cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1234
Views
0
Helpful
8
Replies
Highlighted
Beginner

ASA 5505 Port Issue

Experts,

I'm trying to get a couple clients to talk to my Active Directory servers. I've created sub-interfaces on my ASA. So, my clients are on Gi0/1.139 and my two Active Directory servers are on Gi0/1.132. I've enabled traffic on TCP 53-5000 port range according to Microsoft. My clients still can't join the domain. Any idea on what ports I need to open up? My AD servers are Windows 2003. Thanks!

8 REPLIES 8
Highlighted
Beginner

Do you have logging enabled? Do you see any blocked messages in the logs?

Sent from Cisco Technical Support iPad App

Highlighted

Stojanr,

I haven't looked at the log. I will do so and see what I find. Thanks

Highlighted

Hello Thomas,

what are the sec level of these 2 interfaces? if they are the same, use the command same-security-traffic permit inter-interface.

if different sec level, you need to check NAT/ACL.

regards,

Othman

Highlighted

Othman,

Gi0/1.132 is set to 75 and Gi0/1.139 is set to 0

Highlighted

please provide the config

Highlighted

Othman,

I can't do that due to security reasons and what the firewall is being used for. If this makes it difficult to troubleshoot, then I will close out the thread. Is there anything else I can provide?

Highlighted

Are you sure about the ports needed. I dont think it is only TCP 53-5000 port range according to Microsoft

You definetly need other microsoft ports like netbios (137 to 139), dns (udp/53), SMB/CIFS (TCP/445) and many others (LDAP, Kerberos...).

you might also need to open all dynamic ports >1025 (range 1024 65535)...

you should enable logging and see what the ASA is reporting as denied by interface ACL then adjust the configuration accordingly...

http://support.microsoft.com/kb/832017

Windows 2000, Windows XP and Windows Server 2003 use a dynamic port range of

  • Start port: 1025
  • End port: 5000

System service name:

Netlogon

Application protocolProtocolPorts
NetBIOS Datagram ServiceUDP138 ³
NetBIOS Name ResolutionUDP137 ³
NetBIOS Session ServiceTCP139 ³
SMBTCP445
LDAPUDP389
RPC¹TCP135, random port number between 1024 - 65535
135, random port number between 49152 - 65535²

Highlighted

Patrick,

Thanks for the information. I'm using the logging and I'm seeing nothing. I also used the Syslog that came with my Solarwinds package. I went ahead and opened all TCP, UDP and ICMP ports for troubleshooting purposes and I still can't get the client to join the Domain Controller. Microsoft said the servers are configured correctly and that it's a firewall issue. I verified the routing and all is configured correctly. My ASA is on IOS 7.2(2). Where would I go to get a bug list for that IOS version?

Content for Community-Ad