07-21-2002 02:58 AM - edited 02-20-2020 10:10 PM
I have a PIX 515 Firewall with 3 interfaces (internal, Internet, and DMZ). I have opened conduits between one of the servers in the DMZ and one of the internal servers to allow for Active Directory replication between the two servers, as they are Windows 2000 domain controllers. The internal server has a static IP assigned to it on the DMZ. The conduits are opened for all TCP and UDP traffic using their actual IPs and the static IP (4 conduits opened: 2 between the DMZ server and the internal IP of the internal server, and 2 between the DMZ server and the static IP of the internal server).
The problem is that still the servers cannot replicate. The server in the DMZ still cannot browse the IP of the internal server, or ping it using its internal IP address. It can browse and ping using its static IP but cannot replicate using that IP.
The IPs of the required server are listed in the HOSTS file for name resolution.
Thanks for your support.
Omnia
07-21-2002 03:26 PM
As you mentioned, you are not able to ping or browse the internal IP address from the DMZ, which is normal; you have to ping/browse using the static IP, since that is what is NATed statically on the PIX to the internal IP.
In your HOSTS file, make sure you have the static IP and not the internal IP of the inside server. If you can ping and browse but cannot replicate, then probably it is due to some ports being denied. Check what ports need to be opened for AD replication (I am not sure); if you don't know, for test purposes, open everything on your firewall, e.g.:
conduit permit tcp any any
conduit permit udp any any
conduit permit ip any any
conduit permit icmp any any
and see if replication works. If it doesn't, then you know it is not a PIX issue, since the PIX is wide open. And if it works, do a 'show conduit' and see which conduit got hit counts; that way you will figure out the ports it is trying to use.
HTH
R/Yusuf
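The reply above tells you to test against the static (NATed) address and to find out which ports replication needs. The following is an added example and is not part of the original thread or anything Cisco or Microsoft ship: a small probe you would run on the DMZ domain controller against the inside DC's static IP. It distinguishes a port the PIX silently drops (connect times out, "filtered") from one the host actually answers with a reset (service not listening, "refused"), which is the difference between a firewall problem and a server problem. The address is a placeholder; the port list is the standard Windows 2000 domain-controller set. If you do take the "open everything" shortcut with `conduit permit ip any any`, remove it again as soon as the test is done, because it exposes the whole inside network to the DMZ.

```python
"""Probe the ports Active Directory replication needs, from the DMZ DC
toward the inside DC's static (NATed) address on the PIX.

Added example, not code from the original thread. The address below is
a placeholder; the port list is the well-known Windows 2000 DC set.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Fixed ports a Windows 2000 domain controller uses before and during
# replication (name resolution, authentication, LDAP, RPC handshake, SYSVOL).
AD_REPLICATION_PORTS: List[Tuple[str, int, str]] = [
    ("tcp", 53, "DNS"),
    ("tcp", 88, "Kerberos"),
    ("tcp", 135, "RPC endpoint mapper (DRS replication starts here)"),
    ("tcp", 389, "LDAP"),
    ("tcp", 445, "SMB (SYSVOL / FRS)"),
    ("tcp", 636, "LDAPS"),
    ("tcp", 3268, "Global Catalog LDAP"),
    ("udp", 53, "DNS"),
    ("udp", 88, "Kerberos"),
    ("udp", 389, "CLDAP DC locator"),
]

# After port 135 answers, the DRS RPC itself runs on a dynamic port the
# server picks (Windows 2000 default ephemeral range 1025-5000). Conduits
# that cover only the fixed ports let the handshake succeed and then break
# replication, which looks exactly like "ping and browse work, replication
# does not".
DYNAMIC_RPC_RANGE: Tuple[int, int] = (1025, 5000)

# A connector returns one of "open", "refused", "filtered":
#   open     - TCP handshake completed
#   refused  - host answered with RST: reachable, service not listening
#   filtered - no answer: the PIX dropped the packet (or no route)
Connector = Callable[[str, int], str]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> str:
    """Real connector: one TCP connect with a short timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        # timeout, host unreachable, etc.: nothing came back, treat as dropped
        return "filtered"


def probe(host: str, connect: Connector = tcp_connect) -> Dict[str, List[str]]:
    """Classify each fixed TCP port. UDP cannot be confirmed with a connect,
    so those entries are listed separately for verification on the PIX."""
    result: Dict[str, List[str]] = {
        "open": [], "refused": [], "filtered": [], "udp_unverified": []}
    for proto, port, name in AD_REPLICATION_PORTS:
        label = f"{proto}/{port} {name}"
        if proto == "udp":
            result["udp_unverified"].append(label)
            continue
        result[connect(host, port)].append(label)
    return result


def verdict(result: Dict[str, List[str]]) -> str:
    """One-line reading of the probe: firewall problem, server problem,
    or fixed ports fine (so suspect the dynamic RPC range next)."""
    if result["filtered"]:
        return "firewall blocks required ports: " + ", ".join(result["filtered"])
    if result["refused"]:
        return ("firewall passes traffic; services not listening: "
                + ", ".join(result["refused"]))
    return ("all fixed TCP ports reachable; check the dynamic RPC range "
            f"{DYNAMIC_RPC_RANGE[0]}-{DYNAMIC_RPC_RANGE[1]} on the PIX")


if __name__ == "__main__":
    STATIC_IP = "192.0.2.10"  # placeholder: the inside DC's static IP on the DMZ
    outcome = probe(STATIC_IP)
    for state, ports in outcome.items():
        for p in ports:
            print(f"{state:15} {p}")
    print(verdict(outcome))
```

Run it from the DMZ DC with the static IP substituted. A "filtered" line is a conduit you still need; a "refused" line means the PIX is already passing that port and the inside server is the one not answering. Remember that the PIX is stateless about the RPC port negotiation on 135, so even with every fixed port open the dynamic range still has to be permitted (or the server pinned to a fixed RPC port) before replication will succeed.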
07-26-2002 01:11 AM
First of all, thanks for your reply.
I already have the conduits applied. I have the following four of them:
conduit permit tcp host Static_IP host DMZ_Server_IP
conduit permit udp host Static_IP host DMZ_Server_IP
conduit permit tcp host Internal_IP host DMZ_Server_IP
conduit permit udp host Internal_IP host DMZ_Server_IP
I also have
conduit permit icmp any any
applied.
And the entries for the server's IP addresses are in the HOSTS and LMHOSTS files; still I cannot ping or browse the server with its internal IP.
i.e., even with all the conduits applied, the firewall does not seem to allow the traffic.
Thanks,
Omnia