03-11-2013 12:31 PM - edited 03-11-2019 06:12 PM
Experts,
I'm trying to get a couple of clients to talk to my Active Directory servers. I've created sub-interfaces on my ASA. So, my clients are on Gi0/1.139 and my two Active Directory servers are on Gi0/1.132. I've enabled traffic on the TCP 53-5000 port range according to Microsoft. My clients still can't join the domain. Any idea on what ports I need to open up? My AD servers are Windows 2003. Thanks!
03-11-2013 01:52 PM
Do you have logging enabled? Do you see any blocked messages in the logs?
Sent from Cisco Technical Support iPad App
03-12-2013 04:47 AM
Stojanr,
I haven't looked at the log. I will do so and see what I find. Thanks
03-12-2013 04:55 AM
Hello Thomas,
What are the security levels of these 2 interfaces? If they are the same, use the command same-security-traffic permit inter-interface.
If they have different security levels, you need to check NAT/ACL.
regards,
Othman
03-12-2013 04:59 AM
Othman,
Gi0/1.132 is set to 75 and Gi0/1.139 is set to 0
03-12-2013 05:20 AM
please provide the config
03-12-2013 05:23 AM
Othman,
I can't do that due to security reasons and what the firewall is being used for. If this makes it difficult to troubleshoot, then I will close out the thread. Is there anything else I can provide?
03-13-2013 09:11 PM
Are you sure about the ports needed? I don't think it is only the TCP 53-5000 port range according to Microsoft.
You definitely need other Microsoft ports like NetBIOS (137 to 139), DNS (UDP/53), SMB/CIFS (TCP/445) and many others (LDAP, Kerberos...).
You might also need to open all dynamic ports >1025 (range 1024-65535)...
You should enable logging and see what the ASA is reporting as denied by the interface ACL, then adjust the configuration accordingly...
http://support.microsoft.com/kb/832017
Windows 2000, Windows XP and Windows Server 2003 use a dynamic port range of
System service name: Netlogon
Application protocol | Protocol | Ports |
NetBIOS Datagram Service | UDP | 138³ |
NetBIOS Name Resolution | UDP | 137³ |
NetBIOS Session Service | TCP | 139³ |
SMB | TCP | 445 |
LDAP | UDP | 389 |
RPC¹ | TCP | 135, random port number between 1024 - 65535 / 135, random port number between 49152 - 65535² |
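As an added example (not from this thread), here is a small Python script in the spirit of the "enable logging and see what the ASA is denying" advice in the replies above: it parses %ASA-4-106023 ACL-deny messages, keeps only those aimed at the two AD servers, and labels each denied destination port with the AD service from the KB table. The interface names, addresses and log lines are constructed; Kerberos 88 and LDAP TCP 389 are added from Microsoft's documentation.

```python
import re
from collections import Counter

# Matches the ASA 106023 ACL-deny syslog for TCP/UDP (ICMP denies carry no port and are skipped).
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>tcp|udp) '
    r'src [\w.-]+:(?P<src_ip>[\d.]+)/\d+ '
    r'dst [\w.-]+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"')

# Port-to-service map taken from the KB 832017 rows quoted above; Kerberos 88 and LDAP TCP 389 added.
AD_PORTS = {("udp", 53): "DNS", ("tcp", 88): "Kerberos", ("tcp", 135): "RPC endpoint mapper",
            ("udp", 137): "NetBIOS name", ("udp", 138): "NetBIOS datagram",
            ("tcp", 139): "NetBIOS session", ("udp", 389): "LDAP", ("tcp", 389): "LDAP",
            ("tcp", 445): "SMB"}

def classify(proto, port):
    """Name the AD service behind a denied destination port, or flag the 2003 dynamic RPC range."""
    if (proto, port) in AD_PORTS:
        return AD_PORTS[(proto, port)]
    if proto == "tcp" and 1024 <= port <= 65535:
        return "RPC dynamic (1024-65535 on Windows 2003)"
    return "other"

def summarize_denies(lines, ad_servers):
    """Count ACL denies toward the listed AD servers, keyed by (dst_ip, proto, port, service)."""
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m and m.group("dst_ip") in ad_servers:
            proto, port = m.group("proto"), int(m.group("dst_port"))
            counts[(m.group("dst_ip"), proto, port, classify(proto, port))] += 1
    return counts

# Constructed sample syslog lines (hypothetical nameifs "clients"/"servers" and private addresses).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src clients:10.1.139.20/49211 dst servers:10.1.132.10/445 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src clients:10.1.139.20/52010 dst servers:10.1.132.10/389 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src clients:10.1.139.20/49212 dst servers:10.1.132.11/135 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src clients:10.1.139.20/49213 dst servers:10.1.132.11/1047 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src clients:10.1.139.20/49214 dst servers:10.1.132.10/445 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src clients:10.1.139.21/49300 dst other:10.1.50.5/80 by access-group "clients_in" [0x0, 0x0]
"""
AD_SERVERS = {"10.1.132.10", "10.1.132.11"}

if __name__ == "__main__":
    for (ip, proto, port, svc), n in sorted(summarize_denies(SAMPLE_LOG.splitlines(), AD_SERVERS).items()):
        print(f"{ip:<14} {proto}/{port:<5} {svc:<40} denied {n}x")
```

Denies that land in the dynamic range point at the RPC follow-on connections rather than a missing well-known port, which is the usual reason a join fails after the listed ports are already open.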
03-15-2013 05:22 AM
Patrick,
Thanks for the information. I'm using the logging and I'm seeing nothing. I also used the Syslog that came with my SolarWinds package. I went ahead and opened all TCP, UDP and ICMP ports for troubleshooting purposes and I still can't get the client to join the Domain Controller. Microsoft said the servers are configured correctly and that it's a firewall issue. I verified the routing and all is configured correctly. My ASA is on IOS 7.2(2). Where would I go to get a bug list for that IOS version?