Referring to the network diagram and the R1 router configurations shown in the exhibit, why are remote users using the Cisco VPN software client not able to reach the 172.16.0.0 networks behind R1 once they successfully VPN into R1?
A. Reverse Route Injection (RRI) is not enabled on R1
B. The R1 configuration is missing the crypto ACL
C. The ACL 100 on R1 is misconfigured.
D. The Cisco VPN software client does not support DH group 2
E. The dynamic crypto map on R1 is misconfigured.
Explanation:
A is incorrect because the Cisco VPN client does support DH Group 2.
B is incorrect because
Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities. Each route is created on the basis of the remote proxy network and mask, with the next hop to this network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN) router as the next hop, the traffic is forced through the crypto process to be encrypted.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_rrie.htm
C is incorrect because the crypto ACL is not missing.
The Crypto Access Check on Clear-Text Packets feature removes the checking of clear-text packets that go through the IP Security (IPSec) tunnel just prior to encryption or just after decryption. The clear-text packets were checked against the outside physical interface access control lists (ACLs). This checking was often referred to as a double ACL check. This feature enables easier configuration of ACLs and eliminates the security risks that are associated with a double check when using dynamic crypto maps.
crypto map map-name seq-number
Example:
Router(config)# crypto map vpn1 10
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_8/gt_crpks.htm
D is incorrect because the dynamic crypto map is not misconfigured.
http://www.cisc.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/icike.htm
E is correct because the ACL is not applied to an interface
What's wrong with ACL 100?
It highlights answer C but the explanation states E is correct.
Well, the explanation is for the ACL, but the options are all messed up. I have a dump where the ACL option is E, so it's like this. This is the correct list of answers according to the explanation:
A. The Cisco VPN software client does not support DH group 2
B. Reverse Route Injection (RRI) is not enabled on R1
C. The R1 configuration is missing the crypto ACL
D. The dynamic crypto map on R1 is misconfigured.
E. The ACL 100 on R1 is misconfigured.