[FW1] NT (netbios) Trusts over NAT



Hi there,

I have a problem getting NetBIOS to work over NAT with Checkpoint
Firewall.

We are running CPFW-1 4.1 (SP3), and I have 3 interfaces on the Firewall
box as follows:

hme1	-	10.1.0.0/16
qfe0	-	192.168.0.0/24
hme0	-	Real-world Address Range

At the moment we have a machine on the LAN (10.1.0.0/16 subnet) that
authenticates to another machine (PDC) on the same network.
I want to move this machine into the 192.168.0.0/24 subnet and keep
the ability to authenticate back to the internal network.

If I look at /opt/CPfw1-41/conf/objects.C, I have set ":netbios_nat
(true)" under the :props section.

However, when I physically move the machine over to the other network, and
try to authenticate across, I get a "no domain server was available to
validate your password".   The only traffic I see in my logs is NetBIOS
broadcast traffic from the machine I have moved onto the subnet I have
moved it to.  I've tried NAT'ing these packets back directly onto the
10.1.0.0/16 subnet without any joy.

I don't know a huge amount about Microsoft NT or NetBIOS, so it is
possible that there is a setting somewhere I need to adjust on the MS
Operating System side......  Does anyone have any ideas?

There is an article on Microsoft's website saying that to establish a domain
trust across a firewall I need to open up the following ports:
135 TCP/UDP
137 UDP
138 UDP
139 TCP
All ports above 1024 for RPC communication  (!!!!!??!?)
(see: http://support.microsoft.com/support/kb/articles/q179/4/42.asp)
Is this really true?

Has anybody on this list had any experience whatsoever with getting NT
trust relationships to work in a NAT environment with Checkpoint Firewall?
Or can somebody tell me exactly what is going to happen in terms of
straight TCP / UDP communication between these 2 machines when I enter the
password and hit 'enter'?   :))

Thanks in advance,
-jonny




   All contents © 2004 Network Presence, LLC. All rights reserved.