NAT-T / IPSEC issues......

From: Jay (jason.anthony_at_citrix.com)
Date: 02/18/04


Date: Tue, 17 Feb 2004 19:19:00 -0800

I have an IPSEC policy set between a W2K3 server in a DMZ
and a W2K3 Domain Controller on the internal network.
The policy is set to use a preshared key as the
authentication method and the rule/filter set is to
secure any and all traffic between the two.

The curve ball: The Server in the DMZ has a static NAT
address assigned to it.

To test the policy put in place, I pinged the domain
controller from the server in the DMZ and got a
successful response:

C:\>ping jayz-server

Pinging jayz-server [192.168.0.100] with 32 bytes of data:

Negotiating IP Security.
Reply from 192.168.0.100: bytes=32 time=6ms TTL=128
Reply from 192.168.0.100: bytes=32 time=5ms TTL=128
Reply from 192.168.0.100: bytes=32 time=6ms TTL=128

Also, a netmon trace showed the key exchange between the
2 servers (ISAKMP) followed by ESP traffic over UDP 4500
(NAT-T). In addition, IPSEC monitor showed successful
security associations on both ends.

The issue: I cannot seem to make successful connections
to the domain controller over any protocols/ports other
than ICMP.

Example: I tried telnetting to both 80 and 3389 and both
connections failed. While attempting the telnet I had
netmon running. The trace only showed a few ESP protocol
frames sent from the server in the DMZ to the domain
controller, but there are no responses from the domain
controller (again this is not the case when I ping).

NOTE: If I turn off the static NAT on the server in the
DMZ, connections work.

I am confused on this one because that's what I thought
NAT-T addressed: IPSec traffic through a NAT. Are there
some caveats that I do not know about here? Why is only
ICMP working?

Any help is appreciated,

-Jay
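The netmon observation above (ISAKMP, then ESP over UDP 4500 in one direction only) is exactly what RFC 3948 UDP encapsulation looks like on the wire. The following is an added example for this thread, not code from the poster: it classifies UDP/4500 datagrams as NAT keepalive, IKE (four-byte non-ESP marker) or ESP (non-zero SPI plus sequence number), then flags address pairs that send ESP but never receive any back, which is the symptom described for the telnet attempts. The DMZ address, SPIs and datagram bodies are constructed for the example; the 192.168.0.100 address is the one from the ping output.

```python
"""Classify IPsec NAT-T (UDP/4500) datagrams and spot one-way ESP.

Added example; not the poster's code. Layout per RFC 3948:
  - NAT keepalive: a single 0xFF byte
  - IKE on 4500:   4 zero bytes ("non-ESP marker") + 28-byte ISAKMP header
  - ESP:           4-byte SPI (never zero) + 4-byte sequence number + ...
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3
ISAKMP_HDR_LEN = 28                   # cookies(16) + 4 single bytes + msgid(4) + length(4)


@dataclass(frozen=True)
class NatTFrame:
    src: str
    dst: str
    kind: str                 # "ike", "esp", "keepalive" or "malformed"
    spi: Optional[int] = None
    seq: Optional[int] = None


def classify_udp4500(src: str, dst: str, payload: bytes) -> NatTFrame:
    """Classify one UDP/4500 payload by its leading bytes."""
    if payload == NAT_KEEPALIVE:
        return NatTFrame(src, dst, "keepalive")
    if len(payload) < 8:
        # Neither an ESP header (SPI + seq) nor a marked IKE header fits.
        return NatTFrame(src, dst, "malformed")
    if payload[:4] == NON_ESP_MARKER:
        # IKE: marker must be followed by a complete ISAKMP header.
        if len(payload) < 4 + ISAKMP_HDR_LEN:
            return NatTFrame(src, dst, "malformed")
        return NatTFrame(src, dst, "ike")
    spi, seq = struct.unpack("!II", payload[:8])
    return NatTFrame(src, dst, "esp", spi, seq)


def esp_direction_counts(frames: List[NatTFrame]) -> Counter:
    """Number of ESP datagrams seen per (src, dst) pair."""
    return Counter((f.src, f.dst) for f in frames if f.kind == "esp")


def one_way_esp(frames: List[NatTFrame]) -> List[Tuple[str, str]]:
    """(src, dst) pairs that send ESP without ever receiving ESP in return."""
    counts = esp_direction_counts(frames)
    return sorted(pair for pair in counts if (pair[1], pair[0]) not in counts)


# --- constructed sample traffic, modelled on the trace described in the post ---
def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + body


def build_ike(init_cookie: bytes, resp_cookie: bytes) -> bytes:
    # Marker + minimal ISAKMP header (exchange type 2 = identity protect, len = 28).
    hdr = init_cookie + resp_cookie + bytes([0, 0x10, 2, 0]) + struct.pack("!II", 0, ISAKMP_HDR_LEN)
    return NON_ESP_MARKER + hdr


DMZ = "10.10.10.5"          # constructed: DMZ server's address
DC = "192.168.0.100"        # domain controller address from the ping output

SAMPLE = [
    classify_udp4500(DMZ, DC, build_ike(b"\x11" * 8, b"\x00" * 8)),   # IKE request
    classify_udp4500(DC, DMZ, build_ike(b"\x11" * 8, b"\x22" * 8)),   # IKE reply
    classify_udp4500(DMZ, DC, build_esp(0x1000, 1, b"\x00" * 40)),    # outbound ESP
    classify_udp4500(DMZ, DC, build_esp(0x1000, 2, b"\x00" * 40)),
    classify_udp4500(DMZ, DC, build_esp(0x1000, 3, b"\x00" * 40)),
    classify_udp4500(DC, DMZ, NAT_KEEPALIVE),                         # keepalive only
]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(frame)
    print("ESP per direction:", dict(esp_direction_counts(SAMPLE)))
    print("one-way ESP pairs:", one_way_esp(SAMPLE))   # [('10.10.10.5', '192.168.0.100')]
```

In a real capture you would feed `classify_udp4500` the source, destination and UDP payload of every port-4500 datagram; a non-empty `one_way_esp` result says the peer's SA is producing no ESP toward the NATed host, which narrows the problem to the return path rather than to IKE.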


