Just set up a static so that the DMZ client does not NAT when talking to the PDC on the inside. Say your DMZ client's IP is 10.0.0.6:

static (int_if,dmz_int) 10.0.0.6 10.0.0.6 netmask 255.255.255.255

At 10:05 AM 4/26/2002 -0400, Fei Yang wrote:
>Hello Jon,
>
>I did some research on this issue, but unfortunately the answer is
>negative: we cannot have a Win2K machine in the DMZ join a domain in the
>inside network.
>
>To make it clear, here's the circumstance:
>- The Win2K server is in the inside network with the inside IP address
>x.x.x.x, and is mapped to y.y.y.y on the DMZ side.
>- The Win2K client is on the DMZ side and is trying to log in to the
>Windows domain. y.y.y.y is configured as the PDC.
>- All IP ports are opened on the PIX to allow traffic from the DMZ to go
>through to the inside network.
>
>I reached this conclusion in two ways.
>
>Firstly, I used a sniffer to monitor all traffic sent between the Win2K
>client and the Win2K server. The problem occurs on the third packet that
>the client sends to the server. The destination address (the server's
>address) of the first two packets sent by the client was y.y.y.y, which is
>the server's mapped address in the DMZ. The PIX translated y.y.y.y to
>x.x.x.x and sent the packets to the server in the inside network. The
>Win2K server also replied to the client. However, the destination address
>of the third packet sent by the client became x.x.x.x, which is the
>server's inside IP address. The PIX won't change this IP address and let
>the packet go through, since there's no static mapping for x.x.x.x on the
>DMZ side. As a result, the login process failed.
>
>I assume the Win2K server sent back its inside IP address and host name to
>the Win2K client, and then the Win2K client began to use that inside IP
>address to contact the Win2K server. I tried to configure DNS doctoring
>and alias on the PIX to do the translation, and tried to configure the
>LMHOSTS and HOSTS files on the Win2K client directly to solve this
>problem, but none of them were useful. The Win2K client always uses
>x.x.x.x as the destination address of its third packet for the domain
>login.
>
>The second source for my conclusion is a Microsoft security book; I think
>it proves this login issue. There's one sentence in the book:
>
>"You require a CA to run in the Demilitarized Zone (DMZ) where it can't
>contact Active Directory. If the CA isn't able to connect to Active
>Directory, then the CA must be configured as a Standalone CA."
>
>Sorry for my poor English if I'm wrong, and please correct me. My
>understanding is that part of the sentence's meaning is "Computers in the
>DMZ can't contact Active Directory (which is not in the DMZ)".
>
>Hope this helps.
>Fei.
>
>
>-----Original Message-----
>From: Jon Miles [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, April 25, 2002 5:06 PM
>To: Fei Yang
>Subject: PIX logon
>
>
>Fei,
>
>Hi. I saw your question in a firewall mailing list regarding logging
>onto a PDC from the DMZ - this is EXACTLY what I am trying to do. I see
>the reply to your question is to use a syslog server, but frankly I
>would prefer if you could just make it easy for me and tell me how you
>solved this problem :)
>
>Basically, I have a Win2K workstation that cannot see the domain on the
>other side. I have opened up all of IP for the meantime, and am using
>NAT and static mappings. I can ping the global address of the PDC, so I
>know the connectivity works. My guess is that you have to tell the
>machine the IP address of the PDC, without it doing all the broadcasts.
>I also know you cannot pass these broadcasts across the PIX with a
>helper address...
>Any help would be appreciated.
>Thanks.
>
>Jon Miles
>//Network Consultant
>
>'delivering quality networking services'
>
>web: www.qosconsulting.net
>mail: [EMAIL PROTECTED]
>tel: 0118 935 4300
>fax: 0118 935 4333
>mobile: 0781 380 9932
>
>QoS Consulting Limited
>308 Kings Road
>Reading
>RG1 4HP
>
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>For Account Management (unsubscribe, get/change password, etc) Please go to:
>http://lists.gnac.net/mailman/listinfo/firewalls
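Added example, not part of the thread and not Cisco's code: a small Python model of the PIX static/xlate behaviour discussed above. It reproduces the failure Fei observed (the client's third packet goes to the PDC's real inside address, for which no static exists on the DMZ side, so it is dropped), shows that an identity static for that inside address lets the packet through, and parses the PIX "No translation group found" syslog line (message 305005) that the syslog-server suggestion Jon mentions would surface. The interface names, the addresses standing in for x.x.x.x (192.168.1.10) and y.y.y.y (192.0.2.10), the client address 10.0.0.6 and the sample log lines are all constructed for the example.

```python
"""Toy model of PIX 'static' translation on the DMZ -> inside path (added example)."""

import re
from dataclasses import dataclass, field

PDC_INSIDE = "192.168.1.10"   # stands in for x.x.x.x (constructed)
PDC_MAPPED = "192.0.2.10"     # stands in for y.y.y.y as seen from the DMZ (constructed)


@dataclass
class Static:
    hi_if: str        # higher-security interface, where local_ip lives
    lo_if: str        # lower-security interface, where global_ip is seen
    global_ip: str
    local_ip: str


@dataclass
class Pix:
    statics: list = field(default_factory=list)

    def add_static(self, hi_if, lo_if, global_ip, local_ip):
        """Equivalent of: static (hi_if,lo_if) global_ip local_ip netmask 255.255.255.255"""
        self.statics.append(Static(hi_if, lo_if, global_ip, local_ip))

    def forward(self, src_if, dst_if, dst_ip):
        """Destination after translation for a packet from a lower- to a
        higher-security interface, or None if the PIX drops it.

        Such a packet is accepted only when its destination matches the
        global side of a static between that interface pair (the ACLs are
        assumed to permit everything, as in the thread)."""
        for s in self.statics:
            if s.hi_if == dst_if and s.lo_if == src_if and s.global_ip == dst_ip:
                return s.local_ip
        return None


def build_pix(with_identity_static: bool) -> Pix:
    pix = Pix()
    # static (inside,dmz) y.y.y.y x.x.x.x  -- the mapping described in the thread
    pix.add_static("inside", "dmz", PDC_MAPPED, PDC_INSIDE)
    if with_identity_static:
        # static (inside,dmz) x.x.x.x x.x.x.x  -- identity static: the PDC's real
        # inside address becomes reachable from the DMZ without translation
        pix.add_static("inside", "dmz", PDC_INSIDE, PDC_INSIDE)
    return pix


def logon_sequence(pix):
    """The three packets of the logon as Fei observed them: two to the mapped
    address, then one to the address the server handed back (its inside IP).
    Returns (destination, translated destination or None) per packet."""
    return [(dst, pix.forward("dmz", "inside", dst))
            for dst in (PDC_MAPPED, PDC_MAPPED, PDC_INSIDE)]


def logon_succeeds(pix) -> bool:
    return all(translated is not None for _, translated in logon_sequence(pix))


# Format of PIX message 305005; the lines below are constructed samples.
XLATE_FAIL = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")

SAMPLE_SYSLOG = [
    "%PIX-3-305005: No translation group found for tcp src dmz:10.0.0.6/1029 "
    "dst inside:192.168.1.10/445",
    "%PIX-6-302013: Built inbound TCP connection 12 for dmz:10.0.0.6/1028 "
    "(10.0.0.6/1028) to inside:192.168.1.10/445 (192.0.2.10/445)",
]


def missing_statics(syslog_lines):
    """(src_if, dst_if, dst_ip) triples the PIX refused for lack of a translation.
    Each is either a static that is missing or a host that has learned an
    address it was not meant to see (here: the PDC's inside address)."""
    found = set()
    for line in syslog_lines:
        m = XLATE_FAIL.search(line)
        if m:
            found.add((m["src_if"], m["dst_if"], m["dst_ip"]))
    return found


if __name__ == "__main__":
    for identity in (False, True):
        pix = build_pix(identity)
        print(f"identity static for {PDC_INSIDE}: {identity}")
        for dst, translated in logon_sequence(pix):
            state = f"forwarded to {translated}" if translated else "DROPPED (no xlate)"
            print(f"  DMZ client -> {dst}: {state}")
        print("  logon", "succeeds" if logon_succeeds(pix) else "fails")
    print("xlate failures seen in syslog:", missing_statics(SAMPLE_SYSLOG))
```

The model deliberately ignores ACLs, since the thread has all IP open; on a real PIX the identity static must still be paired with an access-list that admits only the ports the domain logon needs, and the 305005 line is the quickest way to confirm from the syslog server that the drop is a translation failure rather than an ACL deny.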
