How to allow the mail server in the DMZ to access AD in the inside?

Unanswered Question
May 12th, 2008

I am using a PIX 525 version 6.3 firewall and wanted to allow the mail server in the DMZ to access the AD on the inside. I can ping or make any access from inside to the DMZ area, but not from the DMZ to inside.

What I have done is create a static map of the AD's real IP to a mapped address in the same range as the DMZ area. Then in the access-list on the DMZ inside, I allowed access with "permit ip any any".

But it still seems I can't make a connection from the DMZ area (mail server) to inside.

Any help on this?

sadam.kherisat Mon, 05/12/2008 - 03:21

hi,

What do you mean by AD's real IP? Is it the actual IP of the AD? Can you post your configuration please?

cisco24x7 Mon, 05/12/2008 - 03:46

static (inside,dmz) inside_ip inside_ip netmask x.x.x.x

that will do the trick.

samantha.lk Mon, 05/12/2008 - 18:01

I have already done this for a range of inside_IPs.

static (inside,dmz1) 10.70.4.0 10.70.4.0 netmask 255.255.255.0 0 0

By doing so I was able to ping inside IPs from the DMZ area, but couldn't make telnet or any other kind of access.

Can someone advise why I am only able to ping by doing so?

I have also applied an access-list to the inside of the DMZ and allowed

permit ip any any

permit ICMP any any

Please advise.

aporcaro01 Mon, 05/12/2008 - 05:05

Could you post the configuration that you did? We can better verify where the problem is.

Adriano Porcaro

samantha.lk Tue, 05/13/2008 - 02:52

I have already done a static NAT for a range of inside IPs.

static (inside,dmz1) 10.70.4.0 10.70.4.0 netmask 255.255.255.0 0 0

By doing so I was able to ping inside IPs from the DMZ area, but couldn't make telnet or any other kind of access.

Can someone advise why I am only able to ping by doing so?

I have also applied an access-list to the inside of the DMZ and allowed

permit ip any any

permit ICMP any any

Further, I want to know whether allowing "ip any any" will allow all TCP and UDP access automatically?

See the diagram and configurations for more details.

Please advise.

samantha.lk Tue, 05/13/2008 - 17:50

Hi

Adriano, sadam or someone, kindly advise on this issue since I urgently need to fix this.

I have uploaded all the details in the above post.

The soonest response would be appreciated.

speedingwolfids Thu, 05/15/2008 - 19:43

Hi there,

I've done this before and here is what you could do.

Outside interface

nameif ethernet0 outside security0

DMZ Interface

nameif ethernet2 DMZ security70

Inside Interface

nameif ethernet1 inside security100

I used NAT for my DMZ interface and its network is 192.168.100.0

nat (DMZ) 1 192.168.100.0 255.255.255.0 0 0

access-list 101 is my access list for my DMZ interface. Don't forget to apply:

access-group 101 in interface DMZ

Then I create access list 101 so that my mail server, Bridgehead, talks to my inside AD 10.0.0.13

access-list 101 remark Permit BridgeHead talks to AD

access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq domain

access-list 101 permit udp host 192.168.100.67 host 10.0.0.13 eq domain

access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 88

access-list 101 permit udp host 192.168.100.67 host 10.0.0.13 eq 88

access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 135

access-list 101 permit tcp host 192.168.100.67 host 10.0.0.14 eq ldap

access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq ldap

access-list 101 permit udp host 192.168.100.67 host 10.0.0.13 eq 389

access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 3268

access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 445

access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 1027

access-list 101 permit icmp host 192.168.100.67 any

I hope this helps and it works for your situation.
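As an added illustration (not code from any poster in this thread), the following small PIX-style ACL evaluator answers samantha.lk's question about whether "permit ip any any" covers TCP and UDP, and contrasts that with the scoped list above: PIX access-lists are matched top-down, the first matching entry decides, and anything unmatched hits the implicit deny at the end. The sample ACL text is transcribed from the posts; NAT and connection state are deliberately not modelled.

```python
import ipaddress

# Constructed sample ACLs, transcribed from the thread: the scoped list
# (DMZ mail server 192.168.100.67 -> AD 10.0.0.13) and the wide-open one.
SCOPED_ACL = """
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq domain
access-list 101 permit udp host 192.168.100.67 host 10.0.0.13 eq domain
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq ldap
access-list 101 permit udp host 192.168.100.67 host 10.0.0.13 eq 389
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 445
access-list 101 permit icmp host 192.168.100.67 any
"""
OPEN_ACL = """
access-list 50 permit icmp any any
access-list 50 permit ip any any
"""
PORT_NAMES = {"domain": 53, "ldap": 389}  # named ports used above

def parse_addr(tok, i):
    """Read one PIX address spec (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = parse_addr(tok, 4)
        dst, i = parse_addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; 'ip' matches every protocol; implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action == "permit"
    return False  # nothing matched: implicit deny at end of list
```

Running evaluate on the open list shows RDP (tcp/3389) from any DMZ host permitted, while the scoped list permits only the listed AD ports from the one mail server and denies everything else.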

samantha.lk Thu, 05/15/2008 - 20:08

Many thanks for your reply and I hope this would help me.

But before that I need to get some advice about existing NAT entries. So let me give my current configs.

nameif ethernet1 dmz1 security50

nameif gb-ethernet0 inside security100

nameif gb-ethernet1 dmz2 security50

* my DMZ network is 10.50.4.0 255.255.255.0 00

* inside 10.70.4.0 255.255.255.0

* I have applied an access-list called 50 to the DMZ inside.

access-list 50 permit icmp any any

access-list 50 permit ip any any

access-group 50 in interface dmz1

* The NAT entries below are already there.

global (outside) 2 interface

global (dmz1) 1 interface

global (dmz1) 2 10.50.4.4

nat (inside) 2 10.70.4.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,dmz1) 10.50.4.13 10.70.4.15 netmask 255.255.255.255 0 0

static (inside,dmz1) 10.70.4.0 10.70.4.0 netmask 255.255.255.0 0 0

Kindly advise whether your command will work for me with the existing configuration and, if not, what needs to change.

Many thanks once again, and kindly respond ASAP.

speedingwolfids Thu, 05/15/2008 - 20:49

I think it should work since you use the global command to do port address translation. I would have a test machine, XP with RDP turned on, then access it from your inside network. You should be able to. Open port 3389 and apply access-group 50 to the dmz1 interface. Then see if you can access an internal machine using RDP from your XP machine in DMZ1. I'm not a PIX expert, so someone could point us in the right direction, but I think this should work. If it does, then open those ports that AD requires.

samantha.lk Thu, 05/15/2008 - 21:47

Thanks for the advice.

* first I just want to confirm that your command

"nat (DMZ) 1 192.168.100.0 255.255.255.0 0 0" will work for me also, since I already have rule 1 created as I mentioned before.

* Next, I have created a temporary static map to an inside XP PC from the DMZ as

static (inside,dmz1) 10.50.4.13 (insidePC_IP 10.70.4.15) netmask 255.255.255.255 0 0

By doing so I was able to reach the inside PC IP when I tried to connect to 10.50.4.13 from a DMZ PC. So I feel it should work for all TCP and UDP since I have allowed permit ip any any in access-list 50.

* Now my fear is, I have another static map from outside to the AD (same private IP) since our mail gateway is hosted outside and it is communicating with the AD. So is there any possibility of NATing going crazy since one outside IP and one DMZ IP are NATted to the same AD IP?

I want to know this before I go live today since I already failed once.

Kindly advise me.

speedingwolfids Thu, 05/15/2008 - 22:53

If you permit ip any any from dmz to inside, you should be able to access inside machines. Basically, you open dmz to inside. Have you tried to use RDP from DMZ1 to the inside network? Does that work? You said you were able to ping inside from dmz. Also, do a netstat -a on the Exchange server and see if it talks to AD.

samantha.lk Fri, 05/16/2008 - 00:18

Let me explain a bit more for you.

When I first moved the AD from the DMZ to inside, I was unable to ping or telnet from the DMZ to inside. At that time the access-list was applied permitting everything, but there was no NATing. So on that day I failed and reverted everything.

* Then the next day I added

static (inside,dmz1) 10.70.4.0 10.70.4.0 netmask 255.255.255.0 0 0

(10.70.4.0 is my inside). By doing so I was only able to ping from the DMZ to any inside IP, but got no other type of connectivity.

* Later I temporarily created a static NAT to access a PC on the inside from the DMZ, as

static (inside,dmz1) 10.50.4.13 10.70.4.15 netmask 255.255.255.255 0 0

(10.70.4.15 is the one actually existing)

By doing so I can now make a remote desktop connection from any DMZ-side PC to the 10.70.4.15 PC (above).

Please note that I still haven't moved the AD a second time and want to be sure about connectivity before getting into trouble again when moving the AD to inside. So, is there any way to confirm?

Kind advice is appreciated.

Your netstat -a command will be very useful when checking the connectivity.

speedingwolfids Fri, 05/16/2008 - 10:02

I think if you are able to RDP from dmz to inside, then you should be able to access the AD server. Try RDP from your dmz to your AD server. Make sure the remote desktop option is turned on. Also, try \\myadserver\c$ or something like that. If you can access it, then you have your dmz wide open with your permit ip any any command.

samantha.lk Tue, 05/20/2008 - 21:01

Many thanks for spending your valuable time on advising me.

I have another doubt related to this issue and hope you would advise on that too.

We have hosted our mail gateway with an outside ISP and it is also accessing the AD for LDAP queries. For that I have already added a static NAT as

static (dmz1,outside) 203.**.**.** 10.50.4.12 netmask 255.255.255.255 0 0

and it is working fine.

But when I move the AD to inside I will have to change it as

static (dmz1,outside) 203.**.**.** 10.70.4.21 netmask 255.255.255.255 0 0

to allow access with new AD ip.

Again, another NAT has to be created to access the AD from the DMZ for the mail server, as

static (inside,dmz1) 10.50.4.13(any DMZ side Ip) 10.70.4.21 netmask 255.255.255.255 0 0

My doubt is whether creating two NATs for the same inside IP 10.70.4.21 (AD) will create any confusion in NATing or not?

Kindly advise.
