ASA: How to allow active directory to traverse outside and inside?

Unanswered Question
Apr 15th, 2009

I am attempting to get AD to cooperate from a parent domain on the outside of the ASA to a child domain on the inside of the ASA.

So far when I first setup the child domain all is well (assuming because the inside server is initiating the chatter) but after a little while (not sure of time frame) AD stops synching and get errors on the servers about such.

Collin Clark Thu, 04/16/2009 - 05:57

This is just off the top of my head, but you'll need LDAP, DNS, and Kerberos opened up. If you want file browsing, you'll have to open RPC (all ports >1024) and 137-139 & 445. You have a couple of other options though. You can use an IPSec tunnel between the two servers and/or RPC over HTTPS.

Hope that helps.
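As an added illustration (not part of the thread, and not a config from either poster) of how the ports listed above can be opened on the ASA in front of the child domain while still restricting them to the domain controllers only, assuming ASA 8.2-era syntax, constructed addresses 10.1.1.10 (parent DC) and 10.2.2.10 (child DC, or its translated address if NAT applies), and TCP 135 added because the RPC endpoint mapper is what hands out the >1024 ports:

```cisco
! Constructed example: scope AD traffic to the DC pairs, never "any any"
object-group network PARENT_DCS
 network-object host 10.1.1.10
object-group network CHILD_DCS
 network-object host 10.2.2.10
!
! TCP: DNS, Kerberos, RPC endpoint mapper, NetBIOS session, LDAP, SMB,
! plus the dynamic RPC range used by AD replication
object-group service AD_TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 139
 port-object eq 389
 port-object eq 445
 port-object range 1024 65535
!
! UDP: DNS, Kerberos, NetBIOS name/datagram, LDAP (DC locator pings)
object-group service AD_UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 137
 port-object eq 138
 port-object eq 389
!
! Inbound (lower to higher security) is the direction that needs the ACL;
! the stateful ASA allows the replies, and inside-initiated sessions pass by default
access-list OUTSIDE_IN extended permit tcp object-group PARENT_DCS object-group CHILD_DCS object-group AD_TCP
access-list OUTSIDE_IN extended permit udp object-group PARENT_DCS object-group CHILD_DCS object-group AD_UDP
! Explicit logged deny so blocked AD attempts show up in syslog while troubleshooting
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The wide 1024-65535 range is only tolerable because it is pinned to the DC host pairs; if the hosts in CHILD_DCS sit behind a static translation on a pre-8.3 ASA, the object-group must list the translated (outside-visible) address.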

dirkmelvin Thu, 04/16/2009 - 06:33

I will try to illustrate my setup here.

I'll post my configs from both ASAs later today.

dirkmelvin Thu, 04/16/2009 - 11:50

I have attempted this, but all I get when I ping is negotiating IP security.

I think this should be working but I'm obviously missing something.

dirkmelvin Mon, 04/20/2009 - 08:38

Here are my 2 configs.

Outside is the ASA connected to Internet, inside is the ASA on the inside interface of the outside ASA.

There are 3 AD servers on the inside interface of the outside ASA, and there are 2 AD servers on the inside interface of the inside ASA. All 5 of these servers need to speak AD to each other.
