Setting up two way trusts through a router.

[ste1]

I have a Cisco 4500 (IOS 12.0) with two LAN interfaces. The router has IP access lists applied to one of the interfaces which restrict access to certain devices.
I have a NT domain controller on each ethernet network and need to set up a two way trust between these servers but for some reason the router prevents the trust from forming. If I move the PDC's so they are on the same segment the trust can be established. Any ideas.

Thanks

Ste1010

 

[sudheermt]

Hi,
The router processes only tcp/ip, not netbeui, so native Windows networking cannot be accessed,try enabeling Netbeui over tcp/ip.

thanks
Sudheer

 

[wybnormal]

Not quite correct. Native Netbeui(netbios?) can be native to the router by using DLSW or bridging mode. In DLSW, a TCP connection is opened between the routers and then traffic is allowed across. Normal applications for this is SNA and NB. Bridging is another simpler way to allow NB traffic across a router.

I think what you meant to say is that NB is not natively routable since it's based a peer to peer protocol and does not use a logical addressing scheme like TCP/IP. It is bridgable.

MikeS
Find me at

http://www.packetattack.com

"The trouble with giving up civil rights is that you never get them back"

 

[marsd]

This is what you need.

http://www.cisco.com/warp/public/473/108_4.html

 

[ste1]

Thanks guys.

I believe the NT servers are using NBT (Netbios over TCP). As it is using TCP and not UDP I thought any traffic would get through the router or does the server broadcast and therefore packets are dropped by the router.

 

[CCIEWANNABE]

"I thought any traffic"

Service Protocol Source port (on client unless specified) Destination port (on server unless specified)
FTP (control connection) TCP > 1023 21
FTP (data connection) TCP 20 (from server) > 1023 (to client)
FTP PASV data connection TCP > 1023 20
FTP PASV data connection as implemented by many browsers TCP > 1023 > 1023
Secure Shell (SSH) TCP > 1023 22
Telnet TCP > 1023 23
SMTP TCP > 1023 25
TACACS UDP 49 49
DNS UDP 53> 1023 53
DNS (for zone transfers and for large queries in presence of large packet loss) TCP > 1023 53
TFTP UDP > 1023 69
POP3 TCP > 1023 110
IDENT (often used by mailers) TCP > 1023 113
NNTP (News) TCP > 1023 119
NTP (Network Time Protocol) UDP 123 123
Netbios services UDP 137, 138 > 1023 137, 138
Netbios file sharing TCP > 1023 139
SNMP UDP > 1023 161
SSL TCP > 1023 443
REXEC TCP > 1023 512
RLOGIN TCP < 1024 513
RSH TCP < 1024 514
SOCKS TCP > 1023 1080
Squid Proxy TCP > 1023 3128
Syslog UDP > 1023 514
or


TCP and UDP qualifers

or


Table A.1. IP protocols
Protocol name IP protocol number
AH 51
EIGRP 88
ESP 50
GRE 47
ICMP 1
IGMP 2
IGRP 9
IP 0-255
IPINIP 94
NOS 4
OSPF 89
TCP 6
UDP 17

Get the message allot of protocols pass thru.
Route once; switch many

 

[wybnormal]

Depends.. dont you just love this answers ?

Pre 4.0 NT, would broadcast UDP packets for many things including the first part of the domain login sequence. Wins and DHCP also use UDP as does what MS calls *browsing* Lets not forget DNS which also uses UDP port 53, TFTP and a few others.

Win2K is better but still needs to use UDP if it's in a mixed network(2K and 4.0) And we haven't touched on Active Directory yet.

A router being a layer 3 device is designed to break broadcast domains. In other words, the broadcast stops here.. at the router. If you need to get broadcasts past the router, then it's bridging time, IP Helper address time or UDP Forwarding time.

At the min, you will need IP Helper on the router interfaces and/or you will use UDP FOrwarding to add or to delete broadcast packets you dont want.

Read this document for all the gory details.. or at least enough to answer your question.

Windows Networking Design Implementation Guide

http://www.cisco.com/warp/public/473/winnt_dg.htm

MikeS Find me at

http://www.packetattack.com

&quot;The trouble with giving up civil rights is that you never get them back&quot;

 

[vancek]

This could be caused by a WINS problem. Make sure WINS is installed and both servers are pointing to the same WINS server (or at least two different WINS servers that are properly replicating). Then check that they are showing in the WINS DB and each DC is properly registering [1Ch] for their respective Domain.

Good Luck,
V--

 

[BuckWeet]

Simple fix for this, install WINS (most recommended way) on one of the servers, then have all your PC's register to that. Or the 2nd way, which takes administrative time, use a LMHOSTS file..

NetBIOS broadcasts don't get routed, and why turn on bridging. If you're going to do that, just take the router out of the equation totally.


Use WINS....

My 2 cents

BuckWeet

 

[wybnormal]

Buck-

I've had to use bridging in the past for some cranky apps that a healthcare provider insisted that they had to have. Even though there was an updated version(they cost money). They used a screwball custom protocol to talk between the server and the workstations. Also, if you have something fun like DECnet or LAT, bridging is one of the simplest ways to go. Granted, you wont see much of it anymore, but sometimes you will run into something ancient in either a dinky company or a very large one where it's been forgotten about. ( it works, why replace it?)

Bridging is one of those things to keep in the back of your mind for the one time you need it.

And for the record, there is way to turn on briging and still route. In fact Cisco has a WHOLE book on it.. Cisco IOS 12.0 Bridging and IBM Network Solutions. It's one thick book and covers virtually any way you need to get NB, TokenRing, SNA etc across a network. Get it used off Ebay and be prepared for the shipping charge.

MikeS
Find me at

http://www.packetattack.com

&quot;The trouble with giving up civil rights is that you never get them back&quot;

 

[BuckWeet]

He's talking about doing bridging on 2 LAN interfaces, not over a WAN, if you're going to do it on LAN interfaces, take the router out, and put in a switch..

 

[wybnormal]

Buck-

LAN1- DECnet----|
R1-----WAN----R3---2ndHost
LAN2- Host------|

In this case we had a normal network of IP and IPX on E0 and E1 plus an overlay of DECnet which need both local bridging and bridging to the 2nd host. Each E interface had over 5 IP helper addresses plus 10 PVCs on the Serial port. So replacing the router with a switch would have been a really bad idea.

Not real common but real enough. I was only pointing that two things.. one, it's possible to route NB over a router by a couple of methods and that you can bridge AND route at the same time. I never offered it as a solution to ste1's problem.

A NB broadcast WILL be routed *IF* you use IP helper or UDP port forwarding. A sniff trace will show you this or you can read how the IOS will take the UDP packet, repackage it into a unicast packet and move it along as a normal packet till it gets to where it needs to be.

One of the funnest (is this a word?) is read about it at RouterGod's site.

http://www.routergod.com/trinity/

Here is a paper from MS explaining their take on it.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q190930

Find me at

http://www.packetattack.com

&quot;The trouble with giving up civil rights is that you never get them back&quot;