11-15-2002 05:47 PM - edited 03-09-2019 01:05 AM
Dear Sir,
We have a PIX-525 UR, PIX Ver 6.2(1), and need to establish a two-way trust relationship for two NT domains residing on two interfaces (one resides on inside and the other resides on dmz1). Then we need to do drive mapping from inside to dmz1 and from dmz1 to inside. The existing PIX configuration allows users on the outside and inside interfaces to access the web server on the dmz1 interface. The following link is for one domain residing on two interfaces and did not work for my case.
http://www.cisco.com/warp/public/110/pixnetbios.html
Can someone help with my problem?
Many Thanks, Simon
11-16-2002 09:39 PM
The easiest way to see what's being denied is to turn on syslogging on the PIX and check for denied packets to/from your DCs. Traffic from the inside to dmz1 should flow unrestricted unless you've applied an ACL to your inside interface, so it'll be traffic from dmz1 to inside that's getting stopped. Do you have a static translation for the DC on the inside interface so that the DC on dmz1 can access it? What if you just allow all IP between the two DCs, does that work?
11-18-2002 09:36 AM
Thank you for your reply.
I do not have an ACL applied to the inside interface. Just like you said, traffic from the inside to dmz1 should flow unrestricted. But I could not even access a shared folder (permission is for "everyone") on dmz1 (Domain B) from inside (Domain A). FYI, we are using Windows NT 4 as the Domain Controller.
But I do have the following commands, which allow unfragmented packets only, on all interfaces. I am not sure if the fragment command causes the problem.
fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 dmz1
Yes. I do have a static translation and access-list set up for the DC on the inside interface so that the DC on dmz1 can access it. Below is our configuration for this part:
static (inside, dmz1) 192.168.2.205 192.168.3.109 netmask 255.255.255.255
access-list acl_dmz1 permit udp any host 192.168.2.205 eq 137
access-list acl_dmz1 permit udp any host 192.168.2.205 eq 138
access-list acl_dmz1 permit tcp any host 192.168.2.205 eq 139
access-group acl_dmz1 in interface dmz1
192.168.2.205 is a free IP on dmz1 used to map to 192.168.3.109 (the DC on the inside).
Can you show me how to allow all IP between the two DCs? If I am right, just use NAT and Global on the inside interface and use the static mapping with access-list permit any any. Am I right?
Thank you very much for your help.
Simon
11-18-2002 06:28 AM
According to Microsoft documentation, if you are using Win2k AD it is not possible to join an AD domain behind a device that performs NAT. The document number is #270152. I tried doing it in our organization and I was wondering if somebody was successful joining a Win2k domain from a lower security to a higher security level.
11-18-2002 12:38 PM
Do you know how to establish a trust relationship between domains on two interfaces for NT 4? Is there any port that you need to open for the trust from low security to high security? Now I cannot even see the shared folder or any servers on the low security interface from the high security interface. Can your Win2K environment work for this?
11-19-2002 06:12 AM
For Win NT 4.0 it is easier. Just do a static translation for your NT domain server and allow the ports that are listed in the Cisco documentation to be open. It worked for me in our mixed environment.
11-19-2002 11:51 AM
Thank you for your reply.
We have the following configured for users at dmz1 to access a shared folder on 192.168.3.109 (DC) on the inside (a different domain), and it did not work.
static (inside, dmz1) 192.168.2.205 192.168.3.109 netmask 255.255.255.255
access-list acl_dmz1 permit udp any host 192.168.2.205 eq 137
access-list acl_dmz1 permit udp any host 192.168.2.205 eq 138
access-list acl_dmz1 permit tcp any host 192.168.2.205 eq 139
access-group acl_dmz1 in interface dmz1
192.168.2.205 is a free IP on dmz1 used to map to 192.168.3.109 (the DC on the inside).
Do you know what ports need to be open to join a domain and establish a trust between two NT 4 domains on two interfaces (dmz1 and inside)?
Thank you
Simon
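To see what the posted acl_dmz1 lines actually let through from dmz1, here is an added example (not from the thread or from Cisco) that parses those PIX 6.x access-list lines and evaluates flows against them first-match, with the implicit deny the PIX adds at the end. 192.168.2.10 is an assumed address for the dmz1 DC, which the thread does not give, and the extra permit ip line models the "allow all IP between the two DCs" test suggested in the first reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the acl_dmz1 lines posted in the thread.
POSTED_ACL = """
access-list acl_dmz1 permit udp any host 192.168.2.205 eq 137
access-list acl_dmz1 permit udp any host 192.168.2.205 eq 138
access-list acl_dmz1 permit tcp any host 192.168.2.205 eq 139
"""
# Assumed: 192.168.2.10 stands in for the dmz1 DC (address not in the thread).
DC_TO_DC_ANY_IP = "access-list acl_dmz1 permit ip host 192.168.2.10 host 192.168.2.205\n"

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port

def _addr(tokens):
    """Consume one PIX 6.x address spec: 'any', 'host A', or 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Parse lines of the form: access-list NAME permit|deny PROTO SRC DST [eq PORT]."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        _, _name, action, proto = tok[:4]
        rest = tok[4:]
        src = _addr(rest)
        dst = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE wins; anything unmatched hits the PIX implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto in ("ip", proto) and s in a.src and d in a.dst and a.dport in (None, dport):
            return a.action
    return "deny (implicit)"
```

Running a flow such as ICMP or SMB to a host other than the static shows why a syslog check for denies is the right first step: only the three NetBIOS ports to 192.168.2.205 match, and everything else from dmz1 falls through to the implicit deny.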