Traversing from DMZ to Trust in Cisco ASA 5510

Aug 23rd, 2008

Hi All,


We have a Cisco ASA with three zones: Untrust, Trust, and DMZ. A server in the DMZ needs to be authenticated by the AD server in Trust. I am unable to reach the server in Trust from the DMZ server; however, I am able to reach the DMZ server from Trust.

There is no access-list defined on the Inside interface. There are a couple of access-lists defined on the Outside (Untrust) interface.

Can anyone help me overcome this situation?


Regards,

K.V.Krisshna

Farrukh Haroon Sat, 08/23/2008 - 18:37

Is there any access-list on the DMZ interface?


Also, how is your NAT configuration? Are you running no nat-control? Is there any dynamic NAT on the inside/DMZ interface, like:


nat (inside) 1 x x


Regards


Farrukh



JORGE RODRIGUEZ Sat, 08/23/2008 - 19:42

In addition to Farrukh's post, please take a look at this scenario.

Go over this link for broader info on AD authentication access across firewalls:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en


Quote from the doc:

User Login and Authentication

A user network logon across a firewall uses the following:

• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• Lightweight Directory Access Protocol (LDAP) ping (389/udp)
• Domain Name System (DNS) (53/tcp, 53/udp)

Computer Login and Authentication

A computer logon to a domain controller uses the following:

• Microsoft-DS traffic (445/tcp, 445/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• LDAP ping (389/udp)
• DNS (53/tcp, 53/udp)



Try this below. You may not need all these ports, but this is basically what needs to be allowed; go over the MS link to get the exact TCP/UDP ports required. You may want to look at your FW logs when the host in the DMZ tries to authenticate to the inside AD server; the logs should tell you a lot about what is being blocked from DMZ to inside.

Create TCP/UDP object groups.

Create a no-NAT statement.

Create an ACL to permit DMZ host AD authentication using the defined TCP/UDP object groups.

You may also need the NetBIOS ports for drive mappings: 137/udp and 139/tcp.



object-group service AD_Access_tcp tcp
 description TCP ports the DMZ host needs to reach on the inside AD server
 port-object eq 88
 port-object eq 445
 port-object eq 53
 port-object eq 139

object-group service AD_Access_udp udp
 description UDP ports the DMZ host needs to reach on the inside AD server
 port-object eq 88
 port-object eq 389
 port-object eq 445
 port-object eq 53
 port-object eq 137

Say the AD server IP on the inside interface is 20.20.20.100, and the DMZ host is 30.30.30.100.

static (inside,DMZ) 20.20.20.100 20.20.20.100 netmask 255.255.255.255

access-list DMZ_access_in permit tcp host 30.30.30.100 host 20.20.20.100 object-group AD_Access_tcp
access-list DMZ_access_in permit udp host 30.30.30.100 host 20.20.20.100 object-group AD_Access_udp
access-group DMZ_access_in in interface DMZ




Rgds

Jorge
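Jorge's advice above is to read the firewall logs to see what is being blocked from the DMZ to inside. The following is an added example, not part of the original thread or of any Cisco tooling: a Python script that parses ASA deny syslog messages (106001/106006 implicit low-to-high denies, as seen when the DMZ interface has no ACL, and 106023 explicit ACL denies) for flows from the DMZ host to the AD server and labels each denied port with the AD logon service from the list quoted above. The log lines, addresses and message layout are constructed for the example.

```python
import re
from collections import Counter

# Ports from the Microsoft logon list quoted above plus the NetBIOS ports for drive mappings.
AD_PORTS = {
    ("tcp", 445): "Microsoft-DS", ("udp", 445): "Microsoft-DS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("udp", 389): "LDAP ping", ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("udp", 137): "NetBIOS name service", ("tcp", 139): "NetBIOS session",
}

# Three ASA deny messages: 106001/106006 are the implicit low-to-high-security
# denies seen when the DMZ interface has no ACL; 106023 is an explicit ACL deny.
DENY_PATTERNS = [
    ("tcp", re.compile(r"106001: Inbound TCP connection denied from (\S+?)/\d+ to (\S+?)/(\d+)")),
    ("udp", re.compile(r"106006: Deny inbound UDP from (\S+?)/\d+ to (\S+?)/(\d+)")),
    (None, re.compile(r"106023: Deny (tcp|udp) src [^\s:]+:(\S+?)/\d+ dst [^\s:]+:(\S+?)/(\d+)")),
]

def parse_deny(line):
    """Return (proto, src_ip, dst_ip, dst_port) for a deny line, else None."""
    for proto, pattern in DENY_PATTERNS:
        m = pattern.search(line)
        if m:
            groups = list(m.groups())
            if proto is None:          # 106023 names the protocol in the message
                proto = groups.pop(0)
            return (proto, groups[0], groups[1], int(groups[2]))
    return None

def blocked_ad_ports(lines, dmz_host, ad_server):
    """Count denied dmz_host -> ad_server flows per (proto, port), labelled with
    the AD logon service that port belongs to, or flagged as unrelated."""
    counts = Counter()
    for line in lines:
        hit = parse_deny(line)
        if hit and hit[1] == dmz_host and hit[2] == ad_server:
            counts[(hit[0], hit[3])] += 1
    return {k: (AD_PORTS.get(k, "not an AD logon port"), n) for k, n in counts.items()}

# Constructed sample syslog lines (not real captures), in the ASA 8.0 message format.
SAMPLE_LOG = """\
%ASA-2-106001: Inbound TCP connection denied from 30.30.30.100/49321 to 20.20.20.100/88 flags SYN  on interface DMZ
%ASA-2-106006: Deny inbound UDP from 30.30.30.100/53211 to 20.20.20.100/389 on interface DMZ
%ASA-4-106023: Deny udp src DMZ:30.30.30.100/53212 dst inside:20.20.20.100/53 by access-group "DMZ_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src DMZ:30.30.30.100/49323 dst inside:20.20.20.100/3389 by access-group "DMZ_access_in" [0x0, 0x0]
""".splitlines()

if __name__ == "__main__":
    for (proto, port), (svc, n) in sorted(blocked_ad_ports(SAMPLE_LOG, "30.30.30.100", "20.20.20.100").items()):
        print(f"{proto}/{port:<5} {svc:<22} denied {n}x")
```

Any port labelled "not an AD logon port" is something other than domain logon trying to cross from the DMZ and should not be added to the object groups just because it shows up as denied.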
