04-02-2004 07:35 AM - edited 02-21-2020 10:09 AM
I am doing some testing with a new Windows 2003 server acting as domain controller. When a client on the inside of the PIX tries to log on to the Win 2003 server, logon fails. A sniffer trace shows the client issues a UDP Kerberos request for initial authentication but never gets a response back from the server.
When I eliminate the PIX from the connection path, the client sends a UDP port 88 Kerberos request and the server returns a UDP port 88 Kerberos response. Then the client opens a TCP port 88 connection and the authentication process completes.
If I do a registry hack on the client to use TCP for Kerberos authentication, logon works through the firewall.
I guess my question is: what is there in the PIX that would block the UDP port 88 Kerberos response coming back from the server? The UDP connection originated from the PIX inside interface and you would think the response back on the same port would be permitted by the PIX?
04-08-2004 11:32 AM
Is it possible that the server is replying using an address that is different from that used as the destination address in the outbound traffic? This might happen in some cases with traffic servers and load balancing.
07-27-2004 04:06 AM
UDP is not acknowledged - you can think of it as uni-directional. Outbound TCP will have sequence numbers and acknowledgements that allow the flow to be traced. So inbound TCP in response to an outbound sequence will be allowed. UDP packets inbound, in response to an outbound UDP packet, do not have this sequence information, so the firewall does not associate it with the original packet. Therefore, rules have to be created to allow inbound UDP from the desired source.
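A minimal model of how a stateful firewall matches an inbound UDP reply to the outbound request that triggered it, added here to illustrate the scenario raised in the first reply (the server answering from a different address than the one the client sent to). This is illustrative code, not PIX code or anything from the thread; the client and server addresses, the ephemeral port and the 120-second idle timeout are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple
# Hypothetical flow-table model (not PIX code). An outbound datagram creates a
# flow keyed by its 5-tuple; an inbound datagram is permitted only if it is the
# exact reverse of a live flow, so a reply from another server address never matches.
FlowKey = Tuple[str, str, int, str, int]  # proto, src_ip, src_port, dst_ip, dst_port

@dataclass
class Datagram:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = inside -> outside, "in" = outside -> inside

@dataclass
class StatefulFirewall:
    idle_timeout: int = 120                                # assumed seconds before a flow is forgotten
    permitted_outbound_ports: frozenset = frozenset({88})  # Kerberos (UDP and TCP)
    flows: Dict[FlowKey, int] = field(default_factory=dict)  # flow -> idle time left

    def handle(self, d: Datagram) -> str:
        """Return 'permit' or 'deny' for one datagram and update the flow table."""
        if d.direction == "out":
            if d.dst_port in self.permitted_outbound_ports:
                self.flows[(d.proto, d.src_ip, d.src_port, d.dst_ip, d.dst_port)] = self.idle_timeout
                return "permit"
            return "deny"
        rk = (d.proto, d.dst_ip, d.dst_port, d.src_ip, d.src_port)  # reversed 5-tuple of the reply
        if rk in self.flows:
            self.flows[rk] = self.idle_timeout  # refresh the idle timer
            return "permit"
        return "deny"  # no outbound flow matches this reply

    def tick(self, seconds: int) -> None:
        """Advance time; flows idle longer than idle_timeout are expired."""
        for key in list(self.flows):
            self.flows[key] -= seconds
            if self.flows[key] <= 0:
                del self.flows[key]

def demo() -> list:
    """Constructed scenario: inside client 10.1.1.20, domain controller at 192.0.2.10."""
    fw = StatefulFirewall()
    req = Datagram("udp", "10.1.1.20", 40000, "192.0.2.10", 88, "out")
    reply_same_addr = Datagram("udp", "192.0.2.10", 88, "10.1.1.20", 40000, "in")
    reply_other_addr = Datagram("udp", "192.0.2.11", 88, "10.1.1.20", 40000, "in")
    return [fw.handle(req), fw.handle(reply_same_addr), fw.handle(reply_other_addr)]
```

The third result shows why a sniffer on both sides of the firewall is the useful check: compare the reply's source address and port with the request's destination, and whether the reply arrives within the idle timeout.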