Re: [fw-wiz] Cisco FWSM/ASA Question



Which fixups do you have enabled? Are you able to use Wireshark or
something similar to sniff traffic on both sides of the FWSM to
determine if it's changing anything in transit?

PaulM


On 7/27/07, Matthew Watkins <matt@xxxxxxxxx> wrote:
I'm investigating a problem with Windows client computers situated
behind a pair of redundant firewall services modules (installed in a
Cisco Catalyst 6513 switch). There's a new domain controller on one
VLAN, and our Windows/PC clients sit on another. Both networks are
routed through the FWSM, and general network connectivity seems fine.

The firewall blades are running the latest version of the FWSM/ASA code:

FWSM Firewall Version 3.1(6)

Basically, my Mac laptop running OS X seems to connect to all parts
of the network without problems. It can mount shares, resolve DNS
etc. However, the Windows desktop clients seem unable to log on to
the domain when booted up behind the firewall. Initially, I thought
the problem might be related to DNS protocol inspection, since we
were seeing the log messages below:

Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com %
FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to
172.29.6.2/1026 due to DNS Response

I've subsequently removed DNS inspection from the global default
rules, but it hasn't made any difference. This is a new site which we
are in the process of building, so the access-lists for both networks
are currently wide open:

access-list PERMISSIVE extended permit ip any any
access-group PERMISSIVE in interface inside
access-group PERMISSIVE in interface office-wired
access-group PERMISSIVE in interface office-dmz

We've created a stripped down domain user account, with no DFS shares
or home drive mappings, and this user account can successfully log in
to the domain. Our servers are all running Win2K3. Any ideas what the
problem might be? I'm not seeing messages in the logs, and I'm a bit
confused about the possible cause...

Any ideas gratefully received!

- Matt
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
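A small parser for the %FWSM-2-106007 deny message quoted in the thread, added here as an example and not code from either poster: it counts, per inside client, the DNS responses the inspection engine dropped, so the syslog alone shows whether DNS inspection is still interfering after the policy change. The sample lines are constructed to match the message format; the hostnames and addresses are taken from the quoted log line.

```python
import re
from collections import Counter

# Constructed sample syslog, modelled on the %FWSM-2-106007 line in the post.
# The last line is a non-106007 message to show that it is ignored.
SAMPLE_LOG = """\
Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1026 due to DNS Response
Jul 26 16:55:22 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1027 due to DNS Response
Jul 26 16:55:23 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to 172.29.6.7/1030 due to DNS Response
Jul 26 16:55:24 cam-sh-fw1-inside.redstardevelopment.com %FWSM-6-302015: Built outbound UDP connection 12 for inside:172.29.6.2/1031 to dmz:172.17.50.3/53
"""

# Message format: Deny inbound <proto> from <src>/<sport> to <dst>/<dport> [due to <reason>]
DENY_RE = re.compile(
    r"%FWSM-\d-106007: Deny inbound (?P<proto>\w+) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: due to (?P<reason>.+))?$"
)


def parse_106007(line):
    """Return the fields of a %FWSM-x-106007 deny line as a dict, or None
    for any other message."""
    m = DENY_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["reason"] = rec["reason"] or ""
    return rec


def dns_inspection_denies(log_text):
    """Count DNS replies (source port 53, reason mentioning DNS) that the
    firewall dropped, keyed by (inside client, DNS server). A client that
    keeps appearing here is not receiving answers even though the ACL
    permits the traffic, which points at the inspection engine."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_106007(line)
        if rec and rec["sport"] == 53 and "DNS" in rec["reason"]:
            counts[(rec["dst"], rec["src"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (client, server), n in sorted(dns_inspection_denies(SAMPLE_LOG).items()):
        print(f"{client} lost {n} DNS reply(ies) from {server}")
```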

