Exam 300-710 topic 1 question 196 discussion

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/216180-troubleshoot-common-anyconnect-communica.pdf see section: AnyConnect clients cannot communicate between each other that leaves us with A and B, I would go for A, the way B is formulated "Split tunneling is enabled for the Remote Access VPN on FTD" is a bit odd, the fact that split tunnel is enabled is not a problem, but if you tunnel specific networks you need to make sure the VPN pool addresses in the Split-Tunnel ACL.

Read my comment below for a full explanation, but it is without a doubt 100% A. But the test bank I bought swears it is C, but its wrong. Hairpinning is not a feature but a normal part of NAT, just written in a specific way of (outside,outside).

The answer is without a doubt A. I've set many of these up on ASAs and FTDs alike all the way back to the ASA w/ Firepower sensors and even set one up like a month ago. I've even had a ticket at work about this exact problem, audio between Anyconnect users. It is not a "feature" but just a normal part of NAT, setting it up with nat (outside,outside) instead of the standard nat (inside,outside). However, the test banks I've studied always say the answer is C, but that is not correct. Never been more sure of anything in my life. Sometimes Cisco asks questions in a weird way to intentionally confuse you to the wrong answer, but I'm not seeing it in this one.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215875-configure-anyconnect-vpn-client-on-ftd.html#toc-hId-809586599

C is correct.

Not C because it is a feature enabled by default

Step 2. Hairpin Configuration Also known as U-turn, this is a translation method that allows the traffic to flow over the same interface the traffic is received on. https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215875-configure-anyconnect-vpn-client-on-ftd.html

A, B and C are all valid answers. A: If you do not have NO-NAT policy, outside to outside traffic will be NAT-ed to outside interface B: If you have split tunneling, then you are only allowed to specific subnets in ACL. Here I'm not sure if traffic from same subnet ( IP pool for DHCP) is allowed C: ASA does not line same traffic entering outside interface and at the same time exiting interface, to combat this problem, Hairpining must be enabled. To be honest, I'd go with A here.

Definatley A …packets to other users in the RAVPN pool will be NATed to interface IP ( for example) and they will never reach the other RAVPN users.

I'd go with B. If you have split tunel, than only LAN networks are working.

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/firepower_threat_defense_remote_access_vpns.html

The cause of this issue is likely option B, which is that split tunneling is enabled for the Remote Access VPN on FTD. Split tunneling allows the remote user's traffic to be split between the corporate network and the Internet. This means that when a remote user is on a call with another remote user using their softphone, the audio traffic may be sent directly between the two remote users and not through the corporate network. If split tunneling is enabled, the audio traffic would not be routed through the corporate network and would fail to reach the remote users. To resolve this issue, the network administrator should disable split tunneling on the Remote Access VPN configuration in the FTD device. This will force all traffic to be routed through the corporate network, allowing the audio traffic to reach the remote users.

A is correct. Hairpinning is not a "feature" but a configuration that needs some steps on the ASA, less on the FTD. Here you just have to have the no-nat and a acp allowing the traffic. NAT is correct.

I think C is the answer, here is an explanation for the hairpinning feature: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215875-configure-anyconnect-vpn-client-on-ftd.html#anc14:~:text=NAT%20exemption%20configuration.-,Step%202.%20Hairpin%20Configuration,turn)%20is%20responsible%20to%20route%20the%20traffic%20from%20outside%20to%20outside.,-A%20VPN%20pool

its D, see: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/firepower_threat_defense_site_to_site_vpns.html#:~:text=Enable%20Spoke%20to%20Spoke%20Connectivity%20through%20Hub%E2%80%94Disabled%20by%20default.%20Choosing%20this%20field%20enables%20the%20devices%20on%20each%20end%20of%20the%20spokes%20to%20extend%20their%20connection%20through%20the%20hub%20node%20to%20the%20other%20device.