ExamTopics Logo
Mail Us[email protected]
Menu
Cisco Discussions
exam questions

Exam 300-710 All Questions

View all questions & answers for the 300-710 exam
Go to Exam

Exam 300-710 topic 1 question 300 discussion

Actual exam question from Cisco's 300-710
Question #: 300
Topic #: 1
[All 300-710 Questions]

A network administrator is deploying a new Cisco Secure Firewall Threat Defense (FTD) firewall. After Cisco Secure FTD is deployed, inside clients have intermittent connectivity to each other. When reviewing the packet capture on the Secure FTD firewall, the administrator sees that Secure FTD is responding to all the ARP requests on the inside network. Which action must the network administrator take to resolve the issue?

  • A. Review the access policy and verify that ARP is allowed from inside to inside.
  • B. Review NAT policy and disable incorrect proxy ARP configuration.
  • C. Convert the FTD to transparent mode to allow ARP requests.
  • D. Hardcode the MAC address of the FTD to IP mapping on client machines.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by gwb at March 26, 2024, 12:27 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
d0980cc
2 weeks, 3 days ago
Selected Answer: C
The issue could be related to NAT and proxy ARP to destination interface (outbound), but the issue is with inside client to client. Therefore since it's a new deployment, I'd change it to Transparent Mode. I choose C
upvoted 1 times
...
tinyJoe
3 months, 3 weeks ago
Selected Answer: B
The answer is definitely B. I completely agree with Alex_morgan. I'd like to add something. First of all, the “incorrect proxy ARP configuraiton” is specifically the “Do not proxy ARP on Destination Interface” checkbox in the Advanced tab of the FMC's NAT policy. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config -76/interfaces-settings-nat.html#:~:text=Do%20not%20proxy%20ARP%20on%20Destination%20Interface As an example, this option is used when identity NAT is used to identify VPN traffic. In that case, if this checkbox is not turned on, the local LAN will attempt to respond to ARP even for requests that can be handled by the local LAN.
upvoted 3 times
...
Alex_morgan
7 months, 2 weeks ago
Selected Answer: B
Disable proxy ARP in Advanced setting NAT rules.
upvoted 2 times
...
Doris8000
8 months, 3 weeks ago
Additional details By default, all ARP packets are allowed between bridge group members. You can control the flow of ARP packets by enabling ARP inspection. ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/platform_settings_for_firepower_threat_defense.html#:~:text=all%20ARP%20packets%20are%20allowed%20between%20bridge%20group%20members.
upvoted 1 times
...
Doris8000
8 months, 3 weeks ago
Agree it should be A
upvoted 1 times
...
gwb
1 year, 1 month ago
My choice is "ACP for ARP inside to inside". I guess that NAT is not usually implemented between inside and inside.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago