PIX Configuration for AD Domain architecture through a Cisco 2514 to multiple Domains

Posted on 2005-04-03
Last Modified: 2013-11-16

I have a PIX 506E at the border, outside connected to the internet, inside connected to a Cisco 2514 (2 ethernet). On the PIX, NAT is enabled. On the 2514 (IOS 12.2), Eth0 connects to the PIX and Eth1 is statically configured as and (Secondary). The .20 and .30 sub-nets each contain a separate Windows 2003 Domain in different Forests. There is no trust between the two Domains (different clients). Within both Domains, communication within the sub-net and routing to the Internet works fine.
We also have a remote site with a PIX 501 configured for a persistent site to site VPN into the PIX 506.  This traffic is destined for the .30 sub-net.  We have port forwarding of specific traffic (firewall data) through the PIX 506 to a server on  the .30 sub-net.  Works great.  However, while we can ping the DCs on the .30 sub-net from the remote site, we cannot authenticate to the Domain, nor can the DC properly see the remote hosts.  We would like a seamless connection between the remote site and the .30 Domain.

PIX 506 config:
Cisco PIX 506E
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8vBxTK2BzUvwgePo encrypted
passwd 8vBxTK2BzUvwgePo encrypted
hostname ABCBorder
domain-name ABCInc.local
clock timezone EST -5
clock summer-time EDT recurring
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
name ABC-Core
name ABC_LAN
name ABC_DMZ
name XYZ_WB_Public
name XYZ-S1
name XYZ_Backbone
name MusicMatch
name XYZ_VPN_Range
name ABC_VPN_Range
name ABC_Prime
name XYZPIX-Inside
name XYZ_Office
name DNS1
name DNS2
name ABC_Sub-net
name ABC_Public_IP
object-group network ABCCorporateEnclave
  network-object ABC_LAN
  network-object ABC_DMZ
  network-object XYZ-S1
object-group network XYZ_Enclave
  network-object XYZ_WB_Public
  network-object XYZ_Office
  network-object XYZPIX-Inside
object-group service Icecap tcp
  description RealSecure data streams
  port-object eq 8082
  port-object eq 8081
  port-object eq 9081
  port-object eq 8089
  port-object eq 9089
object-group network BellSouth_DNS
  network-object DNS2
  network-object DNS1
object-group service Exchange tcp
  description Exchange Server Functions
  port-object eq pop3
  port-object eq pop2
  port-object eq smtp
access-list compiled
access-list outside_access_in remark DNS 1
access-list outside_access_in permit tcp host DNS1 eq domain any eq domain log 3
access-list outside_access_in remark DNS 2
access-list outside_access_in permit tcp host DNS2 eq domain any eq domain log 3
access-list outside_access_in permit icmp any any log 4
access-list outside_access_in remark Incoming traffic from XYZ Remote Office
access-list outside_access_in permit ip XYZ_Office any log 4
access-list outside_access_in remark Inbound Web Requests
access-list outside_access_in permit tcp any eq www any eq www log 4
access-list outside_access_in permit tcp any interface outside eq smtp log 2
access-list outside_access_in deny ip Miniclips_subnet any log 3
access-list inside_outbound_nat0_acl permit ip XYZ_Backbone XYZ_VPN_Range
access-list inside_outbound_nat0_acl permit ip XYZ_Backbone XYZ_Office
access-list inside_outbound_nat0_acl permit ip any ABC_VPN_Range
access-list inside_outbound_nat0_acl permit ip ABC_LAN XYZ_Office
access-list outside_cryptomap_20 remark XYZ Service Network
access-list outside_cryptomap_20 permit ip XYZ_Backbone XYZ_Office
access-list outside_cryptomap_20 permit ip ABC_LAN XYZ_Office
access-list outside_cryptomap_20 remark ABC Dial-in Clients
access-list outside_cryptomap_20 permit ip ABC_LAN ABC_VPN_Range
access-list outside_cryptomap_dyn_20 remark XYZ Dial-in Clients
access-list outside_cryptomap_dyn_20 permit ip XYZ_Backbone XYZ_VPN_Range
access-list ABC_splitTunnelAcl permit ip any
access-list ABC_splitTunnelAcl permit ip ABC_LAN any
access-list ABC_splitTunnelAcl permit ip XYZ_Backbone any
access-list XYZ_splitTunnelAcl permit ip XYZ_Backbone any
access-list XYZ_splitTunnelAcl permit ip ABC_LAN any
pager lines 24
logging on
logging timestamp
logging trap notifications
logging history critical
logging host inside ABC-Core format emblem
icmp permit XYZ_Backbone outside
icmp deny any outside
icmp permit any inside
icmp permit XYZ_Office inside
mtu outside 1500
mtu inside 1500
ip address outside ABC_Public_IP
ip address inside
ip verify reverse-path interface outside
ip audit name ABC_Default attack action alarm
ip audit name ABC_Default_Info info action alarm
ip audit interface outside ABC_Default_Info
ip audit interface outside ABC_Default
ip audit interface inside ABC_Default_Info
ip audit interface inside ABC_Default
ip audit info action alarm
ip audit attack action alarm
ip local pool XYZ_Dialin
ip local pool ABC_Dialin
pdm location ABC_LAN inside
pdm location XYZ_WB_Public outside
pdm location ABC-Core inside
pdm location XYZ-S1 inside
pdm location XYZ_Backbone inside
pdm location XYZ_VPN_Range outside
pdm location ABC_VPN_Range outside
pdm location XYZ_VPN_Range outside
pdm location XYZ_Office outside
pdm location inside
pdm location ABC_Prime inside
pdm location XYZPIX-Inside outside
pdm location XYZ_Office inside
pdm location DNS1 outside
pdm location DNS2 outside
pdm location ABC_Public_IP inside
pdm group ABCCorporateEnclave inside
pdm group XYZ_Enclave outside
pdm group BellSouth_DNS outside
pdm logging informational 200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 dns 0 0
static (inside,outside) tcp interface www ABC_Prime www dns netmask 0 0
static (inside,outside) tcp interface pop3 ABC_Prime pop3 dns netmask 0 0
static (inside,outside) tcp interface 8080 ABC_Prime 8080 dns netmask 0 0
static (inside,outside) tcp interface https ABC_Prime https dns netmask 0 0
static (inside,outside) tcp interface smtp ABC_Prime smtp dns netmask 0 0
access-group outside_access_in in interface outside
rip outside passive version 2
rip inside default version 2
route outside 1
route outside DNS1 1
route outside DNS2 1
route inside ABC_LAN 1
route inside ABC-Core 1
route inside 1
route inside XYZ_Backbone 1
route inside XYZ-S1 1
route outside XYZ_VPN_Range 1
route outside ABC_VPN_Range 1
route outside XYZ_Office XYZPIX-Inside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp authenticate
ntp server source outside prefer
http server enable
http XYZ_WB_Public outside
http ABC_DMZ inside
http ABC_LAN inside
http XYZ_Backbone inside
snmp-server host inside
snmp-server location ABC Border
snmp-server contact Plumber
snmp-server community ABCLook
snmp-server enable traps
tftp-server inside ABC-Core /ABC_PIX506E_Default
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset ah-md5-hmac esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set pfs group2
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map inside_map interface inside
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer XYZ_WB_Public
crypto map outside_map 20 set transform-set ESP-AES-128-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth no-config-mode
isakmp key ******** address XYZ_WB_Public netmask no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup ABC address-pool ABC_Dialin
vpngroup ABC dns-server ABC_Prime ABC-Core
vpngroup ABC wins-server ABC_Prime
vpngroup ABC default-domain ABCInc.local
vpngroup ABC split-tunnel ABC_splitTunnelAcl
vpngroup ABC split-dns jb-associates.com XYZresearch.com ABCinc.net ABCinc.local
vpngroup ABC pfs
vpngroup ABC idle-time 3600
vpngroup ABC password ********
vpngroup XYZ address-pool XYZ_Dialin
vpngroup XYZ dns-server XYZ-S1
vpngroup XYZ wins-server ABC_Prime
vpngroup XYZ default-domain XYZresearch.com
vpngroup XYZ split-tunnel XYZ_splitTunnelAcl
vpngroup XYZ split-dns XYZresearch.com jb-associates.com ABCinc.local
vpngroup XYZ pfs
vpngroup XYZ idle-time 3600
vpngroup XYZ password ********
telnet ABC_LAN inside
telnet XYZ_Backbone inside
telnet timeout 15
ssh ABC_LAN inside
ssh timeout 5
management-access outside
console timeout 0
vpdn enable inside
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username Plumber password 3447cb2GHAT4/FWy encrypted privilege 15
username Jeff password 888R9R5lSIzjVUvS encrypted privilege 15
vpnclient server XYZ_WB_Public
vpnclient mode network-extension-mode
vpnclient vpngroup XYZ password ********
vpnclient username Plumber password ********
terminal width 80
banner login ....
: end

Cisco 2514 config:
PIX-Border#sho run
Building configuration...

Current configuration : 944 bytes
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname PIX-Border
enable password 7 120A0318160A5C537F
ip subnet-zero
ip name-server
ip name-server
ip name-server
ip name-server
interface Ethernet0
 description connected to Internet
 ip address dhcp
 ip rip send version 2
interface Ethernet1
 description connected to EthernetLAN
 ip address secondary
 ip address
interface Serial0
 no ip address
interface Serial1
 no ip address
ip classless
ip route 254
no ip http server
banner motd ^...^C
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 3
 password 7 070C2E5E470817045744
 login local
line vty 4
 password 7 041A08561D706D40282653
 login local

Thanks in advance.


Question by: jbainc

Accepted Solution

ID: 13694092
Nice work.
You have no access-lists on your router, and your PIX VPN allows all IP between the two subnets. What it will not allow are NetBIOS broadcasts. Not being able to find the domain controller comes down to name resolution.
Standard solutions are WINS in a hybrid environment, DNS in Active Directory. A WINS server at each location, replicating between the two, and you're done.

Here are some references to help get you started troubleshooting:
How Browsing a Wide Area Network Works
Problems seeing workgroups when connected to a router
How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
Windows 2000 DNS - Diagnosing Name Resolution Problems
Windows 2000 DNS - Solving other common DNS problems
NetBIOS over TCP/IP Name Resolution and WINS

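An added example, not part of the question or the expert's reply: the observation above that the VPN permits all IP between the two subnets comes from reading the crypto-map ACL against the nat 0 exemption ACL, and this Python script automates that comparison for a PIX 6.3 config in the name-alias form shown in the question, flagging any crypto-ACL subnet pair that is not exempted from NAT (a common reason traffic for one subnet pair never enters the tunnel). It assumes the config lines quoted inline; the `ABC_DMZ -> XYZ_Office` entry is constructed for the demonstration and is not in the posted config.

```python
import re
from typing import Dict, List, Tuple
# Constructed excerpt: the nat 0 and crypto-map ACL lines from the question's
# PIX 6.3 config (addresses appear as PIX 'name' aliases, as in the post), plus
# ONE constructed entry, ABC_DMZ -> XYZ_Office, that has no NAT exemption.
PIX_CONFIG = """
access-list inside_outbound_nat0_acl permit ip XYZ_Backbone XYZ_VPN_Range
access-list inside_outbound_nat0_acl permit ip XYZ_Backbone XYZ_Office
access-list inside_outbound_nat0_acl permit ip any ABC_VPN_Range
access-list inside_outbound_nat0_acl permit ip ABC_LAN XYZ_Office
access-list outside_cryptomap_20 permit ip XYZ_Backbone XYZ_Office
access-list outside_cryptomap_20 permit ip ABC_LAN XYZ_Office
access-list outside_cryptomap_20 permit ip ABC_LAN ABC_VPN_Range
access-list outside_cryptomap_20 permit ip ABC_DMZ XYZ_Office
access-list outside_cryptomap_dyn_20 permit ip XYZ_Backbone XYZ_VPN_Range
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map 20 match address outside_cryptomap_20
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
MASK_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_endpoints(rest: str) -> Tuple[str, str]:
    """(src, dst) after 'permit ip'; a side is 'any', 'host X' or 'X [netmask]'."""
    toks = [t for t in rest.split() if t != "host" and not MASK_RE.match(t)]
    if len(toks) < 2:
        raise ValueError(f"cannot parse ACL endpoints: {rest!r}")
    return toks[0], toks[1]  # trailing options such as 'log 4' are ignored

def parse_acls(config: str) -> Dict[str, List[Tuple[str, str]]]:
    acls: Dict[str, List[Tuple[str, str]]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(parse_endpoints(m.group(2)))
    return acls

def covers(exempt: Tuple[str, str], pair: Tuple[str, str]) -> bool:
    """A nat 0 entry exempts a pair when each side matches or is 'any'."""
    return exempt[0] in ("any", pair[0]) and exempt[1] in ("any", pair[1])

def find_unexempted(config: str) -> List[Tuple[str, str, str]]:
    """Crypto-ACL pairs with no nat 0 match: that traffic is PATed to the outside
    address before the crypto map sees it, so it never enters the tunnel."""
    acls = parse_acls(config)
    nat0 = re.search(r"^nat \(\S+\) 0 access-list (\S+)$", config, re.M)
    exempt = acls.get(nat0.group(1), []) if nat0 else []
    crypto = re.findall(r"^crypto (?:dynamic-map|map) \S+ \d+ match address (\S+)$", config, re.M)
    return [(name, *pair) for name in sorted(set(crypto))
            for pair in acls.get(name, []) if not any(covers(e, pair) for e in exempt)]
```

Run against the posted ACLs alone it reports nothing, which is the check the expert made by eye; only the constructed `ABC_DMZ` pair is flagged.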
Author Comment

ID: 13729027

Thanks for the detailed response.  I'm currently on travel, but will delve into these links immediately upon my return...will let you know how it goes.  Thanks very much.


Author Comment

ID: 13778675
Both Domains are pure Windows 2003 Server/Windows XP. The .20 Domain is built around MS SBS 2003 Prem with AD and WINS active. The .30 Domain is MS 2003 Server Standard with AD active. Is a server at both ends running WINS still the simplest, most reliable method to replicate across the PIX to PIX VPN, or will a server at both ends running AD replication be sufficient? I also have numerous laptops using Cisco VPN Client v4.x to connect in to the 506 PIX for a final destination of the .30 Domain. Can I configure a solution to allow those machines to seamlessly view the .30 DCs and vice versa? Thanks again.


Author Comment

ID: 13833595

Implementation of a server on the remote end of the site-to-site VPN is now allowing remote hosts to authenticate with the DC across the VPN tunnel. Thanks for the help. Wish I could have avoided the extra expense of another server at the remote end, but at this point time lost is more expensive than the hardware/software costs. Thanks again.

Expert Comment

ID: 13833624
Glad you got it working!
Sorry for not following up on your secondary question:
> I also have numerous laptops using Cisco VPN Client v4.x to connect in to the 506 PIX for a final destination of the .30 Domain.  Can I configure a solution to allow those machines to seamlessly view the .30 DCs and vice versa?  Thanks again.
No. If a client connects to one site, they can only access that site's hosts. If you need to access hosts on the other side of the site-to-site VPN, then you must connect to the other PIX with the client. This is a restriction of the fundamental design of the PIX, which will be changed in version 7.x, but 7.x won't run on the 506. It's for the big brothers only, the 515-535.


