I have a PIX 515 Firewall with 3 interfaces (internal, Internet, and DMZ). I have opened conduits between one of the servers in the DMZ and one of the internal servers to allow for Active Directory replication between the two servers, as they are Windows 2000 domain controllers. The internal server has a static IP assigned to it on the DMZ. The conduits are opened for all TCP and UDP traffic using their actual IPs and the static IP (4 conduits opened: 2 between the DMZ server and the internal IP of the internal server, and 2 between the DMZ server and the static IP of the internal server).
The problem is that the servers still cannot replicate. The server in the DMZ still cannot browse the IP of the internal server, or ping it using its internal IP address. It can browse and ping using its static IP but cannot replicate using that IP.
The IPs of the required server are listed in the HOSTS file for name resolution.
As you mentioned, you are not able to ping or browse the internal IP address from the DMZ, which is normal. You have to ping/browse using the static IP, since that is what is NATed statically on the PIX to the internal IP.
In your HOSTS file, make sure you have the static IP and not the internal IP of the inside server. If you can ping and browse but cannot replicate, then probably it is due to some ports being denied. Check what ports need to be opened for AD replication (I am not sure); if you don't know, for test purposes, open everything on your firewall, e.g.:
conduit permit tcp any any
conduit permit udp any any
conduit permit ip any any
conduit permit icmp any any
and see if replication works. If it doesn't, then you know it is not a PIX issue, since the PIX is wide open. And if it works, do a 'show conduit' and see which conduits got hit counts, and that way you will figure out the ports it is trying to use.
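An added example (not from the original thread) for the last step of the answer above: a small Python script that parses 'show conduit' output, lists which conduits actually matched traffic, and flags any hit 'permit ... any any' conduit so it gets narrowed to specific hosts and ports instead of being left open after the test. The sample output is constructed, the trailing "(hitcnt=N)" field format is assumed, and the addresses are documentation ranges, not the poster's.

```python
import re
from dataclasses import dataclass

# Constructed sample of PIX 'show conduit' output; the trailing "(hitcnt=N)"
# field is assumed, and the addresses are RFC 5737 documentation ranges, not
# the original poster's. 203.0.113.5 plays the static (NAT) IP of the inside DC.
SAMPLE_SHOW_CONDUIT = """\
conduit permit tcp host 198.51.100.20 host 203.0.113.5 (hitcnt=3)
conduit permit udp host 198.51.100.20 host 203.0.113.5 (hitcnt=0)
conduit permit tcp any any (hitcnt=42)
conduit permit udp any any (hitcnt=0)
conduit permit icmp any any (hitcnt=5)
"""

CONDUIT_RE = re.compile(
    r"^conduit\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<spec>.*?)\s*\(hitcnt=(?P<hits>\d+)\)\s*$"
)

@dataclass
class Conduit:
    action: str
    proto: str
    spec: str   # global/foreign address part, port operators included if present
    hits: int

    def is_wide_open(self) -> bool:
        # bare "any any" with no port operator matches every host and every port
        return self.spec.split() == ["any", "any"]

def parse_show_conduit(text: str) -> list[Conduit]:
    """Parse each conduit line that carries a hit counter; skip anything else."""
    out = []
    for line in text.splitlines():
        m = CONDUIT_RE.match(line.strip())
        if m:
            out.append(Conduit(m["action"], m["proto"], m["spec"], int(m["hits"])))
    return out

def hit_conduits(conduits: list[Conduit]) -> list[Conduit]:
    # rules traffic actually matched: these are the ones replication is using
    return [c for c in conduits if c.hits > 0]

def wide_open_hits(conduits: list[Conduit]) -> list[Conduit]:
    """Permit-everything conduits that were hit during the test; each must be
    replaced by a host/port-specific conduit before the test rules are removed."""
    return [c for c in conduits if c.action == "permit" and c.is_wide_open() and c.hits > 0]

if __name__ == "__main__":
    for c in hit_conduits(parse_show_conduit(SAMPLE_SHOW_CONDUIT)):
        mark = "  <-- wide open, narrow to specific hosts/ports" if c.is_wide_open() else ""
        print(f"{c.proto:5} {c.spec:45} hitcnt={c.hits}{mark}")
```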
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: