Cisco Support Community
New Member

PIX & UDP Kerberos Request for Initial Authentication

I am doing some testing with a new Windows 2003 server acting as domain controller. When a client on the inside of the PIX tries to log on to the Win 2003 server, logon fails. A sniffer trace shows the client issues a UDP Kerberos request for initial authentication but never gets a response back from the server.

When I eliminate the PIX from the connection path, the client sends a UDP port 88 Kerberos request and the server returns a UDP port 88 Kerberos response. Then the client opens a TCP port 88 connection and the authentication process completes.

If I do a registry hack on the client to use TCP for Kerberos authentication, logon works through the firewall.

I guess my question is: what is there in the PIX that would block the UDP port 88 Kerberos response coming back from the server? The UDP connection originated from the PIX inside interface, and you would think the response back on the same port would be permitted by the PIX?

2 REPLIES
Bronze

Re: PIX & UDP Kerberos Request for Initial Authentication

Is it possible that the server is replying using an address that is different from that used as the destination address in the outbound traffic? This might happen in some cases with traffic servers and load balancing.

New Member

Re: PIX & UDP Kerberos Request for Initial Authentication

UDP is not acknowledged; you can think of it as uni-directional. Outbound TCP will have sequence numbers and acknowledgements that allow the flow to be traced, so inbound TCP in response to an outbound sequence will be allowed. UDP packets inbound, in response to an outbound UDP packet, do not have this sequence information, so the firewall does not associate it with the original packet. Therefore, rules have to be created to allow inbound UDP from the desired source.
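As an added example (not code from this thread), a small Python check that replays the matching a stateful firewall applies when it does track UDP replies: the PIX conn table keys an outbound UDP/88 request on client address, client port and server address, and accepts only a reply whose addresses and ports are the exact reverse and that arrives inside the UDP idle timeout (two minutes by default). Run over a constructed sniffer trace, it separates answered requests, requests with no reply at all (the symptom in the question) and replies sent from a different server address (the case the first reply raises); the hosts, ports and trace are assumptions.

```python
from collections import namedtuple

# One record per packet of a constructed trace (not the poster's capture).
Pkt = namedtuple("Pkt", "ts src sport dst dport proto")

KERBEROS_PORT = 88
UDP_TIMEOUT = 120.0  # seconds; assumption: same idle timeout as the PIX default

TRACE = [
    Pkt(0.000, "10.1.1.50", 49152, "192.168.5.10", 88, "udp"),  # AS-REQ
    Pkt(0.004, "192.168.5.11", 88, "10.1.1.50", 49152, "udp"),  # reply from other IP
    Pkt(1.000, "10.1.1.51", 49153, "192.168.5.10", 88, "udp"),  # AS-REQ
    Pkt(1.003, "192.168.5.10", 88, "10.1.1.51", 49153, "udp"),  # exact reverse tuple
    Pkt(1.010, "10.1.1.51", 49154, "192.168.5.10", 88, "tcp"),  # TCP follow-up
    Pkt(3.000, "10.1.1.52", 49155, "192.168.5.10", 88, "udp"),  # never answered
]


def match_udp_replies(trace, timeout=UDP_TIMEOUT):
    """Track UDP/88 requests like a stateful conn table.

    Returns {(client, client_port, server): 'answered' |
             'unanswered' | 'mismatched_source'}.
    """
    pending = {}  # open entries: key -> time the request was seen
    status = {}
    for p in trace:
        if p.proto != "udp":
            continue  # TCP has its own state; not modelled here
        if p.dport == KERBEROS_PORT:  # outbound request opens an entry
            key = (p.src, p.sport, p.dst)
            pending[key] = p.ts
            status[key] = "unanswered"
        elif p.sport == KERBEROS_PORT:  # inbound packet claiming to be a reply
            key = (p.dst, p.dport, p.src)
            opened = pending.pop(key, None)
            if opened is not None and p.ts - opened <= timeout:
                status[key] = "answered"  # reverse tuple matched in time
            else:
                # No entry for this reverse tuple. If the same client socket
                # has a request open to a different server address, the reply
                # came from the wrong IP and the firewall would not pass it.
                for k in list(pending):
                    if k[:2] == (p.dst, p.dport):
                        status[k] = "mismatched_source"
                        pending.pop(k)
    return status


def unanswered(trace):
    """Keys of requests that never got an acceptable reply."""
    return sorted(k for k, s in match_udp_replies(trace).items() if s != "answered")
```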
