New Member

AD through Cisco Pix

Hi,

I have a Cisco PIX 515E, 7.2(1), with two networks - inside and dmz. Communication between these networks is NATed. On the inside is a Windows domain called GRP. In the dmz I have some workstations which need to be domain members of GRP.

Is there any possibility to do it? Because I read that Kerberos has a problem with NAT.

Many thanks,

Vladislav

7 REPLIES
New Member

Re: AD through Cisco Pix

Hi,

Yes it is possible.

The DMZ interface usually has a lower security level than the inside interface. Because of that, you should define an access-list that allows hosts from the dmz to access your domain controllers and internal DNS servers.

More on how communication between dmz and inside works:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

New Member

Re: AD through Cisco Pix

Thanks.

I have no problem defining an ACL. The main question was about the Windows domain. I don't know if Active Directory requires anything special to be allowed on the PIX.

Or is it enough to allow the standard Windows ports - 138, 139, 445?

Vladislav

New Member

Re: AD through Cisco Pix

New Member

Re: AD through Cisco Pix

Thanks.

I know this document, but it is about accessing VPN users. There is nothing about my question.

Vladislav

New Member

Re: AD through Cisco Pix

If you are concerned about domain controllers, then you should look at the Microsoft site.

If you have a member server in the dmz and a DC in the inside network, then you have to enable traffic for the following ports:

• Kerberos ports (88/tcp, 88/udp) used to perform mutual authentication between the member server and the domain controller. Kerberos traffic needs to be allowed in addition to the possible application-specific traffic.

• DNS ports (53/tcp, 53/udp) used for name lookups.

• LDAP ports (389/udp, 389/tcp or 636/tcp for SSL) used for locator pings.

• Microsoft-DS traffic (445/tcp, 445/udp).

All necessary data can be found here:

Active Directory in Networks Segmented by Firewalls

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en

I hope that you can solve the problem now. :)

New Member

Re: AD through Cisco Pix

Thanks, very helpful document. There is one very important piece of information for me:

Note: Active Directory functionality is not supported over a router that has Network Address Translation (NAT) enabled. The configuration recommendations in this paper apply only to non-NAT environments.

So in my scenario I have to disable NAT between DMZ and INSIDE.

Vladislav

New Member

Re: AD through Cisco Pix

You can set up NAT like this.

hostname(config)#static (inside,dmz) 10.1.1.2 10.1.1.2 netmask 255.255.255.0

This way you will NAT the complete inside network to the dmz, but with the same address range. I have seen scenarios that work this way.
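To put the two answers together, the following PIX 7.2 configuration fragment is an added example for this thread (it is not from any of the posters or from the Microsoft paper). It combines the identity static NAT from the last reply with an access-list on the dmz interface for the Active Directory ports listed in the earlier reply. The addressing is assumed: inside 10.1.1.0/24 with domain controllers 10.1.1.10 and 10.1.1.11, dmz 192.168.10.0/24; the object-group and access-list names are also made up for the example. Two ports go beyond the list in the thread and are marked as additions in the comments: 123/udp (NTP, because Kerberos rejects tickets when the member's clock differs from the DC by more than the default five minutes) and 464 (Kerberos password change).

```cisco
! Identity NAT: inside hosts keep their real addresses when seen from the dmz,
! so Kerberos and SMB never see a translated address (same idea as the last reply,
! written for the whole network rather than one host).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Domain controllers (assumed addresses for this example).
object-group network DOMAIN-CONTROLLERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
!
! AD ports from the thread: DNS 53, Kerberos 88, LDAP 389/636, Microsoft-DS 445.
! Additions not in the thread: 464 (kpasswd) and 123/udp (NTP for Kerberos time sync).
object-group service AD-TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 389
 port-object eq 636
 port-object eq 445
 port-object eq 464
object-group service AD-UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 389
 port-object eq 445
 port-object eq 464
 port-object eq 123
!
! Only the dmz workstation subnet, only to the DCs, only the AD ports.
access-list DMZ_IN extended permit tcp 192.168.10.0 255.255.255.0 object-group DOMAIN-CONTROLLERS object-group AD-TCP
access-list DMZ_IN extended permit udp 192.168.10.0 255.255.255.0 object-group DOMAIN-CONTROLLERS object-group AD-UDP
! Log anything else the dmz tries to send into the inside network, then drop it.
access-list DMZ_IN extended deny ip any 10.1.1.0 255.255.255.0 log
access-group DMZ_IN in interface dmz
```

Two points for applying this: the dmz workstations must use the inside DNS servers as their resolvers, because the domain controller locator finds DCs through SRV records, which is why 53 is in the list at all; and the logged deny at the end shows which other inside destinations the dmz machines attempt to reach, so the access-list can be kept at the minimum the domain join actually needs rather than widened blindly.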
