Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

OWA in Cisco PIX DMZ

Status
Not open for further replies.
kamire

kamire

Technical User
Joined
Nov 28, 2002
Messages
54
Location
RW
I am currently having a migration to Active Directory 2003 which is making my Outlook Web Access 5.5 on the DMZ not be in a position to be authenticated in the local area network. I would like to know which service and port i need to enable on my pIX in order to allow Directory services authentication on the PIX firewall.

The Exchange Servers are in the LAN and thus internet users need to come in through the PIX into the DMZ and then get the OWA logon.asp and from there give in their alias name and then get the username to be authenticated in by the AD on the local LAN.

Please this is very urgent.
 
Sort by date Sort by votes
This may be too late, but this article may help.


1. Create a static

static (dmz,outside) 222.123.123.123 192.168.1.123 dns netmask 255.255.255.255

2. outside to dmz

access-list outside_acl permit tcp any host 222.123.123.123 eq 80
access-list outside_acl permit tcp any host 222.123.123.123 eq 443

We need this host to go to the web to do window update and virus def update
access-list outside_acl permit tcp host 222.123.123.123 any eq 80
access-list outside_acl permit permit udp host 192.168.1.123 any eq domain

Time Synch (not now but can be added later)
#access-list outside_acl permit udp any host 222.123.123.123 eq 123

access-list dmz_acl permit udp host 192.168.1.123 any eq domain
access-list dmz_acl permit tcp host 192.168.1.123 any eq www


3. From dmz to inside



(DNS)
access-list dmz_acl permit udp host 192.168.1.123 host 10.10.0.121 eq 53
access-list dmz_acl permit tcp host 192.168.1.123 host 10.10.0.121 eq 53


Kerberos authentication
access-list dmz_acl permit udp host 192.168.1.123 host 10.10.0.121 eq 88
access-list dmz_acl permit tcp host 192.168.1.123 host 10.10.0.121 eq 88

EndPointMapper
access-list dmz_acl permit tcp host 192.168.1.123 host 10.10.0.121 eq 135

LDAP
access-list dmz_acl permit udp host 192.168.1.123 host 10.10.0.121 eq 389
access-list dmz_acl permit tcp host 192.168.1.123 host 10.10.0.121 eq 389

Server message block (SMB) for Netlogon, LDAP conversion and Microsoft Distributed File System (DFS) discovery
access-list dmz_acl permit tcp host 192.168.1.123 host 10.10.0.121 eq 445

LDAP to global catalog servers
access-list dmz_acl permit tcp host 192.168.1.123 host 10.10.0.121 eq 3268

AD Logon
access-list dmz_acl permit tcp host 192.168.1.123 host 10.10.0.121 eq 1025
access-list dmz_acl permit udp host 192.168.1.123 host 10.10.0.121 eq 1025
access-list dmz_acl permit tcp host 192.168.1.123 host 10.10.0.121 eq 1026
access-list dmz_acl permit udp host 192.168.1.123 host 10.10.0.121 eq 1026

Note: 10.10.0.121 is my dns, gc, and ad server, 192.168.1.0/24 is my dmz network, 10.10.0.0/24 is my inside network, and
222.123.123.0/27 is my "fake" pubic network.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AllenH12
  • Locked
  • Question Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
657
AllenH12
AllenH12
MottoK
  • Locked
  • Question Question
Cisco ISE blank GUI
Replies
0
Views
781
MottoK
MottoK
intel233
  • Locked
  • Question Question
Cisco ASA - VPN Question
Replies
6
Views
1K
intel233
intel233
intel233
  • Locked
  • Question Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
1K
intel233
intel233
WhosYourDiffie
  • Locked
  • Question Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
426
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top