
PIX & UDP Kerberos Request for Initial Authentication

admin_2
Level 3

I am doing some testing with a new Windows 2003 server acting as domain controller. When a client on the inside of the PIX tries to log on to the Win 2003 server, logon fails. A sniffer trace shows the client issues a udp kerberos request for initial authentication but never gets a response back from the server.

When I eliminate the PIX from the connection path, the client sends a udp port 88 kerberos request and the server returns a udp port 88 kerberos response. Then the client opens a TCP port 88 connection and the authentication process completes.

If I do a registry hack on the client to use TCP for kerberos authentication, logon works through the firewall.

I guess my question is: what is there in the PIX that would block udp port 88 kerberos response coming back from the server? The udp connection originated from the PIX inside interface and you would think the response back on the same port would be permitted by the PIX??

2 Replies

jsivulka
Level 5

Is it possible that the server is replying using an address that is different from that used as the destination address in the outbound traffic? This might happen in some cases with traffic servers and load balancing.

csbowser
Level 1

UDP is not acknowledged - you can think of it as uni-directional. Outbound TCP will have sequence numbers and acknowledgements that allow the flow to be traced. So inbound TCP in response to an outbound sequence will be allowed. UDP packets inbound, in response to an outbound UDP packet do not have this sequence information, so the firewall does not associate it with the original packet. Therefore, rules have to be created to allow inbound UDP from the desired source.
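Both replies come down to how the firewall decides that an inbound UDP datagram belongs to an outbound request. The Python below is an added example, not part of this thread and not PIX code: it models a stateful firewall's connection table the way most stateful-inspection engines treat UDP, that is, the outbound packet creates a flow entry keyed on the 5-tuple, and an inbound packet is admitted only if it matches the exact reverse of an entry that has not idled out. The inside network (10.0.0.0/8), the 120-second UDP idle timeout, and the client and KDC addresses are all assumptions chosen for the illustration; the packets are constructed, not the poster's sniffer trace. The three scenarios cover the normal case, the first reply's hypothesis (KDC answers from a different address), and a late reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed inside network for the model (not from the thread).
INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float    # seconds since start of trace


FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Toy connection table: outbound packets create flows keyed on the
    5-tuple; inbound packets must match the exact reverse 5-tuple of a
    flow that has not exceeded its idle timeout."""

    def __init__(self, udp_idle: float = 120.0, tcp_idle: float = 3600.0):
        self.idle = {"udp": udp_idle, "tcp": tcp_idle}
        self.flows: Dict[FlowKey, float] = {}   # key -> last-seen timestamp

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.flows.items()
                 if now - seen > self.idle[k[0]]]
        for k in stale:
            del self.flows[k]

    def process(self, p: Packet) -> str:
        self._expire(p.ts)
        if ipaddress.ip_address(p.src) in INSIDE:
            # Outbound: record (or refresh) the flow so the reply can match.
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.ts
            return "outbound: flow created"
        # Inbound: the reply must reverse the tracked tuple exactly, so a
        # reply sourced from a different address or port will not match.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:
            self.flows[reverse] = p.ts
            return "inbound: allowed"
        return "inbound: dropped (no live flow matches reverse 5-tuple)"


def run(packets: List[Packet]) -> List[str]:
    fw = StatefulFirewall()
    return [fw.process(p) for p in packets]


# Constructed scenarios: client 10.1.1.5 inside, KDC 192.0.2.10 outside.
SCENARIOS = {
    "kdc replies from the same address": [
        Packet("udp", "10.1.1.5", 3200, "192.0.2.10", 88, 0.0),
        Packet("udp", "192.0.2.10", 88, "10.1.1.5", 3200, 0.1),
    ],
    "kdc replies from a different address": [
        Packet("udp", "10.1.1.5", 3200, "192.0.2.10", 88, 0.0),
        Packet("udp", "192.0.2.11", 88, "10.1.1.5", 3200, 0.1),
    ],
    "kdc reply arrives after udp idle timeout": [
        Packet("udp", "10.1.1.5", 3200, "192.0.2.10", 88, 0.0),
        Packet("udp", "192.0.2.10", 88, "10.1.1.5", 3200, 200.0),
    ],
}


def verdicts() -> Dict[str, str]:
    """Firewall verdict for the reply packet (last packet) in each scenario."""
    return {name: run(pkts)[-1] for name, pkts in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

When troubleshooting a real capture, the same comparison applies: line up the source address and port of the inbound UDP/88 reply against the destination address and port of the outbound request as seen on the firewall's outside interface, since any mismatch (a second KDC address, a load balancer, or a reply that arrives after the UDP idle timer expired) is exactly what a stateful table will refuse to associate with the request.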
