When configuring SSL VPN on the Cisco ASA appliance, which configuration step is required only for
Cisco AnyConnect full tunnel SSL VPN access and not required for clientless SSL VPN?
A. user authentication
B. group policy
C. IP address pool
D. SSL VPN interface
E. connection profile
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-2mt/sec-connsslvpnssl-vpn.html
Cisco AnyConnect VPN Client Full Tunnel Support
Remote Client Software from the SSL VPN Gateway
The Cisco AnyConnect VPN Client software package is pushed from the SSL VPN gateway to remote
clients when support is needed. The remote user (PC or device) must have either the Java Runtime
Environment for Windows (version 1.4 or later), or the browser must support or be configured to
permit ActiveX controls. In either scenario, the remote user must have local administrative
privileges.
Address Pool
The address pool is first defined with the ip local pool command in global configuration mode. The
standard configuration assumes that the IP addresses in the pool are reachable from a directly
connected network.
Address Pools for Nondirectly Connected Networks
If you need to configure an address pool for IP addresses from a network that is not directly
connected, perform the following steps:
1. Create a local loopback interface and configure it with an IP address and subnet mask from the
address pool.
2. Configure the address pool with the ip local pool command. The range of addresses must fall under
the subnet mask configured in Step 1.
3. Set up the route. If you are using the Routing Information Protocol (RIP), configure the router rip
command and then the network command, as usual, to specify a list of networks for the RIP process.
If you are using the Open Shortest Path First (OSPF) protocol, configure the ip ospf network
point-to-point command in the loopback interface. As a third choice (instead of using the RIP or OSPF
protocol), you can set up static routes to the network.
4. Configure the svc address-pool command with the name configured in Step 2.
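The following is an added example, not taken from the Cisco documentation: a small Python check that the address pool range falls inside the loopback subnet (Step 2) and that svc address-pool names a defined pool (Step 4). The sample configuration, including the names sslvpn-pool, example-ctx and example-policy and all addresses, is constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration (hypothetical names and addresses).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.20.30.1 255.255.255.0
 ip ospf network point-to-point
!
ip local pool sslvpn-pool 10.20.30.10 10.20.30.100
!
webvpn context example-ctx
 policy group example-policy
  svc address-pool sslvpn-pool
"""

def check_pools(config):
    """Return a list of problems; an empty list means the steps are consistent."""
    loopbacks, pools, refs, problems = [], {}, [], []
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line opens or closes a section
            m = re.match(r"interface (\S+)", line)
            current_if = m.group(1) if m else None
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current_if and current_if.lower().startswith("loopback"):
            # Step 1: subnet configured on the loopback interface
            loopbacks.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", line)
        if m:  # Step 2: pool name with first and last address
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        m = re.match(r'svc address-pool "?([^"\s]+)"?', line)
        if m:  # Step 4: pool name referenced by the policy group
            refs.append(m.group(1))
    for name, (first, last) in pools.items():
        if not any(first in net and last in net for net in loopbacks):
            problems.append(f"pool {name} ({first}-{last}) is outside every loopback subnet")
    for name in refs:
        if name not in pools:
            problems.append(f"svc address-pool references undefined pool {name}")
    return problems

if __name__ == "__main__":
    print(check_pools(SAMPLE_CONFIG) or "pool configuration is consistent")
```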
Manual Entry to the IP Forwarding Table
If the SSL VPN software client is unable to update the IP forwarding table on the PC of the remote
user, the following error message will be displayed in the router console or syslog:
Error : SSL VPN client was unable to Modify the IP forwarding table ……
This error can occur if the remote client does not have a default route. You can work around this
error by performing the following steps:
1. Open a command prompt (DOS shell) on the remote client.
2. Enter the route print command.
3. If a default route is not displayed in the output, enter the route command followed by the add and
mask keywords. Include the default gateway IP address at the end of the route statement. See the
following example:
C:\>route ADD 0.0.0.0 MASK 0.0.0.0 10.1.1.1