ASA: How to allow active directory to traverse outside and inside?

dirkmelvin, Level 1

I am attempting to get AD to cooperate from a parent domain on the outside of the ASA to a child domain on the inside of the ASA.

So far, when I first set up the child domain, all is well (I assume because the inside server is initiating the chatter), but after a little while (not sure of the time frame) AD stops syncing and I get errors on the servers about it.

7 Replies

Collin Clark, VIP Alumni

This is just off the top of my head, but you'll need LDAP, DNS, and Kerberos opened up. If you want file browsing, you'll have to open RPC (all ports >1024), 137-139, and 445. You have a couple of other options, though. You can use an IPsec tunnel between the two servers and/or RPC over HTTPS.

Hope that helps.
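To make the port list above concrete, here is an added ASA configuration example (not from the original post or from either poster's configs) that permits the AD protocols listed in the reply between two domain controllers only, rather than to the whole inside network. The host addresses, interface name and ACL name are constructed placeholders; the well-known ports (DNS 53, Kerberos 88, LDAP 389/636, RPC endpoint mapper 135, NetBIOS 137-139, SMB 445) are standard, and the >1024 range is the broad RPC allowance the reply describes.

```cisco
! Placeholder DC addresses: 192.0.2.10 = parent-domain DC on the outside,
! 10.10.10.10 = child-domain DC on the inside (constructed, not the poster's).
object-group network AD-OUTSIDE-DCS
 network-object host 192.0.2.10
object-group network AD-INSIDE-DCS
 network-object host 10.10.10.10

! TCP services AD uses between DCs: DNS, Kerberos, RPC endpoint mapper,
! LDAP, LDAPS, NetBIOS session, SMB.
object-group service AD-TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 636
 port-object eq 445
 port-object range 137 139

! UDP services: DNS, Kerberos, LDAP ping, NetBIOS name/datagram.
object-group service AD-UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 389
 port-object range 137 138

! Allow the outside DC to initiate to the inside DC (the direction the
! default ASA policy blocks). Scoped to the DC hosts, not the subnet.
access-list OUTSIDE_IN extended permit tcp object-group AD-OUTSIDE-DCS object-group AD-INSIDE-DCS object-group AD-TCP
access-list OUTSIDE_IN extended permit udp object-group AD-OUTSIDE-DCS object-group AD-INSIDE-DCS object-group AD-UDP
! Dynamic RPC (replication) uses high ports; the reply's ">1024" rule.
access-list OUTSIDE_IN extended permit tcp object-group AD-OUTSIDE-DCS object-group AD-INSIDE-DCS range 1024 65535
access-group OUTSIDE_IN in interface outside
```

Because the ASA allows inside-initiated connections and their return traffic by default, a missing inbound rule like this shows up exactly as the symptom in the question: replication works while the inside DC initiates and fails once the outside DC needs to connect in. The high-port range is the widest entry here, so keeping it pinned to the DC hosts (as above) or moving to the IPsec tunnel option limits its exposure.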

I will try to illustrate my setup here.

Internet----ASA1--Domain1
                 |
                 |
                ASA2--Domain1.1

I'll post my configs from both ASAs later today.

I would recommend using an IPSEC tunnel for this if possible.

The following link shows a list of required ports

http://technet.microsoft.com/en-us/library/bb727063.aspx

HTH

Steve

Nice link Steve, thanks.

I have attempted this, but all I get when I ping is "Negotiating IP Security".

I think this should be working but I'm obviously missing something.

If you are able to, please post your configs for us to review.

Thanks

Steve

Here are my 2 configs.

Outside is the ASA connected to Internet, inside is the ASA on the inside interface of the outside ASA.

There are 3 AD servers on the inside interface of the outside ASA, and there are 2 AD servers on the inside interface of the inside ASA. All 5 of these servers need to speak AD to each other.
