ASA to allow NETBIOS traffic.

Posted on 2007-10-15
Last Modified: 2012-06-27
I have a Cisco ASA firewall with 3 network interfaces, outside, inside and dmz.

I need my servers in the DMZ to be able to browse the network through My Network Places and see the clients on the inside interface.
When I permit ALL traffic between interfaces, this works OK, but when I block traffic and allow only a certain number of ports for generic services (SMTP, web, email and RDP) the network browsing stops working. I have NetBIOS enabled on the DMZ servers. What ports do I need to open between the DMZ subnet and the inside subnet to allow browsing of the internal network?
Question by:eggster34
    LVL 2

    Expert Comment

    Maybe use WINS on the internal and let the servers in the DMZ resolve that way?

    I believe NetBIOS uses UDP 137, 138 and TCP 139 and 445 but I wouldn't recommend setting it up this way.  I don't know your setup so apologies if you have already thought about it but a DMZ should be strictly limited in what it can do to the inside network and browsing is not something that is usually required.  You could always use the hosts file on the DMZ servers so they can resolve what you want, assuming it is only a few machines?

    Author Comment

    It is about 200 machines so the hosts file is out of the question.
    The ports are already open between both subnets but browsing still does not work.
    LVL 2

    Accepted Solution

    WINS an option?  NAT may break NetBIOS apparently.  What rules have you set up to allow the traffic?  Can you post them?

    UDP ports

        * 137: NetBIOS name resolution (name service), WINS
        * 138 and? 139: NetBIOS datagram (browsing) [138 for sure, some documents include 139 too]
        * 135: RPC
        * 15: NETSTAT

    TCP ports

        * 135: RPC
        * 139: NetBIOS session (NET USE)

    The above from
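
    As an added example (not the questioner's configuration and not posted by anyone in this thread), here is how the port list above translates into an ASA access list that opens only NetBIOS from the DMZ toward the inside, instead of permit ip any any. The subnets 192.168.20.0/24 (dmz) and 192.168.10.0/24 (inside), the WINS server address 192.168.10.5, and the names DMZ_IN and NETBIOS-TCP are assumed placeholders. It is slightly narrower than the list above: UDP 137 goes only to the WINS server, since with WINS in place the name service does not need to reach every inside host. The static identity NAT line at the end assumes a pre-8.3 ASA (the thread dates from 2007), where NAT between interfaces is otherwise required and, as noted above, would break NetBIOS.

```cisco
! Added example, not the questioner's running config. Addresses and names are placeholders.
! dmz = 192.168.20.0/24, inside = 192.168.10.0/24, WINS server = 192.168.10.5 (all assumed)

! NetBIOS session ports from the TCP list above (139) plus direct SMB (445)
object-group service NETBIOS-TCP tcp
  port-object eq 139
  port-object eq 445

! Name service only needs to reach the WINS server, not every inside host
access-list DMZ_IN remark NetBIOS name service (UDP 137) to the WINS server only
access-list DMZ_IN extended permit udp 192.168.20.0 255.255.255.0 host 192.168.10.5 eq 137
! Datagram service (UDP 138) and session service (TCP 139/445) to the inside subnet
access-list DMZ_IN remark NetBIOS datagram and session to the inside subnet
access-list DMZ_IN extended permit udp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 138
access-list DMZ_IN extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 object-group NETBIOS-TCP
! The existing SMTP/web/RDP permits belong in this same list; anything not listed hits the implicit deny
access-group DMZ_IN in interface dmz

! Pre-8.3 ASA only: identity NAT so inside addresses are not translated toward the DMZ
! (NetBIOS carries IP addresses inside the packet payload, so translation breaks browsing)
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
```

    To check the rule set rather than guess, `show access-list DMZ_IN` shows per-line hit counts after a browse attempt, and `packet-tracer input dmz udp 192.168.20.10 1024 192.168.10.5 137` walks one simulated name-service packet through the ACL and NAT phases and reports which one drops it.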

    Author Comment

    Actually, currently I have permit ip any any between all interfaces.
    LVL 2

    Expert Comment

    Sorry for the delay, had problems with email validation stopping me posting.
    You haven't mentioned what you are using for resolution DNS and/or WINS?
    Can you ping the IP of the DNS/WINS servers correctly?

    If you want a browse list then WINS would be the best option I believe.

    LVL 75

    Expert Comment

    by:Anthony Perkins
