14381_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 1
CCNA Security:
A New Associate Level
Career Path Option
BRKCRT-1104
Disclaimer
Do not repeat the exercises demonstrated during this
presentation on any network for which you do not have complete
authorization to do so. The demonstrations are carried out on an
isolated network within the Global Knowledge remote labs
environment. Practicing similar exercises outside of this
environment requires many considerations including, but not
limited to:
1. Many organizations have security policies explicitly forbidding the use of
these types of tools on their networks. Job termination and/or criminal
prosecution may be the penalty.
2. Often these types of tools are distributed with hidden malware. By installing
such tools you may unknowingly also be installing keystroke loggers, back
doors, or other types of malware.
3. Use of these types of tools with targets that are owned by other entities
may violate local, state and/or federal laws.
Attack Anywhere, Attack Everywhere
fingerd
Buffer overflow: fingerd expected a maximum of 512 bytes of input, but didn't verify the length of what it received
The vulnerability existed in both target operating systems, but the exploit was only written for BSD on the DEC VAX
rsh/rexec
Checked the local .rhosts and /etc/hosts.equiv files for trust relationships
Needed to crack a username/password
Tried common combinations for the password, such as the username, first name, last name and last name + first name
If those attempts failed, it used /usr/dict/words and tried every word in the dictionary
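Added example (not from these slides and not the worm's own code): a Python model of the password guessing just described. It parses constructed /etc/passwd-style records, tries the account-derived guesses (username, first name, last name, last name + first name) before falling back to the dictionary, and reuses the same candidate list as a password-policy check. SHA-256 stands in for the DES crypt() hashes of a 1988 password file; the records, passwords and word list are constructed for the example.

```python
import hashlib


def h(password: str) -> str:
    # Assumption: SHA-256 stands in for the DES crypt() hashes of a 1988 /etc/passwd
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed /etc/passwd-style records: name:hash:uid:gid:GECOS (full name):home:shell
SAMPLE_PASSWD = "\n".join([
    f"alice:{h('alice')}:1001:100:Alice Liddell:/home/alice:/bin/sh",
    f"bob:{h('BuilderBob')}:1002:100:Bob Builder:/home/bob:/bin/sh",
    f"carol:{h('zebra')}:1003:100:Carol King:/home/carol:/bin/sh",
    f"dave:{h('Tr0ub4dor&3')}:1004:100:Dave Jones:/home/dave:/bin/sh",
])

# Constructed stand-in for /usr/dict/words
SAMPLE_DICT = ["apple", "banana", "password", "zebra", "cisco"]


def parse_passwd(text: str):
    """Return (name, hash, gecos) per record; in 1988 the hash field was world-readable."""
    users = []
    for line in text.splitlines():
        name, hashed, _uid, _gid, gecos, _home, _shell = line.split(":")
        users.append((name, hashed, gecos))
    return users


def candidates(username: str, gecos: str, dictionary):
    """Guesses in the worm's order: account-derived words first, then the dictionary."""
    parts = gecos.split()
    first = parts[0] if parts else ""
    last = parts[-1] if len(parts) > 1 else ""
    for guess in (username, first, last, last + first):
        if guess:
            yield guess
    yield from dictionary


def crack(passwd_text: str, dictionary):
    """Offline guessing: hash each candidate and compare; no login attempts, so no lockout."""
    found = {}
    for name, hashed, gecos in parse_passwd(passwd_text):
        for guess in candidates(name, gecos, dictionary):
            if h(guess) == hashed:
                found[name] = guess
                break
    return found


def is_weak(username: str, gecos: str, password: str, dictionary) -> bool:
    """Policy check: reject any password the worm's strategy would have guessed."""
    return password in set(candidates(username, gecos, dictionary))


if __name__ == "__main__":
    print(crack(SAMPLE_PASSWD, SAMPLE_DICT))
```

Three of the four constructed accounts fall: alice to her own username, bob to last name + first name, carol to a dictionary word; only the password that appears in no candidate list survives, which is exactly what is_weak enforces.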
Hiding itself:
Hid itself from the ps command
Unlinked its files so they wouldn’t show up with the ls command
The Main Point: If the very first Internet worm was this
clever, imagine how clever they have become over the
last 20 years!
Multiple vectors
Dictionary cracking
Using local resources (C compiler, dictionary file)
Evasion of detection
Intelligent location of other networks
Smurf Attack
Target: 200.1.1.1
Intermediaries: the 171.1.0.0/16 network
The attacker sends ICMP ECHO requests with a spoofed SRC=200.1.1.1 (the target) and DST=171.1.255.255 (the directed broadcast address of the intermediary network)
Every host on 171.1.0.0/16 answers with an ICMP ECHO reply to 200.1.1.1, so the intermediaries amplify the attacker's traffic against the target
TCP idle (IP ID) scan
1) The attacker probes the zombie with an unsolicited SYN/ACK and records the IP ID = n carried by the zombie's RST
2) The attacker sends a SYN to the target port with the source address spoofed as the zombie
   Open port: the target's response to the zombie is a SYN/ACK packet; the zombie answers it with a TCP RST, so its IP ID becomes n+1
   Closed port: the target's response to the zombie is a TCP RST packet; the zombie doesn't respond to the RST, so its IP ID is unchanged
The attacker probes the zombie again: an IP ID that advanced by two means the port is open, by one means it is closed (or filtered)
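Added example (not from these slides): a Python simulation of the idle scan above with all three parties modelled, so the inference rule can be checked without sending a packet. The zombie increments a global IP ID on every packet it sends; the attacker only ever addresses the zombie directly. The background_packets field is an assumption added to show why the zombie has to be genuinely idle: unrelated traffic burns IP IDs and makes the result unreliable. Addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Zombie:
    """Idle host whose IP ID counter increments globally on every packet it sends."""
    ip: str
    ipid: int = 1000
    background_packets: int = 0   # >0 models a zombie that is not really idle

    def send(self) -> int:
        self.ipid += 1
        return self.ipid

    def receive(self, segment):
        # Unsolicited SYN/ACK -> RST (consumes an IP ID); unsolicited RST -> silently ignored
        reply = None
        if segment["flags"] == "SA":
            reply = {"src": self.ip, "dst": segment["src"], "flags": "R", "ipid": self.send()}
        for _ in range(self.background_packets):   # unrelated traffic also burns IP IDs
            self.send()
        return reply


@dataclass
class Target:
    ip: str
    open_ports: frozenset

    def receive(self, segment):
        # SYN to an open port -> SYN/ACK; SYN to a closed port -> RST (a filtered port answers nothing)
        if segment["flags"] != "S":
            return None
        flags = "SA" if segment["dport"] in self.open_ports else "R"
        return {"src": self.ip, "dst": segment["src"], "flags": flags, "ipid": 0}


def probe_ipid(zombie: Zombie, attacker_ip: str) -> int:
    """Attacker sends an unsolicited SYN/ACK to the zombie and reads the IP ID of its RST."""
    rst = zombie.receive({"src": attacker_ip, "dst": zombie.ip, "flags": "SA"})
    return rst["ipid"]


def idle_scan(zombie: Zombie, target: Target, port: int, attacker_ip: str = "192.0.2.99") -> str:
    """Scan one port; the attacker never sends the target a packet carrying its own address."""
    before = probe_ipid(zombie, attacker_ip)
    spoofed_syn = {"src": zombie.ip, "dst": target.ip, "flags": "S", "dport": port}
    reply = target.receive(spoofed_syn)          # delivered to the zombie, not the attacker
    if reply is not None:
        zombie.receive(reply)
    after = probe_ipid(zombie, attacker_ip)
    delta = after - before
    if delta == 2:
        return "open"                            # zombie answered the SYN/ACK with a RST
    if delta == 1:
        return "closed|filtered"                 # zombie saw a RST (or nothing) and stayed quiet
    return "unreliable"                          # extra IP IDs: the zombie is not idle


def scan_ports(zombie: Zombie, target: Target, ports):
    return {p: idle_scan(zombie, target, p) for p in ports}
```

The "unreliable" branch is the practical caveat: a busy zombie produces deltas other than one or two, so real scanners probe several times and pick hosts whose IP ID sequence is quiet and strictly incremental.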
Global Knowledge: Cisco Security Remote Labs (lab topology diagram; Data-Srv at 10.10.1.10)
ARP spoofing (diagram)
Host A: IP 10.1.1.2, MAC A.A.A.A
Host B: IP 10.1.1.1, MAC B.B.B.B
Attacker C: IP 10.1.1.3, MAC C.C.C.C
3. Subsequent gratuitous ARP replies from C overwrite the legitimate replies:
ARP table in Host A: 10.1.1.1 = MAC C.C.C.C
ARP table in Host B: 10.1.1.2 = MAC C.C.C.C
Result: 10.1.1.1 is bound to C.C.C.C and 10.1.1.2 is bound to C.C.C.C, so traffic between A and B flows through the attacker
www.sectools.org
www.remote-exploit.org
Agenda
Introduction
Disclaimer
Attack Methodologies
Security Policy
Cryptography Fundamentals
Securing Administrative Access
Firewall
VPN
IPS
Layer 2 Security
Sample Questions
Answer Key
Security lifecycle (diagram, a cycle): Initiation, Security Policy, Implementation, Operations and Maintenance
Security Policy
Policies, Guidelines, Standards
Industry Best Practices
Security System
Security Operations: Incident Response, Monitoring and maintenance, Compliance Audit
Reading List
SANS Security Policy Project:
http://www.sans.org/resources/policies/
What:
Cryptography: from the Greek kryptó (hidden) and gráfo (to write)
Cryptology: from the Greek kryptó (hidden) and legein (to speak)
Why:
Confidentiality and privacy (encryption)
Origin authentication
Data integrity
Examples:
MD5: 128-bit output
SHA-1: 160-bit output
(Both are now considered broken for collision resistance; prefer SHA-2 for new designs)
Hash for integrity (diagram): the sender runs the message ("Time is X") through the hash function, obtains 4ehIDx67NMop9, and transmits message + hash; the receiver runs the received message through the same hash function and compares its own result (4ehIDx67NMop9) with the hash that arrived
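Added example (not from these slides): the message + hash scheme above in Python, followed by the check a practitioner wants to see. A plain hash catches accidental corruption, but a man in the middle who can rewrite the message can just recompute the hash, so it gives no origin authentication; a keyed hash (HMAC) over the same message does, because the forger lacks the key. Message and key are constructed; the HMAC uses SHA-256 and the comparison uses hmac.compare_digest so that it runs in constant time.

```python
import hashlib
import hmac


def digest_bits():
    """Output sizes from the slide: MD5 128 bits, SHA-1 160 bits."""
    return {"md5": hashlib.md5().digest_size * 8, "sha1": hashlib.sha1().digest_size * 8}


def send_with_hash(message: bytes):
    """Sender appends a plain hash: protects against accidental corruption only."""
    return message, hashlib.sha1(message).hexdigest()


def verify_hash(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hashlib.sha1(message).hexdigest(), tag)


def tamper_hash(message: bytes, _tag: str):
    """Man in the middle rewrites the message and recomputes the hash; no key is needed."""
    forged = message.replace(b"X", b"Y")
    return forged, hashlib.sha1(forged).hexdigest()


def send_with_hmac(key: bytes, message: bytes):
    """Keyed hash (HMAC): only holders of the key can produce a valid tag."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the check does not leak how many bytes matched
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).hexdigest(), tag)


def tamper_hmac(message: bytes, _tag: str, guessed_key: bytes = b"not the real key"):
    """Same rewrite; without the shared key the attacker can only guess a tag."""
    forged = message.replace(b"X", b"Y")
    return forged, hmac.new(guessed_key, forged, hashlib.sha256).hexdigest()
```

verify_hash accepts the tampered message, verify_hmac rejects it: integrity against an adversary needs a key, which is why the later IPsec and SSH slides pair encryption with an HMAC rather than a bare hash.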
16. What is the chance that someone could use "DES Cracker"-like hardware to crack an AES key?
In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.
Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second, half of the 2^56-key DES space, which is the average number of guesses needed), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key (2^127 guesses on average, i.e. 2^72 seconds). To put that into perspective, the universe is believed to be less than 20 billion years old.
Securing Administrative Access
Implementing AAA
AAA components (diagram): the AAA client (Network Access Server, e.g. the router) speaks TACACS+ or RADIUS to Cisco Secure ACS for Windows, which checks credentials against its local database or a variety of external databases
aaa new-model
!
! Login: try the TACACS+ group first, fall back to the local user database if no server answers
aaa authentication login default group tacacs+ local
! TACACS_ONLY has no fallback: if every TACACS+ server is unreachable, lines using it cannot be logged into
aaa authentication login TACACS_ONLY group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Accounting needs a method-list name (default) and the group keyword
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
tacacs-server host 10.0.1.11 key Secretf0rAcs
!
line vty 0 4
 login authentication TACACS_ONLY
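Added example (not from these slides and not Cisco's code): what the tacacs-server key above actually protects. TACACS+ does not encrypt its packet body with a cipher; it XORs the body with an MD5 keystream derived from the session ID, the shared key, the version byte and the sequence number, so anyone holding the key can decode captured traffic and a weak key is an offline-guessable one. The code builds an authentication START packet for a constructed login, applies the obfuscation defined in RFC 8907, and decodes it again; key, session ID and user details are constructed.

```python
import hashlib
import struct

VERSION = 0xC0            # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01   # set only when the body travels in clear; never do that in production
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 data obfuscation keystream:
    MD5_1 = MD5(session_id | key | version | seq_no)
    MD5_n = MD5(session_id | key | version | seq_no | MD5_n-1), concatenated and truncated."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id, key, version, seq_no, body):
    """Body XOR pseudo_pad; applying it twice restores the body (it is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b"", action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START body: action LOGIN (1), authen_type ASCII (1), service LOGIN (1)."""
    return (struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def parse_authen_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    rest = body[8:]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": rest[:ul], "port": rest[ul:ul + pl], "rem_addr": rest[ul + pl:ul + pl + rl],
            "data": rest[ul + pl + rl:ul + pl + rl + dl]}


def build_packet(key, session_id, seq_no, body, ptype=TYPE_AUTHEN):
    header = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(session_id, key, VERSION, seq_no, body)


def parse_packet(key, packet):
    """De-obfuscate with the shared key; a wrong key yields garbage rather than an error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(session_id, key, version, seq_no, body)
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id}, body
```

The header (including session ID and sequence number) is always in clear, which is why the keystream can be regenerated by anyone who captures the packet and knows or guesses the key; protect the path between router and ACS and pick a long random key.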
AAA
Adding TACACS+ Server Using SDM
AAA
ACS—Adding the AAA Client (Router)
Group Setup
IOS-FW>en
Password:
IOS-FW#debug ip packet
Command authorization failed.
% Incomplete command.
IOS-FW#debug snmp packet
SNMP packet debugging is on
IOS-FW#undebug all
All possible debugging has been turned off
IOS-FW#
                       SSH v1                                      SSH v2
Architecture           One monolithic protocol                     Separate Transport, Authentication and Connection protocols
Integrity check        Weak CRC-32                                 Strong HMAC
Security negotiation   Only negotiates bulk cipher                 Negotiates algorithms for PKI, bulk encryption, HMAC
Session key            Uses server's public key to protect         Uses Diffie-Hellman key exchange
                       session key provided by client
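Added example (not from these slides): why the "Weak CRC-32" row matters. CRC-32 is affine over GF(2), so the CRC of a modified message differs from the original by a value that depends only on the bits flipped, not on the message. An attacker who can flip bits in the ciphertext can therefore patch the encrypted CRC too, knowing neither the key nor most of the plaintext; the same flips against an HMAC have no fix-up. The toy counter-mode keystream below is an assumption standing in for the bulk cipher (the attack needs only that a ciphertext bit flip becomes a plaintext bit flip); keys and messages are constructed.

```python
import hashlib
import hmac
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, n: int) -> bytes:
    # Assumption: toy counter-mode keystream (SHA-256) standing in for the bulk cipher
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def crc_delta(delta: bytes) -> int:
    """crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of len(d)): the correction for the CRC
    depends only on the flipped bits d, never on the message m itself."""
    return zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))


def v1_send(key: bytes, msg: bytes) -> bytes:
    """SSH v1 style: message || CRC-32, then encrypted."""
    body = msg + zlib.crc32(msg).to_bytes(4, "big")
    return xor(body, keystream(key, len(body)))


def v1_recv(key: bytes, ct: bytes):
    body = xor(ct, keystream(key, len(ct)))
    msg, crc = body[:-4], int.from_bytes(body[-4:], "big")
    return msg if zlib.crc32(msg) == crc else None


def forge_v1(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker knows only that `old` sits at `offset`: XOR old^new into the ciphertext
    and patch the encrypted CRC with crc_delta. No key, no decryption."""
    n = len(ct) - 4
    delta = bytes(offset) + xor(old, new)
    delta = delta + bytes(n - len(delta))
    return xor(ct[:n], delta) + xor(ct[n:], crc_delta(delta).to_bytes(4, "big"))


def v2_send(key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """SSH v2 style: message || HMAC-SHA-256(mac_key, message), then encrypted."""
    body = msg + hmac.new(mac_key, msg, hashlib.sha256).digest()
    return xor(body, keystream(key, len(body)))


def v2_recv(key: bytes, mac_key: bytes, ct: bytes):
    body = xor(ct, keystream(key, len(ct)))
    msg, tag = body[:-32], body[-32:]
    return msg if hmac.compare_digest(hmac.new(mac_key, msg, hashlib.sha256).digest(), tag) else None


def forge_v2(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Same bit flips; there is no keyless way to repair the HMAC."""
    n = len(ct) - 32
    delta = bytes(offset) + xor(old, new)
    delta = delta + bytes(n - len(delta))
    return xor(ct[:n], delta) + ct[n:]
```

The forged v1 packet decrypts to a different, valid-looking command, while the forged v2 packet is rejected; the keyed integrity check is what the protocol redesign bought.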
Firewall
A firewall is a system or group of systems that enforce an access control policy between two networks: good traffic is allowed through, bad traffic is blocked
Three basic classes of firewalls include:
Packet Filters
Proxy Servers
Stateful Firewalls
Packet Filtering
Zone-based firewall (diagram): interfaces E0, S3 and E1 are assigned to Zone Z1 and Zone Z2; traffic to and from the router itself belongs to the Self-Zone
Inspect
Monitor outbound traffic according to permit/deny policy
Anticipate return traffic according to session table entries
Drop
Analogous to deny
Pass
Analogous to permit
No stateful capability
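Added example (not from these slides and not IOS code): a Python model of the three zone-pair actions above. Inspected traffic creates a session entry whose reverse 5-tuple is anticipated on the way back; pass creates no state, so replies to passed traffic need their own policy; anything not matched by a zone-pair policy is dropped. Zone membership by address prefix, the policy and the packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class ZoneFirewall:
    """Zone pairs with inspect / pass / drop actions and a session table for inspected traffic."""

    def __init__(self, zones, policy):
        self.zones = zones        # {ip_prefix: zone}; assumption: classification by prefix
        self.policy = policy      # list of (from_zone, to_zone, proto, dport or None, action)
        self.sessions = set()     # 5-tuples created by 'inspect'
        self.log = []

    def zone_of(self, ip):
        for prefix, zone in self.zones.items():
            if ip.startswith(prefix):
                return zone
        return "self"             # traffic to or from the router itself

    def handle(self, pkt: Packet) -> str:
        # 1. Return traffic of an inspected session is anticipated from the session table
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.sessions:
            return "pass (return traffic of inspected session)"
        # 2. Otherwise the zone-pair policy decides; 'pass' creates no state, so replies
        #    to passed traffic need their own rule in the opposite direction
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        for from_zone, to_zone, proto, dport, action in self.policy:
            if (from_zone, to_zone, proto) == (src_zone, dst_zone, pkt.proto) and dport in (None, pkt.dport):
                if action == "inspect":
                    self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return action
        # 3. No zone-pair policy matches: default deny between zones
        self.log.append(f"drop {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "drop (no matching zone-pair policy)"


def run_scenario():
    """Zone Z1 = 10.0.0.0/8 (inside), Zone Z2 = 203.0.113.0/24 (outside); constructed packets."""
    fw = ZoneFirewall(
        zones={"10.": "Z1", "203.0.113.": "Z2"},
        policy=[("Z1", "Z2", "tcp", None, "inspect"),   # stateful: replies anticipated
                ("Z1", "Z2", "icmp", None, "pass"),     # stateless: replies are not
                ("Z2", "Z1", "tcp", 22, "drop")],       # explicit deny of inbound SSH
    )
    return [
        fw.handle(Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80)),    # outbound HTTP
        fw.handle(Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000)),    # its reply
        fw.handle(Packet("203.0.113.10", "10.0.0.5", "tcp", 4444, 40000)),  # fake reply, wrong port
        fw.handle(Packet("203.0.113.66", "10.0.0.5", "tcp", 3333, 22)),     # inbound SSH
        fw.handle(Packet("10.0.0.5", "203.0.113.10", "icmp", 0, 0)),        # echo request, passed
        fw.handle(Packet("203.0.113.10", "10.0.0.5", "icmp", 0, 0)),        # echo reply: no state
    ]
```

The last two results are the point of the "No stateful capability" line: the echo request leaves under pass, and its reply is dropped because nothing anticipated it; under inspect the same exchange would have worked.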
The Problem
The hosts on the Site A and Site B networks use legacy, insecure
protocols such as SMTP, POP, HTTP and Telnet
This is OK for intra-site communications on the protected
internal networks
It is not acceptable across the Internet
Changing the protocols used by the hosts is not an option, so you need
the routers to use VPN technology to protect data transmitted between
the sites
IPsec SA
Two-phase protocol:
Phase 1 exchange: the two peers establish a secure, authenticated channel for IKE communications; main mode or aggressive mode accomplishes a Phase 1 exchange
Phase 2 exchange: security associations are negotiated on behalf of IPsec services; quick mode accomplishes a Phase 2 exchange
Each phase has its own SAs: the ISAKMP SA (Phase 1) and the IPsec SAs (Phase 2)
Pre-shared key
Easy to deploy, not scalable
Diffie-Hellman exchange (diagram):
Alice chooses private XA and sends YA = g^XA mod p; Bob chooses private XB and sends YB = g^XB mod p
Alice calculates zz = YB^XA mod p; Bob calculates zz = YA^XB mod p
zz = shared secret = g^(XA * XB) mod p
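Added example (not from these slides): the Diffie-Hellman exchange above carried through in Python, then fed into the IKEv1 Phase 1 key derivation for pre-shared key authentication as RFC 2409 section 5 specifies it (SKEYID = prf(psk, Ni | Nr), with SKEYID_d, SKEYID_a and SKEYID_e chained from it). The 127-bit Mersenne prime group is an assumption made so the block runs instantly; real IKE uses the MODP groups of RFC 2409 and RFC 3526. Nonces, cookies and pre-shared keys are constructed. Caveat on the "not scalable" line: in aggressive mode the hash that authenticates the peer travels in clear, so a captured exchange allows an offline dictionary attack on a weak pre-shared key.

```python
import hashlib
import hmac
import secrets

# Assumption: toy group so the demo runs instantly. Real IKE uses the MODP groups of
# RFC 2409 / RFC 3526 (DH groups 2, 5, 14, ...). p = 2^127 - 1 is a Mersenne prime, g = 3.
P = 2**127 - 1
G = 3
GXY_LEN = 16   # bytes needed to encode a value below P


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1        # private exponent X
    return x, pow(G, x, P)                  # (X, Y = g^X mod p)


def dh_shared(peer_public: int, private: int) -> int:
    return pow(peer_public, private, P)     # zz = Y_peer^X mod p


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()   # IKEv1 prf = HMAC of the negotiated hash


def ikev1_psk_keys(psk: bytes, ni: bytes, nr: bytes, zz: int, cky_i: bytes, cky_r: bytes):
    """RFC 2409 section 5, pre-shared key authentication:
    SKEYID   = prf(psk, Ni_b | Nr_b)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)"""
    gxy = zz.to_bytes(GXY_LEN, "big")
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase1_psk(psk_alice: bytes, psk_bob: bytes):
    """Both peers run the exchange; returns (alice_keys, bob_keys, same_dh_secret)."""
    xa, ya = dh_keypair()                   # Alice: private XA, public YA = g^XA mod p
    xb, yb = dh_keypair()                   # Bob:   private XB, public YB = g^XB mod p
    zz_alice = dh_shared(yb, xa)            # YB^XA mod p
    zz_bob = dh_shared(ya, xb)              # YA^XB mod p
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # initiator/responder nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    alice = ikev1_psk_keys(psk_alice, ni, nr, zz_alice, cky_i, cky_r)
    bob = ikev1_psk_keys(psk_bob, ni, nr, zz_bob, cky_i, cky_r)
    return alice, bob, zz_alice == zz_bob == pow(G, xa * xb, P)
```

With matching pre-shared keys both peers end up with identical SKEYID_d/a/e; with mismatched keys the Diffie-Hellman secret still agrees but every derived key differs, which is exactly the symptom of a PSK typo in a Phase 1 failure.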
ESP tunnel mode (diagram): New IP header | ESP header | Original IP header | IP payload; the whole original IP datagram is encrypted with ESP, and the ESP header through the payload is integrity checked
ESP transport mode (diagram): IP header | ESP header | IP payload; the original IP header is kept, only the payload is encrypted with ESP and integrity checked
IPsec operation (diagram: RouterA and RouterB, hosts 10.1.1.3 and 10.2.2.3)
1. Host A sends interesting traffic to Host B.
2. Routers A and B negotiate an IKE Phase 1 session.
SDM VPN page (diagram, callouts 1-3): Wizards for IPsec Solutions; Individual IPsec Components
Site-to-site lab topology (diagram): Router A (172.30.1.2) and Router B (172.30.6.2) connected across the Internet, with inside hosts 10.0.1.12 and 10.0.6.12
IPS
IPS deployment (diagram): a promiscuous-mode sensor watches a copy of the traffic; an inline sensor sits in the forwarding path; an IOS Firewall router with IOS IPS fronts the untrusted network; CSA agents on the hosts report to the CSA MC; CS-MARS collects and correlates the events
Alarm delivery (diagram): alarms leave the sensor via the SDEE protocol to the network management console, and via syslog to a syslog server
Deobfuscation: the sensor decodes the URL as an HTTP daemon would. %6F is the hex ASCII code for "o", so R%6F%6FT.eXe decodes to RooT.eXe, which the sensor (after folding case) recognizes as an attempt to access root.exe.
With IOS IPS enabled, the router detects a suspiciously long user name field in the
FTP control stream. The shell connection is not successful, and the event is logged.
msf 3com_3cdaemon_ftp_overflow(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Attempting to exploit Windows 2000 English
[*] Exiting Reverse Handler.
msf 3com_3cdaemon_ftp_overflow(win32_reverse) >
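Added example (not from these slides and not the IOS IPS signature engine): Python versions of the two detections described above. normalize_url decodes the request target the way a web server would before matching, including repeated percent-decoding for double-encoded input, backslash-to-slash and case folding, so R%6F%6FT.eXe matches a root.exe signature; inspect_ftp flags a FTP USER argument longer than a threshold. The signature table, the 64-byte threshold and the sample request and FTP stream are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed signature table: substrings the sensor looks for in the normalized URL
WEB_SIGNATURES = {"root.exe": "attempt to access root.exe"}
FTP_USER_MAX = 64   # assumption: threshold for a "suspiciously long" USER argument


def normalize_url(target: str) -> str:
    """Decode the request target as an HTTP daemon would before matching signatures:
    percent-decoding repeated until stable (so %2572 -> %72 -> r), backslash to slash,
    duplicate slashes collapsed, case folded. Matching the raw string misses R%6F%6FT.eXe."""
    prev, cur = None, target
    while cur != prev:
        prev, cur = cur, unquote(cur)
    cur = re.sub(r"/+", "/", cur.replace("\\", "/"))
    return cur.lower()


def inspect_http(request_line: str):
    """Return the signature descriptions matched by one HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    norm = normalize_url(parts[1])
    return [desc for needle, desc in WEB_SIGNATURES.items() if needle in norm]


def inspect_ftp(control_stream: bytes):
    """Return alerts for FTP USER commands whose argument exceeds the threshold."""
    alerts = []
    for line in control_stream.split(b"\r\n"):
        m = re.match(rb"(?i)USER\s+(.*)$", line)
        if m and len(m.group(1)) > FTP_USER_MAX:
            alerts.append(f"FTP USER argument of {len(m.group(1))} bytes exceeds {FTP_USER_MAX}: "
                          "possible buffer overflow")
    return alerts
```

Normalizing before matching is what defeats the evasion: the same signature fires on the plain, the percent-encoded and the double-encoded request, while an ordinary login attempt with a short username produces no FTP alert.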
Why Be Concerned?
If one layer is hacked, communications are compromised without
the other layers being aware of the problem.
Security is only as strong as your weakest link.
When it comes to networking, Layer 2 can be a very weak link.
Diagram: the application stream between two hosts runs over the Application, Presentation, Session and lower layers on each side; when the physical links are compromised at Layer 2, the upper layers at both ends keep communicating as if nothing had happened
Port security (diagram: Attacker 1 and Attacker 2 on access ports)
switchport port-security
(With no further options the port allows one secure MAC address and shuts down on a violation; tune maximum and violation mode for ports with IP phones or hubs)
STP attack (diagram): the legitimate Root Bridge has Priority = 8192 and MAC address 0000.00C0.1234; the attacker injects STP BPDUs claiming Priority = 0, takes over the root bridge role and changes which ports forward (F) and block (B)
BPDU Guard (diagram): BPDU Guard enabled on the access port facing the attacker; an STP BPDU from the attacker puts the port into the error-disabled state instead of influencing the topology
Switch(config)#
spanning-tree portfast bpduguard default
Root Guard (diagram): Root Guard enabled on the port facing the attacker; a superior STP BPDU from the attacker (Priority = 0, MAC address = 0000.0c45.1234) puts the port into the root-inconsistent (blocking) state rather than letting the attacker become root
Switch(config-if)#
spanning-tree guard root
VLAN hopping over an 802.1Q trunk (diagram): VLAN 10 and VLAN 20 carried on the trunk, with the server on the far side
Double-tagging attack (diagram: attacker on VLAN 10, trunk with Native VLAN = 10, victim on VLAN 20)
The attacker sends double-encapsulated 802.1Q frames (outer tag = the native VLAN 10, inner tag = the victim's VLAN 20).
The switch performs only one level of decapsulation.
Only unidirectional traffic is passed.
The attack works even if the trunk ports are set to "off".
Note: This attack works only if the trunk has the same native VLAN as the attacker.
Note: There is no way to execute these attacks unless the switch is misconfigured.
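Added example (not from these slides and not switch code): a Python model of the double-tagging frame and of the two switches it crosses. The first switch strips the one tag it looks at and, because the frame belongs to the native VLAN, forwards it untagged on the trunk with the inner tag still inside; the second switch reads that inner tag and delivers the frame into VLAN 20. Changing the native VLAN to an unused one (or tagging the native VLAN with vlan dot1q tag native) makes the first switch add its own tag, and the attack collapses. Acceptance of an outer tag equal to the access VLAN is the assumption the attack relies on; addresses and payload are constructed.

```python
import struct

DOT1Q = 0x8100
ETH_IPV4 = b"\x08\x00"


def build_frame(dst: bytes, src: bytes, vlans, payload: bytes) -> bytes:
    """Ethernet frame with zero or more 802.1Q tags; vlans[0] is the outer tag."""
    body = ETH_IPV4 + payload
    for vlan in reversed(vlans):
        body = struct.pack("!HH", DOT1Q, vlan & 0x0FFF) + body
    return dst + src + body


def peel(frame: bytes):
    """Strip exactly one 802.1Q tag if present: returns (vlan or None, frame without it)."""
    if struct.unpack("!H", frame[12:14])[0] == DOT1Q:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vlan, frame[:12] + frame[16:]
    return None, frame


def access_port_to_trunk(frame: bytes, access_vlan: int, trunk_native: int):
    """First switch: classify the frame on the access port, then send it out the trunk.
    One level of decapsulation only; an outer tag equal to the access VLAN is accepted
    (assumption modelling the behaviour the attack relies on)."""
    vlan, rest = peel(frame)
    if vlan is None:
        vlan = access_vlan
    elif vlan != access_vlan:
        return None                                 # tag for a foreign VLAN: dropped
    if vlan == trunk_native:
        return rest                                 # native VLAN leaves the trunk untagged ...
    return rest[:12] + struct.pack("!HH", DOT1Q, vlan) + rest[12:]   # ... everything else tagged


def trunk_ingress_vlan(frame: bytes, trunk_native: int) -> int:
    """Second switch: an untagged frame on a trunk belongs to the native VLAN,
    a tagged frame to the VLAN in the first tag it sees."""
    vlan, _ = peel(frame)
    return trunk_native if vlan is None else vlan


def double_tag_attack(trunk_native: int, attacker_vlan: int = 10, victim_vlan: int = 20) -> int:
    """VLAN into which the victim-side switch delivers the attacker's frame. Constructed MACs."""
    attacker = bytes.fromhex("cccccccccccc")
    victim = bytes.fromhex("bbbbbbbbbbbb")
    frame = build_frame(victim, attacker, [attacker_vlan, victim_vlan], b"ping")
    on_trunk = access_port_to_trunk(frame, access_vlan=attacker_vlan, trunk_native=trunk_native)
    return trunk_ingress_vlan(on_trunk, trunk_native)
```

The victim's reply carries a single tag for VLAN 20 and is never delivered back into VLAN 10, which is why the slide says only unidirectional traffic is passed.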
ARP spoofing (same diagram as in the Attack Methodologies section): the attacker C (10.1.1.3, MAC C.C.C.C) sends gratuitous ARP replies until Host A's table binds 10.1.1.1 to C.C.C.C and Host B's table binds 10.1.1.2 to C.C.C.C
Protected ports keep the attacker from reaching the victims at Layer 2 when all three sit on protected ports of the same switch (protected ports never forward traffic to each other); they do not validate ARP itself
L3-Sw#config t
Enter configuration commands, one per line. End with CNTL/Z.
L3-Sw(config)#interface range fa0/2 - 4
L3-Sw(config-if-range)#switchport protected
L3-Sw(config-if-range)#end
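Added example (not from these slides and not switch code): the ARP spoofing shown in both the Attack Methodologies and Layer 2 diagrams, built and parsed at the frame level in Python, with the check that stops it. Hosts A and B keep the naive cache from the diagram (any reply overwrites the binding); a Dynamic ARP Inspection model on the switch validates each ARP packet from an untrusted port against a DHCP-snooping binding table and drops mismatches. Real MAC values replace the diagram's A.A.A.A / B.B.B.B / C.C.C.C, and the binding table, port names and frames are constructed for the example.

```python
import struct

ETH_ARP = b"\x08\x06"

# Constructed addresses standing in for the diagram's A.A.A.A / B.B.B.B / C.C.C.C
HOST_A = ("10.1.1.2", "aa:aa:aa:aa:aa:aa")
HOST_B = ("10.1.1.1", "bb:bb:bb:bb:bb:bb")
ATTACKER = ("10.1.1.3", "cc:cc:cc:cc:cc:cc")


def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet II + ARP reply (opcode 2). A gratuitous reply looks exactly like a real one."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + ETH_ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)        # Ethernet, IPv4, 6, 4, reply
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    eth_src = frame[6:12]
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    return {"eth_src": fmt_mac(eth_src), "op": op,
            "sha": fmt_mac(frame[22:28]), "spa": fmt_ip(frame[28:32]),
            "tha": fmt_mac(frame[32:38]), "tpa": fmt_ip(frame[38:42])}


class NaiveHost:
    """Host ARP cache as in the diagram: any reply overwrites the existing binding."""
    def __init__(self):
        self.cache = {}

    def on_frame(self, frame):
        info = parse_arp(frame)
        if info["op"] == 2:
            self.cache[info["spa"]] = info["sha"]


class DaiSwitch:
    """Dynamic ARP Inspection model: on untrusted ports the ARP sender MAC must equal the
    Ethernet source MAC and the sender IP/MAC pair must match the binding table."""
    def __init__(self, bindings, trusted_ports=()):
        self.bindings = bindings           # {ip: mac}, learned by DHCP snooping (constructed here)
        self.trusted = set(trusted_ports)
        self.log = []

    def forward(self, in_port, frame, dest_host):
        info = parse_arp(frame)
        ok = (in_port in self.trusted
              or (info["sha"] == info["eth_src"] and self.bindings.get(info["spa"]) == info["sha"]))
        if ok:
            dest_host.on_frame(frame)
        else:
            self.log.append(f"DAI drop on {in_port}: {info['spa']} claimed by {info['sha']}")
        return ok


def poison(dai=None):
    """Attacker C tells A that 10.1.1.1 is at C's MAC and tells B that 10.1.1.2 is at C's MAC.
    Returns (cache of A, cache of B) after legitimate replies and then the spoofed ones."""
    a, b = NaiveHost(), NaiveHost()
    legit = [("Fa0/1", build_arp_reply(*HOST_A, *HOST_B), b),
             ("Fa0/2", build_arp_reply(*HOST_B, *HOST_A), a)]
    spoofed = [("Fa0/3", build_arp_reply(HOST_B[0], ATTACKER[1], *HOST_A), a),
               ("Fa0/3", build_arp_reply(HOST_A[0], ATTACKER[1], *HOST_B), b)]
    for port, frame, victim in legit + spoofed:
        if dai is None:
            victim.on_frame(frame)
        else:
            dai.forward(port, frame, victim)
    return a.cache, b.cache
```

Without inspection both caches end up pointing at the attacker, exactly as the diagram shows; with the binding check in place the legitimate replies pass, the two spoofed ones are dropped and logged, and the caches stay correct.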
Sample Questions
Partial site-to-site IPsec VPN configuration of both peers (diagram residue: transform-set aessha with esp-sha-hmac, crypto map entry 20)
What is wrong regarding the partial S2S IPsec VPN configuration shown?
A. The transform-set name does not match between the peers
B. The transform-set is missing the AH option
C. The transform-set is missing the "mode tunnel" option
D. The crypto ACL is not a mirror image of the crypto ACL on the other peer
E. The crypto ACL is not matching the 172.16.172.10 and 172.16.171.20 IP addresses
Correct Answer: D
Correct Answer: B
Correct Answer: C
Correct Answer: C
Correct Answer: D
Q and A