CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] (text version)

Greg Bastien; Earl Carter; Christian Degu

What Is Wrong with This Picture?


    Now that you have worked through the configuration scenarios in the previous sections, this section focuses on troubleshooting during or after an implementation of the Cisco PIX Firewall. Examples 20-9 through 20-11 show the configurations of the three PIX Firewalls used in this exercise.


    Example 20-9. Atlanta PIX Firewall Configuration


    : Saved
    :
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security70
    enable password ksjfglkasglc encrypted
    passwd kjngczftglkacytiur encrypted
    hostname Atlanta
    domain-name www.BranchVPN.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol smtp 25
    fixup protocol skinny 2000
    names
    access-list inbound permit icmp any host 192.168.3.10
    access-list inbound permit tcp any host 192.168.3.10 eq www
    access-list inbound permit tcp any host 192.168.3.10 eq 443
    access-list DMZ permit udp 172.16.3.0 255.255.255.0 host 10.10.3.240 eq ntp
    access-list VPN permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
    access-list VPN permit ip 10.10.3.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list LosAngeles permit ip 10.10.3.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list Boston permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.3.1 255.255.255.0
    ip address inside 10.10.3.1 255.255.255.0
    ip address DMZ 172.16.3.1 255.255.255.0
    arp timeout 14400
    global (outside) 1 192.168.3.20-200
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (inside) 0 access-list VPN
    static (DMZ,outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    access-group DMZ in interface DMZ
    route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set BranchVPN esp-3des esp-md5-hmac
    crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
    crypto map BranchVPN 10 ipsec-isakmp
    crypto map BranchVPN 10 match address LosAngeles
    crypto map BranchVPN 10 set peer 192.168.1.1
    crypto map BranchVPN 10 set transform-set BranchVPN
    crypto map BranchVPN 20 ipsec-isakmp
    crypto map BranchVPN 20 match address Boston
    crypto map BranchVPN 20 set peer 192.168.2.1
    crypto map BranchVPN 20 set transform-set BranchVPN
    crypto map BranchVPN interface DMZ
    isakmp enable outside
    isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
    isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    terminal width 80
    Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5


    Example 20-10. Boston PIX Firewall Configuration


    : Saved
    :
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security70
    enable password ksjfglkasglc encrypted
    passwd kjngczftglkacytiur encrypted
    hostname Boston
    domain-name www.BranchVPN.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol smtp 25
    fixup protocol skinny 2000
    names
    access-list inbound permit icmp any host 192.168.2.10
    access-list inbound permit tcp any host 192.168.2.10 eq www
    access-list inbound permit tcp any host 192.168.2.10 eq 443
    access-list DMZ permit tcp 192.168.1.13 255.255.255.255 192.168.2.11 eq 1521
    access-list DMZ permit udp 172.16.2.0 255.255.255.0 host 10.10.2.240 eq ntp
    access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
    access-list LosAngeles permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list Atlanta permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.2.1 255.255.255.0
    ip address inside 10.10.2.1 255.255.255.0
    ip address DMZ 172.16.2.1 255.255.255.0
    arp timeout 14400
    global (outside) 1 192.168.2.20-200
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (inside) 0 access-list VPN
    static (DMZ,outside) 192.168.2.10 172.16.2.10 netmask 255.255.255.255 0 0
    static (DMZ,outside) 192.168.2.11 172.16.2.11 netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    access-group DMZ in interface DMZ
    route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    crypto ipsec transform-set BranchVPN esp-3des esp-md5-hmac
    crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
    crypto map BranchVPN 10 ipsec-isakmp
    crypto map BranchVPN 10 match address LosAngeles
    crypto map BranchVPN 10 set peer 192.168.1.1
    crypto map BranchVPN 10 set transform-set BranchVPN
    crypto map BranchVPN 20 ipsec-isakmp
    crypto map BranchVPN 20 match address Atlanta
    crypto map BranchVPN 20 set peer 192.168.3.1
    crypto map BranchVPN 20 set transform-set BranchVPN
    crypto map BranchVPN interface outside
    isakmp enable outside
    isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
    isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    terminal width 80
    Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5


    Example 20-11. Los Angeles PIX Firewall Configuration


    : Saved
    :
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security70
    enable password HtmvK15kjhtlyfvcl encrypted
    passwd Kkjhlkf1568Hke encrypted
    hostname LosAngeles
    domain-name www.BranchVPN.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list inbound permit tcp any host 192.168.1.9 eq ftp
    access-list inbound permit icmp any host 192.168.1.10
    access-list inbound permit tcp any host 192.168.1.10 eq www
    access-list inbound permit tcp any host 192.168.1.10 eq 443
    access-list inbound permit tcp any host 192.168.1.11 eq www
    access-list inbound permit tcp any host 192.168.1.11 eq 443
    access-list inbound permit tcp any host 192.168.1.12 eq www
    access-list inbound permit tcp any host 192.168.1.12 eq 443
    access-list inbound permit tcp any host 192.168.1.13 eq ftp
    access-list Exchange permit tcp any host 192.168.1.14 eq 25
    access-list Exchange permit tcp any host 192.168.1.14 eq 443
    access-list DMZ permit tcp 172.16.1.13 255.255.255.255 10.10.11.221 eq 1521
    access-list DMZ permit udp 172.16.1.0 255.255.255.0 host 10.10.10.240 eq ntp
    access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
    access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
    access-list Boston permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
    access-list Atlanta permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.1 255.255.255.0
    ip address inside 10.10.10.1 255.255.255.0
    ip address DMZ 172.16.1.1 255.255.255.0
    failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 192.168.1.2
    failover ip address inside 10.10.10.2
    failover ip address DMZ 172.16.1.2
    arp timeout 14400
    global (outside) 1 192.168.1.20-250
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (inside) 0 access-list VPN
    static (DMZ,outside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255 0 0
    static (DMZ,outside) 192.168.1.11 172.16.1.11 netmask 255.255.255.255 0 0
    static (DMZ,outside) 192.168.1.12 172.16.1.12 netmask 255.255.255.255 0 0
    static (DMZ,outside) 192.168.1.13 172.16.1.13 netmask 255.255.255.255 0 0
    static (DMZ,outside) 192.168.1.14 172.16.1.14 netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    access-group Exchange in interface outside
    access-group DMZ in interface DMZ
    route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set BranchVPN esp-3des esp-md5-hmac
    crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
    crypto map BranchVPN 10 ipsec-isakmp
    crypto map BranchVPN 10 match address Boston
    crypto map BranchVPN 10 set peer 192.168.2.1
    crypto map BranchVPN 10 set transform-set BranchVPN
    crypto map BranchVPN 20 ipsec-isakmp
    crypto map BranchVPN 20 set peer 192.168.3.1
    crypto map BranchVPN 20 set transform-set BranchVPN
    crypto map BranchVPN interface outside
    isakmp enable outside
    isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
    isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    terminal width 80
    Cryptochecksum:e0clmj3546549637cbsFds54132d5

    After you have reviewed the configuration files for the three PIX Firewalls, answer the following questions (the answers appear in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes and Q&A Sections"):

    1.

    The VPN session is established, but no traffic, or only one-way traffic, is passing between the Boston firewall and the Los Angeles firewall. Ellen starts debugging the problem using debug icmp trace. She pings a host at the far end of the VPN tunnel and gets the following results:


    LOCAL-PIX(config)#
    609001: Built local-host inside:10.10.2.21
    106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
    106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
    106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
    106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
    106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
    609002: Teardown local-host inside:10.10.2.21 duration 0:00:15

    What do these results indicate and what could be causing this problem? How would you help Ellen resolve this issue?

    2.

    Eric cannot get the VPN tunnel to work from HQ to the Atlanta branch office. He starts a debug and gets the following results:


    crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
    VPN Peer: ISAKMP: Added new peer: ip:10.10.10.40 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:10.10.10.40 Ref cnt incremented to:1 Total VPN Peers:1
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0
    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 1
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 2400
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): remote peer supports dead peer detection
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): speaking to another IOS box!
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated
    ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 500
    length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 2457631438
    ISAKMP (0): processing notify INITIAL_CONTACT
    IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 10.10.10.40
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 133935992
    ISAKMP: Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_DES
    ISAKMP: attributes in transform:
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 28800
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    ISAKMP: authenticator is HMAC-MD5
    IPSEC(validate_proposal): invalid local address 10.10.3.34
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS
    crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

    What could be the cause of this problem?

    3.

    Bruce is having problems establishing a VPN session to the Atlanta office. He gets the following debug results:


    IPSEC(crypto_map_check): crypto map BranchVPN 20 incomplete. No peer or access-list specified. Packet discarded

    What is causing this problem, and how would you help Bruce successfully establish a VPN tunnel to the Atlanta office?

    4.

    The web administrator in Los Angeles needs to maintain the web servers in the DMZ from the internal network using Terminal Services (Transmission Control Protocol [TCP] port 3389). Is the firewall in Los Angeles configured to allow this access? Explain your answer.

    5.

    The web administrator in Los Angeles also needs to administer the web servers in Boston and Atlanta. Are the three firewalls configured to allow this access? Explain your answer.

    6.

    The web server 172.16.1.13 needs to access an Oracle database server that sits on a segment connected to the internal network at 10.10.11.221. The web server initiates the connection on TCP port 1521 and retrieves inventory data. Can this connection be completed? Explain your answer.

    7.

    The web server 172.16.1.13 needs to access an Oracle database server on the DMZ in Boston using the address 172.16.2.11. The web server initiates the connection on TCP port 1521 to retrieve financial data. Can this connection be completed? Explain your answer.

    8.

    Is the configuration solution to question 7 a good idea? Explain your answer.

    9.

    The company has installed an FTP server on the DMZ segment in Los Angeles that customers can access to download updates. The FTP server address is 172.16.1.9. Can all external users access this FTP server? Explain your answer.

    10.

    The Exchange server is installed on the DMZ segment in Los Angeles using the address 172.16.1.14. The firewall is configured to allow Simple Mail Transfer Protocol (SMTP) access for inbound mail and Secure Sockets Layer (SSL) access for users who connect with Outlook Web Access over HTTPS (HTTP over SSL). Will any users be able to receive their mail with this configuration? Explain your answer.

    11.

    What needs to be done in Los Angeles to allow access to the mail server?
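
    The questions above are answered by reading the configurations, but the same checks can be automated. The following lint is an added example written for this page; it is not code from the book or from Cisco. It parses a saved PIX 6.x configuration (Examples 20-9 through 20-11 saved as text files work as input) and reports structural problems: more than one access-group bound to the same interface, an access-list entry whose endpoints are not written as any, host A.B.C.D or network mask, references to access lists that are never defined, a crypto map entry without match address or set peer (the condition behind the debug message in question 3), a crypto map applied to an interface other than the one ISAKMP is enabled on, and IPsec configured without sysopt connection permit-ipsec. The embedded SAMPLE configuration is constructed for the example and is not one of the three firewalls above; the access-list grammar covers only the forms these examples use (no object-groups, remarks or ICMP types).

```python
"""PIX 6.x configuration lint for the IPsec and ACL mistakes this exercise turns on.
Added example written for this page; not code from the book or from Cisco.  Every rule
is PIX 6.x behaviour: one access-group per interface (a second binding replaces the
first); a crypto map entry needs both 'match address' and 'set peer'; the crypto map
has to be applied to the interface where ISAKMP is enabled; without 'sysopt connection
permit-ipsec' decrypted traffic is still filtered by the interface ACL; every ACL that
is referenced must exist; ACL endpoints are 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
Usage: python pix_lint.py atlanta.cfg   (Example 20-9 saved as a text file)
"""
import re, sys
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ENDPOINT = rf"(?:any|host {IP}|{IP} {IP})"
PORT = r"(?: (?:eq|lt|gt|neq) \S+| range \S+ \S+)?"      # optional port operator
ACL_LINE = re.compile(rf"^access-list \S+ (?:permit|deny) \S+ {ENDPOINT}{PORT} {ENDPOINT}{PORT}$")


def parse_pix(text):
    cfg = {"acls": defaultdict(list),           # ACL name -> entries
           "access_groups": defaultdict(list),  # interface -> ACL names bound to it
           "crypto_maps": defaultdict(dict),    # (map, seq) -> {"match": acl, "peer": ip, ...}
           "crypto_map_if": {},                 # map name -> interface it is applied to
           "isakmp_if": set(),                  # interfaces with 'isakmp enable'
           "acl_refs": [],                      # (ACL name, line referencing it)
           "permit_ipsec": False}
    for raw in text.splitlines():
        line = " ".join(raw.split())            # normalise whitespace from wrapped lines
        if not line or line.startswith(":"):    # blank or comment
            continue
        tok = line.split()
        if tok[0] == "access-list":
            cfg["acls"][tok[1]].append(line)
        elif tok[0] == "access-group":                  # access-group NAME in interface IF
            cfg["access_groups"][tok[4]].append(tok[1])
            cfg["acl_refs"].append((tok[1], line))
        elif tok[0] == "nat" and "access-list" in tok:  # nat (if) 0 access-list NAME
            cfg["acl_refs"].append((tok[tok.index("access-list") + 1], line))
        elif tok[:2] == ["crypto", "map"]:
            if tok[3] == "interface":                   # crypto map NAME interface IF
                cfg["crypto_map_if"][tok[2]] = tok[4]
            else:                                       # crypto map NAME SEQ ...
                entry = cfg["crypto_maps"][(tok[2], int(tok[3]))]
                if tok[4] == "match":                   # match address ACL
                    entry["match"] = tok[6]
                    cfg["acl_refs"].append((tok[6], line))
                elif tok[4] == "set":                   # set peer IP / set transform-set X
                    entry[tok[5]] = tok[6]
        elif tok[:2] == ["isakmp", "enable"]:
            cfg["isakmp_if"].add(tok[2])
        elif line == "sysopt connection permit-ipsec":
            cfg["permit_ipsec"] = True
    return cfg


def audit(cfg):
    """Return one human-readable finding per violated rule."""
    out = []
    for ifname, names in cfg["access_groups"].items():
        if len(names) > 1:
            out.append(f"interface {ifname}: {len(names)} access-groups bound "
                       f"({', '.join(names)}); only the last one is in effect")
    for name, entries in cfg["acls"].items():
        out += [f"ACL {name}: malformed entry: {e}" for e in entries if not ACL_LINE.match(e)]
    out += [f"ACL {name} referenced but never defined: {line}"
            for name, line in cfg["acl_refs"] if name not in cfg["acls"]]
    for (mapname, seq), entry in sorted(cfg["crypto_maps"].items()):
        missing = [f for f in ("match", "peer") if f not in entry]
        if missing:
            out.append(f"crypto map {mapname} {seq} incomplete: no {' or '.join(missing)} specified")
    for mapname, ifname in cfg["crypto_map_if"].items():
        if ifname not in cfg["isakmp_if"]:
            out.append(f"crypto map {mapname} applied to {ifname} but ISAKMP is enabled on: "
                       f"{', '.join(sorted(cfg['isakmp_if'])) or 'no interface'}")
    if cfg["crypto_maps"] and not cfg["permit_ipsec"]:
        out.append("IPsec configured without 'sysopt connection permit-ipsec'; "
                   "decrypted traffic must be permitted by the interface ACL")
    return out


# Constructed sample (not one of the book's configurations) that trips every rule once.
SAMPLE = """\
access-list inbound permit tcp any host 192.0.2.10 eq www
access-list Mail permit tcp any host 192.0.2.14 eq 25
access-list DMZ permit tcp 172.16.1.13 255.255.255.255 10.0.1.5 eq 1521
access-list VPN permit ip 10.0.0.0 255.255.255.0 10.0.9.0 255.255.255.0
nat (inside) 0 access-list VPN
access-group inbound in interface outside
access-group Mail in interface outside
crypto map BranchVPN 10 ipsec-isakmp
crypto map BranchVPN 10 match address Remote
crypto map BranchVPN 10 set peer 198.51.100.1
crypto map BranchVPN 20 ipsec-isakmp
crypto map BranchVPN 20 set peer 198.51.100.2
crypto map BranchVPN interface DMZ
isakmp enable outside
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit(parse_pix(text)):
        print("-", finding)
```

    Run it with no argument to see the six findings for the constructed sample, or pass a saved configuration file. The checks are purely structural: a configuration that passes can still have a mismatched crypto ACL or pre-shared key on the far side, which only the peer's configuration or a debug crypto isakmp trace like the one in question 2 will reveal.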

