We are trying to put an OWA server for Exchange 2000 in the DMZ. We cannot log on to the domain when we have the server in the DMZ. What ports need to be opened, or what other configuration needs to be done, to get authentication to work through the PIX?
Configure it to open all NetBIOS ports as outlined here: http://www.cisco.com/warp/customer/110/pixfaq.shtml#Q21 For testing you can use "conduit permit ip any any" to verify connectivity, then remove that and narrow it down to the specific ports and protocols in the FAQ. The syslog in debugging mode is the window into the PIX's mind that tells you all.
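The "open everything, read the syslog, then narrow down" procedure in the answer above can be made mechanical. The script below is an added example, not part of the original thread or of Cisco's documentation: it parses two real PIX deny message formats (%PIX-4-106023 "Deny ... by access-group" and %PIX-2-106001 "Inbound TCP connection denied"), collects the DMZ-to-inside flows the firewall dropped, and prints the PIX 6.x access-list lines that would permit only those. The log lines, addresses (192.168.100.10 as the OWA server, 10.1.1.5 as the domain controller), interface names and the ACL name "dmz_in" are all constructed assumptions for the example.

```python
"""Turn PIX syslog deny messages into a narrowed access-list.

Added example, not from the original thread. Assumptions: the OWA server is
192.168.100.10 on interface "dmz", the domain controller is 10.1.1.5 on
"inside", and the DMZ inbound ACL is called "dmz_in". Only tcp/udp denies are
handled; the sample log text is constructed, not captured from a real PIX.
"""
import re

# Constructed sample of PIX syslog output at debugging level.
SAMPLE_SYSLOG = """\
%PIX-2-106001: Inbound TCP connection denied from 192.168.100.10/1034 to 10.1.1.5/139 flags SYN on interface dmz
%PIX-4-106023: Deny tcp src dmz:192.168.100.10/1035 dst inside:10.1.1.5/88 by access-group "dmz_in"
%PIX-4-106023: Deny udp src dmz:192.168.100.10/137 dst inside:10.1.1.5/137 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:192.168.100.10/1036 dst inside:10.1.1.5/389 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:192.168.100.10/1037 dst inside:10.1.1.5/445 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:192.168.100.10/1035 dst inside:10.1.1.5/88 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:10.1.1.5/139 by access-group "outside_in"
%PIX-6-302001: Built inbound TCP connection 12 for faddr 203.0.113.9/2345 gaddr 203.0.113.2/443 laddr 192.168.100.10/443
"""

# %PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
RE_106023 = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>tcp|udp) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# %PIX-2-106001: Inbound TCP connection denied from <ip>/<port> to <ip>/<port> flags <f> on interface <if>
RE_106001 = re.compile(
    r'%PIX-2-106001: Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) '
    r'to (?P<dst>[\d.]+)/(?P<dport>\d+) flags .*? on interface (?P<sif>\w+)'
)


def denied_flows(log_text, src_if="dmz"):
    """Return a sorted, de-duplicated list of (proto, src_ip, dst_ip, dst_port)
    for connections the PIX denied arriving on interface ``src_if``.

    Source ports are deliberately dropped: they are ephemeral and must not end
    up in the ACL. Denies arriving on other interfaces (e.g. outside) are
    ignored so Internet scans do not get turned into permit rules.
    """
    flows = set()
    for line in log_text.splitlines():
        m = RE_106023.search(line)
        if m:
            if m.group("sif") == src_if:
                flows.add((m.group("proto"), m.group("src"),
                           m.group("dst"), int(m.group("dport"))))
            continue
        m = RE_106001.search(line)
        if m and m.group("sif") == src_if:
            flows.add(("tcp", m.group("src"), m.group("dst"), int(m.group("dport"))))
    return sorted(flows)


def suggest_acl(flows, acl_name="dmz_in"):
    """Render each denied flow as a host-to-host PIX 6.x access-list line."""
    return [
        "access-list %s permit %s host %s host %s eq %d" % (acl_name, proto, src, dst, dport)
        for proto, src, dst, dport in flows
    ]


if __name__ == "__main__":
    for rule in suggest_acl(denied_flows(SAMPLE_SYSLOG)):
        print(rule)
```

Run it against the syslog collected while the temporary "permit ip any any" rule is in place, review the output by hand, then apply the lines and bind the list with "access-group dmz_in in interface dmz". Treat the output as a starting point rather than a finished policy: anything a scanner or a misbehaving host tried during the capture window will also appear as a denied flow, and Windows RPC uses dynamic high ports that will not settle into a fixed set from one capture.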
I wouldn't suggest allowing domain logins from a lower-security interface to the inside. There are known vulnerabilities with ports 137 and 139, which are used by the feared SUB-7 trojan, which would compromise the internal LAN.
Use AAA with Cisco ACS, and then you only have to allow TCP port 49 to connect via TACACS to the ACS server on the inside, and have ACS use the PDC for authenticating the Exchange server's login.