06-05-2012 03:13 PM - edited 03-11-2019 04:15 PM
Hello,
I have an ASA series appliance (8.2 I believe), and I am trying to get active directory to work across this appliance in routed mode.
- I have a workstation that is on the outside (192.168.70.151 subnet) and 2 redundant active directory controllers that are on the inside (192.168.3.101 and .3.102).
- I have static NAT set up, and the firewall rules open for any any ip and any any icmp.
- I have DNS rewrite enabled on my static NAT rules for the workstation and 2 ADCs
- I can successfully ping the ADCs from the workstation and vice versa across the NAT
What I can't seem to do, is join the computer to the domain. When I attempt to do this, I can see DNS traffic in my ADM log (port 53), and the error message I get on the workstation shows that the workstation was able to successfully query the DNS record to obtain the NetBIOS names of the 2 ADCs. However, I cannot join this workstation to the domain (the error message says that either the domain controllers are not active, or that their IP address records in the DNS are not correct).
Maybe the IP address records from the DNS are their real 192.168.2.101 and 192.168.2.102 addresses, and thus the workstation can't reach them?
Has anyone encountered this situation before? Microsoft does not support this configuration, so any help would be GREATLY appreciated.
Thanks!
06-05-2012 08:14 PM
1) What ip address are you NATing the AD to? the same subnet as the outside interface?
2) is the PC outside having an ip address in the same subnet as the outside interface?
3) what is the PC's default gateway?
4) If you static NAT the AD ip address to itself, does it work?
static (inside,outside) 192.168.2.101 192.168.2.101 netmask 255.255.255.255
static (inside,outside) 192.168.2.102 192.168.2.102 netmask 255.255.255.255
and change the ACL on the outside to the real IP as well.
06-06-2012 05:30 AM
Hello Jennifer, thank you for your reply!
1) I am NATing the AD servers to the same subnet as the outside interface (192.168.70.101 and .70.102)
2) Yes, the outside interface is 192.168.70.210
3) The PC's default gateway is the outside firewall interface (.70.210)
4) I will add the static NAT rules you suggested and see if that works. The firewall in general is configured to not allow untranslated traffic; I will change that and see if it makes a difference.
Thanks!
06-06-2012 11:02 AM
So I was able to set up the NAT in this way, and all traffic appears to be flowing through the firewall, but the workstation is still not registering with the domain. After much research on Microsoft's website, it turns out that I will not be able to join this workstation to the domain because of some NetBIOS limitations and the fact that my ADCs are multi-homed.
Is there a way to put 2 interfaces on the ASA appliance on the same subnet when it is in routed mode? If I could do that, then this external workstation would stay on the same subnet, alleviating the domain registration problem.
I know I can do this in transparent mode, but the firewall is performing some other features that it must be in routed mode for.
06-06-2012 08:23 PM
No, you can't put 2 interfaces on the ASA on the same subnet as the ASA is in routed (L3) mode.
Do you have "inspect dcerpc" enabled on your ASA?
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_mgmt.html#wp1478733
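Editor's note (added example, not part of any post above): the identity NAT suggested earlier in the thread and the "inspect dcerpc" question in the last reply belong to one configuration, so here they are together as an ASA 8.2 (pre-8.3 NAT syntax) fragment. The domain controller addresses 192.168.2.101/.102 and the outside network 192.168.70.0/24 are taken from the thread; the ACL name `outside_access_in` and the `no nat-control` line are assumptions for illustration. Because the DCs keep their real addresses on the outside, the DNS A records the workstation receives are reachable without DNS rewrite, and the outside ACL references the real (untranslated) IPs, as the reply says.

```cisco
! Added example for ASA 8.2 syntax, not taken from the original posts.
! Identity NAT: the DCs appear on the outside with their real addresses.
static (inside,outside) 192.168.2.101 192.168.2.101 netmask 255.255.255.255
static (inside,outside) 192.168.2.102 192.168.2.102 netmask 255.255.255.255

! Assumption: if the box enforces nat-control, the identity statics above
! already satisfy it; otherwise disable it so untranslated flows are allowed.
no nat-control

! Outside ACL must match the real DC addresses on pre-8.3 code. Scope it to
! the workstation subnet instead of "any any"; a domain join needs DNS, Kerberos,
! LDAP, SMB and RPC (TCP 135 plus dynamic EPM ports), so permit ip between the
! two is the pragmatic choice here. ACL name is an assumption.
access-list outside_access_in extended permit ip 192.168.70.0 255.255.255.0 host 192.168.2.101
access-list outside_access_in extended permit ip 192.168.70.0 255.255.255.0 host 192.168.2.102
access-list outside_access_in extended permit icmp 192.168.70.0 255.255.255.0 host 192.168.2.101
access-list outside_access_in extended permit icmp 192.168.70.0 255.255.255.0 host 192.168.2.102
access-group outside_access_in in interface outside

! DCERPC inspection watches the endpoint mapper on TCP 135 and opens the
! dynamically negotiated high ports the RPC services (including the ones used
! during a domain join) are moved to. It is not enabled in the default policy.
policy-map global_policy
 class inspection_default
  inspect dcerpc
service-policy global_policy global
```

To check the result after a join attempt: `show xlate` should list the two identity translations, `show service-policy inspect dcerpc` should show non-zero packet counts if the inspection is actually seeing EPM traffic, and `show access-list outside_access_in` should show hit counts on the lines above. If DCERPC counters stay at zero while the join still fails, the problem is not the dynamic-port handling and the multi-homing/NetBIOS limitation mentioned earlier in the thread is the more likely cause.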