eggster34 asked:
ASA to allow NETBIOS traffic.
Hi
I have a Cisco ASA firewall with 3 network interfaces: outside, inside and dmz.
I need my servers in the DMZ to be able to browse the network through My Network Places and see the clients on the inside interface.
When I permit ALL traffic between interfaces, this works OK, but when I block traffic and allow only a certain number of ports for generic services (SMTP, web, email and RDP) the network browsing stops working. I have NETBIOS enabled on the DMZ servers. What ports do I need to open between the DMZ subnet and the inside subnet to allow browsing of the internal network?
ASKER
It is about 200 machines, so the hosts file is out of the question.
The ports are already open between both subnets, but browsing still does not work.
ASKER
Actually, currently I have permit ip any any between all interfaces.
Sorry for the delay, had problems with email validation stopping me posting.
You haven't mentioned what you are using for resolution, DNS and/or WINS?
Can you ping the IP of the DNS/WINS servers correctly?
If you want a browse list then WINS would be the best option I believe.
Ping
I believe NetBIOS uses UDP 137, 138 and TCP 139 and 445, but I wouldn't recommend setting it up this way. I don't know your setup, so apologies if you have already thought about it, but a DMZ should be strictly limited in what it can do to the inside network, and browsing is not something that is usually required. You could always use the hosts file on the DMZ servers so they can resolve what you want, assuming it is only a few machines?
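The port list above, written out as an ASA access list that opens those ports only from the DMZ servers to the inside WINS/DNS server rather than "permit ip any any" (an added example, not from this thread; the interface names inside and dmz come from the question, while the addresses, object-group names and ACL name are constructed placeholders):

```cisco
! Added example, not from the thread. Assumed values: DMZ servers
! 192.0.2.10-11, inside WINS/DNS server 10.0.0.5, ACL name DMZ_IN.
object-group network DMZ_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network INSIDE_WINS
 network-object host 10.0.0.5
! UDP 137 (name service) and UDP 138 (datagram service, browser announcements)
object-group service NETBIOS_UDP udp
 port-object eq netbios-ns
 port-object eq netbios-dgm
! TCP 139 (session service) and TCP 445 (SMB directly over TCP)
object-group service NETBIOS_TCP tcp
 port-object eq netbios-ssn
 port-object eq 445
! Name resolution against the same inside server, for the DNS case
access-list DMZ_IN extended permit udp object-group DMZ_SERVERS object-group INSIDE_WINS eq domain
access-list DMZ_IN extended permit udp object-group DMZ_SERVERS object-group INSIDE_WINS object-group NETBIOS_UDP
access-list DMZ_IN extended permit tcp object-group DMZ_SERVERS object-group INSIDE_WINS object-group NETBIOS_TCP
! Anything else from the DMZ toward inside is dropped and logged, so a port
! that is still missing shows up as a %ASA-4-106023 deny in the syslog
access-list DMZ_IN extended deny ip any any log
! dmz is the lower-security interface, so the ACL is applied inbound there
access-group DMZ_IN in interface dmz
! Hit counts per line: show access-list DMZ_IN
```

The browse list itself is built from subnet broadcasts, which the ASA will not forward between interfaces, so even with these ports open the DMZ servers only see the inside machines once they register with and query the inside WINS server, which is the WINS recommendation made above.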