04-24-2002 05:07 AM - edited 02-20-2020 10:02 PM
I have one PIX 515 with two interfaces. On the inside interface is my Primary Domain Controller (PDC) running Windows 2000 Advanced Server, and on the outside interface are all my users running Windows 2000. I have opened all the necessary ports in the PIX (all the ports, for test purposes), but I can't:
1) Share folders between the users with Windows 2000.
2) Get folders from the computers on the inside interface (other servers that I have).
3) When I try to connect to SQL, I get an authentication error that says: "Could not generate SSPI context".
04-24-2002 05:28 AM
First, I would make sure that I have the statics set up properly. Second, if you are using access-lists or conduits, I would allow everything and see if you can get a connection that way. If you can, you should be able to look at the ports being sent through the PIX (issue the command "sh conn" and you will be able to determine them). Then you can see if your access control is set up properly.
Hope this helps
04-24-2002 10:47 AM
How is your WINS setup?
Michael
04-24-2002 11:34 AM
I have already opened all the ports between these interfaces, but I still can't log in to the PDC.
Somebody told me that it is not possible to authenticate to the PDC through a PIX.
I'd appreciate any other tips.
04-24-2002 04:27 PM
When a PIX opens all ports, it acts as an IP-only router, so please check your WINS setup to make sure name resolution works.
My 2 cents.
04-25-2002 08:44 AM
What do your translation statements look like? Your authentications may be failing because you are not returning the proper source/destination information (the Kerberos key exchange fails). Can you post your static/conduit/access-list statements and your nat/global statements?
DT
05-15-2002 09:22 AM
Mr. Thompson,
I have the same issue. I am setting up a PIX 520 UR Firewall here at the University of Washington. I can log in to the Active Directory Win2K domain, and the login scripts execute and establish the connections to the necessary NetBIOS network shares. I opened the necessary ports (or so I think); the conduit rules are included below. Specifically, I am getting a Kerberos error with Event ID 7 stating: "The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was ????????????_ and lookup type 0x100."
Once I log in to the domain and try to use Active Directory Users and Computers, I get an error message that the RPC server is not available.
There is a Cisco article on how to set up a PIX with Windows NT (not Win2K) and WINS to log in to the domain and connect to network shares. You can find the article at:
http://www.cisco.com/warp/customer/110/pixnetbios.html
I was wondering if there is a similar article for Windows 2000 Active Directory?
Here is the conduit list (note that the IP addresses have been replaced with non-routable private IP space for sanitization):
conduit permit icmp any any echo-reply (hitcnt=69)
conduit permit icmp any any unreachable (hitcnt=1512)
conduit permit icmp any any time-exceeded (hitcnt=1)
conduit permit icmp any any redirect (hitcnt=0)
conduit permit udp host 192.168.1.2 eq 389 any (hitcnt=1699)
conduit permit udp host 192.168.1.2 eq 88 any (hitcnt=943)
conduit permit udp host 192.168.1.2 eq netbios-ns any (hitcnt=1012)
conduit permit icmp host 192.168.1.2 any echo (hitcnt=1753)
conduit permit tcp host 192.168.1.2 eq 445 any (hitcnt=220)
conduit permit tcp host 192.168.1.2 eq 135 any (hitcnt=4880)
conduit permit tcp host 192.168.1.2 eq 389 any (hitcnt=121)
conduit permit tcp host 192.168.1.2 eq 1026 any (hitcnt=1007)
conduit permit tcp host 192.168.1.2 eq 139 any (hitcnt=640)
conduit permit udp host 192.168.1.2 eq netbios-dgm any (hitcnt=726)
conduit permit udp host 192.168.1.3 eq 389 any (hitcnt=942)
conduit permit udp host 192.168.1.3 eq 88 any (hitcnt=809)
conduit permit udp host 192.168.1.3 eq netbios-ns any (hitcnt=4)
conduit permit icmp host 192.168.1.3 any echo (hitcnt=1778)
conduit permit tcp host 192.168.1.3 eq 445 any (hitcnt=767)
conduit permit tcp host 192.168.1.3 eq 135 any (hitcnt=4977)
conduit permit tcp host 192.168.1.3 eq 389 any (hitcnt=481)
conduit permit tcp host 192.168.1.3 eq 1026 any (hitcnt=413)
conduit permit tcp host 192.168.1.3 eq 139 any (hitcnt=46)
conduit permit udp host 192.168.1.3 eq netbios-dgm any (hitcnt=0)
conduit permit tcp host 192.168.1.2 eq 3389 any (hitcnt=16)
conduit permit udp host 192.168.1.3 eq ntp any (hitcnt=20)
conduit permit udp host 192.168.1.2 eq ntp any (hitcnt=1)
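The "permit everything, then read sh conn" approach suggested earlier in this thread can be turned into a repeatable check against a conduit list like the one above. The following script is an added example, not code from the original posts or from Cisco: it parses `show conduit` lines of the shape `conduit permit tcp|udp host X eq PORT any`, parses `show conn` lines in the PIX 6.x layout (assumed here to be `TCP out A:p in B:q ...`), treats the "in" endpoint as the server because the domain controllers sit on the inside interface, and reports which (protocol, host, port) combinations clients actually used that no conduit permits. The `show conn` sample is constructed for illustration; the conduit excerpt mirrors lines from the post above.

```python
import re

# Constructed 'show conduit' excerpt; these lines mirror the ones posted above.
CONDUIT_OUTPUT = """\
conduit permit udp host 192.168.1.2 eq 389 any (hitcnt=1699)
conduit permit udp host 192.168.1.2 eq 88 any (hitcnt=943)
conduit permit udp host 192.168.1.2 eq netbios-ns any (hitcnt=1012)
conduit permit tcp host 192.168.1.2 eq 445 any (hitcnt=220)
conduit permit tcp host 192.168.1.2 eq 135 any (hitcnt=4880)
conduit permit tcp host 192.168.1.2 eq 389 any (hitcnt=121)
conduit permit tcp host 192.168.1.2 eq 1026 any (hitcnt=1007)
conduit permit tcp host 192.168.1.2 eq 139 any (hitcnt=640)
"""

# Constructed 'show conn' sample (assumed PIX 6.x layout). The 'in' endpoint is the
# inside server (the DC at 192.168.1.2); the 'out' endpoint is a Windows 2000 client.
SHOW_CONN_OUTPUT = """\
TCP out 172.16.5.20:1055 in 192.168.1.2:445 idle 0:00:02 Bytes 18231 flags UIO
TCP out 172.16.5.20:1056 in 192.168.1.2:135 idle 0:00:01 Bytes 912 flags UIO
TCP out 172.16.5.20:1057 in 192.168.1.2:1029 idle 0:00:01 Bytes 4410 flags UIO
TCP out 172.16.5.20:1058 in 192.168.1.2:88 idle 0:00:00 Bytes 2203 flags UIO
UDP out 172.16.5.20:1059 in 192.168.1.2:88 idle 0:00:03 flags -
UDP out 172.16.5.20:1060 in 192.168.1.2:53 idle 0:00:00 flags -
TCP out 172.16.5.20:1061 in 192.168.1.2:389 idle 0:00:05 Bytes 3300 flags UIO
"""

# PIX port keywords that may appear in place of a number in a conduit statement.
PIX_PORT_NAMES = {
    "domain": 53, "www": 80, "ntp": 123, "netbios-ns": 137,
    "netbios-dgm": 138, "netbios-ssn": 139, "ldap": 389,
}

# Service labels used only to annotate the report (well-known Windows 2000 ports).
SERVICE_LABELS = {53: "dns", 88: "kerberos", 135: "rpc endpoint mapper",
                  137: "netbios-ns", 139: "netbios-ssn", 389: "ldap", 445: "smb"}

CONDUIT_RE = re.compile(r"^conduit permit (tcp|udp) host (\S+) eq (\S+) any\b")
CONN_RE = re.compile(r"^(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+)")


def port_number(token):
    """Resolve a numeric port or a PIX port keyword to an integer."""
    if token.isdigit():
        return int(token)
    if token in PIX_PORT_NAMES:
        return PIX_PORT_NAMES[token]
    raise ValueError(f"unknown PIX port keyword: {token}")


def parse_conduits(text):
    """Return a set of (proto, host, port) for 'host X eq PORT any' conduits.
    ICMP conduits and other shapes are skipped; they do not open TCP/UDP ports."""
    rules = set()
    for line in text.splitlines():
        m = CONDUIT_RE.match(line.strip())
        if m:
            proto, host, port = m.groups()
            rules.add((proto, host, port_number(port)))
    return rules


def parse_conns(text):
    """Return a list of (proto, server_ip, server_port) from 'show conn' lines,
    taking the 'in' endpoint as the server side."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            proto, _out_ip, _out_port, in_ip, in_port = m.groups()
            conns.append((proto.lower(), in_ip, int(in_port)))
    return conns


def missing_conduits(conduit_text, conn_text):
    """Sorted (proto, host, port) tuples seen in connections but permitted by no conduit."""
    have = parse_conduits(conduit_text)
    need = set(parse_conns(conn_text))
    return sorted(need - have)


def to_conduit_line(proto, host, port):
    """Render a tuple back into the conduit syntax used on this PIX."""
    return f"conduit permit {proto} host {host} eq {port} any"


if __name__ == "__main__":
    for proto, host, port in missing_conduits(CONDUIT_OUTPUT, SHOW_CONN_OUTPUT):
        label = SERVICE_LABELS.get(port, "dynamic/unknown")
        print(f"{to_conduit_line(proto, host, port)}    ! {label}")
```

Two caveats a practitioner would apply to the output. A port such as 1029 is a dynamic RPC endpoint: Windows 2000 assigns these above 1024 at service start, so a conduit for one fixed high port (like the 1026 entry in the list above) only works while the service happens to land on that port, and the candidate line the script prints for it should not be taken as a stable rule. And a one-off capture only shows the ports clients happened to hit during the capture; Kerberos, for instance, uses UDP 88 by default and retries over TCP 88 only when the response is too large, so the capture has to cover a login that triggers that path before you trust the resulting rule set.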
05-15-2002 09:23 AM
jmondaca,
Have you figured out a solution to your problem? If yes, can you share your experiences with us? Thank you.
--Majid