
New Member

Windows domain access from DMZ

I have a web server in a DMZ. We can access web pages on the web server from the internal net and the web server can see a database server on the internal side. The web server can ping the DC, but Windows authentication does not work. I need to be able to browse files on the web server in the DMZ. I added the web server to the domain prior to putting it in the DMZ.

access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.240.0 172.31.4.0 255.255.255.0

access-list DMZ_outbound extended permit ip host 172.31.4.127 host 10.4.0.12 (IP of DC)

Is there something else I need to add so that the web server in the DMZ can authenticate to the DC?

Thanks, Bill

1 ACCEPTED SOLUTION

New Member

Re: Windows domain access from DMZ

Just FYI, it is considered poor design to try and have a domain member server in a DMZ. There are several holes you have to open directly to your DCs which can be seen as a security risk.

You can accomplish being able to access files on the DMZ webserver from the internal network without joining the domain. I have the same setup and just created a local user on the webserver that we use to open the folders.
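The accepted answer's concern about openings from the DMZ toward internal hosts can be checked against a firewall configuration. The following is an added example, not code from the thread or from Cisco: a small audit that parses ASA extended ACL entries and reports every permit from the DMZ subnet into the inside subnet. The third sample line (host 10.4.0.20, tcp/1433) and the "broad"/"scoped" labels are constructed for illustration.

```python
import ipaddress

# Zones as given in the thread: inside 10.4.0.0/20, DMZ 172.31.4.0/24.
INSIDE = ipaddress.ip_network("10.4.0.0/20")
DMZ = ipaddress.ip_network("172.31.4.0/24")
PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # operator -> operand count

# First two lines are from the thread; the third is constructed (hypothetical DB host and port).
SAMPLE = """\
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.240.0 172.31.4.0 255.255.255.0
access-list DMZ_outbound extended permit ip host 172.31.4.127 host 10.4.0.12
access-list DMZ_outbound extended permit tcp host 172.31.4.127 host 10.4.0.20 eq 1433
"""

def take_addr(tok):
    """Consume one address spec (any | host A | NET MASK); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC [ports] DST [ports]'; None if not that form."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    try:
        src, rest = take_addr(t[5:])
        if rest and rest[0] in PORT_OPS:          # optional source-port clause
            rest = rest[1 + PORT_OPS[rest[0]]:]
        dst, rest = take_addr(rest)
    except (IndexError, ValueError):              # object-groups etc. are out of scope here
        return None
    ports = " ".join(rest[:1 + PORT_OPS[rest[0]]]) if rest and rest[0] in PORT_OPS else None
    return {"acl": t[1], "action": t[3], "proto": t[4], "src": src, "dst": dst, "ports": ports}

def dmz_to_inside_findings(config):
    """Return (severity, line) for each permit whose source touches the DMZ and destination the inside."""
    out = []
    for line in map(str.strip, config.splitlines()):
        ace = parse_ace(line)
        if not ace or ace["action"] != "permit":
            continue
        if ace["src"].overlaps(DMZ) and ace["dst"].overlaps(INSIDE):
            broad = ace["proto"] == "ip" or (ace["proto"] in ("tcp", "udp") and not ace["ports"])
            out.append(("broad" if broad else "scoped", line))
    return out

if __name__ == "__main__":
    for severity, line in dmz_to_inside_findings(SAMPLE):
        print(f"{severity:6} {line}")
```

The inside-to-DMZ NAT exemption entry is not reported because its source is the inside network; the `permit ip` entry toward the DC is reported as broad because it allows every protocol and port.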

4 REPLIES
New Member

Re: Windows domain access from DMZ

Post

sh run nat

sh run global

sh run static

New Member

Re: Windows domain access from DMZ

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

static (DMZ,outside) tcp x.x.x.x www 172.31.4.127 www netmask 255.255.255.255

New Member

Re: Windows domain access from DMZ

Thanks! I removed from the Domain, created a local user, and now all is good.
