352-001 Question #292: Real Exam Question with Answer & Explanation

The correct answer is A: NAT. IPsec Authentication Header (AH) authenticates the entire IP packet including the IP header, making it incompatible with NAT, which modifies the source IP address and breaks the integrity check.

Question

What should be taken into consideration when designing IPsec networks using Authentication Header (AH)?

Options

  • A. NAT
  • B. transform set
  • C. crypto maps
  • D. ISAKMP

Explanation

IPsec Authentication Header (AH) authenticates the entire IP packet including the IP header, making it incompatible with NAT, which modifies the source IP address and breaks the integrity check.
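The check described above, as an added example that is not part of the original page or of the referenced Cisco document: a Python model of the AH integrity check value (ICV) per RFC 4302, using HMAC-SHA1-96. Mutable IPv4 fields such as TTL are zeroed before the ICV is computed and the source address is not, so a routed packet still verifies while a NAT-rewritten one fails. The key, addresses, SPI and payload are constructed sample values, and the helper names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

def ipv4_header(src, dst, ttl, payload_len, proto=51):
    """20-byte IPv4 header, no options; protocol 51 = AH. Checksum left 0 here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_header(spi, seq, next_hdr=6):
    """24-byte AH header with the 12-byte ICV field zeroed, as used for ICV input."""
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + b"\x00" * 12

def ah_icv(key, ip_hdr, ah_hdr, payload):
    """HMAC-SHA1-96 over the IP header with mutable fields zeroed, AH, and payload."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP+ECN: mutable in transit
    h[6:8] = b"\x00\x00"      # flags + fragment offset: mutable
    h[8] = 0                  # TTL: decremented by every router
    h[10:12] = b"\x00\x00"    # header checksum: recomputed at each hop
    # Source and destination addresses stay in the input: they are covered.
    return hmac.new(key, bytes(h) + ah_hdr + payload, hashlib.sha1).digest()[:12]

def verify(key, ip_hdr, ah_hdr, payload, icv):
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_hdr, payload), icv)

def rewrite(ip_hdr, src=None, ttl=None):
    """Model an on-path device: a router changes TTL, a NAT changes the source."""
    h = bytearray(ip_hdr)
    if ttl is not None:
        h[8] = ttl
    if src is not None:
        h[12:16] = socket.inet_aton(src)
    return bytes(h)

def demo():
    key = b"constructed-demo-key"                 # constructed sample SA key
    payload = b"constructed upper-layer payload"  # constructed sample data
    ah = ah_header(spi=0x1000, seq=1)
    sent = ipv4_header("10.0.0.5", "203.0.113.10", 64, len(ah) + len(payload))
    icv = ah_icv(key, sent, ah, payload)          # sender computes the ICV
    routed = rewrite(sent, ttl=63)                        # plain routing hop
    natted = rewrite(sent, src="198.51.100.7", ttl=63)    # hop through NAT
    return {name: verify(key, hdr, ah, payload, icv)
            for name, hdr in (("sent", sent), ("routed", routed), ("natted", natted))}

if __name__ == "__main__":
    print(demo())
```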

Common mistakes.

  • B. Transform sets define which encryption and hashing algorithms are used in IPsec but are not a compatibility concern specific to AH.
  • C. Crypto maps are a configuration construct for applying IPsec policies and are not a design concern unique to AH.
  • D. ISAKMP governs IKE phase 1 key exchange and applies equally to both AH and ESP, so it is not a specific consideration for AH.

Concept tested. IPsec AH incompatibility with NAT

Reference. https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/6907-ah-nat.html
