
Unable to authenticate AD user through firewall

Nov 24, 2004
Hi all,
I am unable to authenticate users through a firewall. I have done the following to enable comms through from the DMZ.

Any ideas, anyone?

access-list 112 permit tcp host 172.20.0.158 host 172.17.4.24 eq smtp
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.24 eq pop3
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.24 eq 143
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 389
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 389
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 636
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 636
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 3268
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 3269
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 445
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 445
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 88
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 88
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 135
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 135
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq domain
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq domain
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 389
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 389
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 636
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 636
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 3268
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 3269
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 445
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 445
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 88
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 88
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 135
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 135
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq domain
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq domain
 
What firewall are you using? Cisco? If so, is the access list applied 'in' or 'out'?
 
It's a Cisco router, and the list is being applied inbound (DMZ > trusted).

Cannot seem to get the box to talk to the domain.

I am tailing the syslog for the router; there are no denies bound for the DCs.

I am getting an event error 537:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 07/02/2007
Time: 10:48:11
User: NT AUTHORITY\SYSTEM
Computer: FENCHURCHST
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: jcoopermarsh
Domain: jacobsrimell
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: FENCHURCHST
Status code: 0xC000005E
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 1637


For more information, see Help and Support Center at
 
Working at last.

This is what I did: I ran Wireshark and noticed that the server was trying to communicate on ports 1026 and 1025 to my DCs.

They were being denied (access-list).

Opened them up and voilà, it worked.

access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 389
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 389
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 636
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 636
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 3268
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 3269
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 445
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 445
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 88
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 88
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 135
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 135
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 1026
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 1026
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq 1025
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq 1025
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.11 eq domain
access-list 112 permit udp host 172.20.0.158 host 172.17.4.11 eq domain
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 389
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 389
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 636
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 636
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 3268
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 3269
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 445
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 445
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 88
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 88
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 135
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 135
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 1026
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 1026
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq 1025
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq 1025
access-list 112 permit tcp host 172.20.0.158 host 172.17.4.12 eq domain
access-list 112 permit udp host 172.20.0.158 host 172.17.4.12 eq domain


Thanks for all your help
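Two checks that would have shortened this thread, as an added example that is not part of the original posts: a Python script that parses the posted access-list syntax and reports which of the ports a domain member needs are still missing per DC, and a parser for the IOS %SEC-6-IPACCESSLOGP deny messages so the blocked RPC ports can be read off the router's syslog instead of a packet capture. The status code 0xC000005E in the Event 537 above is STATUS_NO_LOGON_SERVERS: the member could not reach a DC to complete the NTLM pass-through logon, which is consistent with the blocked RPC ports. The ACL fragment and syslog lines in the block are constructed for the example; the required port set, the ACL number default and the helper names are this example's assumptions, not anything the poster ran.

```python
import re
from collections import defaultdict

# Ports a domain member has to reach on every DC. Assumption for this example:
# the thread's own list plus the two RPC dynamic ports the capture showed.
# 1025/1026 are site-specific: Netlogon and NTDS take them from the endpoint
# mapper at service start unless pinned in the registry (see note below).
REQUIRED = {
    ("tcp", 53), ("udp", 53),      # DNS: SRV records for _ldap._tcp.dc._msdcs
    ("tcp", 88), ("udp", 88),      # Kerberos
    ("tcp", 135),                  # RPC endpoint mapper
    ("tcp", 389), ("udp", 389),    # LDAP, and the UDP CLDAP "ping"
    ("tcp", 445),                  # SMB: Netlogon secure channel, SYSVOL
    ("tcp", 636), ("tcp", 3268), ("tcp", 3269),  # LDAPS, global catalog
    ("tcp", 1025), ("tcp", 1026),  # RPC dynamic ports seen in the capture
}

NAMED_PORTS = {"domain": 53, "smtp": 25, "pop3": 110}  # IOS keywords used here

ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)"
    r"\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)\s+eq\s+(?P<port>\S+)\s*$"
)
# Format of the message IOS logs for a packet dropped by an ACL entry with 'log'.
SYSLOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def port_number(token):
    """Turn an 'eq' operand (number or IOS keyword) into a port number."""
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)

def parse_acl(text):
    """Map (src, dst) -> set of (proto, port) permitted by host/host/eq entries."""
    permits = defaultdict(set)
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m["action"] == "permit":
            permits[(m["src"], m["dst"])].add((m["proto"], port_number(m["port"])))
    return permits

def missing_rules(permits, src, dcs, acl="112", required=REQUIRED):
    """ACL entries still needed for src to reach each DC, in IOS syntax."""
    lines = []
    for dc in dcs:
        gap = required - permits.get((src, dc), set())
        for proto, port in sorted(gap, key=lambda t: (t[1], t[0])):
            lines.append(f"access-list {acl} permit {proto} host {src} host {dc} eq {port}")
    return lines

def denied_flows(log_lines):
    """(proto, src, dst, dport) for every IOS ACL deny message in the log."""
    flows = []
    for line in log_lines:
        m = SYSLOG_RE.search(line)
        if m:
            flows.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows

def rules_for_denied(flows, acl="112"):
    """One permit per distinct denied flow: what the poster did by hand."""
    rules = []
    for proto, src, dst, dport in flows:
        rule = f"access-list {acl} permit {proto} host {src} host {dst} eq {dport}"
        if rule not in rules:
            rules.append(rule)
    return rules

# Constructed sample: the pre-fix entries for the first DC, as posted above.
SAMPLE_ACL = "\n".join(
    f"access-list 112 permit {proto} host 172.20.0.158 host 172.17.4.11 eq {port}"
    for port, protos in (("389", "tcp udp"), ("636", "tcp udp"), ("3268", "tcp"),
                         ("3269", "tcp"), ("445", "tcp udp"), ("88", "tcp udp"),
                         ("135", "tcp udp"), ("domain", "tcp udp"))
    for proto in protos.split()
)
# Constructed sample syslog, as the router would have logged the drops had the
# ACL ended in an explicit 'deny ip any any log'.
SAMPLE_SYSLOG = [
    "Feb  7 10:48:11 rtr1 45: %SEC-6-IPACCESSLOGP: list 112 denied tcp "
    "172.20.0.158(1637) -> 172.17.4.11(1026), 1 packet",
    "Feb  7 10:48:11 rtr1 46: %SEC-6-IPACCESSLOGP: list 112 denied tcp "
    "172.20.0.158(1638) -> 172.17.4.11(1025), 3 packets",
    "Feb  7 10:48:12 rtr1 47: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for rule in missing_rules(parse_acl(SAMPLE_ACL), "172.20.0.158", ["172.17.4.11"]):
        print("missing:", rule)
    for rule in rules_for_denied(denied_flows(SAMPLE_SYSLOG)):
        print("denied :", rule)
```

Two caveats for anyone repeating this fix. The implicit deny at the end of an IOS access list does not log, which is why tailing the router's syslog showed no denies; an explicit `access-list 112 deny ip any any log` as the last entry makes the drops visible and is what the syslog parser above expects. And 1025/1026 are RPC endpoint-mapper dynamic ports that Netlogon and NTDS are assigned at service start, so a rule pinned to them can silently stop matching after a DC reboot; pinning those services to fixed ports on the DCs (the NTDS "TCP/IP Port" and Netlogon "DCTcpIpPort" registry values) and permitting those is the durable form of this change.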