I have a Cisco PIX 515E, 7.2(1), with two networks - inside and dmz. Communication between these networks is NATed. On the inside is a Windows domain called GRP. In the dmz I have some workstations which need to be domain members of GRP.
Is there any possibility to do it? Because I read that Kerberos has problems with NAT.
The DMZ interface usually has a lower security level than the inside interface. Because of that you should define an access-list that allows hosts from the dmz to access your domain controllers and internal DNS servers.
More on how communication between dmz and inside works:
If you are concerned about domain controllers then you should look at microsoft site.
If you have a member server in the dmz and a DC on the inside network then you have to enable traffic for the following ports:
• Kerberos ports (88/tcp, 88/udp) used to perform mutual authentication between the member server and the domain controller. Kerberos traffic needs to be allowed in addition to the possible application-specific traffic.
• DNS ports (53/tcp, 53/udp) used for name lookups.
• LDAP ports (389/udp, 389/tcp or 636/tcp for SSL) used for locator pings.
• Microsoft-DS traffic (445/tcp, 445/udp).
All necessary data can be found here:
Active Directory in Networks Segmented by Firewalls
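As an added example (not part of the original answer, and not a configuration from the thread), the port list above expressed as PIX 7.2 object groups and an access-list applied inbound on the dmz interface. Host addresses, object-group names and the access-list name are constructed placeholders; the rule set only permits the listed ports from the specific dmz member workstations to the specific domain controllers and logs everything else the dmz tries to send toward inside.

```cisco
! Added example, not from the original post. Addresses and names are placeholders.
!
! Ports the member workstations need toward the DCs (per the list above):
! 88 Kerberos, 53 DNS, 389/636 LDAP and LDAP over SSL, 445 Microsoft-DS.
object-group service AD-MEMBER-TCP tcp
 port-object eq 88
 port-object eq 53
 port-object eq 389
 port-object eq 636
 port-object eq 445
object-group service AD-MEMBER-UDP udp
 port-object eq 88
 port-object eq 53
 port-object eq 389
 port-object eq 445
!
! Limit the source to the dmz workstations that must join the domain
! and the destination to the domain controllers / internal DNS servers.
! With NAT between dmz and inside, the DC address used here must be the
! address the DC is reachable at from the dmz side.
object-group network DMZ-MEMBERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network INSIDE-DCS
 network-object host 10.1.1.10
!
! Inbound rules on the dmz interface: permit only the AD ports, then
! deny and log everything else so unexpected attempts are visible.
access-list DMZ_IN extended permit tcp object-group DMZ-MEMBERS object-group INSIDE-DCS object-group AD-MEMBER-TCP
access-list DMZ_IN extended permit udp object-group DMZ-MEMBERS object-group INSIDE-DCS object-group AD-MEMBER-UDP
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Applying the access-group on the dmz interface is what lets a lower-security interface initiate connections to the higher-security inside interface; the explicit deny-and-log line at the end keeps the default block but makes it visible in syslog.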