
ASA 5505 Port Issue

Thomas Yarger
Level 1

Experts,

I'm trying to get a couple clients to talk to my Active Directory servers. I've created sub-interfaces on my ASA. So, my clients are on Gi0/1.139 and my two Active Directory servers are on Gi0/1.132. I've enabled traffic on TCP 53-5000 port range according to Microsoft. My clients still can't join the domain. Any idea on what ports I need to open up? My AD servers are Windows 2003. Thanks!

8 Replies

stojanr
Level 1

Do you have logging enabled? Do you see any blocked messages in the logs?

Sent from Cisco Technical Support iPad App

Stojanr,

I haven't looked at the log. I will do so and see what I find. Thanks

Hello Thomas,

What are the sec levels of these 2 interfaces? If they are the same, use the command same-security-traffic permit inter-interface.

If they have different sec levels, you need to check NAT/ACL.

Regards,

Othman

Othman,

Gi0/1.132 is set to 75 and Gi0/1.139 is set to 0

Please provide the config.

Othman,

I can't do that due to security reasons and what the firewall is being used for. If this makes it difficult to troubleshoot, then I will close out the thread. Is there anything else I can provide?

Are you sure about the ports needed? I don't think it is only the TCP 53-5000 port range according to Microsoft.

You definitely need other Microsoft ports like NetBIOS (137 to 139), DNS (UDP/53), SMB/CIFS (TCP/445) and many others (LDAP, Kerberos...).

You might also need to open all dynamic ports >1025 (range 1024-65535)...

You should enable logging and see what the ASA is reporting as denied by the interface ACL, then adjust the configuration accordingly...

http://support.microsoft.com/kb/832017

Windows 2000, Windows XP and Windows Server 2003 use a dynamic port range of

  • Start port: 1025
  • End port: 5000

System service name: Netlogon

| Application protocol | Protocol | Ports |
|---|---|---|
| NetBIOS Datagram Service | UDP | 138 ³ |
| NetBIOS Name Resolution | UDP | 137 ³ |
| NetBIOS Session Service | TCP | 139 ³ |
| SMB | TCP | 445 |
| LDAP | UDP | 389 |
| RPC¹ | TCP | 135, random port number between 1024 - 65535; 135, random port number between 49152 - 65535² |
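
The log check suggested in the reply above can be scripted. The following Python is an added example, not part of the original post and not Cisco or Microsoft code: it reads ASA syslog message 106023 (deny by interface ACL) and separates denies that hit the Active Directory ports listed in this thread from other denied traffic. The interface names, ACL name and addresses in the sample lines are constructed, and the port numbers for Kerberos and LDAP over TCP are the standard assignments rather than values quoted in the thread.

```python
import re
from collections import Counter

# Ports named in the thread and its KB 832017 excerpt. Kerberos and TCP LDAP are
# named there without numbers; 88 and 389 are their standard assignments.
REQUIRED = {
    ("udp", 53): "DNS", ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper", ("udp", 137): "NetBIOS name",
    ("udp", 138): "NetBIOS datagram", ("tcp", 139): "NetBIOS session",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP", ("tcp", 445): "SMB",
}
DYNAMIC_RPC = range(1025, 5001)  # Windows Server 2003 dynamic TCP range (1025-5000)
# ASA syslog message 106023: packet denied by an interface ACL.
DENY = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>tcp|udp) src \S+ "
    r"dst [^:\s]+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group"
)

def classify(proto, port):
    """Return the AD service behind a destination port, or None if not on the list."""
    if proto == "tcp" and port in DYNAMIC_RPC:
        return "RPC dynamic port"
    return REQUIRED.get((proto, port))

def summarize_denies(lines, dc_addrs):
    """Count ACL denies toward the domain controllers: AD services vs. other traffic."""
    ad, other = Counter(), Counter()
    for line in lines:
        m = DENY.search(line)
        if not m or m["dip"] not in dc_addrs:
            continue
        proto, port = m["proto"], int(m["dport"])
        service = classify(proto, port)
        if service:
            ad[(proto, port, service)] += 1
        else:
            other[(proto, port)] += 1
    return ad, other
# Constructed sample log lines: interface names, ACL name and addresses are made up.
LINE = ('%ASA-4-106023: Deny {} src clients:192.0.2.20/1045 '
        'dst servers:198.51.100.10/{} by access-group "clients_in" [0x0, 0x0]')
SAMPLE = [LINE.format(p, d) for p, d in
          [("udp", 53), ("tcp", 88), ("tcp", 88), ("tcp", 1026), ("tcp", 8080)]]
if __name__ == "__main__":
    ad, other = summarize_denies(SAMPLE, {"198.51.100.10"})
    for (proto, port, service), n in sorted(ad.items()):
        print(f"required but denied: {proto}/{port} ({service}) x{n}")
    for (proto, port), n in sorted(other.items()):
        print(f"denied, not on the AD list: {proto}/{port} x{n}")
```

If the summary comes back empty while the domain join still fails, the drop is not being logged as an ACL deny, which points away from the access list and toward logging level, NAT or routing.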

Patrick,

Thanks for the information. I'm using the logging and I'm seeing nothing. I also used the Syslog that came with my Solarwinds package. I went ahead and opened all TCP, UDP and ICMP ports for troubleshooting purposes and I still can't get the client to join the Domain Controller. Microsoft said the servers are configured correctly and that it's a firewall issue. I verified the routing and all is configured correctly. My ASA is on IOS 7.2(2). Where would I go to get a bug list for that IOS version?
