Hello.

I'm trying to configure my ASA to allow domain memberships to exist between two zones. I have a zone that will house the Domain Controllers, and a zone that will house the members. I can't seem to get the membership between the 2 zones to work.

Here is what I've done so far:

I have an object group that has all the active directory ports.

object-group service ActiveDirectory
 service-object tcp-udp eq 389
 service-object tcp-udp eq 464
 service-object tcp eq 135
 service-object tcp eq 3268
 service-object tcp eq 3269
 service-object tcp eq ldaps
 service-object udp eq ntp
 service-object tcp-udp eq 445
 service-object tcp-udp eq 88
 service-object tcp-udp eq domain
 service-object tcp eq netbios-ssn
 service-object udp eq netbios-ns

Then an ACL entry:

access-list servers_access_in extended permit object-group ActiveDirectory 192.168.25.0 255.255.255.0 192.168.28.0 255.255.255.0

Then a class map:

class-map class-DCERP
 match port tcp eq 135

And a policy map:

policy-map type inspect dcerpc ActiveDirectory
 parameters
  endpoint-mapper lookup-operation timeout 0:05:00

policy-map inside-policy-DCERP
 class class-DCERP
  inspect dcerpc
policy-map servers-policy-DCERP
 class class-DCERP
  inspect dcerpc

And Applied:

service-policy inside-policy-DCERP interface inside
service-policy servers-policy-DCERP interface servers

However, everytime I try and get AD to work across the zone, I get an RPC error.

Does anybody see what's wrong with what I'm trying to do?