nerdexam
Cisco

352-001 · Question #160

Your company plans to implement an Internet gateway router that is performing NAT. This same gateway will be terminating various IPsec tunnels to other remote sites. Which address type is appropriate

The correct answer is B. inside global. When NAT and IPsec coexist on the same router, the crypto ACL must reference inside global (post-NAT) addresses because NAT translation occurs before the IPsec crypto map is evaluated in the outbound path.

Designing Security

Question

Your company plans to implement an Internet gateway router that is performing NAT. This same gateway will be terminating various IPsec tunnels to other remote sites. Which address type is appropriate for the ACL that will govern the sources of traffic entering the tunnel in the inside interface?

Options

  • Ainside local
  • Binside global
  • Coutside local
  • Doutside global

How the community answered

(65 responses)
  • A
    11% (7)
  • B
    63% (41)
  • C
    8% (5)
  • D
    18% (12)

Why each option

When NAT and IPsec coexist on the same router, the crypto ACL must reference inside global (post-NAT) addresses because NAT translation occurs before the IPsec crypto map is evaluated in the outbound path.

Ainside local

Inside local addresses are the pre-NAT private addresses; by the time the outbound crypto ACL is evaluated, these addresses have already been translated and would not match the packet headers.

Binside globalCorrect

On a router performing both NAT and IPsec, outbound traffic from the inside is NAT-translated first - converting inside local (private) addresses to inside global (public) addresses - before the crypto map ACL is evaluated; therefore the ACL defining interesting traffic for the IPsec tunnel must match inside global addresses to correctly select and encrypt the traffic.

Coutside local

Outside local addresses represent destination hosts as seen from inside the network, not the source addresses of traffic originating from inside that the crypto ACL must match.

Doutside global

Outside global addresses represent the actual routable addresses of external destination hosts, not the translated source addresses that the crypto ACL governing interesting traffic must identify.

Concept tested: NAT and IPsec coexistence crypto ACL address selection

Source: https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13702-ipsec-nat-preserve.html

Topics

#NAT IPsec interaction#inside global#crypto ACL#address translation

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice