QUESTION NO: 159

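This blog post covers TestKing's Windows network: to let mobile salespeople access internal resources, the company places a VPN server, VPN1, outside the firewall. VPN1 must be configured for the most secure connection and with appropriate output and input filters to allow VPN traffic in and out. The post also covers the port and IP protocol ID used by PPTP.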

You are the administrator of TestKing’s network, which consists of a single Windows 2000 domain. The
network has a persistent connection to the Internet. The relevant portion of its configuration is shown in
the exhibit.

Your company employs mobile salespeople who use portable computers, which run either Windows 98 or
Windows 2000 Professional. To enable these users to access internal resources, you place a virtual private
network server named VPN1 outside your firewall. VPN1 is a stand-alone Windows 2000 Server
computer running routing and remote access. The firewall performs network address translation, and it
is configured to allow inbound access from VPN1 only.
You need to use the most secure VPN connection possible for each connection. You configure appropriate
VPN ports on VPN1.
VPN1 must now be configured to allow only appropriate traffic through the firewall on the internal
interface. Which output and input filters should you configure for the internal network adapter?
To answer, click the Select and Place button, and then drag the correct filter configuration to the appropriate
filter type. You might need to use some filter configurations more than once. Use the minimum number of
necessary filters.
SELECT AND PLACE



Answer:
Output Filters
Source: Firewall external address, TCP port 1723
Source: Firewall external address, IP protocol ID 47
Input Filters
Destination: Firewall external address, TCP port 1723
Destination: Firewall external address, IP protocol ID 47
Explanation:
The firewall performs network address translation. The VPN must use PPTP; it cannot use L2TP/IPSec due to the
network address translation. Both IPSec and NAT change the IP headers, and they cannot both be used on a
connection.
The VPN server is attached directly to the Internet and the firewall is between the VPN server and the intranet.
In this configuration, the VPN server must be configured with packet filters that only allow VPN traffic in and
out of its Internet interface.
PPTP uses TCP port 1723 for tunnel maintenance traffic. For a filter to pass PPTP data, it must allow IP protocol
ID 47.
The source and destination address usually used to allow VPN traffic is the IP address of the VPN
server. In this case the firewall performs Network Address Translation, so the firewall external address is used
instead.
Incorrect Answers:
PPTP does not use UDP port 500, it uses TCP port 1723.
PPTP does not use TCP port 1701, it uses TCP port 1723.
PPTP does not use IP protocol ID 50, it uses IP protocol ID 47.
Only the PPTP port and the PPTP IP protocol ID traffic should be allowed, not any protocol.
The firewall provides Network Address Translation. The firewall's external IP address must be used, not the
internal subnet address. There is no internal subnet address.
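
The protocol checks from the explanation and the incorrect answers, as an added Python example (not part of the original question or answer): it parses raw IPv4 headers and reports which packets a PPTP-only filter set would pass. The firewall address 203.0.113.1, the function names and the sample packets are constructed assumptions, and the check accepts the firewall address at either end of a packet rather than modelling the separate input and output filters.

```python
import ipaddress
import struct

# Assumption: placeholder for the firewall's external address (documentation range).
FIREWALL_EXT = ipaddress.ip_address("203.0.113.1")

def build_packet(src, dst, proto, sport=0, dport=0):
    """Build a constructed minimal IPv4 packet (checksum left at 0) for the demo."""
    payload = struct.pack("!HH", sport, dport) if proto in (6, 17) else b"\x00" * 4
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload

def classify(packet):
    """Return (label, allowed) for a raw IPv4 packet under a PPTP-only filter set."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("not IPv4", False)
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes; IP options shift the ports
    if ihl < 20 or len(packet) < ihl:
        return ("malformed", False)
    proto = packet[9]
    src, dst = ipaddress.ip_address(packet[12:16]), ipaddress.ip_address(packet[16:20])
    ports = ()
    if proto in (6, 17):  # TCP and UDP both start with source and destination port
        if len(packet) < ihl + 4:
            return ("truncated", False)
        ports = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto == 6 and 1723 in ports:
        label = "PPTP control (TCP 1723)"
    elif proto == 47:
        label = "PPTP data (IP protocol 47)"
    elif proto == 17 and 1701 in ports:
        label = "L2TP (UDP 1701)"
    elif proto == 17 and 500 in ports:
        label = "IKE (UDP 500)"
    elif proto == 50:
        label = "IPSec ESP (IP protocol 50)"
    else:
        label = "other"
    # Simplification: the firewall address may be at either end of the packet.
    allowed = label.startswith("PPTP") and FIREWALL_EXT in (src, dst)
    return (label, allowed)

if __name__ == "__main__":
    samples = [("203.0.113.1", "198.51.100.10", 6, 40000, 1723),
               ("198.51.100.10", "203.0.113.1", 47),
               ("203.0.113.1", "198.51.100.10", 17, 500, 500),
               ("203.0.113.1", "198.51.100.10", 50)]
    for sample in samples:
        print(classify(build_packet(*sample)))
```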