Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

WIN2K/NT Share Access Traffic Across Different Interface

Dear Sir,

We have a PIX 525 Firewall. Both inbound and outbound traffic works fine for Web access for users on all 4 interfaces. I have following question:

1. How to configure PIX for users on higher security interface to access WIN2K/NT share on lower security interface? Same question from lower security interface to higher security interface?

2. How to configure PIX to work for different NT domain on different interface to trust each other? ( from high security to low security and from low security to high security interface). Same question for user to map a driver letter to a server on different interface.

Thank you very much for your help.

Simon

2 REPLIES
Cisco Employee

Re: WIN2K/NT Share Access Traffic Across Different Interface

This sample configuration should help:

http://www.cisco.com/warp/public/110/pixnetbios.html

Regards,

-Nairi

New Member

Re: WIN2K/NT Share Access Traffic Across Different Interface

Thank you very much Nairi. The above link is very helpful and is the one that I am looking for. But I need more help from you to make it work. Below is my question:

1. We have 4 interfaces. Users and workstation on Inside interface (higher security) is on NT Domain A and need to map a drive letter ( and access shared folder) on server on Domain B which is on Intf2 interface (lower security). How to config PIX to establish two way trusts between Domain A and B on Inside and Intf2 interfaces? I have following config for users at Intf2 to access Inside. IP 192.168.3.109 on Inside interface is Domain Controller with WINS and DNS installed.

static (inside, intf2) 192.168.2.205 192.168.3.109 netmask 255.255.255.255

access-list acl_intf2 permit udp any host 192.168.2.205 eq 137

access-list acl_intf2 permit udp any host 192.168.2.205 eq 138

access-list acl_intf2 permit tcp any host 192.168.2.205 eq 139

access-list acl_intf2 permit udp any host 192.168.2.205 eq 53

access-list acl_intf2 permit tcp any host 192.168.2.205 eq 53

access-group acl_intf2 in interface intf2

The following config is for user and workstation at Inside to access Intf2:

nat (inside) 1 0 0

global (intf2) 1 192.168.2.210-192.168.2.250 netmask 255.255.255.0

global (intf2) 1 192.168.2.251 netmask 255.255.255.0

The test result is that users at Inside can not map drive letter ( and access Shared folder ) on server on Intf2. Same problem from Intf2 to Inside. But we have configuration on PIX for user at Inside & Outside to access Web server on Inft2. This is working fine.

2. Do you need to open Netlogon port UDP 138 ,NetBIOS port UDP137 and Shared Folder Port TCP 139 for traffics from Inside interface to Intf2 interface? If yes, how to do it? To my knowledge, all ports and all traffics are wide open from higher security interface to lower security interface. All your need is NAT & Global command. Am I right?

I would be much appreciated if you can help me to find the answer.

Many Thanks.

Simon

232
Views
0
Helpful
2
Replies
CreatePlease login to create content