Issue registering Windows server in a DMZ to Windows Domain controller in another DMZ

Jeff Bull (Level 1)

I'm attempting to set up a Windows domain to manage our DMZ environments, and am having some issues. Have opened what I believe are the necessary ports to allow a client Windows server in one DMZ (behind our ASA) to access a Windows DC in another DMZ (same ASA), yet the client server shows an error when you try to add it to the domain (see attached). Here are the ACL entries [scrubbed] between the two DMZ networks:

!--Object groups

object-group service Directory-Services-TCP_SG tcp
 port-object eq 135
 port-object eq ldaps
 port-object eq 3268
 port-object eq 3269
 port-object eq 5722
 port-object eq 9389
 port-object eq netbios-ssn

object-group service Directory-Services-UDP_SG udp
 port-object eq netbios-dgm
 port-object eq netbios-ns

object-group service Directory-Services-TCP-UDP_SG tcp-udp
 description Various Active Directory TCP and UDP ports
 port-object eq domain
 port-object eq 88
 port-object eq 389
 port-object eq 464
 port-object eq 445

object-group service NTP-UDP_SG udp
 port-object eq ntp

object-group service Sophos_Ports tcp
 port-object eq 8192
 port-object eq 8194
 port-object eq 445
 port-object eq netbios-ssn
 port-object eq 135
 port-object eq 137
 port-object eq www
 port-object eq 3268
 port-object eq ldap


!--PRD-Mgmt Network (Where DC's live)

access-list PRD-Mgmt_access_in remark Permit DC01 access to 192.168.2.0 via TCP Directory Services
access-list PRD-Mgmt_access_in extended permit tcp host 192.168.1.11 192.168.2.0 255.255.255.128 object-group Directory-Services-TCP_SG 
access-list PRD-Mgmt_access_in remark Permit DC01 access to 192.168.2.0 via UDP Directory Services
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.11 192.168.2.0 255.255.255.128 object-group Directory-Services-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC01 access to 192.168.2.0 via TCP-UDP Directory Services
access-list PRD-Mgmt_access_in extended permit object-group TCPUDP host 192.168.1.11 192.168.2.0 255.255.255.128 object-group Directory-Services-TCP-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC01 access to 192.168.2.0 via NTP
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.11 192.168.2.0 255.255.255.128 object-group NTP-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC01 access to INT-DC-A via DNS
access-list PRD-Mgmt_access_in extended permit object-group TCPUDP host 192.168.1.11 host 10.1.2.211 eq domain 
access-list PRD-Mgmt_access_in remark Permit DC01 access to INT-DC-A via NTP
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.11 host 10.1.2.211 object-group NTP-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC02 access to 192.168.2.0 via TCP Directory Services
access-list PRD-Mgmt_access_in extended permit tcp host 192.168.1.13 192.168.2.0 255.255.255.128 object-group Directory-Services-TCP_SG 
access-list PRD-Mgmt_access_in remark Permit DC02 access to 192.168.2.0 via UDP Directory Services
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.13 192.168.2.0 255.255.255.128 object-group Directory-Services-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC02 access to 192.168.2.0 via TCP-UDP Directory Services
access-list PRD-Mgmt_access_in extended permit object-group TCPUDP host 192.168.1.13 192.168.2.0 255.255.255.128 object-group Directory-Services-TCP-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC02 access to 192.168.2.0 via NTP
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.13 192.168.2.0 255.255.255.128 object-group NTP-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC02 access to INT-DC-A via DNS
access-list PRD-Mgmt_access_in extended permit object-group TCPUDP host 192.168.1.13 host 10.1.2.211 eq domain 
access-list PRD-Mgmt_access_in remark Permit DC02 access to INT-DC-A via NTP
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.13 host 10.1.2.211 object-group NTP-UDP_SG 
access-list PRD-Mgmt_access_in extended permit icmp 192.168.1.0 255.255.255.128 host 10.1.1.100 
access-list PRD-Mgmt_access_in remark Permit 192.168.1.0 access to Sophos for Sophos communication
access-list PRD-Mgmt_access_in extended permit tcp 192.168.1.0 255.255.255.128 host 10.1.1.100 object-group Sophos_Ports 
access-list PRD-Mgmt_access_in remark Permit 192.168.1.0 access to 192.168.2.0 via ICMP
access-list PRD-Mgmt_access_in extended permit icmp 192.168.1.0 255.255.255.128 192.168.2.0 255.255.255.128 


!--PRD-App Network (Where client Servers live)

access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC01 via TCP Directory Services
access-list PRD-App_access_in extended permit tcp 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group Directory-Services-TCP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC01 via UDP Directory Services
access-list PRD-App_access_in extended permit udp 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group Directory-Services-UDP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC01 via TCP-UDP Directory Services
access-list PRD-App_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group Directory-Services-TCP-UDP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC02 via TCP Directory Services
access-list PRD-App_access_in extended permit tcp 192.168.2.0 255.255.255.128 host 192.168.1.13 object-group Directory-Services-TCP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC02 via UDP Directory Services
access-list PRD-App_access_in extended permit udp 192.168.2.0 255.255.255.128 host 192.168.1.13 object-group Directory-Services-UDP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC02 via TCP-UDP Directory Services
access-list PRD-App_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.128 host 192.168.1.13 object-group Directory-Services-TCP-UDP_SG 
access-list PRD-App_access_in extended permit udp 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group NTP-UDP_SG 
access-list PRD-App_access_in extended permit udp 192.168.2.0 255.255.255.128 host 192.168.1.13 object-group NTP-UDP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to Sophos for Sophos communication
access-list PRD-App_access_in extended permit tcp 192.168.2.0 255.255.255.128 host 10.1.1.100 object-group Sophos_Ports 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to 192.168.1.0 via ICMP
access-list PRD-App_access_in extended permit icmp 192.168.2.0 255.255.255.128 192.168.1.0 255.255.255.128 

Accepted Solution

run a packet tracer on the ASA and see where the packet is being dropped...if at all.

packet-tracer input tcp <DMZ PC interface> 12345 <DMZ DC interface> 53 detail

packet-tracer input udp <DMZ PC interface> 12345 <DMZ DC interface> 53 detail

--

Please remember to select a correct answer and rate helpful posts

2 Replies

Found the problem!! Was related to an issue with DCERPC on the ASA, and the creation of a class-map to allow the Windows RPC process to function as needed.

This blog explains the steps necessary to fix this issue:

http://clintboessen.blogspot.com/2011/06/allowing-domain-membership-through.html
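The thread's finding is that every fixed port in the posted ACLs was open and the join still failed, because the RPC endpoint mapper on 135 refers the client to a dynamic high port that only DCERPC inspection on the ASA opens. As an added example (not code from the thread or from Cisco), this Python audit expands service object-groups from a pasted ASA config, collects what a named ACL permits toward a DC, and reports which fixed domain-join ports are missing and whether the dynamic RPC range is reachable at all; the NAMED port mapping, the REQUIRED port list and the config excerpt are assumptions constructed in the shape of the original post.

```python
import re

# Named ASA ports seen in the post, resolved to numbers (assumed mapping).
NAMED = {"domain": 53, "ldap": 389, "ldaps": 636, "netbios-ssn": 139,
         "netbios-dgm": 138, "netbios-ns": 137, "ntp": 123, "www": 80}
# Fixed ports a client must reach on a DC to join; the endpoint mapper (135)
# then refers it to a dynamic port in 49152-65535, which "inspect dcerpc" opens.
REQUIRED = {("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 135),
            ("tcp", 389), ("udp", 389), ("tcp", 445), ("tcp", 464),
            ("udp", 464), ("tcp", 636), ("tcp", 3268), ("tcp", 9389)}
# Constructed excerpt in the shape of the posted config (client DMZ -> DC01).
SAMPLE = """
object-group service Directory-Services-TCP_SG tcp
 port-object eq 135
 port-object eq ldaps
 port-object eq 3268
 port-object eq 9389
object-group service Directory-Services-TCP-UDP_SG tcp-udp
 port-object eq domain
 port-object eq 88
 port-object eq 389
 port-object eq 464
 port-object eq 445
access-list PRD-App_access_in extended permit tcp 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group Directory-Services-TCP_SG
access-list PRD-App_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group Directory-Services-TCP-UDP_SG
"""

def parse_groups(cfg):
    """Map each service object-group name to (protocol, set of port numbers)."""
    groups, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group service (\S+) (tcp|udp|tcp-udp)$", line.strip())
        if m:
            cur = m.group(1)
            groups[cur] = (m.group(2), set())
        elif cur and line.strip().startswith("port-object eq "):
            tok = line.split()[-1]
            groups[cur][1].add(NAMED.get(tok) or int(tok))
    return groups

def audit(cfg, acl, dst):
    """Return (permitted (proto, port) pairs, required pairs still missing, dynamic RPC open?)."""
    groups, allowed = parse_groups(cfg), set()
    pat = rf"access-list {re.escape(acl)} extended permit .* host {re.escape(dst)} object-group (\S+)"
    for m in re.finditer(pat, cfg):
        proto, ports = groups[m.group(1)]
        protos = ("tcp", "udp") if proto == "tcp-udp" else (proto,)
        allowed |= {(p, port) for p in protos for port in ports}
    dyn = any(p == "tcp" and 49152 <= port <= 65535 for p, port in allowed)
    return allowed, sorted(REQUIRED - allowed), dyn
```

On the excerpt, `audit(SAMPLE, "PRD-App_access_in", "192.168.1.11")` reports no missing fixed ports and no dynamic RPC reachability, which is exactly the state the thread describes before `inspect dcerpc` was added.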
