Clients unable to register in Active Directory via ASA

Unanswered Question
Oct 24th, 2007


We have three zones (inside, dmz, outside) and the AD server is connected in the DMZ zone. In the ASA I have opened the following ports for outside-to-DMZ communication:

· Microsoft-DS traffic (445/tcp, 445/udp)

· Kerberos authentication protocol (88/tcp, 88/udp)

· Lightweight Directory Access Protocol (LDAP) ping (389/udp)

· Domain Name System (DNS) (53/tcp, 53/udp)

Computer Login and Authentication

A computer logon to a domain controller uses the following:

· Microsoft-DS traffic (445/tcp, 445/udp)

· Kerberos authentication protocol (88/tcp, 88/udp)

· LDAP ping (389/udp)

· DNS (53/tcp, 53/udp)

· TCP (1025, 2967)

However, when I am trying to add the client (located in the outside segment) to the domain (DMZ), I am getting the following error:

Deny UDP source outside:<IP>/1176 dst dmz:AD-real-IP/389 by access-group "out_in_dmz" [0x0, 0x0]

I have opened port 389 (TCP/UDP) but I am still getting the error.

From the inside zone, however, I am able to connect to the AD server.

Can someone suggest?

psureshrao Wed, 10/24/2007 - 19:45

Can you brief some points? How is the connectivity from outside to DMZ? How has the NATing been done for the DMZ zone? Can you post the out_in_dmz ACL list, so that I can have a clear picture and be able to suggest something?

jaravinthan Fri, 10/26/2007 - 01:52


Connect to the device via ASDM. Enable ASDM logging at debug level, try to add the client (or connect to the DC in the DMZ from outside) and check whether the device drops any packets. Allow those ports as well.

Else, try allowing ip any for that particular DMZ DC server from outside for testing purposes and try to add. Hope this helps.
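The reply above suggests turning on logging and checking which packets the ASA drops. As an added example that is not part of this thread, the following Python script parses ASA access-group deny messages (the `%ASA-4-106023` line quoted in the question) and compares the dropped destination ports against the domain-join port list from the question, so a firewall admin can see at a glance which required ports are still being denied and by which ACL. The log lines, IP addresses and the DC address are constructed for illustration; the regex accepts both the `src` keyword and the `source` wording shown in the question.

```python
"""Classify Cisco ASA access-group deny messages against the ports a
Windows domain join needs.  Added example; not from the original thread."""
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the message quoted in the
# question.  All addresses and port numbers are made up for illustration.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src outside:203.0.113.25/1176 dst dmz:192.0.2.10/389 by access-group "out_in_dmz" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.25/1177 dst dmz:192.0.2.10/445 by access-group "out_in_dmz" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.25/1178 dst dmz:192.0.2.10/88 by access-group "out_in_dmz" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.25/1179 dst dmz:192.0.2.10/3389 by access-group "out_in_dmz" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.25/1180 (203.0.113.25/1180) to dmz:192.0.2.10/53 (192.0.2.10/53)
"""

# Ports the question lists for computer logon / domain join, keyed (proto, port).
DOMAIN_JOIN_PORTS = {
    ("tcp", 445): "Microsoft-DS", ("udp", 445): "Microsoft-DS",
    ("tcp", 88): "Kerberos",      ("udp", 88): "Kerberos",
    ("udp", 389): "LDAP ping",    ("tcp", 389): "LDAP",
    ("tcp", 53): "DNS",           ("udp", 53): "DNS",
    ("tcp", 1025): "listed in question", ("tcp", 2967): "listed in question",
}

# "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>""
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) (?:src|source) (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"',
    re.IGNORECASE,
)


def parse_deny(line):
    """Return the fields of an access-group deny line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["proto"] = d["proto"].lower()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d


def summarize_denies(log_text, dc_ip, dst_zone="dmz"):
    """Count denies towards dc_ip on the dst_zone interface, split into ports the
    domain join needs and everything else, and record which ACLs dropped them.
    Note: the ASA logs the destination as the address the ACL sees on that
    interface, so dc_ip must be that address (the question's "AD-real-IP")."""
    required, other, acls = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        d = parse_deny(line)
        if d is None or d["dst_ip"] != dc_ip or d["dst_if"] != dst_zone:
            continue
        key = (d["proto"], d["dst_port"])
        acls[d["acl"]] += 1
        if key in DOMAIN_JOIN_PORTS:
            required[key] += 1
        else:
            other[key] += 1
    return {"required_denied": dict(required), "other_denied": dict(other), "acls": dict(acls)}


def missing_rules(summary):
    """Sorted, human-readable list of domain-join ports the ACL is still dropping."""
    return sorted(f"{p}/{port} ({DOMAIN_JOIN_PORTS[(p, port)]})"
                  for (p, port) in summary["required_denied"])


if __name__ == "__main__":
    s = summarize_denies(SAMPLE_LOG, "192.0.2.10")
    for rule in missing_rules(s):
        print("still denied by", ", ".join(s["acls"]), ":", rule)
    print("denied ports not on the domain-join list:", s["other_denied"])
```

Run it against a syslog export or the ASDM log viewer output for the DC's address; the `other_denied` bucket separates ordinary noise (here a constructed 3389 attempt) from the ports the domain join actually needs, which is the list to compare against the `out_in_dmz` ACL.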

