Outside users unable to join windows ADS hosted on ASA's Inside

favolmendes
Level 1

Hi,

I am hosting a Windows ADS domain controller on the inside (sec 100) of the firewall.

I have users connected to the outside (sec 0) of the firewall.

I have turned on static NAT for the domain controller: "static (inside,outside) 172.168.1.1 192.168.1.1 0 0"

Access-list xyz extended ip any any, along with access-grp.

I can do a remote desktop to the domain controller.

I have checked by "telnet 172.168.1.1 port no" and found the ports open for the services that I have enabled on the domain controller.

On the domain controller I am also hosting my DNS server.

If I telnet 172.168.1.1 53 in the command prompt I find it open.

On my outside computer the preferred DNS server IP is 172.168.1.1, added in the TCP settings.

I enter my username and domain name on my computer but am unable to join the domain.

All the servers on the inside of the firewall can join the domain server.

Am I missing something here in the configuration, or does ADS not work with static NAT?

Please help.

3 Replies

Jennifer Halim
Cisco Employee

Hi Favol,

Just quickly wanted to confirm your IP address of 172.168.1.1. Is this a typo, or do you actually have that IP address correct?

Should it be 172.16.1.1?

Anyway, can you please confirm that 192.168.1.1 is the AD server's actual IP address? Also, please confirm whether on the AD itself you have turned off the Windows firewall or allowed inbound connections from different subnets on the Windows firewall, which is typically why the connection might have been blocked.

Can you please perform a packet capture on the outside and inside interfaces of the ASA and check where it's failing? This is to ensure that we troubleshoot at the point where it actually fails.

Hi,

172.168.1.1 is the correct address, as this is a private network. Just want to inform you that the DNS server has entries for the domain server and other servers with private actual IP addresses that are inside the firewall. So I feel that when the query reaches the DNS server it's replying with the private inside IP address to the users on the outside. The firewall cannot understand a request for the inside address of the domain controller on its outside interface.

Can I somehow make the firewall act as a DNS server wherein I will have the domain name and its outside IP address mapping?

Can I use the ASA in transparent and NAT mode simultaneously, like E0/0 and E0/1 in transparent mode and E0/2 with the internet connection and E0/3 hosts NATted to use this internet connection on E0/2? This is my requirement.

According to what I have read, the ASA 5510 on version 8.2 can only be used in transparent or NAT mode.

Please help.

What you require is called DNS doctoring, i.e. the ASA will automatically change the DNS reply from the private to the public IP address according to the static NAT statement that you have configured, when you have the "dns" keyword at the end of the static NAT statement.

Here is what you would need to change the existing static NAT statement to:

static (inside,outside) 172.168.1.1 192.168.1.1 0 0 dns

Hope that helps.
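As an added illustration (not code from this thread or from Cisco), a small Python model of the DNS doctoring rewrite described in the reply above: it walks a DNS reply in wire format and, for each A record whose address is the real inside address in the static NAT mapping, substitutes the mapped outside address, leaving everything else untouched. The sample reply and the hostname dc.example.local are constructed for the example.

```python
import socket
import struct

# Static NAT table matching the thread's "static (inside,outside) 172.168.1.1 192.168.1.1 0 0 dns":
# real (inside) address -> mapped (outside) address. Constructed for this example.
STATIC_NAT = {"192.168.1.1": "172.168.1.1"}


def _skip_name(pkt: bytes, pos: int) -> int:
    """Return the offset just past a DNS name (label sequence or compression pointer)."""
    while True:
        length = pkt[pos]
        if length == 0:                 # root label ends the name
            return pos + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def doctor_dns_reply(pkt: bytes, nat: dict = STATIC_NAT) -> bytes:
    """Rewrite A-record RDATA from real (inside) to mapped (outside) addresses.

    Models what the ASA does to a DNS reply leaving inside for outside when the
    static NAT statement carries the 'dns' keyword. Other records are untouched.
    """
    out = bytearray(pkt)
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    pos = 12                            # fixed 12-byte DNS header
    for _ in range(qdcount):
        pos = _skip_name(pkt, pos) + 4  # skip QNAME, then QTYPE + QCLASS
    for _ in range(ancount):
        pos = _skip_name(pkt, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, pos)
        pos += 10                       # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
        if rtype == 1 and rdlen == 4:   # TYPE A: IPv4 address in RDATA
            real = socket.inet_ntoa(pkt[pos:pos + 4])
            if real in nat:
                out[pos:pos + 4] = socket.inet_aton(nat[real])
        pos += rdlen
    return bytes(out)


def build_reply(name: str, addr: str, txid: int = 0x1234) -> bytes:
    """Constructed sample reply: one question and one A answer using a compressed name."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, 1 Q, 1 A
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answer
```

Running `doctor_dns_reply(build_reply("dc.example.local", "192.168.1.1"))` yields the same packet as `build_reply("dc.example.local", "172.168.1.1")`, which is the reply an outside client needs in order to reach the controller through the static.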
