Required Tcp/udp Port no on PIX to join computer to Windows 2000 Domain.

pankaj_cisco111 · ‎07-04-2005

On Pix 515 I open port 135/TCP , 389/TCP/UDP, 636/TCP, 53/TCP/UDP, 88/Tcp/Udp & 445/TCP. Now I can logon to domain but still no able to join computer to domain via Administrator id. I got message; Network path not found. If i assign IP to IP permission on PIX then it's working. Pls. suggest.

tvanginneken · ‎07-05-2005

Hi,

what do you mean by "IP to IP permission"?

Kind Regards,

Tom

johansens · ‎07-05-2005

Perhaps you are missing Global Catalog (TCP/3268 and SSL-version at TCP/3269)?

Check this link for some info on AD:

http://www.windowsitpro.com/Article/ArticleID/37928/37928.html

pankaj_cisco111 · ‎07-06-2005

I have permitted TCP/3268 & TCP/3269 ports but still not able to join computer to domain via an authorized id. Pls. Look into this.

johansens · ‎07-09-2005

It's simpler if you check your logs to see what is being blocked...

Run the logging buffer at severity 4 (warnings) to avoid seeing the build-up and teardowns of allowed sessions.

If you run a syslog server, run at severity 6 (informational) and take a look at the logs watching for "%PIX-4-106023: Deny..."

or maybe the "%PIX-6-106015: Deny TCP (no connection) from..." messages.

ashfortha · ‎07-19-2005

I have exactly the same problem, I had assumed that the following access-list would allow inbound access to our network without any issues, but we still have a problem with PCs not able to Join a Windows Domain, and not able to change password, but able to login:-

access-list outside_acl line 1 permit ip x.x.x.x 255.255.192.0 any (hitcnt=1399846)

Note X.X.X.X is for illustration only. The hitcnt indicates some success such as some of the ports you have listed.