Exam 300-730 topic 1 question 61 discussion

Web ACLs allow administrators to control the resources users are able to access when making access requests through a clientless SSL VPN.

Web ACLs allow administrators to control the resources users are able to access when making access requests through a clientless SSL VPN.

"D". To ensure that users in the sales department cannot access the finance department server in a clientless SSL VPN setup, a webtype ACL (Access Control List) must be added to the configuration. A webtype ACL is used to define specific access controls for clientless SSL VPN users. It allows you to control and restrict the resources that users can access through the SSL VPN portal. By creating a webtype ACL and applying it to the appropriate group-policy associated with the sales department, you can explicitly deny access to the finance department server. This ACL will prevent users in the sales department from reaching the finance department server even though they are configured under separate group-policies. On the other hand, "tunnel group lock" is not directly related to restricting access to specific resources. It is a feature that allows you to lock a user to a specific tunnel group, ensuring that the user always connects to that particular tunnel group. Therefore, the correct approach to prevent users in the sales department from accessing the finance department server in a clientless SSL VPN setup is to use a webtype ACL.

The correct answer is D. webtype ACL ! User Anonymous983475 says: But if we use only one ACL and the user can access another tunnel group, he will have the access according to the other tunnel group. That's not quite right, because we can assign a specific group policy to the remote users that prevents access even if he uses a different tunnel group: ASA(config)# access-list WebACL_SALES_DEPARTMENT webtype permit url http://192.168.10.100 log default ASA(config)# access-list WebACL_FINANCE_DEPARTMENT webtype permit url http://192.168.20.100 log default ASA(config)# group-policy sales_department internal ASA(config)# group-policy sales_department attributes ASA(config-group-policy)# vpn-tunnel-protocol ssl-clientless ASA(config-group-policy)# webvpn ASA(config-group-webvpn)# filtervalue WebACL_SALES_DEPARTMENT ASA(config)# username RemoteUser1 password xxx ASA(config)# username RemoteUser1 attribute ASA(config-username)# vpn-group-policy sales_department

Database access doesn't seem to be controlled by webtype ACL's... We can't know because it doesn't state which protocol is used. So I'd choose answer A.

A should be correct, we want to restrict users to access certain host. But if we only use an ACL and user can access another tunnel group they will have the access as per the other tunnel-group.

D is the only correct answer

D is correct https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/acl-webtype.html

It is A https://www.youtube.com/watch?v=I5gbHC-stm4

Agree. D

Agree. D is correct through use of webtype ACLs.

Excuse me. The correct answer is D Web type ACL Reference https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/acl-webtype.pdf

A is correct. Reference https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/acl-webtype.pdf