You work as a network administrator at Domain.com. The Domain.com network uses an IP proxy that provides Network Address Translation (NAT). You have implemented IPSec for all Internet-bound traffic; however, Internet access is now no longer possible. What is the cause of this problem?
A. Network Address Translation (NAT) does not work with IPSec.
B. The IP proxy is blocking egress and ingress traffic on port 80.
C. The IP proxy is blocking egress and ingress traffic on port 1293.
D. The IP proxy is blocking egress and ingress traffic on port 8080.
Explanation:
Network Address Translation (NAT) is not compatible with IPSec because NAT changes the IP address in the IP header of each packet. IPSec does not allow this and drops the packet.
Incorrect Answers:
B: Port 80 is used for HTTP traffic. However, Internet access was possible before the switch to IPSec. Therefore the problem does not lie with port blocking.
C: Port 1293 is used for IPSec traffic. If this port is blocked, IPSec traffic would not pass. However, the problem here is that Network Address Translation (NAT) changes the IP address in the IP header of each packet, which is not permitted in IPSec.
D: Port 8080 is an alternate port for HTTP and is commonly used for proxy servers. However, the problem here is that Network Address Translation (NAT) changes the IP address in the IP header of each packet, which is not permitted in IPSec.
References:
David Groth and Toby Skandier, Network+ Study Guide (4th Edition), Sybex, Alameda CA, 2005, pp. 134-13, 142-144.