12-10-2010 01:11 PM - edited 03-11-2019 12:20 PM
Hi,
I am hosting a Windows ADS domain controller on the inside (security level 100) of the firewall.
I have users connected to the outside (security level 0) of the firewall.
I have turned on static NAT for the domain controller: "static (inside,outside) 172.168.1.1 192.168.1.1 0 0"
Access-list xyz extended ip any any, along with access-grp.
I can do a remote desktop to the domain controller.
I have checked with "telnet 172.168.1.1 <port no>" and found the ports open for the services that I have enabled on the domain controller.
On the domain controller I am also hosting my DNS server.
If I telnet 172.168.1.1 53 in the command prompt, I find it open.
On my outside computer the preferred DNS server IP is 172.168.1.1, added in the TCP settings.
I enter my username and domain name on my computer but am unable to join the domain.
All the servers on the inside of the firewall can join the domain server.
Am I missing something here in the configuration, or does ADS not work with static NAT?
Please help.
12-10-2010 03:42 PM
Hi Favol,
Just quickly, I would like to confirm your IP address of 172.168.1.1. Is this a typo, or do you actually have that IP address?
Should it be 172.16.1.1?
Anyway, can you please confirm that 192.168.1.1 is the AD server's actual IP address? Also, please confirm whether on the AD itself you have turned off the Windows firewall or allowed inbound connections from different subnets on the Windows firewall, which is typically why the connection might have been blocked.
Can you please perform a packet capture on the outside and inside interfaces of the ASA and check where it's failing? This is to ensure that we troubleshoot at the point where it actually fails.
12-11-2010 04:55 AM
Hi,
172.168.1.1 is the correct address, as this is a private network. Just want to inform you that the DNS server has entries for the domain server and other servers with
private actual IP addresses that are inside the firewall. So I feel that when the query reaches the DNS server, it is replying with the private inside IP address to the users on the outside. The firewall cannot understand a request for the inside address of the domain controller on its outside interface.
Can I somehow make the firewall act as a DNS server, where I will have the domain name and its outside IP address mapping?
Can I use the ASA in transparent and NAT mode simultaneously, e.g. E0/0 and E0/1 in transparent mode, and
E0/2 with the internet connection and E0/3 hosts NATted to use this internet connection on E0/2? This is my requirement.
According to what I have read, the ASA 5510 version 8.2 can only be used in transparent or NAT mode.
Please help.
12-11-2010 03:45 PM
What you require is called DNS doctoring, i.e. the ASA will automatically change the DNS reply from the private to the public IP address according to the static NAT statement you have configured, when you have the "dns" keyword at the end of the static NAT statement.
Here is what you would need to change the existing static NAT statement to:
static (inside,outside) 172.168.1.1 192.168.1.1 0 0 dns
Hope that helps.
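To show what the "dns" keyword actually does to a reply on the wire, here is an added example (not from the thread or from Cisco): it parses a DNS reply, and rewrites any IN A answer whose address is the real inside address of the static above to the mapped outside address, exactly the translation the ASA applies. The reply packet, the name dc.example.local and the helper names are constructed for the illustration.

```python
import socket
import struct

# static (inside,outside) 172.168.1.1 192.168.1.1 0 0 dns  ->  real inside : mapped outside
NAT_MAP = {"192.168.1.1": "172.168.1.1"}

def _skip_name(pkt, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _answer_rdata(pkt):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        yield off + 10, rtype, rclass, rdlen
        off += 10 + rdlen

def doctor_dns_reply(pkt, nat_map):
    """Rewrite IN A rdata the way the ASA 'dns' keyword does: real -> mapped address."""
    out = bytearray(pkt)
    for off, rtype, rclass, rdlen in _answer_rdata(pkt):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            real = socket.inet_ntoa(pkt[off:off + 4])
            if real in nat_map:  # only addresses covered by a static are rewritten
                out[off:off + 4] = socket.inet_aton(nat_map[real])
    return bytes(out)

def answer_ips(pkt):
    """Return the IN A addresses in the answer section of a DNS reply."""
    return [socket.inet_ntoa(pkt[o:o + 4]) for o, t, c, n in _answer_rdata(pkt)
            if t == 1 and c == 1 and n == 4]

def build_a_response(name, ip, txid=0x1234):
    """Constructed sample reply (not a capture): one question, one IN A answer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer
```

Running `answer_ips` on `build_a_response("dc.example.local", "192.168.1.1")` before and after `doctor_dns_reply` shows the outside client receiving 172.168.1.1 instead of the unreachable inside address; an answer for an address with no static is left untouched.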