[FW1] NT (netbios) Trusts over NAT
Hi there,

I have a problem getting NetBIOS to work over NAT with Checkpoint Firewall. We are running CPFW-1 4.1 (SP3), and I have 3 interfaces on the Firewall box as follows:

  hme1 - 10.1.0.0/16
  qfe0 - 192.168.0.0/24
  hme0 - Real-world Address Range

At the moment we have a machine on the LAN (10.1.0.0/16 subnet) that authenticates to another machine (PDC) on the same network. I want to move this machine into the 192.168.0.0/24 subnet and keep the ability to authenticate back to the internal network.

If I look at /opt/CPfw1-41/conf/objects.C, I have set ":netbios_nat (true)" under the :props section. However, when I physically move the machine over to the other network and try to authenticate across, I get a "no domain server was available to validate your password". The only traffic I see in my logs is NetBIOS broadcast traffic from the machine I have moved onto the subnet I have moved it to. I've tried NAT'ing these packets back directly onto the 10.1.0.0/16 subnet without any joy.

I don't know a huge amount about Microsoft NT or NetBIOS, so it is possible that there is a setting somewhere I need to adjust on the MS Operating System side... Does anyone have any ideas?

There is an article on Microsoft's website saying that to establish a domain trust across a firewall I need to open up the following ports:

  135 TCP/UDP
  137 UDP
  138 UDP
  139 TCP
  All ports above 1024 for RPC communication (!!!!!??!?)

(see: http://support.microsoft.com/support/kb/articles/q179/4/42.asp)

Is this really true? Has anybody on this list had any experience whatsoever with getting NT trust relationships to work in a NAT environment with Checkpoint Firewall? Or can somebody tell me exactly what is going to happen in terms of straight TCP / UDP communication between these 2 machines when I enter the password and hit 'enter'?
:))

Thanks in advance,
-jonny