AD through Cisco Pix

valsidalv
Level 1

Hi,

I have a Cisco PIX 515E, 7.2(1), with two networks: inside and dmz. Communication between these networks is NATed. On the inside is a Windows domain called GRP. In the dmz I have some workstations which need to be domain members of GRP.

Is there any possibility to do it? Because I read that Kerberos has problems with NAT.

Many thanks,

Vladislav

7 Replies

veljko.tasic
Level 1

Hi,

Yes it is possible.

The DMZ interface usually has a lower security level than the inside interface. Because of that you should define an access-list that allows hosts from the dmz to access your domain controllers and internal DNS servers.

More on how communication between dmz and inside works:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

Thanks.

I have no problem defining the ACL. The main question was about the Windows domain. I don't know if Active Directory requires anything special to be allowed on the PIX.

Or is it enough to allow the standard Windows ports: 138, 139, 445?

Vladislav

Thanks.

I know this document, but it is about access for VPN users. There is nothing about my question.

Vladislav

If you are concerned about domain controllers then you should look at the Microsoft site.

If you have a member server in the dmz and a DC in the inside network then you have to enable traffic for the following ports:

• Kerberos ports (88/tcp, 88/udp) used to perform mutual authentication between the member server and the domain controller. Kerberos traffic needs to be allowed in addition to the possible application-specific traffic.

• DNS ports (53/tcp, 53/udp) used for name lookups.

• LDAP ports (389/udp, 389/tcp or 636/tcp for SSL) used for locator pings.

• Microsoft-DS traffic (445/tcp, 445/udp).

All necessary data can be found here:

Active Directory in Networks Segmented by Firewalls

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en

I hope that you can solve problem now. :)

Thanks, a very helpful document. There is one very important piece of information for me:

Note: Active Directory functionality is not supported over a router that has Network Address Translation (NAT) enabled. The configuration recommendations in this paper apply only to non-NAT environments.

So in my scenario I have to disable NAT between DMZ and INSIDE.

Vladislav

You can set NAT like this.

! Identity static: the whole 10.1.1.0/24 inside network appears in the dmz
! with its real addresses (the mapped address must be the network address
! when a /24 mask is given, not a single host).
hostname(config)#static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

This way you NAT the complete inside network to the dmz, but with the same address range. I have seen scenarios that work this way.
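As an added example that is not part of the original thread (and not Cisco's or Microsoft's own configuration), here is what a complete PIX 7.2 configuration for this scenario could look like: addresses are kept unchanged between inside and dmz with NAT exemption, and the dmz ACL opens only the AD ports listed above towards the domain controller. The addressing (inside 10.1.1.0/24 with the DC/DNS server at 10.1.1.2, dmz 172.16.1.0/24), the interface names and the ACL and object-group names are assumptions.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   inside 10.1.1.0/24, DC + DNS at 10.1.1.2, dmz 172.16.1.0/24
! Interface names "inside" and "dmz" and all object names are assumed.

! 1. No address translation between inside and dmz (the Microsoft paper says
!    AD is not supported through NAT). NAT exemption is bidirectional, so
!    inside hosts also reach the dmz untranslated. An identity static
!    (static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0) is the
!    equivalent form used in the reply above.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Only the AD ports named in the thread, and only towards the DC.
object-group service AD_TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 389
 port-object eq 636
 port-object eq 445
object-group service AD_UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 389
 port-object eq 445

access-list DMZ_IN extended permit tcp 172.16.1.0 255.255.255.0 host 10.1.1.2 object-group AD_TCP
access-list DMZ_IN extended permit udp 172.16.1.0 255.255.255.0 host 10.1.1.2 object-group AD_UDP

! 3. Assumptions beyond the thread's list, added as a practitioner's caveat:
!    - Kerberos rejects tickets if the clock skew exceeds 5 minutes, and
!      domain members take their time from the DC (W32Time, 123/udp).
!    - A domain join also uses RPC: the endpoint mapper on 135/tcp plus a
!      dynamic range. The Microsoft paper describes fixing that range on the
!      DC; the range below is an assumption and must match what you set.
access-list DMZ_IN extended permit udp 172.16.1.0 255.255.255.0 host 10.1.1.2 eq 123
access-list DMZ_IN extended permit tcp 172.16.1.0 255.255.255.0 host 10.1.1.2 eq 135
access-list DMZ_IN extended permit tcp 172.16.1.0 255.255.255.0 host 10.1.1.2 range 49152 65535

! 4. Block everything else from the dmz into inside, then keep whatever
!    outbound access the dmz already had (here: anything not inside).
access-list DMZ_IN extended deny ip any 10.1.1.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

Two checks after applying this: the dmz workstations must use 10.1.1.2 (the internal DNS server) as their DNS server, because the domain join locates the DC through the _ldap._tcp.dc._msdcs SRV records that only the internal zone carries; and `show xlate` on the PIX should show no translation for inside hosts talking to the dmz, which confirms that the Kerberos tickets carry the real addresses.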
