Exam 300-209 topic 1 question 73 discussion

Actual exam question from Cisco's 300-209

Question #: 73
Topic #: 1

Which option shows the correct traffic selectors for the child SA on the remote ASA, when the headquarter ASA initiates the tunnel?

A. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.20.0/0-192.168.20.255/65535
B. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 192.168.22.0/0-192.168.22.255/65535
C. Local selector 192.168.22.0/0-192.168.22.255/65535 Remote selector 192.168.33.0/0-192.168.33.255/65535
D. Local selector 192.168.33.0/0-192.168.33.255/65535 Remote selector 0.0.0.0/0 - 0.0.0.0/65535
E. Local selector 0.0.0.0/0 - 0.0.0.0/65535 Remote selector 192.168.22.0/0 -192.168.22.255/65535

Show Suggested Answer

Suggested Answer: B 🗳️
The traffic selector is used to determine which traffic should be protected (encrypted over the IPSec tunnel). We want this to be specific, otherwise Internet traffic will also be sent over the tunnel and most likely dropped on the remote side. Here, we just want to protect traffic from 192.168.33.0/24 (THE LOCAL SIDE) to
192.168.22.0/24 (THE REMOTE SIDE).

by depocu at Dec. 29, 2019, 12:17 a.m.

Comments

Submit Cancel

ubatubo

5 years, 5 months ago

Not all internet traffic will be tunneled with B option. (only 192.168.22.0 destination network) It must be D option for internet traffic tunneling (0.0.0.0 destination network)

upvoted 1 times

...

depocu

5 years, 6 months ago

How this setup will force internet traffic to go out from rremote ASA to HQ ASA. I think it sould be Local 192.168.33.0/ - Remote 0.0.0.0/0

upvoted 1 times

...