Reflexive ACLs and domain authentication across VPN tunnel
I have a remote Windows 98 machine that is part of a Windows 2000 domain and authenticates to the PDC across the VPN. This works fine with no prob, but I want to protect the PDC / mail server that is connected to the internet with reflexive ACL filtering. When I apply the following "test" reflexive ACL filtering on the 1710 in front of the PDC / mail server, the remote Win 98 machine can't connect to the domain anymore.
What is wrong with this ACL? Shouldn't I need only to allow ESP and ISAKMP in unestablished, b/c the NetBIOS info is encapsulated?
I am assuming the following order of operations on the router: ACL filtering --> de-encapsulation --> NAT
Re: Reflexive ACLs and domain authentication across VPN tunnel
Regarding the workaround referenced above..
"The workaround is to add permit entries in the ACL for the decapsulated clear traffic in addition to the IPsec traffic."
Is my assumption correct that allowing in decapsulated traffic from the VPN peer private subnet does not pose a security threat b/c that subnet is referenced in the crypto map, and if any traffic is received from that subnet that is not encrypted, it is dropped after it makes it through the ACL the first time and then is evaluated for decryption?
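For readers following the thread, here is what the quoted workaround looks like as an IOS reflexive ACL on the internet-facing interface of the router in front of the PDC / mail server. This is an added illustration, not configuration posted by either participant or taken from a Cisco document. All addresses, the interface name (Ethernet0), the list names and the timeouts are assumptions; the crypto map and ISAKMP/IPsec policy are assumed to exist already and are not shown.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   203.0.113.1   this router's outside interface (IPsec endpoint)
!   198.51.100.1  remote VPN peer's public address
!   10.1.0.0/24   remote private subnet behind the peer (the Win98 client)
!   10.0.0.0/24   local subnet holding the PDC / mail server
! The crypto map applied to Ethernet0 is assumed to match 10.1.0.0/24 <-> 10.0.0.0/24.

ip access-list extended OUTBOUND
 ! Sessions opened from the inside are recorded in the temporary list VPN-REFLECT
 permit tcp any any reflect VPN-REFLECT timeout 300
 permit udp any any reflect VPN-REFLECT timeout 60
 permit icmp any any reflect VPN-REFLECT timeout 30
 permit ip any any

ip access-list extended INBOUND
 ! 1. The tunnel itself: ISAKMP (UDP 500) and ESP, from the peer to this router only
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 ! 2. The workaround quoted above: the decapsulated clear traffic, permitted only
 !    for the exact subnet pair that the crypto map ACL already describes
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 ! 3. Return traffic for sessions the inside hosts initiated
 evaluate VPN-REFLECT
 ! 4. Everything else is dropped and logged so misses are visible in the log
 deny ip any any log

interface Ethernet0
 description Internet-facing interface (assumed name)
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

The entry in step 2 is what the original ACL lacked: the domain logon is initiated by the remote client, so no outbound session ever populates VPN-REFLECT for it, and after decapsulation the cleartext packet still has to pass the interface ACL on its own. Keeping that entry narrowed to the one subnet pair, rather than "permit ip any 10.0.0.0 0.0.0.255", limits what an unencrypted packet spoofed from the peer's range could reach, and the trailing "deny ip any any log" lets you confirm from the router log which flows are being blocked while testing.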