Does anyone have a link to information on configuring the PIX to allow NT authentication from Windows clients to Windows 2000 AD? We are looking to create a secure connection to a business partner which will also be installing a PIX. They are physically located where we can connect them with a crossover cable. We are both planning to have outbound any any rules but would like to have the ability to authenticate to each other's domains. There is currently a trust between the two domains and no firewalls in place. We would like to control inbound access to our network resources. Any help appreciated.
What do you mean by outbound any any rules? You are expecting to block only on the inbound?
You need to fully describe the architecture. Are both domains AD, or is one? What client OSes? Are you using WINS (if so, you need to track down the WINS replication ports, tcp 42 IIRC)?
To start, you will need 135-139, 445 open for tcp and udp for Windows file sharing and auth to work. Depending on the state of the win2k rollout, you might need to open up global catalog ports, ldap (tcp 389), kerberos (88 tcp/udp), etc.
For what it is worth, implementing a trust between two orgs is an enormous security commitment. If I had to do such a thing, I would spend a lot of time worrying about the security of the servers and desktops at the machine level, more so than the network level. To have the trust work at the network level requires opening a ton of ports, so to get good granular security, you need to work on the actual boxes.
I would strongly consider subnetting or isolating desktop machines. There really should be no reason that corp A's desktops need to talk to corp B's desktops. By blocking all such commo, you can reduce the risk of spreading worms, virii, etc.
As part of the trust agreement, each org should get a test account in the remote domain. This should be a regular user account. You should spend a lot of time with this user account trying to see what you can access with it in your own organization.
Nice high-level overview of what ports and services do what.
Hope this helps.
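As an added example (not from any poster in this thread), here is what the inbound side of that advice might look like in PIX 6.x syntax, combining the port list from the reply above with its suggestion to keep partner desktops away from your own desktops: only the partner's domain controller and its user subnet may reach your domain controller, on the listed ports, and everything else arriving on the partner interface is dropped. All addresses, the interface name `partner`, the ACL names and the host roles are constructed assumptions; lines beginning with `!` are explanatory comments, not PIX commands, and should be dropped when pasting.

```cisco
! Assumed topology (constructed):
!   our inside network     10.1.0.0/16, our domain controller 10.1.0.10,
!   our desktop subnet     10.1.1.0/24
!   crossover link         172.16.0.0/30 (our PIX .1, partner PIX .2)
!   partner LAN            192.168.50.0/24, partner domain controller 192.168.50.10

! Interface facing the partner PIX over the crossover cable
nameif ethernet1 partner security50
ip address partner 172.16.0.1 255.255.255.252
route partner 192.168.50.0 255.255.255.0 172.16.0.2 1

! No address translation between the two private networks:
! identity static lets partner hosts reach inside, nat 0 exempts our outbound traffic
static (inside,partner) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

! Inbound from the partner: DC-to-DC traffic for the trust
access-list partner_in remark partner DC to our DC - RPC endpoint mapper / NetBIOS / SMB
access-list partner_in permit tcp host 192.168.50.10 host 10.1.0.10 range 135 139
access-list partner_in permit udp host 192.168.50.10 host 10.1.0.10 range 135 139
access-list partner_in permit tcp host 192.168.50.10 host 10.1.0.10 eq 445
access-list partner_in remark partner DC to our DC - Kerberos and LDAP
access-list partner_in permit tcp host 192.168.50.10 host 10.1.0.10 eq 88
access-list partner_in permit udp host 192.168.50.10 host 10.1.0.10 eq 88
access-list partner_in permit tcp host 192.168.50.10 host 10.1.0.10 eq 389
access-list partner_in remark WINS replication - only if WINS is in use between the domains
access-list partner_in permit tcp host 192.168.50.10 host 10.1.0.10 eq 42

! Partner workstations authenticating to our DC so the trust is usable, still DC-only
access-list partner_in permit tcp 192.168.50.0 255.255.255.0 host 10.1.0.10 eq 88
access-list partner_in permit udp 192.168.50.0 255.255.255.0 host 10.1.0.10 eq 88
access-list partner_in permit tcp 192.168.50.0 255.255.255.0 host 10.1.0.10 range 135 139
access-list partner_in permit udp 192.168.50.0 255.255.255.0 host 10.1.0.10 range 135 139
access-list partner_in permit tcp 192.168.50.0 255.255.255.0 host 10.1.0.10 eq 445
access-list partner_in permit tcp 192.168.50.0 255.255.255.0 host 10.1.0.10 eq 389

! Partner desktops never reach our desktop subnet, and nothing else is allowed in
access-list partner_in deny ip any 10.1.1.0 255.255.255.0
access-list partner_in deny ip any any
access-group partner_in in interface partner
```

Traffic from the higher-security inside interface toward the partner is permitted by default once the nat 0 exemption is in place, which matches the "outbound any any" the original poster describes; the partner would mirror this ACL on their PIX with the roles swapped. Note that Windows RPC-based services negotiate additional ephemeral ports through the endpoint mapper on tcp 135, so after applying a DC-only list like this one, exercise the trust with the low-privilege test account suggested in the reply above and widen the list only for the specific traffic that the logs show being dropped.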
How are the two domains connected now? Through a router, VLANs, etc.? Tight NTFS permissions and group policy may be a better answer, unless you only want to allow certain IP addresses and ports through the firewall. If there is an existing router between the domains, you may be able to configure ACLs on the router without adding the extra expense of a PIX.