I have a PIX 506E that is used by a public municipal agency to separate one internal LAN from another for security reasons. On the outside interface of the PIX is a less secure network (192.168.10.x) with a Windows 2003 domain controller running DNS. We have installed another secondary domain controller for the same domain on the inside interface (172.23.16.x). Since both domain controllers are for the same domain, we need to configure the firewall to allow the domain controllers to talk to each other. The DNS server on the outside interface is 192.168.10.2 and the second DNS server on the inside interface is 172.23.16.7. Currently SMTP and WWW traffic is passing through with no problem. I have attached a sanitized running config to look at. I'm not sure where I am missing it, but I have been unable to open the ports to get the two to talk together. Any help would be appreciated. Thanks
I ran across this Microsoft article on setting some registry settings on both domain controllers to limit the number of ports RPC is using. Is this the only way to allow RPC traffic, or is there a better suggestion on how to do what I am trying to accomplish?
Before you get into stuff like that (which, when dealing with the registry, would never be my first choice), get some logging going on the PIX, try your replication and see exactly what is going on. No sense ruining your perfectly good domain controllers when you don't need to. Post up the logs.
If we are only talking about DNS zone transfers, those work on TCP 53, which is open on your PIX. However, if you are looking for WINS replication, for that we need to open port 42 (TCP and UDP). Are we only doing zone transfers, or WINS replication also?
Is it possible to collect syslogs at the time you try to replicate?
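To act on the advice in the replies above (turn on PIX logging, attempt replication, then read the denies), here is an added Python example that is not part of the thread and not the poster's configuration or logs. It parses the PIX 6.x syslog messages %PIX-4-106023 (denied by access-list) and %PIX-2-106001 (inbound TCP connection denied) and tallies which destination ports are being blocked between the two domain controllers. The log lines are constructed for illustration; 172.23.16.7 and 192.168.10.2 are the two servers named in the question, and the access-group names "inside_access_in" / "outside_access_in" are assumed, not taken from the attached config.

```python
import re
from collections import Counter

# Constructed PIX 6.x syslog lines for illustration only (not the poster's logs).
# 172.23.16.7 and 192.168.10.2 are the inside and outside DCs from the question;
# the access-group names are assumed. The 192.168.10.9 line and the "Built"
# line are included to show that unrelated traffic is ignored.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src inside:172.23.16.7/1051 dst outside:192.168.10.2/135 by access-group "inside_access_in"
%PIX-4-106023: Deny tcp src inside:172.23.16.7/1052 dst outside:192.168.10.2/135 by access-group "inside_access_in"
%PIX-4-106023: Deny tcp src inside:172.23.16.7/1053 dst outside:192.168.10.2/1028 by access-group "inside_access_in"
%PIX-4-106023: Deny tcp src outside:192.168.10.2/3421 dst inside:172.23.16.7/135 by access-group "outside_access_in"
%PIX-2-106001: Inbound TCP connection denied from 192.168.10.2/3422 to 172.23.16.7/1029 flags SYN on interface outside
%PIX-4-106023: Deny udp src outside:192.168.10.9/2000 dst inside:172.23.16.7/161 by access-group "outside_access_in"
%PIX-6-302013: Built inbound TCP connection 5012 for outside:192.168.10.2/3500 (192.168.10.2/3500) to inside:172.23.16.7/53 (172.23.16.7/53)
"""

# Message 106023: a packet denied by an access-list (either interface).
DENY_ACL = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/\S+ "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\w+)"
)
# Message 106001: an inbound TCP SYN with no ACL/translation permitting it.
DENY_INBOUND = re.compile(
    r"%PIX-2-106001: Inbound TCP connection denied from (?P<src>[\d.]+)/\S+ "
    r"to (?P<dst>[\d.]+)/(?P<dport>\w+)"
)

# Well-known ports relevant to the thread (DNS zone transfers, WINS
# replication, RPC endpoint mapper). Anything else is reported as-is.
SERVICE_NAMES = {"53": "dns", "42": "wins", "135": "rpc-epmap"}


def denied_flows(log_text, host_a, host_b):
    """Count denied (src, dst, proto, dport) tuples between exactly two hosts."""
    flows = Counter()
    for line in log_text.splitlines():
        m = DENY_ACL.search(line)
        if m:
            proto = m["proto"]
        else:
            m = DENY_INBOUND.search(line)
            if not m:
                continue  # not a deny we know how to parse (e.g. a "Built" line)
            proto = "tcp"
        if {m["src"], m["dst"]} != {host_a, host_b}:
            continue  # deny involving some other host; not our replication pair
        flows[(m["src"], m["dst"], proto, m["dport"])] += 1
    return flows


def describe_port(port):
    """Name a blocked destination port, flagging likely RPC dynamic endpoints."""
    if port in SERVICE_NAMES:
        return SERVICE_NAMES[port]
    if port.isdigit() and int(port) >= 1024:
        return "high port (ephemeral; typical of RPC dynamic endpoints)"
    return "unknown"


def report(log_text, host_a, host_b):
    """Return one human-readable line per distinct denied flow, most frequent first."""
    lines = []
    for (src, dst, proto, dport), n in denied_flows(log_text, host_a, host_b).most_common():
        lines.append(f"{n:3d}x {src} -> {dst} {proto}/{dport} ({describe_port(dport)})")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG, "172.23.16.7", "192.168.10.2"):
        print(entry)
```

Run against a real capture (`logging on`, `logging trap informational`, `logging host <iface> <collector>` on the PIX, then force replication), the report shows whether the blocked traffic is the fixed ports (53, 42, 135) or the high ports the RPC endpoint mapper hands out, which is exactly the distinction behind the registry question above: only if high ports are the problem does restricting the RPC port range become relevant.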