I have a Windows 2003 server that serves as an AD Domain Controller and a DNS server for our small office network. The server sits on a private network that connects to the Internet by a NAT / Firewall box. The internal network is 192.168.1.0/24.
I configured an IPSec ACL on the 2003 Server that did the following things:
* Allowed any traffic (all protocols) to the server from the local network (192.168.1.0 with a mask of 255.255.255.0). I checked the box that created mirror image ACLs. I assumed that this would allow traffic to and from the server going to and from my local network.
* Allowed any ICMP traffic from the server to anywhere (so that I could use ping to troubleshoot server access). Mirror Image was checked.
* Block IP traffic from anywhere to anywhere.
When I applied this IPSec policy, the DNS server stopped being able to do any Fully Qualified Domain Name translations for local domain names as well as external ones. The DNS wouldn't translate mit.edu or testcomputer.mydomain.local.
I assumed that the DNS traffic, and Active Directory updates would use a local address and IP protocol for the communication and updates, which would be allowed under the IPSec policy. I believe that the policy was working because I could remote desktop into the server from client computers on the local network, which suggests that the IP traffic from Any to the Server was working correctly.
Why was this going on? Is there a way to log IPSec filtering hits to see what's getting allowed and what's getting denied?
Thanks Rog
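As an added illustration (not part of the question above), here is a small Python model of how the three mirrored filters in the post are evaluated, assuming the Windows IPsec behaviour that the most specific matching filter wins regardless of list order; the server address 192.168.1.10, the outside resolver 203.0.113.53 and the filter names are constructed placeholders. It shows that a query the DNS service itself sends to a resolver outside 192.168.1.0/24 (a forwarder or root server) is caught only by the block-all filter, and what a narrow permit filter for that traffic changes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SERVER = "192.168.1.10"  # constructed address of the DC/DNS server ("me" in the filters below)

@dataclass(frozen=True)
class Filter:
    name: str
    src: str             # CIDR, "any", or "me" (the server itself)
    dst: str
    proto: str           # "any", "tcp", "udp" or "icmp"
    port: Optional[int]  # destination port in the forward direction; None = any port
    action: str          # "permit" or "block"
    mirrored: bool = True

def _net(spec):
    # "me" is the server's own address; "any" covers every address
    return ip_network({"any": "0.0.0.0/0", "me": SERVER + "/32"}.get(spec, spec))

def _matches(f, src, dst, proto, sport, dport):
    # A mirrored filter also matches the reply direction: addresses swapped, and
    # the filter's port is then compared with the packet's source port.
    sides = [(f.src, f.dst, dport)] + ([(f.dst, f.src, sport)] if f.mirrored else [])
    return any(ip_address(src) in _net(s) and ip_address(dst) in _net(d)
               and f.proto in ("any", proto) and f.port in (None, p)
               for s, d, p in sides)

def _specificity(f):
    # Simplified model of Windows IPsec ordering: the most specific matching filter
    # wins regardless of list order (addresses first, then protocol, then port).
    return (_net(f.src).prefixlen + _net(f.dst).prefixlen, f.proto != "any", f.port is not None)

def decide(filters, src, dst, proto, sport=None, dport=None):
    """Return (action, filter name) for one packet; traffic matching no filter is passed."""
    hits = [f for f in filters if _matches(f, src, dst, proto, sport, dport)]
    if not hits:
        return ("permit", None)
    best = max(hits, key=_specificity)
    return (best.action, best.name)

# The three filters described in the post (filter names are constructed)
POLICY = [
    Filter("lan-to-server", "192.168.1.0/24", "me", "any", None, "permit"),
    Filter("server-icmp", "me", "any", "icmp", None, "permit"),
    Filter("block-all", "any", "any", "any", None, "block"),
]
# Narrow extra filter so the DNS service can query resolvers outside the LAN (DNS over TCP needs a tcp/53 twin)
DNS_OUT = Filter("server-dns-out", "me", "any", "udp", 53, "permit")
```

Calling `decide(POLICY, SERVER, "203.0.113.53", "udp", 1025, 53)` returns the block-all verdict, while RDP from a LAN client still returns the lan-to-server permit, matching what the post observed.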