All NT authentication traffic and LAN file transfer (drive mapping/SMB
traffic/NetBIOS) activity happens on ports 137, 138, and 139. Of all the
ports you open on your firewall, those are among the most dangerous. If your
firewall supports VPN connections, you might have the external client open a
VPN and then map drives through the resulting tunnel. You could also, if you
want to flirt with danger, open up those three aforementioned ports to a
specific external IP address, and allow SMB traffic only from that specific
external host.
You say, 'Yes, but I'm asking about how to deal with NAT.' You will want to
create another IP on the external interface of your firewall (PIX can do
this) that maps directly to the NAT'ed IP on the target host inside your
network. Then, when your external host attaches to that IP, it is actually
having that connection forwarded to the internal host. In essence, the
internal host has both a private (NAT) IP and a public IP. You allow the new
external IP on the firewall to accept SMB connections from the specific IP
of the client you want to map drives from. That's less secure than many
would like, but it's a way around the NAT problem.
-----Original Message-----
From: Tim Uckun [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 22, 1999 9:02 AM
To: [EMAIL PROTECTED]
Subject: NT Drivesharing and firewalls.
I need to mount a drive from an NT machine inside a NATed firewall to an NT
machine outside the network. Does anybody have a pointer on dealing with NT
specific problems when dealing with firewalls? Anybody know which ports an
NT machine uses for PDC/BDC traffic or drive sharing?
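
Added example, not part of the original thread and not PIX configuration: a small Python model of the workaround the reply describes (an extra outside IP mapped one-to-one to the internal host, with the NetBIOS ports allowed from a single source only). All addresses are constructed documentation-range values, and the function and rule names are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample addresses (documentation ranges), not taken from the thread.
PUBLIC_ALIAS = "203.0.113.10"     # extra IP added on the firewall's outside interface
INTERNAL_HOST = "10.0.0.5"        # private (NAT) address of the NT file server
ALLOWED_CLIENT = "198.51.100.20"  # the one external host allowed to map drives

STATIC_NAT = {PUBLIC_ALIAS: INTERNAL_HOST}  # one-to-one mapping
# NetBIOS over TCP/IP: name service 137/udp, datagram 138/udp, session 139/tcp.
NETBIOS = frozenset({("udp", 137), ("udp", 138), ("tcp", 139)})

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

class Rule(NamedTuple):
    src_net: str          # permitted source, CIDR notation
    dst: str              # public address the rule applies to
    services: frozenset   # permitted (protocol, port) pairs

def inbound(pkt: Packet, rules, nat=STATIC_NAT) -> Optional[Packet]:
    """Return the packet as forwarded to the inside, or None if dropped."""
    if pkt.dst not in nat:
        return None                       # no static mapping for this address
    src = ipaddress.ip_address(pkt.src)
    for rule in rules:
        if (pkt.dst == rule.dst
                and src in ipaddress.ip_network(rule.src_net)
                and (pkt.proto, pkt.dport) in rule.services):
            return pkt._replace(dst=nat[pkt.dst])   # rewrite destination
    return None                           # default deny

def broad_netbios_rules(rules):
    """Rules that expose the NetBIOS ports to more than a single source host."""
    return [r for r in rules
            if r.services & NETBIOS
            and ipaddress.ip_network(r.src_net).num_addresses > 1]

# The restricted rule from the reply, beside the wide-open variant it warns about.
TIGHT = [Rule(ALLOWED_CLIENT + "/32", PUBLIC_ALIAS, NETBIOS)]
LOOSE = [Rule("0.0.0.0/0", PUBLIC_ALIAS, NETBIOS)]
```
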
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]