Authenticating to Active Directory through DMZ

Unanswered Question
Jul 17th, 2007
User Badges:

I have a PIX 515e with 3 interfaces,


Inside (sec100) 10.0.10.1

DMZ (sec50) 10.0.20.4

Outside (sec0) 64.69.117.1


I have a server on the DMZ with RDP enabled, and from that server I can ping outside IPs by number, but not by name. I can ping the server itself from outside and inside fine as well. The server IP is 10.0.20.10.


I know I have an ACL problem, but I am afraid of opening up certain ports for fear of defeating the DMZ's purpose altogether. So I ask you all what I need to do :)


I am attaching my config.



Please let me know what I need to do to enable my servers on the DMZ to query the DNS servers on the inside network. Also please let me know what I need to do to get Active Directory logons working. Currently, when I try to log on to the server on the DMZ, it tells me that the system cannot log you on because the domain is not available. I assume port 389 needs to be opened on the DMZ ACL, but there may be others as well.


If you see any other problems, let me know. I will be moving all of the servers on this config to the DMZ once I get everything working properly.


Rob



acomiskey Tue, 07/17/2007 - 05:11
User Badges:
  • Green, 3000 points or more

This will get DNS working. If the DNS server is 10.0.10.100...


access-list dmz permit udp any host 10.0.10.100 eq domain

access-list dmz deny ip any 10.0.10.0 255.255.255.0

access-list dmz permit ip any any

access-group dmz in interface DMZ


edit: I'll edit this since your config is now posted.

thebrom Tue, 07/17/2007 - 05:24
User Badges:

OK, can you help explain that answer some, and what each entry accomplishes?


I mean, prior to you posting I had screwed up and placed access-list dmz permit tcp any host 10.0.10.100 eq domain


I forgot DNS is UDP; I am so burnt out right now. I understand that entry, but what is the purpose of the DENY entry and then the permit ip any any?


I assume the order has a lot of significance as well. At any rate, DNS is now working, but I am still getting denials on AD logon. This is really something I should know, as I am a CCSP, but there were no real details on the PIX exam regarding DNS configurations, and I need to get up to speed on this stuff so it is all second nature.


Thanks, Rob

acomiskey Tue, 07/17/2007 - 05:24
User Badges:
  • Green, 3000 points or more

Ok, now I can see your config.


access-list acl_dmz permit icmp any any

access-list acl_dmz permit udp any host <dns-server> eq domain

access-list acl_dmz permit tcp any host <domain-controller> eq ldap

access-list acl_dmz deny ip any 10.0.10.0 255.255.252.0

access-list acl_dmz permit ip any any

acomiskey Tue, 07/17/2007 - 05:29
User Badges:
  • Green, 3000 points or more

The acl for the dmz is written in a particular order. You want to...


1. Permit what you need from DMZ hosts to inside hosts (DNS, Active Directory ports, etc.)

2. Deny everything else from DMZ hosts to inside hosts.

3. Permit ip any any. (This allows DMZ access outbound, internet, etc.)


You may need more ports for the AD logon. Kerberos possibly, tcp 88.

thebrom Tue, 07/17/2007 - 05:38
User Badges:

OK, so when I open additional ports I need to put the permits above the deny that I have already entered?


I am not sure I understand what you're saying in regards to my ACL being written improperly; how should it look? I am lost with what you're saying about the source addresses, etc.

acomiskey Tue, 07/17/2007 - 05:46
User Badges:
  • Green, 3000 points or more

"OK, so when I open additional ports I need to put the permits above the deny that I have already entered?"


-Yes.


"I am not sure I understand what you're saying in regards to my ACL being written improperly; how should it look? I am lost with what you're saying about the source addresses, etc."


-Sorry, this may be my fault; it takes longer to figure out an ACL when it's using object groups, etc. Forget what I said. What you had originally allows any on the DMZ to public servers. Was this working?

thebrom Tue, 07/17/2007 - 05:54
User Badges:

Yes, I was able to get outbound pings to public IPs, just not public website names; now it is working with the DNS entry you supplied. Thanks for your help there!


Now I just need to get the darn logons to work. I hate to dual-home the servers; that would defeat the whole purpose of a DMZ, IMO.


I have LDAP opened in line 1 of the DMZ ACL, but maybe, like you said, there are others needed, although my syslog isn't showing much.


Although I do see this:


07-17-2007 09:52:32 Local4.Warning 10.0.10.1 Jul 17 2007 09:43:45: %PIX-4-106023: Deny udp src outside:207.190.222.91/389 dst dmz:SP2DMZPUB/1182 by access-group "acl_outside"


I think I need to open LDAP on the outside ACL?

acomiskey Tue, 07/17/2007 - 05:59
User Badges:
  • Green, 3000 points or more

I can't imagine why that would be needed, and it is probably a bad idea. Here are the ports I use for AD. You may not need them all, but they work for me...


tcp 389

udp 389

udp 53

tcp 53

tcp 88

udp 88

tcp 445

tcp 135

tcp 1025

tcp 636


Hope these help.
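
The following is an added example, not code from the thread or from either poster. It pulls together the ordering rule from the 05:29 post (specific permits first, then deny to the inside network, then permit ip any any) and the AD port list from the 05:59 post into one DMZ ACL, then replays sample flows through a small first-match evaluator that parses PIX access-list syntax, so the policy can be checked before it is typed into the firewall. Assumptions: 10.0.10.100 is the inside DNS server and domain controller (the thread only gives it as the example DNS address), 10.0.20.10 is the DMZ member server, 10.0.10.50 stands for any other inside host, and 198.51.100.7 is an arbitrary internet address.

```python
"""
First-match evaluator for PIX-style access-list lines (added example,
not code from the thread). It parses the access-list syntax used in the
posts and replays sample flows through the ACL so the ordering rule
(specific permits, then deny to inside, then permit ip any any) can be
checked offline. Addresses are assumptions: 10.0.10.100 = inside DNS/DC,
10.0.20.10 = DMZ server, 10.0.10.50 = some other inside host.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Cisco service keywords used in the thread. Ports are kept numeric where the
# keyword is a trap: on PIX/IOS "kerberos" means 750 (Kerberos v4), not 88.
PORT_NAMES = {"domain": 53, "ldap": 389, "ldaps": 636, "www": 80}

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port, None = any

def _addr(tok: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # PIX takes a subnet mask (not a wildcard); strict=False tolerates host bits
    return ipaddress.IPv4Network((tok[i], tok[i + 1]), strict=False), i + 2

def parse_ace(line: str):
    """access-list NAME permit|deny PROTO SRC DST [eq PORT]; the source-port form is not modelled."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    name, action, proto = tok[1], tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return name, Ace(action, proto, src, dst, dport)

def build_acls(lines: List[str]):
    """Group ACEs by ACL name, preserving config order (remarks and access-group lines are skipped)."""
    acls = {}
    for line in lines:
        line = line.strip()
        if line.startswith("access-list") and " remark " not in line:
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls

def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: Optional[int] = None):
    """Return (action, 1-based ACE number) of the first match; PIX ends every ACL with an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None

# Constructed DMZ ACL following the thread: AD/DNS ports to the assumed DC,
# then deny everything else to the inside network, then permit ip any any.
DMZ_ACL = """
access-list acl_dmz permit udp any host 10.0.10.100 eq domain
access-list acl_dmz permit tcp any host 10.0.10.100 eq domain
access-list acl_dmz permit tcp any host 10.0.10.100 eq 88
access-list acl_dmz permit udp any host 10.0.10.100 eq 88
access-list acl_dmz permit tcp any host 10.0.10.100 eq ldap
access-list acl_dmz permit udp any host 10.0.10.100 eq ldap
access-list acl_dmz permit tcp any host 10.0.10.100 eq ldaps
access-list acl_dmz permit tcp any host 10.0.10.100 eq 135
access-list acl_dmz permit tcp any host 10.0.10.100 eq 445
access-list acl_dmz permit tcp any host 10.0.10.100 eq 1025
access-list acl_dmz deny ip any 10.0.10.0 255.255.255.0
access-list acl_dmz permit ip any any
access-group acl_dmz in interface dmz
""".strip().splitlines()

def misordered(lines: List[str]):
    """The mistake asked about in the thread: the deny placed above the permits."""
    deny = [l for l in lines if " deny " in l]
    return deny + [l for l in lines if " deny " not in l]

def check_policy(lines: List[str] = DMZ_ACL, dmz_host="10.0.20.10", dc="10.0.10.100"):
    """Replay the flows that matter: what must work, and what must stay blocked."""
    acl = build_acls(lines)["acl_dmz"]
    return {
        "dns_to_dc": evaluate(acl, "udp", dmz_host, dc, 53)[0],
        "ldap_to_dc": evaluate(acl, "tcp", dmz_host, dc, 389)[0],
        "kerberos_to_dc": evaluate(acl, "tcp", dmz_host, dc, 88)[0],
        "rdp_to_dc": evaluate(acl, "tcp", dmz_host, dc, 3389)[0],
        "smb_to_other_inside": evaluate(acl, "tcp", dmz_host, "10.0.10.50", 445)[0],
        "http_to_internet": evaluate(acl, "tcp", dmz_host, "198.51.100.7", 80)[0],
    }

if __name__ == "__main__":
    for flow, action in check_policy().items():
        print(f"{flow:22} {action}")
    print("dns with deny on top:", check_policy(misordered(DMZ_ACL))["dns_to_dc"])
```

Two things the replay makes visible that the port list alone does not. First, moving the deny above the permits (the question asked at 05:38) silently breaks DNS and every AD port, because the PIX stops at the first match; the permits for the domain controller have to come before the deny to 10.0.10.0/24. Second, the ACL that matters for a logon from the DMZ server is the one applied inbound on the dmz interface, because the flow's source is 10.0.20.10; nothing here touches acl_outside. Note also that `permit icmp any any` at the top of the real ACL would let DMZ hosts ping the inside network, which is why this constructed version leaves it out.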


thebrom Tue, 07/17/2007 - 06:24
User Badges:

OK, I will try those, but I am still thinking that would need to be open on my outside interface because my statics are


static (dmz,outside) SP2DMZPUB SP2DMZPRI netmask 255.255.255.255 0 0


The SP2DMZPUB is a public outside IP address and the SP2DMZPRI is a 10.0.20.0/24 address, so wouldn't that stuff need to be allowed through my outside interface as well?

acomiskey Tue, 07/17/2007 - 06:26
User Badges:
  • Green, 3000 points or more

But you are not coming from the outside interface. You are coming from the dmz interface.


The source of the traffic is the dmz address 10.0.20.x, not the public address.
