Traversing from DMZ to Trust in Cisco ASA 5510

Unanswered Question
Aug 23rd, 2008

Hi All,

We have a Cisco ASA with three zones: Untrust, Trust and DMZ. A server in the DMZ needs to be authenticated by the AD server in Trust. I am unable to reach the server in Trust from the DMZ server; however, I am able to reach the DMZ server from Trust.

There is no access-list defined on the Inside interface. There are a couple of access-lists defined on the Outside (Untrust) interface.

Can anyone help me overcome this situation?

Farrukh Haroon Sat, 08/23/2008 - 18:37

Is there any access-list on the DMZ interface?

Also, how is your NAT configuration? Are you running no nat-control? Is there any dynamic NAT on the inside/dmz interface, like:

nat (inside) 1 x x



JORGE RODRIGUEZ Sat, 08/23/2008 - 19:42

In addition to Farrukh's post, please take a look at this scenario.

Go over this link for broader info on AD authentication access across firewalls.

Quote from the doc:

User Login and Authentication

A user network logon across a firewall uses the following:

• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• Lightweight Directory Access Protocol (LDAP) ping (389/udp)
• Domain Name System (DNS) (53/tcp, 53/udp)

Computer Login and Authentication

A computer logon to a domain controller uses the following:

• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• LDAP ping (389/udp)
• DNS (53/tcp, 53/udp)

Try this below. You may not need all these ports, but this is basically what needs to be allowed; go over the MS link to get the exact TCP/UDP ports required. You may want to look at your FW logs when the host in the DMZ tries to authenticate to the inside AD server; the logs should tell you a lot about what is being blocked from the DMZ to inside.

Create TCP/UDP object groups.

Create a no-NAT statement.

Create an ACL to permit the DMZ host's AD authentication using the defined TCP/UDP object groups.

You may also need the NetBIOS ports for drive mappings: 137/udp and 139/tcp.

object-group service AD_access_tcp tcp
 port-object eq 88
 port-object eq 445
 port-object eq 53
 port-object eq 139
object-group service AD_access_udp udp
 port-object eq 88
 port-object eq 389
 port-object eq 445
 port-object eq 53
 port-object eq 137

Say the AD server IP on the inside interface is , and the DMZ host is

static (inside,DMZ) netmask

access-list DMZ_access_in permit tcp host host object-group AD_access_tcp
access-list DMZ_access_in permit udp host host object-group AD_access_udp
access-group DMZ_access_in in interface DMZ
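Added example, not from this post or from Cisco: a small Python checker that parses object-groups and ACL entries in the form used above and reports which of the Microsoft-listed logon ports the DMZ host still cannot reach on the AD server (the same question the firewall logs answer). The addresses 192.0.2.10 (DMZ host) and 198.51.100.5 (AD server) are placeholders, since the post elides the real ones.

```python
import re

# Constructed sample: the post's object-groups and ACL with placeholder addresses
# (192.0.2.10 = DMZ host, 198.51.100.5 = AD server); the post elides the real ones.
ASA_CONFIG = """\
object-group service AD_access_tcp tcp
 port-object eq 88
 port-object eq 445
 port-object eq 53
 port-object eq 139
object-group service AD_access_udp udp
 port-object eq 88
 port-object eq 389
 port-object eq 445
 port-object eq 53
 port-object eq 137
access-list DMZ_access_in permit tcp host 192.0.2.10 host 198.51.100.5 object-group AD_access_tcp
access-list DMZ_access_in permit udp host 192.0.2.10 host 198.51.100.5 object-group AD_access_udp
"""
# Flows a user/computer logon across a firewall needs, per the Microsoft list quoted above.
AD_LOGON_FLOWS = [("tcp", 445), ("udp", 445), ("tcp", 88), ("udp", 88),
                  ("udp", 389), ("tcp", 53), ("udp", 53)]

GROUP_RE = re.compile(r"object-group service (\S+) (tcp|udp)$")
PORT_RE = re.compile(r"port-object eq (\d+)$")
ACE_RE = re.compile(r"access-list \S+ permit (tcp|udp) host (\S+) host (\S+) object-group (\S+)$")

def parse_asa(config):
    """Return ({group: (proto, {ports})}, [(proto, src, dst, group)]) for the forms used in the post."""
    groups, aces, current = {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := GROUP_RE.match(line):
            current = m.group(1)
            groups[current] = (m.group(2), set())
        elif (m := PORT_RE.match(line)) and current:
            groups[current][1].add(int(m.group(1)))
        elif m := ACE_RE.match(line):
            aces.append(m.groups())
            current = None
    return groups, aces

def permitted(groups, aces, src, dst, proto, port):
    """True if an ACE from src to dst references a group of the same protocol that contains port."""
    for aproto, asrc, adst, group in aces:
        gproto, ports = groups.get(group, (None, set()))  # unknown group name permits nothing
        if (aproto, asrc, adst, gproto) == (proto, src, dst, proto) and port in ports:
            return True
    return False

def missing_ad_flows(config, dmz_host, ad_server, flows=AD_LOGON_FLOWS):
    """(proto, port) pairs the DMZ host still cannot reach on the AD server; empty means all allowed."""
    groups, aces = parse_asa(config)
    return [f for f in flows if not permitted(groups, aces, dmz_host, ad_server, *f)]
```

The checker models only the two ACE forms in the post and the object-group name match (a case mismatch such as AD_Access_tcp versus AD_access_tcp shows up as every TCP flow missing); NAT and the ACL's implicit deny are outside it.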
