Reflexive ACL's and domain authentication across VPN tunnel

Hello,

I have a remote windows 98 machine that is part of a windows 2000 domain and authenticates to the PDC across the vpn. This works fine with no prob, but I want to protect the PDC / mail server that is connected to the internet with reflexive ACL filtering. When I apply the following "test" reflexive ACL filtering on the 1710 in front of the PDC/ mail server, the remote win 98 machine can't connect to the domain anymore.

What is wrong with this ACL ? Shouldn't I need only to allow esp and isakmp in unestablished b/c the netbios info is encapsulated ?

I am assuming the following order of operations on the router: ACL filtering -> De-encapsulation -> NAT

Outside Interface:

interface Ethernet0
 ip address xxx.xxx.xxx.162 255.255.255.224
 ip access-group inboundfilters in
 ip access-group outboundfilters out
 ip nat outside
 half-duplex
 crypto map vpntunnel

Associated reflexive ACL's:

ip access-list extended inboundfilters
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit esp any any
 permit udp any any eq isakmp
 permit icmp any any
 evaluate tcp
 evaluate udp

ip access-list extended outboundfilters
 permit esp any any
 permit icmp any any
 permit tcp any any reflect tcp
 permit udp any any reflect udp

Don't know if this is a factor:

crypto ipsec transform-set vpnstrong esp-3des esp-sha-hmac

3 REPLIES

Re: Reflexive ACL's and domain authentication across VPN tunnel

Bug ID: CSCdm01118

Enjoy...


Re: Reflexive ACL's and domain authentication across VPN tunnel

ahh yes... from bug ID CSCdm01118:

"Currently with Cisco IOS, an inbound ACL is evaluated twice for the incoming IPSec traffic, once for the encapsulated IPSec packet and once more after the packet is decapsulated. So if the inbound ACL is configured to only allow IPSec traffic (ISAKMP and ESP), then decapsulated clear packets will be dropped during the second ACL processing.

The workaround is to add permit entries in the ACL for the decapsulated clear traffic in addition to the IPSec traffic."

It's not clear in the bugtrack info if this has been fixed yet? I am running 12.2(4)XL. Anyone know if 12.2(8)T has resolved this?


Re: Reflexive ACL's and domain authentication across VPN tunnel

Regarding the workaround referenced above:

"The workaround is to add permit entries in the ACL for the decapsulated clear traffic in addition to the IPSec traffic."

Is my assumption correct that allowing in decapsulated traffic from the VPN peer private subnet does not pose a security threat b/c that subnet is referenced in the crypto map and if any traffic is received from that subnet that is not encrypted, it is dropped after it makes it through the ACL the first time and then is evaluated for decryption?

any comments are greatly appreciated...

-patrick
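The workaround quoted from CSCdm01118, applied to the inboundfilters ACL from the original post, as an added example that is not from the thread. The private subnets are placeholders (the page does not give them): 192.0.2.0/24 stands for the network behind the remote VPN peer, 10.10.10.0/24 for the network behind the 1710; the evaluate lines and public-service permits are the poster's own.

```cisco
! Added example, not configuration from the thread.
! Placeholder addresses (not from the post):
!   192.0.2.0/24  = private subnet behind the remote VPN peer (Win98 client)
!   10.10.10.0/24 = private subnet behind the 1710 (PDC / mail server)
ip access-list extended inboundfilters
 remark -- pass 1: the packet as it arrives from the Internet, still encapsulated
 permit udp any any eq isakmp
 permit esp any any
 remark -- public services on the PDC / mail server (unchanged from the post)
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit icmp any any
 remark -- pass 2: per CSCdm01118 the same ACL is re-run on the decapsulated
 remark -- clear packet, sourced from the peer's private subnet. Without this
 remark -- entry the domain logon traffic (NetBIOS: UDP 137/138, TCP 139,
 remark -- all covered by "ip") is dropped here.
 permit ip 192.0.2.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark -- reflexive entries for return traffic of sessions opened from inside
 evaluate tcp
 evaluate udp
```

The added permit is scoped to the tunnel's private subnet pair rather than `any any`, so it only admits what the crypto ACL for vpntunnel would carry.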
