Exam 300-710 topic 1 question 300 discussion

The answer is definitely B. I completely agree with Alex_morgan. I'd like to add something. First of all, the “incorrect proxy ARP configuraiton” is specifically the “Do not proxy ARP on Destination Interface” checkbox in the Advanced tab of the FMC's NAT policy. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config -76/interfaces-settings-nat.html#:~:text=Do%20not%20proxy%20ARP%20on%20Destination%20Interface As an example, this option is used when identity NAT is used to identify VPN traffic. In that case, if this checkbox is not turned on, the local LAN will attempt to respond to ARP even for requests that can be handled by the local LAN.

Disable proxy ARP in Advanced setting NAT rules.

Additional details By default, all ARP packets are allowed between bridge group members. You can control the flow of ARP packets by enabling ARP inspection. ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/platform_settings_for_firepower_threat_defense.html#:~:text=all%20ARP%20packets%20are%20allowed%20between%20bridge%20group%20members.

Agree it should be A

My choice is "ACP for ARP inside to inside". I guess that NAT is not usually implemented between inside and inside.