08-23-2008 05:19 PM
Hi All,
We have a Cisco ASA with three zones: Untrust, Trust and DMZ. A server in the DMZ needs to be authenticated by the AD server in Trust. I am unable to reach the server in Trust from the DMZ server; however, I am able to reach the DMZ server from Trust.
There is no access-list defined on the Inside interface. There are a couple of access-lists defined on the Outside (Untrust) interface.
Can anyone help me overcome this situation?
Regards,
K.V.Krisshna
08-23-2008 06:37 PM
Is there any access-list on the DMZ interface?
Also, how is your NAT configuration? Are you running no nat-control? Is there any dynamic NAT on the inside/dmz interface, like:
nat (inside) 1 x x
Regards
Farrukh
08-23-2008 07:42 PM
In addition to Farrukh's post, please take a look at this scenario.
Go over this link for broader info on AD authentication access across firewalls.
Quote from the doc:
User Login and Authentication
A user network logon across a firewall uses the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• Lightweight Directory Access Protocol (LDAP) ping (389/udp)
• Domain Name System (DNS) (53/tcp, 53/udp)
Computer Login and Authentication
A computer logon to a domain controller uses the following:
• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• LDAP ping (389/udp)
• DNS (53/tcp, 53/udp)
Try this below. You may not need all these ports, but this is basically what needs to be allowed; go over the MS link to get the exact TCP/UDP ports required. You may want to look at your FW logs when the host in the DMZ tries to authenticate to the inside AD server; the logs should tell you a lot about what is being blocked from DMZ to inside.
Create TCP/UDP object groups
Create a no-NAT statement
Create an ACL to permit DMZ host AD authentication using the defined TCP/UDP object groups
You may also need the NetBIOS ports for drive mappings: 137 udp and 139 tcp
! A service object-group that holds port-objects must name its protocol
! (tcp or udp); the group names are case-sensitive and must match the ACL
object-group service AD_access_tcp tcp
 port-object eq 88
 port-object eq 445
 port-object eq 53
 port-object eq 139
object-group service AD_access_udp udp
 port-object eq 88
 port-object eq 389
 port-object eq 445
 port-object eq 53
 port-object eq 137
Say the AD server IP on the inside interface is 20.20.20.100, and the DMZ host is 30.30.30.100:
! identity (no-translation) static so the DMZ host can reach the inside AD server by its real address
static (inside,DMZ) 20.20.20.100 20.20.20.100 netmask 255.255.255.255
! only the AD ports from the DMZ host to the AD server; everything else from DMZ stays denied
access-list DMZ_access_in permit tcp host 30.30.30.100 host 20.20.20.100 object-group AD_access_tcp
access-list DMZ_access_in permit udp host 30.30.30.100 host 20.20.20.100 object-group AD_access_udp
access-group DMZ_access_in in interface DMZ
Rgds
Jorge
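Jorge's advice to read the firewall logs is the quickest way to find out which of these ports the ASA is actually dropping. The following Python script is an added example, not code from the thread or from Cisco: it parses ASA deny messages (106023, logged when an ACL denies a packet, and 106001, the implicit deny that applies when no ACL is bound to a lower-security interface), keeps only flows from the DMZ host to the AD server, separates the AD ports quoted above from anything else, and renders the matching object-group lines. The addresses (30.30.30.100, 20.20.20.100), the interface names `dmz`/`inside`, and the log lines themselves are constructed for the example.

```python
import re
from collections import Counter

# Ports from the Microsoft list quoted in the thread, plus the NetBIOS ports
# mentioned for drive mappings.
AD_PORTS = {
    ("tcp", 445), ("udp", 445),   # Microsoft-DS / SMB
    ("tcp", 88), ("udp", 88),     # Kerberos
    ("udp", 389),                 # LDAP ping
    ("tcp", 53), ("udp", 53),     # DNS
    ("udp", 137), ("tcp", 139),   # NetBIOS name service / session
}

# Constructed sample log (assumed nameifs "dmz" and "inside"); not real output.
SAMPLE_LOG = [
    '%ASA-4-106023: Deny tcp src dmz:30.30.30.100/49152 dst inside:20.20.20.100/445 by access-group "DMZ_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src dmz:30.30.30.100/49153 dst inside:20.20.20.100/88 by access-group "DMZ_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src dmz:30.30.30.100/49154 dst inside:20.20.20.100/445 by access-group "DMZ_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src dmz:30.30.30.100/49155 dst inside:20.20.20.100/389 by access-group "DMZ_access_in" [0x0, 0x0]',
    '%ASA-2-106001: Inbound TCP connection denied from 30.30.30.100/49156 to 20.20.20.100/139 flags SYN on interface dmz',
    '%ASA-4-106023: Deny tcp src dmz:30.30.30.100/49157 dst inside:20.20.20.100/3389 by access-group "DMZ_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:20.20.20.100/445 by access-group "OUTSIDE_access_in" [0x0, 0x0]',
]

# 106023: an ACL bound to the ingress interface denied the packet.
ACL_DENY_RE = re.compile(
    r"106023: Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
# 106001: no ACL on the interface, so the implicit lower-to-higher security
# deny dropped the connection; only the ingress interface is logged.
IMPLICIT_DENY_RE = re.compile(
    r"106001: Inbound (?P<proto>TCP|UDP) connection denied from (?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dip>[\d.]+)/(?P<dport>\d+) flags \S+ on interface (?P<sif>\w+)"
)


def parse_denies(lines):
    """Normalise both deny message types into dicts with the same keys."""
    events = []
    for line in lines:
        m = ACL_DENY_RE.search(line) or IMPLICIT_DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "proto": d["proto"].lower(),
            "sif": d["sif"], "sip": d["sip"], "sport": int(d["sport"]),
            "dif": d.get("dif"),            # None for 106001 (not logged)
            "dip": d["dip"], "dport": int(d["dport"]),
        })
    return events


def blocked_ad_flows(lines, dmz_host, ad_server, src_if="dmz", dst_if="inside"):
    """Count denies from dmz_host to ad_server, split into AD ports and everything else."""
    ad_hits, other_hits = Counter(), Counter()
    for e in parse_denies(lines):
        if e["sif"] != src_if or e["dif"] not in (None, dst_if):
            continue
        if e["sip"] != dmz_host or e["dip"] != ad_server:
            continue
        key = (e["proto"], e["dport"])
        (ad_hits if key in AD_PORTS else other_hits)[key] += 1
    return ad_hits, other_hits


def suggest_port_objects(ad_hits, tcp_group="AD_access_tcp", udp_group="AD_access_udp"):
    """Render ASA object-group lines for the blocked AD ports, one group per protocol."""
    out = []
    for proto, group in (("tcp", tcp_group), ("udp", udp_group)):
        ports = sorted(p for (pr, p) in ad_hits if pr == proto)
        if not ports:
            continue
        out.append(f"object-group service {group} {proto}")
        out.extend(f" port-object eq {p}" for p in ports)
    return "\n".join(out)


if __name__ == "__main__":
    ad, other = blocked_ad_flows(SAMPLE_LOG, "30.30.30.100", "20.20.20.100")
    for (proto, port), n in sorted(ad.items()):
        print(f"AD port blocked: {proto}/{port} x{n}")
    for (proto, port), n in sorted(other.items()):
        print(f"non-AD port blocked (review before permitting): {proto}/{port} x{n}")
    print(suggest_port_objects(ad))
```

The script deliberately keeps ports that are not on the AD list (here 3389) in a separate bucket rather than folding them into the suggested object-group, so the ACL only grows by the ports the logon actually needs; the deny from the outside interface is ignored because it is not the DMZ-to-inside flow under investigation.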