
Logging onto an AD server from outside PIX 501


rtmags

IS-IT--Management
Mar 13, 2005
10
US
I have a setup in my lab using an AD server, PIX 501, and a dell laptop running Win 2K. The AD server is connected to interface1 (inside) and my laptop to interface0 (I named it SuSe). The AD server has an address of 167.155.212.251 and my laptop 192.168.11.108. I want my laptop to join and authenticate to the domain controlled by the AD server.

I found a KB article by MS showing what ports to open on the firewall ( and set up the PIX.

I first connected my laptop to the same subnet as the AD server, ran Etherpeek to grab packets, and began the process of joining a domain to see the traffic between the two computers. I then connected my laptop to ethernet0 and attempted to join the domain.

I saw two UDP packets to port 53, a return message from the AD (I compared this packet to a packet I captured when my laptop was on the same subnet and the packets were identical except for IP addresses and MAC addresses). My laptop would then send a UDP packet to port 389 (LDAP). After two of these packets, my laptop starts sending MAC-level SMB broadcasts for SAM logins.

I looked in the syslog and saw:
<164>Mar 10 2005 17:53:09: %PIX-4-106100: access-list SusE_access_in denied udp SusE/192.168.11.108(1119) -> inside/167.155.212.251(389) hit-cnt 1 (first hit)

The ACL I had was
access-list SusE_access_in permit udp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq 389 log 4

I loosened it up to:
access-list SusE_access_in permit udp host TFTP_SERVER_NAT range 1024 65535 any eq 389 log 4

Then I tried again and saw the same result, except the syslog said:
<164>Mar 10 2005 18:53:05: %PIX-4-106100: access-list SusE_access_in permitted udp SusE/192.168.11.108(1312) -> inside/167.155.212.251(389) hit-cnt 1 (first hit)

<163>Mar 10 2005 18:53:05: %PIX-3-305005: No translation group found for udp src SusE:TFTP_SERVER_NAT/1312 dst inside:pICSY_AD_SRVR/389

After a few hours, I needed to walk away for I am confused! Why did I first get a deny, then a permit after I changed the ACL from host to any???

Any ideas would be appreciated as I am sure it is something simple but I just developed tunnel vision and am not seeing it.


Below are the applicable sections from the config (I did not want to attach the entire thing, unless someone replies that they want me to)

Here are the applicable names:
name 167.155.212.108 TFTP_SERVER
name 192.168.11.108 TFTP_SERVER_NAT
name 167.155.212.251 PICSY_AD_SRVR
name 192.168.11.251 PICSY_AD_SRVR_NAT

Here are the statics:
static (inside,SusE) PICSY_AD_SRVR_NAT PICSY_AD_SRVR netmask 255.255.255.255 0 0
static (SusE,inside) PICSY_AD_SRVR PICSY_AD_SRVR_NAT netmask 255.255.255.255 0 0
static (SusE,inside) TFTP_SERVER TFTP_SERVER_NAT netmask 255.255.255.255 0 0
static (inside,SusE) TFTP_SERVER_NAT TFTP_SERVER netmask 255.255.255.255 0 0

Here are the ACLs (every one)
access-list SusE_access_in remark Traffic for AD Logon
access-list SusE_access_in permit tcp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq 135 log 4
access-list SusE_access_in remark LDAP for AD
access-list SusE_access_in permit tcp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq ldap log 4
access-list SusE_access_in remark LDAP
access-list SusE_access_in permit udp host TFTP_SERVER_NAT range 1024 65535 any eq 389 log 4
access-list SusE_access_in remark LDAP SSL For AD
access-list SusE_access_in permit tcp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq ldaps log 4
access-list SusE_access_in remark LDAP GC For AD
access-list SusE_access_in permit tcp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq 3268 log 4
access-list SusE_access_in remark LDAP SSL For AD
access-list SusE_access_in permit tcp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq 3269 log 4
access-list SusE_access_in remark DNS
access-list SusE_access_in permit tcp host TFTP_SERVER_NAT eq domain host PICSY_AD_SRVR_NAT eq domain log 4
access-list SusE_access_in remark DNS
access-list SusE_access_in permit udp host TFTP_SERVER_NAT eq domain host PICSY_AD_SRVR_NAT eq domain log 4
access-list SusE_access_in remark DNS
access-list SusE_access_in permit tcp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq domain log 4
access-list SusE_access_in remark DNS
access-list SusE_access_in permit udp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq domain log 4
access-list SusE_access_in remark Kerberos
access-list SusE_access_in permit tcp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq 88 log 4
access-list SusE_access_in remark Kerberos
access-list SusE_access_in permit udp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq 88 log 4
access-list SusE_access_in remark SMB
access-list SusE_access_in permit tcp host TFTP_SERVER_NAT range 1024 65535 host PICSY_AD_SRVR_NAT eq 445 log 4
access-list SusE_access_in remark Final Deny
access-list SusE_access_in deny tcp any any log 4
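A small triage helper, added here as an example and not part of the original post or of any Cisco tooling: it parses the two PIX syslog message types quoted above (106100 access-list hits and 305005 "No translation group found") using the post's own name table, and reports flows that the ACL permitted but that still failed for want of a static/nat entry, which separates an access-list problem from a translation problem. The sample log lines are constructed from the ones quoted in the post.

```python
import re

# Constructed sample modelled on the three syslog lines quoted in the post above.
SAMPLE_LOG = """\
<164>Mar 10 2005 17:53:09: %PIX-4-106100: access-list SusE_access_in denied udp SusE/192.168.11.108(1119) -> inside/167.155.212.251(389) hit-cnt 1 (first hit)
<164>Mar 10 2005 18:53:05: %PIX-4-106100: access-list SusE_access_in permitted udp SusE/192.168.11.108(1312) -> inside/167.155.212.251(389) hit-cnt 1 (first hit)
<163>Mar 10 2005 18:53:05: %PIX-3-305005: No translation group found for udp src SusE:TFTP_SERVER_NAT/1312 dst inside:pICSY_AD_SRVR/389
"""

# Name-to-address map from the post's "name" commands. 305005 prints names and
# the PIX treats them case-insensitively ("pICSY_AD_SRVR"), so keys are lowercased.
NAMES = {"tftp_server": "167.155.212.108", "tftp_server_nat": "192.168.11.108",
         "picsy_ad_srvr": "167.155.212.251", "picsy_ad_srvr_nat": "192.168.11.251"}

# 106100: per-ACE hit log; carries interface/ip(port) for both ends of the flow.
ACL_RE = re.compile(
    r"%PIX-4-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"[^/]+/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> [^/]+/(?P<dip>[\d.]+)\((?P<dport>\d+)\)")
# 305005: the packet got past the ACL but no static/nat entry covered it.
NAT_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src [^:]+:(?P<shost>\S+)/(?P<sport>\d+) dst [^:]+:(?P<dhost>\S+)/(?P<dport>\d+)")

def resolve(host):
    """Map a PIX name (or an already dotted address) to its dotted address."""
    return NAMES.get(host.lower(), host)

def parse_pix_log(text):
    """Bucket each line's 5-tuple (proto, sip, sport, dip, dport) by outcome."""
    permitted, denied, no_xlate = set(), set(), set()
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            flow = (m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))
            (permitted if m["action"] == "permitted" else denied).add(flow)
            continue
        m = NAT_RE.search(line)
        if m:
            no_xlate.add((m["proto"], resolve(m["shost"]), int(m["sport"]),
                          resolve(m["dhost"]), int(m["dport"])))
    return permitted, denied, no_xlate

def acl_ok_but_no_xlate(text):
    """Flows the ACL passed that then died for lack of a translation: for these
    the access-list is no longer the thing to tune; the static/nat config is."""
    permitted, _, no_xlate = parse_pix_log(text)
    return sorted(permitted & no_xlate, key=lambda f: f[2])
```

On the sample above it reports only the second LDAP attempt (source port 1312), i.e. the flow the loosened ACL permitted but the NAT layer rejected; the first attempt (port 1119) was denied by the ACL and never reached translation.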
 
Hello

Did you ever find a resolution to the "%PIX-3-305005: No translation group found for udp src SusE:TFTP_SERVER_NAT/1312 dst inside:pICSY_AD_SRVR/389" error?