How to open ports from DMZ interface to INSIDE interface on PIX 515

Probably another simple one for everyone but here we go....
I have a PIX 515e with PIX 7.2(2) and the latest ASDM.
I wish to open ports from my DMZ to my INSIDE interface in order to get my WS_FTP server to pull users from active directory and at this point just to know how to do it. I currently do not have any NAT, Routes, ACLs in my pix for this because at this point i just put everything back to normal and wanted to start fresh.
Thanks in advance!

IP Address:
WS_FTP server internal 10.30.30.15 external 192.168.8.21 on DMZ
AD is internal 10.0.2.13 no external address at this time on INSIDE

I believe that I need all these ports open for this to work
UDP      domain            53
TCP      domain            53
UDP      Kerberos      88
TCP      Kerberos      88
UDP      Time            123
TCP      Kerberos Auth      135
UDP      netbios-ns      137
TCP      netbios-ssn      139
TCP      ldap            389
UDP      ldap            389
TCP      microsoft-ds      445
TCP      ldap to GC      3268

Below is my interface setup:
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.8.254 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.30.30.1 255.255.255.0
 ospf cost 10
!
interface Ethernet3
 nameif vendor
 security-level 40
 ip address 192.168.1.254 255.255.255.0
 ospf cost 10
!
richakrAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

batry_boyCommented:
Put in these commands to allow the access that you desire:

static (inside,dmz) 10.0.2.13 10.0.2.13 netmask 255.255.255.255           <---allows DMZ hosts to see AD server as it's real IP address
static (dmz,outside) 192.168.8.21 10.30.30.15 netmask 255.255.255.255  <-allows Internet to see the WS_FTP server as 192.168.8.21
access-list acl_outside_in permit tcp any host 192.168.8.21 eq 21           <---allows FTP traffic from the Internet to the WS_FTP server
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 53
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 53
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 88
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 88
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 123
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 135
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 137
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 139
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 389
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 389
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 445
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 3268
access-list acl_dmz_in deny any 10.0.2.0 255.255.255.0           <----denies any other inbound traffic not explicitly identified above
access-list acl_dmz_in permit ip any any                               <----allows DMZ hosts to get to the Internet...take this out if not desired
access-group acl_dmz_in in interface dmz                             <----applies ACL to the DMZ interface
access-group acl_outside_in in interface outside                  <----applies ACL to the outside interface

This should point you in the right direction...
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rsivanandanCommented:
As of now from inside to dmz all the traffic is allowed and you don't need to do anything on that end (Higher security to Lower security)

Now for the machine from dmz to talk to inside you can do nat as below;

static(inside,dmz) 10.0.2.13 10.0.2.13 netmask 255.255.255.255

access-list DMZ-IN permit udp host 10.30.30.15 host 10.0.2.13 eq domain
.... etc.. keep adding for all the services you need so that the ftp server talks to AD server

access-group DMZ-IN in interface dmz

Cheers,
Rajesh
0
rsivanandanCommented:
oops.. again at the same time!

Cheers,
Rajesh
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

batry_boyCommented:
;-)
0
richakrAuthor Commented:
Thanks guys sorry rsivanandan but barty just beat you to the punch.
0
rsivanandanCommented:
No issues... :)

Cheers,
Rajesh
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.