
Windows ias Radius server in cisco 515 pix DMZ

Status
Not open for further replies.

fpower (MIS, US), Aug 12, 2003
Hi all,
I am trying to implement a VPN for my office. I currently have a PC in the DMZ running W2K IAS for my RADIUS authentication (against the local PC, 192.168.10.10), and everything is working fine, but I have been asked to give the VPN users a single sign-on so they are not prompted for their internal network IDs when accessing resources.
So I would like to make the server in the DMZ a domain controller for IAS authentication, but I do not know if this is a good idea or how to implement it.

any help would be greatly appreciated!

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security30
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
hostname one
domain-name XXXXXXXXXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
pager lines 24
logging on
logging trap debugging
logging host inside 10.10.1.40
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
ip address outside xxx.xxx.xx.xx 255.255.255.0
ip address inside 10.10.1.1 255.255.0.0
ip address DMZ1 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xx.xxx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 80 permit ip 10.10.0.0 255.255.0.0 10.10.126.0 255.255.255.0
access-list 100 permit tcp 10.10.126.0 255.255.0.0 10.10.10.0 255.255.255.0 eq telnet
access-list 100 permit tcp 10.10.126.0 255.255.0.0 10.10.10.0 255.255.255.0 eq ftp
access-list 100 permit tcp 10.10.126.0 255.255.0.0 10.10.10.0 255.255.255.0 eq http
nat (inside) 0 access-list 80
static (inside,outside) xxx.xxx.xx.xx 10.10.1.28 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xx.xx 10.10.1.6 netmask 255.255.255.255 0 0
conduit permit tcp host xxx.xxx.xx.xx eq
conduit permit tcp host xxx.xxx.xx.xx eq 443 any
conduit permit tcp host xxx.xxx.xx.xx eq smtp any
route outside 0.0.0.0 0.0.0.0 209.73.41.1 1
route inside 172.16.0.0 255.255.0.0 10.10.1.254 1
route inside 172.20.0.0 255.255.0.0 10.10.1.254 1
route inside 192.168.250.0 255.255.255.0 10.10.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
ip local pool vpnippool 10.10.126.1-10.10.126.100
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.10.10
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXXX
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
crypto map partner-map client configuration address initiate
crypto ipsec transform-set strong-des esp-des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth
crypto map partner-map interface outside
isakmp key 12345 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup vpngroup address-pool vpnippool
vpngroup vpngroup dns-server 10.10.1.250
vpngroup vpngroup wins-server 10.10.1.250
vpngroup vpngroup default-domain domain.com
vpngroup vpngroup idle-time 1800
sysopt connection permit-ipsec
telnet 10.10.1.40 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:
 
Set up access-lists so that the IAS box can talk to an internal domain controller, and so that only those boxes can talk directly from the DMZ to the IAS.


BuckWeet
 
Would I do that like this?
And thanks again for the help!

access-list acl-dmz permit tcp host 10.10.1.250 eq domain host 192.168.10.10
access-list acl-dmz permit udp host 10.10.1.250 eq domain host 192.168.10.10
access-list acl-dmz permit tcp host 10.10.1.250 eq 88 host 192.168.10.10
access-list acl-dmz permit udp host 10.10.1.250 eq 88 host 192.168.10.10
access-list acl-dmz permit tcp host 10.10.1.250 eq 123 host 192.168.10.10
access-list acl-dmz permit tcp host 10.10.1.250 eq 135 host 192.168.10.10
access-list acl-dmz permit tcp host 10.10.1.250 eq 389 host 192.168.10.10
access-list acl-dmz permit udp host 10.10.1.250 eq 389 host 192.168.10.10
access-list acl-dmz permit tcp host 10.10.1.250 eq 3268 host 192.168.10.10
access-group acl-dmz in interface dmz1
 
You're on the right track. You may need more rules than that...specifically ones for the inside interface also to allow connections coming from the DMZ.
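To see what "only those boxes" means in practice, here is a small, hypothetical evaluator (added for this thread, not a Cisco tool or anything posted above) that parses a subset of PIX 6.x access-list syntax and answers whether a given flow is permitted. The rule set is constructed from the thread's own addresses: the IAS host in DMZ1 may reach the inside DC 10.10.1.250 on a few AD ports, and every other flow entering from DMZ1 falls through to the implicit deny.

```python
import ipaddress

# Hypothetical evaluator for a subset of PIX 6.x access-list syntax (not a Cisco tool):
#   access-list NAME permit|deny PROTO SRC [eq PORT] DST [eq PORT]
# where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D MASK"; ports may be names.
PORTS = {"domain": 53, "kerberos": 88, "ldap": 389}

def _addr(tok, i):
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Return {name: [(action, proto, src, sport, dst, dport), ...]}."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], tok[3], src, sport, dst, dport))
    return acls

def permitted(rules, proto, src, sport, dst, dport):
    """First match wins; anything unmatched hits the PIX implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, rs, rsp, rd, rdp in rules:
        if (p in ("ip", proto) and s in rs and d in rd
                and rsp in (None, sport) and rdp in (None, dport)):
            return action == "permit"
    return False

# Constructed rule set: only the IAS host in DMZ1 may reach the inside DC on AD ports.
ACL_DMZ_IN = """
access-list acl-dmz permit tcp host 192.168.10.10 host 10.10.1.250 eq kerberos
access-list acl-dmz permit tcp host 192.168.10.10 host 10.10.1.250 eq ldap
access-list acl-dmz permit udp host 192.168.10.10 host 10.10.1.250 eq domain
"""
RULES = parse_acl(ACL_DMZ_IN)["acl-dmz"]
```

Because `acl-dmz` is applied inbound on DMZ1, its sources must be DMZ addresses; the matching inside-interface list is the mirror image with 10.10.1.250 as the source.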
 
I really can't thank you enough for the help. It is greatly appreciated.

I am still having an issue, so again any guidance would be greatly appreciated...
I have tried everything I can think of (granted it isn't much), but I have not been able to get the inside to communicate with the DMZ or the DMZ to the inside. So far this is what I have tried.

I opened it up to allow anything from the inside to talk to anything in dmz1 (I think), just to see if I could communicate. I really just wanted the server in the DMZ (192.168.10.10) to be able to communicate with a server on the inside network (10.10.1.250) and vice versa.

static (inside,dmz1) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
access-list acl-dmz permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-group acl-dmz in interface dmz1
access-list acl-in-from-dmz permit ip 192.168.10.0 255.255.255.0 10.10.0.0 255.255.0.0
access-group acl-in-from-dmz in interface inside

Thanks again!
 