Solved

SMTP Server(s) in DMZ - Open LDAP Port 389 to Domain Controllers on LAN using a Cisco PIX

Posted on 2006-10-23
Last Modified: 2013-11-16
SMTP server located in the DMZ. Our spam-filtering software, SurfControl, uses Directory Harvest Detection, which uses LDAP to verify valid email addresses.

Firewall is a PIX-515 Ver 6.1(1)

I need to open LDAP port 389 on the PIX firewall to allow LDAP requests to our Domain Controllers. What I have already done follows.

I have added the following conduits on the firewall:

PIX-FIREWALL(config)# conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
PIX-FIREWALL(config)# conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145
PIX-FIREWALL(config)# conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
PIX-FIREWALL(config)# conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145

The first IP address is the Domain Controller and the second is the SMTP mail server.

I cannot telnet to a Domain Controller on port 389 from the DMZ, but I can from my PC, which is on the LAN. I cannot ping the Domain Controller from the DMZ. When I try to telnet from the DMZ, my (hitcnt = xxx) on the PIX doesn't show any hits. So I'm not even passing the firewall, right?

Any help/advice is appreciated. Thanks

Question by:huffakerce
Expert Comment

by:LBACIS
I would try very hard to switch to secure LDAP, which is port 636; this is an encapsulated protocol and of course is encrypted.

Author Comment

by:huffakerce
How come I couldn't even telnet through to the Domain Controller from the DMZ?

My main concern right now is that I can't even seem to get through to where I need to go.

I didn't even know there was a secure LDAP. I will read up on this and see if it will work for our scenario.

Thanks.
Accepted Solution

by:
mahe2000 earned 250 total points
Have you set the static for the DC? Something like:

static (inside,dmz) xxx.xxx.xxx.103  xxx.xxx.xxx.103  netmask 255.255.255.255

Check routing too.

I recommend you migrate conduits to access lists because they will be deprecated soon.

You don't need UDP conduits at all; LDAP is just TCP.

Author Comment

by:huffakerce
All,

Actually, I figured it out. It's because the mail server is in the DMZ and behind a Cisco Local Director. SMTP traffic comes into xxxx.xxxxx.com on the Local Director and then is directed to an individual server.

So I had to use xxxx.xxxxx.com instead of the mail server directly. This is actually temporary on the PIXes because we have two 5520 ASA clusters in place already, just waiting to be turned up.

I also moved traffic over to port 636 using SSL LDAP.

Thank you everyone for your help.
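Putting the accepted answer and the author's final comment together, as an added example that is not part of the original thread: the identity static the answer asks about, the question's conduit beside its access-list equivalent, and the checks to run on the PIX itself. The addresses, interface names and access-list name are placeholders I have assumed (10.0.0.103 for the DC on the inside interface; 172.16.1.146 for the address the DMZ traffic actually leaves from, which in this thread turned out to be the Local Director rather than the mail server; interfaces named inside and dmz; list named dmz_in). Substitute the real values. PIX 6.x syntax throughout.

```cisco
! Added example, not from the thread. Placeholder values (assumptions):
!   inside DC            10.0.0.103
!   DMZ source address   172.16.1.146  (the address the DMZ mail traffic
!                        really carries as source; a load balancer such as
!                        the Local Director in front of the server changes it)
!   interfaces inside / dmz, access-list dmz_in

! 1. Identity static. Without a translation for the DC on the dmz side the
!    PIX drops DMZ-initiated packets before any conduit or ACL is checked,
!    which is why hitcnt never moves.
static (inside,dmz) 10.0.0.103 10.0.0.103 netmask 255.255.255.255

! 2a. Conduit form (what the question used): global/inside host first,
!     foreign/DMZ host second. TCP only: LDAP binds and searches run over
!     TCP. UDP 389 carries only Windows CLDAP DC-locator pings, which a
!     DMZ mail filter doing address lookups does not send.
conduit permit tcp host 10.0.0.103 eq 636 host 172.16.1.146

! 2b. Equivalent access-list form, the replacement the accepted answer
!     recommends: source first, destination second, bound inbound on dmz.
!     636 (LDAPS) only answers once the DC holds a server-authentication
!     certificate; until then the DC does not listen on 636 at all.
access-list dmz_in permit tcp host 172.16.1.146 host 10.0.0.103 eq 636
! Keep 389 only while the filter still speaks plaintext LDAP; remove it
! after the move to 636.
access-list dmz_in permit tcp host 172.16.1.146 host 10.0.0.103 eq 389
! Once the list is bound, everything it does not permit is denied on that
! interface, so the DMZ host's other legitimate traffic (its outbound SMTP,
! DNS, and so on) must be permitted here too before binding.
access-group dmz_in in interface dmz

! Drop the conduit once the access-list carries the policy, so the DMZ
! rules live in one place.
no conduit permit tcp host 10.0.0.103 eq 636 host 172.16.1.146

! 3. Verify on the PIX: the static must be present, and hitcnt on the
!    dmz_in entries must increment when the DMZ host connects to the DC.
show static
show access-list dmz_in
```

Enter the lines in configuration mode. If `show access-list dmz_in` still reports hitcnt 0 after a test connection from the DMZ, the packet is not reaching the rule: confirm the static with `show static`, then check that the source address the DMZ host really uses matches the entry, because NAT or a load balancer in front of the server changes that address, exactly as the author found with the Local Director.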
