03-12-2007 01:20 PM - edited 03-11-2019 02:45 AM
I have a PIX 506E that is used by a public municipal agency to separate one internal LAN from another for security reasons. On the outside interface of the PIX is a less secure network (192.168.10.x) with a Windows 2003 Domain controller running DNS. We have installed another secondary domain controller for the same domain on the inside interface (172.23.16.x). Since both domain controllers are for the same domain we need to configure the firewall to allow the domains to talk to each other. The DNS server on the outside interface is 192.168.10.2 and the second DNS server on the inside interface is 172.23.16.7. Currently SMTP and WWW traffic is passing through with no problem. I have attached a sanitized running config to look at. I'm not sure where I am missing it but I have been unable to open the ports to get the two to talk together. Any help would be appreciated. Thanks
03-12-2007 01:31 PM
Hi ..
Please execute the following commands:
no static (inside,outside) 192.168.10.2 172.23.16.7 netmask 255.255.255.255 0 0
clear xlate local 172.23.16.7
clear xlate global 192.168.10.2
Hope that helps. Also let me know if we are talking about DNS replication over here? Or normal DNS queries not going through?
Regards,
Vibhor.
03-12-2007 01:40 PM
I'm trying to get DNS replication to take place between the outside DNS Server (192.168.10.2) and the inside server (172.23.16.7). I tried the commands you gave me and it didn't seem to work.
03-12-2007 01:45 PM
I think DNS replication should take place with Active Directory replication.
03-12-2007 01:51 PM
It's the DNS replication that I cannot get working. When I go to Active Directory Sites and Services and try to replicate to the other server it now tells me that the RPC server is unavailable.
03-12-2007 01:53 PM
Most likely it is attempting an RPC 135 connection on some random port.
03-12-2007 01:59 PM
I ran across this Microsoft article on setting some registry settings on both domain controllers to limit the number of ports RPC is using. Is this the only way to allow RPC traffic, or is there a better suggestion on how to do what I am trying to accomplish?
03-12-2007 02:37 PM
Before you get into stuff like that, which when dealing with the registry would never be my first choice, get some logging going on the PIX, try your replication and see exactly what is going on. No sense ruining your perfectly good domain controllers when you don't need to. Post up the logs.
03-12-2007 01:45 PM
If we are only talking about DNS zone transfers, it works on TCP (53), which is open on your PIX. However, if you are looking for WINS replication, for this we need to open port 42 (TCP and UDP). Are we only doing zone transfers or WINS replication also?
Is it possible to collect syslogs at the time you try to replicate?
Regards,
Vibhor.
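As an added example (not posted by anyone in this thread): a short Python script that takes the PIX syslog output Vibhor asks for and tallies which destination ports between the two domain controllers are being denied, so the replication requirement (the RPC endpoint mapper on TCP 135 plus the dynamic high ports Windows 2003 hands out, 1025-5000 by default) can be read off the logs instead of guessed. The log lines, the access-group name and the port numbers below are constructed for illustration, not captured from the poster's PIX.

```python
import re
from collections import Counter

# Constructed sample in the shape of PIX 6.x %PIX-4-106023 deny messages.
# Addresses match the thread; ports and the ACL name are made up.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:192.168.10.2/1029 dst inside:172.23.16.7/135 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:192.168.10.2/1030 dst inside:172.23.16.7/1025 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:192.168.10.2/1031 dst inside:172.23.16.7/1025 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:192.168.10.2/1032 dst inside:172.23.16.7/1027 by access-group "outside_access_in"
%PIX-4-106023: Deny udp src outside:192.168.10.2/389 dst inside:172.23.16.7/389 by access-group "outside_access_in"
%PIX-6-302013: Built inbound TCP connection 12 for outside:192.168.10.2/1033 (192.168.10.2/1033) to inside:172.23.16.7/53 (172.23.16.7/53)
"""

# One regex for the 106023 "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>" shape.
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def denied_ports(log_text, src, dst):
    """Count denied (proto, dst_port) pairs for one src -> dst pair; other
    message IDs (e.g. 302013 'Built ... connection') are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m["src"] == src and m["dst"] == dst:
            counts[(m["proto"], int(m["dport"]))] += 1
    return counts

def classify(counts):
    """Split denied ports into the RPC endpoint mapper (TCP 135), the default
    Windows 2003 dynamic RPC range (TCP 1025-5000), and everything else."""
    report = {"epm": [], "rpc_dynamic": [], "other": []}
    for (proto, port), n in sorted(counts.items()):
        if proto == "tcp" and port == 135:
            report["epm"].append((port, n))
        elif proto == "tcp" and 1025 <= port <= 5000:
            report["rpc_dynamic"].append((port, n))
        else:
            report["other"].append((proto, port, n))
    return report

if __name__ == "__main__":
    c = denied_ports(SAMPLE_LOG, "192.168.10.2", "172.23.16.7")
    for category, entries in classify(c).items():
        print(category, entries)
```

Denies piling up in the dynamic range after a successful 135 hit are the signature of the endpoint mapper handing out a port the ACL does not permit, which is exactly the situation the registry article in the thread is meant to narrow down.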