03-09-2007 04:17 PM - edited 03-11-2019 02:44 AM
I have a 506E that is used to separate an internal LAN segment from another LAN segment (it is a police department). The problem I am having is we set up a second domain controller on the other side of the PIX and need to open it up to allow DNS traffic to pass between both Windows 2003 servers. Both are running Active Directory. Any help on what is the best way to get the two domain controllers talking would be appreciated. Thanks
03-09-2007 04:55 PM
This is probably the best Microsoft document I know of that explains in detail which ports are used by specific services on your Windows server. It should help you greatly. If you need more help, post up and I'm sure someone will help you out. It's hard to say how to get them talking, as this could mean a lot depending upon what services are running, etc. If it's just DNS traffic, of course you would need to allow UDP 53.
03-09-2007 04:59 PM
Thanks very much. This will help. The other problem is just knowing how to configure it all on the PIX. Does Cisco have a similar document?
03-09-2007 05:10 PM
If you could post up a sanitized config and a little topology we could get you started.
03-09-2007 05:24 PM
I have tried to config it myself but I am not an expert.
The topology is this.
There is a PIX 506E that separates two LAN segments to secure one part (a public service agency) from the other. The outside LAN segment is 192.168.10.x with a Windows 2003 domain server at 192.168.10.2. A second domain controller (172.23.16.7) was put on the inside LAN segment (172.23.16.x) to add redundancy and make the domain DNS more robust. I need the PIX to allow DNS traffic to move both ways between the domain controllers to ensure they are updating each other.
I didn't design the original network and just have to deal with someone else's idea. Anyway, here is an attached copy of my running config. Thanks.
03-09-2007 05:52 PM
Which is supposed to be more secure 192.168.10 or 172.23.16?
03-09-2007 05:56 PM
The 172.23.16.x is the more secure and is inside, whereas the less secure is the 192.168.10.x.
03-09-2007 05:58 PM
Firstly, the first line in your access-list is permit ip any any, so any other line below that is ignored as all traffic would match the first entry.
03-09-2007 05:59 PM
If I remove that then it would start filtering down?
03-09-2007 06:01 PM
Right now I have no problem with e-mail flowing through, but if I remove that then it looks like I would have to add an ACL permitting SMTP traffic, right?
03-09-2007 06:05 PM
Yes, if you remove that you could end up with a lot of stuff that doesn't work.
03-09-2007 06:04 PM
Yes, it always starts at the top and works its way down until it finds a match. Also, there is an implicit "deny any any" that is always the last statement, which is not displayed.
03-09-2007 06:25 PM
Thanks for your help so far. It looks like I will have to pick up trying to figure this out on Monday. If you have any other suggestions I could look at, that would help. It's funny, I've got one e-mail from tech support and they didn't mention any of the things you did. You seemed to know more than the tech who e-mailed me. Thanks. I'll have to check out the replies when I return on Monday. Thanks again.
03-09-2007 06:29 PM
Well, I don't know about that, but it appears you have most of the AD ports defined: LDAP, LDAPS, DNS, Kerberos, RPC, SMB, NetBIOS, etc. But with the first "permit ip any any" it defeats the purpose of a firewall, especially since you specifically want to secure the inside network.
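As an added illustration of the first-match point made in the last few replies (this is not code from the thread or from Cisco), here is a small Python model of PIX 6.x-style access-list evaluation. It parses a subset of the syntax (permit/deny, ip/udp/tcp, any, host, network+mask, eq port), applies first-match with the undisplayed implicit deny, and reports entries that can never be reached because an earlier entry already covers them. The two ACLs, the name inside_in, the SMTP line and the 172.23.16.50 host are constructed for the example; 172.23.16.7 and 192.168.10.2 are the addresses given in the thread. The sample also opens TCP 53, since DNS uses TCP for zone transfers and for replies too large for UDP.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords PIX accepts in place of numbers (subset, constructed for this example).
PORT_NAMES = {"domain": 53, "smtp": 25, "ldap": 389, "ldaps": 636, "kerberos": 88}


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "udp" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means "any destination port"
    text: str                        # original line, for reporting


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read 'any', 'host A', or 'A MASK' (PIX 6.x style) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_entry(line: str) -> Entry:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not a supported access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(action, proto, src, dst, dport, line)


def matches(e: Entry, proto: str, src: str, dst: str, dport: int) -> bool:
    """Does one entry match a single flow? 'ip' matches every protocol."""
    return ((e.proto == "ip" or e.proto == proto)
            and ipaddress.ip_address(src) in e.src
            and ipaddress.ip_address(dst) in e.dst
            and (e.dport is None or e.dport == dport))


def evaluate(entries: List[Entry], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching entry wins; nothing matching hits the implicit deny at the end."""
    for e in entries:
        if matches(e, proto, src, dst, dport):
            return e.action, e.text
    return "deny", "<implicit deny any any>"


def covers(a: Entry, b: Entry) -> bool:
    """True if every flow b could match is already matched by the earlier entry a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.dport is None or a.dport == b.dport))


def shadowed(entries: List[Entry]) -> List[str]:
    """Entries that can never be reached because an earlier entry covers them."""
    dead = []
    for i, e in enumerate(entries):
        if any(covers(earlier, e) for earlier in entries[:i]):
            dead.append(e.text)
    return dead


# Constructed sample ACLs. The first reproduces the problem raised in the thread:
# a leading 'permit ip any any' makes every later line unreachable.
BROKEN_ACL = """\
access-list inside_in permit ip any any
access-list inside_in permit udp host 172.23.16.7 host 192.168.10.2 eq domain
access-list inside_in permit tcp host 172.23.16.7 host 192.168.10.2 eq domain""".splitlines()

FIXED_ACL = """\
access-list inside_in permit udp host 172.23.16.7 host 192.168.10.2 eq domain
access-list inside_in permit tcp host 172.23.16.7 host 192.168.10.2 eq domain
access-list inside_in permit tcp 172.23.16.0 255.255.255.0 any eq smtp""".splitlines()


def analyse(acl_lines: List[str]) -> dict:
    """Report dead entries and the verdict for a wanted flow (DNS) and an unwanted one (telnet)."""
    entries = [parse_entry(line) for line in acl_lines]
    return {
        "shadowed": shadowed(entries),
        "dns_udp": evaluate(entries, "udp", "172.23.16.7", "192.168.10.2", 53)[0],
        "telnet": evaluate(entries, "tcp", "172.23.16.50", "192.168.10.2", 23)[0],
    }


if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, analyse(acl))
```

Running it shows the broken list permitting the telnet flow via the first line while reporting both DNS lines as shadowed, and the fixed list permitting DNS, denying telnet through the implicit deny, and having no shadowed entries. The same evaluate/shadowed pair can be pointed at any ACL in the supported subset before it is applied with access-group on the firewall.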