
Active Directory Port Needs

Posted on 2005-04-25
Last Modified: 2011-09-20
We have a remote site that connects to our main facility over a VPN connection.  The remote site is a domain within the AD forest and has a DC at its location which is trusted by the DCs at the main facility.  After implementing it we ran into synchronization issues between the two sites going through the firewall.  We were able to get it running by dropping the outbound access list from the PIX at the main facility.  So right now we are allowing everything out from that firewall and at the remote site allowing these entries out:

access-list deny-outbound permit udp any any eq domain
access-list deny-outbound permit tcp any any eq www
access-list deny-outbound permit tcp any any eq https
access-list deny-outbound permit icmp any any
access-list deny-outbound permit tcp any any eq 3389
access-list deny-outbound permit tcp any any eq ldap
access-list deny-outbound permit udp any any eq 389
access-list deny-outbound permit udp any any eq 88
access-list deny-outbound permit tcp any any eq domain
access-list deny-outbound permit udp any any eq ntp
access-list deny-outbound permit tcp any any eq 135
access-list deny-outbound permit tcp any any eq 445
access-list deny-outbound permit tcp any any eq netbios-ssn
access-list deny-outbound permit udp any any eq netbios-ns
access-list deny-outbound permit tcp any any eq smtp
access-list deny-outbound deny tcp any any

Do I need to allow those same ports on the main firewall as well, or is something needed on the inbound side of the interface?
Question by: leerlp
3 Comments

Expert Comment

by: lrmoore
ID: 13858262
If you are connecting over a VPN tunnel, most likely you have this command in the PIX:
  sysopt connection permit-ipsec

That single command negates/bypasses all interface access-lists and only uses the access-lists that define the interesting traffic to be encrypted.
-------------------------------------------------------
sysopt connection permit-ipsec

Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.
-----------------------------------------------------------

Are you having specific issues that you can't seem to put your finger on?

Author Comment

by: leerlp
ID: 13858298
I'd like to be able to re-add the outbound access list at the main facility.  We generally only allow traffic out through our ISA server so we can limit who has access to the internet, etc.  Right now everything is open going out and users are abusing it.  I'd like to open whatever ports are needed at the main facility to get AD synchronizing with the remote site.

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 13858352
How about a compromise? Since AD requires so darn many ports to function..

access-list outbound permit ip <local private subnet> <mask> <remote private subnet> <mask>
access-list outbound permit ip host <ISA Server> any
access-group outbound in interface inside

All traffic not site-to-site, and not coming through the ISA proxy will be denied.
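As an added example (not from the thread and not Cisco code), a small first-match evaluator for PIX-style access-list lines, fed a trimmed copy of the question's remote-site list and the accepted compromise with constructed subnets (10.1.0.0/16 main, 10.2.0.0/16 remote) and a constructed ISA address of 10.1.0.5. It shows why the compromise works: every site-to-site flow is permitted, including ports the port-by-port list never opened, while internet-bound traffic from any host other than the ISA proxy is still denied.

```python
import ipaddress
# Service names the PIX accepts in "eq" clauses, as used in the thread's ACLs.
NAMES = {"domain": 53, "www": 80, "https": 443, "ldap": 389, "ntp": 123,
         "netbios-ssn": 139, "netbios-ns": 137, "smtp": 25}
# Subset of the remote-site list from the question (port-by-port permits).
ORIGINAL_ACL = """
access-list deny-outbound permit udp any any eq domain
access-list deny-outbound permit udp any any eq 88
access-list deny-outbound permit tcp any any eq 135
access-list deny-outbound permit tcp any any eq 445
access-list deny-outbound deny tcp any any
"""
# The accepted compromise, with constructed subnets and a constructed ISA host.
COMPROMISE_ACL = """
access-list outbound permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outbound permit ip host 10.1.0.5 any
"""

def parse_addr(tokens, i):
    """Return (network, next_index) for 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = parse_addr(t, 4)
        dst, i = parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append((t[2] == "permit", t[3], src, dst, port))
    return rules

def permitted(rules, proto, src, dst, dport):
    """First-match evaluation; no match means the PIX implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for allow, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and (rport is None or rport == dport)):
            return allow
    return False

ORIGINAL, COMPROMISE = parse_acl(ORIGINAL_ACL), parse_acl(COMPROMISE_ACL)
```

Once the required DC-to-DC flows are confirmed, the first compromise line can be narrowed from subnet-to-subnet to the DC addresses without changing the logic above.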
