10-01-2014 02:13 PM - edited 03-11-2019 09:51 PM
I'm attempting to set up a Windows domain to manage our DMZ environments, and am having some issues. Have opened what I believe are the necessary ports to allow a client Windows server in one DMZ (behind our ASA) to access a Windows DC in another DMZ (same ASA), yet the client server shows an error when you try to add it to the domain (see attached). Here are the ACL entries [scrubbed] between the two DMZ networks:
!--Object groups
object-group service Directory-Services-TCP_SG tcp
 port-object eq 135
 port-object eq ldaps
 port-object eq 3268
 port-object eq 3269
 port-object eq 5722
 port-object eq 9389
 port-object eq netbios-ssn
object-group service Directory-Services-UDP_SG udp
 port-object eq netbios-dgm
 port-object eq netbios-ns
object-group service Directory-Services-TCP-UDP_SG tcp-udp
 description Various Active Directory TCP and UDP ports
 port-object eq domain
 port-object eq 88
 port-object eq 389
 port-object eq 464
 port-object eq 445
object-group service NTP-UDP_SG udp
 port-object eq ntp
object-group service Sophos_Ports tcp
 port-object eq 8192
 port-object eq 8194
 port-object eq 445
 port-object eq netbios-ssn
 port-object eq 135
 port-object eq 137
 port-object eq www
 port-object eq 3268
 port-object eq ldap
!--PRD-Mgmt Network (Where DC's live)
access-list PRD-Mgmt_access_in remark Permit DC01 access to 192.168.2.0 via TCP Directory Services
access-list PRD-Mgmt_access_in extended permit tcp host 192.168.1.11 192.168.2.0 255.255.255.128 object-group Directory-Services-TCP_SG 
access-list PRD-Mgmt_access_in remark Permit DC01 access to 192.168.2.0 via UDP Directory Services
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.11 192.168.2.0 255.255.255.128 object-group Directory-Services-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC01 access to 192.168.2.0 via TCP-UDP Directory Services
access-list PRD-Mgmt_access_in extended permit object-group TCPUDP host 192.168.1.11 192.168.2.0 255.255.255.128 object-group Directory-Services-TCP-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC01 access to 192.168.2.0 via NTP
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.11 192.168.2.0 255.255.255.128 object-group NTP-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC01 access to INT-DC-A via DNS
access-list PRD-Mgmt_access_in extended permit object-group TCPUDP host 192.168.1.11 host 10.1.2.211 eq domain 
access-list PRD-Mgmt_access_in remark Permit DC01 access to INT-DC-A via NTP
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.11 host 10.1.2.211 object-group NTP-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC02 access to 192.168.2.0 via TCP Directory Services
access-list PRD-Mgmt_access_in extended permit tcp host 192.168.1.13 192.168.2.0 255.255.255.128 object-group Directory-Services-TCP_SG 
access-list PRD-Mgmt_access_in remark Permit DC02 access to 192.168.2.0 via UDP Directory Services
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.13 192.168.2.0 255.255.255.128 object-group Directory-Services-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC02 access to 192.168.2.0 via TCP-UDP Directory Services
access-list PRD-Mgmt_access_in extended permit object-group TCPUDP host 192.168.1.13 192.168.2.0 255.255.255.128 object-group Directory-Services-TCP-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC02 access to 192.168.2.0 via NTP
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.13 192.168.2.0 255.255.255.128 object-group NTP-UDP_SG 
access-list PRD-Mgmt_access_in remark Permit DC02 access to INT-DC-A via DNS
access-list PRD-Mgmt_access_in extended permit object-group TCPUDP host 192.168.1.13 host 10.1.2.211 eq domain 
access-list PRD-Mgmt_access_in remark Permit DC02 access to INT-DC-A via NTP
access-list PRD-Mgmt_access_in extended permit udp host 192.168.1.13 host 10.1.2.211 object-group NTP-UDP_SG 
access-list PRD-Mgmt_access_in extended permit icmp 192.168.1.0 255.255.255.128 host 10.1.1.100 
access-list PRD-Mgmt_access_in remark Permit 192.168.1.0 access to Sophos for Sophos communication
access-list PRD-Mgmt_access_in extended permit tcp 192.168.1.0 255.255.255.128 host 10.1.1.100 object-group Sophos_Ports 
access-list PRD-Mgmt_access_in remark Permit 192.168.1.0 access to 192.168.2.0 via ICMP
access-list PRD-Mgmt_access_in extended permit icmp 192.168.1.0 255.255.255.128 192.168.2.0 255.255.255.128 
!--PRD-App Network (Where client Servers live)
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC01 via TCP Directory Services
access-list PRD-App_access_in extended permit tcp 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group Directory-Services-TCP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC01 via UDP Directory Services
access-list PRD-App_access_in extended permit udp 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group Directory-Services-UDP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC01 via TCP-UDP Directory Services
access-list PRD-App_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group Directory-Services-TCP-UDP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC02 via TCP Directory Services
access-list PRD-App_access_in extended permit tcp 192.168.2.0 255.255.255.128 host 192.168.1.13 object-group Directory-Services-TCP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC02 via UDP Directory Services
access-list PRD-App_access_in extended permit udp 192.168.2.0 255.255.255.128 host 192.168.1.13 object-group Directory-Services-UDP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to DC02 via TCP-UDP Directory Services
access-list PRD-App_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.128 host 192.168.1.13 object-group Directory-Services-TCP-UDP_SG 
access-list PRD-App_access_in extended permit udp 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group NTP-UDP_SG 
access-list PRD-App_access_in extended permit udp 192.168.2.0 255.255.255.128 host 192.168.1.13 object-group NTP-UDP_SG 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to Sophos for Sophos communication
access-list PRD-App_access_in extended permit tcp 192.168.2.0 255.255.255.128 host 10.1.1.100 object-group Sophos_Ports 
access-list PRD-App_access_in remark Permit 192.168.2.0 access to 192.168.1.0 via ICMP
access-list PRD-App_access_in extended permit icmp 192.168.2.0 255.255.255.128 192.168.1.0 255.255.255.128 
10-02-2014 12:39 AM
run a packet tracer on the ASA and see where the packet is being dropped...if at all.
packet-tracer input tcp <DMZ PC interface> 12345 <DMZ DC interface> 53 detail
packet-tracer input udp <DMZ PC interface> 12345 <DMZ DC interface> 53 detail
--
Please remember to select a correct answer and rate helpful posts
10-02-2014 08:37 AM
Found the problem!! Was related to an issue with DCERPC on the ASA, and the creation of a class-map to allow the Windows RPC process to function as needed.
This blog explains the steps necessary to fix this issue:
http://clintboessen.blogspot.com/2011/06/allowing-domain-membership-through.html
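A checker for the kind of gap this thread turned out to have, written as an added example (not code from the post, the linked blog, or Cisco): it parses the object-group and extended ACL syntax used above, asks whether a client in 192.168.2.0/25 can reach DC01 on each port a domain join needs, and reports what is still blocked. The embedded CONFIG is a constructed excerpt of the posted rules; the REQUIRED list is my assumption of the join-time ports, and its dynamic-range entry is the point DCERPC inspection addresses: the fixed ports pass, but the port the endpoint mapper negotiates over TCP 135 is not in any object-group.

```python
import ipaddress

# Constructed excerpt of the object-groups and the PRD-App ACL from the post
# (DC01 rules only); the checker reads the full posted config the same way.
CONFIG = """
object-group service Directory-Services-TCP_SG tcp
 port-object eq 135
 port-object eq ldaps
 port-object eq 3268
object-group service Directory-Services-TCP-UDP_SG tcp-udp
 port-object eq domain
 port-object eq 88
 port-object eq 389
 port-object eq 445
access-list PRD-App_access_in extended permit tcp 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group Directory-Services-TCP_SG
access-list PRD-App_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.128 host 192.168.1.11 object-group Directory-Services-TCP-UDP_SG
"""
NAMES = {"domain": 53, "ldap": 389, "ldaps": 636, "www": 80, "ntp": 123,
         "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}
# Assumed fixed ports a join needs on a DC, plus one port from the RPC dynamic
# range (49152-65535 on Windows 2008+) that the endpoint mapper on 135 hands out.
REQUIRED = [("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 135), ("tcp", 389),
            ("udp", 389), ("tcp", 445), ("tcp", 636), ("tcp", 3268), ("tcp", 49152)]
def port(tok):  # ASA port name or number -> int
    return NAMES.get(tok) or int(tok)
def net(a, b):  # "host X" or "NET MASK" -> ip_network
    return ipaddress.ip_network(f"{b}/32" if a == "host" else f"{a}/{b}", strict=False)
def parse(text):  # -> [(protocols, src_net, dst_net, dst_ports or None for any)]
    groups, rules, cur = {}, [], None
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "service"]:
            cur = groups.setdefault(t[2], set())
        elif t[:2] == ["port-object", "eq"]:
            cur.add(port(t[2]))
        elif t[:1] == ["access-list"] and t[2:4] == ["extended", "permit"]:
            t = t[4:]  # "object-group TCPUDP" in the post means both protocols
            protos, t = ({"tcp", "udp"}, t[2:]) if t[0] == "object-group" else ({t[0]}, t[1:])
            src, dst, rest = net(t[0], t[1]), net(t[2], t[3]), t[4:]
            ports = None if not rest else groups[rest[1]] if rest[0] == "object-group" else {port(rest[1])}
            rules.append((protos, src, dst, ports))
    return rules
def permitted(rules, proto, src, dst, dport):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(proto in p and s in sn and d in dn and (ports is None or dport in ports)
               for p, sn, dn, ports in rules)
def missing(text, src, dst):  # required (proto, port) pairs the ACL does not permit
    rules = parse(text)
    return [(p, n) for p, n in REQUIRED if not permitted(rules, p, src, dst, n)]
```

With the full ACL pasted in, the one entry left over is the negotiated RPC port, which the thread's fix handles on the ASA side (DCERPC inspection opening a pinhole for the port exchanged over 135) rather than by adding the whole dynamic range to an object-group.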