nerdexam
Cisco

352-001 · Question #292

What should be taken into consideration when designing IPsec networks using Authentication Header (AH)?

The correct answer is A. NAT. IPsec Authentication Header (AH) authenticates the entire IP packet including the IP header, making it incompatible with NAT, which modifies the source IP address and breaks the integrity check.

Designing Security

Question

What should be taken into consideration when designing IPsec networks using Authentication Header (AH)?

Options

  • ANAT
  • Btransform set
  • Ccrypto maps
  • DISAKMP

How the community answered

(24 responses)
  • A
    92% (22)
  • C
    4% (1)
  • D
    4% (1)

Why each option

IPsec Authentication Header (AH) authenticates the entire IP packet including the IP header, making it incompatible with NAT, which modifies the source IP address and breaks the integrity check.

ANATCorrect

AH provides integrity and authentication by computing a hash over the entire IP packet, including immutable fields in the IP header such as source and destination addresses. Network Address Translation modifies the source IP address in transit, which invalidates the AH integrity check and causes the receiving peer to discard the packet. This fundamental incompatibility means NAT must be considered - and typically avoided or replaced with NAT-T using ESP - in any AH-based IPsec design.

Btransform set

Transform sets define which encryption and hashing algorithms are used in IPsec but are not a compatibility concern specific to AH.

Ccrypto maps

Crypto maps are a configuration construct for applying IPsec policies and are not a design concern unique to AH.

DISAKMP

ISAKMP governs IKE phase 1 key exchange and applies equally to both AH and ESP, so it is not a specific consideration for AH.

Concept tested: IPsec AH incompatibility with NAT

Source: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/6907-ah-nat.html

Topics

#IPsec AH#NAT incompatibility#VPN design#Authentication Header

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice