
CAS-002 Question #830: Real Exam Question with Answer & Explanation

The correct answer is A: Add a permit statement to allow traffic from 192.168.5.0/24 to the VPN network. In active FTP the server opens the data connection back to the client, and the router ACL permits only 192.168.5.1/32, not the FTP server at 192.168.5.11, to send traffic toward the VPN network, so the server-initiated data connection is dropped.

Question

VPN users cannot access the active FTP server through the router but can access any server in the data center.

Additional network information:
  DMZ network    - 192.168.5.0/24 (FTP server is 192.168.5.11)
  VPN network    - 192.168.1.0/24
  Datacenter     - 192.168.2.0/24
  User network   - 192.168.3.0/24
  HR network     - 192.168.4.0/24

Traffic shaper configuration:
  VLAN     Bandwidth Limit (Mbps)
  VPN      50
  User     175
  HR       250
  Finance  250
  Guest    0

Router ACL:
  Action  Source          Destination
  Permit  192.168.1.0/24  192.168.2.0/24
  Permit  192.168.1.0/24  192.168.3.0/24
  Permit  192.168.1.0/24  192.168.5.0/24
  Permit  192.168.2.0/24  192.168.1.0/24
  Permit  192.168.3.0/24  192.168.1.0/24
  Permit  192.168.5.1/32  192.168.1.0/24
  Deny    192.168.4.0/24  192.168.1.0/24
  Deny    192.168.1.0/24  192.168.4.0/24
  Deny    any             any

Which of the following solutions would allow the users to access the active FTP server?

Options

  • A. Add a permit statement to allow traffic from 192.168.5.0/24 to the VPN network
  • B. Add a permit statement to allow traffic to 192.168.5.1 from the VPN network
  • C. IPS is blocking traffic and needs to be reconfigured
  • D. Configure the traffic shaper to limit DMZ traffic
  • E. Increase bandwidth limit on the VPN network

Explanation

In active mode (RFC 959), the client opens the control connection to the server on TCP port 21 and sends a PORT command announcing an address and port on the client side; the server then opens the data connection from its port 20 to that client port. The control connection from 192.168.1.0/24 to 192.168.5.0/24 matches the third permit, but the data connection is a new flow that originates at 192.168.5.11 and is bound for 192.168.1.0/24. The only permit for traffic sourced in the DMZ toward the VPN network is for 192.168.5.1/32 (presumably the DMZ gateway address), so the server-initiated data connection falls through to the final deny any any and every directory listing or file transfer stalls. Adding a permit for 192.168.5.0/24 to 192.168.1.0/24 ahead of the final deny lets the server complete the data connection. If the ACL is stateless rather than session-aware, replies from 192.168.5.11 on the control connection are dropped by the same missing rule, and the same added permit fixes both. In practice a narrower permit for 192.168.5.11/32 alone, or switching clients to passive mode so that both connections originate on the VPN side, would restore access with less exposure, but of the options offered only A corrects the problem.

Common mistakes.

  • B. Option B adds a rule in the VPN-to-DMZ direction, which the third entry (192.168.1.0/24 to 192.168.5.0/24) already covers, and it targets the gateway address 192.168.5.1 rather than the FTP server. It does nothing for the server-initiated data connection from 192.168.5.11 toward the VPN network, which is the flow being denied.
  • C. No IPS device is referenced anywhere in the provided network configuration, so IPS misconfiguration is not a supported conclusion from the given evidence.
  • D. Limiting DMZ bandwidth with the traffic shaper would only slow traffic that is already permitted; it cannot restore connectivity, because the issue is a missing ACL permit, not congestion.
  • E. VPN users can already reach the datacenter (192.168.2.0/24) through the same 50 Mbps limit, which shows that the VPN bandwidth cap is not what blocks FTP access.
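The ACL evaluation and the active-versus-passive connection directions described above, as an added example that is not part of the original page: a small Python model of the router ACL and of the two connections an FTP session opens. It assumes top-down first-match evaluation, a session-aware router so that only the packet initiating each connection is checked against the ACL, and a constructed VPN client address of 192.168.1.10. It also goes beyond the question by checking passive mode, in which both connections originate at the client and the existing ACL already suffices.

```python
import ipaddress

# Router ACL exactly as listed in the question, evaluated top-down, first match wins.
# "any" is written as 0.0.0.0/0.
ROUTER_ACL = [
    ("permit", "192.168.1.0/24", "192.168.2.0/24"),
    ("permit", "192.168.1.0/24", "192.168.3.0/24"),
    ("permit", "192.168.1.0/24", "192.168.5.0/24"),
    ("permit", "192.168.2.0/24", "192.168.1.0/24"),
    ("permit", "192.168.3.0/24", "192.168.1.0/24"),
    ("permit", "192.168.5.1/32", "192.168.1.0/24"),
    ("deny",   "192.168.4.0/24", "192.168.1.0/24"),
    ("deny",   "192.168.1.0/24", "192.168.4.0/24"),
    ("deny",   "0.0.0.0/0",      "0.0.0.0/0"),
]

VPN_CLIENT = "192.168.1.10"   # constructed: any host in the VPN network
FTP_SERVER = "192.168.5.11"   # from the question


def acl_action(acl, src, dst):
    """Return the action of the first ACL entry matching src -> dst (implicit deny if none)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def ftp_connections(client, server, mode):
    """Connections an FTP session opens, as (name, initiator, responder).

    Active (RFC 959 PORT): the client opens control to server:21, then the server
    opens the data connection from port 20 back to the client.
    Passive (PASV): both connections are opened by the client.
    """
    control = ("control", client, server)
    if mode == "active":
        data = ("data", server, client)
    elif mode == "passive":
        data = ("data", client, server)
    else:
        raise ValueError(f"unknown FTP mode {mode!r}")
    return [control, data]


def evaluate_session(acl, client, server, mode):
    """Map each FTP connection to the ACL verdict on the packet that opens it.

    Assumption: the router tracks established sessions, so only the initiating
    direction of each connection is checked against the ACL.
    """
    return {name: acl_action(acl, src, dst)
            for name, src, dst in ftp_connections(client, server, mode)}


def apply_option(acl, option):
    """Return a copy of the ACL with the exam option's permit inserted before the final deny any any."""
    extra = {
        "A": ("permit", "192.168.5.0/24", "192.168.1.0/24"),  # DMZ -> VPN (the missing direction)
        "B": ("permit", "192.168.1.0/24", "192.168.5.1/32"),  # VPN -> DMZ gateway (already covered)
    }[option]
    return acl[:-1] + [extra] + acl[-1:]


if __name__ == "__main__":
    variants = [("original", ROUTER_ACL),
                ("option A", apply_option(ROUTER_ACL, "A")),
                ("option B", apply_option(ROUTER_ACL, "B"))]
    for label, acl in variants:
        print(f"{label:9} active : {evaluate_session(acl, VPN_CLIENT, FTP_SERVER, 'active')}")
    print(f"original  passive: {evaluate_session(ROUTER_ACL, VPN_CLIENT, FTP_SERVER, 'passive')}")
```

Running it shows the control connection permitted and the data connection denied under the original ACL and under option B, both permitted after option A, and both already permitted in passive mode, which is why the page's explanation singles out the server-initiated data channel.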

Concept tested. Active FTP data channel direction and ACL return traffic rules

Reference. https://www.rfc-editor.org/rfc/rfc959
