. phase 3: UN-NAT

Explanation

The ASA packet-tracer output reveals the SSL VPN connection fails at phase 3 (UN-NAT), meaning the ASA cannot find a reverse NAT rule for the incoming client traffic and drops the packet before any session is established.

Common mistakes.

  • A. The rpf-check phase (phase 9) validates reverse path forwarding for the post-NAT address and occurs late in processing, well after the UN-NAT phase where this failure actually originates.
  • B. Phase 5 NAT handles forward translation of outbound source addresses and runs after the UN-NAT lookup, so it is never reached when the failure already occurred at phase 3.
  • C. Phase 4 ACCESS-LIST denials produce an explicit deny log entry rather than a connection timeout, and that phase occurs after the UN-NAT phase that is blocking traffic earlier in the pipeline.

Concept tested. ASA packet processing phases - UN-NAT failure

Reference. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98997-asa-packettracer-techsupport.html
