IP IPSEC Policy blocking ping

  • Thread starter Thread starter Zakir
  • Start date Start date
Z

Zakir

Hi all,
I have an IPSEC policy setup on a windows 2000 server. When I turn on
the "Block all IP Traffic" filter on, I am no longer able to ping
machines and they are no longer able to ping me. I tried allowing port
7 for echo, but that didn't seem to fix the problem. The odd thing is
that normally ping is an ICMP command, not an IP command and IPSEC even
has an option called block all ICMP traffic that is seperate from BLcok
all IP traffic. Any ideas if there is an odd port I need to open or
something like this?

Thank you!

Zakir
 
Basically block all IP means block everything [other than default exemptions
such as broadcast, kerberos, IKE] ] and if you look at the protocols
available for selection you will see ICMP available. Create a permit rule
for the ICMP by selecting ICMP under protocol type and you should be good to
go. Keep in mind in ipsec that specific rules override general rules such as
block all. --- Steve
 
Another question: from what I am reading, NTLM authentication seems to
use a random port? Is this true? Is there a way to allow it through
IPSEC or do I need to set it to a static port in the registry first?
 
The link below may help and be sure to read the link in the article on
dynamic RPC and how you can do a registry mod to limit the ports that it
uses. Keep in mind that you can not use ipsec between domain members and
domain controllers if you are using an Active Directory domain. If you are
not going through firewalls then it usually is best to configure ipsec to be
used for all traffic between computers and will greatly simplify and rules.
If you are going through firewalls consider using a VPN connection through
the firewall and then you can use ipsec between the VPN server and end
computer if need be. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;179442
http://support.microsoft.com/?kbid=254949 --- ipsec considerations for
domain computers
 
Actually, it's not between a DC and a domain member, it's through
IIS... and web clients... maybe this isn't NTLM?
 
Back
Top