
ASA 5505 Port Issue

Thomas Yarger
Level 1

Experts,

I'm trying to get a couple clients to talk to my Active Directory servers. I've created sub-interfaces on my ASA. So, my clients are on Gi0/1.139 and my two Active Directory servers are on Gi0/1.132. I've enabled traffic on TCP 53-5000 port range according to Microsoft. My clients still can't join the domain. Any idea on what ports I need to open up? My AD servers are Windows 2003. Thanks!

8 Replies

stojanr
Level 1

Do you have logging enabled? Do you see any blocked messages in the logs?


Stojanr,

I haven't looked at the log. I will do so and see what I find. Thanks

Hello Thomas,

What are the security levels of these 2 interfaces? If they are the same, use the command same-security-traffic permit inter-interface.

If the security levels are different, you need to check NAT/ACL.

regards,

Othman

Othman,

Gi0/1.132 is set to 75 and Gi0/1.139 is set to 0.

Please provide the config.

Othman,

I can't do that due to security reasons and what the firewall is being used for. If this makes it difficult to troubleshoot, then I will close out the thread. Is there anything else I can provide?

Are you sure about the ports needed? I don't think it is only the TCP 53-5000 port range according to Microsoft.

You definitely need other Microsoft ports like NetBIOS (137 to 139), DNS (UDP/53), SMB/CIFS (TCP/445) and many others (LDAP, Kerberos...).

You might also need to open all dynamic ports >1025 (range 1024-65535)...

You should enable logging and see what the ASA is reporting as denied by interface ACL, then adjust the configuration accordingly...

http://support.microsoft.com/kb/832017

Windows 2000, Windows XP and Windows Server 2003 use a dynamic port range of

  • Start port: 1025
  • End port: 5000

System service name: Netlogon

Application protocol       Protocol   Ports
NetBIOS Datagram Service   UDP        138 ³
NetBIOS Name Resolution    UDP        137 ³
NetBIOS Session Service    TCP        139 ³
SMB                        TCP        445
LDAP                       UDP        389
RPC ¹                      TCP        135, random port number between 1024 - 65535
                                      135, random port number between 49152 - 65535 ²
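The advice in this reply is to read the ASA's ACL-deny messages and compare them against the Netlogon port list. The script below is an added example (not from this thread or from Cisco) that does exactly that over a handful of constructed %ASA-4-106023 deny lines; the interface names, addresses and ACL name are assumptions, and the message layout follows the documented 106023 format.

```python
import re
from collections import Counter

# Netlogon ports from KB 832017 as quoted above, plus the Windows Server 2003
# dynamic RPC range (1025-5000) that the RPC endpoint mapper hands out.
REQUIRED = {("udp", 137), ("udp", 138), ("tcp", 139),
            ("tcp", 445), ("udp", 389), ("tcp", 135)}
DYNAMIC_RANGE = (1025, 5000)

# %ASA-4-106023 layout: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
# by access-group "<acl>" [hex, hex]  (interface/ACL names here are assumed).
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>tcp|udp|icmp) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"')

# Constructed sample: a client on the low-security sub-interface trying to
# reach a domain controller on the high-security one.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src clients:10.139.0.20/49231 dst servers:10.132.0.10/445 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src clients:10.139.0.20/49232 dst servers:10.132.0.10/389 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src clients:10.139.0.20/137 dst servers:10.132.0.10/137 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src clients:10.139.0.20/49233 dst servers:10.132.0.10/1029 by access-group "clients_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src clients:10.139.0.20/49234 dst servers:10.132.0.10/8080 by access-group "clients_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 12 for clients:10.139.0.20/49235 (10.139.0.20/49235) to servers:10.132.0.10/53 (10.132.0.10/53)
"""

def parse_denies(lines):
    """Return (proto, dst_port, acl) for every ACL-deny line; ignore the rest."""
    hits = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            hits.append((m.group("proto"), int(m.group("dport")), m.group("acl")))
    return hits

def classify(denies):
    """Count denied (proto, port) pairs and pick out the ones a domain join needs."""
    counts = Counter((proto, port) for proto, port, _ in denies)
    needed = {}
    for (proto, port), n in counts.items():
        in_dynamic = proto == "tcp" and DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1]
        if (proto, port) in REQUIRED or in_dynamic:
            needed[(proto, port)] = n
    return counts, needed

if __name__ == "__main__":
    counts, needed = classify(parse_denies(SAMPLE_LOG.splitlines()))
    for (proto, port), n in sorted(needed.items()):
        print(f"AD-required {proto}/{port} denied {n}x - add a permit for it")
```

Every pair the script flags is one the ACL on the low-security interface must permit towards the DC subnet; TCP/8080 is denied too but is not on the Netlogon list, so it is reported in `counts` only.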

Patrick,

Thanks for the information. I'm using the logging and I'm seeing nothing. I also used the Syslog that came with my Solarwinds package. I went ahead and opened all TCP, UDP and ICMP ports for troubleshooting purposes and I still can't get the client to join the Domain Controller. Microsoft said the servers are configured correctly and that it's a firewall issue. I verified the routing and all is configured correctly. My ASA is on IOS 7.2(2). Where would I go to get a bug list for that IOS version?
