RRAS: need explanation for a question from the 70-291 MSPress book

Discussion in 'MCSE' started by Guest, Apr 17, 2007.

  1. Guest

    Guest Guest

    Hello,

Can anyone please explain to me the answer from the MSPress Book 70-291 (page
9-84) for the following question:

    "You have deployed a Windows Server 2003 computer running the Routing And
    Remote Access Service router to function as a simple firewall. How many
    packet filters do you need to create to support remote access to a VPN server
    through L2TP/IPSec? Assume that you want to provide the strictest security
    standards."

    Answer:

    Twelve


    Thanks a lot for your answers
     
    Guest, Apr 17, 2007
    #1

  2. Guest

    Frisbee® Guest

    42

    Thanks for all the fish.
     
    Frisbee®, Apr 17, 2007
    #2

  3. Yann writes:
    Perhaps 2 ports, 1 protocol number, 2 directions and, at least, two
    interfaces, i.e. 3*2*2=12?
     
    Maxim M. Kazachek, Apr 30, 2007
    #3
  4. Guest

    Alan [MSFT] Guest

    Hi,

    From Technet and the Win2003 Deployment guide.

    L2TP/IPSec connections
    For an L2TP/IPSec connection, configure the following packet filters on the
    Internet and perimeter network interfaces of the firewall.

    Internet interface of the firewall

    On the firewall's Internet interface, configure the inbound and outbound
    filters in Table 8.7, specifying that all packets are dropped except those
    that are specified by the filters.

    Table 8.7 VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall's
    Internet Interface

    Inbound filters

      Filter: Destination IP address = Perimeter network interface of VPN server,
              UDP destination port = 500 (0x1F4)
      Action: Allows IKE traffic to the VPN server.

      Filter: Destination IP address = Perimeter network interface of VPN server,
              UDP destination port = 4500 (0x1194)
      Action: Allows IPSec NAT-T traffic to the VPN server.

      Filter: Destination IP address = Perimeter network interface of VPN server,
              IP Protocol ID = 50 (0x32)
      Action: Allows IPSec ESP traffic to the VPN server.

    Outbound filters

      Filter: Source IP address = Perimeter network interface of VPN server,
              UDP source port = 500 (0x1F4)
      Action: Allows IKE traffic from the VPN server.

      Filter: Source IP address = Perimeter network interface of VPN server,
              UDP source port = 4500 (0x1194)
      Action: Allows IPSec NAT-T traffic from the VPN server.

      Filter: Source IP address = Perimeter network interface of VPN server,
              IP Protocol ID = 50 (0x32)
      Action: Allows IPSec ESP traffic from the VPN server.


    No filters are required for L2TP traffic at UDP port 1701. All L2TP traffic
    at the firewall, including tunnel maintenance and tunneled data, is
    encrypted as an IPSec ESP payload.

    Perimeter network interface of the firewall

    On the firewall's perimeter network interface, configure the inbound and
    outbound filters in Table 8.8, specifying that all packets are dropped
    except those that are selected by the filters.

    Table 8.8 VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall's
    Perimeter Network Interface

    Inbound filters

      Filter: Source IP address = Perimeter network interface of VPN server,
              UDP source port = 500 (0x1F4)
      Action: Allows IKE traffic from the VPN server.

      Filter: Source IP address = Perimeter network interface of VPN server,
              UDP source port = 4500 (0x1194)
      Action: Allows IPSec NAT-T traffic from the VPN server.

      Filter: Source IP address = Perimeter network interface of VPN server,
              IP Protocol ID = 50 (0x32)
      Action: Allows IPSec ESP traffic from the VPN server.

    Outbound filters

      Filter: Destination IP address = Perimeter network interface of VPN server,
              UDP destination port = 500 (0x1F4)
      Action: Allows IKE traffic to the VPN server.

      Filter: Destination IP address = Perimeter network interface of VPN server,
              UDP destination port = 4500 (0x1194)
      Action: Allows IPSec NAT-T traffic to the VPN server.

      Filter: Destination IP address = Perimeter network interface of VPN server,
              IP Protocol ID = 50 (0x32)
      Action: Allows IPSec ESP traffic to the VPN server.




    The above should come to 12.

    So you are correct: 2 ports (500, 4500), 1 protocol (50), 2 directions and 2
    interfaces, as this scenario is set up as a firewall.

    --
    Regards,

    Alan

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Alan [MSFT], May 1, 2007
    #4
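The twelve filters in Alan's TechNet excerpt (and Maxim's 3*2*2 count) can be modelled to check both the arithmetic and the default-drop behaviour. The Python below is an added example, not code from the thread, the MSPress book or Microsoft: it generates the filter set from three traffic types (IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50) across two directions and two interfaces, then evaluates constructed packets against it the way a default-drop RRAS interface would. The VPN server address 192.0.2.10, the client address 203.0.113.7 and the interface labels "internet" and "perimeter" are assumptions taken from the documentation address ranges.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional

# Assumed addresses (RFC 5737 documentation ranges), not from the thread.
VPN_SERVER = "192.0.2.10"      # perimeter network interface of the VPN server
REMOTE_CLIENT = "203.0.113.7"  # an L2TP/IPSec client somewhere on the Internet

UDP, ESP = 17, 50              # IP protocol IDs
IKE_PORT, NATT_PORT = 500, 4500
L2TP_PORT = 1701               # deliberately absent from the filter set

INTERFACES = ("internet", "perimeter")
DIRECTIONS = ("inbound", "outbound")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Filter:
    interface: str
    direction: str
    proto: int
    port: Optional[int]   # UDP port to match; None for ESP, which has no ports
    purpose: str

    def heading_to_vpn_server(self) -> bool:
        """Tables 8.7/8.8: traffic entering on the Internet side or leaving on
        the perimeter side is addressed *to* the VPN server, so those filters
        key on destination address/port; the other two key on source."""
        return (self.interface, self.direction) in {
            ("internet", "inbound"), ("perimeter", "outbound")}

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.heading_to_vpn_server():
            return pkt.dst == VPN_SERVER and (self.port is None or pkt.dport == self.port)
        return pkt.src == VPN_SERVER and (self.port is None or pkt.sport == self.port)


def build_filters() -> List[Filter]:
    """Three traffic types x two directions x two interfaces = twelve filters."""
    traffic = ((UDP, IKE_PORT, "IKE"), (UDP, NATT_PORT, "IPSec NAT-T"), (ESP, None, "IPSec ESP"))
    return [Filter(iface, direction, proto, port, purpose)
            for iface, direction in product(INTERFACES, DIRECTIONS)
            for proto, port, purpose in traffic]


def permitted(filters: List[Filter], interface: str, direction: str, pkt: Packet) -> bool:
    """Default action is drop: a packet passes only if some filter for that
    interface and direction selects it (no matching filter, no traffic)."""
    return any(f.matches(pkt)
               for f in filters if f.interface == interface and f.direction == direction)


def summarise(filters: List[Filter]) -> dict:
    """Filters per interface, so the 3 * 2 * 2 = 12 breakdown is visible."""
    return {iface: sum(1 for f in filters if f.interface == iface) for iface in INTERFACES}


if __name__ == "__main__":
    flt = build_filters()
    print(f"{len(flt)} filters: {summarise(flt)}")
    # Constructed packets: what a remote client and the VPN server would actually send.
    samples = [
        ("internet", "inbound", Packet(REMOTE_CLIENT, VPN_SERVER, UDP, 500, IKE_PORT)),
        ("internet", "inbound", Packet(REMOTE_CLIENT, VPN_SERVER, UDP, 4500, NATT_PORT)),
        ("internet", "inbound", Packet(REMOTE_CLIENT, VPN_SERVER, ESP)),
        ("internet", "inbound", Packet(REMOTE_CLIENT, VPN_SERVER, UDP, 1701, L2TP_PORT)),  # cleartext L2TP
        ("internet", "outbound", Packet(VPN_SERVER, REMOTE_CLIENT, UDP, IKE_PORT, 500)),
        ("perimeter", "inbound", Packet(VPN_SERVER, REMOTE_CLIENT, ESP)),
        ("perimeter", "outbound", Packet(REMOTE_CLIENT, VPN_SERVER, UDP, 4500, NATT_PORT)),
    ]
    for iface, direction, pkt in samples:
        verdict = "PERMIT" if permitted(flt, iface, direction, pkt) else "DROP"
        print(f"{iface:9} {direction:8} proto={pkt.proto:2} "
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

Running the module prints one verdict per packet. The line worth noticing is the cleartext UDP 1701 packet, which is dropped on the Internet interface: that is the point of the note that no filter is needed for L2TP, since on the wire it only ever appears inside ESP. The model also makes the mirror relationship explicit: RRAS filters are stateless, so the outbound filter keyed on source port 500 from the VPN server is the only thing that lets IKE responses out, and a filter keyed on the wrong address or port direction silently breaks the tunnel rather than opening anything.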
