NAT Solution - Quiz Explanation

NAT Solution for Internet Connectivity

The answers you selected are indicated below, along with text that explains the correct answers.
1. An organization has a number of sales representatives that work from their homes. Currently, the sales representatives access e-mail and applications within the private network by using VPN connections over the Internet. Many of the sales representatives are installing DSL in their homes to improve Internet access and would like to share the DSL connection with other computers in their home. In which of the following cases is NAT an appropriate solution for these sales representatives?
Please select the best answer.
  A. If the home users are using L2TP/IPSec tunnels on the internal networks for end-to-end security with destination computers on the corporate network
  B. If the users use Microsoft® Management Console (MMC) interfaces to manage resources on the corporate intranet
  C. If the users access computers on the internal network via PPTP/MPPE or L2TP/IPSec tunnels created between VPN gateways between the remote and the corporate networks
  D. If Kerberos authentication were used for network access control
  The correct answer is C. Answer C is correct because NAT can be used together with VPN tunneling. The internal network hosts access the corporate network through a VPN tunnel that is created between two VPN gateway servers. The data is protected throughout its transit over the public Internet, but it is not protected before it leaves the exit gateway or after it enters the destination gateway. Answer A is incorrect because end-to-end security requires IPSec, and IPSec cannot be supported behind the NAT server. You can use IPSec as the tunneling protocol between VPN gateways, but you cannot secure data end-to-end, because NAT cannot translate IPSec-encrypted packets. Answer B is incorrect because many MMC consoles require RPC communication over IP. NAT cannot reliably translate RPC communications; therefore, you should not rely on RPC communications when access is from behind the NAT. Answer D is incorrect because Kerberos authentication does not work from behind a NAT.

2. A chain of retail clothing stores uses NAT to connect each retail store to the central administrative office over the Internet. At the end of each day, the manager of the retail stores exports sales data out of an SQL database into a Microsoft® Excel worksheet. The database server is located on the internal network of each store and uses a private IP address. The manager then sends the Excel worksheet in an email message to the director of sales at the central administrative office. Since the system was installed, the director of sales has been unable to access the SQL database in each of the retail locations. In addition, the manual export and email process currently in place is time-consuming and prone to error. What is preventing the director of sales from accessing the SQL databases?
Please select the best answer.
  A. The SQL database must be located on the same computer as the NAT server.
  B. The SQL database requires a NAT Emulator in order to access it through the NAT server.
  C. You must enable port filtering to allow SQL database packets through the external interface.
  D. You should specify address pools or special ports to allow access to internal network resources such as the SQL Server through the NAT.
 

Answer D is correct.

In order to access the resources on the internal networks that lie behind the NAT servers, you must configure the NAT servers on each of the networks to allow access to specific internal resources. You can do this by specifying address pools or special ports to allow external access to internal resources such as the SQL Server. Answer A is incorrect because the SQL Server does not need to be located on the NAT server if you have configured the NAT server to allow access to internal resources. Answer B is incorrect because there is no such object as a "NAT Emulator." Answer C is incorrect because port filtering alone will not allow public requests for private resources to succeed. The NAT server must be specifically configured to allow such access to internal private-addressed network resources.
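The difference between answers C and D in question 2 can be seen in a toy model of the NAT server's forwarding decision. This is an added example, not part of the original quiz; the `Nat` class, the addresses, and the assumption that SQL Server listens on its default TCP port 1433 are all illustrative.

```python
# Added example: toy model of a NAT server's inbound/outbound decisions.
# All addresses and ports are constructed sample values.

class Nat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.allowed_ports = set()  # port filter on the external interface
        self.special_ports = {}     # (proto, public_port) -> (private_ip, private_port)
        self.dynamic = {}           # mappings created by outbound sessions
        self.next_port = 50000

    def outbound(self, proto, src_ip, src_port):
        """An internal host opens a connection: allocate a dynamic mapping."""
        key = (proto, self.next_port)
        self.dynamic[key] = (src_ip, src_port)
        self.next_port += 1
        return (self.public_ip, key[1])

    def inbound(self, proto, dst_port):
        """A packet from the Internet arrives on the public address."""
        key = (proto, dst_port)
        if key in self.dynamic:                 # reply to an outbound session
            return ("forward", self.dynamic[key])
        if dst_port not in self.allowed_ports:  # blocked by the port filter
            return ("drop", "filtered")
        if key in self.special_ports:           # static special-port mapping
            return ("forward", self.special_ports[key])
        return ("drop", "no mapping")           # filter passed, nowhere to send it


def demo():
    nat = Nat("203.0.113.10")                   # store's public address (sample)
    results = [nat.inbound("tcp", 1433)]        # nothing configured
    nat.allowed_ports.add(1433)                 # answer C: port filter only
    results.append(nat.inbound("tcp", 1433))
    nat.special_ports[("tcp", 1433)] = ("192.168.0.20", 1433)  # answer D
    results.append(nat.inbound("tcp", 1433))
    pub = nat.outbound("tcp", "192.168.0.20", 4321)  # store-initiated session
    results.append(nat.inbound("tcp", pub[1]))       # its reply traffic
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Opening the port in the filter changes the drop reason from "filtered" to "no mapping", and only the special-port entry gives the NAT server a private destination for the director's unsolicited connection.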