1: On the public interface of the edge router, allow IPSec traffic from the remote-site peers 10.10.1.1 and 10.10.2.1 (not shown). Also allow remote-access VPN traffic.

A1: The edge router's public interface filtering is configured as follows:

    edge_rtr(config)#access-list 100 permit udp host 10.10.1.1 host 172.31.254.2 eq isakmp
    edge_rtr(config)#access-list 100 permit udp host 10.10.2.1 host 172.31.254.2 eq isakmp
    edge_rtr(config)#access-list 100 permit esp host 10.10.1.1 host 172.31.254.2
    edge_rtr(config)#access-list 100 permit esp host 10.10.2.1 host 172.31.254.2
    edge_rtr(config)#access-list 100 permit udp any host 172.31.254.3 eq isakmp
    edge_rtr(config)#access-list 100 permit esp any host 172.31.254.3
    edge_rtr(config)#interface s0/0
    edge_rtr(config-if)#ip access-group 100 in

The first four entries permit IKE (UDP 500) and ESP from each of the two site-to-site peers to the router's tunnel endpoint 172.31.254.2; the last two permit IKE and ESP from any source to the VPN concentrator at 172.31.254.3, since remote-access users connect from unpredictable addresses. Anything not matched by these entries is dropped by the implicit deny at the end of the list.
2: On the PIX Firewall, permit outside users access to the public services. Note that the public server, 10.1.3.2, appears publicly as 172.31.254.4 via static NAT on the PIX Firewall.

A2: The correct configuration is as follows:

    PIX_FW(config)#access-list outside_access_in permit tcp any host 172.31.254.4 eq ftp
    PIX_FW(config)#access-list outside_access_in permit tcp any host 172.31.254.4 eq www
    PIX_FW(config)#access-list outside_access_in permit tcp any host 172.31.254.4 eq smtp
    PIX_FW(config)#access-list outside_access_in permit udp any host 172.31.254.4 eq domain
3: Allow only legitimate traffic from remote-access users to the public services segment. Note that the VPN concentrator is configured with a remote-access address pool of 192.168.1.1 to 192.168.1.254.

A3: The correct configuration is as follows:
4: Allow remote-access user traffic to the Internet and internal network.

A4: The correct configuration is as follows:

    PIX_FW(config)#access-list remote_access_in permit ip 192.168.1.0 255.255.255.0 any
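The answers to questions 1, 2 and 4 all rely on the same two properties of Cisco access lists: entries are evaluated top to bottom and the first match wins, and a packet that matches nothing is dropped by the implicit deny at the end. The following Python model is an added example written for this page (it is not Cisco IOS or PIX software, and it does not model NAT order of operations beyond using the public address 172.31.254.4 in the outside ACL, as the PIX answer does). It encodes access-list 100, outside_access_in and remote_access_in from the answers above and runs constructed sample packets through them; the source addresses 198.51.100.9, 203.0.113.5, 192.168.1.77 and 192.168.9.1 are made-up test values. The checks show why every entry in the edge router list is needed: ESP from the second site peer is permitted only because its own ESP entry is present, and ESP from anyone else to the router's tunnel endpoint is denied.

```python
"""Tiny first-match ACL evaluator with an implicit deny, used to check the
case-study policy. Example code for this page, not Cisco software."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Port numbers behind the keywords used in the answers (isakmp, ftp, www, smtp, domain).
ISAKMP, FTP, WWW, SMTP, DOMAIN = 500, 21, 80, 25, 53


@dataclass(frozen=True)
class Packet:
    proto: str                    # "udp", "tcp" or "esp"
    src: str
    dst: str
    dport: Optional[int] = None   # ESP has no port, so None


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, optional destination port."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol, as in IOS/PIX
    src: IPv4Network              # "any" -> 0.0.0.0/0, "host X" -> X/32
    dst: IPv4Network
    dport: Optional[int] = None   # None means no port qualifier on the entry

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if IPv4Address(p.src) not in self.src or IPv4Address(p.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry decides; no match means the implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def host(addr: str) -> IPv4Network:
    return IPv4Network(f"{addr}/32")


ANY = IPv4Network("0.0.0.0/0")

# Answer A1: access-list 100, applied inbound on the edge router's public interface.
EDGE_ACL_100 = [
    Ace("permit", "udp", host("10.10.1.1"), host("172.31.254.2"), ISAKMP),
    Ace("permit", "udp", host("10.10.2.1"), host("172.31.254.2"), ISAKMP),
    Ace("permit", "esp", host("10.10.1.1"), host("172.31.254.2")),
    Ace("permit", "esp", host("10.10.2.1"), host("172.31.254.2")),
    Ace("permit", "udp", ANY, host("172.31.254.3"), ISAKMP),
    Ace("permit", "esp", ANY, host("172.31.254.3")),
]

# Answer A2: outside_access_in on the PIX, written against the public (static NAT) address.
PIX_OUTSIDE_ACCESS_IN = [
    Ace("permit", "tcp", ANY, host("172.31.254.4"), FTP),
    Ace("permit", "tcp", ANY, host("172.31.254.4"), WWW),
    Ace("permit", "tcp", ANY, host("172.31.254.4"), SMTP),
    Ace("permit", "udp", ANY, host("172.31.254.4"), DOMAIN),
]

# Answer A4: remote_access_in for the concentrator's 192.168.1.0/24 address pool.
PIX_REMOTE_ACCESS_IN = [
    Ace("permit", "ip", IPv4Network("192.168.1.0/24"), ANY),
]


def check_policy() -> dict:
    """Run constructed sample packets (test addresses are made up) through each ACL."""
    cases = {
        "site2 ike":    (EDGE_ACL_100, Packet("udp", "10.10.2.1", "172.31.254.2", ISAKMP)),
        "site2 esp":    (EDGE_ACL_100, Packet("esp", "10.10.2.1", "172.31.254.2")),
        "other esp":    (EDGE_ACL_100, Packet("esp", "198.51.100.9", "172.31.254.2")),
        "ra ike":       (EDGE_ACL_100, Packet("udp", "198.51.100.9", "172.31.254.3", ISAKMP)),
        "public www":   (PIX_OUTSIDE_ACCESS_IN, Packet("tcp", "198.51.100.9", "172.31.254.4", WWW)),
        "public ssh":   (PIX_OUTSIDE_ACCESS_IN, Packet("tcp", "198.51.100.9", "172.31.254.4", 22)),
        "pool to inet": (PIX_REMOTE_ACCESS_IN, Packet("tcp", "192.168.1.77", "203.0.113.5", WWW)),
        "outside pool": (PIX_REMOTE_ACCESS_IN, Packet("tcp", "192.168.9.1", "203.0.113.5", WWW)),
    }
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in cases.items()}


if __name__ == "__main__":
    for name, action in check_policy().items():
        print(f"{name:13s} {action}")
```

Running the script prints one line per case; only the traffic the questions asked for is permitted, and SSH to the public server, ESP from an unknown host to the router's tunnel endpoint, and traffic from outside the remote-access pool all fall through to the implicit deny.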