Add Domain COntroller through Site to Site Tunnel

anorton200
Level 1

I have a site-to-site tunnel between a PIX 506E and a PIX 515E that goes between two locations. I can see each side via IP and can connect to each side with PCAnywhere etc. The problem I am having is attaching computers or servers to the domain from the remote location. I keep getting "RPC is Unavailable". I am running version 7.0.(1)5 here on the PIX 515E. Does anyone have any ideas on how I can allow or pass traffic to allow these machines to connect and replicate?

Any and all help is much appreciated.

Thanks

Aaron

9 Replies

noonanac
Level 1

Hi Aaron,

I would consider specifying exact ACLs allowing the ports used, such as 138 and 139 for NetBIOS and so on (I cannot remember any other Windows ports used), or specifying an ACL allowing all IP between the two groups.

Regards,

Andrew.

Andrew,

I am a little new at the PIX. Can you tell me how I can accomplish that?

Thanks!

Aaron

Hi Aaron,

I really doubt this is related to your access-lists.

Normally, all traffic that is protected by the tunnel is allowed to pass through with the "sysopt connection permit-ipsec" command (it bypasses the access-lists).

You also said that you were able to access the server via PC Anywhere; is that using the private address or a public address? If it is with the public address, try with the private address to make sure the traffic is actually going through your VPN tunnel.

Another thing might be that one end of the tunnel has several subnets, and you forgot to protect that subnet on which your domain controller is?

- Alex

I was accessing the NAT'd IP address on the other side, so I know the tunnel works. I also see under IPsec rules it says protect my LAN (PIX side) and Offsite (remote side), service is IP.

Any ideas?

Could you provide us with your PIX's configuration? It would help greatly in determining the cause of your problem.

Let me try this.

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host X.X.X.X7 eq smtp
access-list outside_access_in extended permit tcp any host X.X.X.X eq smtp
access-list outside_access_in extended permit udp any host X.X.X.X51 eq 2233
access-list outside_access_in extended permit udp object-group BOS host X.X.X.X51 range 10025 10027
access-list outside_access_in extended permit icmp host BOSwubos any
access-list outside_access_in extended permit udp host BOSwubos any eq snmp
access-list outside_access_in extended permit udp host ThomsonOne X.X.X.X 255.255.255.0 eq 4900
access-list outside_access_in extended permit tcp object-group BOS any object-group BOS-mgmt-tcp
access-list outside_access_in extended permit udp object-group BOS any object-group BOS-mgmt-udp
access-list outside_access_in extended permit tcp object-group BOS any eq pcanywhere-data
access-list outside_access_in extended permit tcp ecsbos 255.255.254.0 host X.X.X.X0 eq pcanywhere-data
access-list outside_access_in extended permit udp ecsbos 255.255.254.0 host X.X.X.X0 eq pcanywhere-status
access-list outside_access_in extended permit tcp ecsbos 255.255.254.0 host X.X.X.X1 eq pcanywhere-data
access-list outside_access_in extended permit udp ecsbos 255.255.254.0 host X.X.X.X1 eq pcanywhere-status
access-list outside_access_in extended permit tcp object-group C host X.X.X.X eq ssh
access-list outside_access_in extended permit tcp Net-SendIO 255.255.255.224 host X.X.X.X4 object-group SendIO
access-list outside_access_in extended permit tcp host BLPMDSGW host X.X.X.X eq 6464
access-list outside_access_in extended permit udp host ntp2. host X.X.X.X4 eq ntp
access-list outside_access_in extended permit udp Net-SendIO 255.255.255.224 host X.X.X.X4 object-group SendIO-UDP
access-list outside_access_in extended permit tcp BOS3 255.255.255.0 host X.X.X.X30 eq pop3
access-list outside_access_in extended permit tcp host advisorware host X.X.X.X0 eq pcanywhere-data
access-list outside_access_in extended permit udp host advisorware host X.X.X.X0 eq pcanywhere-status
access-list outside_access_in extended permit ip BOS2wells1 255.255.255.0 any
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended permit ip host smtp any
access-list dmz_access_in extended permit ip host C_dmz any
access-list dmz_access_in extended permit ip host p2prouter any
access-list dmz_access_in extended permit ip Chome X.X.X.X any
access-list dmz_access_in extended permit ip Chome X.X.X.X any
access-list dmz_access_in extended permit ip Chome X.X.X.X any
access-list dmz_access_in extended permit ip Chomeco X.X.X.X any
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp host C_dmz host C_LAN eq ssh
access-list dmz_access_in extended permit tcp host C_dmz host C_LAN eq ftp
access-list dmz_access_in extended permit tcp host SendIO host MAIL eq smtp
access-list dmz_access_in extended permit tcp host SendIO host BOS2DC2 eq 3268
access-list dmz_access_in extended permit udp host SendIO host BOS2DC2 eq 3268
access-list dmz_access_in extended permit tcp host SendIO host BOS2DC2 eq domain
access-list dmz_access_in extended permit udp host SendIO host BOS2DC2 eq domain
access-list dmz_access_in extended permit ip host SendIO any
access-list dmz_access_in extended permit ip host smtp_new any
access-list dmz_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip X.X.X.X 255.255.255.0 BOS2wells1 255.255.255.0
access-list outside_cryptomap_20 extended permit ip X.X.X.X 255.255.255.0 BOS2wells1 255.255.255.0
access-list inside_access_in extended permit ip X.X.X.X 255.255.255.0 any
access-list inside_access_in extended permit ip X.X.X.X 255.255.255.0 any

Here is some more:

static (inside,dmz) X.X.X.X X.X.X.X netmask 255.255.255.0
static (inside,outside) X.X.X.X BOS2FS netmask X.X.X.X
static (inside,outside) X.X.X.X BOS2SQL netmask X.X.X.X
static (inside,outside) X.X.X.X MAIL netmask X.X.X.X
static (dmz,outside) X.X.X.X7 smtp netmask X.X.X.X
static (inside,outside) X.X.X.X50 gigeswitch1 netmask X.X.X.X
static (inside,outside) X.X.X.X47 mvswitch netmask X.X.X.X
static (inside,outside) X.X.X.X51 netstructurevpn netmask X.X.X.X
static (dmz,outside) X.X.X.X C_dmz netmask X.X.X.X
static (inside,outside) X.X.X.X45 BOS2wells netmask X.X.X.X
static (inside,outside) X.X.X.X30 Audix netmask X.X.X.X
static (inside,outside) X.X.X.X31 definity-clan1 netmask X.X.X.X
static (inside,outside) X.X.X.X32 definity-clan2 netmask X.X.X.X
static (inside,outside) X.X.X.X33 definity-medpro netmask X.X.X.X
static (dmz,outside) X.X.X.X46 p2prouter netmask X.X.X.X
static (inside,dmz) X.X.X.X X.X.X.X netmask 255.255.255.0
static (inside,outside) X.X.X.X44 adtran netmask X.X.X.X
static (inside,outside) X.X.X.X0 Cserver netmask X.X.X.X
static (inside,outside) C_LAN C_LAN netmask X.X.X.X
static (inside,outside) X.X.X.X BES netmask X.X.X.X
static (dmz,outside) X.X.X.X4 SendIO netmask X.X.X.X
static (dmz,outside) X.X.X.X smtp_new netmask X.X.X.X
static (inside,outside) X.X.X.X BOS2DC2 netmask X.X.X.X
static (inside,outside) X.X.X.X BOS2DC1 netmask X.X.X.X
static (inside,outside) X.X.X.X1 BACKUP netmask X.X.X.X
static (inside,outside) X.X.X.X0 AW netmask X.X.X.X
static (inside,MV) X.X.X.X X.X.X.X netmask 255.255.255.0
static (MV,test) X.X.X.X X.X.X.X netmask 255.255.255.0
static (MV,dmz) X.X.X.X X.X.X.X netmask 255.255.255.0
static (inside,outside) X.X.X.X FS1 netmask X.X.X.X
static (inside,outside) X.X.X.X1 CDEVSQL netmask X.X.X.X
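Alex's point above (a subnet that the domain controller sits on but that the tunnel does not protect) can be checked mechanically against the two ACLs the posted config ties to the tunnel, inside_nat0_outbound and outside_cryptomap_20. The script below is an added example, not code from the thread or from Cisco; the addresses in SAMPLE_CONFIG are constructed (the real config masks them as X.X.X.X), and the DC is placed on a second inside subnet that is deliberately missing from both ACLs.

```python
import ipaddress
import re

# Constructed stand-in for the two PIX 7.x ACLs a site-to-site tunnel depends on:
# the NAT-exemption ACL (nat 0) and the crypto-map ACL. Only 10.1.1.0/24 is
# protected; the DC in this example lives on 10.1.5.0/24.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 any
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")

def parse_endpoint(tokens):
    """Consume one PIX address spec (any | host A | NET MASK) from a token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_permit_ip_rules(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' lines only."""
    rules = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src, rest = parse_endpoint(m.group(2).split())
        dst, _ = parse_endpoint(rest)
        rules.setdefault(m.group(1), []).append((src, dst))
    return rules

def covering_rule(rules, acl_name, host_ip, remote_net):
    """First rule in acl_name that carries host_ip to all of remote_net, else None."""
    host = ipaddress.ip_address(host_ip)
    remote = ipaddress.ip_network(remote_net)
    for src, dst in rules.get(acl_name, []):
        if host in src and remote.subnet_of(dst):
            return (src, dst)
    return None

def tunnel_gaps(config, host_ip, remote_net, nat0_acl, crypto_acl):
    """Names of the tunnel ACLs that do NOT cover host_ip -> remote_net."""
    rules = parse_permit_ip_rules(config)
    return [name for name in (nat0_acl, crypto_acl)
            if covering_rule(rules, name, host_ip, remote_net) is None]

if __name__ == "__main__":
    print(tunnel_gaps(SAMPLE_CONFIG, "10.1.5.10", "10.2.2.0/24",
                      "inside_nat0_outbound", "outside_cryptomap_20"))
```

Both ACLs need a matching entry: the crypto ACL decides what enters the tunnel, and the nat 0 ACL keeps the DC's address from being translated by its static (inside,outside) entry, since on PIX 7.x NAT exemption takes precedence over statics.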

Bump.

Thanks!

Still looking for help on this one.

Thanks

Aaron