Cisco Support Community

edw
New Member

NT Domain across Access-Lists

Hiya,

I have Cisco 6006 cores and want to lock a VLAN down - however, I still want the PCs to be able to log on to certain shares and the domain. I have done some reading but can't find a definitive answer - which I find surprising considering most people must be using NT4 and above.

This is what I'm trying to do :) I have the domain server on, say, 10.0.0.0 and my computer on, say, 10.0.1.0, but I want to lock this VLAN right the way down so it can authenticate but not much else (there will be a few other ports for service, but in general).

I tried this access-list but don't seem to get any joy:

permit udp any eq netbios-ns 10.0.0.0 0.0.0.255 eq netbios-ns (219 matches)

permit udp any eq netbios-dgm 10.0.0.0 0.0.0.255 eq netbios-dgm (13 matches)

permit tcp any gt 1023 10.0.0.0 0.0.0.255 eq 139 (20 matches)

permit udp 10.0.0.0 0.0.0.255 eq netbios-dgm any eq netbios-dgm (13 matches)

permit udp 10.0.0.0 0.0.0.255 eq netbios-ns any eq netbios-ns (107 matches)

permit tcp 10.0.0.0 0.0.0.255 eq 139 any eq 139

permit tcp any eq 42 10.0.0.0 0.0.0.255 eq 42

deny ip any any (1727 matches)

As you can see, I'm getting hits but still can't auth or join the domain. Any ideas? Has anyone managed to do this? What's the tightest option?

Thanks for any help

Ed

  • Other Network Infrastructure Subjects
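Added example (not part of the original post): a stateless first-match evaluation of the access-list exactly as posted, showing which entry each packet of a NetBIOS session hits. The hosts 10.0.1.25 (client) and 10.0.0.10 (domain server) and the three flows are constructed for illustration, and the list is evaluated as one sequence regardless of which interface or direction it is applied to.

```python
import ipaddress
PORTS = {"netbios-ns": 137, "netbios-dgm": 138}  # IOS port keywords in the list
# Entries as posted in the question, "(N matches)" counters dropped.
ACL = """\
permit udp any eq netbios-ns 10.0.0.0 0.0.0.255 eq netbios-ns
permit udp any eq netbios-dgm 10.0.0.0 0.0.0.255 eq netbios-dgm
permit tcp any gt 1023 10.0.0.0 0.0.0.255 eq 139
permit udp 10.0.0.0 0.0.0.255 eq netbios-dgm any eq netbios-dgm
permit udp 10.0.0.0 0.0.0.255 eq netbios-ns any eq netbios-ns
permit tcp 10.0.0.0 0.0.0.255 eq 139 any eq 139
permit tcp any eq 42 10.0.0.0 0.0.0.255 eq 42
deny ip any any
"""
# Constructed flows (hypothetical hosts): client 10.0.1.25, server 10.0.0.10.
FLOWS = [("tcp", "10.0.1.25", 1045, "10.0.0.10", 139),  # client opens session
         ("tcp", "10.0.0.10", 139, "10.0.1.25", 1045),  # server's reply segment
         ("udp", "10.0.1.25", 137, "10.0.0.10", 137)]   # NetBIOS name query

def _endpoint(tok):
    """Parse 'any' or 'addr wildcard', then an optional 'eq|gt port'."""
    net, tok = (None, tok[1:]) if tok[0] == "any" else (
        tuple(int(ipaddress.ip_address(t)) for t in tok[:2]), tok[2:])
    port = None
    if tok and tok[0] in ("eq", "gt"):
        port, tok = (tok[0], int(PORTS.get(tok[1], tok[1]))), tok[2:]
    return (net, port), tok

def parse(text):
    rules = []  # each entry becomes (action, protocol, source, destination)
    for tok in map(str.split, text.splitlines()):
        src, rest = _endpoint(tok[2:])
        rules.append((tok[0], tok[1], src, _endpoint(rest)[0]))
    return rules

def _hit(endpoint, addr, port):
    (net, pm), ip = endpoint, int(ipaddress.ip_address(addr))
    if net and (ip | net[1]) != (net[0] | net[1]):  # wildcard bits are ignored
        return False
    return pm is None or (port == pm[1] if pm[0] == "eq" else port > pm[1])

def evaluate(rules, proto, src, sport, dst, dport):
    """Stateless first-match: return (entry number, action)."""
    for n, (action, rproto, rsrc, rdst) in enumerate(rules, 1):
        if rproto in ("ip", proto) and _hit(rsrc, src, sport) and _hit(rdst, dst, dport):
            return n, action
    return None, "deny"  # implicit deny at the end of every list

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(parse(ACL), *flow))
```

The server's reply falls through to the final deny because entry 6 requires destination port 139, while the client side of the session uses a port above 1023; that entry is also the one shown without a match count in the posted output.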
1 REPLY
Anonymous
N/A

Re: NT Domain across Access-Lists

Uncheck: Require encrypted password

Allow: unencrypted password

Allow: Challenge Handshake Authentication Protocol (CHAP)

Allow: Microsoft CHAP (MS-CHAP)

Uncheck: Shiva Password Authentication Protocol (SPAP)

Uncheck: Allow older MS-CHAP version for Windows 95 servers

Uncheck: Microsoft CHAP Version 2 (MS-CHAP v2)

Check: Accept any authentication including clear-text

Uncheck: Require data encryption

Uncheck: Require encryption (disconnect if server declines)

Uncheck: Maximum strength encryption (disconnect if server declines)
