Firewall Wizards mailing list archives

Re: [Fwd: [Fwd: Firewall blocking broadcasts in between NT Servers]]


From: mike.parsons () wachovia com
Date: Fri, 24 Jul 1998 12:02:05 -0400

Part of your problem may be related to an old vestige of Netbios
encapsulated in IP.  In that circumstance, your best bet may be to either
get a packet filter capable of "NAT"ing addresses in the payload (CISCO's
PIX comes to mind) or move the servers to segments protected by the
firewalls with routable addresses and using a redirect on the untrusted
interface of the firewalls to in effect publish those addresses to the
outside.

This way, you can overcome the deficiencies in the way Microsoft handles IP
addressing in NT.  (BTW, I sincerely hope they fix this in version 5.0 of
NT if it's ever released as GA.)






gibbs () netquest com on 07/22/98 04:19:52 AM

Please respond to gibbs () netquest com

To:   firewall-wizards () nfr net
cc:    (bcc: Michael Parsons/CCI/WACH)
Subject:  [Fwd: [Fwd: Firewall blocking broadcasts in between NT Servers]]









From: "vanVelthoven, Wayne" <Wayne.vanVelthoven () nrc ca>
To: "'borkin () netquest com'" <borkin () netquest com>
Subject: RE: [Fwd: Firewall blocking broadcasts in between NT Servers]
Date: Sun, 19 Jul 1998 14:49:05 -0400



I haven't been able to solve that one.  The firewall is doing the IP
masquerading thing and I don't know how to handle that.  I tried using
LMHOSTS files all over as well as WINS static entries, but somehow the
PDC is still getting told about the wrong IP address.  The only way I
can see that happening is if the web server is sending the PDC messages
like "according to my records, my own IP address is..." as opposed to
"the IP address on this packet is mine".  So that amounts to the content
of the packet, which the firewall cannot translate.

The only thing (I think) I can do is to take the server out of the
domain and make it completely stand-alone.  We'll have to maintain an
extra SAM database, but at least the alerts will stop.

Nothing so far has helped with the masquerading problem, including
endless searches in the knowledge base.  Maybe I've missed something,
but for now I'm just telling them it can't be done.  If you hear about
any new ideas to solve this, please let me know.
Thanks very much for your help, Mike and everyone else who replied.

Wayne van Velthoven, MCP
National Research Council Canada


     -----Original Message-----
     From:     borkin () netquest com [SMTP:borkin () netquest com]
     Sent:     1998-07-17 (Friday) 22:19
     To:  wayne.vanvelthoven () nrc ca
     Subject:  [Fwd: Firewall blocking broadcasts in between NT Servers]

     Wayne,

       I hope this has helped you.. let me know if and how you solved the
     problem so I can pass it back to the people who helped.  I think that
     the posts that you'll receive on this are pretty much at an end unless I
     re-post what the current situation is.

     Mike

      << Message: Re: Firewall blocking broadcasts in between NT Servers >>
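
Added example, not part of the thread or of any poster's message: a Python sketch of the "content of the packet" problem described above. It assumes the message involved is a NetBIOS Name Service registration (RFC 1001/1002), which the thread does not confirm; the host name and both addresses are constructed sample values.

```python
import socket
import struct

NB_TYPE = 0x0020  # RR type "NB" in RFC 1002

def encode_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: 16 name bytes become 32 letters 'A'..'P'."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    half = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + half + b"\x00"

def build_registration(name, own_ip, trn_id=0x1234):
    """Constructed sample: the registration a host sends about itself."""
    # flags 0x2910 = opcode 5 (registration), RD and B bits set
    header = struct.pack(">HHHHHH", trn_id, 0x2910, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", NB_TYPE, 1)
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(own_ip)  # NB_FLAGS, NB_ADDRESS
    rr = b"\xc0\x0c" + struct.pack(">HHIH", NB_TYPE, 1, 300000, len(rdata)) + rdata
    return header + question + rr

def embedded_addresses(payload):
    """Return the IPv4 addresses carried in the additional record's RDATA."""
    qd, _an, _ns, ar = struct.unpack(">HHHH", payload[4:12])
    if qd != 1 or ar < 1:
        return []
    off = 12
    off += payload[off] + 2          # length byte, encoded name, terminator
    off += 4                         # QTYPE and QCLASS
    if payload[off] & 0xC0 == 0xC0:  # RR_NAME is a compression pointer
        off += 2
    else:
        off += payload[off] + 2
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", payload[off:off + 10])
    off += 10
    if rtype != NB_TYPE:
        return []
    rdata = payload[off:off + rdlen]
    # each entry is 2 bytes of NB_FLAGS followed by a 4-byte address
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]

def stale_addresses(observed_src, payload):
    """Embedded addresses that differ from the source IP the receiver sees."""
    return [a for a in embedded_addresses(payload) if a != observed_src]

if __name__ == "__main__":
    # Constructed values: inside address 10.1.1.20, translated to 192.0.2.20.
    pkt = build_registration("WEBSRV", "10.1.1.20")
    print("payload still claims:", stale_addresses("192.0.2.20", pkt))
```

A translator that rewrites only the IP header leaves the address in the RDATA untouched, which is why the receiver ends up with the untranslated address.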








