
DMZ/inside log into domain

Status
Not open for further replies.

lost4life (IS-IT--Management)
Jul 2, 2003
I have several web servers on the DMZ that are part of a NT domain. They have to stay on the domain due to user and SQL issues. The PDC is on the inside (IP 192.168.1.2). The WINS server is also on the inside (IP 192.168.1.3). How do I let the servers on the DMZ (IP 192.168.2.x) log into the domain?
 
Write an access list to give DMZ machines access to the PDC and the WINS...and vice versa.
 
I can create a static mapping for the WINS and open the required ports, but the DMZ will not know where the PDC is. Won't the WINS server return an inside IP address (192.168.1.2) for the PDC, which would mean nothing to the DMZ machines, which are 192.168.2.x?
 
Well, I didn't say a static mapping. I said an access list. That determines what can get to what.

If you've created the access lists and your DMZ machines still can't see the PDC, it's probably because you don't have WINS servers in the network settings of your DMZ machines.

Post the config of your firewall.
 
I have WINS manually set on the DMZ machines with an IP of 192.168.2.3. I have a static mapping static (inside,dmz) 192.168.2.3 192.168.1.3. I have been trying all different kinds of access-lists. Currently this is what I have:
access-list acl_DMZ permit udp any any eq 53
access-list acl_DMZ permit tcp any any eq 88
access-list acl_DMZ permit udp any any eq 88
access-list acl_DMZ permit tcp any any eq 135
access-list acl_DMZ permit tcp any any eq 389
access-list acl_DMZ permit udp any any eq 389
access-list acl_DMZ permit tcp any any eq 445
access-list acl_DMZ permit tcp any any eq 3268
access-list acl_DMZ permit udp any any eq 137
access-list acl_DMZ permit udp any any eq 138
access-list acl_DMZ permit tcp any any eq 139
access-list acl_DMZ permit tcp any any eq 42
access-list acl_DMZ permit tcp any any range 1024 65535
access-group acl_DMZ in interface DMZ

Thanks for your help. It has been a long day and I am getting more confused every second.
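An added example, not code from any poster in this thread: a small Python linter that parses PIX-style access-list lines like the ones posted above and flags entries that permit any source to any destination or a wide port range, so the DMZ rule set can be narrowed to the DMZ subnet and the specific inside hosts (PDC and WINS). The regex, the Finding type and the range threshold are my assumptions, and the sample entries are the thread's own lines embedded as a constructed string.

```python
import re
from dataclasses import dataclass

# Hypothetical parser (not from the thread) for the PIX 6.x access-list syntax
# used above: access-list NAME permit|deny PROTO SRC DST [eq PORT | range LO HI]
# SRC/DST may be "any", "host A.B.C.D" or "A.B.C.D MASK".
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\d+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)

@dataclass
class Finding:
    line: str
    reason: str

def lint_acl(config_text, max_range=64):
    """Return one Finding per overly broad permit entry; narrow entries yield none."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("access-list"):
            continue  # access-group and other statements are out of scope
        m = ACL_RE.match(line)
        if not m:
            findings.append(Finding(line, "unparsed entry (check syntax)"))
            continue
        if m["action"] != "permit":
            continue
        if m["src"] == "any" and m["dst"] == "any":
            findings.append(Finding(line, "any source to any destination; pin to DMZ subnet and inside host"))
        if m["proto"] == "ip":
            findings.append(Finding(line, "protocol ip permits every port"))
        elif m["lo"] is not None:
            width = int(m["hi"]) - int(m["lo"]) + 1
            if width > max_range:
                findings.append(Finding(line, f"port range covers {width} ports"))
    return findings

# Constructed sample: the rule set posted in the thread.
SAMPLE_ACL = "\n".join(
    [f"access-list acl_DMZ permit {p} any any eq {n}" for p, n in [
        ("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 135), ("tcp", 389), ("udp", 389),
        ("tcp", 445), ("tcp", 3268), ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 42)]]
    + ["access-list acl_DMZ permit tcp any any range 1024 65535",
       "access-group acl_DMZ in interface DMZ"])

# Constructed example of a narrowed entry: DMZ subnet to the PDC only, one port.
TIGHTENED = "access-list acl_DMZ permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.2 eq 445"

if __name__ == "__main__":
    for f in lint_acl(SAMPLE_ACL):
        print(f"{f.reason}: {f.line}")
```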
 
Try this:

static (inside,dmz) 192.168.1.0 192.168.1.0 255.255.255.0 0 0
access-list acl_DMZ permit icmp any any

Then try pinging from a dmz machine to an inside machine, and vice versa.

Your whole config would be nice, just so I/we can see if you're missing anything else.
 
Hi.

You can consider an alternate solution:
Implement a copy of the user accounts, and an additional SQL server on the DMZ.
Create a script to duplicate the required database(s) from internal SQL server to DMZ copy.
Then the DMZ will be isolated from the inside, eliminating both security and other issues.

Another option that can be considered: implement a domain controller in the DMZ, and only allow domain-controller-related traffic between the DC in the DMZ and the internal PDC.


Yizhar Hurwitz
 