03-19-2002 04:50 PM - edited 02-21-2020 09:59 AM
Hello,
I have a remote windows 98 machine that is part of a windows 2000 domain and authenticates to the PDC across the vpn. This works fine with no prob, but I want to protect the PDC / mail server that is connected to the internet with reflexive ACL filtering. When I apply the following "test" reflexive ACL filtering on the 1710 in front of the PDC/ mail server, the remote win 98 machine can't connect to the domain anymore.
What is wrong with this ACL ? Shouldn't I need only to allow esp and isakmp in unestablished b/c the netbios info is encapsulated ?
I am assuming the following order of operations on the router: ACL filtering-->De-encapsulation->NAT
Outside Interface:
interface Ethernet0
 ip address xxx.xxx.xxx.162 255.255.255.224
 ip access-group inboundfilters in
 ip access-group outboundfilters out
 ip nat outside
 half-duplex
 crypto map vpntunnel
Associated reflexive ACLs:
ip access-list extended inboundfilters
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit esp any any
 permit udp any any eq isakmp
 permit icmp any any
 evaluate tcp
 evaluate udp
ip access-list extended outboundfilters
 permit esp any any
 permit icmp any any
 permit tcp any any reflect tcp
 permit udp any any reflect udp
Don't know if this is a factor:
crypto ipsec transform-set vpnstrong esp-3des esp-sha-hmac
03-20-2002 10:21 AM
Bug ID: CSCdm01118
Enjoy...
03-20-2002 03:31 PM
ahh yes... from bug ID CSCdm01118:
"Currently with Cisco IOS, an inbound ACL is evaluated twice for the incoming
IPSec traffic, once for the encapsulated IPSec packet and once more after the
packet is decapsulated. So if the inbound ACL is configured to only allow IPSec
traffic (ISAKMP and ESP), then decapsulated clear packets will be dropped
during the second ACL processing.
The workaround is to add permit entries in the ACL for the decapsulated clear
traffic in addition to the IPSec traffic."
It's not clear in the bugtrack info if this has been fixed yet? I am running 12.2(4)XL. Anyone know if 12.2(8)T has resolved this?
03-20-2002 05:53 PM
Regarding the workaround referenced above...
"The workaround is to add permit entries in the ACL for the decapsulated clear
traffic in addition to the IPSec traffic."
Is my assumption correct that allowing in decapsulated traffic from the vpn peer private subnet does not pose a security threat b/c that subnet is referenced in the crypto map and if any traffic is received from that subnet that is not encrypted, it is dropped after it makes it through the ACL the first time and then is evaluated for decryption?
any comments are greatly appreciated...
-patrick
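As an added example (not posted in this thread), here is the inboundfilters ACL amended along the lines of the CSCdm01118 workaround quoted above: the decapsulated clear traffic gets its own permit entries for the second ACL pass, scoped to the peer's private subnet rather than "any" so the opening is no wider than the tunnel itself. The subnets are placeholders from the RFC 5737 documentation ranges, not values from the thread.

```cisco
! Added example, not the poster's config. Placeholder addresses:
!   192.0.2.0/24    = remote VPN peer's private subnet (where the Win98 host lives)
!   198.51.100.0/24 = local private subnet behind the 1710 (PDC / mail server)
! IOS ACLs use wildcard masks, the inverse of a subnet mask (0.0.0.255 = /24).
ip access-list extended inboundfilters
 ! Services the mail server exposes to the Internet
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 ! IPsec tunnel traffic itself: ISAKMP negotiation and ESP payload (first ACL pass)
 permit udp any any eq isakmp
 permit esp any any
 permit icmp any any
 ! Workaround: the decapsulated clear packets are evaluated against this ACL
 ! a second time, so permit them explicitly, but only peer-subnet to local-subnet
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 ! Reflexive entries: return traffic for sessions opened from the inside
 evaluate tcp
 evaluate udp
```

The outboundfilters ACL is unchanged; the ESP permit and the reflect entries already cover the encrypted direction.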