MCSE - RRAS: need explanation for a question from the 70-291 MSPress book |
#1

Hello,

Can anyone please explain to me the answer from the MSPress Book 70-291 (page 9-84) for the following question:

"You have deployed a Windows Server 2003 computer running the Routing And Remote Access Service router to function as a simple firewall. How many packet filters do you need to create to support remote access to a VPN server through L2TP/IPSec? Assume that you want to provide the strictest security standards."

Answer:

Twelve

Thanks a lot for your answers

Yann
#2

"Yann" <> wrote in message news
> Hello,
>
> Can anyone please explain to me the answer from the MSPress Book 70-291 (page 9-84) for the following question:
>
> "You have deployed a Windows Server 2003 computer running the Routing And Remote Access Service router to function as a simple firewall. How many packet filters do you need to create to support remote access to a VPN server through L2TP/IPSec? Assume that you want to provide the strictest security standards."
>
> Answer:
>
> Twelve
>
> Thanks a lot for your answers

42

Thanks for all the fish.

Frisbee®
#3

Yann wrote:
> Hello,
>
> Can anyone please explain to me the answer from the MSPress Book 70-291 (page 9-84) for the following question:
>
> "You have deployed a Windows Server 2003 computer running the Routing And Remote Access Service router to function as a simple firewall. How many packet filters do you need to create to support remote access to a VPN server through L2TP/IPSec? Assume that you want to provide the strictest security standards."
>
> Answer:
>
> Twelve
>
> Thanks a lot for your answers

Perhaps 2 ports, 1 protocol number, 2 directions and, at least, two interfaces, i.e. 3*2*2=12?

Maxim M. Kazachek
#4

Hi,

From Technet and the Win2003 Deployment guide.

L2TP/IPSec connections

For an L2TP/IPSec connection, configure the following packet filters on the Internet and perimeter network interfaces of the firewall.

Internet interface of the firewall

On the firewall's Internet interface, configure the inbound and outbound filters in Table 8.7, specifying that all packets are dropped except those that are specified by the filters.

Table 8.7 VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall's Internet Interface

| Direction | Filter | Action |
|---|---|---|
| Inbound | Destination IP address = Perimeter network interface of VPN server; UDP destination port = 500 (0x1F4) | Allows IKE traffic to the VPN server. |
| Inbound | Destination IP address = Perimeter network interface of VPN server; UDP destination port = 4500 (0x1194) | Allows IPSec NAT-T traffic to the VPN server. |
| Inbound | Destination IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32) | Allows IPSec ESP traffic to the VPN server. |
| Outbound | Source IP address = Perimeter network interface of VPN server; UDP source port = 500 (0x1F4) | Allows IKE traffic from the VPN server. |
| Outbound | Source IP address = Perimeter network interface of VPN server; UDP source port = 4500 (0x1194) | Allows IPSec NAT-T traffic from the VPN server. |
| Outbound | Source IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32) | Allows IPSec ESP traffic from the VPN server. |

No filters are required for L2TP traffic at UDP port 1701. All L2TP traffic at the firewall, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload.

Perimeter network interface of the firewall

On the firewall's perimeter network interface, configure the inbound and outbound filters in Table 8.8, specifying that all packets are dropped except those that are selected by the filters.

Table 8.8 VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall's Perimeter Network Interface

| Direction | Filter | Action |
|---|---|---|
| Inbound | Source IP address = Perimeter network interface of VPN server; UDP source port = 500 (0x1F4) | Allows IKE traffic from the VPN server. |
| Inbound | Source IP address = Perimeter network interface of VPN server; UDP source port = 4500 (0x1194) | Allows IPSec NAT-T traffic from the VPN server. |
| Inbound | Source IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32) | Allows IPSec ESP traffic from the VPN server. |
| Outbound | Destination IP address = Perimeter network interface of VPN server; UDP destination port = 500 (0x1F4) | Allows IKE traffic to the VPN server. |
| Outbound | Destination IP address = Perimeter network interface of VPN server; UDP destination port = 4500 (0x1194) | Allows IPSec NAT-T traffic to the VPN server. |
| Outbound | Destination IP address = Perimeter network interface of VPN server; IP Protocol ID = 50 (0x32) | Allows IPSec ESP traffic to the VPN server. |

The above should come to 12. So you are correct: 2 ports (500, 4500), 1 protocol (50), 2 directions and 2 interfaces, as this scenario is set up as a firewall.

--
Regards,
Alan

This posting is provided "AS IS" with no warranties, and confers no rights. OR if you wish to include a script sample in your post please add "Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm"

"Maxim M. Kazachek" <> wrote in message news:...
> Yann wrote:
>> Hello,
>>
>> Can anyone please explain to me the answer from the MSPress Book 70-291 (page 9-84) for the following question:
>>
>> "You have deployed a Windows Server 2003 computer running the Routing And Remote Access Service router to function as a simple firewall. How many packet filters do you need to create to support remote access to a VPN server through L2TP/IPSec? Assume that you want to provide the strictest security standards."
>>
>> Answer: Twelve
>>
>> Thanks a lot for your answers
>>
> Perhaps 2 ports, 1 protocol number, 2 directions and, at least, two interfaces, i.e. 3*2*2=12?

Alan [MSFT]
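The count reached in the replies above, worked through as an added example that is not part of the original posts or of the Microsoft guide: it builds the filter set of Tables 8.7 and 8.8 from interface, direction and traffic type, then evaluates packets against it with a default-drop policy. The interface names, the addresses (documentation ranges) and the sample packets are assumptions constructed for illustration.

```python
from itertools import product

VPN = "192.0.2.10"       # assumed address of the VPN server's perimeter interface
CLIENT = "198.51.100.7"  # assumed address of a remote VPN client

# Traffic types from Tables 8.7 and 8.8: (label, IP protocol, UDP port or None)
SERVICES = [("IKE", 17, 500), ("IPSec NAT-T", 17, 4500), ("IPSec ESP", 50, None)]

def build_filters():
    """One filter per (interface, direction, service): 2 * 2 * 3 = 12."""
    filters = []
    for iface, direction, (label, proto, port) in product(
            ("internet", "perimeter"), ("inbound", "outbound"), SERVICES):
        # Traffic to the VPN server enters on the Internet interface and leaves
        # on the perimeter interface; return traffic is the mirror image.
        to_vpn = (iface, direction) in {("internet", "inbound"),
                                        ("perimeter", "outbound")}
        filters.append({"iface": iface, "direction": direction, "label": label,
                        "proto": proto, "port": port,
                        "match": "dst" if to_vpn else "src"})
    return filters

def permitted(filters, iface, direction, pkt):
    """Default drop: return the matching filter's label, or None if dropped."""
    for f in filters:
        if (f["iface"], f["direction"], f["proto"]) != (iface, direction, pkt["proto"]):
            continue
        side = f["match"]  # compare the packet's destination or source fields
        if pkt[side] != VPN:
            continue
        if f["port"] is None or pkt.get(side + "_port") == f["port"]:
            return f["label"]
    return None

FILTERS = build_filters()

# Constructed sample packets.
ike = {"proto": 17, "src": CLIENT, "dst": VPN, "src_port": 500, "dst_port": 500}
esp = {"proto": 50, "src": CLIENT, "dst": VPN}
esp_reply = {"proto": 50, "src": VPN, "dst": CLIENT}
l2tp_clear = {"proto": 17, "src": CLIENT, "dst": VPN,
              "src_port": 1701, "dst_port": 1701}

if __name__ == "__main__":
    print(len(FILTERS), "filters")
    for name, pkt in [("IKE", ike), ("ESP", esp), ("cleartext L2TP", l2tp_clear)]:
        print(name, "->", permitted(FILTERS, "internet", "inbound", pkt) or "dropped")
```

Cleartext UDP 1701 is dropped at the firewall because no filter names it; legitimate L2TP only ever crosses the firewall inside ESP, which is why the guide lists no 1701 filter.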