Hello Jon,

I did some research on this issue, but unfortunately the answer is negative: we cannot 
have a Win2K machine in the DMZ join a domain in the inside network. 

To make it clear, here's the circumstance:
- Win2K server is in the inside network with the inside IP address of x.x.x.x, and 
mapped to y.y.y.y in the DMZ side.
- Win2K client is in the DMZ side and trying to log in to the windows domain. y.y.y.y 
is configured as the PDC.
- All IP ports are opened on PIX to allow traffic from DMZ go through to the Inside 
network.

I reached this conclusion in two ways.

First, I used a sniffer to monitor all traffic sent between the Win2K client and the 
Win2K server. The problem occurs on the third packet that the client sends to the 
server. The destination address (the server's address) of the first two packets sent by 
the client was y.y.y.y, which is the server's mapped address in the DMZ. PIX translated 
y.y.y.y to x.x.x.x and sent the packets to the server in the inside network. The Win2K 
server also replied to the client. However, the destination address of the third 
packet sent by the client became x.x.x.x, which is the server's inside IP address. PIX 
won't translate this IP address and let the packet go through, since there's no static 
mapping for x.x.x.x on the DMZ side. As a result, the login process failed.

I assume the Win2K server sent back its inside IP address and host name to the Win2K 
client, and then the Win2K client began to use that inside IP address to contact the 
Win2K server. I tried to configure DNS doctoring and alias on the PIX to do the 
translation, and tried to configure the LMHOSTS and HOSTS files on the Win2K client 
directly to solve this problem, but none of them helped. The Win2K client always uses 
x.x.x.x as the destination address of its third packet for the domain login.

The second source for my conclusion is a Microsoft security book, which I think 
proves this login issue. There's one sentence in the book:

"You require a CA to run in the Demilitarized Zone (DMZ) where it can't contact Active 
Directory. If the CA isn't able to connect to Active Directory, then the CA must be 
configured as a Standalone CA."

Sorry for my poor English; if I'm wrong, please correct me. My understanding is that 
part of what the sentence means is "Computers in the DMZ can't contact Active 
Directory (which is not in the DMZ)". 

Hope this helps.
Fei.
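The packet flow Fei describes, as an added example that is not part of either message in this thread: a small Python model of the PIX's DMZ-to-inside static translation, run over a constructed sniffer trace. Every address, the network ranges and the trace itself are made-up stand-ins for the thread's x.x.x.x / y.y.y.y; the function names are mine. It shows why the client's first two packets (sent to the mapped address) are translated, while the third client packet, addressed to the untranslated inside address, matches no static entry on the DMZ side and is dropped.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the thread's x.x.x.x / y.y.y.y (assumptions).
INSIDE_NET = ip_network("10.1.1.0/24")     # inside network behind the PIX
DMZ_NET = ip_network("192.168.50.0/24")    # DMZ network
INSIDE_SERVER = "10.1.1.10"                # x.x.x.x: the PDC's real inside address
DMZ_MAPPED = "192.168.50.10"               # y.y.y.y: static mapping visible from the DMZ
DMZ_CLIENT = "192.168.50.20"               # Win2K client sitting in the DMZ

# Static translations the PIX knows on its DMZ interface:
# global (DMZ-visible) address -> local (inside) address.
STATIC_DMZ_TO_INSIDE = {DMZ_MAPPED: INSIDE_SERVER}


def forward_from_dmz(dst, statics=STATIC_DMZ_TO_INSIDE, inside_net=INSIDE_NET):
    """Decide what the PIX does with a DMZ-sourced packet whose destination is `dst`.

    Returns (action, real_destination):
      ("translate", inside_ip)  dst is a mapped global address; the PIX rewrites it
      ("drop", None)            dst is an inside address with no static mapping
      ("forward", dst)          anything else is passed through untouched
    """
    if dst in statics:
        return "translate", statics[dst]
    if ip_address(dst) in inside_net:
        # The inside address leaked to the DMZ host; no static entry covers it.
        return "drop", None
    return "forward", dst


def analyze_trace(trace, statics=STATIC_DMZ_TO_INSIDE,
                  inside_net=INSIDE_NET, dmz_net=DMZ_NET):
    """Run each client-originated packet of a sniffer trace through forward_from_dmz.

    `trace` is a list of (number, src, dst, description) tuples as captured on the
    DMZ side.  Packets whose source is a mapped global address are replies from the
    inside (already rewritten by the PIX) and are skipped.  Returns a list of
    (number, action, real_destination) in trace order.
    """
    results = []
    for number, src, dst, _desc in trace:
        if ip_address(src) not in dmz_net or src in statics:
            continue  # not a packet a DMZ host originated
        action, real_dst = forward_from_dmz(dst, statics, inside_net)
        results.append((number, action, real_dst))
    return results


def leaked_inside_destinations(trace, **kwargs):
    """Trace numbers where a DMZ host addressed an inside IP directly.

    This is the symptom in the thread: the client's third packet goes to x.x.x.x.
    """
    return [n for n, action, _ in analyze_trace(trace, **kwargs) if action == "drop"]


# Constructed trace (assumption) mirroring the thread: two client packets to the
# mapped address, each answered, then a third client packet to the inside address.
SAMPLE_TRACE = [
    (1, DMZ_CLIENT, DMZ_MAPPED, "client -> PDC via mapped address"),
    (2, DMZ_MAPPED, DMZ_CLIENT, "PDC reply, source rewritten back to y.y.y.y"),
    (3, DMZ_CLIENT, DMZ_MAPPED, "client -> PDC via mapped address"),
    (4, DMZ_MAPPED, DMZ_CLIENT, "PDC reply whose payload names its inside address"),
    (5, DMZ_CLIENT, INSIDE_SERVER, "client's third packet: inside address used directly"),
]

if __name__ == "__main__":
    for number, action, real_dst in analyze_trace(SAMPLE_TRACE):
        print(f"packet {number}: {action}" + (f" -> {real_dst}" if real_dst else ""))
    print("dropped client packets:", leaked_inside_destinations(SAMPLE_TRACE))
```

The model is deliberately one-directional: it only asks whether a DMZ-originated packet has a static entry to land on. Feeding it a real capture summary (number, src, dst) is enough to spot the moment a host on the low-security side switches from the mapped address to the raw inside one, which is the check to run before spending time on DNS doctoring or HOSTS entries that the client ignores anyway.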


-----Original Message-----
From: Jon Miles [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 5:06 PM
To: Fei Yang
Subject: PIX logon


Fei,

Hi. I saw your question in a firewall mailing list regarding logging
onto a PDC from the DMZ - this is EXACTLY what I am trying to do. I see
the reply to your question is to use a syslog server, but frankly I
would prefer if you could just make it easy for me and tell me how you
solved this problem :)

Basically, I have a WIN2k workstation that cannot see the domain on the
other side. I have opened up all of IP for the meantime, and am using
NAT and static mappings. I can ping the global address of the PDC, so I
know the connectivity works. My guess is that you have to tell the
machine the IP address of the PDC, without it doing all the broadcasts.
I also know you cannot pass these broadcasts across the PIX with a
helper address...
Any help would be appreciated.
Thanks.

Jon Miles
//Network Consultant

'delivering quality networking services'

web:    www.qosconsulting.net
mail:   [EMAIL PROTECTED]
tel:    0118 935 4300
fax:    0118 935 4333
mobile: 0781 380 9932

QoS Consulting Limited
308 Kings Road
Reading
RG1 4HP


_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
