topic Re: Domain Controller on DMZ in Network Security

Domain Controller on DMZ

mrmozaffari — Mon, 11 Mar 2019 08:58:47 GMT

I have a problem with Domain Controller when its on dmz and client of DC on inside,i ve configured an access-list to permit conversation between DC and Clients but they cant join to domain.

The DC ip address is 172.16.1.9 which i nat it to 10.9.0.15 ,and users subnet is 10.9.0.0/16 ,i also define dhcp server on DC and clients can take their ip address from dhcp but they can't join to domain.

please help me.

Thanks.

Re: Domain Controller on DMZ

vadi_ag — Tue, 21 Nov 2006 13:37:56 GMT

I cannot see any acl entry for port 53 udp/tcp this port is for DNS and allow port 500 and 50 and u hav to allow ports 88 tcp/udp for kerberos for time being u can allow tcp/udp echo port check out if this works then rate my reply if not we will try somethinf else

Raj

Re: Domain Controller on DMZ

mrmozaffari — Wed, 22 Nov 2006 08:10:33 GMT

Hi Vadi

Thank you for your reply but after i saw your comments I've changed my access-list and add permit ip any any to my access list but again i saw that the clients could not join to domain.

Thanks.

Re: Domain Controller on DMZ

mrmozaffari — Thu, 23 Nov 2006 08:43:48 GMT

Please someone help me.

Thanks.

Re: Domain Controller on DMZ

vadi_ag — Wed, 29 Nov 2006 07:57:13 GMT

If u have allowed any any in ur acl then it should work now i am suspecting ur DC for testing purpose u can take one client and assign IP of ur DMZ and place this client on DMZ and then u try to add this client to ur domain if this works fine then we hav to look at ur config again if this does not works then u can check ur DC

Re: Domain Controller on DMZ

jgervia_2 — Thu, 30 Nov 2006 00:59:27 GMT

Hello,

If you don't have an access-list applied to your inside interface, going to the DMZ should be allowed on all ports/protocols, so it shouldn't be an access list issue.

Make sure you've disabled nat unless you need it :

no nat-control

By default, you need nat from a high-->low interface unless you turn it off. The static doesn't really cover that (you have to tell the pix what the ip addresses on the inside will be when they are on the dmz).

Also, make sure when they are getting their DHCP address from the server that they are getting the *translated* address as the WINS server, not the real one. I don't know if this would be an issue - are you not routing the DMZ network internally?

--Jason

Please rate this message if it answered some or all of your question/issue.