Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Windows 2000 Advanced Server - PIX 515

I have one PIX515 with two interfaces. In the inside interface is my Primary Domain Controller PDC with windows 2000 advanced server and in the outside interface are all my users running windows 2000. I have openened all the necesary ports in the PIX (all the ports for test purposes) but I can't:

1) Share folders between the users with windows 2000.

2) Get folders from the computers in the inside interface (other servers that I have)

3) When I try to connect to SQL I have an error in the authentication that says: "Could not generate SSPI context"

7 REPLIES
New Member

Re: Windows 2000 Advanced Server - PIX 515

First, I would make sure that I have the statics setup properly. Second, if you are using access-lists or conduits, I would allow everything and see if you can get a connection that way. If you can, you should be able to look at the ports being sent through the PIX (issue the command "sh conn" and you will be able to determine them). The you can see if your access control is setup properly.

Hope this helps

New Member

Re: Windows 2000 Advanced Server - PIX 515

How is your WINS setup?

Michael

New Member

Re: Windows 2000 Advanced Server - PIX 515

I have already opened all the ports between these interfaces but I still cant´t get logined to the PDC.

Somebody told me that is not possible to make an authentication to the PDC through a PIX.

I´ll appreciate some other tips.

New Member

Re: Windows 2000 Advanced Server - PIX 515

When a PIX opens all ports, it acts as a IP only router. So please check your WINS setup to make sure the name resolution function.

My 2 cents.

New Member

Re: Windows 2000 Advanced Server - PIX 515

What do your translation statements look like, your authentications may be failing because you are not returning the proper source/destination information (kerberos key exchange fails) can you post your static/conduit/access-list statements and your nat/global statements?

DT

New Member

Re: Windows 2000 Advanced Server - PIX 515

Mr. Thompson,

I got the same issue. I am setting up a PIX 520 UR Firewall here at University of Washington and I can login to the Active Directory Win2K domain and the Login scripts executes and established the connection to the necessary NETBIOS network shares. I opened the necessary port (or so I think). Conduit rules are included below, specifically, I am getting a Kerberos Error with Event ID 7 stating that The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was ????????????_ and lookup type 0x100.

Once I login to the domain, and try to use Active Directory for Users and Computers, I get an error message that the RPC Server is not available?

There is a Cisco article on how to setup PIX with Windows NT ((not Win2K) and WINS to login to the domain and connect to network shares. You can find the article at:

http://www.cisco.com/warp/customer/110/pixnetbios.html

I was wondering if there is a similar article for Windows 2000 Active Directory?

Here is the Conduit list (note that the IP addresses are replaced with non-routable private IP space for sanitization:

conduit permit icmp any any echo-reply (hitcnt=69)

conduit permit icmp any any unreachable (hitcnt=1512)

conduit permit icmp any any time-exceeded (hitcnt=1)

conduit permit icmp any any redirect (hitcnt=0)

conduit permit udp host 192.168.1.2 eq 389 any (hitcnt=1699)

conduit permit udp host 192.168.1.2 eq 88 any (hitcnt=943)

conduit permit udp host 192.168.1.2 eq netbios-ns any (hitcnt=1012)

conduit permit icmp host 192.168.1.2 any echo (hitcnt=1753)

conduit permit tcp host 192.168.1.2 eq 445 any (hitcnt=220)

conduit permit tcp host 192.168.1.2 eq 135 any (hitcnt=4880)

conduit permit tcp host 192.168.1.2 eq 389 any (hitcnt=121)

conduit permit tcp host 192.168.1.2 eq 1026 any (hitcnt=1007)

conduit permit tcp host 192.168.1.2 eq 139 any (hitcnt=640)

conduit permit udp host 192.168.1.2 eq netbios-dgm any (hitcnt=726)

conduit permit udp host 192.168.1.3 eq 389 any (hitcnt=942)

conduit permit udp host 192.168.1.3 eq 88 any (hitcnt=809)

conduit permit udp host 192.168.1.3 eq netbios-ns any (hitcnt=4)

conduit permit icmp host 192.168.1.3 any echo (hitcnt=1778)

conduit permit tcp host 192.168.1.3 eq 445 any (hitcnt=767)

conduit permit tcp host 192.168.1.3 eq 135 any (hitcnt=4977)

conduit permit tcp host 192.168.1.3 eq 389 any (hitcnt=481)

conduit permit tcp host 192.168.1.3 eq 1026 any (hitcnt=413)

conduit permit tcp host 192.168.1.3 eq 139 any (hitcnt=46)

conduit permit udp host 192.168.1.3 eq netbios-dgm any (hitcnt=0)

conduit permit tcp host 192.168.1.2 eq 3389 any (hitcnt=16)

conduit permit udp host 192.168.1.3 eq ntp any (hitcnt=20)

conduit permit udp host 192.168.1.2 eq ntp any (hitcnt=1)

New Member

Re: Windows 2000 Advanced Server - PIX 515

jmondaca,

Have you figured out a solution to your problem? if yes, can you share your experiences with us. Thank you.

--Majid

96
Views
0
Helpful
7
Replies
CreatePlease login to create content