DMZ's uses can't join DC located inside ASA 7.2

Unanswered Question
Aug 25th, 2007
User Badges:


I have a concern related to DC (Domain Controller) located into DMZ on ASA running 7.2.

The scenario as following, all LAN segments reside behind the ASA's inside interface as well as the DC server, I have a bunch of branches connected all the way to my DMZ interface and accessed the DC with NATted IP address from the DMZ subnet.

The branch's user can't join the domain and they saw the DC with its real IP (inside IP) not the translated one, I overcome the problem by statically configured the DC to be shown with its real IP on DMZ and this solve the issue and users joined the domain smoothly.

How could I solve the issue and keep the DC shown with NATted IP on DMZ !!


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JORGE RODRIGUEZ Sat, 08/25/2007 - 08:55
User Badges:
  • Green, 3000 points or more

Hi Belal, Im not quite sure.. you indicated you have a DC located in the DMZ where also your branches connect to DMZ, but then you said your branches cannot access the DC natted IP address. How many DC do you have? one in the DMZ interface and one in the Inside interface or just one in the inside?

Lets assume you only have one Domain Controller in the Inside interface and you have given a NAT IP pertaining to DMZ, what you need to do is create a one-to-one static nat and create access-list to allow access between the DMZ and the inside DC so your users/branches can authenticate to the DC in the inside interface.

can you post config? strip out public IP info.



balsheikh Sun, 08/26/2007 - 00:12
User Badges:

Hi Jorge,

Let me brief the picture clearly, the DC in the inside interface and the branches coming from DMZ interface.

Previous setup, DC configured with one-to-one static nat and ACL to grant the access to the DC. I can ping it and connected to it remotely (RDP) but users can't join the domain.

static (inside,Co-operate) netmask

access-list Co-operate-ACL extended permit ip any

Current setup, I disabled the natting for DC

static (inside,Co-operate) netmask

access-list Co-operate-ACL extended permit ip any


JORGE RODRIGUEZ Sun, 08/26/2007 - 05:55
User Badges:
  • Green, 3000 points or more


DC Inside IP:, given IP for NAT Co-operative:

This should work.

static (inside,Co-operate) netmask

access-list Co-operate_access_in permit tcp any host

access-group Co-operate_access_in in interface Co-operate

Users comming from co-operate interface will point to to joing domain .

o-campbell Sun, 08/26/2007 - 11:41
User Badges:

Sounds like a DNS issue. Host on DMZ point to AD DNS servers which are resolving the DNS address of login AD server as the internal IP. The PIX 6.X code supported an alias command which allowed the PIX to overwrite information in DNS reply packets to change the addresses seen by clients. An example is below.

alias (DMZ)

This would overwrite DNS replies to dns clients on the DMZ interface containing with the NAT'ed address


anandramapathy Mon, 08/27/2007 - 01:11
User Badges:
  • Bronze, 100 points or more

Turn on ASDM logging in the ADM, Logging options.

Check the ASDM Log what is happening when the users try to login to the DC.

Otherwise use the Packet tracer to find out where your packet is getting blocked.

Also check if you are hitting a bug like me. I was suggested to upgrade to 5.2(3) which sloved the issue


Externally found moderate defect: Verified (V)

nat-exempt failed on non-outside interface

balsheikh Tue, 08/28/2007 - 00:18
User Badges:

Hi Jorge,

Trust me it's not a translation or permission issue, as HTH said it's a DNS resolution issue.

I had investigated deeply in this case and found a methodology called DNS Doctoring may help me to get it work as planned, I need a time for testing and I'll get back to you with the last result.

Have you configured DNS Doctoring before !! I believe it's a key for the solution..



JORGE RODRIGUEZ Tue, 08/28/2007 - 08:02
User Badges:
  • Green, 3000 points or more

Hey Betal, I see, but if this is a dns issue you would also be experiencing dns issues on all other interfaces including inside/outside..

I would do one more last thing in ammending in my previous acl allowing udp 53 domain from Co-operate

access-list Co-operate_access_in permit udp any eq 53 host

access-group Co-operate_access_in in interface Co-operate

I have not run into dns issues yet and have not implemented dns doctoring before, it is a matter of reading how to implemented.

Did you try Owen's post above adding an Alias?


This Discussion