https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216664#M418170 <HTML><HEAD></HEAD><BODY><P>I have attempted this, but all I get when I ping is negotiating IP security.</P><P></P><P>I think this should be working but I'm obviously missing something.</P></BODY></HTML> Thu, 16 Apr 2009 18:50:40 GMT dirkmelvin 2009-04-16T18:50:40Z https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216659#M418165 <P>I am attempting to get AD to cooperate from a parent domain on the outside of the ASA to a child domain on the inside of the ASA.</P><P></P><P>So far when I first setup the child domain all is well (assuming because the inside server is initiating the chatter) but after a little while (not sure of time frame) AD stops synching and get errors on the servers about such.</P> Fri, 21 Feb 2020 11:24:20 GMT https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216659#M418165 dirkmelvin 2020-02-21T11:24:20Z https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216660#M418166 <HTML><HEAD></HEAD><BODY><P>This is just off the top of my head, but you'll need LDAP, DNS, and Kerberos opened up. If you want filing browsing, you'll have to open RPC all ports &gt;1024 and 137-139, &amp; 445. You have a couple of other options though. You can use an IPSec tunnel between the two servers and/or RPC over HTTPS. </P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 16 Apr 2009 12:57:32 GMT https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216660#M418166 Collin Clark 2009-04-16T12:57:32Z https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216661#M418167 <HTML><HEAD></HEAD><BODY><P>I will try to illustrate my setup here.</P><P></P><P>Internet----ASA1--Domain1</P><P> |</P><P> |</P><P> ASA2--Domain1.1</P><P>I'll post my configs from both ASAs later today.</P><P></P></BODY></HTML> Thu, 16 Apr 2009 13:33:30 GMT https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216661#M418167 dirkmelvin 2009-04-16T13:33:30Z https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216662#M418168 <HTML><HEAD></HEAD><BODY><P>I would recommend using an IPSEC tunnel for this if possible.</P><P></P><P>The following link shows a list of required ports</P><P></P><P><A class="jive-link-custom" href="http://technet.microsoft.com/en-us/library/bb727063.aspx" target="_blank">http://technet.microsoft.com/en-us/library/bb727063.aspx</A></P><P></P><P>HTH </P><P></P><P>Steve</P></BODY></HTML> Thu, 16 Apr 2009 18:47:31 GMT https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216662#M418168 AxiomConsulting 2009-04-16T18:47:31Z https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216663#M418169 <HTML><HEAD></HEAD><BODY><P>Nice link Steve, thanks.</P></BODY></HTML> Thu, 16 Apr 2009 18:49:17 GMT https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216663#M418169 Collin Clark 2009-04-16T18:49:17Z https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216664#M418170 <HTML><HEAD></HEAD><BODY><P>I have attempted this, but all I get when I ping is negotiating IP security.</P><P></P><P>I think this should be working but I'm obviously missing something.</P></BODY></HTML> Thu, 16 Apr 2009 18:50:40 GMT https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216664#M418170 dirkmelvin 2009-04-16T18:50:40Z https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216665#M418171 <HTML><HEAD></HEAD><BODY><P>If you are able to, please post your configs for us to review.</P><P></P><P>Thanks</P><P></P><P>Steve</P></BODY></HTML> Thu, 16 Apr 2009 18:53:33 GMT https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216665#M418171 AxiomConsulting 2009-04-16T18:53:33Z https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216666#M418172 <HTML><HEAD></HEAD><BODY><P>Here my 2 configs.</P><P></P><P>Outside is the ASA connected to Internet, inside is the ASA on the inside interface of the outside ASA.</P><P></P><P>There are 3 AD servers on the inside interface of the outside ASA, and there are 2 AD servers on the inside interface of the inside ASA. all 5 of these servers need to speak AD to each other.</P><P></P><P> </P><P></P></BODY></HTML> Mon, 20 Apr 2009 15:38:17 GMT https://community.cisco.com/t5/network-security/asa-how-to-allow-active-directory-to-traverse-outside-and-inside/m-p/1216666#M418172 dirkmelvin 2009-04-20T15:38:17Z