SNCF — Securing Networks with Firepower — Question 146
A network administrator is configuring a site-to-site IPsec VPN to a router sitting behind a Cisco FTD. The administrator has configured an access policy to allow traffic to this device on UDP 500, 4500, and ESP. VPN traffic is not working. Which action resolves this issue?
Answer options
- A. Change the access policy to allow all ports.
- B. Enable IPsec Inspection on the access policy.
- C. Set the allow action in the access policy to trust.
- D. Modify the NAT policy to use the interface PAT.
Correct answer: C
Explanation
The correct action is to change the rule action in the access policy from allow to trust, which lets the security appliance handle the VPN traffic properly. The other options either open unnecessary ports, do not address inspection requirements, or do not relate to the trust level needed for VPN traffic.