In order to broadcast netbios to another ip subnet,you can use "ip helper-address" command.,it will auto open 8 udp ports(69,53,37,137,138,67,68,49),you can use "ip forward-protocol" command to close them,or open another tcp/udp port.
IPsec is a standard,you can use ipsec client for NT