cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
438
Views
0
Helpful
2
Replies

XP client in DMZ wants to access file share on inside interface

rgnwcco
Level 1
Level 1

I have a Windows XP PC on a PIX 525 DMZ that requires to access a share on a File server that is on the inside interface. The authentication is to a Windows 2003 Active Directory DC on the inside.

Which ports should I open?

Is it possible to create a single service group with all these ports, such that I can reduce the number of lines in the ASDM?

2 Replies 2

nkhawaja
Cisco Employee
Cisco Employee

you need to open up ports for netbios traffic e.g.

tcp 139, 137, 135

see this link

http://www.cisco.com/warp/public/110/pixfaq.shtml

Q. I need to allow my users access to shared folders on my NT Domain from remote locations. How do I do this?

A. Microsoft's NetBios protocol allows file and printer sharing. Enabling NetBios across the Internet does not meet the security requirements of most networks. Further, NetBios is difficult to configure using NAT. While Microsoft makes this more secure using encrypted technologies, which work seamlessly with the PIX, it is possible to open the necessary ports.

In brief, you will need to set static translations for ALL hosts requiring access and conduits (or access lists in PIX Software 5.0.x and later) for TCP ports 135 and 139 and UDP ports 137 and 138. You must either use a WINS server to resolve the translated addresses to NetBios names or local properly configured LMHOSTS file on all your remote client machines. If using WINS, each and every host must have a static WINS entry for BOTH the local and translated addresses of the hosts being accessed. Using LMHOSTS should have both as well, unless your remote users are never connected to your inside network (for example, laptop computers). Your WINS server must be accessible to the Internet with the static and conduit commands and your remote hosts must be configured to point at this WINS server. Finally, Dynamic Host Configuration Protocol (DHCP) leases must be set to never expire, or better yet, statically configure the IP addresses on the hosts needing to be accessed from the Internet.

A safer and more secure way to do this is to configure either Point-to-Point Tunneling Protocol (PPTP) or IPSec encryption. Consult with your network security and design specialists for further details on the security ramifications.

Thanks for your note.

I have already opened the above mentioned ports, but they don't seem to be sufficent. I keep getting authentication failures. I think it is because I have a Win2003 Active Directory on the inside and I'm running DNS. Do I have to open all the Kerberos, LDAP, DNS and SMB ports also to my domain controllers?

Also, Can I put all the TCP ports and UDP ports in a single service group such that I need to add only one

single access rule in my configuration.