How to Establish NT Trust Relationship between Two Interfaces

li.simon
Level 1

Dear Sir,

We have a PIX-525 UR, PIX Ver 6.2(1), and need to establish a two-way trust relationship for two NT domains residing on two interfaces (one on inside and the other on dmz1). Then we need to do drive mapping from inside to dmz1 and from dmz1 to inside. The existing PIX configuration allows users at the outside and inside interfaces to access the web server on the dmz1 interface. The following link is for one domain residing on two interfaces and did not work for my case.

http://www.cisco.com/warp/public/110/pixnetbios.html Can someone help my problem?

Many Thanks, Simon

6 Replies

gfullage
Cisco Employee

The easiest way to see what's being denied is to turn on syslogging on the PIX and check for denied packets to/from your DCs. Traffic from the inside to dmz1 should flow unrestricted unless you've applied an ACL to your inside interface, so it'll be traffic from dmz1 to inside that's getting stopped. Do you have a static translation for the DC on the inside interface so that the DC on dmz1 can access it? What if you just allow all IP between the two DCs, does that work?

Thank you for your reply.

I do not have an ACL applied to the inside interface. Just like you said, traffic from the inside to dmz1 should flow unrestricted. But I could not even access a shared folder (permission is for "everyone") on dmz1 (Domain B) from inside (Domain A). FYI, we are using Windows NT 4 as the Domain Controller.

But I do have the following command for unfragmented packets only, on all interfaces. I am not sure if the fragment command causes the problem.

fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 dmz1

Yes, I do have a static translation and access-list set up for the DC on the inside interface so that the DC on dmz1 can access it. Below is our configuration for this part:

static (inside, dmz1) 192.168.2.205 192.168.3.109 netmask 255.255.255.255
access-list acl_dmz1 permit udp any host 192.168.2.205 eq 137
access-list acl_dmz1 permit udp any host 192.168.2.205 eq 138
access-list acl_dmz1 permit tcp any host 192.168.2.205 eq 139
access-group acl_dmz1 in interface dmz1

192.168.2.205 is a free IP on dmz1 used to map to 192.168.3.109 (the DC on the inside).

Can you show me how to allow all IP between the two DCs? If I am right, just use NAT and Global on the inside interface and use the static mapping with an access-list permit any any. Am I right?

Thank you very much for your help.

Simon

mtumarinson
Level 1

According to Microsoft documentation, if you are using Win2k AD it is not possible to join an AD domain behind a device that performs NAT. The document number is #270152. I tried doing it in our organization, and I was wondering if somebody was successful joining a Win2k domain from a lower security to a higher security level.

Do you know how to establish a trust relationship between domains on two interfaces for NT 4? Is there any port that you need to open for trust from low security to high security? Now I cannot even see the shared folder or any servers on the low security interface from the high security interface. Can your Win2K environment work for this?

For Win NT 4.0 it is easier. Just do a static translation for your NT domain server and allow the ports that are listed in the Cisco documentation to be open. It worked for me in our mixed environment.

Thank you for your reply.

We have the following configured for users at dmz1 to access a shared folder on 192.168.3.109 (DC) on the inside (different domain), and it did not work.

static (inside, dmz1) 192.168.2.205 192.168.3.109 netmask 255.255.255.255
access-list acl_dmz1 permit udp any host 192.168.2.205 eq 137
access-list acl_dmz1 permit udp any host 192.168.2.205 eq 138
access-list acl_dmz1 permit tcp any host 192.168.2.205 eq 139
access-group acl_dmz1 in interface dmz1

192.168.2.205 is a free IP on dmz1 used to map to 192.168.3.109 (the DC on the inside).

Do you know what ports need to be open to join a domain and establish trust between two NT 4 domains on two interfaces (dmz1 and inside)?

Thank you

Simon
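
The troubleshooting step suggested earlier in the thread (turn on PIX syslog and look for denied packets to and from the DCs) and the open question of which ports the dmz1 ACL is still blocking can be worked through with a small log triage script. This is an added example, not code from the thread or from Cisco; it assumes the PIX logs ACL denies as message 106023 in the form `Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"`, and the sample log lines, the hypothetical dmz1 DC address 192.168.2.10 and the denied ports shown are constructed.

```python
import re
from collections import Counter

# Assumed shape of PIX message 106023 (ACL deny). ICMP denies and all other
# messages are a different shape; those lines fail to match and are skipped.
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access[-_]group "?(?P<acl>[^"\s]+)"?'
)

def parse_deny(line):
    """Return the fields of a 106023 deny line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d

def summarize_dc_denies(log_text, dc_addrs):
    """Count denied flows that involve a DC address, keyed by
    (proto, src_ip, dst_ip, dst_port). Source ports are ephemeral, so they are
    left out of the key and repeated attempts collapse into one row."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_deny(line)
        if d is None:
            continue
        if d["src_ip"] in dc_addrs or d["dst_ip"] in dc_addrs:
            counts[(d["proto"], d["src_ip"], d["dst_ip"], d["dst_port"])] += 1
    return counts

# Constructed sample log (not captured from the PIX in the thread).
# 192.168.2.205 is the static for the inside DC as seen from dmz1 (from the
# thread); 192.168.2.10 is a hypothetical DC on dmz1; the ports are made up.
DC_ADDRS = {"192.168.2.205", "192.168.2.10"}
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src dmz1:192.168.2.10/1025 dst inside:192.168.2.205/445 by access-group "acl_dmz1"
%PIX-4-106023: Deny tcp src dmz1:192.168.2.10/1026 dst inside:192.168.2.205/135 by access-group "acl_dmz1"
%PIX-4-106023: Deny tcp src dmz1:192.168.2.10/1027 dst inside:192.168.2.205/445 by access-group "acl_dmz1"
%PIX-4-106023: Deny tcp src dmz1:192.168.2.77/1040 dst inside:192.168.3.50/80 by access-group "acl_dmz1"
%PIX-6-302001: Built inbound TCP connection 12 for faddr 192.168.2.10/1028 gaddr 192.168.2.205/139 laddr 192.168.3.109/139
"""

if __name__ == "__main__":
    # Each row is a candidate for a specific access-list permit (or a sign of
    # something the DC should not be sending); unrelated hosts are not shown.
    for (proto, src, dst, port), n in sorted(summarize_dc_denies(SAMPLE_LOG, DC_ADDRS).items()):
        print(f"{n:4d}  {proto} {src} -> {dst}:{port}")
```

Running it against a real `logging trap` capture shows, per DC pair, exactly which protocol/port combinations the dmz1 ACL is dropping, which is narrower and safer than opening all IP between the two DCs.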