
access-list tcp/udp ports

melvynbrown
Level 1

HELP REQUIRED

Can anybody advise me on what ports I will need to open on a PIX firewall that will allow me to join a computer that resides off a DMZ interface (security level 50) to a domain whose domain controller resides off an inside interface (security level 100)?

The domain controller (server-3) is running Active Directory integrated DNS.

The config I have set up is this:

access-list 102 permit udp host 192.168.2.2 host 192.168.1.2 eq 53
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 3268
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 88
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 389
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 464
static (inside,dmz) 192.168.1.2 192.168.1.2
access-group 102 in interface dmz

With the above config, when I try to join the DMZ-based computer to the domain I get the following reply:

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain acme.com. The query was for the SRV record _ldap._tcp.dc._msds.acme.com. The following domain controllers were identified by the query: server-3.acme.com

It then tells me that a domain controller for acme.com could not be contacted.

I'm pretty sure I have missed something out when configuring the firewall, as clients residing on the same subnet as the domain controller/DNS server can join the domain with no problems.

Any help that anybody can give me will be greatly appreciated.

Melvyn Brown
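The access-list in the question permits only five ports, and a Windows domain join uses more than that (SMB on TCP 445, the RPC endpoint mapper on TCP 135 plus a dynamic RPC port, Kerberos and LDAP over UDP as well as TCP). The script below is an added example, not something posted in this thread: it parses the ACL lines exactly as melvyn wrote them and reports which ports from Microsoft's published AD port list are still not permitted. The RPC dynamic range (TCP 49152-65535, the default on Windows Server 2008 and later; older releases used 1025-5000) is an assumption in the script, and the check deliberately ignores the source and destination hosts since every posted line already names the same pair.

```python
# Added example (not from the original post): find the domain-join ports that a
# posted PIX access-list does not permit.
import re
from typing import Dict, List, Tuple

# Constructed copy of the access-list lines from the question above.
POSTED_ACL = """
access-list 102 permit udp host 192.168.2.2 host 192.168.1.2 eq 53
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 3268
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 88
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 389
access-list 102 permit tcp host 192.168.2.2 host 192.168.1.2 eq 464
"""

# (proto, port) -> what a joining client uses it for (Microsoft AD port list).
REQUIRED_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 53): "DNS (SRV lookup for the DC locator)",
    ("tcp", 53): "DNS (responses that do not fit in a UDP datagram)",
    ("udp", 88): "Kerberos authentication",
    ("tcp", 88): "Kerberos authentication",
    ("udp", 123): "NTP time sync (Kerberos clock skew)",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 389): "LDAP (CLDAP DC ping)",
    ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB (Netlogon / SAM-R secure channel setup)",
    ("udp", 464): "Kerberos password change",
    ("tcp", 464): "Kerberos password change",
    ("tcp", 3268): "LDAP global catalog",
}
# Assumption: default dynamic RPC range on Windows Server 2008 and later.
RPC_DYNAMIC = ("tcp", 49152, 65535)

# access-list <id> permit <proto> host <src> host <dst> [eq <p> | range <lo> <hi>]
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(tcp|udp)\s+host\s+(\S+)\s+host\s+(\S+)"
    r"(?:\s+(eq\s+(\d+)|range\s+(\d+)\s+(\d+)))?\s*$"
)


def parse_acl(text: str) -> List[Tuple[str, str, str, int, int]]:
    """Return (proto, src, dst, low_port, high_port) for each permit line.
    A line with no port qualifier permits every port (1-65535)."""
    rules = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # not a host-to-host tcp/udp permit; ignored here
        proto, src, dst = m.group(1), m.group(2), m.group(3)
        if m.group(5):
            low = high = int(m.group(5))
        elif m.group(6):
            low, high = int(m.group(6)), int(m.group(7))
        else:
            low, high = 1, 65535
        rules.append((proto, src, dst, low, high))
    return rules


def permitted(rules, proto: str, port: int) -> bool:
    """True if any parsed rule permits this protocol/port (hosts not checked)."""
    return any(p == proto and lo <= port <= hi for p, _, _, lo, hi in rules)


def missing_ports(text: str) -> Dict[str, str]:
    """Map 'proto/port' -> purpose for each required port the ACL does not permit."""
    rules = parse_acl(text)
    gaps = {f"{p}/{port}": why
            for (p, port), why in REQUIRED_PORTS.items()
            if not permitted(rules, p, port)}
    proto, lo, hi = RPC_DYNAMIC
    if not all(permitted(rules, proto, port) for port in (lo, hi)):
        gaps[f"{proto}/{lo}-{hi}"] = "RPC dynamic ports (Netlogon / SAM-R over RPC)"
    return gaps


if __name__ == "__main__":
    for key, why in sorted(missing_ports(POSTED_ACL).items()):
        print(f"missing {key:18} {why}")
```

Run against the posted lines it reports TCP 445, TCP 135, the RPC dynamic range, TCP 53, UDP 88, UDP 389, UDP 464 and UDP 123 as absent. The dynamic RPC range is the awkward one on a PIX, which has no RPC endpoint-mapper inspection: either permit the range statically or pin the DC's RPC ports on the server side so a narrower rule suffices.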

3 Replies

mheusinger
Level 10

Hello,

You could install a packet analyzer like Ethereal (freeware) and trace the packets sent. Then you can open the required ports one by one until you get everything up and running. Or you could install Ethereal on a test machine, place it in the server LAN, trace a successful join and check all the ports needed.

Regards, Martin

a.kiprawih
Level 7

Hi,

If you use Microsoft Active Directory (AD) as your domain controller, open TCP 445 from DMZ to Inside. AD uses TCP 445.

Or, you can see the details of the ports the client uses to join your domain by permitting the client IP to access the Domain Controller IP for any service via an ACL: permit the specific DMZ client IP to the AD server with TCP/UDP service 'any', e.g.:

access-list 100 permit tcp host <dmz-client-ip> host <dc-ip>
access-list 100 permit udp host <dmz-client-ip> host <dc-ip>
access-group 100 in interface DMZ

Note:

Make sure you have proper address mapping between the DMZ and Inside subnets, or specifically for the Domain Controller.

If this is successful, check which specific TCP or UDP ports were used for the session/connection:

sh conn | i <dmz-client-ip>

Rgds,

AK
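AK's method is open everything between the two hosts, do one join, read `show conn`, then write the narrow rules from what was actually used. The script below is an added example and is not part of the thread: it parses `show conn` output and emits the per-port access-list lines that replace the wide-open test ACL. The sample output is constructed for the example in the PIX 6.x `show conn` layout (`TCP out <server>:<port> in <client>:<port> ...`); the ACL number 102 and the RPC dynamic range (TCP 49152-65535, Windows Server 2008 and later) are assumptions.

```python
# Added example (not from the thread): build a narrow PIX ACL from the
# connections observed in "show conn" while a test-only "permit any" ACL was in place.
import re
from typing import List, Set, Tuple

# Constructed sample in PIX 6.x "show conn" layout; not captured from a real device.
SAMPLE_SHOW_CONN = """\
TCP out 192.168.1.2:445 in 192.168.2.2:1042 idle 0:00:03 Bytes 2345 flags UIO
TCP out 192.168.1.2:135 in 192.168.2.2:1043 idle 0:00:02 Bytes 620 flags UIO
TCP out 192.168.1.2:49155 in 192.168.2.2:1044 idle 0:00:01 Bytes 1840 flags UIO
TCP out 192.168.1.2:389 in 192.168.2.2:1045 idle 0:00:05 Bytes 3012 flags UIO
UDP out 192.168.1.2:88 in 192.168.2.2:1046 idle 0:00:01 flags -
UDP out 192.168.1.2:53 in 192.168.2.2:1047 idle 0:00:09 flags -
UDP out 192.168.1.2:53 in 192.168.2.2:1048 idle 0:00:07 flags -
"""

CONN_RE = re.compile(r"^(TCP|UDP)\s+out\s+(\S+):(\d+)\s+in\s+(\S+):(\d+)")
RPC_DYNAMIC = (49152, 65535)  # assumption: default dynamic RPC range, Server 2008+


def parse_conns(text: str) -> Set[Tuple[str, str, str, int]]:
    """Distinct (proto, client, server, server_port) tuples seen in the output.
    The client's ephemeral source port is dropped; it is not worth a rule."""
    seen = set()
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        proto = m.group(1).lower()
        server, server_port, client = m.group(2), int(m.group(3)), m.group(4)
        seen.add((proto, client, server, server_port))
    return seen


def build_acl(text: str, acl_id: str = "102") -> List[str]:
    """One permit line per observed service port. TCP ports inside the dynamic
    RPC range are folded into a single range rule, because the next join will
    land on a different port in that range, not the one seen this time."""
    lines = []
    rpc_pairs = set()
    for proto, client, server, port in sorted(parse_conns(text)):
        if proto == "tcp" and RPC_DYNAMIC[0] <= port <= RPC_DYNAMIC[1]:
            rpc_pairs.add((client, server))
            continue
        lines.append(f"access-list {acl_id} permit {proto} host {client} host {server} eq {port}")
    for client, server in sorted(rpc_pairs):
        lines.append(f"access-list {acl_id} permit tcp host {client} host {server} "
                     f"range {RPC_DYNAMIC[0]} {RPC_DYNAMIC[1]}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE_SHOW_CONN)))
```

Two caveats when using this for real: capture `show conn` during the join itself, since idle entries age out, and run it for a first logon as well as the join, because logon touches services (e.g. the global catalog on TCP 3268) that the join alone may not.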