Which of the following can be done to resolve this problem?

After implementing the IKEv2 tunnel, it was observed that remote users on the 192.168.33.0/24 network are unable to access the internet. Which of the following can be done to resolve this problem?
A. Change the Diffie-Hellman group on the headquarter ASA to group5 for the dynamic crypto map
B. Change the remote traffic selector on the remote ASA to 192.168.22.0/24
C. Change to an IKEv1 configuration since IKEv2 does not support a full tunnel with static peers
D. Change the local traffic selector on the headquarter ASA to 0.0.0.0/0
E. Change the remote traffic selector on the headquarter ASA to 0.0.0.0/0


4 thoughts on “Which of the following can be done to resolve this problem?”

  1. Rogue is correct. The answer is D.

    The dump explanation is basic encryption domain, but the scenario clearly stated traffic including internet, so if you don’t change the local traffic selector to 0.0.0.0 or ANY then internet traffic won’t traverse the tunnel. I’ve set up a remote ASA before and had to send ALL traffic to the main branch. I had to set the encryption domain to ANY.

    Good luck and pay high attention to details!!!

  2. D is the correct answer, as the returning internet traffic for users at the remote site needs to be sent out via the tunnel to them. For that reason the remote selector should be set to any, which is 0.0.0.0/0. If read carefully, option B only allows remote users to reach HQ VLAN 33 users. They will not be able to go anywhere else via the tunnel, and the returning internet traffic on the HQ ASA will be dropped.

  3. Technically, if you read the Scenario, D is technically the correct answer. In a different scenario exactly B would be correct, but here’s what the Scenario says, “For security reasons, all traffic from the remote site must be sent across the tunnel, including traffic destined to the Internet” Therefore, D.
