Which option must be added to the configuration to make sure the users in the sales department cannot access the finance department server?

An engineer is configuring clientless SSL VPN. The finance department has a database server that only they should access, but the sales department can currently access it. The finance and the sales departments are configured as separate group-policies. Which option must be added to the configuration to make sure the users in the sales department cannot access the finance department server?
A. Web type ACL
B. Port forwarding
C. Tunnel group lock
D. VPN filter ACL


4 thoughts on “Which option must be added to the configuration to make sure the users in the sales department cannot access the finance department server?”

  1. Correct answer should be D – VPN Filter ACL.
    Group-lock restricts users by checking if the group configured in the VPN client is the same as the connection profile to which the user is assigned. If it is not, the ASA prevents the user from connecting. If you do not configure group-lock, the ASA authenticates users without regard to the assigned group (https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-groups.pdf)

    VPN Filters consist of rules that determine whether to allow or reject tunneled data packets that come through the security appliance, based on criteria such as source address, destination address, and protocol. You configure Access Control Lists (ACLs) in order to permit or deny various types of traffic. The filter can be configured on the group policy, username attributes, or Dynamic Access Policy (DAP).

    1. EDIT : Answer should be A. Web Type ACL (as the question is about clientless SSL VPN and not AnyConnect, webtype ACL can be used to achieve the same purpose as VPN Filter for client VPN).
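
The webtype ACL approach from the reply above, sketched as ASA configuration; this is an added example, not part of the original question or comments. The ACL name, group-policy name, hostname and address (SALES_WEB_ACL, SALES_GP, finance-db.example.internal, 192.0.2.10) are placeholders assumed for illustration.

```cisco
! Added example with constructed values: adjust names and addresses to the real environment.
! Webtype ACL for the sales group: block the finance database server by URL
! and by destination address, then permit every other clientless resource.
access-list SALES_WEB_ACL webtype deny url https://finance-db.example.internal/*
access-list SALES_WEB_ACL webtype deny tcp host 192.0.2.10
access-list SALES_WEB_ACL webtype permit url any

! Attach the ACL to the existing sales group policy. For clientless SSL VPN
! the filter is set in webvpn mode, not with the group-policy level vpn-filter.
group-policy SALES_GP attributes
 webvpn
  filter value SALES_WEB_ACL
```

The finance group policy is left without this filter, so only sales sessions are restricted; `show access-list SALES_WEB_ACL` shows hit counts for checking that the deny entries match.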
