I have created a new network, as a first step in separating part of our organisation. The new network is separated by a PIX 515E 6.3(1) [the inside of the firewall is on the new network]. My problem is that during the split the users within the new network (DHCP addressed from a local server) need to log on to the original NT4 domain structure through the firewall. I have been able to get them to log on using NAT (pool) addresses but not when I try to PAT (same interface) them.
My questions are:
i. Is it possible to do a domain login using PAT (if so, how)?
ii. If I can't PAT, are there any known problems that I may encounter (apart from name resolution) using DHCP and a NAT pool and not having everything static?
Are the WINS and DNS servers sitting across the firewall? I assume so, because you alluded to the NT4 domain structure being accessed via the firewall. I don't believe that PAT would work, as all users will be seen as coming from a single IP address, and if WINS is sitting across the firewall too, then all workstations will have registered with the same IP address. I would continue to use NAT, or bypass NAT for Windows domain authentication by using the nat (inside) 0 access-list command, where the ACL would refer to connections to the NT4 domain structure.
If you are using NAT as part of a security policy, I would recommend that IPsec be used between the firewall and the NT domain network to further protect the traffic, as it provides much better security than address translation.
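As an added illustration of the two options in the answer above (not configuration from the original thread or from either poster), here is a PIX 6.3-style fragment that exempts domain traffic from translation with nat 0 access-list while keeping a NAT pool for everything else. The address ranges, the interface names and the ACL name NO_NAT_DOMAIN are assumed placeholders: the new network is taken to be 192.0.2.0/24 on the inside interface and the NT4 domain segment 198.51.100.0/24 beyond the outside interface.

```text
! --- assumed topology (constructed for this example) ---
! inside  : 192.0.2.0/24      new network, DHCP clients
! outside : 198.51.100.0/24   original NT4 domain, WINS and DNS

! Option A: bypass NAT for traffic to the domain segment.
! Each workstation keeps its real DHCP address, so WINS sees
! distinct registrations instead of one shared translated address.
access-list NO_NAT_DOMAIN permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list NO_NAT_DOMAIN

! Option B: dynamic NAT pool for all other inside traffic.
! One pool address per active host, so sources remain distinguishable.
global (outside) 1 198.51.100.200-198.51.100.250 netmask 255.255.255.0
nat (inside) 1 192.0.2.0 255.255.255.0

! The setting that caused the problem in the question: PAT on the
! outside interface collapses every inside host to a single address.
! global (outside) 1 interface
```

Two things to check when using the exemption: routers on the domain side must have a route back to 192.0.2.0/24 via the PIX outside interface, since those packets now carry untranslated source addresses, and the outside access-list (or conduits) must still permit the return traffic the domain controllers initiate, because nat 0 only removes translation, not the firewall's access checks. Confirm the result with show xlate and show conn while a client logs on: domain sessions should show no xlate entry, while other traffic should pick up a pool address.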