03-17-2009 01:32 AM - edited 03-11-2019 08:05 AM
Hi,
I have a Cisco PIX 515E, 7.2(1) with two networks - inside and dmz. Communication between these networks is NATed. On the inside is a Windows domain called GRP. In the dmz I have some workstations which need to be domain members of GRP.
Is there any possibility to do it? Because I read that Kerberos has problems with NAT.
Many thanks,
Vladislav
03-17-2009 11:56 AM
Hi,
Yes it is possible.
The DMZ interface usually has a lower security level than the inside interface. Because of that you should define an access-list that allows hosts from dmz to access your domain controllers and internal DNS servers.
More on how communication between dmz and inside works:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml
03-17-2009 10:47 PM
Thanks.
I have no problem defining the ACL. The main question was about the Windows domain. I don't know if Active Directory requires anything special to be allowed on the PIX.
Or is it enough to allow the standard Windows ports - 138, 139, 445?
Vladislav
03-17-2009 10:56 PM
This document might help out with your configuration task.
03-17-2009 11:01 PM
Thanks.
I know this document, but it is about accessing VPN users. There is nothing about my question.
Vladislav
03-18-2009 12:36 AM
If you are concerned about domain controllers then you should look at the Microsoft site.
If you have a member server in the dmz and a DC in the inside network then you have to enable traffic for the following ports:
• Kerberos ports (88/tcp, 88/udp) used to perform mutual authentication between the member server and the domain controller. Kerberos traffic needs to be allowed in addition to the possible application-specific traffic.
• DNS ports (53/tcp, 53/udp) used for name lookups.
• LDAP ports (389/udp, 389/tcp or 636/tcp for SSL) used for locator pings.
• Microsoft-DS traffic (445/tcp, 445/udp).
All necessary data can be found here:
Active Directory in Networks Segmented by Firewalls
I hope that you can solve problem now. :)
03-20-2009 02:54 AM
Thanks, very helpful document. There is one very important piece of information for me:
Note
Active Directory functionality is not supported over a router that has Network Address Translation (NAT) enabled. The configuration recommendations in this paper apply only to non-NAT environments.
So in my scenario I have to disable NAT between DMZ and INSIDE.
Vladislav
03-20-2009 03:15 AM
You can set NAT like this.
hostname(config)#static (inside,dmz) 10.1.1.2 10.1.1.2 netmask 255.255.255.0
This way you will NAT the complete inside network to dmz but with the same address range. I have seen scenarios that work this way.
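Putting the two answers together, here is an added example (not from the original thread or from Cisco) of what a PIX 7.2-style configuration for this scenario could look like: an identity static for the whole inside subnet toward dmz, so the inside addresses are unchanged as seen from the dmz and Active Directory never sees a translated address, plus an access-list applied inbound on the dmz interface that permits only the ports listed in the thread from the dmz members to the domain controller. The interface names, security levels, addresses (10.1.1.0/24 inside, 172.16.1.0/24 dmz, DC at 10.1.1.10, dmz member at 172.16.1.20) and object-group names are assumptions for illustration; the port list is exactly the one given above, so anything else the linked Microsoft document requires (for example RPC) would still have to be added after reading it.

```cisco
! --- assumed interfaces: inside is the higher security level, dmz the lower
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0

! --- identity NAT: real and mapped address are the same, so 10.1.1.x
!     is reachable from dmz as 10.1.1.x (no address rewriting for AD traffic)
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! --- hosts (assumed addresses)
object-group network AD-DC
 network-object host 10.1.1.10
object-group network DMZ-MEMBERS
 network-object host 172.16.1.20

! --- only the ports listed in the thread: Kerberos, DNS, LDAP/LDAPS, Microsoft-DS
object-group service AD-TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 389
 port-object eq 636
 port-object eq 445
object-group service AD-UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 389
 port-object eq 445

! --- dmz -> inside: dmz members may talk to the DC on the AD ports only;
!     everything else from dmz is dropped and logged so missing ports show up
access-list DMZ_IN extended permit tcp object-group DMZ-MEMBERS object-group AD-DC object-group AD-TCP
access-list DMZ_IN extended permit udp object-group DMZ-MEMBERS object-group AD-DC object-group AD-UDP
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

The trailing deny with `log` is the practical check: when a domain join or logon from the dmz host fails, the denied-packet syslog messages show exactly which destination port the ACL is still missing, which is far quicker than guessing from the Windows-side error.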