Re: PIX & Domain Controller Conflict

peterlebaige · ‎04-06-2004

Help! We have a PIX firewall, an HP server running Windows 2000 Terminal server & several PCs connected to a 3Com switch. A router is connected on the PIX¡¯s outside interface.

Problem: When users log in from their PCs (Windows XP Service Pack 1) to the domain, the first time each day, the login is extremely slow & their error logs all show they could not find the DC. Checking the the PC's ARP cache now you find there are two entries: 192.168.100.1 (PIX gateway) & 192.168.100.2 (Server)

Both these IPs are resolved to the PIX¡¯s MAC address If you now open a webpage & check the ARP cache again the PIX & server now are resolved to their respective MAC addresses. Logging out now (not rebooting) & logging back in is error-free.

Removing the NAT entry for the server & reloading the PIX stops the problem. Restoring the NAT entry again to allow external access brings the problem back again.

Any suggestions where the problem lies? The firewall configuration is attached.

mostiguy · ‎04-06-2004

static (outside,inside) 192.168.100.2 219.235.192.10

netmask 255.255.255.255 0 0

do you need this command? I don't think it can possibly help matters. It would probably force the pix to expect 192.168.100.2 to be on the outside interface of the pix, and the pix might proxy arp for it, creating the problematic arp entries.

it appears that you otherwise have a fairly simply network with nat.

trying removing that command, clear xlate, and see if the problem persists

peterlebaige · ‎04-08-2004

Thanks. We haven't had a chance to try the fix yet, but it seems from looking at some other PIX configs we've found that the entry you mentioned is superfluous, & may be causing the problem.

Will let you know the result.

peterlebaige · ‎04-15-2004

Thanks very much for your help, the command you identified was indeed the one causing the problem. As soon as it was erased, logging in was normal for the PCs again.