Question about NAT and Active Directory

Gregory Creek
Level 1

Hello,

I have an ASA series appliance (8.2 I believe), and I am trying to get active directory to work across this appliance in routed mode. 

- I have a workstation that is on the outside (192.168.70.151 subnet) and 2 redundant active directory controllers that are on the inside (192.168.3.101 and .3.102). 

- I have static NAT set up, and the firewall rules open for any any ip and any any icmp.

- I have DNS rewrite enabled on my static NAT rules for the workstation and 2 ADCs

- I can successfully ping the ADCs from the workstation and vice versa across the NAT

What I can't seem to do is join the computer to the domain.  When I attempt to do this, I can see DNS traffic in my ADM log (port 53), and the error message I get on the workstation shows that the workstation was able to successfully query the DNS record to obtain the NetBIOS names of the 2 ADCs.  However, I cannot join this workstation to the domain (the error message says that either the domain controllers are not active, or that their IP address records in the DNS are not correct). 

Maybe the IP address records from the DNS are their real 192.168.2.101 and 192.168.2.102 addresses, and thus the workstation can't reach them?

Has anyone encountered this situation before?  Microsoft does not support this configuration, so any help would be GREATLY appreciated.

Thanks!

4 Replies

Jennifer Halim
Cisco Employee

1) What IP address are you NATing the AD to? The same subnet as the outside interface?

2) Does the PC on the outside have an IP address in the same subnet as the outside interface?

3) what is the PC's default gateway?

4) If you static NAT the AD ip address to itself, does it work?

static (inside,outside) 192.168.2.101 192.168.2.101 netmask 255.255.255.255

static (inside,outside) 192.168.2.102 192.168.2.102 netmask 255.255.255.255

and change the ACL on the outside to the real IP as well.

Hello Jennifer, thank you for your reply!

1) I am NATing the AD servers to the same subnet as the outside interface (192.168.70.101 and .70.102)

2) Yes, the outside interface is 192.168.70.210

3) The PC's default gateway is the outside firewall interface (.70.210)

4) I will add the static NAT rules you suggested and see if that works.  The firewall in general is configured to not allow untranslated traffic; I will change that and see if it makes a difference.

Thanks!

So I was able to set up the NAT in this way, and all traffic appears to be flowing through the firewall, but the workstation is still not registering with the domain.  After much research on Microsoft's website, it turns out that I will not be able to join this workstation to the domain because of some NetBIOS limitations and the fact that my ADCs are multi-homed.

Is there a way to put 2 interfaces on the ASA appliance on the same subnet when it is in routed mode?  If I could do that, then this external workstation would stay on the same subnet, alleviating the domain registration problem.

I know I can do this in transparent mode, but the firewall is performing some other features that it must be in routed mode for.

No, you can't put 2 interfaces on the ASA on the same subnet as the ASA is in routed (L3) mode.

Do you have "inspect dcerpc" enabled on your ASA?

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_mgmt.html#wp1478733
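The following ASA 8.2-style configuration is an added illustration and is not the original poster's configuration or anything posted by the replies above. It pulls together the two suggestions in this thread: the static NAT with DNS rewrite that the poster described (with the identity NAT variant Jennifer suggested shown commented out), the outside ACL, and "inspect dcerpc" in the global policy. Addresses come from the thread (DCs 192.168.3.101/.102, outside interface 192.168.70.210, workstation 192.168.70.151, mapped DC addresses 192.168.70.101/.102); the interface names, the inside interface address, the ACL name and the hostname are assumptions.

```text
! Added example (not from the thread). Interface names, inside address and
! ACL name are assumed; host addresses are the ones given in the thread.
hostname asa-lab
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.70.210 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0      ! inside address assumed
!
! Option A (what the original poster described): map each DC to an address on
! the outside subnet. The "dns" keyword enables DNS rewrite (DNS doctoring):
! an A-record answer of 192.168.3.101 seen by the outside host is rewritten
! to 192.168.70.101. This only works while DNS inspection is enabled below,
! and it only rewrites A-record answers; addresses carried inside other
! protocols are not touched.
static (inside,outside) 192.168.70.101 192.168.3.101 netmask 255.255.255.255 dns
static (inside,outside) 192.168.70.102 192.168.3.102 netmask 255.255.255.255 dns
!
! Option B (Jennifer's identity NAT): translate each DC to itself, so the
! outside host talks to the real addresses. The outside host then needs a
! route to 192.168.3.0/24 via 192.168.70.210, and the outside ACL must
! reference the real addresses instead of the mapped ones.
! static (inside,outside) 192.168.3.101 192.168.3.101 netmask 255.255.255.255
! static (inside,outside) 192.168.3.102 192.168.3.102 netmask 255.255.255.255
!
! Inbound policy on the outside interface. On 8.2 (pre-8.3) an ACL applied to
! the outside interface matches the MAPPED address, so with Option A it names
! 192.168.70.101/.102; with Option B it would name 192.168.3.101/.102.
! The thread used "permit ip any any" while testing; this narrows it to the
! workstation and the two DCs, which is what you would keep afterwards.
access-list outside_in extended permit ip host 192.168.70.151 host 192.168.70.101
access-list outside_in extended permit ip host 192.168.70.151 host 192.168.70.102
access-list outside_in extended permit icmp host 192.168.70.151 any
access-group outside_in in interface outside
!
! Application inspection. DNS inspection is required for the "dns" keyword on
! the static entries to take effect. DCE/RPC inspection watches the endpoint
! mapper (TCP 135) and opens the dynamically negotiated ports AD/RPC uses,
! which is what Jennifer's last reply asks about.
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect dcerpc
!
service-policy global_policy global
```

To confirm the configuration is doing what is intended, "show running-config static" lists the static entries and whether "dns" is set on each, "show xlate" shows the translations actually built for the DCs, and "show service-policy inspect dns" / "show service-policy inspect dcerpc" show whether the two inspections are active and seeing traffic. Note that neither option changes the multi-homing/NetBIOS limitation the poster found on Microsoft's side: NAT and inspection only make the DC reachable and make A-record answers consistent with the mapped addresses.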
