WIN2K/NT Share Access Traffic Across Different Interface

li.simon
Level 1

Dear Sir,

We have a PIX 525 Firewall. Both inbound and outbound traffic works fine for Web access for users on all 4 interfaces. I have the following questions:

1. How to configure the PIX for users on a higher-security interface to access a WIN2K/NT share on a lower-security interface? Same question from a lower-security interface to a higher-security interface?

2. How to configure the PIX so that different NT domains on different interfaces can trust each other? (from the high-security to the low-security interface and from the low-security to the high-security interface). Same question for a user mapping a drive letter to a server on a different interface.

Thank you very much for your help.

Simon

2 Replies

Nairi Adamian
Cisco Employee

This sample configuration should help:

http://www.cisco.com/warp/public/110/pixnetbios.html

Regards,

-Nairi

Thank you very much, Nairi. The above link is very helpful and is the one that I am looking for. But I need more help from you to make it work. Below are my questions:

1. We have 4 interfaces. Users and workstations on the Inside interface (higher security) are on NT Domain A and need to map a drive letter (and access a shared folder) on a server in Domain B, which is on the Intf2 interface (lower security). How do I configure the PIX to establish a two-way trust between Domain A and Domain B on the Inside and Intf2 interfaces? I have the following config for users at Intf2 to access Inside. IP 192.168.3.109 on the Inside interface is the Domain Controller with WINS and DNS installed.

static (inside, intf2) 192.168.2.205 192.168.3.109 netmask 255.255.255.255
access-list acl_intf2 permit udp any host 192.168.2.205 eq 137
access-list acl_intf2 permit udp any host 192.168.2.205 eq 138
access-list acl_intf2 permit tcp any host 192.168.2.205 eq 139
access-list acl_intf2 permit udp any host 192.168.2.205 eq 53
access-list acl_intf2 permit tcp any host 192.168.2.205 eq 53
access-group acl_intf2 in interface intf2

The following config is for users and workstations at Inside to access Intf2:

nat (inside) 1 0 0
global (intf2) 1 192.168.2.210-192.168.2.250 netmask 255.255.255.0
global (intf2) 1 192.168.2.251 netmask 255.255.255.0

The test result is that users at Inside cannot map a drive letter (and access a shared folder) on the server on Intf2. Same problem from Intf2 to Inside. But we have a configuration on the PIX for users at Inside & Outside to access the Web server on Intf2. This is working fine.

2. Do you need to open the Netlogon port UDP 138, the NetBIOS port UDP 137 and the shared-folder port TCP 139 for traffic from the Inside interface to the Intf2 interface? If yes, how to do it? To my knowledge, all ports and all traffic are wide open from a higher-security interface to a lower-security interface. All you need is the NAT & Global commands. Am I right?

I would much appreciate it if you could help me find the answer.

Many Thanks.

Simon
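The following is an added example, not part of the original thread or of the Cisco sample configuration linked above. It shows a PIX 6.x configuration for Windows file sharing and domain-trust traffic between the poster's Inside interface (security 100) and Intf2 (lower security), in both directions, reusing the addresses from the post (inside DC 192.168.3.109 translated to 192.168.2.205). The Domain B server address 192.168.2.20 on Intf2 is an assumed placeholder, as is the assumption that the Windows 2000 hosts use direct-hosted SMB on TCP 445 in addition to NetBIOS on 139.

```cisco
! Added example (not the poster's or Cisco's config). PIX 6.x syntax assumed.
! Inside = security 100, intf2 = lower security.
! 192.168.3.109 / 192.168.2.205 are from the post; 192.168.2.20 is an assumed
! placeholder for the Domain B server on intf2.

! ---- intf2 -> inside (low to high): static xlate plus an explicit ACL ----
! The PIX blocks low-to-high traffic by default, so every port the Windows
! clients on intf2 need toward the inside DC must be permitted here.
static (inside,intf2) 192.168.2.205 192.168.3.109 netmask 255.255.255.255

! Scope the source to the Domain B server (or its subnet) rather than "any":
! NetBIOS/SMB exposed to every host on the lower-security segment is the kind
! of access that should be narrowed as far as the trust relationship allows.
access-list acl_intf2 permit udp host 192.168.2.20 host 192.168.2.205 eq 137
! UDP 137  NetBIOS name service / WINS
access-list acl_intf2 permit udp host 192.168.2.20 host 192.168.2.205 eq 138
! UDP 138  NetBIOS datagram service (browser, NetLogon mailslots)
access-list acl_intf2 permit tcp host 192.168.2.20 host 192.168.2.205 eq 139
! TCP 139  NetBIOS session service (SMB over NetBIOS, NT4 style)
access-list acl_intf2 permit tcp host 192.168.2.20 host 192.168.2.205 eq 445
! TCP 445  direct-hosted SMB (Windows 2000; assumed in use here)
access-list acl_intf2 permit udp host 192.168.2.20 host 192.168.2.205 eq 53
access-list acl_intf2 permit tcp host 192.168.2.20 host 192.168.2.205 eq 53
! TCP/UDP 53  DNS on the inside DC
access-list acl_intf2 permit tcp host 192.168.2.20 host 192.168.2.205 eq 135
! TCP 135  RPC endpoint mapper, needed for trust creation and NetLogon RPC;
! the RPC services it hands out then use dynamic high ports (see note below)
access-group acl_intf2 in interface intf2

! ---- inside -> intf2 (high to low): nat/global only ----
! High-to-low traffic is permitted by default, so no ACL is required unless
! one has already been applied inbound on the inside interface; only the
! translation is needed.
nat (inside) 1 0.0.0.0 0.0.0.0
global (intf2) 1 192.168.2.210-192.168.2.250 netmask 255.255.255.0
global (intf2) 1 192.168.2.251 netmask 255.255.255.0
```

Two caveats a practitioner would check before blaming the access list. First, the PIX only rewrites the IP header: the address the inside DC registers in WINS, and the source address carried inside NetBIOS datagrams, stays 192.168.3.109, so hosts on intf2 that learn the DC's address from WINS or browser traffic get one they cannot reach. A fixed LMHOSTS entry pointing at the translated address 192.168.2.205 on the Domain B server (and the reverse for the inside clients toward 192.168.2.20) removes name resolution from the list of suspects. Second, creating and using a two-way trust runs over MS-RPC, which negotiates dynamic ports through the endpoint mapper on TCP 135; PIX 6.x has no fixup that tracks those negotiations, so the usual choices are to pin the RPC port range on the domain controllers and permit that range low-to-high, or to accept a wider permit than the file-sharing ports alone. Connection drops for any of these ports show up in the PIX syslog (deny messages for acl_intf2), which is the quickest way to confirm whether the ACL or the Windows side is the problem.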