Solved

SMTP Server(s) in DMZ - Open LDAP Port 389 to Domain Controllers on LAN using a Cisco PIX

Posted on 2006-10-23
1,065 Views
Last Modified: 2013-11-16
SMTP Server located in the DMZ. Our Spam Filtering software SurfControl uses Directory Harvest Detection which uses LDAP to verify valid email addresses.

Firewall is a PIX-515 Ver 6.1(1)

I need to open LDAP port 389 on the PIX firewall to allow LDAP requests to our Domain Controllers. What I have already done follows.

I have added the following conduits on the firewall:

PIX-FIREWALL(config)# conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
PIX-FIREWALL(config)# conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145
PIX-FIREWALL(config)# conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
PIX-FIREWALL(config)# conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145

The first IP Address is the Domain Controller and the second is the SMTP mail Server.

I cannot telnet to a Domain Controller on port 389 from the DMZ, but I can from my PC which is on the LAN. I cannot ping the domain controller from the DMZ. When I try to telnet from the DMZ my (hitcnt = xxx) on the PIX doesn't show any hits. So I'm not even passing the firewall, right?

Any help/advice is appreciated. Thanks

Question by:huffakerce
4 Comments

Expert Comment

by:LBACIS
ID: 17807063
I would try very hard to switch to secure LDAP, which is port 636; this is an encapsulated protocol and of course is encrypted.

Author Comment

by:huffakerce
ID: 17807530
How come I couldn't even telnet through to the Domain Controller from the DMZ?

My main concern right now is that I can't even seem to get through to where I need to go.

I didn't even know there was a secure LDAP. I will read up on this and see if it will work for our scenario.

Thanks..

Accepted Solution

by: mahe2000 (earned 250 total points)
ID: 17817725
Have you set the static for the DC? Something like:

static (inside,dmz) xxx.xxx.xxx.103  xxx.xxx.xxx.103  netmask 255.255.255.255

Check routing too.

I recommend you migrate conduits to access lists, because they will be deprecated soon.

You don't need UDP conduits at all; LDAP is just TCP.
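As an added example (not part of this thread, and not the poster's actual configuration), here is the accepted answer's fix written out as a PIX 6.x configuration fragment: an identity static for the DC, an access list in place of the conduits, TCP only, and LDAPS on 636 instead of cleartext 389. The addresses are documentation placeholders (192.0.2.103 for the DC on the inside interface, 192.0.2.146 for the DMZ SMTP host), the interface names "inside" and "dmz" and the ACL name "dmz_to_dc" are assumptions; substitute your own.

```cisco
: Added example, not from the thread. Placeholder addresses:
:   192.0.2.103 = domain controller on the inside interface
:   192.0.2.146 = SMTP host in the DMZ (use the source address the PIX
:                 actually sees; behind a Local Director that may be the VIP)
: Assumes interface names "inside" and "dmz".
:
: 1. Identity static: without it a lower-security (dmz) host cannot
:    initiate a connection to an inside host, so nothing reaches the
:    conduit/ACL and hitcnt stays at 0.
static (inside,dmz) 192.0.2.103 192.0.2.103 netmask 255.255.255.255
:
: 2. Access list replacing the conduits. Operand order is the reverse of
:    conduit syntax: source first, then destination and port. LDAP is TCP
:    only, so no UDP entry; 636 (LDAPS) instead of cleartext 389.
access-list dmz_to_dc permit tcp host 192.0.2.146 host 192.0.2.103 eq 636
:
:    Once an access-group is bound to the dmz interface, everything else
:    the DMZ host originates is denied unless listed, e.g. outbound mail:
access-list dmz_to_dc permit tcp host 192.0.2.146 any eq smtp
:
: 3. Bind the list inbound on the dmz interface.
access-group dmz_to_dc in interface dmz
:
: 4. Retire the old conduits (TCP and UDP, both DCs) once the ACL works.
no conduit permit tcp host 192.0.2.103 eq 389 host 192.0.2.146
no conduit permit udp host 192.0.2.103 eq 389 host 192.0.2.146
```

After applying it, "show access-list dmz_to_dc" shows a hitcnt per entry, which is the same counter the question was watching on the conduits; a hitcnt that stays at zero while the DMZ host is connecting points back at the missing static or at routing, not at the permit itself. Lines beginning with ":" are comments in a PIX configuration file.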
Author Comment

by:huffakerce
ID: 17823111
All,

Actually I figured it out. It's because the mail server is in the DMZ and behind a Cisco Local Director. SMTP traffic comes into xxxx.xxxxx.com on the Local Director and then is directed to an individual server.

So I had to use the xxxx.xxxxx.com instead of the mail server directly. This is actually temporary on the PIX's because we have two 5520 ASA Clusters in place already just waiting to be turned up.

I also moved traffic over to port 636 using SSL LDAP.

Thanks everyone for your help.
