Firewall Wizards mailing list archives

Cisco FWSM/ASA Question


From: Matthew Watkins <matt () idnet net>
Date: Fri, 27 Jul 2007 13:36:16 +0100

I'm investigating a problem with Windows client computers situated  
behind a pair of redundant firewall services modules (installed in a  
Cisco Catalyst 6513 switch). There's a new domain controller on one  
VLAN, and our Windows/PC clients sit on another. Both networks are  
routed through the FWSM, and general network connectivity seems fine.

The firewall blades are running the latest version of the FWSM/ASA code:

        FWSM Firewall Version 3.1(6)

Basically, my Mac laptop running OS X seems to connect to all parts  
of the network without problems. It can mount shares, resolve DNS  
etc... However, the Windows desktop clients seem unable to log on to  
the domain when booted up behind the firewall. Initially, I thought  
the problem might be related to DNS protocol inspection, since we  
were seeing the log messages below:

Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1026 due to DNS Response

I've subsequently removed DNS inspection from the global default  
rules, but it hasn't made any difference. This is a new site which we  
are in the process of building, so the access-lists for both networks  
are currently wide open:

access-list PERMISSIVE extended permit ip any any
access-group PERMISSIVE in interface inside
access-group PERMISSIVE in interface office-wired
access-group PERMISSIVE in interface office-dmz

We've created a stripped down domain user account, with no DFS shares  
or home drive mappings, and this user account can successfully log in  
to the domain. Our servers are all running Win2K3. Any ideas what the  
problem might be? I'm not seeing messages in the logs, and I'm a bit  
confused about the possible cause...

Any ideas gratefully received!

- Matt
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
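As an added example (not part of Matt's post or any Cisco tooling), a small Python parser for the %FWSM-2-106007 syslog line quoted above; it turns the line into structured fields and counts DNS-inspection denies per resolver/client pair, which is the quickest way to see whether the drops cluster on one resolver. The sample log lines are constructed, including the 302015 "Built" line, and the regex tolerates the line wrap the archive inserted after "%".

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Regex for the FWSM 106007 syslog line quoted in the post. It is whitespace-tolerant
# because list archives wrap the line after the "%" sign.
DENY_RE = re.compile(
    r"%\s*FWSM-(?P<sev>\d)-(?P<msgid>\d{6}):\s*Deny inbound (?P<proto>\w+)\s+from\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)\s+to\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)\s+due to\s+(?P<reason>.+?)\s*$"
)

@dataclass(frozen=True)
class InspectionDeny:
    msgid: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    reason: str

def parse_deny(line: str) -> Optional[InspectionDeny]:
    """Return the structured deny, or None if the line is not a 106007 message."""
    m = DENY_RE.search(line)
    if not m or m.group("msgid") != "106007":
        return None
    return InspectionDeny(m.group("msgid"), m.group("proto").upper(),
                          m.group("src"), int(m.group("sport")),
                          m.group("dst"), int(m.group("dport")), m.group("reason"))

def dns_denies_by_resolver(lines: Iterable[str]) -> Counter:
    """Count denies per (resolver, client) pair where a reply from UDP/53 was
    dropped "due to DNS Response", the pattern the post attributes to inspect dns."""
    hits: Counter = Counter()
    for line in lines:
        d = parse_deny(line)
        if d and d.sport == 53 and d.reason.lower().startswith("dns response"):
            hits[(d.src, d.dst)] += 1
    return hits

# Constructed sample log lines in the format of the message quoted in the post;
# the third line is a constructed connection-built message that must be ignored.
SAMPLE_LOG = """\
Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com % FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1026 due to DNS Response
Jul 26 16:55:22 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1027 due to DNS Response
Jul 26 16:55:23 cam-sh-fw1-inside.redstardevelopment.com %FWSM-6-302015: Built outbound UDP connection 12 for office-wired:172.29.6.2/1028 (172.29.6.2/1028) to inside:172.17.50.3/53 (172.17.50.3/53)
""".splitlines()

if __name__ == "__main__":
    for pair, n in dns_denies_by_resolver(SAMPLE_LOG).items():
        print(f"resolver {pair[0]} -> client {pair[1]}: {n} DNS responses denied")
```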