CCNP Security Question of the Week

A user has called the helpdesk for a VPN-related issue. While at a coffee shop, the user attempted to connect to the VPN using the IPsec client and failed. In other locations, the user can successfully connect. Which of the following settings would more than likely allow the user to access the VPN while at this coffee shop?

  1. Enable IPsec over TCP
  2. Disable group authentication
  3. Enable DTLS
  4. Change the port number that the IPsec tunnel listens on at the head end ASA

The correct answer is 1.

In many environments, public hotspots included, Port Address Translation (PAT) is used to put many users behind a single public IP address. PAT works by rewriting the source port of each flow, but ESP (IP protocol 50) carries a Security Parameter Index rather than port numbers, so native IPsec traffic cannot be multiplexed through a PAT device. Two workarounds exist: NAT Traversal (NAT-T, RFC 3947/3948), which encapsulates ESP in UDP on port 4500, and the Cisco proprietary IPsec over TCP, which carries the tunnel inside a TCP session (port 10000 by default). NAT-T is negotiated automatically when a NAT is detected between the client and the ASA; where the hotspot also filters UDP 4500, IPsec over TCP is the remaining option, and it must be enabled on both the client and the head end ASA.

The other options do not address the problem. DTLS belongs to the AnyConnect SSL VPN, not the IPsec client; group authentication has no bearing on whether the tunnel can cross the hotspot's NAT; and changing the port the ASA listens on does nothing while the client is still sending native ESP, which has no port to change.
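To make the mechanism concrete, the following is an added example (not code from the original article or from Cisco) that models a PAT device in Python. The model assumes PAT keys its translations on protocol, inside address and inside source port, and that an ESP packet has no port field; the addresses and port numbers are constructed sample values. It shows a native ESP packet being undeliverable, the same payload succeeding when wrapped in UDP 4500 (NAT-T) or TCP 10000 (IPsec over TCP), and two inside hosts being kept apart by their translated ports.

```python
"""Toy model of why native ESP fails behind PAT while NAT-T and IPsec over TCP work.

Added illustration, not part of the original article. Assumptions: PAT keys
translations on (protocol, inside IP, inside port); ESP carries an SPI and no ports.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50  # IP protocol number for ESP; no transport header, hence no ports
UDP = 17
TCP = 6


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for ESP: there is nothing to rewrite
    dst_port: Optional[int] = None


class PatDevice:
    """Port Address Translation: many inside hosts share one public IP,
    told apart on the return path by the rewritten source port."""

    def __init__(self, public_ip: str, first_port: int = 20000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[Tuple[int, str, int], int] = {}

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_port is None:
            # No port to allocate: a second inside host sending ESP would be
            # indistinguishable from the first, so the flow cannot be mapped.
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip,
                      self.table[key], pkt.dst_port)


def esp_native(client_ip: str, asa_ip: str) -> Packet:
    """Plain ESP, as sent when no encapsulation is negotiated."""
    return Packet(ESP, client_ip, asa_ip)


def esp_nat_t(client_ip: str, asa_ip: str) -> Packet:
    """ESP encapsulated in UDP 4500 (NAT-T)."""
    return Packet(UDP, client_ip, asa_ip, 4500, 4500)


def esp_over_tcp(client_ip: str, asa_ip: str, client_port: int) -> Packet:
    """ESP carried inside a TCP session to the ASA's default port 10000."""
    return Packet(TCP, client_ip, asa_ip, client_port, 10000)


def try_connect(pat: PatDevice, pkt: Packet) -> str:
    out = pat.translate(pkt)
    if out is None:
        return "dropped: no port to translate"
    return f"ok: {out.src_ip}:{out.src_port} -> {out.dst_ip}:{out.dst_port}"


if __name__ == "__main__":
    # Constructed sample values: hotspot public IP, two laptops, one ASA.
    hotspot = PatDevice("203.0.113.1")
    asa = "198.51.100.10"
    print("native ESP   ", try_connect(hotspot, esp_native("10.0.0.5", asa)))
    print("NAT-T host A ", try_connect(hotspot, esp_nat_t("10.0.0.5", asa)))
    print("NAT-T host B ", try_connect(hotspot, esp_nat_t("10.0.0.6", asa)))
    print("IPsec/TCP    ", try_connect(hotspot, esp_over_tcp("10.0.0.5", asa, 51000)))
```

Run as a script it prints one line per attempt; the native ESP attempt is the only one reported as dropped, and the two NAT-T hosts receive distinct translated ports even though both use UDP 4500 on the inside.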

Related Courses:
ASAE — ASA Essentials
FIREWALL — Deploying Cisco ASA Firewall Solutions
VPN — Deploying Cisco ASA VPN Solutions
CCNP Security — Cisco Certified Network Professional Security
