Security Basics mailing list archives

RE: unable to join domain from dmz

From: "Gautam R. Singh" <gautam.singh () gmail com>
Date: Thu, 9 Sep 2004 10:47:04 +0530

I don't have any experience is these things but isn't DMZ supposed to
be a place where u should use to host web server mail servers which
are accessible from wan

If u are looking for authentication etc, i belive cisco has
authentication AAA u can use tacacs or radius with it

#aaa-server rass host 172.16.17.1.1 secret
#aaa-server rass protocol tac
#aaa-authentication include http inside 172.16.0.0 255.255.0.0 0 0 rass

i may be wrong with ^above^ commands :)

Regards
Gautam R. Singh

[ccna, checkpoint.. etc yet unemployed]



On Wed, 8 Sep 2004 00:24:24 +0100, James P. Saveker <james () wetgoat net> wrote:

In my opinion... yes.  However it is a recognized way of perimeter
authentication to have what known as a "secure domain".  Radius is another
way of doing it - however both methods have pro's and con's.




-----Original Message-----
From: Phillip McCollum [mailto:PMcCollum () sanmanuel com]
Sent: 01 September 2004 18:51
To: dan.tesch () comcast net; andrew.shore () holistecs com;
security-basics () lists securityfocus com
Subject: RE: unable to join domain from dmz

Correct me if I'm wrong, but isn't it just a bad idea in general to have
any sort of Domain Controller data on a server in the DMZ?

Phillip McCollum
Network Technician
San Manuel Band of Mission Indians
pmccollum - at - sanmanuel.com

"Andrew Shore" <andrew.shore () holistecs com> 8/26/2004 7:33:52 AM

conduit permit ip host 172.17.0.10 172.17.0.0 255.255.0.0

Is this the real line from the pix or a typo in the question?

You should need conduit command from the 172.17.x.x to 172.17.x.x as
this does not go through the firewall

You need to allow netbios traffic to and from the BDC sever on the dmz
to the PDC.

Also as stated before you will need a wins server.

conduit permit icmp any any is allow the ping command.

Also you should really use access-list rather than conduit commands as
I
believe Cisco are dropping support for the conduit command with the
next
PIX OS release, mind you they've said that for years.

Hope this helps

Andy
-----Original Message-----
From: Dan Tesch [mailto:dan.tesch () comcast net]
Sent: 24 August 2004 21:50
To: Security Basics
Subject: Re: unable to join domain from dmz

***********************
Your mail has been scanned by EdgeDefence(TM).
***********************

You can do this by adding an entry in LMHOSTS also, you can google
for instructions - simpler than setting up WINS.

You need to setup a WINS server.  Otherwise you cannot cross

subnets.


On Mon, 23 Aug 2004 12:12:52 +0300, Bilal Dar <bdar () pbad sbg com sa>

wrote:

I am having a problem, i couldn't figure out the reason till now.

We
are

having our NT 4 Primary Domain Controller on the inside network,

now
i
am

installing another server in the DMZ as a Backup Domain

Controller.
When
i

try to join the domain during installation i get an error stating

"The

domain controller for the domain cannot be located"

Dmz = 172.17.0.0/16
Inside = 172.16.0.0/16

PDC = 172.16.4.2
NewServer = 172.17.0.10/16

conduit permit icmp any any
conduit permit ip host 172.17.0.10 172.16.0.0 255.255.0.0
conduit permit ip host 172.17.0.10 172.17.0.0 255.255.0.0
conduit permit tcp host 172.17.0.10 eq smtp any
conduit permit tcp host 172.17.0.10 eq pop3 any
conduit permit tcp host 172.17.0.10 eq domain any
conduit permit udp host 172.17.0.10 eq domain any
conduit permit ip host 172.17.4.2 host 172.17.0.10

I can ping NewServer from Inside network. Am i missing something?

Thanks



--
END OF LINE
       -MCP


------------------------------------------------------------------------
---
Computer Forensics Training at the InfoSec Institute. All of our class
sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand
skills of
a certified computer examiner, learn to recover trace data left behind
by
fraud, theft, and cybercrime perpetrators. Discover the source of
computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html

------------------------------------------------------------------------
----

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class
sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand
skills of
a certified computer examiner, learn to recover trace data left behind
by
fraud, theft, and cybercrime perpetrators. Discover the source of
computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html

----------------------------------------------------------------------------

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------



--
Gautam R. Singh
PGP Key: http://gautam.techwhack.com/key/

NOTE: The information contained in this message is confidential and
intended only for the use of the individual or entity identified. If
the reader of this message is not the intended recipient, any
dissemination, distribution or copying of the information in this
message is strictly prohibited. If you have received this message by
error, please notify the sender immediately.




-- 
Gautam R. Singh
PGP Key: http://gautam.techwhack.com/key/


NOTE: The information contained in this message is confidential and
intended only for the use of the individual or entity identified. If
the reader of this message is not the intended recipient, any
dissemination, distribution or copying of the information in this
message is strictly prohibited. If you have received this message by
error, please notify the sender immediately.

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------

Current thread:

RE: unable to join domain from dmz Phillip McCollum (Sep 07)
- RE: unable to join domain from dmz Cherian Palayoor (Sep 09)
- <Possible follow-ups>
- RE: unable to join domain from dmz James P. Saveker (Sep 08)
  - Message not available
    - RE: unable to join domain from dmz Gautam R. Singh (Sep 09)
- unable to join domain from dmz Hayden Searle (Sep 10)