NAT Review - Quiz Explanation

The answers you selected are indicated below, along with text that explains the correct answers.
1. Your organization has been having problems with users accessing inappropriate content on the Internet. At the present time, you are using private IP addresses on your internal network and NAT to provide access to the Internet. How would you configure NAT to limit user exposure to objectionable content on the Internet?
Please select the best answer.
  A. Configure the packet filter in RRAS to prevent access to certain URLs.
  B. Configure a reverse proxy so that internal servers do not respond to external requests.
  C. Replace the NAT server with a Proxy Server.
  D. Configure the NAT DNS settings to prevent answers for objectionable sites.
  The correct answer is C. Answer C is correct because NAT examines packets only at the network and transport layers. The RRAS packet filter can examine IP and TCP headers to assess source and destination IP addresses and port numbers. In order to prevent access to objectionable Web sites, you would have to configure the NAT server to block access to all IP addresses that might contain objectionable content (this would be a very time-consuming and ultimately fruitless process, because these sites often change servers and IP addresses). Proxy servers can be configured to use add-in programs that block sites with objectionable content. These plug-in modules access large databases that are updated by the manufacturer on a regular basis. Answer A is incorrect because you cannot block URLs using a packet filter; the URL is not contained in the IP or TCP headers. Answer B is incorrect because reverse proxying only affects what external users can access on your internal network. It has no effect on what internal users can access on the Internet. Answer D is incorrect because the NAT server uses DNS proxies. The DNS server is typically the one used by the internal organization, or by the ISP. It would not be realistic to expect a DNS Administrator to create bogus records on a DNS server for the purpose of blocking objectionable content.
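
The packet filter versus proxy distinction above, as an added example that is not part of the original quiz: two constructed plain-HTTP requests to different sites hosted on the same address are identical at the IP and TCP headers, and only the application-layer payload reveals the URL. The addresses, host names and the `BLOCKED_HOSTS` list are assumptions made for illustration.

```python
import socket
import struct
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"blocked.example"}  # hypothetical proxy block list

def build_packet(src, dst, sport, dport, payload):
    """Build a constructed IPv4 + TCP segment (checksums left at 0, never validated here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def split_layers(packet):
    """Return (IP header, TCP header, application payload) using the header length fields."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    return packet[:ihl], tcp[:data_off], tcp[data_off:]

def packet_filter_view(packet):
    """Everything a network/transport-layer filter can match on: addresses and ports."""
    ip, tcp, _ = split_layers(packet)
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (src, dst, sport, dport)

def proxy_view(packet):
    """What an application-layer proxy reads: the URL from the request line and Host header."""
    payload = split_layers(packet)[2]
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    path = lines[0].split(" ")[1]
    host = next(l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:"))
    return f"http://{host}{path}"

def proxy_allows(packet):
    return urlsplit(proxy_view(packet)).hostname not in BLOCKED_HOSTS

def http_get(host, path):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")

# Constructed sample traffic: one internal client, two sites sharing one server address.
PKT_OK = build_packet("192.168.0.10", "203.0.113.80", 49152, 80, http_get("allowed.example", "/news"))
PKT_BAD = build_packet("192.168.0.10", "203.0.113.80", 49152, 80, http_get("blocked.example", "/page"))

if __name__ == "__main__":
    for pkt in (PKT_OK, PKT_BAD):
        print(packet_filter_view(pkt), proxy_view(pkt), proxy_allows(pkt))
```

Both packets produce the same filter view, so any address or port rule treats them alike; only the proxy decision differs.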

2. You have an organization that includes 245 computers, all of which are located on a single network ID. These computers use private IP addresses and NAT to access the Internet. The network ID that you use for these computers is, and the internal interface on the NAT server is located on that logical network. You are using the DHCP Allocator included with the NAT server. Recently, the computers have been experiencing difficulties accessing the NAT server. When you query the users, they tell you that when they can't communicate with the NAT server, they are unable to contact any other server on the network. What is most likely the problem?
Please select the best answer.
  A. The users are intermittently setting their IP settings manually, and then changing them back without telling you.
  B. A rogue DHCP server is located on the segment.
  C. The DHCP Allocator has been configured with the incorrect static address pool.
  D. The NAT server has temporarily been going offline, and then coming back up again.
  The correct answer is B. Answer B is correct because you cannot have more than one DHCP server handing out IP addressing information on a segment, unless those DHCP servers have been configured to provide valid addresses for the segment. In this case, it is most likely that the DHCP Allocator was handing out IP addresses, and there was another DHCP server on the segment handing out invalid addresses. When the DHCP client machines attempted to renew their IP addresses, some of them were obtaining incorrect IP addressing information from the rogue DHCP server. This would prevent them from connecting to the NAT server, and any other servers on the network. Answer A is incorrect because it is unlikely that a large group of users would all manually change their IP addressing information to incorrect settings, then back to the correct settings again. Answer C is incorrect because if the DHCP Allocator were configured with a static address pool, it is unlikely that the computers would ever be able to contact the NAT server, and the problems would not be intermittent in nature. Answer D is incorrect because temporary outages of the NAT server should not make it impossible for network clients to contact other servers on the segment. Even if you are using the DHCP Allocator, the DHCP clients are unlikely to frequently require the renewal of their IP addressing information during the short intervals when the NAT Server is unavailable.