You probably need an access-list, but it depends on whether you have one on the internal interface or not.
Can you post your config, but remove all the confidential information such as public IPs, users, passwords...
access-list inside tcp 10.x.x.x 255.255.255.0 host LDAP-Server-IP eq 389
access-group inside interface inside
If you do not have an access-list on your inside interface, then all traffic from the higher security level to the lower interface is by default permitted. You just need a correct NAT (Network Address Translation).
Controlling Network Access and Use version 6.3x:
Version 7.0 guide:
Where is the LDAP server located?
If it is on the outside, then you should already have access to it.
If it is on the dmz interface then you need to define a NONAT entry which disables the NAT from the inside to the DMZ interface or add a PAT entry that translates the inside IPs to a valid DMZ IP.
example NONAT inside to DMZ:
static (inside,DMZ) InsideNet InsideNet netmask InsideSubnetMask 0 0
But anyway, the PCs can't connect to the external LDAP.
The only config related to LDAP in my config is:
access-list 101 permit tcp any host A.B.C.70 eq ldap
where A.B.C.70 is a public IP from one of my internal servers (not the external LDAP that I wish to connect)
Your inside host should not have any problem connecting to the outside LDAP which is on the internet, because there is no access-list that blocks the connection.
Check your logs on the PIX. If you see the following line in the log: ....(SYN Timeout)
then the LDAP server on the internet does not allow you to connect to the server.
You can also try a telnet to the server to see if it responds in some way.
telnet LDAP-PubIP 389
Thanks again for your reply. The case is that we need to allow all my computers, not necessarily only my host (A.B.C.70), to reach the external LDAP. For example, if my computer has a private IP 10.1.1.170 and I put this command:
nat (inside) 1 10.1.0.170 255.255.255.255 0 0
this computer can connect to the external LDAP.
If I delete it:
no nat (inside) 1 10.1.0.170 255.255.255.255 0 0
now it can't.
Maybe I have to put something similar to this?
access-list 101 permit tcp any host 10.1.0.0 eq ldap
where 10.1.0.0 is my subnet....
(sorry but I'm learning cisco pix myself)
I suggest typing the following:
no global (outside) 1 A.B.C.120-A.B.C.125
global (outside) 1 A.B.C.120-A.B.C.124
global (outside) 1 A.B.C.125
This will extend the number of your hosts going to the outside to unlimited instead of only 6 hosts...
I hope this helps!
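As an added example (not from this thread or from Cisco), a small Python check over PIX-style nat/global lines: it reports whether an inside host matches any "nat (inside) <id> ..." statement and how many public addresses the matching "global (outside) <id> ..." pool offers, counting a single-address global as PAT. The config text is constructed for the example, and the public addresses use the 203.0.113.0/24 documentation range in place of A.B.C.x.

```python
import ipaddress

# Constructed config modelled on the thread: a /32 nat entry for one PC and a 6-address pool.
BEFORE_CONFIG = """
nat (inside) 1 10.1.0.170 255.255.255.255 0 0
global (outside) 1 203.0.113.120-203.0.113.125
"""

# Constructed "after" config: nat covers the whole inside subnet (assumed /24),
# and the pool is split into 5 dynamic NAT addresses plus one PAT address.
AFTER_CONFIG = """
nat (inside) 1 10.1.0.0 255.255.255.0 0 0
global (outside) 1 203.0.113.120-203.0.113.124
global (outside) 1 203.0.113.125
"""

def parse_config(text):
    """Return (nat_rules, global_pools): nat id -> networks, global id -> (start, end) ranges."""
    nats, pools = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nat" and len(parts) >= 5:
            nat_id = int(parts[2])
            net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
            nats.setdefault(nat_id, []).append(net)
        elif parts[0] == "global" and len(parts) >= 4:
            gid = int(parts[2])
            lo, _, hi = parts[3].partition("-")
            start = ipaddress.ip_address(lo)
            end = ipaddress.ip_address(hi) if hi else start
            pools.setdefault(gid, []).append((start, end))
    return nats, pools

def translation_for(host, nats, pools):
    """Describe how an inside host is translated, or None if no nat statement matches it."""
    addr = ipaddress.ip_address(host)
    for nat_id, nets in nats.items():
        if any(addr in n for n in nets):
            ranges = pools.get(nat_id, [])
            pool_size = sum(int(e) - int(s) + 1 for s, e in ranges)
            has_pat = any(s == e for s, e in ranges)  # single-address global acts as PAT
            return {"nat_id": nat_id, "pool_size": pool_size, "pat": has_pat}
    return None

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        nats, pools = parse_config(cfg)
        print(label, translation_for("10.1.0.170", nats, pools), translation_for("10.1.0.171", nats, pools))
```

The "before" config shows why only the one PC works: 10.1.0.171 matches no nat statement, and even matched hosts share a fixed 6-address pool with no PAT fallback.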