Allow domain connection through firewall

Unanswered Question
Mar 11th, 2010


I want to connect a PC which is outside the firewall to the Windows server behind the firewall.

I have configured a VPN connection between our branch office router and our ADSL router. There is a PIX firewall behind this router to protect our network. Now I want the PCs in the branch office to connect to the Windows Server which is behind the firewall.

How could I do that? What ports do I have to open in the PIX? Do I have to do any changes in the Win 2003 DNS A record to reflect the firewall IP mappings to the Server?



KARUPPUCHAMY MA... Thu, 03/11/2010 - 02:26


Since your VPN connection is already up and running, you can access your Windows server from your remote office.

You need to configure the firewall to allow the access from the respective VPN clients to the Windows server.

What kind of service (application) are you running on the Windows server?

Based on the application the port number may differ. If you are running a web service on your Windows server, then you need to apply the rule in the firewall saying that:

access-list outside_acl extended permit tcp host eq www

Prior to that you should have proper routing in your main office ADSL router to reach the Windows server.



nimalrajphilips Thu, 03/11/2010 - 02:34

Hi. I would like to join the PC at the remote office as a client PC for the Windows domain controller available at the head office.

KARUPPUCHAMY MA... Thu, 03/11/2010 - 02:43


You have to allow domain and Active Directory ports in the firewall to make it succeed.

Create an ACL that mentions your source network (remote network address) and your Windows server as the destination, and you need to allow the below ports in your firewall.

And apply the ACL on your outside interface (the interface connected to the router).

TCP and UDP/389 - LDAP
TCP/636 - LDAP SSL
TCP/3268 - GC
TCP and UDP/53
TCP and UDP/445 - SMB over IP
TCP/135, Dynamic



nimalrajphilips Thu, 03/11/2010 - 06:21

Is there any way that I can map all these ports to the internal DC using a single command or fewer commands? Maybe using an object-group equivalent?

Or do I have to use a single line for each and every port for the mappings?

KARUPPUCHAMY MA... Thu, 03/11/2010 - 06:25

Hi, you can create an object group for all these ports and map it into the ACL in a single line.



nimalrajphilips Thu, 03/11/2010 - 06:27

Hi, actually I referred to port mappings. I have already done the access-list using object-groups.

At the same time I have to map the ports to the internal DC. My question was, do I have to use a single line for each and every port?

Can't I combine everything in one line?

nimalrajphilips Fri, 03/12/2010 - 00:23


The following is the config I have in my firewall.

object-group service DC_Access
service-object tcp-udp eq 389
service-object tcp-udp eq 88
service-object tcp-udp eq domain
service-object tcp-udp eq 445
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 135

access-list inbound extended permit object-group DC_Access any any
access-group inbound in interface outside

static (inside,outside) netmask     (where is external IP and 1.1 is the DC IP)

When I tried to connect the PC outside the firewall to the DC, I got an error message saying,

"The following domain controllers were identified by the query.

However no domain controllers couldnot be contacted."

Any suggestions?
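
As an added example that is not part of this thread, the script below audits an object-group service block like the one posted above against the port list given in the earlier reply: it expands tcp-udp entries, resolves the named ports (domain, ldaps), reports any required fixed port that is not permitted, and checks whether a range line covers the RPC dynamic ports that "TCP 135, Dynamic" refers to (the 1025-5000 range is assumed here as the Windows Server 2003 default).

```python
# Added example, not part of the thread: audit a PIX/ASA "object-group service"
# block against the domain-join port list given earlier in this discussion.
import re
# Port names PIX/ASA accepts after "eq"; constructed subset that covers this config.
NAMED_PORTS = {"domain": 53, "ldaps": 636, "ldap": 389, "kerberos": 88, "www": 80}
# Fixed ports from the earlier reply (LDAP, LDAPS, GC, DNS, SMB, RPC endpoint mapper).
REQUIRED = {("tcp", 389), ("udp", 389), ("tcp", 636), ("tcp", 3268),
            ("tcp", 53), ("udp", 53), ("tcp", 445), ("udp", 445), ("tcp", 135)}
# "TCP 135, Dynamic" also needs the RPC ephemeral range handed out after the
# endpoint-mapper call. Assumed here: the Windows Server 2003 default, 1025-5000.
RPC_DYNAMIC = (1025, 5000)
SERVICE_LINE = re.compile(r"\s*service-object\s+(tcp-udp|tcp|udp)\s+(eq\s+(\S+)|range\s+(\d+)\s+(\d+))")

def parse_service_objects(config):
    """Return (set of (proto, port) pairs, list of (proto, lo, hi) ranges) the group permits."""
    ports, ranges = set(), []
    for line in config.splitlines():
        m = SERVICE_LINE.match(line)
        if not m:
            continue                      # object-group header, description, other lines
        proto, _, name, lo, hi = m.groups()
        protos = ("tcp", "udp") if proto == "tcp-udp" else (proto,)
        for p in protos:
            if name is not None:
                ports.add((p, int(name) if name.isdigit() else NAMED_PORTS[name]))
            else:
                ranges.append((p, int(lo), int(hi)))
    return ports, ranges

def audit(config):
    """Return (missing required fixed ports, whether a TCP range covers RPC_DYNAMIC)."""
    ports, ranges = parse_service_objects(config)
    # A range line also satisfies any required fixed port that falls inside it.
    covered = set(ports)
    for p, lo, hi in ranges:
        covered |= {(p, port) for (q, port) in REQUIRED if q == p and lo <= port <= hi}
    rpc_ok = any(p == "tcp" and lo <= RPC_DYNAMIC[0] and hi >= RPC_DYNAMIC[1]
                 for p, lo, hi in ranges)
    return REQUIRED - covered, rpc_ok

# Constructed copy of the object-group posted above in this thread.
THREAD_CONFIG = """object-group service DC_Access
service-object tcp-udp eq 389
service-object tcp-udp eq 88
service-object tcp-udp eq domain
service-object tcp-udp eq 445
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 135
"""
```

Running audit(THREAD_CONFIG) reports no missing fixed port but no range covering the RPC dynamic ports, which is the gap a "permit ip any host" rule would mask while testing.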

nimalrajphilips Wed, 03/24/2010 - 09:34

Anyone has any updates about this?

I have done a nat0 access-list to expose the internal network behind the firewall to the external network on the outside interface of the PIX. Then I pointed the DNS IP to the real IP address of the DNS server. After that, I was able to join the domain.

But once i joined the computer, I am getting an error message saying "Changing the primary Domain DNS name of this computer to ""
failed. The name will remain

Thereafter, once I restart the PC and try to log in to the PC using domain credentials, I am getting an error message saying, "The security Database on the server does not have a computer account for this workstation trust relationship."

However, I could see this new PC is listed in the Domain's AD Users & computers.

Any suggestions for this?

Jennifer Halim Wed, 03/24/2010 - 14:55

You might want to check if the DNS name resolves to the correct IP address. What if you try to ping the external IP address of the DC, does it work? What about telnet on port 445 towards the DC, does it connect?

I would suggest that on the outside ACL, you allow all IP towards the external IP of the DC to start with; when that works, you can tighten down to the ports that the DC uses. "permit ip any host "

