×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

PIX 515 Problem

Unanswered Question
Jul 21st, 2002
User Badges:

I have a PIX 515 Firewall with 3 interfaces, (internal, Internet, and DMZ). I have opened conduits between one of the servers in the DMZ and one of the internal servers to allow for Active Directory replication between the two servers, as they are windows 2000 domain controllers. The internal server has a static IP assigned to it on the DMZ, The conduits are opened for all TCP and UDP traffic using their actual IPs and the static IP. (4 conduits opened, 2 between the DMZ server and the internal IP of the internal server, and 2 between the DMZ server and the static IP of the internal server).

The problem is that still the servers cannot replicate. The server in the DMZ still cannot browse the IP of the internal server, or ping it using its internal IP address. It can browse and ping using its static IP but cannot replicate using that IP.

The IPs of the required server are listed in the HOSTS file for name resolution.


Thanks for your support.

Omnia




  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
yusuff Sun, 07/21/2002 - 15:26
User Badges:
  • Cisco Employee,

As youmentioned, you are not able to ping or browse the internal IP address from the DMZ which is normal, you have to ping/browse using the static IP, since that is what you is NATed statically on the PIX to the internal IP.


On you HOSTS file, make sure you have the static IP and not the internal IP of the inside server. If you can ping and browse but cannot replicate, than probably it is due to some ports being denied. Check what ports need to be opened for AD replication (i am not sure), if you don't know, for a test purpose, open everything on your firewall, eg;


conduit permit tcp any any

conduit permit udp any any

conduit permit ip any any

conduit permit icmp any any


and see if replication works, if it doesn't then you know it is not a PIX issue, since the PIX is wide open. And if it works, do a 'show conduit' and see which conduit got hit counts, and that way you will figure out the ports it is trying to use.


HTH

R/Yusuf


oginina Fri, 07/26/2002 - 01:11
User Badges:

Primarily thanks for your reply.

I already have the conduits applied. I have the following four of them:

conduit permit tcp host Static_IP host DMZ_Server_IP

conduit permit udp host Static_IP host DMZ_Server_IP

conduit permit tcp host Internal_IP host DMZ_Server_IP

conduit permit udp host Internal_IP host DMZ_Server_IP


I also have

conduit permit icmp any any

applied.

and the entries of the server's IP addresses are in the HOSTS and LMHosts files, still I cannot either ping or browse the server with its internal IP.


i.e.: even with all the conduits applied, the firewall does not seem to allow the traffic.


Thanks,

Omnia



Actions

This Discussion