
First a little explanation of my network topology.

I have an internal domain and an edge network domain. There is no trust between the two domains (and IT will not allow a one-way trust to be set up between the internal and the edge network domains).


When passing through the router, it will NAT the traffic to the edge network. So all traffic that dmzHost.edgeNetwork.local sees that did not originate on its own subnet will appear to have a source IP of 192.168.10.10. Interestingly, any traffic going from the 192.168.10.0/24 subnet will not be NATed when connecting to a computer in the 10.0.0.0/8 subnet (I sent an email to IT asking why this is, as I do not understand the benefit of NAT to the edge network but open access from the edge network. I could see the reasoning behind 10.x -> 192.x = NAT and 192.x -> 10.x = dropped connection, but the fact that they allow the connection through confuses me).


What I want to do is disable the firewall for any authorized computer so it can do remote management. The method I tried was:

  1. On dmzHost, create a Connection Security Rules entry with the following settings:
    1. Endpoint 1 is set to 192.168.10.40 through 192.168.10.49 (this will be a GPO pushed out to several computers)
    2. Endpoint 2 is set to Any IP address
    3. Protocols and Ports is set to Any
    4. Authentication Requirements is set to Request inbound and outbound
    5. Authentication Method is set to Advanced with the first authentication method set to Preshared Key
  2. On lanPC, follow the same setup except:
    1. Set Endpoint 1 to Any IP address
    2. Set Endpoint 2 to 192.168.10.40 through 192.168.10.49

Checking Main Mode and Quick Mode under Security Associations I can see the connection established.

Main Mode:
Local Address    Remote Address    1st Authentication Method    2nd Authentication Method    Encryption    Integrity    Key Exchange
192.168.10.40    192.168.10.10     Preshared key                No authentication            AES-CBC 128   SHA-1        Diffie-Hellman Group 2

Quick Mode:
Local Address    Remote Address    Local Port    Remote Port    Protocol    AH Integrity    ESP Integrity    ESP Encryption
192.168.10.40    192.168.10.10     Any           Any            Any         None            SHA-1            None

Now when I set up the firewall rule, this is when it breaks.

I set up the firewall rule to allow all ports and all programs; however, under Action I change from "Allow the connection" to "Allow the connection if it is secure", then under Customize I have it set to "Allow the connection to use null encapsulation".

Name                                          Group    Profile    Enabled    Action                       Override    Program    Local Address                  Remote Address    Protocol    Local Port    Remote Port    Allowed Users    Allowed Computers    
Allow full access to any computer with PSK             All        No         Secure (No encapsulation)    No          Any        192.168.10.40-192.168.10.49    Any               Any         Any           Any            Any              Any    

When I enable that setting I lose all connections to 192.168.10.40 that have been NATed by the router; I had to connect to another computer in the edge network and remote in from there to disable the firewall rule.

What do I need to do so lanPC.example.com can do remote administration (without needing to RDP in) on dmzHost.edgeNetwork.local?
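The same two rules as a scripted equivalent, added here as an example and not part of the original question: it reproduces the dmzHost configuration described above (Endpoint 1 = the 192.168.10.40-49 range, Endpoint 2 = Any, PSK, "allow if secure" with null encapsulation) and creates the firewall rule disabled so the security associations can be checked from a console session before it is switched on. The PSK value and the rule display names are placeholders; it does not resolve the lockout, and a PSK shared across every host in the GPO scope is the weakest of the available authentication methods.

```powershell
# Added example: PowerShell equivalent of the GUI rules from the question,
# as they would be created on dmzHost. On lanPC the two address parameters
# are swapped (LocalAddress Any, RemoteAddress = admin range).

$AdminRange = "192.168.10.40-192.168.10.49"
$Psk        = "REPLACE-WITH-LONG-RANDOM-SECRET"   # placeholder, not a real key

# Phase 1 (main mode) authentication: a machine preshared key, as in the
# "Advanced" authentication method of the connection security rule.
$pskProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "PSK for admin hosts" `
            -Proposal $pskProposal

# Connection security rule: request (not require) IPsec inbound and
# outbound between the admin range and any address, any protocol and port.
New-NetIPsecRule -DisplayName "Request IPsec from admin hosts" `
    -LocalAddress $AdminRange -RemoteAddress Any `
    -Protocol Any -Mode Transport `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name

# Firewall rule: allow all programs and ports only if the connection was
# authenticated by IPsec. -Authentication NoEncapsulation is the GUI's
# "Allow the connection to use null encapsulation". Created disabled so it
# is only turned on once the SAs below are confirmed.
New-NetFirewallRule -DisplayName "Allow full access to any computer with PSK" `
    -Direction Inbound -Action Allow -Enabled False `
    -Protocol Any -LocalAddress $AdminRange -RemoteAddress Any `
    -Authentication NoEncapsulation -Encryption NotRequired

# Check before enabling: the NATed source seen in the question (192.168.10.10)
# should appear as a peer in both main-mode and quick-mode SAs, matching the
# Security Associations view in the firewall MMC snap-in.
$peer = "192.168.10.10"
Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $peer }
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $peer }

# Only after both SA lists show the peer, from a console (not remote) session:
# Enable-NetFirewallRule -DisplayName "Allow full access to any computer with PSK"
```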

