Posts posted by matt2k4

  1. Just came across this thread and thought I would add what I have.

    [Photos: Cable and phone patches; Rack; More Rack]

    I have anywhere from 2 - 8 CAT5e drops per room (gives me the ability to change VLANs by plugging into different ports in the office, bedroom, etc.) that mostly hook into the L3 3550. Each wall plate has CAT5e, RG6 for cable, RG6 for SAT and CAT3. The EATX server is virtual, running 8 VMs. Unfortunately, with one-foot patch cables you find yourself not able to move the cable too far, so I end up just changing VLANs on the port instead of actually moving the cable to another port. ;) When I actually get off my lazy ass and write ICND2, this will probably be a lot messier.

  2. Also, if all you are trying to do is VPN into your home network from the internet, you could scrap the idea of using the Win2k8 box and simply IPsec into your router using the Windows IPsec client. To do this, enter this config:

    aaa authentication ppp default group radius local
    ip name-server (ip of internal DNS server)
    vpdn enable
    !
    vpdn-group REMOTE_USERS
     ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    username username password password
    ip local pool defaultpool 10.0.0.2 10.0.0.100 (make this something addressable in your network)
    !
    interface Virtual-Template1
     ip unnumbered FastEthernet0/4
     peer default ip address pool defaultpool
     ppp encrypt mppe auto required
     ppp authentication ms-chap ms-chap-v2

    on your outside ACL, you will need:

    ! PPTP control channel is TCP 1723; the tunnel data is GRE (IP protocol 47), not UDP
    permit tcp any any eq 1723
    permit gre any any

  3. You need to make sure the ACLs applied to the outside interface are allowing your IPsec traffic through.

    On a Cisco 800 series ISR, I believe the WAN interface is defaulted to fa0/4. So what you would need to do is something like the following:

    int fa0/4
     ip access-group incoming in (if you already have an ACL applied to the outside, just use that one)
    exit
    ip access-list extended incoming
     permit tcp any any established log
     permit udp any any eq isakmp log
     permit esp any any log
     permit etc....other various services you require
     deny ip any any log
    exit

    For the static translation, it shouldn't be much different than what you did for your RDP session. You will require something like this:

    ** change 10.0.0.1 to the IP of your win2k8 server
    ip nat inside source static udp 10.0.0.1 500 interface FastEthernet0/4 500
    ip nat inside source static esp 10.0.0.1 interface FastEthernet0/4

    After you have this running and try it out, you should be able to see hits on the ACL. Do a sh access-list incoming and you will see the matches column, which should have incremented.

    Extended IP access list incoming
        40 permit udp any any eq isakmp (802874 matches)
        60 permit esp any any (350226931 matches)

    I'm pretty sure Windows IPsec will be happy with ISAKMP and ESP; you may need AH, but only try that if you have no luck with the above.
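The "check that the matches column incremented" step in the posts above is easy to get wrong by eye on a busy ACL, so here is an added example (not matt2k4's code, and not specific to any Cisco tooling) that parses two snapshots of `show access-list` output and reports which entries actually saw new hits. The function names, and the two snapshot strings with their counters, are constructed for this example; the counter values are modelled on the ones quoted in the post but are not real data.

```python
import re
from typing import Dict, List, Tuple

# One ACE line from "show access-list", for example:
#   40 permit udp any any eq isakmp log (802874 matches)
# An entry that has never matched is printed without the "(N matches)" suffix.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.+?)"
    r"(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)


def parse_show_access_list(text: str) -> Dict[int, Tuple[str, str, int]]:
    """Map sequence number -> (action, rule text, match count)."""
    entries: Dict[int, Tuple[str, str, int]] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # the "Extended IP access list ..." header, or noise
        entries[int(m["seq"])] = (m["action"], m["rule"], int(m["matches"] or 0))
    return entries


def match_deltas(before: str, after: str) -> List[Tuple[int, str, str, int]]:
    """Return (seq, action, rule, increment) for every ACE whose counter grew."""
    b = parse_show_access_list(before)
    a = parse_show_access_list(after)
    deltas = []
    for seq, (action, rule, count) in sorted(a.items()):
        prev = b.get(seq, (action, rule, 0))[2]  # new ACE: treat as starting at 0
        if count > prev:
            deltas.append((seq, action, rule, count - prev))
    return deltas


def ipsec_reached_router(before: str, after: str) -> bool:
    """True when both the ISAKMP (UDP 500) and the ESP permits saw new hits."""
    seen = {rule for _, action, rule, _ in match_deltas(before, after) if action == "permit"}
    return any("eq isakmp" in r for r in seen) and any(r.startswith("esp ") for r in seen)


def denied_hits(before: str, after: str) -> List[Tuple[int, str, int]]:
    """Entries on deny lines that incremented: traffic the ACL dropped during the test."""
    return [(seq, rule, inc) for seq, action, rule, inc in match_deltas(before, after)
            if action == "deny"]


# Constructed snapshots: before and after a VPN connection attempt.
BEFORE = """Extended IP access list incoming
    10 permit tcp any any established log (12000 matches)
    40 permit udp any any eq isakmp log (802874 matches)
    60 permit esp any any log (350226931 matches)
    100 deny ip any any log (55 matches)
"""
AFTER = """Extended IP access list incoming
    10 permit tcp any any established log (12040 matches)
    40 permit udp any any eq isakmp log (802880 matches)
    60 permit esp any any log (350227102 matches)
    100 deny ip any any log (57 matches)
"""

if __name__ == "__main__":
    for seq, action, rule, inc in match_deltas(BEFORE, AFTER):
        print(f"{seq:>4} {action:<6} {rule:<40} +{inc}")
    print("IKE and ESP both reached the router:", ipsec_reached_router(BEFORE, AFTER))
    print("hits on deny lines:", denied_hits(BEFORE, AFTER))
```

Paste the real `sh access-list incoming` output into the two strings (or read them from files) on either side of a connection attempt. A growing ISAKMP counter with a flat ESP counter points at the IKE negotiation rather than the ACL; a growing `deny ip any any log` counter during the attempt is the first thing to inspect in the log messages, since it means something the client sent never matched a permit.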
