159. You are the administrator of your company's network, which consists of a single Windows 2000 domain. The network has a persistent connection to the Internet. The relevant portion of its configuration is shown in the exhibit.
<img src="./70-216/images/pic1_112_0001.jpg">
(the VPN is between the firewall and the internet)
Your company employs mobile salespeople who use portable computers, which run either Windows 98 or Windows 2000 Professional. To enable these users to access internal resources, you place a virtual private network server named VPN1 outside your firewall. VPN1 is a stand-alone Windows 2000 Server computer running Routing and Remote Access. The firewall performs network address translation, and it is configured to allow inbound access from VPN1 only.
You need to use the most secure VPN connection possible for each connection. You configure appropriate VPN ports on VPN1.
VPN1 must now be configured to allow only appropriate traffic through the firewall on the internal interface. Which output and input filters should you configure for the internal network adapter?
Answer:
Output Filters
Source: Firewall external address, TCP port 1723
Source: Firewall external address, IP protocol ID 47
Input Filters
Destination: Firewall external address, TCP port 1723
Destination: Firewall external address, IP protocol ID 47
Explanation:
The firewall performs network address translation. The VPN must use PPTP; it cannot use L2TP/IPSec because of the network address translation. Both IPSec and NAT change the IP headers, so they cannot both be used on a connection.
The VPN server is attached directly to the Internet and the firewall is between the VPN server and the intranet.
In this configuration, the VPN server must be configured with packet filters that only allow VPN traffic in and out of its Internet interface.
PPTP uses TCP port 1723 for tunnel maintenance traffic. For a filter to pass PPTP data it must allow IP protocol ID 47.
The source and destination addresses that are usually used to allow VPN traffic are the IP address of the VPN server. In this case the firewall performs Network Address Translation, so the firewall's external address is used instead.
My question:
First of all, what (or which one) is the internal network adapter?
For the input filters, shouldn't the destination be the VPN address? Despite what the explanation says.
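To make the filter set in the answer above concrete, here is a small added model (not part of the exam question, the braindump's answer, or any RRAS code) of how RRAS-style "drop everything except" packet filters evaluate PPTP traffic: the control channel must match TCP port 1723 on the correct side of the connection, GRE (IP protocol 47) has no port at all and matches on protocol alone, and anything else to or from the listed address is dropped. The firewall's external address and the client addresses are constructed sample values, since the exhibit does not give them.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample value standing in for the firewall's external address
# used in the answer's filters (the exhibit does not state the real one).
FIREWALL_EXTERNAL = "203.0.113.10"

TCP = 6    # IP protocol number for TCP
GRE = 47   # IP protocol ID 47: PPTP tunnelled data (GRE)
PPTP_CONTROL_PORT = 1723


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None   # only meaningful for TCP/UDP
    dst_port: Optional[int] = None   # GRE packets carry no ports


@dataclass(frozen=True)
class Rule:
    """One permit filter in the style of the answer's list.

    For an input filter the address and port are matched against the packet's
    destination; for an output filter against the packet's source.
    """
    direction: str            # "input" or "output"
    address: str
    protocol: int
    port: Optional[int] = None  # None = any port (required for GRE, which has none)

    def matches(self, pkt: Packet) -> bool:
        if self.direction == "input":
            addr, port = pkt.dst, pkt.dst_port
        else:
            addr, port = pkt.src, pkt.src_port
        if addr != self.address or pkt.protocol != self.protocol:
            return False
        # GRE has no port field, so a protocol match is all that is needed.
        return self.port is None or port == self.port


# The four filters exactly as the answer lists them.
FILTERS = [
    Rule("output", FIREWALL_EXTERNAL, TCP, PPTP_CONTROL_PORT),
    Rule("output", FIREWALL_EXTERNAL, GRE),
    Rule("input", FIREWALL_EXTERNAL, TCP, PPTP_CONTROL_PORT),
    Rule("input", FIREWALL_EXTERNAL, GRE),
]


def permitted(direction: str, pkt: Packet, rules=FILTERS) -> bool:
    """Deny-by-default evaluation, as with RRAS filters set to
    'Drop all packets except those that meet the criteria below'."""
    return any(r.direction == direction and r.matches(pkt) for r in rules)


if __name__ == "__main__":
    client = "198.51.100.7"   # constructed sample remote address
    samples = [
        ("input PPTP control", "input",
         Packet(client, FIREWALL_EXTERNAL, TCP, 40000, PPTP_CONTROL_PORT)),
        ("output PPTP control reply", "output",
         Packet(FIREWALL_EXTERNAL, client, TCP, PPTP_CONTROL_PORT, 40000)),
        ("input GRE data", "input", Packet(client, FIREWALL_EXTERNAL, GRE)),
        ("input SMB to the same address", "input",
         Packet(client, FIREWALL_EXTERNAL, TCP, 40000, 445)),
    ]
    for label, direction, pkt in samples:
        print(f"{label:32s} -> {'permit' if permitted(direction, pkt) else 'drop'}")
```

Note that the output-filter port is checked as a source port and the input-filter port as a destination port; a TCP 1723 packet arriving with the port on the wrong side does not match, which is the kind of detail that gets lost when the filters are written out as a flat list.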