Domain Authentication through an ASA

conversyschris
Level 1

Hello.

Basically this is my setup.

DMZ - 10.10.xxx.xxx

Private - 192.168.xx.xxx

Outside - 66.38.xxx.xxx

I have my new domain controller on the Private network where I house my database servers. I am trying to get my web servers in the DMZ to authenticate through my ASA 5520 to the new domain controller on the Private side... I have tried a few things but haven't had any luck. Does anyone know an easy way of explaining this configuration on the firewall, or have a document that could help me out?

Thanks,

Chris

7 Replies

jaravinthan
Level 1

Hi,

What is the security level of the DMZ and Private interfaces? Do you have any ACLs on these interfaces, inbound/outbound? What protocol/port is used by the web server to authenticate to the DC?

JORGE RODRIGUEZ
Level 10

Chris, if I understand, the DC is inside and the web server is in the DMZ. What does your access list look like? Can you post it? You may need to open up some TCP and UDP ports: create a service object group with these ports (tcp/udp 445, 88, 389, 53). You may also need the NetBIOS ports for file directory access.

Refer to this link for the ports required;

you may also look into the specific ports in the Microsoft website knowledge base.

http://www.jarmanator.net/kb/server2k3fwports.htm

http://technet2.microsoft.com/windowsserver/WSS/en/library/5b000a77-471a-400d-b446-aa68a9526f3e1033.mspx?mfr=true

This example is just for the DNS TCP port.

Assume DC IP: 192.168.1.20
DMZ host IP: 10.10.10.1

static (inside,DMZ) 192.168.1.20 192.168.1.20 netmask 255.255.255.255
access-list DMZ_access_in permit tcp host 10.10.10.1 host 192.168.1.20 eq 53
access-group DMZ_access_in in interface DMZ

Apply the same principle when you create the TCP/UDP service object groups.

HTH

Jorge

Jorge Rodriguez
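An added example of the object-group version Jorge describes, written for this thread and not taken from his post or from Cisco documentation. It uses the pre-8.3 ASA syntax (static/nat) of the thread, the same assumed addresses (DC 192.168.1.20 on inside, web server 10.10.10.1 in the DMZ) and the ports a Windows Server 2003 domain member needs to reach its DC; the identity static keeps the DC's real address visible from the DMZ, so the ACL matches on that address rather than on a translated one.

```text
! Added example, not from the thread. Pre-8.3 ASA syntax.
! Assumed: DC 192.168.1.20 (inside), web server 10.10.10.1 (DMZ).
!
! TCP: 53 DNS, 88 Kerberos, 135 RPC endpoint mapper, 389 LDAP,
! 445 SMB (SYSVOL/Netlogon), 464 Kerberos password change, 636 LDAPS,
! 3268/3269 Global Catalog, 1025-5000 RPC dynamic range (Server 2003
! default; narrow it on the DC if you can, and add 137-139 only if
! legacy NetBIOS name resolution is really required).
object-group service AD-DC-TCP tcp
 description AD member -> DC, TCP
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 464
 port-object eq 636
 port-object eq 3268
 port-object eq 3269
 port-object range 1025 5000
!
! UDP: 53 DNS, 88 Kerberos, 123 NTP (Kerberos needs clocks in sync),
! 389 CLDAP (DC locator pings), 464 Kerberos password change.
object-group service AD-DC-UDP udp
 description AD member -> DC, UDP
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 389
 port-object eq 464
!
! Identity static: the DC appears in the DMZ under its own address.
static (inside,DMZ) 192.168.1.20 192.168.1.20 netmask 255.255.255.255
!
! Only the web server, only to the DC, only these ports. Everything
! else from the DMZ towards inside hits the ACL's implicit deny.
access-list DMZ_access_in extended permit tcp host 10.10.10.1 host 192.168.1.20 object-group AD-DC-TCP
access-list DMZ_access_in extended permit udp host 10.10.10.1 host 192.168.1.20 object-group AD-DC-UDP
access-group DMZ_access_in in interface DMZ
```

After the web server is joined and a logon has been tested, `show access-list DMZ_access_in` shows a hit count per expanded entry, which tells you which ports are actually in use and which object-group members could be removed.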

Hi Jorge,

Thanks for the response. I have attached a copy of my current ACLs loaded on the device. Your post has already given me a great deal to work with, but hopefully you can take a look and determine a bit more of what I need for this setup.

Thanks

Chris

Forgot to add these lines to my configuration doc.

access-group OUT66 in interface Outside66
access-group DMZ in interface DMZ

After doing some research and looking into a few things, I assume that this is what I need to add.

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 53
static (Inside,DMZ) 10.10.xxx.xxx 192.168.x.xxx netmask 255.255.255.255

Following the same format, I will add more ACL entries for the other protocols used by Active Directory to allow my host(s) to access the Domain Controller on the Inside.

Does that config look as though it will work? I am having some major issues with this configuration because we do not have a test environment and I can't afford any downtime on my firewall. My deadline for testing is coming up soon, so any review/comments would be appreciated.

Thanks in advance,

Chris

I am adding my configuration and testing this Monday. I have come up with this so far:

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 53
access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 53
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 445
access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 445
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 389
access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 389
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 88
access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 88
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 636
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 1025
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 3268
static (Inside,DMZ) 10.10.xxx.xxx 192.168.x.xxx netmask 255.255.255.255

As I mentioned, I have to add this configuration and test in my LIVE environment on Monday. If anyone could review my initial ACL configuration from the document I posted, and assess my new additions to tell me if this will work as planned, I would appreciate it.

Thanks,

Chris

My old post with the config expired, here it is.
