MCSE 05 Implementing of a Network Infrastructure 08 Theory

8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory
ADVANTAGE PRO Chennai's Premier Networking Training Center

  • Slide 1/80: Implementing IPSec in a Windows 2003 Network

  • Slide 2/80
    Introduction to IPSec
    Uses and planning
    Windows 2003 IPSec components
    Implementation and best practices of IPSec
    Troubleshooting and references
    What will not be covered in this discussion

  • Slide 3/80: Introduction to IPSec
    The history of IPSec
    Security properties of communications
    The need for IPSec
    Benefits of IPSec
    Windows 2003 IPSec design goals

  • Slide 4/80: Introduction to IPSec: History
    IPSec original work in 1992 by IEEE
    Originally a new feature for IP version 6
    Adapted for IP version 4
    RFC-based; currently in draft form
    Windows 2003 IPSec jointly developed with Cisco Systems, Inc. and Microsoft

  • Slide 5/80: Introduction to IPSec: Security Properties
    Non-repudiation
    Anti-replay
    Integrity
    Confidentiality

  • Slide 6/80: Introduction to IPSec: The Need for IPSec (part 1)
    Eavesdropping
    Data modification
    Identity spoofing (IP address spoofing)
    Password-based attacks

  • Slide 7/80: Introduction to IPSec: The Need for IPSec (part 2)
    Compromised-key attack
    Sniffer attack
    Application layer attack
    Denial of service attacks
    Man-in-the-middle attacks

  • Slide 8/80: Introduction to IPSec: Benefits of IPSec
    Provides end-to-end protection
    Provides defense against attacks internal to the network
    Transparent to applications

  • Slide 9/80: Benefits of IPSec (continued)
    Transparent to users
    Can be configured for specific users and groups
    Protects against the attacks previously mentioned

  • Slide 10/80: Introduction to IPSec: Windows 2003 Design Goals
    To protect IP packets
    To provide a defense against network attacks

  • Slide 11/80: Uses of IPSec
    IPSec as a protocol
    Authentication Headers (AH)
    Encapsulated Security Payload (ESP)

  • Slide 12/80: Uses of IPSec (continued)
    Internet Key Exchange (IKE)
    1. ISAKMP
    2. Oakley
    Cryptographic algorithms

  • Slide 13/80: Uses of IPSec: IPSec as a Protocol
    IPSec is a protocol, not a service
    Two protocols with unique headers on each IP packet
    1. Authentication Headers (AH)
    2. Encapsulated Security Payload (ESP)
    RFC 2401

  • Slide 14/80: Uses of IPSec: Authentication Headers
    Provides the following security properties
    1. Authentication
    2. Integrity
    3. Anti-replay
    Does not encrypt the data
    Data is readable but cannot be altered

  • Slide 15/80: Authentication Headers (continued)
    Both the IP header and data are signed
    Uses the HMAC algorithms
    RFC 2402

  • Slide 16/80: Uses of IPSec: Encapsulated Security Payload
    Provides the following security properties
    1. Authentication
    2. Integrity
    3. Anti-replay
    4. Confidentiality

  • Slide 17/80: Encapsulated Security Payload (continued)
    Can be used with Authentication Headers
    IP header is not signed unless it is tunneled
    Data is signed
    Uses DES and 3DES algorithms
    RFC 2406
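
The AH and ESP slides above say that AH signs both the IP header and the data, that transport-mode ESP leaves the IP header unsigned, and that both provide anti-replay. The Python below is an added example, not code from the slides: it models exactly that with a constructed IPv4 header and payload, HMAC-SHA1 truncated to 96 bits as in RFC 2404 (one of the RFCs the deck lists), and a 64-packet sliding anti-replay window. The key, addresses and payload are constructed, and it is not a wire-compatible AH/ESP implementation.

```python
# Added example (not from the slides): what AH and transport-mode ESP
# authenticate, and the anti-replay window both provide. Toy values throughout:
# the key, addresses and payload are constructed, and HMAC-SHA1-96 (RFC 2404)
# stands in for whichever HMAC algorithm the SA negotiated.
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key-not-for-real-use"  # constructed


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options, checksum left zero)."""
    def ip(a): return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0, ttl, proto, 0, ip(src), ip(dst))


def zero_mutable(hdr: bytes) -> bytes:
    """AH signs mutable fields (TTL at byte 8, checksum at bytes 10-11) as zero."""
    h = bytearray(hdr)
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(hdr: bytes, seq: int, payload: bytes) -> bytes:
    """AH: IP header (mutable fields zeroed) + sequence number + data are signed."""
    return hmac.new(KEY, zero_mutable(hdr) + struct.pack("!I", seq) + payload,
                    hashlib.sha1).digest()[:12]  # 96-bit truncation


def esp_icv(seq: int, payload: bytes) -> bytes:
    """Transport-mode ESP: only the ESP payload (here: seq + data) is signed;
    the outer IP header is not covered, as the slides note."""
    return hmac.new(KEY, struct.pack("!I", seq) + payload, hashlib.sha1).digest()[:12]


class ReplayWindow:
    """Sliding anti-replay window (RFC 2402/2406 style), 64 packets wide.
    Each sequence number is accepted once; old or duplicate ones are rejected."""
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (top - i) already received

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                      # sequence 0 is never valid
        if seq > self.top:                    # new high: slide the window up
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                 # too old: outside the window
            return False
        if self.bitmap & (1 << diff):         # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def demo() -> dict:
    """Signs one packet, then checks each mode's verdict when the IP source
    address is rewritten in flight (what NAT or a spoofing host does), when
    the data is altered, and when packets are replayed."""
    payload = b"GET /payroll HTTP/1.0\r\n"            # constructed cleartext
    hdr = ipv4_header("10.0.0.5", "10.0.0.9", 6, len(payload))
    seq = 1
    ah, esp = ah_icv(hdr, seq, payload), esp_icv(seq, payload)

    # Same packet at the receiver, but the IP source address was rewritten.
    rewritten = ipv4_header("192.0.2.1", "10.0.0.9", 6, len(payload))
    ah_ok = hmac.compare_digest(ah, ah_icv(rewritten, seq, payload))
    esp_ok = hmac.compare_digest(esp, esp_icv(seq, payload))

    # Data tampering is caught by both, since both sign the data.
    tampered = payload.replace(b"payroll", b"public!")
    ah_data_ok = hmac.compare_digest(ah, ah_icv(hdr, seq, tampered))
    esp_data_ok = hmac.compare_digest(esp, esp_icv(seq, tampered))

    # Anti-replay: seq 1 accepted once, its copy rejected, 2 accepted,
    # 100 accepted (window slides), then stale seq 3 rejected.
    win = ReplayWindow()
    replay = [win.accept(1), win.accept(1), win.accept(2),
              win.accept(100), win.accept(3)]
    return {"ah_survives_header_rewrite": ah_ok,
            "esp_survives_header_rewrite": esp_ok,
            "ah_accepts_tampered_data": ah_data_ok,
            "esp_accepts_tampered_data": esp_data_ok,
            "replay_verdicts": replay}


if __name__ == "__main__":
    print(demo())
```

The header-rewrite case is why AH alone does not survive address translation, while ESP in transport mode does: only the signed fields count.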

  • Slide 18/80: Uses of IPSec: IKE
    Internet Key Exchange
    Made up of ISAKMP and Oakley
    Standard method for building Security Associations and key exchange resolution

  • Slide 19/80: Uses of IPSec: ISAKMP
    Internet Security Association and Key Management Protocol
    Used to build a Security Association (SA)
    ISAKMP provides SA negotiation
    RFC 2408

  • Slide 20/80: Uses of IPSec: Oakley
    Oakley Key Determination Protocol
    Oakley is the second part of building the SA
    Provides the key exchange service
    RFC 2412
    Two modes
    1. Main mode: new key generation material and a new encryption key
    2. Quick mode: key generation material already exists; only a new encryption key is needed

  • Slide 21/80: Uses of IPSec: Cryptographic Algorithms
    IPSec as a protocol
    AH: HMAC-MD5 or HMAC-SHA
    ESP: DES (40 bit), DES-CBC, 3DES
    DH: Diffie-Hellman group for key material
    IPSec cryptography-related RFCs: 2085, 2104, 2403, 2404, 2405, 2407, 2410, 2451

  • Slide 22/80: Planning for IPSec: In This Section We Will Cover
    When to use IPSec
    When to use AH
    When to use ESP
    When to use AH and ESP
    When not to use IPSec
    Authentication methods

  • Slide 23/80: Planning for IPSec: When to Use AH
    When a secure connection is needed
    Must establish authentication of source
    Data itself is not sensitive
    Risk of packet capturing compromising data is low

  • Slide 24/80: Planning for IPSec: When to Use ESP
    When the data itself must be protected
    1. Financial information
    2. Proprietary information
    3. Sensitive information
    Use only when data protection is justified

  • Slide 25/80: Planning for IPSec: When to Use AH and ESP
    When a secure connection is needed
    Must establish authentication of source
    When the data itself must be protected
    When the security of the network offsets the performance cost of the additional processing
    Limit implementation to select hosts

  • Slide 26/80: Planning for IPSec: When Not to Use IPSec
    Only use if there is a security need
    SNMP
    Security gateways
      Input filters
      Output filters
    DHCP, WINS, and DNS servers
    Domain controllers
    Down-level clients

  • Slide 27/80: Planning for IPSec: Authentication Methods
    Supported IPSec authentication methods
    1. Kerberos version 5.0
    2. Public key certificate authorities
    3. Microsoft Certificate Server
    4. Pre-shared key

  • Slide 28/80: Windows 2003 IPSec Components: In This Section We Will Cover
    IPSec Policy Agent service
    Security Associations
    Key protection
    IPSec driver

  • Slide 29/80: Windows 2003 IPSec Components: IPSec Policy Agent Service (part 1)
    Main tasks
    Retrieve the IP Security policy
    Deliver policy to IPSec driver and ISAKMP
    Periodically poll for new policies
    Update or replace IPSec/ISAKMP policies
    Check for local IP address changes and update the IP filters

  • Slide 30/80: (no extractable text)

  • Slide 31/80: IPSec Policy Agent Service (continued)
    Local policy
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy\Local
    Polling

  • Slide 32/80: Windows 2003 IPSec Components: Security Associations (part 1)
    Mutually agreed upon key, protocol, and security parameter index that define the security level between sender and receiver
    Phase I SA: ISAKMP SA
    1. Policy negotiation
    2. DH exchange
    3. Authentication

  • Slide 33/80: Windows 2003 IPSec Components: Security Associations (part 2)
    Phase II SA: IPSec driver SA
    1. Policy negotiation
    2. Session key material refresh or exchange
    3. SAs and keys passed to IPSec driver
    SA lifetimes

  • Slide 34/80: Windows 2003 IPSec Components: Key Protection
    Key lifetimes
    Perfect Forward Secrecy (PFS)
    1. Phase I: master key PFS
    2. Phase II: session key PFS
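
Slide 20's Main mode versus Quick mode and slide 34's session-key PFS can be seen together in a toy key derivation. The Python below is an added example, not code from the slides: it uses a tiny Diffie-Hellman group, HMAC-SHA256 standing in for IKE's negotiated PRF, and constructed nonces, and shows that a party who later obtains the Phase I master key material plus a capture of the Quick mode exchange can recompute a session key derived without PFS but not one derived with PFS. Phase I master-key PFS (re-running the Main mode exchange itself) is not modelled.

```python
# Added example (not from the slides): toy model of Oakley Main mode (Phase I)
# and Quick mode (Phase II) key derivation, with and without session-key PFS.
# The DH group (p = 2**127 - 1, g = 2), the PRF choice and the nonce sizes are
# constructed stand-ins; real IKE uses the groups and PRFs of RFC 2409/2412.
import hmac
import hashlib
import secrets

P = 2**127 - 1   # toy prime (Mersenne M127); far too small for real use
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF; HMAC-SHA256 stands in for IKE's negotiated PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair() -> tuple:
    """Private exponent and public value for the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def main_mode() -> dict:
    """Phase I: one DH exchange yields shared key material (the 'master key').
    Returns the secret material and what crossed the wire."""
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # nonces, sent in clear
    shared_a = pow(yb, xa, P)
    shared_b = pow(ya, xb, P)
    assert shared_a == shared_b
    master = prf(ni + nr, to_bytes(shared_a))      # SKEYID-style master key material
    return {"master": master, "wire": {"ya": ya, "yb": yb, "ni": ni, "nr": nr}}


def quick_mode(master: bytes, spi: int, pfs: bool) -> dict:
    """Phase II: derive a fresh session key. Without PFS the key depends on the
    Phase I master material plus values sent in clear; with PFS a new DH
    exchange adds secret material the master key does not cover."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"ni": ni, "nr": nr, "spi": spi}
    fresh = b""
    if pfs:
        xa, ya = dh_keypair()
        xb, yb = dh_keypair()
        fresh = to_bytes(pow(yb, xa, P))           # new DH secret, never on the wire
        wire.update({"ya": ya, "yb": yb})
    key = prf(master, fresh + spi.to_bytes(4, "big") + ni + nr)
    return {"session_key": key, "wire": wire}


def recover_with_master(master: bytes, wire: dict) -> bytes:
    """What a holder of the master key material and a capture of the Quick mode
    exchange can compute: the derivation over public values only."""
    return prf(master, wire["spi"].to_bytes(4, "big") + wire["ni"] + wire["nr"])


def demo() -> dict:
    phase1 = main_mode()
    plain = quick_mode(phase1["master"], spi=0x1000, pfs=False)
    with_pfs = quick_mode(phase1["master"], spi=0x1001, pfs=True)
    leaked = phase1["master"]      # assume the Phase I material is later compromised
    return {
        "no_pfs_key_recovered": hmac.compare_digest(
            recover_with_master(leaked, plain["wire"]), plain["session_key"]),
        "pfs_key_recovered": hmac.compare_digest(
            recover_with_master(leaked, with_pfs["wire"]), with_pfs["session_key"]),
    }


if __name__ == "__main__":
    print(demo())
```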

  • Slide 35/80: Windows 2003 IPSec Components: IPSec Driver
    Responsible for
    1. Stores existing filters and policy IDs
    2. Checks each IP packet for a match to a policy filter
    3. Requests SA negotiations from ISAKMP for new connections

  • Slide 36/80: IPSec Driver (continued)
    4. Stores existing SAs
    5. Implements IPSec policy as defined in SAs
    6. Tracks key lifetime and number of bytes transformed, to request new keys
    7. Updates SA changes and deletes expired SAs

  • Slide 37/80: Implementation of IPSec: In This Section We Will Cover
    Policies and policy inheritance
    Rules
    IP packet filtering
    Filter actions
    Connection types
    Authentication

  • Slide 38/80: Implementation of IPSec: Policies
    IP Security Management snap-in
    Predefined policies
      Client (respond only)
      Server (request security)
      Server (require security)
    Policy inheritance

  • Slide 39/80: Implementation of IPSec: Rules
    Determine how and when a policy is used
    Provide customization of policy based on source, destination, and specific IP traffic
    Rules are made up of five components:
    1. Connection type
    2. Authentication methods
    3. IP filter list
    4. Filter action
    5. Tunnel settings

  • Slide 40/80: Implementation of IPSec: IP Packet Filtering
    Determines what packet types the security policy will apply to
    Set for both incoming and outgoing traffic
    Contains the following parameters
    1. The source and destination address of the IP packet
    2. The protocol used to transport the packet
    3. Source and destination port of the protocol

  • Slide 41/80: Implementation of IPSec: Filter Actions
    Defaults
      Permit
      Block
      Negotiate security
    Custom
      Accept unsecured, respond with IPSec
      Allow unsecured communication with non-IPSec-aware computers

  • Slide 42/80: Implementation of IPSec: Connection Types
    Rule properties: Connection Type tab
    All network connections
    Local area network
    Remote access

  • Slide 43/80: Implementation of IPSec: Authentication Methods
    Kerberos
    Certificates
      Trusted certificate authority
      Microsoft Certificate Server
    Preshared key

  • Slide 44/80: Best Practices for IPSec: In This Section We Will Cover
    Evaluate network data
    Determine network data flow
    Design a network security plan
    Configure and test in a lab before deploying
    IP filter lists
    Things to consider (SNMP, DNS, DHCP, WINS, DCs, and performance)

  • Slide 45/80: Best Practices for IPSec: Evaluating Network Data
    What types of data travel the network
      Financial data
      HR data
      Legal data
      Proprietary
      Classified

  • Slide 46/80: Evaluating Network Data (continued)
    Risk of this information being compromised
    Some data will require different protection

  • Slide 47/80: Best Practices for IPSec: Determining Network Data Flow
    Once the type of data is determined
      Where is the data stored
      How does it route through the network

  • Slide 48/80: Determining Network Data Flow (continued)
      What hosts access the data
    While gathering information, also look at
      Network speed
      Bandwidth
    This will assist with optimization issues later

  • Slide 49/80: Best Practices for IPSec: Designing a Network Security Plan
    Evaluate your risk of attacks
    Other security measures employed
    Communications scenario

  • Slide 50/80: Designing a Network Security Plan (continued)
    Level of security needed
    Strive for a well-balanced deployment of security measures

  • Slide 51/80: Best Practices for IPSec: IP Filter Lists
    Filter lists
      Try to use general filters
      Set up filters for logical network segments
      Filter display order versus filter applied order
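
Slide 40's filter parameters, slide 41's filter actions and slide 51's "filter display order versus filter applied order" fit together in a small model. The Python below is an added example, not code from the slides or from Windows: each filter carries source and destination address, protocol and ports, is mirrored so it also matches the reply direction, and the most specific matching filter decides the action regardless of its position in the list. Windows does apply the most specific filter first, but the weighting used here (prefix length, then named protocol, then fixed ports) is an assumption of this model, and the filter names, addresses and ports are constructed.

```python
# Added example (not from the slides): IPSec filter-list evaluation in miniature.
# Filters are listed in display order; applied order is most specific first,
# so a general "all IP traffic -> Negotiate" entry listed first does not
# swallow the specific Permit entries for infrastructure servers.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass
class Filter:
    name: str
    src: str             # "any" or a CIDR such as "10.1.0.0/16" or "10.1.0.10/32"
    dst: str
    proto: str           # "any", "tcp", "udp", "icmp"
    src_port: Optional[int]
    dst_port: Optional[int]
    action: str          # "Permit", "Block", "Negotiate security"
    mirrored: bool = True

    def _addr_match(self, pattern: str, addr: str) -> bool:
        return pattern == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

    def _one_way(self, src, dst, proto, sport, dport) -> bool:
        return (self._addr_match(self.src, src) and self._addr_match(self.dst, dst)
                and self.proto in (ANY, proto)
                and self.src_port in (None, sport)
                and self.dst_port in (None, dport))

    def matches(self, pkt: dict) -> bool:
        if self._one_way(pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"]):
            return True
        # A mirrored filter also matches the reply direction (addresses and ports swapped).
        return self.mirrored and self._one_way(pkt["dst"], pkt["src"], pkt["proto"],
                                               pkt["dport"], pkt["sport"])

    def specificity(self) -> tuple:
        """Assumed weighting: longer address prefixes, a named protocol and fixed
        ports each make a filter more specific than a wildcard in that field."""
        def prefix(p): return 0 if p == ANY else ipaddress.ip_network(p).prefixlen
        return (prefix(self.src) + prefix(self.dst),
                self.proto != ANY,
                (self.src_port is not None) + (self.dst_port is not None))


def applied_order(filters: list) -> list:
    """Display order is the list order; applied order is most specific first."""
    return sorted(filters, key=lambda f: f.specificity(), reverse=True)


def decide(filters: list, pkt: dict) -> tuple:
    """Return (winning filter name, action), or (None, 'no match')."""
    for f in applied_order(filters):
        if f.matches(pkt):
            return f.name, f.action
    return None, "no match"


# Constructed filter list in display order; the general rule is listed first.
FILTERS = [
    Filter("All IP traffic", ANY, ANY, ANY, None, None, "Negotiate security"),
    Filter("DNS to 10.1.0.53", ANY, "10.1.0.53/32", "udp", None, 53, "Permit"),
    Filter("Domain controller", ANY, "10.1.0.10/32", ANY, None, None, "Permit"),
    Filter("Block telnet", ANY, "10.1.0.0/16", "tcp", None, 23, "Block"),
]


def demo() -> dict:
    """Constructed packets: a DNS query and its reply, a file-share session,
    a telnet attempt and a Kerberos request to the domain controller."""
    pkts = {
        "dns_query": {"src": "10.1.5.7", "dst": "10.1.0.53", "proto": "udp", "sport": 3050, "dport": 53},
        "dns_reply": {"src": "10.1.0.53", "dst": "10.1.5.7", "proto": "udp", "sport": 53, "dport": 3050},
        "file_share": {"src": "10.1.5.7", "dst": "10.1.0.20", "proto": "tcp", "sport": 3051, "dport": 445},
        "telnet": {"src": "10.1.5.7", "dst": "10.1.0.20", "proto": "tcp", "sport": 3052, "dport": 23},
        "kerberos": {"src": "10.1.5.7", "dst": "10.1.0.10", "proto": "tcp", "sport": 3053, "dport": 88},
    }
    return {name: decide(FILTERS, p) for name, p in pkts.items()}


if __name__ == "__main__":
    print("applied order:", [f.name for f in applied_order(FILTERS)])
    for name, verdict in demo().items():
        print(name, verdict)
```

The Permit entries are the slide-26 exemptions (DNS, domain controllers) made concrete; they are also the unsecured paths a rogue computer can use, which is the slide-52 caution.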

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    52/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Filter ActionsFilter Actions

    Rogue computersRogue computers

    ESP and custom security methodsESP and custom security methods

    RAS and knownRAS and known--key attackskey attacks

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    53/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Best Practices for IPSecBest Practices for IPSecSpecial ServicesSpecial Services

    SNMPSNMP

    Security gatewaysSecurity gateways

    DHCP, DNS, WINSDHCP, DNS, WINS

    Domain controllersDomain controllers

    DownDown--level clientslevel clients

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    54/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Best Practices for IPSecBest Practices for IPSec IPSec one part of a security foundationIPSec one part of a security foundation

    Designed for intranet not perimeterDesigned for intranet not perimeter

    Security is a balance ofSecurity is a balance of

    Perimeter securityPerimeter security

    User access controlUser access control

    Physical securityPhysical security

    IPSec is endpoint to endpointIPSec is endpoint to endpoint

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    55/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Troubleshooting IPSecTroubleshooting IPSec

    System/Security logs and routesSystem/Security logs and routes

    Ping and IPSec monitorPing and IPSec monitor

    Network monitorNetwork monitor

    Policy AgentPolicy Agent

    Log filesLog files

    Knowledge BaseKnowledge Base

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    56/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Troubleshooting IPSecTroubleshooting IPSecSystem/Security Logs and RoutesSystem/Security Logs and Routes Event ViewerEvent Viewer

    System Event logSystem Event log

    Security Event logSecurity Event log

    Default RoutesDefault Routes

    Multiple routes of 0.0.0.0 or lowest metricMultiple routes of 0.0.0.0 or lowest metric

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    57/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Troubleshooting IPSecTroubleshooting IPSecPING and IPSec MonitorPING and IPSec Monitor CommandsCommands

    PingPing

    IPSec MonitorIPSec Monitor Ipsecmon.exeIpsecmon.exe

    Is IPSec enabled on hostIs IPSec enabled on host

    Displays current SAs on hostDisplays current SAs on host

    Displays whether the SAs are hard or softDisplays whether the SAs are hard or soft

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    58/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Troubleshooting IPSecTroubleshooting IPSec Network MonitorNetwork Monitor Windows 2000 Network Monitor can view AH and ESPWindows 2000 Network Monitor can view AH and ESPpacketspackets

    AHAH IP packet 51IP packet 51

    ESPESP IP packet 50IP packet 50

    ESP packet data is not visibleESP packet data is not visible

    ISAKMP/OakleyISAKMP/Oakley UDP port 500UDP port 500

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    59/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Troubleshooting IPSecTroubleshooting IPSecPolicy AgentPolicy Agent

    ServicesServices Policy Agent ServicePolicy Agent Service

    Start, stop, and restart Policy AgentStart, stop, and restart Policy Agent

    Clears out old SasClears out old Sas

    Refreshes policies from Active DirectoryRefreshes policies from Active Directory

    Allows the restarting of the IPSec driverAllows the restarting of the IPSec driver

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    60/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Policy Agent log filePolicy Agent log file

    Ipsecpa.logIpsecpa.log

    Broken links in Policy AgentBroken links in Policy Agent

    Policy Agent checkPolicy Agent check

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    61/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Troubleshooting IPSecTroubleshooting IPSecLog FilesLog Files Oakley logOakley log

    HKEY_LOCAL_MACHINEHKEY_LOCAL_MACHINE\\SYSTEMSYSTEM\\CCSCCS\\ServicesServices\\

    PolicyAgentPolicyAgent\\OakleyOakley

    Add REG_DWORD : DebugAdd REG_DWORD : Debug

    Value: 1Value: 1

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    62/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    63/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    Network Address Translation (NAT)Network Address Translation (NAT)

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    64/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    IntroductionIntroduction

    With network address translation (NAT) in WindowsWith network address translation (NAT) in Windows

    2003, you can configure your network to share a single2003, you can configure your network to share a single

    connection to the Internet.connection to the Internet.

    Fewer Internet valid IP addresses are needed.Fewer Internet valid IP addresses are needed.

    Improved security because clients are not directly on theImproved security because clients are not directly on the

    Internet.Internet.

  • 8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory

    65/80

    ADVANTAGE PRO Chennais Premier Networking Training Center

    IntroductionIntroduction (2)(2)

    Internet Connection Sharing (ICS) is included withInternet Connection Sharing (ICS) is included with

    Windows 2003 Professional and higher.Windows 2003 Professional and higher.

    Network address translation (NAT) is included withNetwork address translation (NAT) is included with

    Windows 2000 Server and higher.Windows 2000 Server and higher.

    This presentation focuses on network addressThis presentation focuses on network address

    translation.translation.


    Components

    NAT consists of the following three components:

    Translation

    Addressing

    Name Resolution


    Components: Translation

    NAT translates the IP addresses and TCP/UDP port numbers of packets that are forwarded between the private network and the Internet.

    The packets sent out of NAT have a source IP address of the NAT machine.

    Therefore, external machines are never aware that NAT is being used.


    Components: Addressing

    The addressing component is a simplified DHCP server called the DHCP allocator.

    Either the DHCP allocator or an existing DHCP server can be used.


    Components: Name Resolution

    The name resolution component of NAT is the DNS Proxy.

    Either the DNS proxy or an existing DNS server can be used.


    NAT Configuration

    NAT is configured in the Routing and Remote Access service snap-in:

    In the snap-in, expand IP Routing

    Right-click General and click New Routing Protocol

    Select Network Address Translation (NAT) and then click OK


    NAT Configuration (2)

    After NAT is installed, it is necessary to specify a public and a private interface.

    Right-click Network Address Translation (NAT)

    Choose New Interface

    Select the external interface and then click OK


    Specify this interface as the public interface and enable Translate TCP/UDP Headers (recommended)

    Repeat the process for the internal interface and specify this as the private interface


    Client Configuration

    Clients behind NAT can be:

    Configured as DHCP clients (addresses leased by the DHCP allocator)

    Configured as DHCP clients (addresses leased by an existing DHCP server)

    Statically configured clients


    Static Mapping: Address Pool

    Address Pool:

    NAT also gives us the functionality to create a one-to-one mapping between an external IP address and an internal IP address

    Add the external IP address to the Address Pool list

    Click Reservations and specify the external and internal IP addresses

    Also enable Allow incoming sessions to this address


    NAT Editors

    NAT performs TCP port and UDP port translation, in addition to IP address translation

    If an application stores IP address or port information within its own header (like the FTP PORT command), a NAT editor is needed

    Two editors that Windows 2000 includes are FTP and PPTP

    Any service that encrypts these headers won't work (like IPSec)
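The FTP case from this slide, as an added Python model that is neither the deck's nor Windows' NAT editor code: the client's PORT command carries its private address and data port inside the payload, so the editor has to parse the command, rewrite it with the public address and a public port, and tell the NAT which inbound session to expect. The function name, the documentation address 203.0.113.10 standing in for the slides' 204.x.1.10, and the sample commands are this example's own assumptions.

```python
import re

# FTP "PORT h1,h2,h3,h4,p1,p2": four address octets, then the port as high and low byte.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def rewrite_port_command(payload, private_ip, public_ip, public_port):
    """Constructed FTP NAT editor. Rewrites the private address/port the client put in
    its PORT command to the public ones and returns (new payload, inbound mapping the
    NAT must install, change in payload length). Returns None when the payload is not a
    parseable PORT command, which is exactly the state an ESP-encrypted payload is in."""
    m = PORT_RE.match(payload)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    embedded_ip = ".".join(str(x) for x in fields[:4])
    embedded_port = fields[4] * 256 + fields[5]
    if embedded_ip != private_ip:
        return None                        # not the host this mapping belongs to
    octets = public_ip.split(".") + [str(public_port // 256), str(public_port % 256)]
    new_payload = b"PORT " + ",".join(octets).encode("ascii") + b"\r\n"
    mapping = (public_port, (private_ip, embedded_port))   # server's data connection lands here
    # A real editor must also fix TCP sequence/ack numbers when the payload length changes.
    return new_payload, mapping, len(new_payload) - len(payload)
```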


    Outgoing PPTP Client Through NAT

    [Figure: hosts labelled a, b and c and a PPTP server; private addresses 10.0.0.1 to 10.0.0.4; NAT with public address 204.x.1.10; Internet.]


    Outgoing PPTP Client Through NAT (2)

    [Figure: same topology; hosts a, b and c, the PPTP server, private addresses 10.0.0.1 to 10.0.0.4, NAT with public address 204.x.1.10, Internet.]

    Connection request to port 1723 from c, source 10.0.0.4, port 1025.

    10.0.0.4, port 1025 mapped to 204.x.1.10, port 2000.

    Connection request from c forwarded with source 204.x.1.10, port 2000.

    Request received and accepted.

    During configuration, the PPTP server assigns 192.10.10.2 to c's VPN.

    Tunnel established.


    Outgoing PPTP Client Through NAT (3)

    [Figure: same topology; hosts a, b and c, the PPTP server, private addresses 10.0.0.1 to 10.0.0.4, NAT with public address 204.x.1.10, Internet.]

    Original packet has app data, TCP, UDP, etc., source 192.10.10.2.

    PPP and GRE headers added. Encapsulated packet has source 10.0.0.4, destination PPTP server.

    Original packet not touched, source 192.10.10.2. Encapsulated packet's IP address translated: source 204.x.1.10, destination PPTP server.

    Original packet not touched, source 192.10.10.2. Encapsulation removed by the PPTP server.
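The translation component, the one-to-one reservation from the Static Mapping slide and the port mapping in the PPTP walk-through above, as an added Python model that is not part of the deck or of the Windows NAT implementation. The Packet and Nat classes are this example's own; the public address 204.x.1.10 is kept exactly as the slides write it, and the extra pool addresses and peer addresses used when running it are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Constructed IP/TCP header fields; the payload is out of scope here."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Model of the deck's translation component plus address-pool reservations."""

    def __init__(self, public_ip="204.x.1.10", first_port=2000):
        self.public_ip = public_ip    # the slides' placeholder public address, kept verbatim
        self.next_port = first_port   # the walk-through hands out port 2000 first
        self.out_map = {}             # (private ip, port) -> public port
        self.in_map = {}              # public port -> (private ip, port)
        self.reservations = {}        # pool address -> (private ip, allow incoming sessions)
        self.sessions = set()         # (pool address, port, peer ip, port) seen outbound

    def reserve(self, public_ip, private_ip, allow_incoming=False):
        """One-to-one mapping from the address pool (the Reservations dialog)."""
        self.reservations[public_ip] = (private_ip, allow_incoming)

    def outbound(self, pkt):
        """Private -> Internet: rewrite the source so the peer only ever sees the NAT."""
        for pub_ip, (priv_ip, _) in self.reservations.items():
            if priv_ip == pkt.src_ip:  # reserved host: the address changes, the port is kept
                self.sessions.add((pub_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return replace(pkt, src_ip=pub_ip)
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:   # first packet of a session: allocate a public port
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt):
        """Internet -> private: reverse a known mapping, or return None to drop the packet."""
        if pkt.dst_ip in self.reservations:
            priv_ip, allow_incoming = self.reservations[pkt.dst_ip]
            is_reply = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions
            return replace(pkt, dst_ip=priv_ip) if (allow_incoming or is_reply) else None
        target = self.in_map.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        if target is None:            # no session: an unsolicited packet never reaches a client
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])
```

The only reason an Internet host cannot reach a client here is that no mapping exists for it; the model drops, rather than filters, so it is not a substitute for a firewall.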


    ALL THE BEST