Would using VPN with IP pooling help here? I don't know anything about Cisco or PIX, but my understanding is that the VPN client and PIX or VPN 3000 concentrator can have a VPN connection where the PIX or Concentrator assigns an IP address to the client. The apps on the client then think they are at that address, and the decrypted packet on the inside has that "app address" as a source address. Internal servers reply to the application address, and internal routing carries the packets to the PIX or VPN 3000 concentrator as if it were just another internal router.
I'm going to call the IP address visible to the application the "App Address" or AA and the externally visible network address the "Net Address" or NA. The PIX or VPN 3000 is the "Gateway". What you have, flow-logic-wise, is:

- Client OS/App sees AA as its address
- Packet encapsulated in Client NA
- Gateway external NA receives packet and decrypts
- Gateway Internal Address sends decrypted packet with AA as source
- Internal Server sees source as AA
- Internal Server replies to AA
- Packet gets routed to Gateway Internal Address
- Gateway encrypts and encapsulates in external NA
- Client receives on NA and unpacks the internal packet
- The decrypted packet with AA as the destination address is passed up the IP stack

I think Check Point calls this Office Mode.

BTW, the reference to CA is for configuring a certificate authority and PKI. I would suggest sticking with simple password authentication for testing the encapsulation.

Adam

----- Original Message -----
From: "Fei Yang" <[EMAIL PROTECTED]>
To: "Jon Miles" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, April 26, 2002 10:05 AM
Subject: Windows domain login through PIX

Hello Jon,

I did some research on this issue, but unfortunately the answer is negative: we cannot have a Win2K machine in the DMZ join a domain in the inside network. To make it clear, here are the circumstances:

- The Win2K server is in the inside network with the inside IP address x.x.x.x, and is mapped to y.y.y.y on the DMZ side.
- The Win2K client is on the DMZ side and is trying to log in to the Windows domain. y.y.y.y is configured as the PDC.
- All IP ports are opened on the PIX to allow traffic from the DMZ to go through to the inside network.

I reached this conclusion in two ways. Firstly, I used a sniffer to monitor all traffic sent between the Win2K client and the Win2K server. The problem occurs on the third packet that the client sent to the server.
The destination address (the server's address) of the first two packets sent by the client was y.y.y.y, which is the server's mapped address in the DMZ. The PIX translated y.y.y.y to x.x.x.x and sent the packets to the server in the inside network. The Win2K server also replied to the client. However, the destination address of the third packet sent by the client became x.x.x.x, which is the server's inside IP address. The PIX won't change this IP address and let the packet go through, since there's no static mapping for x.x.x.x on the DMZ side. As a result, the login process failed.

I assume the Win2K server sent back its inside IP address and host name to the Win2K client, and then the Win2K client began to use that inside IP address to contact the Win2K server. I tried to configure DNS doctoring and alias on the PIX to do the translation, and tried to configure the LMHOSTS and HOSTS files on the Win2K client directly to solve this problem, but none of them were useful. The Win2K client always uses x.x.x.x as the destination address of its third packet for the domain login.

The second source for my conclusion is a Microsoft security book; I think it proves this login issue. There's one sentence in the book:

"You require a CA to run in the Demilitarized Zone (DMZ) where it can't contact Active Directory. If the CA isn't able to connect to Active Directory, then the CA must be configured as a Standalone CA."

Sorry for my poor English if I'm wrong, and please correct me. My understanding is that part of the meaning of the sentence is "Computers in the DMZ can't contact Active Directory (which is not in the DMZ)".

Hope this helps.

Fei.

-----Original Message-----
From: Jon Miles [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 5:06 PM
To: Fei Yang
Subject: PIX logon

Fei,

Hi. I saw your question in a firewall mailing list regarding logging onto a PDC from the DMZ - this is EXACTLY what I am trying to do.
I see the reply to your question is to use a syslog server, but frankly I would prefer if you could just make it easy for me and tell me how you solved this problem :)

Basically, I have a Win2K workstation that cannot see the domain on the other side. I have opened up all of IP for the meantime, and am using NAT and static mappings. I can ping the global address of the PDC, so I know the connectivity works.

My guess is that you have to tell the machine the IP address of the PDC, without it doing all the broadcasts. I also know you cannot pass these broadcasts across the PIX with a helper address...

Any help would be appreciated.

Thanks.

Jon Miles // Network Consultant
'delivering quality networking services'
web: www.qosconsulting.net
mail: [EMAIL PROTECTED]
tel: 0118 935 4300
fax: 0118 935 4333
mobile: 0781 380 9932
QoS Consulting Limited
308 Kings Road
Reading RG1 4HP

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
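The following is an added illustration, not code from the thread or from Cisco, Check Point or Microsoft. It models the two designs discussed above: the static NAT exchange Fei captured, where the client's third packet goes to the server's untranslated inside address and the PIX, having no static for it on the DMZ side, drops it, and the pooled "app address" VPN flow Adam describes, where the client addresses the server by its inside address from the start so nothing it learns later changes the path. The addresses are constructed placeholders (10.0.0.5 for x.x.x.x, 192.168.100.5 for y.y.y.y, 10.0.9.20 for the pooled AA), and the "dc_address" payload field stands in for whatever the real logon exchange carries; as in Fei's message, it is only an assumption that the server hands back its inside address. The gateway's check that an inner source matches the AA assigned to that client is this model's own, not a documented PIX or VPN 3000 feature.

```python
from dataclasses import dataclass, field

# Constructed placeholder addresses for the example.
INSIDE_SERVER = "10.0.0.5"          # x.x.x.x: the PDC's real inside address
MAPPED_SERVER = "192.168.100.5"     # y.y.y.y: its static mapping on the DMZ side
DMZ_CLIENT = "192.168.100.20"       # the Win2K workstation (its NA once on VPN)
GATEWAY_EXTERNAL = "192.168.100.1"  # where the VPN client sends encapsulated packets
VPN_POOL_ADDRESS = "10.0.9.20"      # an app address (AA) from the gateway's pool


@dataclass
class Packet:
    src: str
    dst: str
    payload: dict = field(default_factory=dict)


def domain_controller(pkt):
    """Stand-in for the PDC.  Assumption taken from Fei's message: the server
    hands the client its inside address; his capture shows the client
    switching on the third packet, so the model returns it in reply two."""
    payload = {"step": pkt.payload["step"]}
    if pkt.payload["step"] == 2:
        payload["dc_address"] = INSIDE_SERVER
    return Packet(INSIDE_SERVER, pkt.src, payload)


class StaticNatFirewall:
    """Static translation between DMZ and inside: a packet from the DMZ is
    forwarded only if its destination has a static entry, and addresses
    carried inside the payload are left untouched."""

    def __init__(self, statics):
        self.mapped_to_inside = dict(statics)            # y.y.y.y -> x.x.x.x
        self.inside_to_mapped = {v: k for k, v in statics.items()}

    def from_dmz(self, pkt):
        inside = self.mapped_to_inside.get(pkt.dst)
        if inside is None:
            return None            # no static for this destination: dropped
        return Packet(pkt.src, inside, pkt.payload)

    def to_dmz(self, pkt):
        return Packet(self.inside_to_mapped[pkt.src], pkt.dst, pkt.payload)


def static_nat_login(steps=3):
    """Replay Fei's capture: the client follows the address the server hands
    back, and that address has no static on the DMZ side."""
    pix = StaticNatFirewall({MAPPED_SERVER: INSIDE_SERVER})
    target, outcome = MAPPED_SERVER, []
    for step in range(1, steps + 1):
        request = pix.from_dmz(Packet(DMZ_CLIENT, target, {"step": step}))
        if request is None:
            outcome.append(f"step {step} to {target}: dropped")
            continue
        reply = pix.to_dmz(domain_controller(request))
        outcome.append(f"step {step} to {target}: answered from {reply.src}")
        target = reply.payload.get("dc_address", target)   # now x.x.x.x
    return outcome


class VpnGateway:
    """Gateway with an address pool, as Adam describes IP pooling / Office
    Mode: the inner packet carries the pooled AA, the outer one the NA."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.assigned = {}                  # client NA -> AA

    def connect(self, client_na):
        aa = self.pool.pop(0)
        self.assigned[client_na] = aa
        return aa

    def decapsulate(self, outer):
        inner = outer.payload["inner"]
        # This model's own check: the inner source must be the AA assigned
        # to this NA, so a VPN client cannot inject packets as someone else.
        if self.assigned.get(outer.src) != inner.src:
            return None
        return inner

    def encapsulate(self, inner):
        # An inside reply to an AA is routed to the gateway and wrapped for
        # the NA that owns that AA.
        for na, aa in self.assigned.items():
            if aa == inner.dst:
                return Packet(GATEWAY_EXTERNAL, na, {"inner": inner})
        return None


def vpn_pool_login(steps=3):
    """Same exchange over the VPN: the client addresses x.x.x.x from the
    start, so the address handed back in reply two changes nothing."""
    gw = VpnGateway([VPN_POOL_ADDRESS])
    aa = gw.connect(DMZ_CLIENT)
    target, outcome = INSIDE_SERVER, []
    for step in range(1, steps + 1):
        outer = Packet(DMZ_CLIENT, GATEWAY_EXTERNAL,
                       {"inner": Packet(aa, target, {"step": step})})
        inner = gw.decapsulate(outer)
        reply = gw.encapsulate(domain_controller(inner)).payload["inner"]
        outcome.append(f"step {step} to {target}: answered from {reply.src}")
        target = reply.payload.get("dc_address", target)
    return outcome


def spoofed_inner_source_is_rejected():
    """A client that forges the inner source address gets its packet dropped."""
    gw = VpnGateway([VPN_POOL_ADDRESS])
    gw.connect(DMZ_CLIENT)
    forged = Packet(DMZ_CLIENT, GATEWAY_EXTERNAL,
                    {"inner": Packet(INSIDE_SERVER, INSIDE_SERVER, {"step": 1})})
    return gw.decapsulate(forged) is None
```

Calling static_nat_login() gives one outcome line per packet and shows the third one dropped at the PIX, while vpn_pool_login() completes all three steps because the server's reply to the pooled AA is routed back to the gateway and re-encapsulated for the client's NA. The spoof check is the one thing to insist on if you build this for real: the gateway must bind each pooled address to the tunnel it was issued on, otherwise a DMZ host with a VPN client could source packets as any inside address.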
