05-23-2006 01:25 PM - edited 02-20-2020 09:37 PM
HELP REQUIRED

Can anybody advise me on what ports I will need to open on a PIX firewall that will allow me to join a computer that resides off a DMZ interface (security level 50) to a domain whose domain controller resides off an inside interface (security level 100)?

The domain controller (server-3) is running Active Directory integrated DNS.

The config I have set up is this:
access-list 102 permit udp host 192.168.2.2 host 192.168.1.2 eq 53
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 3268
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 88
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 389
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 464
static (inside,dmz) 192.168.1.2 192.168.1.2
access-group 102 in interface dmz
With the above config, when I try to join the DMZ-based computer to the domain I get the following reply:

dns was successfully queried for the service location (srv) resource record used to locate a domain controller for domain acme.com
the query was for the srv record _ldap._tcp.dc._msds.acme.com
the following domain controllers were identified by the query
server-3.acme.com

It then tells me that a domain controller for acme.com could not be contacted.

I'm pretty sure I have missed something out when configuring the firewall, as clients residing on the same subnet as the domain controller/DNS server can join the domain with no problems.

Any help that anybody can give me will be greatly appreciated.

Melvyn Brown
05-23-2006 01:36 PM
Hello,
you could install a packet analyzer like ethereal (freeware) and trace the packets sent. Then you can open the required ports one by one until you get everything up and running. Or you install ethereal on a test machine, place it in the server LAN, trace the successful join and check all ports needed.
Regards, Martin
05-23-2006 10:18 PM
Hi,
In case you use Microsoft Active Directory (AD) as your domain controller, open TCP 445 from DMZ to Inside. AD uses TCP 45.
Or, you can see details on the ports used by the client to join your domain by permitting the client IP to access the Domain Controller IP via any service using an ACL - permit the specific DMZ client IP to the AD server with TCP/UDP service 'any any', e.g.:
access-list 100 permit tcp host
access-list 100 permit udp host
access-group 100 in interface DMZ.
Note:
Make sure you have proper address mapping between DMZ and Inside subnet, or specific for Domain Controller.
If this is successful, check which specific TCP or UDP ports were used for the session/connection:
sh conn | i
Rgds,
AK
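As an added example (not part of either reply), the "permit any, then read the connection table" method above can be scripted: feed it the original post's ACL lines and the firewall's connection output for the DMZ host and the domain controller, and it prints the ACL entries still missing. The `show conn` line layout (`PROTO out IP:PORT in IP:PORT ...`) and the sample lines themselves are constructed assumptions, not real firewall output.

```python
import re

# ACL lines from the original post (what is currently permitted DMZ -> inside).
EXISTING_ACL = """
access-list 102 permit udp host 192.168.2.2 host 192.168.1.2 eq 53
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 3268
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 88
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 389
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 464
"""

# Constructed sample of 'show conn' output captured during a domain join.
# Assumed layout: PROTO out <addr:port> in <addr:port> idle ... flags ...
SAMPLE_SHOW_CONN = """
TCP out 192.168.2.2:1061 in 192.168.1.2:445 idle 0:00:02 Bytes 18234 flags UIO
TCP out 192.168.2.2:1062 in 192.168.1.2:135 idle 0:00:01 Bytes 1440 flags UIO
TCP out 192.168.2.2:1063 in 192.168.1.2:1026 idle 0:00:00 Bytes 3920 flags UIO
UDP out 192.168.2.2:1064 in 192.168.1.2:88 idle 0:00:01 flags -
UDP out 192.168.2.2:1065 in 192.168.1.2:389 idle 0:00:03 flags -
TCP out 192.168.2.2:1066 in 192.168.1.2:389 idle 0:00:00 Bytes 610 flags UIO
TCP out 192.168.2.2:1067 in 192.168.1.2:88 idle 0:00:00 Bytes 2210 flags UIO
"""

CONN_RE = re.compile(r"^(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+)")
ACL_RE = re.compile(r"^access-list \S+ permit (tcp|udp) host (\S+) host (\S+) eq (\d+)$")

def parse_acl(text):
    """Return the set of (proto, src, dst, port) tuples already permitted."""
    permitted = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            permitted.add((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return permitted

def observed_flows(text, client, server):
    """Sorted (proto, server_port) pairs seen between client and server."""
    flows = set()
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        ends = {m.group(2): int(m.group(3)), m.group(4): int(m.group(5))}
        if client in ends and server in ends:   # direction-agnostic match
            flows.add((m.group(1).lower(), ends[server]))
    return sorted(flows)

def missing_acl_lines(conn_text, acl_text, client, server, acl_name="102"):
    """ACL entries for observed flows that the existing ACL does not cover.
    High-numbered TCP ports (e.g. 1026) are RPC dynamic ports: they change per
    connection, so they point at a port range to permit, not a single port."""
    permitted = parse_acl(acl_text)
    return [f"access-list {acl_name} permit {proto} host {client} host {server} eq {port}"
            for proto, port in observed_flows(conn_text, client, server)
            if (proto, client, server, port) not in permitted]
```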