
Yu Chak Tin Michael's GIAC GCFW Project Assignment
Configure the VPN ports and the static route:
By default, RRAS allocates 5 ports for PPTP and 5 ports for L2TP. For GIAC we will
use only PPTP, and will configure a total of 11 ports for it. These ports are mapped to
the addresses we defined for allocating to the VPN clients.
The final step is to ensure that these external clients can access the Critical_Resources
subnet. Microsoft suggests that we use a static route for this purpose. In this case,
gateway 192.168.16.6 is used to reach the destination subnet of 192.168.21.0. Since
RRAS is running, the static route to Critical_Resources should be added via the RRAS
MMC console. Using the route add command with the -p switch will not make the
entry permanent.
Configure Input Filters:
"A PPTP based VPN server typically has two physical interfaces: one interface on
the shared or public network like the Internet, and another on the private intranet. It
also has a virtual interface connecting to all VPN clients. For the VPN server to
forward traffic between VPN clients, IP forwarding must be enabled on all interfaces.
However, enabling forwarding between the two physical interfaces causes the VPN
server to route all IP traffic from the shared or public network to the intranet. To
protect the intranet from all traffic not sent by a VPN client, PPTP packet filtering
must be configured so that the VPN server only performs routing between VPN clients
and the intranet and not between potentially malicious users on the shared or public
network and the intranet." (from Microsoft Technet [29])
[29] http://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/inbe/inbe_vpn_hueq.asp
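An added sketch (not part of the original assignment or of Microsoft's text) of the default-deny input filter the quoted passage calls for on the public interface, evaluated over constructed packets. PPTP's use of TCP port 1723 and IP protocol 47 (GRE) is standard; the public address 203.0.113.10, the host 192.168.21.5 and the sample traffic are assumed placeholders, since the page does not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder: the page does not give the server's public address.
VPN_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
TCP, GRE = 6, 47  # IANA IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None for protocols without ports (GRE)


# Public-interface input filters: drop everything except what is listed here.
INPUT_FILTERS = [
    {"dst": VPN_PUBLIC_IP, "proto": TCP, "dport": 1723},  # PPTP control channel
    {"dst": VPN_PUBLIC_IP, "proto": GRE, "dport": None},  # PPTP tunnelled data
]


def permitted(pkt: Packet) -> bool:
    """Default-deny: accept only packets matching an explicit filter."""
    dst = ipaddress.ip_address(pkt.dst)
    return any(
        dst == f["dst"] and pkt.proto == f["proto"]
        and (f["dport"] is None or pkt.dport == f["dport"])
        for f in INPUT_FILTERS
    )


def audit(packets):
    """Return (packet, verdict) pairs for a list of inbound packets."""
    return [(p, "ACCEPT" if permitted(p) else "DROP") for p in packets]


# Constructed sample traffic arriving on the public interface.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", TCP, 1723),  # PPTP control
    Packet("198.51.100.7", "203.0.113.10", GRE),        # PPTP data
    Packet("198.51.100.9", "192.168.21.5", TCP, 445),   # aimed past the server at the intranet
    Packet("198.51.100.9", "203.0.113.10", TCP, 3389),  # non-VPN service on the server
]

if __name__ == "__main__":
    for pkt, verdict in audit(SAMPLE):
        print(f"{verdict:6} {pkt}")
```

Only the two PPTP flows addressed to the server itself are accepted; traffic that forwarding alone would have routed from the public side toward 192.168.21.0 is dropped before it reaches the routing decision.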