Traversing from DMZ to Trust in Cisco ASA 5510

AGINetworkGroup
Level 1

Hi All,

We have a Cisco ASA with three zones: Untrust, Trust and DMZ. A server in the DMZ needs to be authenticated by the AD server in Trust. I am unable to reach the server in Trust from the DMZ server; however, I am able to reach the DMZ server from Trust.

There is no access-list defined on the Inside interface. There are a couple of access-lists defined on the Outside (Untrust) interface.

Can anyone help me overcome this situation?

Regards,

K.V.Krisshna

2 Replies

Farrukh Haroon
VIP Alumni

Is there any access-list on the DMZ interface?

Also, how is your NAT configuration? Are you running no nat-control? Is there any dynamic NAT on the inside/dmz interface, like:

nat (inside) 1 x x

Regards

Farrukh

In addition to Farrukh's post, please take a look at this scenario.

Go over this link for broader info on AD authentication access across firewalls:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

Quote from the document:

User Login and Authentication

A user network logon across a firewall uses the following:

•Microsoft-DS traffic (445/tcp, 445/udp)

•Kerberos authentication protocol (88/tcp, 88/udp)

•Lightweight Directory Access Protocol (LDAP) ping (389/udp)

•Domain Name System (DNS) (53/tcp, 53/udp)

Computer Login and Authentication

A computer logon to a domain controller uses the following:

•Microsoft-DS traffic (445/tcp, 445/udp)

•Kerberos authentication protocol (88/tcp, 88/udp)

•LDAP ping (389/udp)

•DNS (53/tcp, 53/udp)

Try this below. You may not need all these ports, but this is basically what needs to be allowed; go over the MS link to get the exact TCP/UDP ports required. You may want to look at your FW logs when the host in the DMZ tries to authenticate to the inside AD server; the logs should tell you a lot about what is being blocked from dmz to inside.

Create TCP/UDP object groups.

Create a no-NAT statement.

Create an ACL to permit DMZ host AD authentication using the defined TCP/UDP object groups.

You may also need the NetBIOS ports for drive mappings: 137 udp and 139 tcp.

! TCP ports for AD authentication (group names are case-sensitive; the ACL must use the same spelling)
object-group service AD_Access_tcp tcp
 port-object eq 88
 port-object eq 445
 port-object eq 53
 port-object eq 139
! UDP ports for AD authentication
object-group service AD_Access_udp udp
 port-object eq 88
 port-object eq 389
 port-object eq 445
 port-object eq 53
 port-object eq 137

Say the AD server IP on the inside interface is 20.20.20.100, and the DMZ host is 30.30.30.100.

! Identity (no-NAT) static so the inside address is reachable unchanged from the DMZ
static (inside,DMZ) 20.20.20.100 20.20.20.100 netmask 255.255.255.255
! Permit only the DMZ host to the AD server on the AD ports, then apply the ACL inbound on DMZ
access-list DMZ_access_in extended permit tcp host 30.30.30.100 host 20.20.20.100 object-group AD_Access_tcp
access-list DMZ_access_in extended permit udp host 30.30.30.100 host 20.20.20.100 object-group AD_Access_udp
access-group DMZ_access_in in interface DMZ

Rgds

Jorge

Jorge Rodriguez
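Jorge's reply points at the firewall logs as the way to find out what is being dropped between the DMZ host and the AD server. The script below is an added example, not code from either reply or from Cisco: it parses ASA deny messages (syslog IDs 106001 and 106006 for the implicit deny when no ACL is applied to the interface, 106023 for a deny by an applied access-group, and 305005 for the "no translation group" case Farrukh's NAT question is about), keeps only flows from the DMZ host to the AD server, checks the denied ports against the Microsoft port list quoted above, and emits pre-8.3 ASA lines that open exactly those ports. The log lines in SAMPLE_LOGS, the host addresses and the interface names are constructed for the example.

```python
"""Triage Cisco ASA deny logs for DMZ -> inside Active Directory traffic.

Added example; not code from the thread. The log lines in SAMPLE_LOGS are
constructed. Message layouts follow ASA syslog IDs 106001, 106006, 106023
and 305005; the AD port list is the Microsoft document quoted in the thread.
"""
import re
from collections import Counter

# Ports the quoted Microsoft document lists for user and computer logon.
AD_LOGON_PORTS = {
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 445): "Microsoft-DS", ("udp", 445): "Microsoft-DS",
    ("udp", 389): "LDAP ping",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
}

# (reason, protocol or None when the message itself names it, compiled pattern)
PATTERNS = [
    # 106023: dropped by the access-group applied to the ingress interface.
    ("acl", None, re.compile(
        r'%ASA-\d-106023: Deny (?P<proto>tcp|udp) src (?P<sif>[^:]+):(?P<sip>[\d.]+)/\d+ '
        r'dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+).*?by access-group "(?P<acl>[^"]+)"')),
    # 106001/106006: implicit deny of lower- to higher-security traffic with no ACL on the interface.
    ("implicit", "tcp", re.compile(
        r'%ASA-\d-106001: Inbound TCP connection denied from (?P<sip>[\d.]+)/\d+ '
        r'to (?P<dip>[\d.]+)/(?P<dport>\d+) flags \S+\s+on interface (?P<sif>\S+)')),
    ("implicit", "udp", re.compile(
        r'%ASA-\d-106006: Deny inbound UDP from (?P<sip>[\d.]+)/\d+ '
        r'to (?P<dip>[\d.]+)/(?P<dport>\d+) on interface (?P<sif>\S+)')),
    # 305005: passed the ACL but no static/identity translation exists between the interfaces.
    ("nat", None, re.compile(
        r'%ASA-\d-305005: No translation group found for (?P<proto>tcp|udp) src (?P<sif>[^:]+):(?P<sip>[\d.]+)/\d+ '
        r'dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+)')),
]

# Constructed sample lines (not real logs) in ASA syslog format.
SAMPLE_LOGS = [
    'Mar 10 2009 14:02:11 asa5510 : %ASA-2-106001: Inbound TCP connection denied from 30.30.30.100/49211 to 20.20.20.100/88 flags SYN  on interface DMZ',
    'Mar 10 2009 14:02:11 asa5510 : %ASA-2-106006: Deny inbound UDP from 30.30.30.100/49212 to 20.20.20.100/389 on interface DMZ',
    'Mar 10 2009 14:02:12 asa5510 : %ASA-4-106023: Deny tcp src DMZ:30.30.30.100/49213 dst inside:20.20.20.100/445 by access-group "DMZ_access_in" [0x0, 0x0]',
    'Mar 10 2009 14:02:12 asa5510 : %ASA-4-106023: Deny udp src DMZ:30.30.30.100/49214 dst inside:20.20.20.100/53 by access-group "DMZ_access_in" [0x0, 0x0]',
    'Mar 10 2009 14:02:13 asa5510 : %ASA-6-302013: Built outbound TCP connection 12345 for inside:20.20.20.100/3389 (20.20.20.100/3389) to DMZ:30.30.30.100/49215 (30.30.30.100/49215)',
    'Mar 10 2009 14:02:14 asa5510 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:20.20.20.100/445 by access-group "outside_access_in" [0x0, 0x0]',
    'Mar 10 2009 14:02:15 asa5510 : %ASA-3-305005: No translation group found for tcp src DMZ:30.30.30.100/49216 dst inside:20.20.20.100/88',
    'Mar 10 2009 14:02:16 asa5510 : %ASA-4-106023: Deny tcp src DMZ:30.30.30.100/49217 dst inside:20.20.20.100/3389 by access-group "DMZ_access_in" [0x0, 0x0]',
]


def parse_deny(line):
    """Return a dict describing a denied flow, or None for any other message."""
    for reason, proto, pat in PATTERNS:
        m = pat.search(line)
        if m:
            d = m.groupdict()
            return {"reason": reason, "proto": proto or d["proto"], "sif": d["sif"],
                    "sip": d["sip"], "dip": d["dip"], "dport": int(d["dport"]),
                    "acl": d.get("acl")}
    return None


def analyze(lines, dmz_host, ad_server):
    """Count denies from dmz_host to ad_server by (reason, proto, port); split AD ports from the rest."""
    denied = Counter()
    for line in lines:
        f = parse_deny(line)
        if f and f["sip"] == dmz_host and f["dip"] == ad_server:
            denied[(f["reason"], f["proto"], f["dport"])] += 1
    missing = sorted({(p, port) for (_, p, port) in denied if (p, port) in AD_LOGON_PORTS})
    other = sorted({(p, port) for (_, p, port) in denied if (p, port) not in AD_LOGON_PORTS})
    needs_nat = any(r == "nat" for (r, _, _) in denied)
    return {"denied": denied, "missing": missing, "other": other, "needs_nat": needs_nat}


def suggest_config(result, dmz_host, ad_server, acl_name="DMZ_access_in"):
    """Pre-8.3 ASA lines permitting exactly the denied AD ports; non-AD ports stay denied."""
    out = []
    for proto in ("tcp", "udp"):
        ports = [port for (p, port) in result["missing"] if p == proto]
        if ports:
            out.append(f"object-group service AD_Access_{proto} {proto}")
            out += [f" port-object eq {port}" for port in ports]
    if result["needs_nat"]:  # identity static, only when 305005 was seen
        out.append(f"static (inside,DMZ) {ad_server} {ad_server} netmask 255.255.255.255")
    for proto in ("tcp", "udp"):
        if any(p == proto for (p, _) in result["missing"]):
            out.append(f"access-list {acl_name} extended permit {proto} host {dmz_host} "
                       f"host {ad_server} object-group AD_Access_{proto}")
    out.append(f"access-group {acl_name} in interface DMZ")
    return out


if __name__ == "__main__":
    r = analyze(SAMPLE_LOGS, "30.30.30.100", "20.20.20.100")
    for (reason, proto, port), n in sorted(r["denied"].items()):
        print(f"{n:3d}  {reason:8s} {proto}/{port}")
    print("denied but not an AD logon port, leave it denied:", r["other"])
    print("\n".join(suggest_config(r, "30.30.30.100", "20.20.20.100")))
```

The reason field is the useful part when reading real logs: 106001/106006 means no ACL is applied on the DMZ interface at all, 106023 names the ACL that dropped the packet, and 305005 means the ACL already permits the flow but the identity static is missing. The 3389 deny in the sample is deliberately left out of the generated rules; the object groups open only the ports the AD document calls for.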