Re: IPSEC on two different NICs

From: Ian Hellen [MS] (ianhelle@online.microsoft.com)
Date: 11/04/02


From: "Ian Hellen [MS]" <ianhelle@online.microsoft.com>
Date: Mon, 4 Nov 2002 21:51:00 -0000


You can't specify the NIC exactly - you have to configure the IPSec
filtering policies so that it only operates on one NIC and not the other.
E.g.
NIC1 = 135.41.5.1 on network 135.41.5.0/24 (internet)
NIC2 = 10.1.1.1 on network 10.1.0.0/16 (intranet)
IPSec rules will allow only inbound HTTP on NIC1 but will allow all 10.1.x.x
traffic on the other NIC.
AnyIPAddress - to subnet - 135.41.5.0/255.255.255.0 - dest port 80 - permit, mirrored
AnyIPAddress - to subnet - 135.41.5.0/255.255.255.0 - any port/protocol - block, mirrored
subnet 10.1.0.0/255.255.0.0 - to subnet 10.1.0.0/255.255.0.0 - any port/protocol - permit, mirrored

IPSec evaluates rules from most to least specific so the port 80 permit rule
will fire before the any port block rule.

--
Ian Hellen
Principal Consultant, BCC Security Solutions
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm.
Please do not send email directly to this email address. This address is for
newsgroup purposes only.
"johnny_b_good" <johnbgood@happy.org> wrote in message
news:bf4001c28439$abda2dc0$3bef2ecf@TKMSFTNGXA10...
> Hi all,
>
> Quick question: Can I set up a W2K Server to have IPSEC
> enabled on one physical NIC, but without IPSEC enabled on
> the second physical NIC? So that I might have one NIC
> pointing inside to our LAN with IPSEC and one NIC pointing
> outside at the Internet with no IPSEC / plain old TCP/IP?
> If yes, please advise how or point me to the appropriate
> resource.
>
> Thanks in advance,
>
> Johnny
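The reply above scopes IPSec to one NIC purely through address-based filters and relies on most-specific-first evaluation so that the port 80 permit beats the subnet-wide block. The following script is an added illustration, not code from the post or from Microsoft: it encodes the three filters exactly as listed (the 135.41.5.0/24 and 10.1.0.0/16 addresses are the post's own) and evaluates constructed sample packets against them. The specificity score (prefix length plus a point each for a named protocol and port), the "mirrored" handling, and the assumption that traffic matching no filter is left untouched by IPSec are all modelling choices made here; the `Filter`, `Packet` and `evaluate` names are hypothetical.

```python
"""Evaluate the three IPSec filters from the reply in most-specific-first
order.  Constructed example; the specificity scoring is an assumption that
models the "most to least specific" behaviour the reply describes."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Filter:
    name: str
    src: str                 # "any" or a CIDR such as "10.1.0.0/16"
    dst: str
    protocol: str            # "any", "tcp" or "udp"
    dst_port: Optional[int]  # None means any port
    action: str              # "permit" or "block"
    mirrored: bool = True    # also match the reverse direction

    def specificity(self) -> int:
        # Longer prefix = more specific; "any" scores 0.  A named protocol or
        # port adds one point each.  This ordering rule is an assumption.
        score = 0
        for spec in (self.src, self.dst):
            if spec != ANY:
                score += ipaddress.ip_network(spec).prefixlen
        if self.protocol != ANY:
            score += 1
        if self.dst_port is not None:
            score += 1
        return score


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int


def _addr_matches(spec: str, ip: str) -> bool:
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _one_way(f: Filter, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    return (_addr_matches(f.src, src_ip)
            and _addr_matches(f.dst, dst_ip)
            and (f.protocol == ANY or f.protocol == proto)
            and (f.dst_port is None or f.dst_port == dst_port))


def matches(f: Filter, p: Packet) -> bool:
    if _one_way(f, p.src_ip, p.dst_ip, p.protocol, p.dst_port):
        return True
    # A mirrored filter also covers the reply: addresses and ports swap, so
    # "dest port 80" becomes "source port 80" for the returning traffic.
    return f.mirrored and _one_way(f, p.dst_ip, p.src_ip, p.protocol, p.src_port)


def evaluate(filters, p: Packet) -> str:
    """Action of the most specific matching filter, or 'no-match' when no
    filter applies (assumption: such traffic is left alone, not blocked)."""
    hits = [f for f in filters if matches(f, p)]
    if not hits:
        return "no-match"
    return max(hits, key=lambda f: f.specificity()).action


# The three filters from the reply, in the order they were listed.
POLICY = [
    Filter("allow inbound HTTP on NIC1", ANY, "135.41.5.0/24", "tcp", 80, "permit"),
    Filter("block everything else on NIC1", ANY, "135.41.5.0/24", ANY, None, "block"),
    Filter("allow intranet", "10.1.0.0/16", "10.1.0.0/16", ANY, None, "permit"),
]

if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.7 and 192.0.2.5 are documentation
    # addresses standing in for hosts outside both subnets.
    samples = [
        Packet("203.0.113.7", "135.41.5.1", "tcp", 51000, 80),   # web request
        Packet("135.41.5.1", "203.0.113.7", "tcp", 80, 51000),   # its reply
        Packet("203.0.113.7", "135.41.5.1", "tcp", 51001, 22),   # other inbound port
        Packet("10.1.2.3", "10.1.1.1", "tcp", 40000, 445),       # intranet traffic
        Packet("10.1.2.3", "192.0.2.5", "udp", 40001, 53),       # matches no filter
    ]
    for pkt in samples:
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
              f"{pkt.protocol}: {evaluate(POLICY, pkt)}")
```

Running it shows the web request and its mirrored reply permitted (score 26 beats the block filter's 24), any other inbound port on the 135.41.5.0/24 side blocked, intranet traffic permitted, and a packet from the intranet to an address in neither subnet returning `no-match`. That last case is worth checking on a real policy: a filter list only covers the addresses it names, so anything outside both subnets falls through to whatever the policy's default behaviour is.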

