AD through Cisco Pix

Unanswered Question
Mar 17th, 2009
User Badges:


I have Cisco Pix 515E,7.2(1) with two networks - inside and dmz. Communication between these network is NATed. In inside is Windows domain called GRP. In dmz I have some workstations which need to be domain member of GRP.

Is it any possibility to do it? Because I read, that kerberos has problem with NAT.

Many thanks,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
veljko.tasic Tue, 03/17/2009 - 11:56
User Badges:


Yes it is possible.

DMZ interface is usually with lower security level then inside interface. Because of that you should define access-list that allows hosts from dmz to access your domain controllers and internal dns servers.

More on how communication between dmz and inside works:

valsidalv Tue, 03/17/2009 - 22:47
User Badges:


I have no problem to define ACL. The main question was about windows domain. I don't know if active directory requires anything special to allow on pix.

Or it is enough to allow standard windows ports - 138, 139, 445?


valsidalv Tue, 03/17/2009 - 23:01
User Badges:


I know this document, but it is about accessing VPN users. There is nothing about my question.


veljko.tasic Wed, 03/18/2009 - 00:36
User Badges:

If you are concerned about domain controllers then you should look at microsoft site.

If you have member server in dmz and dc in inside network then you have to enable traffic for following ports:

• Kerberos ports (88/tcp, 88/udp) used to perform mutual authentication between the member server and the domain controller. Kerberos traffic needs to be allowed in addition to the possible application specific traffic.

• DNS ports (53/tcp, 53/udp) used for name lookups.

• LDAP ports (389/udp, 389/tcp or 636/tcp for SSL) used for locator pings.

• Microsoft-DS traffic (445/tcp, 445/udp).

All neccessery data can be found here:

Active Directory in Networks Segmented by Firewalls

I hope that you can solve problem now. :)

valsidalv Fri, 03/20/2009 - 02:54
User Badges:

Thanks, very helpful document. There is one very important information for me:


Active Directory functionality is not supported over a router that has Network Address Translation (NAT) enabled. The configuration recommendations in this paper apply only to non-NAT environments.

So in my scenario I have to disable NAT between DMZ and INSIDE.


veljko.tasic Fri, 03/20/2009 - 03:15
User Badges:

You can set NAT like this.

hostname(config)#static (inside,dmz) netmask

This way you will NAT complete inside network to dmz but with same address range. I have seen scenarios that work this way.


This Discussion