Solved

SMTP Server(s) in DMZ - Open LDAP Port 389 to Domain Controllers on LAN using a Cisco PIX

Posted on 2006-10-23
4
1,061 Views
Last Modified: 2013-11-16
SMTP Server located in the DMZ. Our Spam Filtering software SurfControl uses Directory Harvest Detection which uses LDAP to verify valid email addresses.

Firewall is a PIX-515 Ver 6.1(1)

I need to open LDAP port 389 on the PIX firewall to allow LDAP request to our Domain Controllers. What I have already done follows.

I have added the following conduits on the firewall:

PIX-FIREWALL(config)# conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
PIX-FIREWALL(config)# conduit permit tcp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145
PIX-FIREWALL(config)# conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.146
PIX-FIREWALL(config)# conduit permit udp host xxx.xxx.xxx.103 eq 389 host xxx.xxx.xxx.145

The first IP Address is the Domain Controller and the second is the SMTP mail Server.

I cannot telnet to a Domain Controller on port 389 from the DMZ, but I can from my PC which is on the LAN. I cannot ping the domain controller from the DMZ. When I try to telnet from the DMZ my (hitcnt = xxx) on the PIX doesn't show any hits. So I'm not even passing the firewall, right?

Any help/advice is appreciated. Thanks

0
Comment
Question by:huffakerce
  • 2
4 Comments
 
LVL 4

Expert Comment

by:LBACIS
ID: 17807063
I would try very hard to switch to secure ldap which is 636 this is a encapsulated protocol and of course is encrypted.
0
 

Author Comment

by:huffakerce
ID: 17807530
How's come I couldn't even telnet through to the Domain Controller from the DMZ.

My main concern right now is that I can't even seem to get through to where I need to go.

I didn't even know there was a secure LDAP. I will read up on this and see if it will work for our scenario.

Thanks..
0
 
LVL 3

Accepted Solution

by:
mahe2000 earned 250 total points
ID: 17817725
have you set the static for the DC??? something like:

static (inside,dmz) xxx.xxx.xxx.103  xxx.xxx.xxx.103  netmask 255.255.255.255

check routing too....

i recomend you to migrate conduits to access lists because they will be deprecated soon.......

you don't need udp conduits at all.... ldap is just tcp
0
 

Author Comment

by:huffakerce
ID: 17823111
All,

Actually I figured it out.. Because the mail server is in the DMZ and behind a Cisco Local Director. SMTP traffic comes into xxxx.xxxxx.com on the Local Director and then is directed to an individual server.

So I had to use the xxxx.xxxxx.com instead of the mail server directly. This is actually temporary on the PIX's because we have two 5520 ASA Clusters in place already just waiting to be turned up.

I also moved traffic over to port 636 using SSL LDAP.

Thank everyone for you help..

0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
cisco nexus experiance 2 61
Cisco ASA 5505 ios upgrade 6 45
EIGRP Configuration 2 46
Cisco 2911/Etherswitch: Bringing up SVI and not seeing vlan on one side of trunk 7 40
Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now