SMTP Server(s) in DMZ - Open LDAP Port 389 to Domain Controllers on LAN using a Cisco PIX

SMTP Server located in the DMZ. Our Spam Filtering software SurfControl uses Directory Harvest Detection which uses LDAP to verify valid email addresses.

Firewall is a PIX-515 Ver 6.1(1)

I need to open LDAP port 389 on the PIX firewall to allow LDAP request to our Domain Controllers. What I have already done follows.

I have added the following conduits on the firewall:

PIX-FIREWALL(config)# conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
PIX-FIREWALL(config)# conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145
PIX-FIREWALL(config)# conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
PIX-FIREWALL(config)# conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145

The first IP Address is the Domain Controller and the second is the SMTP mail Server.

I cannot telnet to a Domain Controller on port 389 from the DMZ, but I can from my PC which is on the LAN. I cannot ping the domain controller from the DMZ. When I try to telnet from the DMZ my (hitcnt = xxx) on the PIX doesn't show any hits. So I'm not even passing the firewall, right?

Any help/advice is appreciated. Thanks

huffakerceAsked:
Who is Participating?
 
mahe2000Commented:
have you set the static for the DC??? something like:

static (inside,dmz) xxx.xxx.xxx.103  xxx.xxx.xxx.103  netmask 255.255.255.255

check routing too....

i recomend you to migrate conduits to access lists because they will be deprecated soon.......

you don't need udp conduits at all.... ldap is just tcp
0
 
LBACISCommented:
I would try very hard to switch to secure ldap which is 636 this is a encapsulated protocol and of course is encrypted.
0
 
huffakerceAuthor Commented:
How's come I couldn't even telnet through to the Domain Controller from the DMZ.

My main concern right now is that I can't even seem to get through to where I need to go.

I didn't even know there was a secure LDAP. I will read up on this and see if it will work for our scenario.

Thanks..
0
 
huffakerceAuthor Commented:
All,

Actually I figured it out.. Because the mail server is in the DMZ and behind a Cisco Local Director. SMTP traffic comes into xxxx.xxxxx.com on the Local Director and then is directed to an individual server.

So I had to use the xxxx.xxxxx.com instead of the mail server directly. This is actually temporary on the PIX's because we have two 5520 ASA Clusters in place already just waiting to be turned up.

I also moved traffic over to port 636 using SSL LDAP.

Thank everyone for you help..

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.