Opening Pix 506E to allow DNS for windows Domain Controller

Unanswered Question

I have a 506E that is used to separate an internal LAN segment from another LAN segment (it is a police department). The problem I am having is we set up a second domain controller on the other side of the PIX and need to open it up to allow DNS traffic to pass between both Windows 2003 servers. Both are running Active Directory. Any help on what is the best way to get the two domain controllers talking would be appreciated. Thanks

acomiskey Fri, 03/09/2007 - 16:55

This is probably the best Microsoft document I know of that explains in detail which ports are used by specific services on your Windows server. It should help you greatly. If you need more help, post up and I'm sure someone will help you out. It's hard to say how to get them talking as this could mean a lot depending upon what services are running etc. If it's just dns traffic of course you would need to allow udp 53.


http://support.microsoft.com/kb/832017

acomiskey Fri, 03/09/2007 - 17:10

If you could post up a sanitized config and a little topology we could get you started.

I have tried to config it myself but I am not an expert.


The topology is this.


There is a PIX 506E that separates two LAN segments to secure one part (a public service agency) from the other. The outside LAN segment is 192.168.10.x with a Windows 2003 domain server at 192.168.10.2. A second domain controller (172.23.16.7) was put on the inside LAN segment (172.23.16.x) to add redundancy and make the domain DNS more robust. I need the PIX to allow DNS traffic to move both ways between the domain controllers to ensure they are updating each other.


I didn't design the original network and just have to deal with someone else's idea. Anyway, here is an attached copy of my running config. Thanks.

acomiskey Fri, 03/09/2007 - 17:52

Which is supposed to be more secure 192.168.10 or 172.23.16?

acomiskey Fri, 03/09/2007 - 17:58

Firstly, the first line in your access-list is permit ip any any, so any other line below that is ignored as all traffic would match the first entry.

acomiskey Fri, 03/09/2007 - 18:05

Yes, if you remove that you could end up with a lot of stuff that doesn't work.

acomiskey Fri, 03/09/2007 - 18:04

Yes, it always starts at the top, works its way down until it finds a match; also there is an explicit "deny any any" that is always the last statement, which is not displayed.

Thanks for your help so far. It looks like I will have to pick up trying to figure this out on Monday. If you have any other suggestions I could look at, that would help. It's funny, I've got one e-mail from tech support and they didn't mention any of the things you did. You seemed to know more than the tech who e-mailed me. Thanks. I'll have to check out the replies when I return on Monday. Thanks again.

acomiskey Fri, 03/09/2007 - 18:29

Well, I don't know about that, but it appears you have most of the AD ports defined: LDAP, LDAPS, DNS, Kerberos, RPC, SMB, NetBIOS, etc. But with the first permit ip any any it defeats the purpose of a firewall, especially since you specifically want to secure the inside network.
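As an added illustration of the first-match behaviour acomiskey describes (this is not code from the thread or from Cisco), here is a small Python model of PIX-style access-list evaluation using the two domain controller addresses from the question. The ACL lines are constructed: the `access-list NAME` prefix of real PIX syntax is dropped, and TCP 53 is included alongside UDP 53 because DNS also uses TCP for large responses and zone transfers. It models one direction through one interface only; the PIX's stateful handling of reply traffic is not represented.

```python
import ipaddress

def _addr(tok, i):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Parse simplified lines '<permit|deny> <proto> <src> <dst> [eq <port>]'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append((action, proto, src, dst, port))
    # The PIX ends every list with an implicit deny that 'show run' never displays.
    rules.append(("deny", "ip", None, None, None))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """Return (action, rule_index) of the first rule that matches, top-down."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, rproto, rsrc, rdst, rport) in enumerate(rules):
        if rproto != "ip" and rproto != proto:
            continue
        if rsrc is not None and s not in rsrc:
            continue
        if rdst is not None and d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, idx

# Constructed ACL reproducing the thread's mistake: line 1 matches every packet,
# so the DNS-specific lines below it are never reached.
SHADOWED_ACL = """
permit ip any any
permit udp host 172.23.16.7 host 192.168.10.2 eq 53
permit tcp host 172.23.16.7 host 192.168.10.2 eq 53
"""

# Same intent with the blanket permit removed: only DC-to-DC DNS reaches a permit;
# everything else falls through to the implicit deny.
CORRECTED_ACL = """
permit udp host 172.23.16.7 host 192.168.10.2 eq 53
permit tcp host 172.23.16.7 host 192.168.10.2 eq 53
"""

def first_match(acl_text, proto, src, dst, dport):
    return evaluate(parse_acl(acl_text), proto, src, dst, dport)
```

Running `first_match(SHADOWED_ACL, "tcp", "10.0.0.9", "172.23.16.7", 23)` returns a permit from rule 0 for traffic that has nothing to do with DNS, while the corrected list denies it and still permits the DC-to-DC DNS flows.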
