I'm trying to get a couple clients to talk to my Active Directory servers. I've created sub-interfaces on my ASA. So, my clients are on Gi0/1.139 and my two Active Directory servers are on Gi0/1.132. I've enabled traffic on TCP 53-5000 port range according to Microsoft. My clients still can't join the domain. Any idea on what ports I need to open up? My AD servers are Windows 2003. Thanks!
What are the sec levels of these 2 interfaces? If they are the same, use the command same-security-traffic permit inter-interface.
If different sec level, you need to check NAT/ACL.
I can't do that due to security reasons and what the firewall is being used for. If this makes it difficult to troubleshoot, then I will close out the thread. Is there anything else I can provide?
Are you sure about the ports needed? I don't think it is only TCP 53-5000 port range according to Microsoft.
You definitely need other Microsoft ports like NetBIOS (137 to 139), DNS (UDP/53), SMB/CIFS (TCP/445) and many others (LDAP, Kerberos...).
You might also need to open all dynamic ports >1025 (range 1024-65535)...
You should enable logging and see what the ASA is reporting as denied by interface ACL, then adjust the configuration accordingly...
Windows 2000, Windows XP and Windows Server 2003 use a dynamic port range of
System service name:
| NetBIOS Datagram Service | UDP | 138 ³ |
| NetBIOS Name Resolution | UDP | 137 ³ |
| NetBIOS Session Service | TCP | 139 ³ |
| RPC¹ | TCP | 135, random port number between 1024 - 65535; 135, random port number between 49152 - 65535² |
Thanks for the information. I'm using the logging and I'm seeing nothing. I also used the Syslog that came with my Solarwinds package. I went ahead and opened all TCP, UDP and ICMP ports for troubleshooting purposes and I still can't get the client to join the Domain Controller. Microsoft said the servers are configured correctly and that it's a firewall issue. I verified the routing and all is configured correctly. My ASA is on IOS 7.2(2). Where would I go to get a bug list for that IOS version?
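The suggestion earlier in the thread to log what the ASA denies and adjust the ACL from that, as an added example that is not part of any post: a short Python script that tallies `%ASA-4-106023` (denied by access-group) messages per protocol and destination port for the domain controllers. The log lines, addresses, interface names (`clients`, `servers`) and ACL name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (addresses, interface and ACL names are made up).
SAMPLE_LOG = '''\
%ASA-4-106023: Deny udp src clients:10.1.139.25/1045 dst servers:10.1.132.10/53 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src clients:10.1.139.25/1046 dst servers:10.1.132.10/53 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src clients:10.1.139.25/1050 dst servers:10.1.132.10/445 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src clients:10.1.139.25/1051 dst servers:10.1.132.11/88 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src clients:10.1.139.25/1052 dst servers:10.1.132.10/1026 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src clients:10.1.139.25/1053 dst servers:192.0.2.7/80 by access-group "clients_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 101 for clients:10.1.139.25/1054 (10.1.139.25/1054) to servers:10.1.132.10/389 (10.1.132.10/389)
'''

# Matches the "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>" part of message 106023.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\S+) "
    r"src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# Well-known ports for the services named in the thread.
AD_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 137: "NetBIOS name",
            138: "NetBIOS datagram", 139: "NetBIOS session", 389: "LDAP", 445: "SMB/CIFS"}

def denied_to_servers(log_text, server_ips):
    """Count ACL denies per (protocol, destination port) aimed at the given servers."""
    hits = Counter()
    for m in DENY_RE.finditer(log_text):
        if m["dip"] in server_ips:
            hits[(m["proto"], int(m["dport"]))] += 1
    return hits

def describe(hits):
    """Render the counts, most frequent first, with the service each port usually carries."""
    rows = []
    for (proto, port), n in hits.most_common():
        name = AD_PORTS.get(port, "dynamic RPC range?" if port >= 1024 else "unknown")
        rows.append(f"{proto}/{port} ({name}): {n} denied")
    return rows

if __name__ == "__main__":
    for row in describe(denied_to_servers(SAMPLE_LOG, {"10.1.132.10", "10.1.132.11"})):
        print(row)
```

Message 106023 is emitted at severity 4 (warnings), so it only appears if the syslog destination is set to that level or a more verbose one.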