cisco asa stopping PC from joining domain?

LionKin1984
Level 1

Guys,

I have a Windows NT domain controller and a Windows NT PC, and I want to join the PC to the domain (with a Cisco ASA 5512-X in between).

Both the domain controller and the NT PC are connected directly to the firewall and are on the same security level too (it's set up for offline testing at the minute), and communication between interfaces on the same security level is enabled.

I can ping from the domain controller to the NT PC successfully and vice versa. However, when I try to join the NT PC to the domain, it won't let me; it keeps saying 'the domain controller for this domain cannot be located'.

If I bypass the firewall, the domain can be joined no problem.

I don't have any ACL created, as both PCs are on the same side of the firewall and on the same security level.

Hope I have made myself understood.

Thanks

2 Replies

James Leinweber
Level 4

What is the DNS situation? I don't recall about NT4, but recent Windows clients want to find forest domain controllers by querying DNS for SRV records. If the client is on-link, it might fall back to link-local multicast DNS, but that Avahi stuff won't typically cross a routed firewall interface. The server needs to have registered itself with its DNS server to create the SRV records, the client needs to have a default gateway and DNS server, and it helps if the client's subnet is assigned to a site in Active Directory Sites & Services. E.g.

    nslookup
    > set querytype=SRV
    > _kerberos._tcp.YOUR.DOMAIN.HERE

Plus the firewall needs to permit a lot of UDP and TCP ports to communicate between the client and server, including ports like 88, 135-139, 384, 445, 464, 636, 3268 etc.  If you have no access-groups applied to the interfaces, you may need one or both of:

    same-security-traffic permit inter-interface

    same-security-traffic permit intra-interface

Personally, I recommend at least ingress ACLs on all interfaces, ignoring the security levels.

-- Jim Leinweber, WI State Lab of Hygiene
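Jim's reply boils down to two checks: does the client's DNS server actually hold the `_kerberos._tcp` SRV record for the domain, and does the firewall pass the AD ports between client and DC. The script below is an added example written for this thread, not code from either poster or from Cisco. It performs the same SRV query nslookup does, but with a hand-built DNS packet over the standard library so it can be read and tested offline, then probes the TCP ports Jim lists against the DC the SRV record names. The domain name, DNS server address and DC name in the test are constructed placeholders; `connect` is a hypothetical injection hook so the port probe can be exercised without a network.

```python
"""Diagnose 'domain controller cannot be located' across a firewall:
1) query DNS for the _kerberos._tcp SRV record (what nslookup does above),
2) TCP-connect to the AD ports on the DC the SRV record points at.
Standard library only. Added example; not from the thread."""
import socket
import struct

# TCP ports named in Jim's reply (UDP 88/389 and NetBIOS 137/138 need a UDP probe).
AD_TCP_PORTS = (88, 135, 139, 445, 464, 636, 3268)
SRV_TYPE = 33  # DNS RR type for SRV


def build_srv_query(name, txn_id=0x1234):
    """Build a DNS query packet for an SRV record: header, QNAME, QTYPE=33, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", SRV_TYPE, 1)


def _read_name(pkt, off):
    """Decode a DNS name at `off`, following compression pointers; return (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_srv_response(pkt):
    """Return [(priority, weight, port, target), ...] from the answer section.
    Raises ValueError on a DNS error; rcode 3 (NXDOMAIN) means the DC never registered."""
    _txn, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0xF
    if rcode != 0:
        raise ValueError(f"DNS error rcode={rcode}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(pkt, off)
        off += 4
    results = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", pkt[off:off + 6])
            target, _ = _read_name(pkt, off + 6)
            results.append((prio, weight, port, target))
        off += rdlen
    return results


def lookup_srv(name, dns_server, timeout=3.0):
    """Send the SRV query to dns_server over UDP/53 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (dns_server, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data)


def probe_tcp_ports(host, ports=AD_TCP_PORTS, connect=None, timeout=2.0):
    """Return {port: reachable?}; a False entry is a port the firewall (or DC) is not passing.
    `connect` is a hypothetical hook so the logic can be tested without a network."""
    def default_connect(h, p):
        try:
            with socket.create_connection((h, p), timeout=timeout):
                return True
        except OSError:
            return False
    connect = connect or default_connect
    return {p: connect(host, p) for p in ports}


if __name__ == "__main__":
    import sys
    domain, dns_ip = sys.argv[1], sys.argv[2]  # e.g. corp.example.test 192.0.2.10 (placeholders)
    for prio, weight, port, target in lookup_srv(f"_kerberos._tcp.{domain}", dns_ip):
        print(f"SRV -> {target}:{port} (prio {prio}, weight {weight})")
        blocked = [p for p, ok in probe_tcp_ports(target).items() if not ok]
        print("blocked TCP ports:", blocked or "none")
```

Run it from the client side of the ASA, pointing at the DNS server the client is configured to use. An NXDOMAIN means the DC has not registered its SRV records (a DNS problem, not a firewall one); SRV records present but ports showing as blocked points at the ASA, which is where the `same-security-traffic` lines or an explicit ACL come in.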

Thanks for your reply, Jim.

The domain controller is acting as DNS server and WINS server as well.

I will try to permit the ports you mentioned above and see if that'll make any difference.
