07-17-2003 09:33 PM - edited 02-20-2020 10:51 PM
Hi Mynul,
My name is Quang Truong and I am with Marconi. I am trying to configure a PIX to allow a DMZ host (NT station) to join the NT domain, net logon, and file shares to an NT server which resides in the INSIDE network. If I configure it using no NAT then it is OK, but when trying with NAT it fails. I used one example from the TAC side for configuring PIX with NetBIOS.
I am using a PIX 515 with ver 6.2.
I'm trying to configure a Windows box in the DMZ to join our domain in the Internal network.
The following config would work without NAT:
ip address outside 203.94.160.2 255.255.255.240
ip address inside 10.0.0.200 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
access-list dmz_traffic permit tcp host 192.168.10.4 host 10.0.0.1 eq 139
access-list dmz_traffic permit udp host 192.168.10.4 host 10.0.0.1 eq 137
access-list dmz_traffic permit udp host 192.168.10.4 host 10.0.0.1 eq 138
access-group dmz_traffic in interface dmz
static (inside,dmz) 10.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0
However, I would like to use NAT, and the configuration below does not work:
access-list dmz_traffic permit tcp host 192.168.10.4 host 192.168.10.11 eq 139
access-list dmz_traffic permit udp host 192.168.10.4 host 192.168.10.11 eq 137
access-list dmz_traffic permit udp host 192.168.10.4 host 192.168.10.11 eq 138
access-group dmz_traffic in interface dmz
static (inside,dmz) 192.168.10.11 10.0.0.1 netmask 255.255.255.255 0 0
I have searched for the solution and have found that because the PIX does not translate the IP in the NetBIOS header, the process of joining the domain breaks down.
If that is the problem, is there a way to configure the PIX to translate the IP in the NetBIOS header? Or is there any workaround?
If that is not the problem, how can I make it work, please?
Regards,
Quang
07-18-2003 12:13 AM
Hello Quang,
I don't know if you've read the following documents? They might be helpful for your situation.
Hope this helps -
07-18-2003 12:32 AM
Quang,
The following FAQ from Cisco might be worth reading too:
Q. I need to allow my users access to shared folders on my NT Domain from remote locations. How do I do this?
A. Microsoft's NetBIOS protocol allows file and printer sharing. Enabling NetBIOS across the Internet does not meet the security requirements of most networks. Further, NetBIOS is difficult to configure using NAT. While Microsoft makes this more secure using encrypted technologies, which work seamlessly with the PIX, it is possible to open the necessary ports.
In brief, you will need to set static translations for ALL hosts requiring access and conduits (or access lists in PIX Software 5.0.x and later) for TCP ports 135 and 139 and UDP ports 137 and 138. You must either use a WINS server to resolve the translated addresses to NetBIOS names or a local, properly configured LMHOSTS file on all your remote client machines. If using WINS, each and every host must have a static WINS entry for BOTH the local and translated addresses of the hosts being accessed. Using LMHOSTS should have both as well, unless your remote users are never connected to your inside network (for example, laptop computers). Your WINS server must be accessible to the Internet with the static and conduit commands and your remote hosts must be configured to point at this WINS server. Finally, Dynamic Host Configuration Protocol (DHCP) leases must be set to never expire, or better yet, statically configure the IP addresses on the hosts needing to be accessed from the Internet.
A safer and more secure way to do this is to configure either Point-to-Point Tunneling Protocol (PPTP) or IPSec encryption. Consult with your network security and design specialists for further details on the security ramifications.
---
Hope it helps --
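To make the mechanism behind Quang's question and the FAQ's advice concrete, here is an added example (not code from the thread, Cisco, or the PIX) that models the thread's topology in Python. It builds a real NetBIOS Name Service positive name-query response (RFC 1001/1002 layout: first-level encoded name, NB record, RDATA = flags + owner IP), pushes it through a simplified one-to-one static translation that rewrites only the IP header, and shows that the owner address embedded in the NetBIOS payload still names the inside address 10.0.0.1, which the dmz access-list never permits. It then shows the FAQ's workaround (a static LMHOSTS/WINS entry for the translated address) and, for illustration only, what an application-layer fixup would have to rewrite. The host name NTSERVER, the transaction ID, the LMHOSTS table and the `Packet` model are constructed assumptions; the addresses and ACL come from the post.

```python
import struct
from dataclasses import dataclass

# Constructed topology taken from the thread's NAT configuration.
DMZ_HOST = "192.168.10.4"
SERVER_REAL = "10.0.0.1"          # NT server's real inside address
SERVER_XLATE = "192.168.10.11"    # address the DMZ sees: static (inside,dmz)
STATIC = {SERVER_XLATE: SERVER_REAL}
REVERSE_STATIC = {v: k for k, v in STATIC.items()}

# Inbound ACL on the dmz interface, as in the NAT version of the post.
ACL = [("tcp", DMZ_HOST, SERVER_XLATE, 139),
       ("udp", DMZ_HOST, SERVER_XLATE, 137),
       ("udp", DMZ_HOST, SERVER_XLATE, 138)]


@dataclass
class Packet:            # minimal model of an IP/UDP/TCP datagram (assumption)
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def acl_permits(pkt: Packet) -> bool:
    return (pkt.proto, pkt.src, pkt.dst, pkt.dport) in ACL


def nat_dmz_to_inside(pkt: Packet) -> Packet:
    """static (inside,dmz): rewrite the IP header only; the payload is never touched."""
    return Packet(pkt.proto, pkt.src, STATIC.get(pkt.dst, pkt.dst), pkt.dport, pkt.payload)


def nat_inside_to_dmz(pkt: Packet) -> Packet:
    return Packet(pkt.proto, REVERSE_STATIC.get(pkt.src, pkt.src), pkt.dst, pkt.dport, pkt.payload)


def encode_nb_name(name: str, suffix: int = 0x20) -> bytes:
    """NetBIOS first-level encoding: 15 chars + suffix byte, each nibble + 'A', as one 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return bytes([32]) + enc + b"\x00"


def decode_nb_name(label: bytes) -> str:
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()


def build_nbns_response(tid: int, name: str, ip: str) -> bytes:
    """Positive NBNS name-query response: 12-byte header, NB record, RDATA = NB_FLAGS(2) + owner IP(4)."""
    header = struct.pack("!HHHHHH", tid, 0x8500, 0, 1, 0, 0)
    rr = encode_nb_name(name) + struct.pack("!HHIH", 0x0020, 1, 300000, 6)
    rdata = struct.pack("!H4B", 0x6000, *map(int, ip.split(".")))
    return header + rr + rdata


def parse_nbns_response(data: bytes):
    """Return (name, owner IP carried inside the NetBIOS payload)."""
    name = decode_nb_name(data[12:46])
    ip = ".".join(str(b) for b in data[-4:])
    return name, ip


def name_lookup_via_nat(name: str):
    """DMZ host asks the translated address; the reply header is translated, the payload is not."""
    query = Packet("udp", DMZ_HOST, SERVER_XLATE, 137)
    assert acl_permits(query)
    inside = nat_dmz_to_inside(query)                       # dst becomes 10.0.0.1
    reply = Packet("udp", inside.dst, inside.src, 137,
                   build_nbns_response(0x1234, name, inside.dst))   # server answers with its real IP
    seen = nat_inside_to_dmz(reply)                         # src header becomes 192.168.10.11
    _, embedded = parse_nbns_response(seen.payload)
    return seen.src, embedded                               # ("192.168.10.11", "10.0.0.1")


def smb_session_permitted(dst_ip: str) -> bool:
    """Would the follow-up TCP/139 session from the DMZ host pass the dmz ACL?"""
    return acl_permits(Packet("tcp", DMZ_HOST, dst_ip, 139))


def fixup_nbns(payload: bytes) -> bytes:
    """What an application-layer fixup would have to do: rewrite the embedded owner IP.
    Illustrative only; the thread states the PIX does not do this for NetBIOS."""
    _, ip = parse_nbns_response(payload)
    mapped = REVERSE_STATIC.get(ip, ip)
    return payload[:-4] + bytes(map(int, mapped.split(".")))


# The FAQ's workaround: a static LMHOSTS/WINS entry that maps the name to the translated address.
LMHOSTS = {"NTSERVER": SERVER_XLATE}   # constructed entry


def resolve(name: str) -> str:
    """Static entry first; otherwise fall back to the address NBNS put in the payload."""
    return LMHOSTS.get(name.upper()) or name_lookup_via_nat(name)[1]


if __name__ == "__main__":
    hdr, inner = name_lookup_via_nat("NTSERVER")
    print(f"reply header from {hdr}, payload says {inner}, TCP/139 allowed: {smb_session_permitted(inner)}")
    via_lmhosts = resolve("NTSERVER")
    print(f"LMHOSTS resolves to {via_lmhosts}, TCP/139 allowed: {smb_session_permitted(via_lmhosts)}")
```

The two print lines show the defender-relevant split: the name service reply arrives from the permitted address, but the client then opens its session to the address inside the payload, which is neither translated nor in the access-list, so the join fails silently from the client's point of view. The LMHOSTS (or static WINS) entry short-circuits that lookup so the session goes to the translated address the ACL actually allows; the `fixup_nbns` function exists only to show which bytes a protocol-aware translator would have to rewrite.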