SMTP Server(s) in DMZ - Open LDAP Port 389 to Domain Controllers on LAN using a Cisco PIX

Posted on 2006-10-23
Last Modified: 2013-11-16
SMTP server is located in the DMZ. Our spam filtering software, SurfControl, uses Directory Harvest Detection, which uses LDAP to verify valid email addresses.

Firewall is a PIX-515 Ver 6.1(1)

I need to open LDAP port 389 on the PIX firewall to allow LDAP requests to our Domain Controllers. What I have already done follows.

I have added the following conduits on the firewall:

PIX-FIREWALL(config)# conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
PIX-FIREWALL(config)# conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145
PIX-FIREWALL(config)# conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
PIX-FIREWALL(config)# conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145

The first IP Address is the Domain Controller and the second is the SMTP mail Server.

I cannot telnet to a Domain Controller on port 389 from the DMZ, but I can from my PC, which is on the LAN. I cannot ping the domain controller from the DMZ. When I try to telnet from the DMZ, the hit count (hitcnt = xxx) on the PIX doesn't show any hits. So I'm not even passing the firewall, right?

Any help/advice is appreciated. Thanks.

Question by:huffakerce
4 Comments

Expert Comment

by:LBACIS
ID: 17807063
I would try very hard to switch to secure LDAP, which is port 636; this is an encapsulated protocol and of course is encrypted.

Author Comment

by:huffakerce
ID: 17807530
How come I couldn't even telnet through to the Domain Controller from the DMZ?

My main concern right now is that I can't even seem to get through to where I need to go.

I didn't even know there was a secure LDAP. I will read up on this and see if it will work for our scenario.

Thanks.


Accepted Solution

by: mahe2000 (earned 750 total points)
ID: 17817725
Have you set the static for the DC? Something like:

static (inside,dmz) xxx.xxx.xxx.103  xxx.xxx.xxx.103  netmask 255.255.255.255

Check routing too.

I recommend you migrate conduits to access lists, because they will be deprecated soon.

You don't need UDP conduits at all; LDAP is just TCP.


Author Comment

by:huffakerce
ID: 17823111
All,

Actually, I figured it out. Because the mail server is in the DMZ and behind a Cisco Local Director, SMTP traffic comes into xxxx.xxxxx.com on the Local Director and is then directed to an individual server.

So I had to use xxxx.xxxxx.com instead of the mail server directly. This is actually temporary on the PIXs, because we have two 5520 ASA clusters in place already, just waiting to be turned up.

I also moved traffic over to port 636 using SSL LDAP.

Thanks everyone for your help.

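Putting the accepted answer and the author's follow-up together, the configuration below is an added example (not posted by anyone in this thread and not taken from the Cisco documentation) of what the PIX 6.x side looks like once the identity static is in place, the conduits are replaced by an access list, and the LDAP client has moved to TCP 636. It keeps the masked addresses from the question (xxx.xxx.xxx.103 for the domain controller, .145/.146 for the mail servers), and assumes the DMZ interface was named "dmz" with nameif; both are placeholders to adjust for the real network.

```cisco
! Added example: PIX 6.x config for DMZ mail servers querying an inside DC over LDAP.
! Assumed names/addresses: interface "dmz", DC xxx.xxx.xxx.103 (inside),
! mail servers xxx.xxx.xxx.146 and xxx.xxx.xxx.145 (dmz). Adjust before use.

! 1. Translation first. The PIX never forwards traffic from a lower-security
!    interface (dmz) to a higher one (inside) without a static or nat 0 entry,
!    no matter what conduits or ACLs say - which is why hitcnt stayed at zero.
!    An identity static keeps the DC at its real address as seen from the DMZ.
static (inside,dmz) xxx.xxx.xxx.103 xxx.xxx.xxx.103 netmask 255.255.255.255

! 2. Drop the conduits they replace (the UDP ones included; this LDAP check
!    is TCP). Do not leave conduits and an ACL for the same traffic side by side.
no conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
no conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145
no conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
no conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145

! 3. Inbound ACL on the DMZ interface: each mail server may reach only the DC,
!    only on LDAPS (636). Plain 389 is deliberately not opened once the
!    SurfControl client is configured for LDAP over SSL.
access-list dmz_in permit tcp host xxx.xxx.xxx.146 host xxx.xxx.xxx.103 eq 636
access-list dmz_in permit tcp host xxx.xxx.xxx.145 host xxx.xxx.xxx.103 eq 636
!    Applying an ACL adds an implicit deny for everything else leaving the DMZ,
!    so outbound mail delivery has to be listed explicitly.
access-list dmz_in permit tcp host xxx.xxx.xxx.146 any eq 25
access-list dmz_in permit tcp host xxx.xxx.xxx.145 any eq 25
access-group dmz_in in interface dmz

! 4. Verify. hitcnt is now kept per ACL line, and the xlate table shows the
!    identity translation being used. If a load balancer (the Local Director in
!    this thread) fronts the mail servers, the source address the PIX sees may be
!    the balancer's address rather than a real server: check which source is
!    actually arriving before permitting it.
show static
show access-list dmz_in
show xlate
```

Permitting only the source hosts, destination host and port that the application needs is the point of moving from conduits to an access list: if a DMZ mail server is compromised, the attacker gets an LDAPS connection to one DC and nothing else on the LAN, and every other attempt from that host shows up as a denied packet rather than being silently passed by a broad conduit.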