10-25-2007 07:51 AM - edited 03-11-2019 04:30 AM
Hello.
Basically this is my setup.
DMZ - 10.10.xxx.xxx
Private - 192.168.xx.xxx
Outside - 66.38.xxx.xxx
I have my new domain controller on the Private network where I house my database servers. I am trying to get my web servers in the DMZ to authenticate through my ASA 5520 to the new domain controller on the Private side. I have tried a few things but haven't had any luck. Does anyone know an easy way of explaining this configuration on the firewall, or have a document that could help me out?
Thanks,
Chris
10-25-2007 08:08 AM
Hi,
What is the security level of the DMZ and Private interfaces? Do you have any ACLs on these interfaces, inbound/outbound? What protocol/port does the web server use to authenticate to the DC?
10-25-2007 09:55 AM
Chris, if I understand, the DC is on the inside and the web server is in the DMZ. What does your access list look like? Can you post it? You may need to open up some TCP and UDP ports: create a service object group with these ports (tcp/udp 445, 88, 389, 53). You may also need the NetBIOS ports for file/directory access.
Refer to this link for the ports required; you may also look into the specific ports in the Microsoft knowledge base:
http://www.jarmanator.net/kb/server2k3fwports.htm
This example is just for the DNS TCP port.
Assume DC IP: 192.168.1.20
DMZ host IP: 10.10.10.1
static (inside,DMZ) 192.168.1.20 192.168.1.20 netmask 255.255.255.255
access-list DMZ_access_in permit tcp host 10.10.10.1 host 192.168.1.20 eq 53
access-group DMZ_access_in in interface DMZ
Apply the same principle when you create the TCP/UDP service object group.
HTH
Jorge
10-26-2007 06:08 AM
10-26-2007 10:01 AM
Forgot to add these lines to my configuration doc.
access-group OUT66 in interface Outside66
access-group DMZ in interface DMZ
10-30-2007 05:39 AM
After doing some research and looking into a few things, I assume that this is what I need to add:
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 53
static (Inside,DMZ) 10.10.xxx.xxx 192.168.x.xxx netmask 255.255.255.255
Following the same format, I will add more ACL entries for the other protocols used by Active Directory to allow my host(s) to access the Domain Controller on the Inside.
Does that config look as though it will work? I am having some major issues with this configuration because we do not have a test environment and I can't afford any downtime on my firewall. My deadline for testing is coming up soon, so any review/comments would be appreciated.
Thanks in advance,
Chris
11-02-2007 06:03 AM
I am adding my configuration and testing this Monday. I have come up with this so far:
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 53
access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 53
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 445
access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 445
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 389
access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 389
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 88
access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 88
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 389
access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 389
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 636
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 1025
access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 3268
static (Inside,DMZ) 10.10.xxx.xxx 192.168.x.xxx netmask 255.255.255.255
As I mentioned, I have to add this configuration and test in my LIVE environment on Monday. If anyone could review my initial ACL configuration from the document I posted and assess my new additions to tell me if this will work as planned, I would appreciate it.
Thanks,
Chris
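As an added example (not posted by anyone in this thread), here is a small Python checker for the pre-8.3 `static (real_if,mapped_if) mapped_ip real_ip` and `access-list ... host A host B eq PORT` syntax used above. It parses the static, access-list and access-group lines and flags the mistakes a reviewer would look for before a live change: ACEs that name the DC's real address while the static exposes it under a different address on DMZ, a mapped address that collides with the DMZ host's own address, ACLs not bound with access-group, and duplicate ACEs. The addresses and ACL name are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample (not from the thread): the static exposes the DC as 10.10.10.1 on DMZ,
# which is the web server's own address, while the ACEs still name the DC's real address.
BROKEN_CONFIG = """
static (inside,DMZ) 10.10.10.1 192.168.1.20 netmask 255.255.255.255
access-list DMZ_access_in permit tcp host 10.10.10.1 host 192.168.1.20 eq 53
access-list DMZ_access_in permit tcp host 10.10.10.1 host 192.168.1.20 eq 389
access-list DMZ_access_in permit tcp host 10.10.10.1 host 192.168.1.20 eq 389
access-group DMZ_access_in in interface DMZ
"""
# Same intent with an identity static: the DC keeps 192.168.1.20 when seen from DMZ.
FIXED_CONFIG = """
static (inside,DMZ) 192.168.1.20 192.168.1.20 netmask 255.255.255.255
access-list DMZ_access_in permit tcp host 10.10.10.1 host 192.168.1.20 eq 53
access-list DMZ_access_in permit udp host 10.10.10.1 host 192.168.1.20 eq 53
access-group DMZ_access_in in interface DMZ
"""
STATIC_RE = re.compile(r"^static\s*\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+\S+$")
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+host\s+(\S+)\s+host\s+(\S+)\s+eq\s+(\d+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

def review(config):
    """Return sorted findings about static/ACL consistency (pre-8.3 ASA syntax)."""
    statics, aces, applied = [], [], {}
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())        # (real_if, mapped_if, mapped_ip, real_ip)
        elif m := ACE_RE.match(line):
            aces.append(m.groups())           # (acl, proto, src, dst, port)
        elif m := GROUP_RE.match(line):
            applied[m.group(1)] = m.group(2)  # acl name -> interface it is bound to
    findings = set()
    for acl, proto, src, dst, port in aces:
        ifc = applied.get(acl)
        if ifc is None:
            findings.add(f"{acl}: not bound to any interface with access-group")
            continue
        for _real_if, mapped_if, mapped_ip, real_ip in statics:
            if mapped_if != ifc:
                continue
            # ACLs on an interface match the address as it is seen on that interface.
            if dst == real_ip and mapped_ip != real_ip:
                findings.add(f"{acl}: {dst} is seen on {ifc} as {mapped_ip}; ACE will not match")
            if mapped_ip == src:
                findings.add(f"static: mapped address {mapped_ip} collides with {ifc} host {src}")
    for ace, n in Counter(aces).items():
        if n > 1:
            findings.add(f"{ace[0]}: duplicate ACE {ace[1]} {ace[2]} -> {ace[3]} eq {ace[4]}")
    return sorted(findings)
```

Running `review(BROKEN_CONFIG)` reports the mismatch, the collision and the duplicate 389 entry, while `review(FIXED_CONFIG)` returns an empty list.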
11-02-2007 06:07 AM