PIX, and Domain Controller errors to the DMZ




I have a PIX 515e running 7.0(4)2, and for the most part, it works great.

We're putting a file server into the DMZ so that outside users will
be able to log in to our Windows network and access files there, a NAS.
This means we have a Windows server in the DMZ, and when it boots
(and, in the future, when it authenticates clients that log in) it will
contact a domain controller on the INSIDE of the PIX.

I've set up the configuration to allow the server in the DMZ to
communicate with the domain controller on the INSIDE, with the
usual steps for access from a lower- to a higher-security system.
That is:

static (inside,dmz) dmz_ip inside_ip netmask 255.255.255.255

And set up the global NAT so this works. I've done this lots of
times, configuring access to our servers from the OUTSIDE. And so
I'm sure that I've gotten basic access from the DMZ to the domain
controller on the INSIDE.

However, there is still an error in the Windows Event log when the
NAS server in the DMZ boots up, which is Windows error / Event 1054:

Windows cannot obtain the domain controller name for your
computer. (The specified domain either does not exist, or could
not be contacted.) Group Policy processing aborted.

I looked up the error on the Microsoft site, and it suggests that
the NIC connection is fluctuating up and down. And suggests, among
other things, a different NIC card. I tried a new card, to no avail.
It appears that the PIX slows down the data exchange between the NAS
server and the domain controller just enough to make the connection
look bogus. There are a couple of other errors, but they all stem from
not being able to connect up with the domain controller. And these
errors are critical, since they block user authentication, and thus
access to the files on the NAS.

Technically, this is really a Windows problem, since the PIX is passing
the packets between interfaces (albeit slowly?). But I'm sure someone
out there has seen this error, because the obvious strategy is to put a
Web server in the DMZ that relies on a domain controller on the INSIDE,
and that creates exactly the same problem.

Thanks in advance for any help.

B Squared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When legendary Pop Warner coached the Carlisle Indians - a university for native Americans - he'd try anything to motivate his players.
Minutes before a 1917 game with Army at West Point, Warner offered
his shortest and cleverest pep talk:
"Just remember. These are the boys who took your land."
Carlisle went on to massacre Army 28-0.
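For readers following this thread, here is an added example (not from the original post) of the PIX 7.0-style configuration the question describes: a one-to-one static presenting the inside domain controller to the DMZ, plus an access-list on the dmz interface that lets only the NAS reach the DC, and only on the ports Active Directory uses. Addresses, interface names and the ACL name are assumptions for illustration; the port list is the standard AD set (DNS, Kerberos, LDAP, Global Catalog, SMB, RPC endpoint mapper and its dynamic range, NTP).

```text
! Assumed addressing (illustration only):
!   inside: DC  10.1.1.10, presented to the DMZ as 172.16.1.10
!   dmz:    NAS 172.16.1.20

! Static translation: the DC's real inside address 10.1.1.10 is
! reachable from the dmz interface as 172.16.1.10.
static (inside,dmz) 172.16.1.10 10.1.1.10 netmask 255.255.255.255

! dmz is lower security than inside, so an ACL on dmz must explicitly
! permit what the NAS sends to the DC. Only this source, only this
! destination, only AD ports (Cisco's "kerberos" keyword is 750, so
! Kerberos is written numerically as 88).
access-list dmz_in extended permit udp host 172.16.1.20 host 172.16.1.10 eq domain
access-list dmz_in extended permit tcp host 172.16.1.20 host 172.16.1.10 eq domain
access-list dmz_in extended permit udp host 172.16.1.20 host 172.16.1.10 eq 88
access-list dmz_in extended permit tcp host 172.16.1.20 host 172.16.1.10 eq 88
access-list dmz_in extended permit udp host 172.16.1.20 host 172.16.1.10 eq 389
access-list dmz_in extended permit tcp host 172.16.1.20 host 172.16.1.10 eq ldap
access-list dmz_in extended permit tcp host 172.16.1.20 host 172.16.1.10 eq 3268
access-list dmz_in extended permit tcp host 172.16.1.20 host 172.16.1.10 eq 445
access-list dmz_in extended permit tcp host 172.16.1.20 host 172.16.1.10 eq 135
! RPC dynamic ports: 1025-5000 is the Windows 2000/2003 default range
access-list dmz_in extended permit tcp host 172.16.1.20 host 172.16.1.10 range 1025 5000
access-list dmz_in extended permit udp host 172.16.1.20 host 172.16.1.10 eq ntp
! Group Policy slow-link detection on Windows 2000/2003 pings the DC
access-list dmz_in extended permit icmp host 172.16.1.20 host 172.16.1.10 echo
access-group dmz_in in interface dmz

! Checks after the NAS boots (PIX 7.0 commands):
!   show xlate              - expect the static entry for 10.1.1.10 <-> 172.16.1.10
!   show access-list dmz_in - hitcnt on each line shows which ports were actually used
!   show logging            - 106023 messages name any flow the ACL denied
```

Two checks worth making with this layout. First, the NAS must reach the DC at the address that name resolution returns: AD's SRV and A records hold the DC's real inside address (10.1.1.10 here), so with a non-identity static the NAS will resolve the domain to an address it cannot reach unless its DNS server answers with 172.16.1.10. The usual way around this is an identity static, `static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255`, so the DC keeps its real address on both interfaces and the ACL is written against 10.1.1.10 instead. Second, if `show access-list` hit counts stay at zero on a line you expected to be used, or 106023 denies appear in the log, the PIX is dropping that flow rather than slowing it. A domain-joined host in the DMZ extends the domain's trust boundary into the DMZ, which is why the ACL above is pinned to a single source and destination rather than permitting the NAS to reach the inside network generally.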
