PIX Configuration for AD Domain architecture through a Cisco 2514 to multiple Domains

Posted on 2005-04-03
Last Modified: 2013-11-16
Greetings;

I have a PIX 506E at the border, outside connected to the internet, inside connected to a Cisco 2514 (2 ethernet). On the PIX, NAT is enabled. On the 2514 (IOS 12.2), Eth0 connects to the PIX and Eth1 is statically configured as 192.168.20.1/24 and 192.168.30.1/24 (secondary). The .20 and .30 sub-nets each contain a separate Windows 2003 Domain in different Forests. There is no trust between the two Domains (different clients). Within both Domains, communication within the sub-net and routing to the Internet works fine.
We also have a remote site with a PIX 501 configured for a persistent site-to-site VPN into the PIX 506. This traffic is destined for the .30 sub-net. We have port forwarding of specific traffic (firewall data) through the PIX 506 to a server on the .30 sub-net. Works great. However, while we can ping the DCs on the .30 sub-net from the remote site, we cannot authenticate to the Domain, nor can the DC properly see the remote hosts. We would like a seamless connection between the remote site and the .30 Domain.

PIX 506 config:
Cisco PIX 506E
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8vBxTK2BzUvwgePo encrypted
passwd 8vBxTK2BzUvwgePo encrypted
hostname ABCBorder
domain-name ABCInc.local
clock timezone EST -5
clock summer-time EDT recurring
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 192.168.20.2 ABC-Core
name 192.168.20.0 ABC_LAN
name 192.168.1.0 ABC_DMZ
name 5.6.7.8 XYZ_WB_Public
name 192.168.30.2 XYZ-S1
name 192.168.30.0 XYZ_Backbone
name 69.28.159.0 MusicMatch
name 192.168.40.0 XYZ_VPN_Range
name 192.168.50.0 ABC_VPN_Range
name 192.168.20.3 ABC_Prime
name 192.168.99.1 XYZPIX-Inside
name 192.168.99.0 XYZ_Office
name 24.25.5.60 DNS1
name 24.25.5.61 DNS2
name 1.2.3.4 ABC_Sub-net
name 1.2.3.5 ABC_Public_IP
object-group network ABCCorporateEnclave
  network-object ABC_LAN 255.255.255.0
  network-object ABC_DMZ 255.255.255.0
  network-object XYZ-S1 255.255.255.255
object-group network XYZ_Enclave
  network-object XYZ_WB_Public 255.255.255.255
  network-object XYZ_Office 255.255.255.0
  network-object XYZPIX-Inside 255.255.255.255
object-group service Icecap tcp
  description RealSecure data streams
  port-object eq 8082
  port-object eq 8081
  port-object eq 9081
  port-object eq 8089
  port-object eq 9089
object-group network BellSouth_DNS
  network-object DNS2 255.255.255.255
  network-object DNS1 255.255.255.255
object-group service Exchange tcp
  description Exchange Server Functions
  port-object eq pop3
  port-object eq pop2
  port-object eq smtp
access-list compiled
access-list outside_access_in remark DNS 1
access-list outside_access_in permit tcp host DNS1 eq domain any eq domain log 3
access-list outside_access_in remark DNS 2
access-list outside_access_in permit tcp host DNS2 eq domain any eq domain log 3
access-list outside_access_in permit icmp any any log 4
access-list outside_access_in remark Incoming traffic from XYZ Remote Office
access-list outside_access_in permit ip XYZ_Office 255.255.255.0 any log 4
access-list outside_access_in remark Inbound Web Requests
access-list outside_access_in permit tcp any eq www any eq www log 4
access-list outside_access_in permit tcp any interface outside eq smtp log 2
access-list outside_access_in deny ip Miniclips_subnet 255.255.255.0 any log 3
access-list inside_outbound_nat0_acl permit ip XYZ_Backbone 255.255.255.0 XYZ_VPN_Range 255.255.255.224
access-list inside_outbound_nat0_acl permit ip XYZ_Backbone 255.255.255.0 XYZ_Office 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any ABC_VPN_Range 255.255.255.224
access-list inside_outbound_nat0_acl permit ip ABC_LAN 255.255.255.0 XYZ_Office 255.255.255.0
access-list outside_cryptomap_20 remark XYZ Service Network
access-list outside_cryptomap_20 permit ip XYZ_Backbone 255.255.255.0 XYZ_Office 255.255.255.0
access-list outside_cryptomap_20 permit ip ABC_LAN 255.255.255.0 XYZ_Office 255.255.255.0
access-list outside_cryptomap_20 remark ABC Dial-in Clients
access-list outside_cryptomap_20 permit ip ABC_LAN 255.255.255.0 ABC_VPN_Range 255.255.255.224
access-list outside_cryptomap_dyn_20 remark XYZ Dial-in Clients
access-list outside_cryptomap_dyn_20 permit ip XYZ_Backbone 255.255.255.0 XYZ_VPN_Range 255.255.255.224
access-list ABC_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any
access-list ABC_splitTunnelAcl permit ip ABC_LAN 255.255.255.0 any
access-list ABC_splitTunnelAcl permit ip XYZ_Backbone 255.255.255.0 any
access-list XYZ_splitTunnelAcl permit ip XYZ_Backbone 255.255.255.0 any
access-list XYZ_splitTunnelAcl permit ip ABC_LAN 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging trap notifications
logging history critical
logging host inside ABC-Core format emblem
icmp permit XYZ_Backbone 255.255.255.0 outside
icmp deny any outside
icmp permit any inside
icmp permit XYZ_Office 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside ABC_Public_IP 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name ABC_Default attack action alarm
ip audit name ABC_Default_Info info action alarm
ip audit interface outside ABC_Default_Info
ip audit interface outside ABC_Default
ip audit interface inside ABC_Default_Info
ip audit interface inside ABC_Default
ip audit info action alarm
ip audit attack action alarm
ip local pool XYZ_Dialin 192.168.40.101-192.168.40.129
ip local pool ABC_Dialin 192.168.50.101-192.168.50.129
pdm location ABC_LAN 255.255.255.0 inside
pdm location XYZ_WB_Public 255.255.255.255 outside
pdm location ABC-Core 255.255.255.255 inside
pdm location XYZ-S1 255.255.255.255 inside
pdm location XYZ_Backbone 255.255.255.0 inside
pdm location XYZ_VPN_Range 255.255.255.192 outside
pdm location ABC_VPN_Range 255.255.255.224 outside
pdm location XYZ_VPN_Range 255.255.255.224 outside
pdm location XYZ_Office 255.255.255.0 outside
pdm location 192.168.20.15 255.255.255.255 inside
pdm location ABC_Prime 255.255.255.255 inside
pdm location XYZPIX-Inside 255.255.255.255 outside
pdm location XYZ_Office 255.255.255.0 inside
pdm location DNS1 255.255.255.255 outside
pdm location DNS2 255.255.255.255 outside
pdm location ABC_Public_IP 255.255.255.255 inside
pdm group ABCCorporateEnclave inside
pdm group XYZ_Enclave outside
pdm group BellSouth_DNS outside
pdm logging informational 200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
static (inside,outside) tcp interface www ABC_Prime www dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 ABC_Prime pop3 dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 ABC_Prime 8080 dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https ABC_Prime https dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ABC_Prime smtp dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
rip outside passive version 2
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 24.106.180.181 1
route outside DNS1 255.255.255.255 24.106.180.181 1
route outside DNS2 255.255.255.255 24.106.180.181 1
route inside ABC_LAN 255.255.255.0 192.168.1.1 1
route inside ABC-Core 255.255.255.255 192.168.1.1 1
route inside 192.168.20.15 255.255.255.255 192.168.1.1 1
route inside XYZ_Backbone 255.255.255.0 192.168.1.1 1
route inside XYZ-S1 255.255.255.255 192.168.1.1 1
route outside XYZ_VPN_Range 255.255.255.192 192.168.1.2 1
route outside ABC_VPN_Range 255.255.255.224 192.168.1.2 1
route outside XYZ_Office 255.255.255.0 XYZPIX-Inside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp authenticate
ntp server 192.5.41.209 source outside prefer
http server enable
http XYZ_WB_Public 255.255.255.255 outside
http ABC_DMZ 255.255.255.0 inside
http ABC_LAN 255.255.255.0 inside
http XYZ_Backbone 255.255.255.0 inside
snmp-server host inside 192.168.20.15
snmp-server location ABC Border
snmp-server contact Plumber
snmp-server community ABCLook
snmp-server enable traps
tftp-server inside ABC-Core /ABC_PIX506E_Default
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset ah-md5-hmac esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set pfs group2
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map inside_map interface inside
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer XYZ_WB_Public
crypto map outside_map 20 set transform-set ESP-AES-128-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp key ******** address XYZ_WB_Public netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup ABC address-pool ABC_Dialin
vpngroup ABC dns-server ABC_Prime ABC-Core
vpngroup ABC wins-server ABC_Prime
vpngroup ABC default-domain ABCInc.local
vpngroup ABC split-tunnel ABC_splitTunnelAcl
vpngroup ABC split-dns jb-associates.com XYZresearch.com ABCinc.net ABCinc.local
vpngroup ABC pfs
vpngroup ABC idle-time 3600
vpngroup ABC password ********
vpngroup XYZ address-pool XYZ_Dialin
vpngroup XYZ dns-server XYZ-S1 192.168.30.3
vpngroup XYZ wins-server ABC_Prime
vpngroup XYZ default-domain XYZresearch.com
vpngroup XYZ split-tunnel XYZ_splitTunnelAcl
vpngroup XYZ split-dns XYZresearch.com jb-associates.com ABCinc.local
vpngroup XYZ pfs
vpngroup XYZ idle-time 3600
vpngroup XYZ password ********
telnet ABC_LAN 255.255.255.0 inside
telnet XYZ_Backbone 255.255.255.0 inside
telnet timeout 15
ssh ABC_LAN 255.255.255.0 inside
ssh timeout 5
management-access outside
console timeout 0
vpdn enable inside
dhcpd address 192.168.1.2-192.168.1.4 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username Plumber password 3447cb2GHAT4/FWy encrypted privilege 15
username Jeff password 888R9R5lSIzjVUvS encrypted privilege 15
vpnclient server XYZ_WB_Public
vpnclient mode network-extension-mode
vpnclient vpngroup XYZ password ********
vpnclient username Plumber password ********
terminal width 80
banner login ....
Cryptochecksum:8efe13131e5ff92f4871e1b08d6e24b5
: end
[OK]


Cisco 2514 config:
PIX-Border#sho run
Building configuration...

Current configuration : 944 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname PIX-Border
!
enable password 7 120A0318160A5C537F
!
ip subnet-zero
ip name-server 192.168.20.2
ip name-server 192.168.30.2
ip name-server 205.152.244.252
ip name-server 205.152.37.254
!
!
!
!
!
interface Ethernet0
 description connected to Internet
 ip address dhcp
 ip rip send version 2
!
interface Ethernet1
 description connected to EthernetLAN
 ip address 192.168.30.1 255.255.255.0 secondary
 ip address 192.168.20.1 255.255.255.0
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1 254
no ip http server
!
banner motd ^...^C
!
line con 0
 exec-timeout 0 0
 login
line aux 0
line vty 0 3
 password 7 070C2E5E470817045744
 login local
line vty 4
 password 7 041A08561D706D40282653
 login local
!
end


Thanks in advance.

Jeff

Question by:jbainc
Accepted Solution
by: lrmoore (earned 2000 total points)
ID: 13694092
Nice work.
You have no access-lists on your router, and your PIX VPN allows all IP between the two subnets. What it will not allow are NetBIOS broadcasts. Not being able to find the domain controller comes down to name resolution.
Standard solutions are WINS in a hybrid environment, DNS in Active Directory. A WINS server at each location, replicating between the two, and you're done.

Here are some references to help get you started troubleshooting.
How Browsing a Wide Area Network Works:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q117633&

Problems seeing workgroups when connected to a router:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315978

How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/support/kb/articles/Q180/0/94.ASP

Windows 2000 DNS - Diagnosing Name Resolution Problems
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_zvri.asp

Windows 2000 DNS - Solving other common DNS problems
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_ibxf.asp

NetBIOS over TCP/IP Name Resolution and WINS
http://support.microsoft.com/default.aspx?scid=kb;EN-US;119493
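lrmoore's answer rests on a claim about the posted PIX config: every IP flow between the two subnets is "interesting traffic" for the tunnel and is exempted from NAT, so the remaining gap is name resolution, not the firewall. The script below is an added example, not code from the question or the answer, that makes that check mechanical. It parses PIX 6.3 `name` and `access-list` lines, resolves the symbolic names, and answers two questions for any flow: is it selected by the crypto-map ACL, and is it matched by the `nat (inside) 0 access-list` exemption. It also flags crypto-map entries that the nat 0 ACL does not cover, the classic mistake where traffic is PAT'd to the outside address before the crypto check and never enters the tunnel. The embedded config is a constructed excerpt in the same syntax as the posted one; `vpn_path_check` and `crypto_nat_mismatches` are hypothetical helper names. It is an ACL-level check only and says nothing about the PIX 6.x restriction on VPN clients reaching across a site-to-site tunnel that the expert mentions later.

```python
"""Check PIX 6.x crypto-map ACL and nat 0 ACL coverage for a flow.

Added example; not from the question or the accepted answer.  The config
excerpt below is constructed to mirror the posted PIX 6.3 syntax.
"""
import ipaddress
import re

# Constructed excerpt (same style as the posted config): name table, the
# NAT-exemption ACL and the site-to-site crypto-map ACL.
SAMPLE_CONFIG = """
name 192.168.20.0 ABC_LAN
name 192.168.30.0 XYZ_Backbone
name 192.168.99.0 XYZ_Office
name 192.168.40.0 XYZ_VPN_Range
name 192.168.50.0 ABC_VPN_Range
access-list inside_outbound_nat0_acl permit ip XYZ_Backbone 255.255.255.0 XYZ_VPN_Range 255.255.255.224
access-list inside_outbound_nat0_acl permit ip XYZ_Backbone 255.255.255.0 XYZ_Office 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any ABC_VPN_Range 255.255.255.224
access-list inside_outbound_nat0_acl permit ip ABC_LAN 255.255.255.0 XYZ_Office 255.255.255.0
access-list outside_cryptomap_20 remark XYZ Service Network
access-list outside_cryptomap_20 permit ip XYZ_Backbone 255.255.255.0 XYZ_Office 255.255.255.0
access-list outside_cryptomap_20 permit ip ABC_LAN 255.255.255.0 XYZ_Office 255.255.255.0
access-list outside_cryptomap_20 permit ip ABC_LAN 255.255.255.0 ABC_VPN_Range 255.255.255.224
"""

# Same excerpt with one nat 0 line missing: a constructed misconfiguration
# where ABC_LAN -> XYZ_Office is encrypted but not NAT-exempt.
BROKEN_VARIANT = SAMPLE_CONFIG.replace(
    "access-list inside_outbound_nat0_acl permit ip ABC_LAN 255.255.255.0 XYZ_Office 255.255.255.0\n", "")

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _parse_endpoint(tokens, names):
    """Consume one ACL endpoint ('any', 'host X', or 'X MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = names.get(tokens[0], tokens[0])          # resolve a 'name' entry if present
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def _skip_ports(tokens):
    """Drop an 'eq PORT' / 'range A B' operator so the next endpoint parses cleanly."""
    if tokens and tokens[0] == "eq":
        return tokens[2:]
    if tokens and tokens[0] == "range":
        return tokens[3:]
    return tokens


def parse_config(text):
    """Return (names, acls): names maps symbol -> address, acls maps ACL name -> list of ACEs."""
    names, acls = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            _, addr, name = line.split(maxsplit=2)
            names[name] = addr
            continue
        m = ACE_RE.match(line)                       # 'remark' lines do not match and are skipped
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _parse_endpoint(tokens, names)
        dst, tokens = _parse_endpoint(_skip_ports(tokens), names)
        acls.setdefault(acl, []).append((action, proto, src, dst))
    return names, acls


def acl_verdict(aces, src_ip, dst_ip):
    """First-match evaluation of an IP flow; None is the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, src_net, dst_net in aces:
        if proto == "ip" and s in src_net and d in dst_net:
            return action
    return None


def vpn_path_check(text, src_ip, dst_ip,
                   crypto_acl="outside_cryptomap_20", nat0_acl="inside_outbound_nat0_acl"):
    """Is the flow interesting traffic for the tunnel, and is it exempt from NAT?"""
    _, acls = parse_config(text)
    return {
        "encrypted": acl_verdict(acls.get(crypto_acl, []), src_ip, dst_ip) == "permit",
        "nat_exempt": acl_verdict(acls.get(nat0_acl, []), src_ip, dst_ip) == "permit",
    }


def _probe(net):
    """A representative host address inside a network (the network address for /31 and /32)."""
    return net.network_address + 1 if net.prefixlen < 31 else net.network_address


def crypto_nat_mismatches(text, crypto_acl="outside_cryptomap_20", nat0_acl="inside_outbound_nat0_acl"):
    """Crypto-map permit entries whose traffic the nat 0 ACL would still translate.

    Such traffic is PAT'd to the outside address before the crypto check and never
    matches the tunnel selector.  Returns a list of (src, dst) network strings.
    """
    _, acls = parse_config(text)
    bad = []
    for action, proto, src_net, dst_net in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        if acl_verdict(acls.get(nat0_acl, []), _probe(src_net), _probe(dst_net)) != "permit":
            bad.append((str(src_net), str(dst_net)))
    return bad


if __name__ == "__main__":
    print("XYZ-S1 -> remote office:", vpn_path_check(SAMPLE_CONFIG, "192.168.30.2", "192.168.99.50"))
    print("VPN client -> remote office:", vpn_path_check(SAMPLE_CONFIG, "192.168.40.105", "192.168.99.50"))
    print("posted config mismatches:", crypto_nat_mismatches(SAMPLE_CONFIG))
    print("broken variant mismatches:", crypto_nat_mismatches(BROKEN_VARIANT))
```

Run against the constructed excerpt, the .30 server to the remote office reports encrypted and NAT-exempt, which is the condition lrmoore describes, and the posted ACL pair produces no mismatches; a dial-in client address (the XYZ_Dialin pool) is not selected by the site-to-site ACL at all. The broken variant shows the kind of finding worth hunting for when a tunnel is up but one subnet silently never enters it.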

Author Comment
by: jbainc
ID: 13729027
lrmoore;

Thanks for the detailed response.  I'm currently on travel, but will delve into these links immediately upon my return...will let you know how it goes.  Thanks very much.

Jeff

Author Comment
by: jbainc
ID: 13778675
Both Domains are pure Windows 2003 Server/Windows XP. The .20 Domain is built around MS SBS 2003 Prem with AD and WINS active. The .30 Domain is MS 2003 Server Standard with AD active. Is a server at both ends running WINS still the simplest, most reliable method to replicate across the PIX to PIX VPN, or will a server at both ends running AD replication be sufficient? I also have numerous laptops using Cisco VPN Client v4.x to connect in to the 506 PIX for a final destination of the .30 Domain. Can I configure a solution to allow those machines to seamlessly view the .30 DCs and vice versa? Thanks again.

Jeff

Author Comment
by: jbainc
ID: 13833595
lrmoore;

Implementation of a server on the remote end of the site-to-site VPN is now allowing remote hosts to authenticate with the DC across the VPN tunnel. Thanks for the help. Wish I could have avoided the extra expense of another server at the remote end, but at this point time lost is more expensive than the hardware/software costs. Thanks again.

Jeff

Expert Comment
by: lrmoore
ID: 13833624
Glad you got it working!
Sorry for not following up on your secondary question:
> I also have numerous laptops using Cisco VPN Client v4.x to connect in to the 506 PIX for a final destination of the .30 Domain.  Can I configure a solution to allow those machines to seamlessly view the .30 DCs and vice versa?  Thanks again.
No. If a client connects to one site, they can only access that site's hosts. If you need to access hosts on the other side of the site-to-site VPN, then you must connect to the other PIX with the client. This is a restriction on the fundamental design of the PIX, which will be changed in version 7.x, but 7.x won't run on the 506. It's for the big brothers only, the 515-535.
