topic Domain Authentication through an ASA in Network Security

Domain Authentication through an ASA

conversyschris — Mon, 11 Mar 2019 11:30:36 GMT

Hello.

Basically this is my setup.

DMZ - 10.10.xxx.xxx

Private - 192.168.xx.xxx

Outside - 66.38.xxx.xxx

I have my new domain controller on the Private network where I house my database servers. I am trying to get my webservers from DMZ to authenticate through my ASA 5520 to the new domain controller on the Private side... I have tried a few things but haven't had any luck, does anyone know an easy way of explaining this configuration on the firewall, or have a document that could help me out?

Thanks,

Chris

Re: Domain Authentication through an ASA

jaravinthan — Thu, 25 Oct 2007 15:08:57 GMT

Hi,

What is the security level of DMZ and Private interfaces? do you have any ACL's on these interfaces inbound/outbound? what is protocol/port used by Webserver to authenticate to the DC?

Re: Domain Authentication through an ASA

JORGE RODRIGUEZ — Thu, 25 Oct 2007 16:55:27 GMT

Chris, if I understand, DC in inside and webserver in DMZ , what does your access list look like can you post.. you may need to open up some tcp and udp ports, create a service object group with these ports, tcp/udp 445, 88,389,53 you may also need netbios ports for file directory access.

refer to this link for ports required,

you may also look into spcific ports in microsoft website knowledbase.

http://www.jarmanator.net/kb/server2k3fwports.htm

http://technet2.microsoft.com/windowsserver/WSS/en/library/5b000a77-471a-400d-b446-aa68a9526f3e1033.mspx?mfr=true

this example is for just DNS tcp port

assume DC IP: 192.168.1.20

DMZ host IP : 10.10.10.1

static(inside,DMZ) 10.10.10.1 192.168.1.20 netmask 255.255.255.255

access-list DMZ_access_in permit tcp host 10.10.10.1 host 192.168.1.20 eq 53

access-group DMZ_access_in in interface DMZ

apply same principle when you create tcp udp services object group.

HTH

Jorge

Re: Domain Authentication through an ASA

conversyschris — Fri, 26 Oct 2007 13:08:47 GMT

Hi Jorge,

Thanks for the response, I have attached a copy of my current ACLs loaded on the device, your post has already given me a great deal to work with, but hopefully you can take a look and determine a bit more of what I need for this setup.

Thanks

Chris

Re: Domain Authentication through an ASA

conversyschris — Fri, 26 Oct 2007 17:01:25 GMT

Forgot to add these lines to my configuration doc.

access-group OUT66 in interface Outside66

access-group DMZ in interface DMZ

Re: Domain Authentication through an ASA

conversyschris — Tue, 30 Oct 2007 12:39:30 GMT

After doing some research and looking into a few things I assume that this is what I need to add.

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 53

static (Inside,DMZ) 10.10.xxx.xxx 192.168.x.xxx netmask 255.255.255.255

Following the same format, I will add more ACL entries for the other protocols used by Active Directory to allow my host(s) to access the Domain Controller on the Inside

Does that config look as though it will work? I am having some major issues with this configuration because we do not have a test environment and I cant afford any downtime on my firewall, my deadline for testing is coming up soon, any review/comments would be appreciated.

Thanks in advance,

Chris

Re: Domain Authentication through an ASA

conversyschris — Fri, 02 Nov 2007 13:03:03 GMT

I am adding my configuration and testing this Monday. I have come up with this so far:

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 53

access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 53

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 445

access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 445

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 389

access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 389

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 88

access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 88

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 389

access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 389

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 636

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 1025

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 3268

static (Inside,DMZ) 10.10.xxx.xxx 192.168.x.xxx netmask 255.255.255.255

As I mentioned I have to add this configuration and test in my LIVE environment on Monday, if anyone could review my initial ACL configuration from the document I posted, and asses my new additions to tell me if this will work as planned I would appreciate it.

Thanks,

Chris

Re: Domain Authentication through an ASA

conversyschris — Fri, 02 Nov 2007 13:07:50 GMT

My old post with the config expired, here it is.