  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2901

ASA to allow NETBIOS traffic.

Hi
I have a Cisco ASA firewall with 3 network interfaces, outside, inside and dmz.

I need my servers in the DMZ to be able to browse the network through My Network Places and see the clients on the inside interface.
When I permit ALL traffic between interfaces, this works OK, but when I block traffic and allow only a certain number of ports for generic services (SMTP, web, email and RDP) the network browsing stops working. I have NetBIOS enabled on the DMZ servers. What ports do I need to open between the DMZ subnet and the inside subnet to allow browsing of the internal network?
Asked by eggster34
1 Solution
AndyJG247 commented:
Maybe use WINS on the internal and let the servers in the DMZ resolve that way?

I believe NetBIOS uses UDP 137, 138 and TCP 139 and 445 but I wouldn't recommend setting it up this way.  I don't know your setup so apologies if you have already thought about it but a DMZ should be strictly limited in what it can do to the inside network and browsing is not something that is usually required.  You could always use the hosts file on the DMZ servers so they can resolve what you want, assuming it is only a few machines?
eggster34 (Author) commented:
It is about 200 machines, so the hosts file is out of the question.
The ports are already open between both subnets, but browsing still does not work.
AndyJG247 commented:
Is WINS an option?  NAT may break NetBIOS apparently.  What rules have you set up to allow the traffic?  Can you post them?

UDP ports

    * 137: NetBIOS name resolution (name service), WINS
    * 138 (and 139?): NetBIOS datagram (browsing) [138 for sure; some documents include 139 too]
    * 135: RPC
    * 15: NETSTAT

TCP ports

    * 135: RPC
    * 139: NetBIOS session (NET USE)

The above from
http://www.faughnan.com/netbios.html 
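As an added illustration (not configuration posted in this thread), the following Cisco ASA access list permits only the NetBIOS/SMB ports listed above from the DMZ to the inside and denies everything else from the DMZ; the subnet addresses, interface name and ACL name are placeholders for your own.

```cisco
access-list DMZ_IN remark Added example: restrict DMZ -> inside to NetBIOS/SMB only
access-list DMZ_IN remark 192.0.2.0/24 = placeholder DMZ subnet, 10.0.0.0/24 = placeholder inside subnet

object-group service NETBIOS-UDP udp
 port-object eq 137
 port-object eq 138
object-group service NETBIOS-TCP tcp
 port-object eq 139
 port-object eq 445

access-list DMZ_IN extended permit udp 192.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0 object-group NETBIOS-UDP
access-list DMZ_IN extended permit tcp 192.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0 object-group NETBIOS-TCP
access-list DMZ_IN remark Explicit deny with logging so blocked DMZ traffic shows up in syslog
access-list DMZ_IN extended deny ip any any log

access-group DMZ_IN in interface dmz
```

Even with these ports open, the browse list itself is built from UDP 138 broadcasts that the ASA does not forward between subnets, which is why the WINS (or DNS/hosts) based resolution suggested above is the usual way to get names across a routed boundary.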
eggster34 (Author) commented:
Actually, currently I have permit ip any any between all interfaces.
AndyJG247 commented:
Sorry for the delay, had problems with email validation stopping me posting.
You haven't mentioned what you are using for resolution, DNS and/or WINS?
Can you ping the IP of the DNS/WINS servers correctly?

If you want a browse list then WINS would be the best option I believe.

Anthony Perkins commented:
Ping