03-11-2013 12:31 PM - edited 03-11-2019 06:12 PM
Experts,
I'm trying to get a couple of clients to talk to my Active Directory servers. I've created sub-interfaces on my ASA. So, my clients are on Gi0/1.139 and my two Active Directory servers are on Gi0/1.132. I've enabled traffic on the TCP 53-5000 port range according to Microsoft. My clients still can't join the domain. Any idea on what ports I need to open up? My AD servers are Windows 2003. Thanks!
03-11-2013 01:52 PM
Do you have logging enabled? Do you see any blocked messages in the logs?
Sent from Cisco Technical Support iPad App
03-12-2013 04:47 AM
Stojanr,
I haven't looked at the log. I will do so and see what I find. Thanks
03-12-2013 04:55 AM
Hello Thomas,
What are the security levels of these 2 interfaces? If they are the same, use the command same-security-traffic permit inter-interface.
If the security levels are different, you need to check NAT/ACL.
regards,
Othman
03-12-2013 04:59 AM
Othman,
Gi0/1.132 is set to 75 and Gi0/1.139 is set to 0
03-12-2013 05:20 AM
Please provide the config.
03-12-2013 05:23 AM
Othman,
I can't do that due to security reasons and what the firewall is being used for. If this makes it difficult to troubleshoot, then I will close out the thread. Is there anything else I can provide?
03-13-2013 09:11 PM
Are you sure about the ports needed? I don't think it is only the TCP 53-5000 port range according to Microsoft.
You definitely need other Microsoft ports like NetBIOS (137 to 139), DNS (UDP/53), SMB/CIFS (TCP/445) and many others (LDAP, Kerberos...).
You might also need to open all dynamic ports >1025 (range 1024-65535)...
You should enable logging and see what the ASA is reporting as denied by the interface ACL, then adjust the configuration accordingly...
http://support.microsoft.com/kb/832017
Windows 2000, Windows XP and Windows Server 2003 use a dynamic port range of
System service name: Netlogon
Application protocol | Protocol | Ports |
NetBIOS Datagram Service | UDP | 138 ³ |
NetBIOS Name Resolution | UDP | 137 ³ |
NetBIOS Session Service | TCP | 139 ³ |
SMB | TCP | 445 |
LDAP | UDP | 389 |
RPC¹ | TCP | 135, random port number between 1024 - 65535; 135, random port number between 49152 - 65535² |
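As an added illustration (not config from this thread or from any poster), here is an ASA 7.x-style ACL that permits the domain-join ports listed above from the client sub-interface (security level 0) to the domain controllers (security level 75) and logs everything else that is dropped; the interface name "clients", the subnets, the DC addresses and the object/ACL names are assumed placeholders. Since the DCs are Windows 2003, the RPC dynamic range is 1024-65535 per the KB table.

```cisco
! Constructed example: permit Active Directory domain-join traffic from the
! client subnet (Gi0/1.139) to the two DCs (Gi0/1.132). Addresses are placeholders.
object-group network CLIENT_NET
 network-object 10.0.139.0 255.255.255.0
object-group network DC_HOSTS
 network-object host 10.0.132.10
 network-object host 10.0.132.11
!
! TCP services a domain join / logon needs: DNS, Kerberos, RPC endpoint mapper,
! NetBIOS session, LDAP, SMB, kpasswd, LDAPS, global catalog, plus the
! Windows 2003 RPC dynamic range (1024-65535 per KB 832017).
object-group service AD_TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 139
 port-object eq 389
 port-object eq 445
 port-object eq 464
 port-object eq 636
 port-object eq 3268
 port-object eq 3269
 port-object range 1024 65535
!
! UDP services: DNS, Kerberos, NTP (clock skew breaks Kerberos), NetBIOS
! name/datagram, LDAP (CLDAP DC locator pings), kpasswd.
object-group service AD_UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 137
 port-object eq 138
 port-object eq 389
 port-object eq 464
!
access-list CLIENTS_IN extended permit tcp object-group CLIENT_NET object-group DC_HOSTS object-group AD_TCP
access-list CLIENTS_IN extended permit udp object-group CLIENT_NET object-group DC_HOSTS object-group AD_UDP
access-list CLIENTS_IN extended permit icmp object-group CLIENT_NET object-group DC_HOSTS echo
! Explicit logged deny so the denied flows show up as 106100 syslogs.
access-list CLIENTS_IN extended deny ip any any log
access-group CLIENTS_IN in interface clients
```

The ACL covers only the filtering half of a low-to-high security traversal: if nat-control is enabled on the ASA, an identity translation (static or nat 0) for the client subnet is also required, and logging must be enabled at a level that captures the deny messages before anything appears in the syslog server.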
03-15-2013 05:22 AM
Patrick,
Thanks for the information. I'm using the logging and I'm seeing nothing. I also used the Syslog that came with my Solarwinds package. I went ahead and opened all TCP, UDP and ICMP ports for troubleshooting purposes and I still can't get the client to join the Domain Controller. Microsoft said the servers are configured correctly and that it's a firewall issue. I verified the routing and all is configured correctly. My ASA is on IOS 7.2(2). Where would I go to get a bug list for that IOS version?